Implement Sbnb Linux Secure Boot #4

@aospan

Enhancement: Implement Sbnb Linux Secure Boot

Summary

Implement Secure Boot support for Sbnb Linux by ensuring that the sbnb.efi UKI binary is signed with a trusted certificate. This will enhance security and prevent unauthorized modifications to the boot chain.

Tasks

1. Certificate Authority (CA) Selection

  • Research and select a reliable Certificate Authority (CA) that can sign Sbnb binaries.
  • Evaluate options such as:
    • Third-party UEFI CA (e.g. Microsoft, but requires submission process)
    • Open-source alternatives (sbsign) and/or self-hosted CA
    • Hardware-backed solutions (HSM)
  • Document the pros and cons of each approach.

2. User Guide: Secure Boot Setup

  • Write a step-by-step guide on how users can:
    • Clean existing Secure Boot certificates (reset PK, KEK, DB), enable Secure Boot Setup Mode

3. Enrollment Script for Secure Boot Keys

  • Develop a script that automates the process of enrolling Sbnb Secure Boot keys:
    • Import Platform Key (PK), Key Exchange Key (KEK), and Signature Database (DB)
  • Integrate the script into the Sbnb Linux installer or first boot process.
  • Add documentation to the guide for manual enrollment if needed.

Acceptance Criteria

  • A trusted signing mechanism is selected and documented.
  • Users have a clear guide on switching their system into Secure Boot mode for Sbnb.
  • A functional script exists to enroll Secure Boot keys at first boot, ensuring a seamless experience.
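
Added example, not part of the issue or of the Sbnb Linux code base: a pre-enrollment check that a first-boot script could run to confirm the firmware is in Setup Mode before importing PK, KEK and DB. It reads the standard UEFI `SetupMode` and `SecureBoot` variables through efivarfs; the function names and the state labels it prints are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not Sbnb project code): report the firmware's Secure Boot
# state so an enrollment script can refuse to run outside Setup Mode.

# EFI global variable GUID from the UEFI specification; efivarfs exposes
# each variable as a file named <Name>-<GUID>.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the value (0 or 1) of a one-byte EFI variable, or "absent".
# efivarfs prefixes the data with a 4-byte attributes field, so the
# value is the single byte at offset 4.
efi_bool() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    if [ ! -r "$f" ]; then echo absent; return 0; fi
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] || v=absent      # truncated file: no data byte present
    echo "$v"
}

# Classify the platform. The optional argument overrides the efivarfs
# path, which allows testing against constructed files.
secure_boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    if [ ! -d "$dir" ]; then echo no-uefi; return 0; fi
    setup=$(efi_bool "$dir" SetupMode)
    sb=$(efi_bool "$dir" SecureBoot)
    case "$setup:$sb" in
        1:*) echo setup-mode ;;          # no PK enrolled: keys can be imported
        0:1) echo enforcing ;;           # keys enrolled, Secure Boot active
        0:0) echo user-mode-disabled ;;  # keys enrolled, Secure Boot off
        *)   echo unknown ;;             # variable missing or unreadable
    esac
}

# Report the state of the machine this script runs on.
secure_boot_state
```

An enrollment script would proceed only on `setup-mode` and stop with a pointer to the manual guide on any other result.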
