Chao B Zhang of Intel has created a branch of the Tianocore EDK-II for Customized Secure Boot, presumably a new flavor mentioned in the UEFI Forum’s private issue tracking system (or it is public, not sure yet what branch will contain). It sounds like some new post-2.6, pre-2.7 feature that Microsoft is requesting. I wonder how this will impact non-Windows OSes…
Excerpted readme:
[Staging/Customized-Secure-Boot]: Create branch for Customized Secure Boot
Create a remote branch Staging/Customized-Secure-Boot for EC1263 feature. This staging branch is requested by Jeremiah Cox of Microsoft for ECR 1263 Customized Secure Boot feature. This ECR has some conflicting language/figures that may result in in consistent implementations. Customized Secure Boto feature provides capabilities for automated platform deployment by enterprises, OEMs, system integrators, and enthusiasts into custom, higher security Secure Boot configurations. This can mitigate chain of custody concerns in the supply chain of a given hardware platform. It further provides the ability to manage multiple UEFI certificate signers and image revocations from multiple signers. It also provides a viable solution to enterprise, enthusiast, and OS vendor signing of images while maintaining overall security of the pre-boot environment. Finally, it provides for a consistent programmatic and secure re-deployment of already-deployed systems.
More info:
https://github.com/tianocore/edk2-staging/tree/Customized-Secure-Boot
https://mantis.uefi.org/mantis/view.php?id=1263 (UEFI Forum members only, not for public)
https://lists.01.org/mailman/listinfo/edk2-devel
Firmware Security 