Linux and Secure Boot HOW-TO

Greig Paul has an article in Linux Journal, a new Security HOW-TO on UEFI Secure Boot.

Take Control of Your PC with UEFI Secure Boot

[..] This article focuses on a single useful but typically overlooked feature of UEFI: secure boot. Often maligned, you’ve probably encountered UEFI secure boot only when you disabled it during initial setup of your computer. Indeed, the introduction of secure boot was mired with controversy over Microsoft being in charge of signing third-party operating system code that would boot under a secure boot environment. In this article, we explore the basics of secure boot and how to take control of it. We describe how to install your own keys and sign your own binaries with those keys. We also show how you can build a single standalone GRUB EFI binary, which will protect your system from tampering, such as cold-boot attacks. Finally, we show how full disk encryption can be used to protect the entire hard disk, including the kernel image (which ordinarily needs to be stored unencrypted). […]

Full article: