SELoader: Secure EFI Loader

Secure EFI Loader
The SELoader is designed to authenticate the non-PE files which cannot be verified by the MOK verify protocol supplied by shim loader, such as grub configuration, initrd, grub modules and so on. The SELoader employs PKCS7 Verify Protocol available since UEFI Specification version 2.5 to verify the signature to prove the integrity of checked file. If BIOS doesn’t support it, a pre-built Pkcs7VerifyDxe driver is provided. In order to estabilish the chain of trust, the SELoader is required to be signed by a private key corresponding to a DB certificate, the shim certificate, the vendor certificate or a shim MOK certificate. The specifical key is determined by the Secure Boot scheme you will use. Using UEFI Secure Boot, MOK verify protocol and SELoader Secure Boot together, the boot process will be completely trustworthy.