* Steve Langasek:

>> and this is the reason we have to require all modules to be signed by
>> default.
>
> Enforcement of kernel module signatures is part of what's called the
> "lockdown" featureset. It is optional, and not a requirement from
> the UEFI spec,

The requirement is in the Microsoft signing policy (or the document that
comes closest to such a policy):

| b. Developers might assume that secure boot security requirements
| have been satisfied when their initial boot is complete. However,
| if a secure boot system permits launch of another operating system
| instance after execution of unauthenticated code, the security
| guarantee of secure boot is compromised. If this vulnerability is
| exploited, the submission might be revoked.

<https://techcommunity.microsoft.com/t5/Windows-Hardware-Certification/Microsoft-UEFI-CA-Signing-policy-updates/ba-p/364828>

Admittedly, that part isn't entirely clear. I think most vendors have
an escape hatch to load unsigned kernel modules even in secure boot
mode, without a reboot or physical presence check.