I'm not sure why I never tried just signing the kernel and systemd-boot, but it works. If either one is not signed, it gives a security violation error.
A con of this implementation is that unlike the combo app, we don't inherently validate the initrd. In the future we could require that an initrd is not used with secure boot unless the combo app is chosen.

Obviously some cleanup is needed on my old work should we go this route, but it's the end of a Friday and I wanted to get some feedback on this. If you want to test it out you can pull my branch clsulliv/secureboot-simple.

---
Cal

California Sullivan (4):
  classes: Add uefi-sign.bbclass
  systemd-boot: Add uefi-sign bbclass to sign bootloader
  linux-intel: Add uefi-sign bbclass to sign kernel
  meta-intel.inc: Add secureboot to valid IMAGE_FEATURES

 classes/uefi-sign.bbclass                          | 52 ++++++++++++++++++++++
 .../systemd-boot/systemd-boot_%.bbappend           |  3 ++
 common/recipes-kernel/linux/linux-intel_4.9.bb     |  5 ++-
 conf/machine/include/meta-intel.inc                |  2 +
 4 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 classes/uefi-sign.bbclass

-- 
2.9.4