Skip to content

Firmware Build Process

Jump to bottom
Doug Flick edited this page Mar 5, 2025 · 2 revisions

Setting up the Secure Boot Defaults

Assuming the platform is using the "unsigned" Secure Boot Objects (which are just EFI Signature Lists)

The secure boot binary objects are formatted to the expected UEFI data structures to enable simple integration into an EDK2 platform.

Integration Strategies

On Project Mu that uses Stuart:

  1. Platform add's a extdep tracking the secure boot objects
  2. Platform add's a plugin to convert the secure boot objects to PCDs
  3. Platform uses the SecureBootKeyStoreLib that uses the PCDs

On Projects that do not use stuart:

  1. Storing them as a Freeform Ffs file

Reduce the attack surface

A careful balance must be considered when providing templates that offer capability and attack surface reduction.

Each additional certificate or hash increases the attack surface.

Clone this wiki locally