mageia secure boot enabled

I have been doing some research about this issue. I found that just a few distro's have been abled to enable secure boot mode. The reason for this is you have to sign the boot loader, kernel, and hardware drivers. Then you would have to import the keys into the bios. I am working on the exact process is for this to be done correctly.

Example

This is from what I understand so far.

1. You need a code signing certificate.
2. The certificate is used to create your private and public key pairs.
3. You sign the boot loader, kernel, and hardware drivers in the correct order.
4. Then you import the certificate and public keys into the bios for the boot loader, kernel, and hardware drivers.
5. Then you can enable the secure boot.

The correct order of signing

From what I under stand every time you sign the boot loader, kernel, and hardware drivers this generates a key hash to be validated. This is why from what I understand this would be the correct order. Note make sure to enable secure boot mode in the kernel options.

1. Compile the kernel and after each driver has been compiled you would sign the driver. (akmods utility does this)
2. Compile of the kernel has finished now sign the compiled kernel.
3. Now sign the boot loader.

secure boot issues

I have found out if you upgrade the kernel you have to resign the kernel drivers and the kernel and then reimport those keys into the bios. If you update the boot loader you will have to resign the boot image again and import the keys into the bios again.

Signing certificate used for secure boot issues. If the certificate private key is ever compromised then everything signed with that private key has to be blocked. This means if the OS updates the bios with new authorized keys and blocked keys users may find themselves not able to boot and have to turn off secure boot to be able to start the OS again.