There’s a lot of FUD going around about Secure Boot, but very few people seem to really understand how it works. I decided to learn the hard way: by actually trying to set it all up and see what it does.

The first problem is that I don’t have any UEFI hardware to test on. Luckily there is a reference firmware for virtual machines called OVMF. This can be run in QEMU. The project page has binaries that you can try out, but in order to get Secure Boot you need to recompile it.

Rather than explain in full how to do that, I have added the extra steps required to build with Secure Boot to the UEFI-howto on the Ubuntu wiki. So the first thing for you to do is to follow all the steps on that guide. At the end you should have QEMU set up to run OVFM and also an (unsigned) HelloWorld.efi which you can run inside it.

In the end I have a file structure like this:

~/uefi
├── bios
│   ├── bios.bin -> edk2/Build/OvmfX64/DEBUG_GCC46/FV/OVMF.fd
│   └── vgabios-cirrus.bin -> edk2/Build/OvmfX64/DEBUG_GCC46/FV/OvmfVideo.rom
└── hda
    └── HelloWorld.efi -> edk2/Build/MdeModule/DEBUG_GCC46/X64/HelloWorld.efi


I run QEMU like this:

$ qemu-system-x86_64 -L ./bios -hda fat:hda -no-kvm

Verify that your OVMF build has Secure Boot support by typing “exit” to leave the EFI shell. Now choose the menu option “Device Manager”. You should now see another menu with “Secure Boot Configuration” as the only option.

IMPORTANT: QEMU/OVMF will not save any settings, so any changes you make in the EFI shell or menus won’t be saved if you shutdown QEMU.

I encourage anyone who is curious about how secure boot will look to the end user to try setting this up. Leave a comment if you have any problems.