by summers » Thu May 14, 2020 10:34 am
Well I'm not an expert on secure boot, but one of my machines, an odroid-c2, has it (in some form, it can be worked round).
When a machine with secure boot powers up, ROM in the CPU does the first few stages of secure boot. Everything here needs to be signed, so it is known that it's not modified. Eventually uboot is called, and this also has to be signed. But this is where the signing usually stops; uboot will boot whatever it needs to and doesn't continue the signature process.
So for linux, it's typically only uboot (or the first stage of uboot) that needs signing. If you are lucky, the signing tools are made available by the manufacturer. E.g. for the odroid-c2 Hardkernel makes the tools available. So you can spin your own uboot if you need to ...
Not sure if this answers your question, but it's as far as I go ...