To my knowledge that's not possible with the Microsoft bootloader, you need to use Microsoft's keys, hence why I am suggesting that this open source bootloader could be useful. Can you provide some more information about such a setup?
> The Microsoft Windows Production PCA 2011 with a SHA-1 Cert Hash of 58 0a 6f 4c c4 e4 b6 69 b9 eb dc 1b 2b 3e 08 7b 80 d0 67 8d must be included in db in order to allow the Windows OS Loader to load.
But DB entries can also contain SHA-256 hashes of the image to load (with the image stripped of the signature, which btw allows you to also resign it).
Are you sure? I haven't tried, but this disagrees: https://docs.microsoft.com/en-us/previous-versions/windows/i...
"Windows boot components: BootMgr, WinLoad, Windows Kernel Startup. Windows boot components verify the signature on each component. Any non-trusted components will not be loaded and instead will trigger Secure Boot remediation."
> DB entries can also contain SHA-256 hashes
OK, fair enough, but it still doesn't really solve the problem because an attacker could just copy your modified bootmgr to be able to steal and use your workstation. In order for this to work you'd also have to add some kind of additional checks which we can now do with an open source version of the bootloader.
As for abusing a signed bootloader, the full process depends on verifying that the signed bootloader appropriately handles the TPM, which is then also coupled with an encrypted disk, which in turn works to prevent loading unsanctioned code.
Of course, it's possible to defeat this, but the idea is to frustrate the efforts and raise the cost of an attack, as well as give you a longer timeframe to deal with an attack.
Besides: the prevalence of terrible software like Lojack/CompuTrace in the enterprise just goes to show that many clients actually do care about physical theft scenarios. Also consider how basically every modern mobile device now provides factory reset protection.
- Remove all keys (switch to Setup mode)
- Set up your own PKI and platform keys
- Sign hash of specific EFI files and load those signatures into EFI
The last part doesn't require modifying the files themselves, as you're locking specific files. The firmware will make a hash of the file and verify that it's on the permitted list (the list is signed).
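The hash-entry path from the three steps above (db holding SHA-256 digests of specific EFI images, firmware checking an image's digest against that permitted list), as an added Python example that is not from any poster in this thread. The digests and the owner GUID are constructed stand-ins; a real db entry carries the image's Authenticode digest (signature and checksum fields excluded, as produced by hash-to-efi-sig-list or pesign), and the list itself is then signed with the KEK before enrolment.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI spec: marks a list whose entries are raw SHA-256 image digests.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize.
HDR = struct.Struct("<16sIII")
SIG_SIZE = 16 + 32  # each entry: SignatureOwner GUID + 32-byte digest


def build_sha256_esl(digests, owner):
    """Pack image digests into one EFI_SIGNATURE_LIST (the blob that gets signed and written to db)."""
    body = b"".join(owner.bytes_le + d for d in digests)
    return HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, HDR.size + len(body), 0, SIG_SIZE) + body


def parse_esl_sha256(blob):
    """Walk a db blob (one or more concatenated lists) and yield every SHA-256 digest it permits.
    Lists of other types (X.509 certificates) are skipped; only the hash path is modelled here."""
    off = 0
    while off + HDR.size <= len(blob):
        stype, lsize, hsize, ssize = HDR.unpack_from(blob, off)
        if lsize < HDR.size or off + lsize > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        if uuid.UUID(bytes_le=stype) == EFI_CERT_SHA256_GUID:
            pos = off + HDR.size + hsize
            while pos + ssize <= off + lsize:
                yield blob[pos + 16:pos + ssize]  # skip the SignatureOwner GUID
                pos += ssize
        off += lsize


def image_allowed(db_blob, image_digest):
    """What the firmware does for a hash entry: is this image's digest on the permitted list?
    A real firmware also rejects anything listed in dbx; that forbidden list is not modelled."""
    return image_digest in set(parse_esl_sha256(db_blob))


if __name__ == "__main__":
    # Constructed stand-ins: in practice these are the Authenticode digests of your locked EFI files.
    owner = uuid.UUID("00000000-0000-0000-0000-00000000c0de")
    allowed = hashlib.sha256(b"constructed stand-in for my-locked-bootmgr.efi").digest()
    db = build_sha256_esl([allowed], owner)
    print(image_allowed(db, allowed), image_allowed(db, hashlib.sha256(b"tampered").digest()))
```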