The RISC-V platform specification requires UEFI. Secure boot is defined in the UEFI specification.
With U-Boot, Shim, GRUB, and a signed kernel I am able demonstrate secure boot on RISC-V. I am upstreaming the necessary patches. Roots of trust for RISC-V are in active development but not yet available on commercial boards: Cf. https://riscv.org/wp-content/uploads/2019/03/15.05-RISC-V-Security-Multizone-v-TrustZone-3-12-19.pdf Canonical has started discussing with SiFive how a root of trust can be supplied. A boot ROM checking the first bootstage (U-Boot SPL) using a certificate from the OTP memory would be a good start. This only requires a software change on the vendor side. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-riscv in Ubuntu. https://bugs.launchpad.net/bugs/1941950 Title: linux-riscv: missing kernel signature Status in linux-riscv package in Ubuntu: New Bug description: U-Boot and EDK II both support secure boot. But vmlinuz-5.11.0-1014-generic and vmlinuz-5.13.0-1002-generic are not signed via sbsign. Please, adjust the RISC-V build system to sign new kernels. Best regards Heinrich To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-riscv/+bug/1941950/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp