New comment by andkem on void-packages repository

https://github.com/void-linux/void-packages/issues/12495#issuecomment-504224383

Comment:

@congdanhqx, I looked at those recipes and the hooks that were in place, but didn't consider them a complete secure boot solution since they don't, as you point out, sign the initrd or provide tools for actually generating keys. There was also some block of the hook that had a comment stating it was untested, iirc. Sadly I'm away from my computer for the weekend so I cannot check.

For a secure boot solution that isn't trivial (well, almost) to circumvent, we need both kernel and initrd to be signed. We also need the root file system to either be signed and read-only, e.g. using dm-verity, or encrypted. I'd suggest that telling people to encrypt should be enough, since a read-only root won't really work with Void the way it is currently structured.

The main point to make for using GRUB instead of a pure EFI boot is that we could support having the boot partition encrypted. Even with signed binaries, there are attacks that can be mitigated by having it encrypted. An example could be injecting data into the partition that you are then tricked into signing.

If you'd like to start working on this, congdanhqx, I don't mind. I'd also be glad to cooperate, review and discuss if you want.