Given Rocky Linux shall be 100% bug-for-bug compatible with Red Hat Enterprise Linux, signing the “UEFI shim loader” for UEFI Secure Boot will also become a topic.
Microsoft provides a long list of UEFI Signing Requirements, which likely require some additional work and have external dependencies, thus they should be started early:
- EV certificate (as per CA/B forum, this requires a registered verifiable legal entity, e.g. company, foundation, natural person if they’re a registered business) and an Azure Active Directory (AAD) account.
- Shims must be reviewed first by the “shim review board” before they can be signed.
- Code signing keys must be backed up, stored, and recovered only by personnel in trusted roles, using at least dual-factor authorization in a physically secured environment.
- Private part of the code signing key must be protected with a hardware cryptography module, e.g. HSMs, smart cards, smart-card-like USB tokens and TPMs.
- Operating environment must achieve a level of security at least equal to FIPS 140-2 Level 2.
Parts of this might be relevant for the “What servers/services do we need to bootstrap ourselves” topic.