I don’t know if the last built Whonix KVM image already comes with EFI booting compatibility. It might not. A new Whonix KVM image is required to test this for real.
Secure Boot support:
It depends which OVMF firmware is in use. Afaik (not re-tested now):
- /usr/share/OVMF/OVMF_CODE_4M.ms.fd: EFI SecureBoot with Microsoft key
- /usr/share/OVMF/OVMF_CODE.fd: EFI without SecureBoot
I figured that out when making sure the Kicksecure ISO is compatible with EFI SecureBoot inside QEMU for simplified testing of ISO images.
So,
- A) enabling vs not enabling EFI by default, versus
- B) enabling vs not enabling Secure Boot by default,
are two different decisions to make.
These are connected insofar as:
- If enabling Secure Boot by default, enabling EFI by default is a prerequisite.
- However, in theory we could enable EFI by default but not Secure Boot.
For Secure Boot there is a dedicated forum thread: enable Linux kernel gpg verification in grub and/or enable Secure Boot by default
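
An added example, not part of the original post or of Whonix's own tooling: a Python check that reads a libvirt domain XML and reports EFI and Secure Boot as the two separate settings discussed above. The firmware-path mapping is taken from the post (which marks it as not re-tested); the sample domain XML is constructed and the `classify_boot` name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Firmware meaning as stated in the post (which notes it was not re-tested).
FIRMWARE_SECURE_BOOT = {
    "/usr/share/OVMF/OVMF_CODE_4M.ms.fd": True,   # EFI, Secure Boot with Microsoft key
    "/usr/share/OVMF/OVMF_CODE.fd": False,        # EFI without Secure Boot
}

def classify_boot(domain_xml):
    """Return (efi, secure_boot); secure_boot is None when it cannot be determined."""
    os_el = ET.fromstring(domain_xml).find("os")
    if os_el is None:
        return (False, False)
    loader = os_el.find("loader")
    path = (loader.text or "").strip() if loader is not None else ""
    if path in FIRMWARE_SECURE_BOOT:
        return (True, FIRMWARE_SECURE_BOOT[path])
    # libvirt firmware auto-selection: <os firmware='efi'> plus optional feature flags
    if os_el.get("firmware") == "efi":
        for feat in os_el.findall("firmware/feature"):
            if feat.get("name") == "secure-boot":
                return (True, feat.get("enabled") == "yes")
        return (True, None)
    # A pflash loader with a path not in the mapping: EFI, Secure Boot unknown
    if loader is not None and loader.get("type") == "pflash":
        return (True, None)
    # No EFI firmware at all: Secure Boot is not possible (EFI is the prerequisite)
    return (False, False)

# Constructed sample domain definitions (trimmed to the <os> element).
OS_TYPE = "<type arch='x86_64' machine='q35'>hvm</type>"
BIOS_XML = f"<domain type='kvm'><os>{OS_TYPE}</os></domain>"
EFI_XML = (f"<domain type='kvm'><os>{OS_TYPE}<loader readonly='yes' type='pflash'>"
           "/usr/share/OVMF/OVMF_CODE.fd</loader></os></domain>")
SB_XML = (f"<domain type='kvm'><os>{OS_TYPE}<loader readonly='yes' secure='yes' "
          "type='pflash'>/usr/share/OVMF/OVMF_CODE_4M.ms.fd</loader></os></domain>")
AUTO_XML = (f"<domain type='kvm'><os firmware='efi'>{OS_TYPE}<firmware>"
            "<feature enabled='no' name='secure-boot'/></firmware></os></domain>")

if __name__ == "__main__":
    for name, xml in [("bios", BIOS_XML), ("efi", EFI_XML),
                      ("efi+sb", SB_XML), ("auto", AUTO_XML)]:
        efi, sb = classify_boot(xml)
        print(f"{name}: efi={efi} secure_boot={sb}")
```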