Ideally:
- For downloaded Whonix VM images: these come with keys created by the distribution. (Useful? Necessary?) On first boot, the distribution keys are automatically removed and user auto-generated keys are used.
- For Whonix VM images built from source: these come with keys created by the builder.
May not be as difficult as you think? https://debamax.com/blog/2019/04/19/an-overview-of-secure-boot-in-debian/ describes that Debian creates both signed and unsigned packages. For example:
- shim-unsigned
- shim-signed
The same goes for the grub bootloader and the linux kernel.
As far as I understand:
- Only shim is signed by Microsoft. grub and linux are signed by Debian, not Microsoft.
- For a distribution it should be possible to sign shim (and/or even grub and linux) without recompilation. Just start with the -unsigned package, then sign it, and create the -signed package for it.
Therefore removing the dependency on Microsoft keys does not require recompilation of shim, grub or linux.
While I think it may be a lot easier, I would agree that it is still a non-trivial effort to implement all of this.
That may be true, however Secure Boot support for Whonix Host builds also has another goal:
Usability - the ability to boot the computer without needing to modify BIOS settings. Therefore worth going for even when depending on shim-signed by Microsoft.
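An added example, not from this thread or from Whonix or Debian: a small Python checker that reports whether an EFI PE image (shim, grub, the kernel) carries an Authenticode signature, which is exactly what separates a -unsigned package's binary from its -signed counterpart. The PE header offsets are the standard ones; the sample image is constructed inside the block and is not bootable.

```python
import struct
import sys

# Added example: detect an Authenticode signature in a PE/COFF EFI binary by
# reading the Certificate Table data directory (index 4). A -unsigned shim
# has an empty entry; a -signed shim points at the embedded WIN_CERTIFICATE.
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def certificate_table(data: bytes):
    """Return (file_offset, size) of the Certificate Table, or (0, 0) if absent."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_off = pe_off + 4 + 20                                  # skip COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32_MAGIC:
        dirs_off = opt_off + 96                                # PE32 data directories
    elif magic == PE32PLUS_MAGIC:
        dirs_off = opt_off + 112                               # PE32+ data directories
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]  # NumberOfRvaAndSizes
    if num_dirs <= CERT_TABLE_INDEX:
        return (0, 0)
    return struct.unpack_from("<II", data, dirs_off + 8 * CERT_TABLE_INDEX)


def is_authenticode_signed(data: bytes) -> bool:
    """True when the image has a non-empty Certificate Table that fits in the file."""
    off, size = certificate_table(data)
    return size > 0 and off + size <= len(data)


def build_sample_pe(cert_size: int) -> bytes:
    """Constructed minimal PE32+ image (sample input only, not a real EFI binary)."""
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 106 + struct.pack("<I", 16)
    hdr_len = 0x40 + 4 + 20 + len(opt) + 8 * 16
    dirs = [(0, 0)] * 16
    if cert_size:
        dirs[CERT_TABLE_INDEX] = (hdr_len, cert_size)          # table sits after headers
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x2022)
    return dos + b"PE\0\0" + coff + opt + b"\0" * cert_size


if __name__ == "__main__":
    # Usage (path is an assumption): python3 pe_signed.py /usr/lib/shim/shimx64.efi
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "signed" if is_authenticode_signed(f.read()) else "unsigned")
```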