Since we are going for enforce kernel module software signature verification [module signing] / disallow kernel module loading by default, should we also work towards enable Linux kernel gpg verification in grub and/or enable Secure Boot by default?
Looks doable in principle.
KVM: supports both EFI boot and Secure Boot.
On https://blog.heckel.io/2018/08/06/booting-image-files-and-isos-with-kvm-qemu-efi-and-bios/ see
2. Booting image files with KVM (EFI)
The https://packages.debian.org/buster/ovmf ships an EFI BIOS.
sudo apt install ovmf
Other search results indicate it also supports Secure Boot.
VirtualBox: supports EFI boot (
VBoxManage modifyvm "VM name" --firmware efi) but does not support Secure Boot (yet?)
Maybe we could enable Linux kernel gpg verification in grub anyhow?
Whonix Host: Would be nice if it could be booted with Secure Boot enabled. Even if security benefits are contested, this would increase compatibility/usability.
Secure Boot in Debian generally:
Secure Boot generally:
Software Freedom / ethical considerations:
At least some points (I am not an expert on the subject) of which FSF are making
are very valid. Secure Boot in effect has lead to fewer people capable of running alternative operating systems such as linux distributions on the PC computer hardware which they thought they fully own as well as other hardware which as locked bootloaders which cannot be unlocked which then result in vendor lock-in with respect to the operating system. Needless to say, this is very wrong.
This development discussion however does not concern this. If Secure Boot support in Whonix gets implemented, it may improve usability (on Whonix Host) and/or security, but it does not limit what users can do with their hardware or Whonix. It will still be possible to disable Secure Boot and/or to disable Secure Boot after starting Whonix and/or to disable this in Whonix source code for custom builds.