RE: Re: [OSR-DETECTED-SPAM] RE: SecureBoot/Driver signing for corporate usage

Thank you Tim,
I understand that.
Unfortunately the genuine problem, i.e. Secure Boot compatibility without the attestation of private (by definition) drivers, looks unsolvable so far. So any private entity has to be made “public” for the attestation first.
And there are no reliable options to make it Secure Boot compatible (keeping it private) beyond switching Secure Boot off completely.
I still hope that there is a way to sign the driver “privately” by putting the related certificate in the UEFI’s DB for the verification.
All my experiments failed so far.
Maybe because the DB is used for genuine UEFI binaries verification only, so the kernel drivers are verified somehow else.
Maybe because of the lack of diagnostics. I can put a driver’s “root” certificate into the DB, the signature verification fails, but I can’t tell whether it happens by design or because a different certificate format has to be used in the DB. It looks like the BIOS interface allows adding nearly anything to the DB by just concatenating whatever is chosen.

Thank you,
Serge