[Feature]: Secure Boot Templates are a nice way to name a configuration and make it easier to get aligned but the templates need to be changed for real-world usage and clarity. #198

@spbrogan

Feature Overview

This is feedback based on the code tree at version 3d71b6f.

There should be 4 defined templates.

Solution Overview

  1. MicrosoftOnly (leave this as is. This looks good)
  2. MicrosoftAndOptionRoms (leave this as is, but add a comment to indicate that this is not going to work yet in 2025. Maybe in 2027 this will be viable, but since option-roms are not yet being signed or shipped with 2023 signatures, this template will not work.)
  3. MicrosoftAndThirdParty
    1. This should include Windows 2023, Microsoft UEFI 2011, Microsoft UEFI 2023, and Microsoft UEFI option-rom 2023.
    2. This is what is practical in the year 2025 for a machine that needs option-roms to boot.
    3. This is not nearly as secure as desired but is practical at this point. Please add comments in the toml file to indicate the security of this.
  4. Compatibility
    1. This should include Windows 2023, Windows 2011, Microsoft UEFI 2011, Microsoft UEFI 2023, and Microsoft UEFI option-rom 2023.
    2. This enables a user to boot anything and everything the user has been able to boot in the past with secure boot on.
    3. This is not very secure by itself, but with revocations and keys sealed to PCR values it can be manageable.

Alternatives Considered

No response

Urgency

High

Are you going to implement the feature request?

Someone else needs to implement the feature

Do you need maintainer feedback?

No maintainer feedback needed

Anything else?

No response
