
OpenBSD kernel address randomized link


Posted Jul 15, 2017 0:08 UTC (Sat) by rahvin (guest, #16953)
In reply to: OpenBSD kernel address randomized link by dskoll
Parent article: OpenBSD kernel address randomized link

For full-chain Secure Boot signing, I thought you already had to sign every kernel.

The shim loads the Microsoft-signed key, has the BIOS validate and loads the bootloader, but to retain a secure boot codepath the bootloader needs to be signed by a key the shim knows, then the bootloader loads the kernel, which is signed by a key the bootloader knows, etc, etc, etc. Secure Boot arguably isn't much use if you don't sign all the way down the chain to the boot kernel at least. Then if you want to be really secure you have to sign modules, programs and everything after the kernel with a key the kernel can validate. Fully implemented, you shouldn't be able to get anything executed during boot that isn't cryptographically signed and presumably unmodified.

The problem's always been that everything's got to be signed (and presumably the private key isn't available on the disk for someone to start signing stuff) so you can verify nothing's been tampered with. This signing is a non-trivial task. The cool thing is, if you can get something like this working, you've got a lot of confidence up to that point that nothing unapproved is loaded (although this doesn't protect you from bugs at all). The hard part is getting this simple enough that it's not a 2-day effort to patch security vulnerabilities. I believe they're working towards this goal with the future of Secure Boot and TPM.

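A small model of the chain the comment describes, added here as an illustration (it is not the commenter's code nor that of any shim or bootloader project): each stage's image carries an Ed25519 signature and embeds the public key used to check the next stage, so a kernel signed with a key the bootloader does not know breaks the chain. Key names and image bytes are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Stage is one link in the boot chain: the bytes to verify, the signature over
// them, and the public key this stage embeds for checking the NEXT link.
type Stage struct {
	Name  string
	Image []byte
	Sig   []byte
	Next  ed25519.PublicKey
}

// verifyChain walks the chain as described: the firmware's key checks the shim,
// the shim's key checks the bootloader, the bootloader's key checks the kernel.
// It reports the first link not signed by the key the previous link trusts.
func verifyChain(firmwareKey ed25519.PublicKey, chain []Stage) error {
	trusted := firmwareKey
	for _, s := range chain {
		if !ed25519.Verify(trusted, s.Image, s.Sig) {
			return fmt.Errorf("%s: not signed by the key the previous stage trusts", s.Name)
		}
		trusted = s.Next // hand-off: this stage's embedded key governs the next
	}
	return nil
}

// sign builds a stage whose image is signed by priv and which embeds next.
func sign(name string, image []byte, priv ed25519.PrivateKey, next ed25519.PublicKey) Stage {
	return Stage{Name: name, Image: image, Sig: ed25519.Sign(priv, image), Next: next}
}

// BootScenarios returns the outcome of a fully signed chain and of a chain whose
// kernel was signed with a key the bootloader does not know (a locally built
// kernel). Keys are generated fresh and images are constructed placeholder bytes;
// GenerateKey errors are ignored because rand.Reader failing is fatal anyway.
func BootScenarios() (good, bad error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // in the firmware db
	shimPub, shimPriv, _ := ed25519.GenerateKey(rand.Reader)     // embedded in the shim
	distroPub, distroPriv, _ := ed25519.GenerateKey(rand.Reader) // embedded in the bootloader
	_, localPriv, _ := ed25519.GenerateKey(rand.Reader)          // the custom kernel's own key
	shim := sign("shim", []byte("shim.efi"), vendorPriv, shimPub)
	loader := sign("bootloader", []byte("grub.efi"), shimPriv, distroPub)
	good = verifyChain(vendorPub, []Stage{shim, loader, sign("kernel", []byte("vmlinuz"), distroPriv, nil)})
	bad = verifyChain(vendorPub, []Stage{shim, loader, sign("kernel", []byte("vmlinuz-local"), localPriv, nil)})
	return good, bad
}
```

Swapping any one stage's key for one the previous stage does not embed fails in the same way, which is the "sign all the way down" point: a missing link anywhere leaves everything after it unverified.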


Copyright © 2025, Eklektix, Inc.