I have a setup that's almost like what Poettering proposes. Only that I don't use any external bootloader as it seems completely unnecessary.
All you need for secure boot in such a setup is signing the UKI with your keys.
That's the simplest boot setup ever!
It's only one file, so no moving parts. It just works. No LiLo and config, no grub and config, no systemd-boot, no nothing. Just the signed UKI on the EFI partition, and an efibootmgr entry pointing to that single file. That's all that's needed to boot a modern system.
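Checking that the single file on the ESP really is a signed UKI, as an added example (my own Python, not the commenter's setup or any systemd tooling): it walks the PE headers to see whether an Authenticode certificate table is attached and pulls out the embedded `.cmdline`, which is why no separate bootloader config is needed. The sample image is constructed in memory with a placeholder certificate blob, and the check only confirms that a signature container of the right shape is present, not that it validates against the keys enrolled in db.

```python
import struct

SECURITY_DIR = 4  # index of the Certificate Table entry in the PE data directories

def inspect_uki(data: bytes) -> dict:
    """Parse a PE32+ image laid out like a UKI: report whether a certificate
    table (Authenticode signature container) is attached and recover the
    embedded sections (.linux, .initrd, .cmdline, .osrel) that it covers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 header size
    # Unlike other directories, the Certificate Table holds a raw file offset.
    cert_off, cert_len = struct.unpack_from("<II", data, dirs + SECURITY_DIR * 8)
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType (2 = PKCS#7)
    signed = cert_len >= 8 and struct.unpack_from("<H", data, cert_off + 6)[0] == 2
    sections = {}
    for i in range(nsec):
        hdr = opt + opt_size + i * 40
        name = data[hdr:hdr + 8].rstrip(b"\0").decode()
        _, _, raw_len, raw_off = struct.unpack_from("<IIII", data, hdr + 8)
        sections[name] = data[raw_off:raw_off + raw_len]
    cmdline = sections.get(".cmdline", b"").rstrip(b"\0").decode()
    return {"signed": signed, "sections": sections, "cmdline": cmdline}

def build_sample_uki(cmdline: bytes, signed: bool) -> bytes:
    """Constructed sample input: a minimal, non-bootable PE32+ with UKI-style
    sections and, when signed=True, a placeholder certificate table."""
    payloads = {".osrel": b"ID=demo\n", ".cmdline": cmdline, ".linux": b"\0" * 16}
    opt_size = 112 + 16 * 8
    off = 64 + 4 + 20 + opt_size + 40 * len(payloads)  # first section's file offset
    shdrs, raw = b"", b""
    for name, body in payloads.items():
        shdrs += name.encode().ljust(8, b"\0")
        shdrs += struct.pack("<IIII", len(body), off, len(body), off) + b"\0" * 16
        raw, off = raw + body, off + len(body)
    blob = b"<constructed PKCS#7 placeholder>" if signed else b""
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob if signed else b""
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, SECURITY_DIR * 8, off if signed else 0, len(cert))
    opt = struct.pack("<H", 0x20B).ljust(108, b"\0") + struct.pack("<I", 16) + bytes(dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, len(payloads), 0, 0, 0, opt_size, 0x22)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64)
    return dos + b"PE\0\0" + coff + opt + shdrs + raw + cert
```

Run `inspect_uki(open("/boot/EFI/Linux/linux.efi", "rb").read())` against a real UKI to see its sections; for full signature validation use `sbverify --cert db.crt` instead.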