Interest in Secure Boot Support project (GSoC 2026)
harshit bhalani
I'm Harshit, and I'm interested in the Secure Boot Support project for GSoC 2026.
Before reaching out, I went through Kamil Aronowski's talk from Qubes OS Summit 2025, Piotr Król's talks from Summit 2024 and the Xen Winter Meetup, your own development update from Summit 2025, and issues #4371 and #8206 on GitHub. So I have a rough picture of what the project involves building a tool to package and sign a Unified Kernel Image, hook it into the update mechanism, and add a fallback boot entry. I also noticed UKI packaging didn't make it into R4.3, which makes this feel like a well-timed contribution.
I understand the Microsoft signing path is blocked for now because of upstream Xen issues (SBAT, NX_COMPAT, the .reloc crash), so the practical approach is user-generated keys via MOK enrollment and that's what this project is building toward.
I'm comfortable with Python and Bash. Right now I'm setting up QEMU with OVMF to try to reproduce the shim_lock and SBAT mismatch errors from #4371 before writing anything.
If my understanding is off somewhere, I'd genuinely like to know. And if there are any good starting points or open issues related to this work, I'd love to dig in.
Thanks!
Harshit Bhalani
Marek Marczykowski-Górecki
Hash: SHA256
I'm not sure why I got this email only now (likely moderation queue...),
but I responded to your other email ("Introduction") already :)
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmmv/50ACgkQ24/THMrX
1yzdQwgAlUdn5AfO8MXDk0JgXsO3oTXistNtGPWbQuZCjzNeENPGjdRYSCWO/Aa1
2iHYvggaaG0YUzD7ua7JYdCgSvx40wMb6V5QBSZ/HcctZEGcnOde/djGxAcn59ul
sjg6XoCqVgje/NZrzoYt5JjHjbv146sEJ4uqnvGXecnRxL2eXDprzZePz7QN8IWA
hn9IjcSRGyAdAdC9gXa1FjsxNmRAHumyIZ/g3v6g4db2wwaIAhZ7pxkyve/ZhubT
4HG4U0rC3RklyOfQPReIyon4e26/yQmkIScI6amfY4k3O2TcW4hhoaJ7Hc11nza4
dIUdqpKecpjImza0Pgw0zWDwMhPRrw==
=FupC
-----END PGP SIGNATURE-----