Tools for creating and using Secure Boot policies.
bootmgr prior to RS1 accepts Secure Boot policies signed by PK.
Thus, if you control PK, you control what Windows Code Integrity trusts. Sign your own Windows Boot Application; hypervisor; securekernel; driver (VTL0/VTL1); protected process; PPL.
SecureBootPolicy: library and compiler for Secure Boot policies. Includes three example policies:SecureBootPolicyDefault.xmlreimplements as much as possible the default Secure Boot policy included in bootmgr starting from RS2.SecureBootPolicyDefaultWithSigners.xmlis the same as above that also reimplements the default signers trusted by CI for easy extensibilitySecureBootPolicyExample.xmladds a custom signer. Replace the TBS hash and enjoy your trusted binaries.
EfiInstallPolicy: EFI application to install a signed Secure Boot policy into UEFI non-volatile variables.BootAppToEfi: Windows Boot Application that switches back to the EFI environment and callsEfiMain().
I am not responsible for anything that may happen to your systems/VMs when using these tools; after all, you control the keys!