We began cryptographically signing our UEFI firmware to mitigate the risk of rogue firmware running on our servers. Our existing solution is platform-specific to our x86 AMD server fleet, and we had no equivalent for signing UEFI firmware on Arm.
Here’s what we did: Armed to Boot: an enhancement to Arm’s Secure Boot chain