Oracle Secure Boot UEFI added in a new version of its Linux distribution, but the safety of this mechanism led to doubts on the part of professionals.
In particular, Matthew Garrett (Matthew Garrett), developer of the Linux kernel and security specialist in the Nebula Inc., which received an award from the FOUNDATION for the support of UEFI Secure Boot in Linux, said in his Twitter that only core from Oracle with more or less secure is the kernel of Red Hat, which was forked from the Oracle Linux kernel. The problem is that core Enterprise Kernel from Unbreakable Oracle supports kexec_load () and signed by the same key as the original kernel of Red Hat.
Oracle Secure Boot process in details is described here. The main idea of this mechanism is that all of the load at each step is checked for authenticity by using digital signatures. Matthew Garrett‘s comments, if true, the problem with kexec_load () opens a big security hole, because with this system call, the kernel can be spoofed.