Ticket: #6560

One possible plan

Goal: avoid the need to disable Secure Boot in the firmware configuration. Tails should boot out-of-the-box with Secure Boot enabled, without the user having to do anything special about it.

Means: use the shim signed by Microsoft + GRUB2.

We don't support booting on a custom built kernel, so that should be relatively easy.