Booting a Secure Boot UEFI system using PXE
How to boot a Secure Boot UEFI system using PXE.
When booting a system with UEFI Secure Boot, a chain of trust is established in which each step of the boot chain verifies the signature of the next step before running it. For licensing reasons, grub is usually not signed with a key trusted by the system firmware, so a small UEFI shim loader, which is signed with such a key, is booted first. The UEFI shim loader then loads grub, verifying its signature against the certificate embedded in shim and/or the keys trusted by the system firmware. Finally, grub uses a protocol provided by the UEFI shim loader to verify the signature of the kernel before starting it.
This means that when booting a UEFI Secure Boot system using PXE, you must use GRUB2 rather than syslinux, and the boot file your DHCP/PXE server hands to UEFI clients must be the UEFI shim loader, not GRUB2 or syslinux directly. shim then fetches GRUB2 from the same TFTP directory it was loaded from, and GRUB2 fetches its configuration from there as well. If the client is pointed straight at a loader the firmware does not trust, the firmware refuses to start it and the boot stops there.
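The following script is an added example, not part of the original page or of any distribution's tooling. It lays out a TFTP root for Secure Boot PXE clients, writes a dnsmasq DHCP/TFTP configuration that hands UEFI x86-64 clients shim first, and checks that layout the way you would before rebooting a client. It assumes dnsmasq as the DHCP/TFTP server, the Fedora/RHEL file names shimx64.efi and grubx64.efi, the linuxefi/initrdefi GRUB2 commands, and an installer repository at http://192.0.2.10/repo/ with kernel and initrd under /images; those names and paths are assumptions. The .efi files it writes are placeholders for the real signed binaries.

```shell
#!/bin/sh
# Added example: Secure Boot PXE layout and pre-flight checks (not from the original page).
# shim, once loaded by PXE, fetches grubx64.efi from the TFTP directory it came from,
# and grub fetches grub.cfg from the same place. The .efi files written here are
# placeholders; a real deployment copies the distribution's signed shimx64.efi and
# grubx64.efi (e.g. from the shim-x64 and grub2-efi-x64 packages) and can inspect
# their signatures with: sbverify --list shimx64.efi

# dnsmasq configuration (assumed server): UEFI x86-64 clients (PXE client
# architecture 7 or 9) get shim; everything else keeps the legacy syslinux loader.
# $1 = config file to write, $2 = TFTP root directory.
write_dnsmasq_conf() {
  cat > "$1" <<EOF
enable-tftp
tftp-root=$2
dhcp-match=set:efi-x86_64,option:client-arch,7
dhcp-match=set:efi-x86_64,option:client-arch,9
dhcp-boot=tag:efi-x86_64,shimx64.efi
dhcp-boot=tag:!efi-x86_64,pxelinux.0
EOF
}

# grub.cfg fetched by the shim-verified grub. linuxefi/initrdefi are the
# Fedora/RHEL GRUB2 commands that verify the kernel through shim's protocol.
# Installer paths and the repo URL are assumptions for the example.
write_grub_cfg() {
  cat > "$1/grub.cfg" <<'EOF'
set timeout=5
menuentry 'Network install (Secure Boot)' {
  linuxefi /images/vmlinuz inst.repo=http://192.0.2.10/repo/ ip=dhcp
  initrdefi /images/initrd.img
}
EOF
}

# Populate a TFTP root. Placeholder files stand in for the signed binaries.
make_tftp_root() {
  mkdir -p "$1/images"
  printf 'placeholder: copy the signed shimx64.efi here\n' > "$1/shimx64.efi"
  printf 'placeholder: copy the signed grubx64.efi here\n' > "$1/grubx64.efi"
  write_grub_cfg "$1"
}

# Boot file that the configuration hands to UEFI x86-64 clients.
efi_boot_file() {
  sed -n 's/^dhcp-boot=tag:efi-x86_64,//p' "$1"
}

# Pre-flight checks: UEFI clients must get shim (not grub or syslinux) first,
# and shim/grub must find grubx64.efi and grub.cfg next to it in the TFTP root.
# $1 = dnsmasq config, $2 = TFTP root. Returns 0 when the layout is usable.
check_config() {
  conf="$1"; root="$2"
  boot=$(efi_boot_file "$conf")
  case "$boot" in
    shim*.efi) ;;
    *) echo "UEFI clients must boot shim first, got '$boot'" >&2; return 1 ;;
  esac
  for f in "$root/$boot" "$root/grubx64.efi" "$root/grub.cfg"; do
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
  done
  return 0
}

# Demo run in a scratch directory.
demo_dir=$(mktemp -d)
make_tftp_root "$demo_dir/tftpboot"
write_dnsmasq_conf "$demo_dir/dnsmasq.conf" "$demo_dir/tftpboot"
check_config "$demo_dir/dnsmasq.conf" "$demo_dir/tftpboot" && echo "layout OK under $demo_dir"
```

In a real deployment, replace the placeholders with the signed shimx64.efi and grubx64.efi from your distribution before starting dnsmasq; on a booted client, `mokutil --sb-state` confirms that Secure Boot was enabled during the boot.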