I do create my own "EFI stub" by embedding the kernel and initrd in a GRUB image as memdisk using grub-mkimage. Then I sign that using my own keys and copy it over to the EFI partition. One cool thing about it is that I can still adjust kernel boot parameters, or load entirely different kernels by mounting the encrypted LVM volume of I really need to. Using the kernel's own stub support this isn't possible, but at the end the grub image still a single self-contained bootable EFI executable file, just like the Linux stub.
No comments yet.