UEFI Boot Sequence

According to the UEFI spec a device will initially start up and look for a particular file based on the architecture of the system: As we need to bypass the standard boot, we use the jailbreak to hack the process using a supplemental policy, which enables testsignmode. See EFI Signing for details

SoC will load the boot setup, then load up UEFI bios. UEFI will then load /efi/boot/bootarm.efi (which needs to be signed with a (hardcoded) secureboot-key) into ram and pass it control to then load other stuff in turn. We haven't been able to sign our own stuff yet ( if we could then we could just install uboot and bypass all the pain!). So.. we use Microsoft's, aka WindowsBootManager (/efi/boot/bootarm.efi) to eventually load our boot tool (i.e. grub2)

Microsoft's bootarm.efi checks for

efi/microsoft/boot/bcd (boot configuration data)

(which then loads our special "jailbreak" policy), then loads a test.efi shim, which finally loads a secondary EFI file - i.e. GRUB2 or uefi shell placed in the root.

/boot.efi Hardcoded bootloader boots "bootarm.efi"(1: windows bootmanager) Bootmanager loads BCD (2) Bootmanager loads SecureBootDebug.efi, and the SecureBootDebugPolicy.p7b Then loads a test.efi (lolhax? shim) [this can be changed to our own shim, eg https://github.com/imbushuo/boot-shim/releases ] Which finally loads our boot.efi

+efi
+---microsoft
+------boot
+---------fonts (obvious)
+---------bcd(2)
+---------(automatically generated files)
+---boot
+------bootarm.efi(1)
+unicode.pf2
+test.efi(3)
+grub.cfg
+BOOT.efi

More detail here - https://forum.xda-developers.com/windows-8-rt/rt-development/wip-secure-boot-linux-surface-rt-t3653848/page12

Also worth a look through https://wiki.debian.org/UEFI https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html