Thanks, I've read all of those posts, and I'm already using Matthew's shim
loader. I'm planning on taking a different approach more along the lines
of Chromium OS' verified boot:

http://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot

The difference between Fedora (and SUSE, Ubuntu, etc.) on one side and
Chromium OS and us on the other is that the distros are general purpose
and support booting any userspace, so there needs to be some restricting
of the kernel's capabilities to prevent writing an initscript that e.g.
kexecs a trojanned Windows. Matthew is submitting several patches upstream
to the kernel to lock down userspace access to kernelspace memory if the
kernel has been secure-booted, and I think Fedora at least is planning on
module signing and a push towards KMS everywhere, but backporting those
patches and switching to module signing would be a pain that I don't think
we need to do.

We (and Chromium OS) have the advantage that we're shipping a complete OS
image, so if we validate the image, we know that the initscripts and so
forth are clean, and we can allow our signed userspace code to modify
kernelspace. So if I can validate the OS image from GRUB, I don't need to
make a ton of intrusive changes to our kernel and X stack.

Besides, verified boot is a feature we already have been wanting to
implement, possibly with the TPM, but Secure Boot makes this available on
commodity hardware (instead of requiring a custom ROM as on Chromebooks).
And I think GRUB commands for verifying digitally-signed files and for
implementing dm-verity would be of general interest, even independent of
Secure Boot. Do you agree?

This isn't quite accurate - GPLv3 wasn't an issue, but using shim makes
it easier to guarantee that users can exercise their freedoms and also
means we don't have to upload a binary to Microsoft every time we update
grub.

Do you have something I can start from that you could drop somewhere? I
haven't begun implementing this yet, and I suspect that starting from your
code would be helpful for getting this done faster and also doing it in a
style compatible with upstream.

Also, a slightly more generic question -- what's a reasonable format here?
I'm kind of surprised to find that openssl has no generic command to sign
a file or verify it's signatures. I could use PGP, but we're already using
SSL-style certificates for Authenticode, so I'd prefer not generate
another key with a completely different format. That said, if more people
will find PGP verification useful, I can implement that.
http://code.google.com/p/cryptsetup/wiki/DMVerity
is the official documentation.

Briefly, you generate a salted hash tree of each block (and in turn of the
blocks containing the hashes) until you get a root hash. So with a trusted
way to get the root hash, the original device, and a device/file
containing the hashes, you can generate a new (read-only) device that
validates hashes up to the root, and throws an IO error if the data has
been tampered with.

The "veritysetup" command in sbin in recent cryptsetup versions can
generate the hash tree and print out the root hash.