On Mon, Feb 19, 2018 at 3:13 PM, Stephen Morris <samorris@xxxxxxxxxxxxxxx> wrote:
>
> I thought that with SB all your drivers etc had to be signed to be
> able to boot from a SecureBoot system, and as such Fedora were using
> Microsoft certificates, whereas Ubuntu was going down the path of self
> signing. Given what you said around the /usrlib/grub/x86_64-efi-signed
> directory, which doesn't exist on my system, and if I understood you
> correctly doesn't exist in fedora anyway, where are fedora's
> certificates, and, if I enable SecureBoot in my bios do I have to also
> load the default certificates that the bios offers?

Ubuntu's using an MS sig. The difference between Fedora and Ubuntu is that the latter doesn't require that kernel modules be signed.

The "/usr/lib/grub/x86_64-efi-signed/" is an Ubuntu directory. So the signed grub EFI executable is in "/boot/efi/EFI/ubuntu/" and "/usr/lib/grub/x86_64-efi-signed/". Fedora only ships the grub EFI executable in "/boot/efi/EFI/fedora/". So, if you run "grub-install" it's recreated and unsigned (I assume!).

AFAIK, "shim" is signed by MS (and is validated by an MS-supplied and -signed "thingy" in the firmware) and it embeds the Fedora sig with which grub, the kernel, and the kernel modules are signed and validated.
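
The reply above assumes that a grub EFI executable recreated by "grub-install" is unsigned. As an added example (not part of the original message), the Python below checks whether a PE/EFI image carries an embedded signature by walking its certificate table; it reports presence only and does not validate the signature against any key. The names `pe_signatures` and `build_sample` are hypothetical, and the sample image is constructed for the demonstration.

```python
import struct

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)

def pe_signatures(data: bytes):
    """Return [(length, cert_type), ...], one per WIN_CERTIFICATE entry."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image (no PE signature)")
    opt = pe_off + 24  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:    # PE32+, used by x86_64 EFI binaries
        count_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:  # PE32
        count_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic")
    if struct.unpack_from("<I", data, count_off)[0] <= CERT_DIR_INDEX:
        return []
    # For this directory the first field is a file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, dirs_off + 8 * CERT_DIR_INDEX)
    if off == 0 or size == 0:
        return []  # no embedded signature
    if off + size > len(data):
        raise ValueError("certificate table runs past end of file")
    entries, pos, end = [], off, off + size
    while pos + 8 <= end:
        length, _revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append((length, cert_type))  # type 2 = PKCS#7 SignedData
        pos += (length + 7) & ~7             # entries are 8-byte aligned
    return entries

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ headers, not a real bootloader."""
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)   # NumberOfRvaAndSizes
    img = bytearray(b"MZ" + bytes(58) + struct.pack("<I", 0x40)
                    + b"PE\0\0" + bytes(20)) + opt
    if signed:
        blob = b"\x30" * 13  # placeholder bytes standing in for PKCS#7 data
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 2) + blob
        cert += bytes(-len(cert) % 8)
        struct.pack_into("<II", img, 0x40 + 24 + 112 + 8 * CERT_DIR_INDEX,
                         len(img), len(cert))
        img += cert
    return bytes(img)
```

To inspect a real binary, pass the bytes of the EFI executable to `pe_signatures`; an empty list means the image has no embedded signature.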