On Wed, Dec 6, 2023 at 5:15 AM Gerd Hoffmann <kraxel@xxxxxxxxxx> wrote:
>
>   Hi,
>
> > What is the point of using shim in this path? We're not having UKIs
> > signed by Microsoft, and unless the Linux kernel knows how to call
> > shim for certificates, I don't see how this is supposed to be useful
> > for the Microsoft->Fedora->OS boot chain.
>
> Booting without shim.efi would work only if you enroll the fedora secure
> boot CA in your firmware's security database. That is not the default,
> and not all virtualization environments offer the option to do that.
>
> So, on a typical setup with the microsoft keys enrolled the firmware
> wouldn't load the UKI, exactly because it is not signed by microsoft.
> shim.efi is needed for everything signed with the fedora keys, be it
> grub.efi, fwupd.efi, traditional kernels or UKIs.
>
> Also note that fallback.efi (comes with shim and runs in case there is
> no UEFI boot configuration) will create only uefi boot entries including
> shim in the boot path, so there is no easy way to exclude shim.
>
> Ideally we would have shim.efi signed with both microsoft and fedora
> keys. In that case the firmware -> shim.efi -> fedora-signed.efi boot
> path would work in both cases (fedora keys / microsoft keys enrolled).
>

Does that mean that the Linux EFI boot code knows how to call back to
shim to get the certificates instead of reading the firmware directly?
Because without that, shim is kind of pointless.

Shim returns the certificates from firmware plus the embedded
distribution one (Fedora's in this case) when it's asked for them.

-- 
真実はいつも一つ!/ Always, there's only one truth!
-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue