Gerd Hoffmann <kraxel@xxxxxxxxxx> writes:
> Hi,
>
>> Does that mean that the Linux EFI boot code knows how to call back to
>> shim to get the certificates instead of reading the firmware directly?
>
> No. The linux efi stub doesn't need that.
>
> shim.efi does:
>
> (a) Set efi variables, where the linux kernel can read the
> certificates from. This works the same way for both traditional
> kernels and UKIs.
>
> (b) provide an efi protocol for bootloaders, which can be called by grub
> and systemd-boot to verify the signature for binaries they load
> (typically the linux kernel, but could also be fwupd.efi).
Note, the protocol is also used by systemd-stub (the base for UKIs) to
verify cmdline addons, see
commit 05c9f9c2517c54b98d55f08f8afa67c79be861e8
Author: Luca Boccassi <bluca@xxxxxxxxxx>
Date: Fri May 12 00:55:58 2023 +0100
stub: allow loading and verifying cmdline addons
this AFAIU means that we also need shim in the boot chain if we want to
support these addons.
--
Vitaly
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
