Package Details: shim-signed 15.8+ubuntu+1.59-1

Git Clone URL: https://aur.archlinux.org/shim-signed.git (read-only)
Package Base: shim-signed
Description: Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64 and AA64 binaries from Ubuntu)
Upstream URL: https://packages.ubuntu.com/noble/shim-signed
Keywords: fbx64 mmx64 MokManager SecureBoot shim shimx64 UEFI
Licenses: BSD-2-Clause
Submitter: nl6720
Maintainer: nl6720
Last Packager: nl6720
Votes: 34
Popularity: 0.55
First Submitted: 2016-12-07 12:04 (UTC)
Last Updated: 2024-12-08 10:23 (UTC)

Pinned Comments

nl6720 commented on 2021-05-28 11:19 (UTC)

shim 15.4 requires SBAT. It will not launch EFI binaries without a .sbat section.
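
Added example (not part of the comment above and not code from the shim project): one way to check whether an EFI binary carries the .sbat section that the comment says shim 15.4 requires, by walking the PE/COFF section table. The helper names, the header-only test image and the sample SBAT rows are constructed for illustration.

```python
import struct

def pe_sections(data: bytes) -> dict:
    """Map section name -> raw bytes by walking the PE/COFF section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsect,) = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    sections = {}
    for i in range(nsect):
        entry = table + 40 * i
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        sections[name] = data[raw_ptr:raw_ptr + raw_size]
    return sections

def sbat_entries(data: bytes):
    """Return the .sbat CSV rows, or None when the image has no .sbat section."""
    raw = pe_sections(data).get(".sbat")
    if raw is None:
        return None
    return [l.split(",") for l in raw.rstrip(b"\0").decode("utf-8").splitlines() if l]

def build_pe(sections: dict) -> bytes:
    """Constructed header-only PE image for the demo (not a bootable binary)."""
    pe_off = 0x40
    ptr = pe_off + 24 + 40 * len(sections)   # raw data starts after the headers
    image = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    body = b""
    for name, payload in sections.items():
        image += struct.pack("<8sIIIIIIHHI", name.encode(), len(payload), 0,
                             len(payload), ptr + len(body), 0, 0, 0, 0, 0)
        body += payload
    return image + body

# Constructed sample rows in the SBAT CSV layout; the second component is made up.
SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
        b"example.loader,1,Example Vendor,example-loader,1.0,https://example.invalid/\n")
WITH_SBAT = build_pe({".text": b"\0" * 16, ".sbat": SBAT})
WITHOUT_SBAT = build_pe({".text": b"\0" * 16})

if __name__ == "__main__":
    for label, img in (("with .sbat", WITH_SBAT), ("without .sbat", WITHOUT_SBAT)):
        print(label, "->", sbat_entries(img) or "no .sbat section")
```

To check a real binary, pass the file's bytes to sbat_entries(); a result of None means the image has no .sbat section.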

nl6720 commented on 2016-12-07 13:17 (UTC) (edited on 2024-12-08 10:29 (UTC) by nl6720)

shimx64.efi is signed with a Microsoft key; they also have a hardcoded Ubuntu key inside. MokManager (mmx64.efi) is signed with Ubuntu's key.

shimx64.efi can launch any EFI binary signed with Microsoft keys.

More information is available on the wiki: Secure Boot#shim.

fbx64.efi scans the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.


Alternative signed shim sources:

Latest Comments


joerichey commented on 2021-05-28 10:29 (UTC) (edited on 2021-05-28 10:35 (UTC) by joerichey)

This package should be updated to the latest version from Fedora. The old versions are currently on the DBX (due to BootHole), so users need to upgrade.

https://kojipkgs.fedoraproject.org//packages/shim/15.4/5/x86_64/shim-x64-15.4-5.x86_64.rpm

This version also fixes a lot of bugs (including the gnu-efi one), so the 13.4 workaround should no longer be needed.

chandradeepdey commented on 2021-01-23 17:20 (UTC) (edited on 2021-01-23 17:22 (UTC) by chandradeepdey)

@nl6720 https://fedoramagazine.org/announcing-fedora-33/ see "A note on Secure Boot".

Idk what they mean by "before broad-scale certificate revocation takes place" because Windows updates the list regardless of vendors providing updated firmware.

nl6720 commented on 2021-01-23 11:54 (UTC)

UEFI Revocation List dbxupdate_x64.bin, dated October 12, 2020, contains three certs as far as dbxtool can tell. I don't really know how to find out what they are.

shimx64.efi is signed with Microsoft Corporation UEFI CA 2011, is it really blacklisted? @chandradeepdey, has this issue been reported to Fedora?

chandradeepdey commented on 2021-01-23 10:11 (UTC)

The key used to sign shimx64.efi has been blacklisted for months now and Fedora isn't releasing a new version. Can this be switched to the Ubuntu shim and shim-signed packages?

nl6720 commented on 2019-12-19 20:42 (UTC)

shim is compiled with gnu-efi. The MokManager from 13.4 will be needed until Fedora recompiles their shim with a fixed gnu-efi (I forgot which version contains the fix, but the latest should be fine). That will most likely not happen until there is a new version of shim.

Soroshi commented on 2019-12-19 20:31 (UTC)

I'm not clear how gnu-efi is related to shim (is it compiled into shim?), but with this issue closed (https://github.com/rhboot/shim/issues/143), do we still need to be pulling version 13.4 of MokManager?

jussihi commented on 2018-08-09 16:08 (UTC) (edited on 2018-08-09 16:09 (UTC) by jussihi)

The openssl command did not fail, and the boot configuration (USB stick) worked on another laptop flawlessly. I don't know what's up with that but I think that the bug is in shim itself. I opened an issue on their GitHub (https://github.com/rhboot/shim/issues/143).

Thanks for a quick response though! Shim seems to work on every machine except my own laptop :)

nl6720 commented on 2018-08-09 11:11 (UTC)

Just because it has a .cer or .der extension doesn't mean that it's a DER format certificate. Run openssl x509 -noout -text -inform DER -in MOK.cer. If it fails then the cert is not in DER format and you need to convert it.

jussihi commented on 2018-08-09 09:08 (UTC)

I keep getting the error "Unsupported Format: Only DER encoded certificate (*.cer/der/crt) is supported"

From source code (https://github.com/rhboot/shim/blob/master/MokManager.c#L1908) it seems like I have a wrong filename suffix for my cert, but the file name is indeed "MOK.cer".

Is this a bug?

crazyh commented on 2018-04-24 15:29 (UTC)

Sorry, my mistake.