Hi,

> (hint: You really don't want or need shim on ARM. The only reason for shim
> is that on most x86 desktop systems, users will have the MS keys
> preinstalled. The MS Secure Boot concept however is terribly broken: Any
> compromise of any of the MS signed binaries jeopardizes your boot chain.
> You're a lot better off installing *only* your distribution's key material.
> That way you at least you know who you trust. Just remove shim. Have a look
> at how Amazon Linux 2023 did it [2] :))
You are in the luxurious position to run your own distro on your own platform, which makes this totally easy.

The RH bootloader team considers shim.efi being an essential part of the boot chain (to the point that the distro grub.efi throws errors with secure boot being enabled and shim.efi missing), and on x86 bare metal it actually is essential because hardware usually ships with only the microsoft certificate enrolled.

At least they promised to sign shim with both distro and microsoft keys on the next update, so I have the option to enroll the distro instead of the microsoft keys in 'db' on platforms where this is possible.

take care,
  Gerd

View/Reply Online (#112038): https://edk2.groups.io/g/devel/message/112038
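As an added example (not code from this thread, nor from edk2, shim or any distro named in it), a small Python audit of what is actually enrolled in the Secure Boot 'db': it parses the chain of EFI_SIGNATURE_LISTs as stored in the efivars file and lists every trusted certificate or hash with its SignatureOwner GUID, which is how you check that only your distribution's key material is present. The efivars path is an assumption about Linux, and the sample blob is constructed for the run.

```python
import hashlib
import struct
import uuid
from pathlib import Path

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
# Assumed efivars path of the 'db' variable on Linux (suffix is EFI_IMAGE_SECURITY_DATABASE_GUID).
EFIVARS_DB = Path("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e8b7e10")

def parse_signature_lists(blob):
    """Return [(type, owner_guid, payload)] for every entry of a chained EFI_SIGNATURE_LIST blob."""
    entries, off = [], 0
    while off < len(blob):
        if off + 28 > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # GUIDs are stored mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        sigs = blob[off + 28 + hdr_size:off + list_size]
        if len(sigs) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        for i in range(0, len(sigs), sig_size):  # each EFI_SIGNATURE_DATA = owner GUID + data
            owner = uuid.UUID(bytes_le=sigs[i:i + 16])
            entries.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)), owner, sigs[i + 16:i + sig_size]))
        off += list_size
    return entries

def summarize(blob):
    """One (type, owner, sha256-prefix-of-payload) tuple per trusted cert or hash; compare owners with your distro's."""
    return [(t, str(o), hashlib.sha256(p).hexdigest()[:16]) for t, o, p in parse_signature_lists(blob)]

def build_signature_list(sig_type, owner, payloads):
    """Assemble one EFI_SIGNATURE_LIST (all payloads must share a size); used here to construct test data."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(payloads[0])) + body

# Constructed sample: one fake X.509 entry from "owner 1" plus two SHA-256 hash entries from "owner 2".
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, uuid.UUID(int=1), [b"constructed-der-bytes"])
             + build_signature_list(EFI_CERT_SHA256_GUID, uuid.UUID(int=2), [b"\x00" * 32, b"\x11" * 32]))

if __name__ == "__main__":
    # Real variable files carry a 4-byte attribute word before the signature lists.
    blob = EFIVARS_DB.read_bytes()[4:] if EFIVARS_DB.exists() else SAMPLE_DB
    for sig_type, owner, digest in summarize(blob):
        print(f"{sig_type:7} owner={owner} payload-sha256={digest}")
```

On a real system the owner GUIDs tell you which signer each entry came from; an X509 payload is the DER certificate, so you can feed it to `openssl x509 -inform DER` to read its subject.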