Hi,

> (hint: You really don't want or need shim on ARM. The only reason for shim
> is that on most x86 desktop systems, users will have the MS keys
> preinstalled. The MS Secure Boot concept however is terribly broken: Any
> compromise of any of the MS signed binaries jeopardizes your boot chain.
> You're a lot better off installing *only* your distribution's key material.
> That way you at least you know who you trust. Just remove shim. Have a look
> at how Amazon Linux 2023 did it [2] :))

You are in the luxurious position to run your own distro on your own
platform, which makes this totally easy.

The RH bootloader team considers shim.efi being an essential part of the
boot chain (to the point that the distro grub.efi throws errors with
secure boot being enabled and shim.efi missing), and on x86 bare metal
it actually is essential because hardware usually ships with only the
microsoft certificate enrolled.

At least they promised to sign shim with both distro and microsoft keys
on the next update, so I have the option to enroll the distro instead of
the micosoft keys in 'db' on platforms where this is possible.

take care,
  Gerd



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112038): https://edk2.groups.io/g/devel/message/112038
Mute This Topic: https://groups.io/mt/102967690/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-


Reply via email to