Gerd Hoffmann <kra...@redhat.com> writes:
> Hi,
>
>> Does that mean that the Linux EFI boot code knows how to call back to
>> shim to get the certificates instead of reading the firmware directly?
>
> No. The linux efi stub doesn't need that.
>
> shim.efi does:
>
> (a) Set efi variables, where the linux kernel can read the
> certificates from. This works the same way for both traditional
> kernels and UKIs.
>
> (b) provide an efi protocol for bootloaders, which can be called by grub
> and systemd-boot to verify the signature for binaries they load
> (typically the linux kernel, but could also be fwupd.efi).
Note, the protocol is also used by systemd-stub (the base for UKIs) to
verify cmdline addons, see
commit 05c9f9c2517c54b98d55f08f8afa67c79be861e8
Author: Luca Boccassi <bl...@debian.org>
Date: Fri May 12 00:55:58 2023 +0100
stub: allow loading and verifying cmdline addons
this AFAIU means that we also need shim in the boot chain if we want to
support these addons.
--
Vitaly
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
