Hi,
 
> What is the point of using shim in this path? We're not having UKIs
> signed by Microsoft, and unless the Linux kernel knows how to call
> shim for certificates, I don't see how this is supposed to be useful
> for the Microsoft->Fedora->OS boot chain.

Booting without shim.efi would work only if you enroll the Fedora secure
boot CA in your firmware's security database.  That is not the default,
and not all virtualization environments offer the option to do that.

So, on a typical setup with the Microsoft keys enrolled the firmware
wouldn't load the UKI, exactly because it is not signed by Microsoft.
shim.efi is needed for everything signed with the Fedora keys, be it
grub.efi, fwupd.efi, traditional kernels or UKIs.

Also note that fallback.efi (comes with shim and runs in case there is
no UEFI boot configuration) will create only UEFI boot entries including
shim in the boot path, so there is no easy way to exclude shim.

Ideally we would have shim.efi signed with both Microsoft and Fedora
keys.  In that case the firmware -> shim.efi -> fedora-signed.efi boot
path would work in both cases (Fedora keys / Microsoft keys enrolled).

take care,
  Gerd
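The point above is that firmware only launches a binary whose signing CA is present in the Secure Boot db, which is why a Microsoft-signed shim carrying the Fedora CA has to sit in front of every Fedora-signed .efi. The Python below is an added illustration, not code from this thread or from the shim project: it parses the EFI_SIGNATURE_LIST format in which db is stored and answers the question directly, namely whether a given CA is enrolled and therefore whether the binary it signed needs shim. The certificate bytes and the owner GUID are constructed placeholders, and the sample databases are built inline rather than read from efivarfs.

```python
"""Parse UEFI signature databases (db/dbx/KEK, EFI_SIGNATURE_LIST format)
and decide whether a binary signed by a given CA can boot without shim.

Sample data is constructed for this example; the "certificates" are
placeholder byte strings, not real DER certificates.
"""
import hashlib
import struct
import uuid
from dataclasses import dataclass
from typing import Iterator, List

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# Hypothetical SignatureOwner GUID used only for the constructed sample.
SAMPLE_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")


@dataclass
class SignatureEntry:
    sig_type: uuid.UUID
    owner: uuid.UUID
    data: bytes  # DER certificate for X509 lists, digest for SHA256 lists


def parse_signature_lists(blob: bytes) -> Iterator[SignatureEntry]:
    """Walk concatenated EFI_SIGNATURE_LIST structures (little-endian):
    GUID SignatureType | u32 SignatureListSize | u32 SignatureHeaderSize |
    u32 SignatureSize | header bytes | N x (owner GUID + SignatureData).
    Raises ValueError on truncated or inconsistent input."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("EFI_SIGNATURE_LIST size out of bounds")
        if sig_size < 16:
            raise ValueError("SignatureSize smaller than the owner GUID")
        body_start = off + 28 + hdr_size
        body_len = list_size - 28 - hdr_size
        if body_len % sig_size != 0:
            raise ValueError("signature array not a multiple of SignatureSize")
        for i in range(body_len // sig_size):
            s = body_start + i * sig_size
            owner = uuid.UUID(bytes_le=blob[s:s + 16])
            yield SignatureEntry(sig_type, owner, blob[s + 16:s + sig_size])
        off += list_size


def strip_efivarfs_attributes(raw: bytes) -> bytes:
    """Files under /sys/firmware/efi/efivars/ prefix the payload with a
    4-byte attribute word; drop it before parsing."""
    return raw[4:]


def is_well_formed(db: bytes) -> bool:
    try:
        for _ in parse_signature_lists(db):
            pass
        return True
    except ValueError:
        return False


def enrolled_x509_certs(db: bytes) -> List[bytes]:
    return [e.data for e in parse_signature_lists(db)
            if e.sig_type == EFI_CERT_X509_GUID]


def ca_enrolled(db: bytes, cert_der: bytes) -> bool:
    """True if cert_der appears verbatim as an X.509 entry in db."""
    return any(c == cert_der for c in enrolled_x509_certs(db))


def needs_shim(db: bytes, signer_ca_der: bytes) -> bool:
    """Firmware loads a binary directly only if its signing CA is in db;
    otherwise a shim signed with an enrolled key must carry that CA."""
    return not ca_enrolled(db, signer_ca_der)


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID,
                         entries: List[bytes]) -> bytes:
    """Encode one EFI_SIGNATURE_LIST; every entry must have the same size."""
    if len({len(e) for e in entries}) != 1:
        raise ValueError("entries in one list must have equal size")
    sig_size = 16 + len(entries[0])
    list_size = 28 + sig_size * len(entries)
    header = sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + b"".join(owner.bytes_le + e for e in entries)


# Constructed placeholders standing in for DER-encoded CA certificates.
MICROSOFT_CA = b"PLACEHOLDER-MICROSOFT-UEFI-CA"
FEDORA_CA = b"PLACEHOLDER-FEDORA-SECURE-BOOT-CA"

# A db as shipped by default: Microsoft CA plus one allowed-binary hash.
SAMPLE_DB_MS_ONLY = (
    build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [MICROSOFT_CA])
    + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                           [hashlib.sha256(b"constructed-binary").digest()])
)
# The same db after the distribution CA has been enrolled by the admin.
SAMPLE_DB_WITH_FEDORA = SAMPLE_DB_MS_ONLY + build_signature_list(
    EFI_CERT_X509_GUID, SAMPLE_OWNER, [FEDORA_CA])

if __name__ == "__main__":
    print("default db, Fedora-signed UKI needs shim:",
          needs_shim(SAMPLE_DB_MS_ONLY, FEDORA_CA))
    print("Fedora CA enrolled, UKI needs shim:",
          needs_shim(SAMPLE_DB_WITH_FEDORA, FEDORA_CA))
```

On a real machine the db payload is the efivarfs file `db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` minus its attribute prefix, and the comparison should use the DER bytes of the actual distribution CA rather than these placeholders; the parser also rejects truncated or inconsistently sized lists instead of silently reading past the end.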
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org