On Thu, May 28, 2026 at 03:28:05PM +0100, Peter Maydell wrote:
> On Thu, 21 May 2026 at 12:28, Gerd Hoffmann <[email protected]> wrote:
> >
> > Also little refactoring in preparation
> > to avoid code duplication.
> >
> > Gerd Hoffmann (3):
> > hw/nvram: add load_image_to_fw_cfg_file()
> > hw/i386: switch shim loading to load_image_to_fw_cfg_file
> > hw/arm: add support for shim loading
>
> Any chance of some information on what this is?
It passes the shim binary to the EFI firmware,
in addition to the kernel binary.
x86 has had this for a while already; this brings arm on par.
Docs update with some background below.

Take care,
Gerd
--- a/docs/system/linuxboot.rst
+++ b/docs/system/linuxboot.rst
@@ -17,6 +17,15 @@ Use ``-kernel`` to provide the Linux kernel image and
``-append`` to
give the kernel command line arguments. The ``-initrd`` option can be
used to provide an INITRD image.
+The ``-shim`` option specifies the shim.efi binary. This is needed
+when using direct kernel boot with UEFI secure boot enabled. The
+verification chain used by linux distros requires shim.efi. Typically
+shim.efi is signed by micsosoft and verified by the firmware. The
+linux kernel is signed by the distro and is verified by shim.efi. So
+without shim.efi in the loop secure boot verification will not work.
+Usually you can find shim.efi as ``EFI/BOOT/BOOT{X64,AA64}.EFI`` on
+distro install media.
+
If you do not need graphical output, you can disable it and redirect the
virtual serial port and the QEMU monitor to the console with the
``-nographic`` option. The typical command line is:
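Review bot: typo in the added ``-shim`` paragraph: "signed by micsosoft" should read "signed by Microsoft". In the same paragraph, "linux distros" and "linux kernel" should be capitalized as "Linux" to match the existing text around it ("the Linux kernel image"). As quoted here, the new paragraph begins directly after "used to provide an INITRD image." with no blank line in between, so please check that the rendered RST keeps the ``-initrd`` and ``-shim`` text as separate paragraphs.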