On Thu, 4 Jun 2026 at 10:27, Gerd Hoffmann <[email protected]> wrote:
>
> On Thu, May 28, 2026 at 03:28:05PM +0100, Peter Maydell wrote:
> > On Thu, 21 May 2026 at 12:28, Gerd Hoffmann <[email protected]> wrote:
> > >
> > > Also little refactoring in preparation
> > > to avoid code duplication.
> > >
> > > Gerd Hoffmann (3):
> > >   hw/nvram: add load_image_to_fw_cfg_file()
> > >   hw/i386: switch shim loading to load_image_to_fw_cfg_file
> > >   hw/arm: add support for shim loading
> >
> > Any chance of some information on what this is?
>
> It passes the shim binary to the efi firmware,
> in addition to the kernel binary.
>
> x86 has had this for a while already; this brings arm on par.
>
> docs update with some background below.
>
> take care,
>   Gerd
>
> --- a/docs/system/linuxboot.rst
> +++ b/docs/system/linuxboot.rst
> @@ -17,6 +17,15 @@ Use ``-kernel`` to provide the Linux kernel image and 
> ``-append`` to
>  give the kernel command line arguments. The ``-initrd`` option can be
>  used to provide an INITRD image.
>
> +The ``-shim`` option specifies the shim.efi binary.  This is needed
> +when using direct kernel boot with UEFI secure boot enabled.  The
> +verification chain used by linux distros requires shim.efi.  Typically
> +shim.efi is signed by micsosoft and verified by the firmware.  The
> +linux kernel is signed by the distro and is verified by shim.efi.  So
> +without shim.efi in the loop secure boot verification will not work.
> +Usually you can find shim.efi as ``EFI/BOOT/BOOT{X64,AA64}.EFI`` on
> +distro install media.
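Review bot: the new paragraph (lines starting "The ``-shim`` option") should state what the firmware does with the shim binary once QEMU has passed it through, i.e. whether shim.efi is executed as the first-stage loader that then verifies and starts the kernel, or whether it is only verified; as written ("This is needed when using direct kernel boot with UEFI secure boot enabled") the reader cannot tell, and the same question is raised in the reply above. It should also spell out the observable consequence of omitting ``-shim`` with secure boot enabled (boot refused by the firmware versus verification silently skipped), since "secure boot verification will not work" covers both. Spelling: "micsosoft" should be "Microsoft", and "linux distros" / "linux kernel" should be "Linux distros" / "Linux kernel".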

Thanks. I'm not sure why you'd want to enable UEFI secure boot
when you're not booting via UEFI, though.

Do we actually run the shim.efi code, or is it just there to
be "verified"?

-- PMM
