On Mon, Jun 08, 2026 at 10:24:28AM +0100, Peter Maydell wrote:
> On Thu, 4 Jun 2026 at 10:27, Gerd Hoffmann <[email protected]> wrote:
> >
> > On Thu, May 28, 2026 at 03:28:05PM +0100, Peter Maydell wrote:
> > > On Thu, 21 May 2026 at 12:28, Gerd Hoffmann <[email protected]> wrote:
> > > >
> > > > Also little refactoring in preparation
> > > > to avoid code duplication.
> > > >
> > > > Gerd Hoffmann (3):
> > > >   hw/nvram: add load_image_to_fw_cfg_file()
> > > >   hw/i386: switch shim loading to load_image_to_fw_cfg_file
> > > >   hw/arm: add support for shim loading
> > >
> > > Any chance of some information on what this is?
> >
> > It passes the shim binary to the efi firmware,
> > in addition to the kernel binary.
> >
> > x86 has this for a while already, this brings arm on par.
> >
> > docs update with some background below.
> >
> > take care,
> >   Gerd
> >
> > --- a/docs/system/linuxboot.rst > > +++ b/docs/system/linuxboot.rst > > @@ -17,6 +17,15 @@ Use ``-kernel`` to provide the Linux kernel image and > > ``-append`` to > > give the kernel command line arguments. The ``-initrd`` option can be > > used to provide an INITRD image. > > > > +The ``-shim`` option specifies the shim.efi binary. This is needed > > +when using direct kernel boot with UEFI secure boot enabled. The > > +verification chain used by linux distros requires shim.efi. Typically > > +shim.efi is signed by micsosoft and verified by the firmware. The > > +linux kernel is signed by the distro and is verified by shim.efi. So > > +without shim.efi in the loop secure boot verification will not work. > > +Usually you can find shim.efi as ``EFI/BOOT/BOOT{X64,AA64}.EFI`` on > > +distro install media.
>
> Thanks. I'm not sure why you'd want to enable UEFI secure boot
> when you're not booting via UEFI, though.

When not booting via UEFI you can ignore that.

> Do we actually run the shim.efi code, or is it just there to
> be "verified" ?

edk2 firmware will load + run it (if present).

take care,
  Gerd
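
Review bot: In the added ``-shim`` paragraph of docs/system/linuxboot.rst, "micsosoft" is misspelled and should read "Microsoft", and "linux distros" / "linux kernel" should be capitalised as "Linux" to match the unchanged context line above it ("the Linux kernel image"). The paragraph also says shim.efi is "verified by the firmware" without stating that the firmware then loads and runs it, or that the option can be ignored when the guest is not booted via UEFI. Both points came up as questions in this thread, so one sentence covering each would make the documented verification chain (firmware verifies shim.efi, shim.efi verifies the kernel) complete for readers.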
