Signed-off-by: Gerd Hoffmann <[email protected]>
---
docs/system/linuxboot.rst | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/docs/system/linuxboot.rst b/docs/system/linuxboot.rst
index f7573ab80a..c787481ccc 100644
--- a/docs/system/linuxboot.rst
+++ b/docs/system/linuxboot.rst
@@ -17,6 +17,23 @@ Use ``-kernel`` to provide the Linux kernel image and
``-append`` to
give the kernel command line arguments. The ``-initrd`` option can be
used to provide an INITRD image.
+The ``-shim`` option specifies the ``shim.efi`` binary. This is needed
+when you are booting UEFI firmware and using the ``-kernel`` option to
+tell UEFI to boot a specific kernel image, and the UEFI firmware you
+are booting has UEFI secure boot enabled.
+
+When this option is specified, the guest UEFI firmware will first
+load, verify and run the shim binary, which is typically signed by
+Microsoft so the firmware accepts it. The shim binary in turn will
+load and verify the Linux kernel. The kernel is typically signed by
+the distro and the certificates needed to verify them are compiled
+into the shim binary, so shim + kernel must come from the same Linux
+distribution.
+
+Usually you can find shim.efi as ``EFI/BOOT/BOOT{X64,AA64}.EFI`` on
+distro install media. You might find a second shim copy in the
+``EFI/$distro/`` directory.
+
If you do not need graphical output, you can disable it and redirect the
virtual serial port and the QEMU monitor to the console with the
``-nographic`` option. The typical command line is:
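Review bot: the first added paragraph says ``-shim`` is "needed" when ``-kernel`` is used with secure boot enabled, but it does not say what happens when ``-shim`` is given without ``-kernel``, or when secure boot is disabled in the guest firmware. One sentence covering those two cases would keep readers from guessing. In the second added paragraph, "the certificates needed to verify them" has no plural antecedent, since only the kernel is being verified; "verify it" reads correctly. In the third added paragraph, "find shim.efi as" should use the literal markup ``shim.efi``, as the first added line does.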
--
2.54.0