On Fri, 12 Jun 2026 at 17:17, Gerd Hoffmann <[email protected]> wrote: > > Signed-off-by: Gerd Hoffmann <[email protected]> > --- > docs/system/linuxboot.rst | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > diff --git a/docs/system/linuxboot.rst b/docs/system/linuxboot.rst > index f7573ab80a..c787481ccc 100644 > --- a/docs/system/linuxboot.rst > +++ b/docs/system/linuxboot.rst > @@ -17,6 +17,23 @@ Use ``-kernel`` to provide the Linux kernel image and > ``-append`` to > give the kernel command line arguments. The ``-initrd`` option can be > used to provide an INITRD image. > > +The ``-shim`` option specifies the ``shim.efi`` binary. This is needed > +when you are booting UEFI firmware and using the ``-kernel`` option to > +tell UEFI to boot a specific kernel image, and the UEFI firmware you > +are booting has UEFI secure boot enabled. > + > +When this option is specified, the guest UEFI firmware will first > +load, verify and run the shim binary, which is typically signed by > +Microsoft so the firmware accepts it. The shim binary in turn will > +load and verify the Linux kernel. The kernel is typically signed by > +the distro and the certificates needed to verify them are compiled > +into the shim binary, so shim + kernel must come from the same Linux
extremely minor nit, I think I would say "and" rather than "+" here. Anyway Reviewed-by: Peter Maydell <[email protected]> thanks -- PMM
