Package Details: shim-efi 15-3

Git Clone URL: https://aur.archlinux.org/shim-efi.git (read-only)
Package Base: shim-efi
Description: Bootloader for UEFI Secure Boot
Upstream URL: https://github.com/rhboot/shim/
Licenses: BSD
Submitter: vorpalblade
Maintainer: dbermond
Last Packager: dbermond
Votes: 6
Popularity: 0.063291
First Submitted: 2015-08-29 15:08
Last Updated: 2019-09-06 18:50

Dependencies (2)

Required by (0)

Sources (2)

Latest Comments

dbermond commented on 2019-02-06 01:54

@diabonas Thank you for the interest. This package is on the radar for making appropriate improvements. I'm just not having enough time yet due to other priorities :)

diabonas commented on 2019-01-28 10:45

A couple of suggestions for this package:

  • The URL should be updated to the new upstream URL https://github.com/rhboot/shim
  • This package is licensed under a BSD license, not under the GPL, see the COPYRIGHT file. As a corollary, the license needs to be installed to /usr/share/licenses.
  • The package shouldn't provide and conflict the corresponding VCS package. IMHO the provides and conflicts arrays aren't necessary at all.
  • I don't see the need for the given depends and optdepends. IMHO the only necessary dependency is a makedepends on gnu-efi-libs.
  • It would be easier to install the EFI files with make DESTDIR="$pkgdir" install-as-data instead of manually copying them with install. This would also take care of the following point:
  • The package in its current form is a bit useless, because it is missing the files mmx64.efi and fbx64.efi: these should be installed in package(), but the .efi.signed files referred to there are never going to exist with this configuration: you are supposed to sign the binaries yourself with the private part of the certificate specified in VENDOR_CERT_FILE; the package can't do that itself because it is only given the public part. The only way for these files to exist is to specify ENABLE_SHIM_CERT=1 during make, which generates a throwaway key and signs mmx64.efi and fbx64.efi with it. However, if you are using VENDOR_CERT_FILE, you don't want this because you have your own signing key anyway.
  • Using options=('!strip') and unsetting CFLAGS/LDFLAGS/.../MAKEFLAGS is not necessary: The resulting binaries are exactly the same without these, as can be seen easily by comparing them with cmp.
  • Building from the Git tag "$pkgver" gives the advantage of having verified sources, signed by project maintainer Peter Jones (key fingerprint: B00B48BC731AA8840FED9FB0EED266B70F4FEF10).
  • (Completely optional: It might be nice to enable PXE boot with the ENABLE_HTTPBOOT=1 option to make.)

To sum up, I suggest using a PKGBUILD which is more along the following lines: https://gist.github.com/diabonas/693548bc921506ddf78b6f4e6692ed51

Seeing that you are a TU, would you be willing to adopt this as an official package? This would be extremely helpful for Secure Boot support, see my recent mailing list post. As a first step, it would be enough to have a shim without any custom VENDOR_CERT_FILE embedded, so you could completely remove the stuff related to that, and possibly the .install file as well: https://gist.github.com/diabonas/cd286695605c0880b4e2158c37d40952
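The VENDOR_CERT_FILE / ENABLE_SHIM_CERT=1 choice described in the comment above, as an added shell example that is not part of this thread, the linked gists, or the shim project's own build system: a helper that assembles the make variables for a shim build, checks up front that the vendor certificate exists (the cert.S "file not found" failure reported further down this page otherwise surfaces only at assembly time) and refuses to embed anything that looks like a private key. The private-key check and the function name are this example's own additions, and unconditionally passing ENABLE_HTTPBOOT=1 is an assumption taken from the optional suggestion in the comment.

```shell
#!/bin/sh
# Added example, not the shim project's code or the PKGBUILD discussed above.
# Prints one make assignment per line for a shim build:
#   - with a vendor cert: VENDOR_CERT_FILE=<path>  (you sign mmx64.efi/fbx64.efi
#     yourself with the matching private key, so ENABLE_SHIM_CERT is NOT set)
#   - without one:        ENABLE_SHIM_CERT=1      (the build generates a throwaway
#     key and signs mmx64.efi/fbx64.efi itself)
# Usage: shim_make_flags [vendor_cert_path]
shim_make_flags() {
    cert="$1"
    if [ -n "$cert" ]; then
        # Fail early with a clear message instead of letting the assembler
        # report "file not found" from cert.S halfway through the build.
        if [ ! -r "$cert" ]; then
            echo "vendor certificate not readable: $cert" >&2
            return 1
        fi
        # Only the public certificate may be embedded; a PEM private key is
        # recognisable by its header (assumed check, added in this example).
        if grep -q 'PRIVATE KEY' "$cert" 2>/dev/null; then
            echo "refusing to embed a private key: $cert" >&2
            return 1
        fi
        printf 'VENDOR_CERT_FILE=%s\n' "$cert"
    else
        # No vendor cert: let the build self-sign mmx64.efi and fbx64.efi.
        printf 'ENABLE_SHIM_CERT=1\n'
    fi
    # Optional HTTP/PXE boot support (assumed always wanted here).
    printf 'ENABLE_HTTPBOOT=1\n'
}

# Example invocation, e.g. from build() in a PKGBUILD:
#   make $(shim_make_flags /etc/efi/certs/pub.crt)
#   make DESTDIR="$pkgdir" install-as-data
```

The output is meant to be word-split into a make command line, so paths containing whitespace would need quoting beyond what this helper does.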

vorpalblade commented on 2017-06-06 11:26

ca-certificates does not have signing keys for secure boot.

Since you are using shim-efi, it is assumed that you want to have your own keys, which I have defaulted to /etc/efi/certs.

Again, ca-certificates ARE NOT usable for secure boot.

If you do not want to use secure boot, modify line 54 (I'm fixing this and pushing here in a minute).

Anonymous comment on 2017-06-06 06:42

I get an error

cert.S: Assembler messages:
cert.S:25: Error: file not found: /etc/efi/certs/pub.crt
make: *** [Makefile:133: cert.o] Error 1
==> ERROR: A failure occurred in build().
Aborting...
:: failed to build shim-efi package(s)

For a start, ca-certificates in Arch are located in /usr/share/ca-certificates/, but there is more: no Arch package has a file in that path, so it will fail.