@dino66 Got hit by the same issue when upgrading systemd. Strangely enough, downgrading systemd & systemd-libs to 257.2-1 restored correct behavior.
Package Details: shim-signed 15.8+ubuntu+1.59-1
Git Clone URL: | https://aur.archlinux.org/shim-signed.git |
---|---|
Package Base: | shim-signed |
Description: | Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64 and AA64 binaries from Ubuntu) |
Upstream URL: | https://packages.ubuntu.com/noble/shim-signed |
Keywords: | fbx64 mmx64 MokManager SecureBoot shim shimx64 UEFI |
Licenses: | BSD-2-Clause |
Submitter: | nl6720 |
Maintainer: | nl6720 |
Last Packager: | nl6720 |
Votes: | 33 |
Popularity: | 1.16 |
First Submitted: | 2016-12-07 12:04 (UTC) |
Last Updated: | 2024-12-08 10:23 (UTC) |
Dependencies (0)
Required by (3)
- refind-btrfs-c3-c4-git (optional)
- refind-git (optional)
- secureboot-grub
Sources (2)
User00891 commented on 2025-01-15 06:46 (UTC)
dino66 commented on 2025-01-10 17:56 (UTC)
Hi, I'd like to discuss this issue I've described here, https://answers.launchpad.net/ubuntu/+source/shim-signed/+question/819989, that is, me not being able to enroll hashes with mmx because for every EFI I try I get a message ~ "EFI not valid (OxE) not found" (see link for the exact error), while I know it is valid because I can use them while SB is not enabled. And I'm also quite sure I've been able to do it before because I could boot the system at least once before I made an upgrade and broke it. Any help you could give will be appreciated.
adv commented on 2024-08-29 16:29 (UTC)
I am using shim-signed and it works great. My Dell Inspiron 5593 firmware has the Microsoft UEFI CA 2011 certificate enrolled. If I upgrade to Microsoft UEFI CA 2023 will shim-signed continue to work?
Thanks in advance.
jongeduard commented on 2024-07-06 21:21 (UTC) (edited on 2024-07-06 21:28 (UTC) by jongeduard)
Sorry, just forget about my previous comment! I believe it's actually my mistake. 😁 Turns out I have made a change in the script that I wrote to perform the whole installing procedure, believing that it was an oversight and changing it was a good idea.
I'll explain it here so that other people making the same mistake can learn from it:
I changed it to copy everything from /usr/share/shim-signed/ to my /boot/efi/EFI/<bootloader-name>/ location, instead of only specific files.
And that was not supposed to be done, according to the wiki 🧐:
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Set_up_shim
"Note: Make sure you do not copy fbx64.efi (which is under the same directory) unless you actually have a valid bootx64.csv to use. Otherwise shim will not execute grubx64.efi but will appear to fail to work and just reset the machine."
Whoops. Moral of the story: Always read the wiki, also do it again when changing things later. :)
jongeduard commented on 2024-04-28 14:58 (UTC) (edited on 2024-04-28 15:04 (UTC) by jongeduard)
Is the currently used version not supposed to work with booting from a USB device? Or am I missing something? I cannot boot GRUB on my USB drive with Secure Boot enabled anymore.
Using this thing in the EFI partition on my laptop and desktop builtin SSD works fine, which proves that for a part things still go actually right.
But on a portable device (on which I maintain a separate Arch installation, a bit like a live disk but then actually writable and usable to work on as well) I also used it.
In this way I was nicely able to boot my drive on Secure Boot enabled systems (useful as a way for me to quickly fix problems, and also on systems where Secure Boot cannot be disabled). I sign the actual GRUB binary and kernel with my own keys.
But turns out on the USB device I was still using a Fedora shim from 2022 as it seems. But also from this AUR repo.
project0 commented on 2024-04-10 11:40 (UTC)
There is already a noble package published: http://archive.ubuntu.com/ubuntu/pool/main/s/shim-signed/shim-signed_1.58+15.8-0ubuntu1_amd64.deb
nl6720 commented on 2024-04-05 15:54 (UTC)
I'm waiting for Ubuntu to publish a new 15.8 amd64 package. I'm assuming it should happen before 2024-04-11 when the Ubuntu 24.04 LTS beta is scheduled.
adv commented on 2024-04-05 15:49 (UTC)
@nl6720 Would you kindly let us know when the package will be updated? It is currently out of date
philch commented on 2024-04-01 20:48 (UTC) (edited on 2024-04-01 20:51 (UTC) by philch)
Thank you @nl6720 and @solsticedhiver for the response.
Yes I have executed the grub-install command using the helper scripts available in this repository: Aur-secureboot-grub 0.2.3-1 and this script runs without any error and creates the grubx64.efi. The difference I see is that with previous release the command sudo mokutil --list-sbat-revocations returns:
sbat,1,2022052400
grub,2
But, with the present release the output is
sbat,1,2023012900
shim,2
grub,3
grub.debian,4
Which tells me that something is amiss with the sbat versioning.
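Added example (not part of the original comments or the package): how the two revocation lists quoted above would be evaluated against a binary's `.sbat` section. The GRUB `.sbat` content is a constructed sample and the function names are hypothetical; the rule assumed is that shim refuses a component whose generation is lower than the revocation entry of the same name.

```python
import csv
import io

# Revocation lists quoted in the comment above (output of
# `mokutil --list-sbat-revocations` before and after the update).
OLD_REVOCATIONS = "sbat,1,2022052400\ngrub,2\n"
NEW_REVOCATIONS = "sbat,1,2023012900\nshim,2\ngrub,3\ngrub.debian,4\n"

# Constructed sample: .sbat section of a hypothetical GRUB image at generation 2.
SAMPLE_GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
)


def parse_generations(text):
    """Map component name -> generation from the first two CSV fields."""
    generations = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[0].strip():
            continue  # skip blank or malformed lines
        generations[row[0].strip()] = int(row[1])
    return generations


def check_binary(sbat_section, revocations):
    """Return (allowed, reasons) for one binary against one revocation list."""
    binary = parse_generations(sbat_section or "")
    if not binary:
        # shim 15.4 and later refuse images that carry no .sbat metadata
        return False, ["no .sbat section"]
    minimum = parse_generations(revocations)
    reasons = [
        f"{name}: generation {gen} < required {minimum[name]}"
        for name, gen in binary.items()
        if name in minimum and gen < minimum[name]
    ]
    return not reasons, reasons


if __name__ == "__main__":
    for label, rev in (("old", OLD_REVOCATIONS), ("new", NEW_REVOCATIONS)):
        print(label, check_binary(SAMPLE_GRUB_SBAT, rev))
```

To check a real image, replace the sample with the text of its `.sbat` section and the revocation string with the current `mokutil --list-sbat-revocations` output.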
Pinned Comments
nl6720 commented on 2021-05-28 11:19 (UTC)
shim 15.4 requires SBAT. It will not launch EFI binaries without a .sbat section.
nl6720 commented on 2016-12-07 13:17 (UTC) (edited on 2024-12-08 10:29 (UTC) by nl6720)
shimx64.efi is signed with Microsoft key, they also have a hardcoded Ubuntu key inside. MokManager (mmx64.efi) is signed with Ubuntu's key.
shimx64.efi can launch any EFI binary signed with Microsoft keys.
More information is available on the wiki: Secure Boot#shim.
fbx64.efi scans the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.
Alternative signed shim sources: