Arch Linux User Repository

shim 15.4 requires SBAT. It will not launch EFI binaries without a .sbat section.

shimx64.efi is signed with Microsoft key, they also have a hardcoded Ubuntu key inside. MokManager (mmx64.efi) is signed with Ubuntu's key.

shimx64.efi can launch any EFI binary signed with Microsoft keys.

More information is available on the wiki: Secure Boot#shim.

fbx64.efi scan the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.

There is already a noble package published: http://archive.ubuntu.com/ubuntu/pool/main/s/shim-signed/shim-signed_1.58+15.8-0ubuntu1_amd64.deb

see also https://packages.ubuntu.com/noble/shim-signed

I'm waiting for Ubuntu for publish a new 15.8 amd64 package. I'm assuming it should happen before 2024-04-11 when the Ubuntu 24.04 LTS beta is scheduled.

@nl6720 Would you kindly let us know when the package will be updated? It is currently out of date

Thank you @nl6720 and @solsticedhiver for the response.

Yes I have executed the grub-install command using the helper scripts available in this repository: Aur-secureboot-grub 0.2.3-1 and this script runs without any error and creates the grubx64.efi. The difference I see is that with previous release the command sudo mokutil --list-sbat-revocations returns:

sbat,1,2022052400

grub,2

But, with the present release the output is

sbat,1,2023012900

shim,2

grub,3

grub.debian,4

Which tells me that some thing is amiss with the sbat versioning.

@philch Have you tried to re-install grub? not the package, but the booloader with grub-install .... With the latest grub package installed, of course.

I think I saw a warning about resintalling with a recent grub update (of the package)

Note: I don't use grub as bootloader

Edit: Also, looking at the install file of grub, on can see:

  Grub does no longer support side-loading modules when secure boot is
    enabled. Thus booting will fail, unless you have an efi executable
    'grubx64.efi' with bundled modules

Sorry, I have no idea about GRUB. All I've read about using Secure Boot + GRUB is that it is a pain.

This release 15.8+ubuntu+1.57-1 is not working on my aptop. Get below error on boot up and PC shuts down:

Verifying shim SBAT: Security Violation Failure Something went terribly wrong [...]

Restoring to earlier version 15.7+ubuntu+1.56-1 and tried re-install and checked the sbat revocation:

sudo mokutil --list-sbat-revocations

sbat,1,2023012900

shim,2

grub,3

grub.debian,4

My current sbat file is as follows:

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md

grub,3,Free Software Foundation,grub,2:2.12-2,https//www.gnu.org/software/grub/

grub.arch,1,Arch Linux,grub,2:2.12-2,https://archlinux.org/packages/core/x86_64/grub/

Please advice.

There is something weird. The deb package is gone. The package can't be built anymore.

OK. That's one way to dodge the question.

Also, I am wondering why we need to have all the binaries of the arch installed; because only ne will be used, right? Like x86_64 and never any aarch64 efi binaries...

and if you add, later on, the 32bit binaries

The EFI binaries are not run in Linux, so I don't see an issue with using arch=('any').