Package Details: shim-signed 15.6+fedora+2-1

Git Clone URL: https://aur.archlinux.org/shim-signed.git (read-only, click to copy)
Package Base: shim-signed
Description: Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt X64 and IA32 EFI binaries from Fedora)
Upstream URL: https://koji.fedoraproject.org/koji/packageinfo?packageID=14502
Keywords: fbia32 fbx64 mmia32 mmx64 MokManager SecureBoot shim shimia32 shimx64 UEFI
Licenses: BSD
Submitter: nl6720
Maintainer: nl6720
Last Packager: nl6720
Votes: 21
Popularity: 1.52
First Submitted: 2016-12-07 12:04 (UTC)
Last Updated: 2022-08-07 06:42 (UTC)

Pinned Comments

nl6720 commented on 2022-11-26 17:11 (UTC)

Please do not flag the package out-of-date if there is no updated Fedora package available.

nl6720 commented on 2021-05-28 11:19 (UTC)

shim 15.4 requires SBAT. It will not launch EFI binaries without a .sbat section.

nl6720 commented on 2016-12-07 13:17 (UTC) (edited on 2022-05-28 13:24 (UTC) by nl6720)

shimx64.efi and shimia32.efi are signed with Microsoft key, they also have a hardcoded Fedora key inside. MokManager (mmx64.efi and mmia32.efi) is signed with Fedora's key.

shimx64.efi and shimia32.efi can launch any EFI binary signed with Microsoft keys.

More information is available on the wiki: Secure Boot#shim.

fbx64.efi and fbia32.efi scan the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.

Latest Comments

1 2 3 Next › Last »

nl6720 commented on 2022-11-26 17:11 (UTC)

Please do not flag the package out-of-date if there is no updated Fedora package available.

adrianinsaval commented on 2022-07-05 21:46 (UTC)

How hard would it be to provide a grub-signed package alongside this? The instructions in the wiki to use grub no longer work, it seems it's necessary to use grub-mkimage instead of grub-install but I'm not sure how to do this, for now I just used a copy of fedora's signed grub but it would be better to have a package for this

tom.ty89 commented on 2022-05-31 14:41 (UTC) (edited on 2022-05-31 14:46 (UTC) by tom.ty89)

It seems to me that it's a bad idea to include fbx64.efi in the package, especially when bootx64.csv is not included, since shim will appear to fail with no reason if a user copied fbx64.efi to the ESP as well (by doing something like cp /usr/share/shim-signed/*x64.efi $esp/EFI/BOOT/; ...; mv|cp $esp/EFI/BOOT/{shim,boot}x64.efi).

I suppose it will fail too if shimx64.efi is renamed (instead of copied) to bootx64.efi even if bootx64.csv is included. So it probably is still bad unless it ships also bootx64.efi (a dup of shimx64.efi).

Added a note on the wiki page already though.

nl6720 commented on 2022-05-27 08:24 (UTC)

I added shimia32.efi, mmia32.efi and fbia32.efi to the package. IMHO the files are small enough to not warrant a separate package.

Raansu commented on 2022-05-25 07:26 (UTC)

Would it be possible to add a package for ia32?
I noticed Fedora has a ia32 shim package and I have a HP Pro Tablet 408 G1 that supports secure boot but has a 32 bit UEFI although it has a 64 bit compatible CPU that runs Arch Linux fine.

Bobrolak commented on 2022-01-05 10:50 (UTC)

small update: systemd-boot of systemd 250 is now building with SBAT by default: https://github.com/systemd/systemd/blob/main/NEWS

steadfasterX commented on 2021-11-09 13:44 (UTC)

finally I stumbled over this (SBAT) as well.

I use rEFInd as bootloader and was not able to get it booting anymore after upgrading to this latest shim release.

adding a .sbat entry is easy while it still does not work actually... Main reason: adding a sbat section will not be appended but added to the beginning of the sections - which then let EFI fail.

There is a solution/workaround though.

Check this out: https://github.com/rhboot/shim/issues/376#issuecomment-964137621

michael.shepherd commented on 2021-07-15 21:41 (UTC)

download of https://deb.debian.org/debian/pool/main/s/shim-signed/shim-signed_1.33+15+1533136590.3beb971-7_amd64.deb via curls end with a 404 error (debian uses already shim-signed 1.36), so package could not be installed anymore

nl6720 commented on 2021-05-31 11:18 (UTC)

I found MokManager. It's in shim-helpers-amd64-signed 1+15+1533136590.3beb971+7+deb10u1.