Package Details: shim-signed 15.4+fedora+5-1

Git Clone URL: https://aur.archlinux.org/shim-signed.git (read-only)
Package Base: shim-signed
Description: Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt X64 EFI binaries from Fedora)
Upstream URL: https://koji.fedoraproject.org/koji/packageinfo?packageID=14502
Keywords: fbx64 mmx64 MokManager SecureBoot shim UEFI
Licenses: BSD
Submitter: nl6720
Maintainer: nl6720
Last Packager: nl6720
Votes: 12
Popularity: 0.41
First Submitted: 2016-12-07 12:04
Last Updated: 2021-07-18 15:27

Pinned Comments

nl6720 commented on 2021-05-28 11:19

shim 15.4 requires SBAT. It will not launch EFI binaries without a .sbat section.
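A practical check for the requirement stated in this pinned comment: shim 15.4 refuses to launch an EFI binary that has no .sbat section, so anyone verifying a boot loader or kernel before enrolling it wants to inspect that section. The following Python script is an added example, not code from this package or from upstream shim. It walks the PE/COFF section table itself (no third-party modules), reports whether .sbat is present and parses its CSV rows. The build_pe() fixture and the SBAT_CSV rows are constructed for the example and are not taken from any real shim build.

```python
import struct
import sys

# Constructed sample SBAT CSV (component, generation, vendor, package, version, url);
# illustrative values only, not copied from a real binary.
SBAT_CSV = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
)


def build_pe(sections):
    """Build a minimal PE32+ image holding the given (name, bytes) sections.

    Constructed test fixture only: it contains no code and is not a bootable binary.
    """
    nsec = len(sections)
    opt_size = 240                                   # size of a PE32+ optional header
    headers_end = 64 + 4 + 20 + opt_size + 40 * nsec
    raw_ptr = -(-headers_end // 512) * 512           # first raw-data offset, 512-aligned
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)  # PE32+ magic, rest zero
    table, body, vaddr = b"", b"", 0x1000
    for name, content in sections:
        padded = content + b"\0" * (-len(content) % 512)
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(content),
                             vaddr, len(padded), raw_ptr + len(body),
                             0, 0, 0, 0, 0x40000040)
        body += padded
        vaddr += 0x1000
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers + b"\0" * (raw_ptr - len(headers)) + body


def pe_sections(data):
    """Return {section name: raw bytes} read from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size                     # section headers follow the optional header
    sections = {}
    for i in range(nsec):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        size = min(vsize, raw_size) if vsize else raw_size   # raw data may be padded past VirtualSize
        key = name.rstrip(b"\0").decode("ascii", "replace")
        sections[key] = data[raw_ptr:raw_ptr + size]
    return sections


def sbat_entries(data):
    """Parse the .sbat section as CSV rows; None when the image has no .sbat section."""
    section = pe_sections(data).get(".sbat")
    if section is None:
        return None
    text = section.rstrip(b"\0").decode("utf-8", "replace")
    return [line.split(",") for line in text.splitlines() if line.strip()]


def has_sbat(data):
    """True if the image carries a .sbat section, the prerequisite shim 15.4 enforces."""
    return sbat_entries(data) is not None


# Constructed samples: one image with .sbat, one without.
SAMPLE_WITH_SBAT = build_pe([(".text", b"\xc3" * 16), (".sbat", SBAT_CSV.encode())])
SAMPLE_WITHOUT_SBAT = build_pe([(".text", b"\xc3" * 16)])

if __name__ == "__main__":
    # Usage: python sbat_check.py /path/to/some.efi [...]; with no arguments the samples are used.
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [SAMPLE_WITH_SBAT, SAMPLE_WITHOUT_SBAT]
    for blob in blobs:
        rows = sbat_entries(blob)
        print("no .sbat section" if rows is None else "\n".join(",".join(r) for r in rows))
```

On a system with binutils the same bytes can be dumped with objdump -s -j .sbat shimx64.efi; the script mirrors that for hosts without it. An image for which sbat_entries() returns None is exactly the case the comment describes: shim 15.4 will not launch it.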

nl6720 commented on 2016-12-07 13:17

shimx64.efi is signed with a Microsoft key; it also has a hardcoded Debian key inside. MokManager (mmx64.efi) is signed with Debian's key.

shimx64.efi can launch any EFI binary signed with Microsoft keys.

More information is available on the wiki: Secure Boot#shim.

fbx64.efi scans the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.

Latest Comments


michael.shepherd commented on 2021-07-15 21:41

The download of https://deb.debian.org/debian/pool/main/s/shim-signed/shim-signed_1.33+15+1533136590.3beb971-7_amd64.deb via curl ends with a 404 error (Debian already uses shim-signed 1.36), so the package cannot be installed anymore.

nl6720 commented on 2021-05-31 11:18

I found MokManager. It's in shim-helpers-amd64-signed 1+15+1533136590.3beb971+7+deb10u1.

nl6720 commented on 2021-05-31 11:15

From the looks of it, Debian's shim-signed 1.33+15+1533136590.3beb971-7 doesn't ship MokManager.

nl6720 commented on 2021-05-31 11:14

No, shim 15.4 will not launch even previously enrolled EFI binaries. SBAT is an upstream shim 15.4 feature, so it shouldn't matter if the shim is from Debian, Ubuntu or SUSE (admittedly, I haven't actually tried them).

For boot loaders:

AFAIK other boot loaders have not yet implemented adding a .sbat section.

If anyone wants to try, here's a diff for the 15.4.f4 PKGBUILD:

diff --git a/PKGBUILD b/PKGBUILD
index 0b3ac3a..dcc196d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,24 +1,16 @@
 # Maintainer: nl6720 <nl6720@archlinux.org>

 pkgname='shim-signed'
-pkgver='15.f8'
-pkgrel='2'
+pkgver='15.4.f4'
+pkgrel='1'
 pkgdesc='Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt X64 EFI binaries from Fedora)'
 url='https://koji.fedoraproject.org/koji/packageinfo?packageID=14502'
 arch=('any')
 license=('BSD')
 options=('!strip')
 noextract=('shim-x64-13-4.x86_64.rpm')
-source=("https://kojipkgs.fedoraproject.org/packages/shim/${pkgver//.f/\/}/x86_64/shim-x64-${pkgver//.f/-}.x86_64.rpm"
-        'https://kojipkgs.fedoraproject.org/packages/shim-signed/13/4/x86_64/shim-x64-13-4.x86_64.rpm')
-sha512sums=('bea58059801c9af1f9beab675cf7b6bb7262278b1fe874cb56c3dec051a71236a352d3444f82ee0204518fdf1e18cbde4ce2d240dc1223dda2409ea23c3daa48'
-            'b6091fd4154b7cd4353e9bea2bcd0b796864c3c268a5a9ebce90e738afc7ab30924099b2127eec108d62da96983147c4d40292ed391ed1b2cfe5257b8d6fd474')
-
-prepare() {
-   cd "${srcdir}"
-   # Use old MokManager from Fedora's shim-signed 13-4, https://github.com/rhboot/shim/issues/143 
-   bsdtar -f shim-x64-13-4.x86_64.rpm -x boot/efi/EFI/fedora/mmx64.efi
-}
+source=("https://kojipkgs.fedoraproject.org/packages/shim/${pkgver//.f/\/}/x86_64/shim-x64-${pkgver//.f/-}.x86_64.rpm")
+sha512sums=('6650236531ef22f8b4da694eec912e506ed698cc33f0737716ed4aee9ae4a13bdb1799b25a97608566f5566541d6bbb98636caa689804c24e947d013712e2d9f')

 package() {
    install -D -m0644 -t "${pkgdir}/usr/share/${pkgname}/" "${srcdir}/boot/efi/EFI/fedora/shimx64.efi"
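Review bot: noextract=('shim-x64-13-4.x86_64.rpm') is kept as unchanged context even though this hunk removes the 13-4 source entry and the prepare() step that extracted mmx64.efi from it, so that line is now stale and should be dropped together with them. With the old-MokManager workaround gone, the package() step visible here installs only shimx64.efi; the rest of package() is cut off in the quoted diff, so check that mmx64.efi is also installed from the 15.4 rpm, since the comments above rely on MokManager being shipped.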

joerichey commented on 2021-05-31 11:06

Nevermind, I just found https://github.com/rhboot/shim/issues/373 which details the issue in greater depth.

It looks like we could switch to using the Debian version (https://packages.debian.org/buster/shim-signed) specifically 15+1533136590.3beb971-7+deb10u1 (which is currently used on Debian 10) which rotated the Debian signing keys, but didn't include the SBAT changes.

joerichey commented on 2021-05-31 10:44

nl6720, do you know if SBAT is required even if the EFI binary is enrolled via the MokManager? All Arch boot loaders/kernels are enrolled that way (as they aren't signed by RedHat). If SBAT is only mandatory for RedHat signed binaries, then I think 15.4 would be fine.

Alternatively, we could switch to using the Debian, Ubuntu, or SUSE shim (provided that they don't have the same issue).

joerichey commented on 2021-05-28 10:29

This package should be updated to the latest version from Fedora. The old versions are currently on the DBX (due to BootHole), so users need to upgrade.

https://kojipkgs.fedoraproject.org//packages/shim/15.4/5/x86_64/shim-x64-15.4-5.x86_64.rpm

This version also fixes a lot of bugs (including the gnu-efi one), so the 13.4 workaround should no longer be needed.

chandradeepdey commented on 2021-01-23 17:20

@nl6720 https://fedoramagazine.org/announcing-fedora-33/ see "A note on Secure Boot".

Idk what they mean by "before broad-scale certificate revocation takes place" because Windows updates the list regardless of vendors providing updated firmware.

nl6720 commented on 2021-01-23 11:54

UEFI Revocation List dbxupdate_x64.bin, dated October 12, 2020, contains three certs as far as dbxtool can tell. I don't really know how to find out what they are.

shimx64.efi is signed with Microsoft Corporation UEFI CA 2011, is it really blacklisted? @chandradeepdey, has this issue been reported to Fedora?