Package Details: shim-signed 15.8+ubuntu+1.58-1

Git Clone URL: https://aur.archlinux.org/shim-signed.git (read-only)
Package Base: shim-signed
Description: Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64 and AA64 binaries from Ubuntu)
Upstream URL: https://packages.ubuntu.com/noble/shim-signed
Keywords: fbx64 mmx64 MokManager SecureBoot shim shimx64 UEFI
Licenses: BSD-2-Clause
Submitter: nl6720
Maintainer: nl6720
Last Packager: nl6720
Votes: 31
Popularity: 2.81
First Submitted: 2016-12-07 12:04 (UTC)
Last Updated: 2024-04-10 11:55 (UTC)

Pinned Comments

nl6720 commented on 2021-05-28 11:19 (UTC)

shim 15.4 requires SBAT. It will not launch EFI binaries without a .sbat section.
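
An added example (not part of the comment above and not code from the shim project) for checking a binary against this requirement: it walks the PE section table and returns the CSV rows of the .sbat section, or None when the section is missing. The function names, build_sample and the sample SBAT rows are constructed for illustration; it only checks presence and parses the rows, it does not reproduce shim's own verification.

```python
import csv
import struct

def pe_sections(data: bytes) -> dict:
    """Map section name -> (file offset, size) from a PE/COFF image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                         # section table start
    sections = {}
    for i in range(n_sections):
        entry = table + 40 * i                             # 40-byte section header
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, raw_size, raw_ptr = struct.unpack_from("<4I", data, entry + 8)
        sections[name] = (raw_ptr, min(vsize, raw_size) if vsize else raw_size)
    return sections

def sbat_entries(data: bytes):
    """Return the .sbat CSV rows, or None when the section is absent."""
    sections = pe_sections(data)
    if ".sbat" not in sections:
        return None
    off, size = sections[".sbat"]
    text = data[off:off + size].rstrip(b"\0").decode("utf-8")
    return [row for row in csv.reader(text.splitlines()) if row]

# Constructed sample SBAT payload (the second row is a made-up component).
SAMPLE_SBAT = (
    b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    b"example.loader,1,Example Vendor,example-loader,1.0,https://example.invalid/\n")

def build_sample(section_name: bytes, payload: bytes) -> bytes:
    """Constructed minimal PE image with one section (test input only)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)
    raw_ptr = 64 + 24 + 40                                 # payload follows headers
    sect = section_name.ljust(8, b"\0") + struct.pack(
        "<IIII", len(payload), 0x1000, len(payload), raw_ptr) + b"\0" * 16
    return dos + coff + sect + payload

if __name__ == "__main__":
    rows = sbat_entries(build_sample(b".sbat", SAMPLE_SBAT))
    print("no .sbat section" if rows is None else rows)
```

To inspect a real file, pass its bytes (for example from open(path, "rb").read()) to sbat_entries.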

nl6720 commented on 2016-12-07 13:17 (UTC) (edited on 2023-12-15 09:27 (UTC) by nl6720)

shimx64.efi is signed with a Microsoft key; it also has a hardcoded Ubuntu key inside. MokManager (mmx64.efi) is signed with Ubuntu's key.

shimx64.efi can launch any EFI binary signed with Microsoft keys.

More information is available on the wiki: Secure Boot#shim.

fbx64.efi scans the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.

Latest Comments


Soroshi commented on 2019-12-19 20:31 (UTC)

I'm not clear how gnu-efi is related to shim (is it compiled into shim?), but with this issue closed (https://github.com/rhboot/shim/issues/143), do we still need to be pulling version 13.4 of MokManager?

jussihi commented on 2018-08-09 16:08 (UTC) (edited on 2018-08-09 16:09 (UTC) by jussihi)

The openssl command did not fail, and the boot configuration (USB stick) worked on another laptop flawlessly. I don't know what's up with that but I think that the bug is in shim itself. I opened an issue on their GitHub (https://github.com/rhboot/shim/issues/143).

Thanks for a quick response though! Shim seems to work on every machine except my own laptop :)

nl6720 commented on 2018-08-09 11:11 (UTC)

Just because it has a .cer or .der extension doesn't mean that it's a DER format certificate. Run openssl x509 -noout -text -inform DER -in MOK.cer. If it fails then the cert is not in DER format and you need to convert it.

jussihi commented on 2018-08-09 09:08 (UTC)

I keep getting the error "Unsupported Format: Only DER encoded certificate (*.cer/der/crt) is supported"

From the source code (https://github.com/rhboot/shim/blob/master/MokManager.c#L1908) it seems like I have a wrong filename suffix for my cert, but the file name is indeed "MOK.cer".

Is this a bug?

crazyh commented on 2018-04-24 15:29 (UTC)

Sorry, my mistake.

nl6720 commented on 2018-04-24 07:01 (UTC)

This package has no hardcoded /boot/efi/ paths. The EFI binaries are installed to /usr/share/shim-signed/.

crazyh commented on 2018-04-24 01:43 (UTC) (edited on 2018-04-24 01:44 (UTC) by crazyh)

It does not work when the ESP is mounted to /boot due to hardcoded "/boot/efi/..." paths. :(
