I am using shim-signed and it works great. My Dell Inspiron 5593 firmware has the Microsoft UEFI CA 2011 certificate enrolled. If I upgrade to Microsoft UEFI CA 2023 will shim-signed continue to work?
Thanks in advance.
| Git Clone URL: | https://aur.archlinux.org/shim-signed.git (read-only) |
|---|---|
| Package Base: | shim-signed |
| Description: | Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64 and AA64 binaries from Ubuntu) |
| Upstream URL: | https://packages.ubuntu.com/noble/shim-signed |
| Keywords: | fbx64 mmx64 MokManager SecureBoot shim shimx64 UEFI |
| Licenses: | BSD-2-Clause |
| Submitter: | nl6720 |
| Maintainer: | nl6720 |
| Last Packager: | nl6720 |
| Votes: | 32 |
| Popularity: | 0.89 |
| First Submitted: | 2016-12-07 12:04 (UTC) |
| Last Updated: | 2024-12-08 10:23 (UTC) |
Sorry, just forget about my previous comment! I believe it's actually my mistake. 😁 Turns out I had made a change in the script that I wrote to perform the whole installation procedure, believing that it was an oversight and that changing it was a good idea.
I'll explain it here so that other people making the same mistake can learn from it:
I changed it to copy everything from /usr/share/shim-signed/ to my /boot/efi/EFI/<bootloader-name>/ location, instead of only specific files.
And that was not supposed to be done, according to the wiki 🧐:
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Set_up_shim
"Note: Make sure you do not copy fbx64.efi (which is under the same directory) unless you actually have a valid bootx64.csv to use. Otherwise shim will not execute grubx64.efi but will appear to fail to work and just reset the machine."
Whoops. Moral of the story: Always read the wiki, also do it again when changing things later. :)
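The wiki note quoted above is about fbx64.efi only being useful when a BOOTX64.CSV exists for it to read. The script below is an added example, not part of the package, the wiki or this thread: it writes such a CSV in the form Ubuntu ships (UTF-16LE text with a leading FF FE byte-order mark, one line of `loader file name,boot entry label,options,description`) and checks a file for that form before you copy fbx64.efi next to it. The loader name, label, description and the temporary directory are constructed for the demonstration; whether fallback tolerates other encodings is not something this page establishes, so the check is deliberately strict.

```shell
#!/bin/sh
# Added example (not from the wiki or the shim-signed package): write a
# BOOTX64.CSV for shim's fallback loader (fbx64.efi) and sanity-check it.
# The layout mirrors Ubuntu's shipped BOOTX64.CSV: UTF-16LE with a BOM, and
# each line is  loader file name,boot entry label,options,description
# Paths, labels and descriptions below are constructed for the demonstration.

# write_boot_csv OUT LOADER LABEL DESCRIPTION
# Writes one CSV line to OUT as UTF-16LE with a leading FF FE byte-order mark.
# The options field is left empty, as in Ubuntu's file.
write_boot_csv() {
    out=$1
    printf '\377\376' > "$out"                      # BOM: 0xFF 0xFE
    printf '%s,%s,,%s\n' "$2" "$3" "$4" \
        | iconv -f UTF-8 -t UTF-16LE >> "$out"      # iconv emits no BOM itself
}

# check_boot_csv FILE
# Returns 0 only if FILE starts with the UTF-16LE BOM and its first decoded
# line has exactly four comma-separated fields.
check_boot_csv() {
    [ "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" = "fffe" ] || return 1
    nf=$(tail -c +3 "$1" | iconv -f UTF-16LE -t UTF-8 | head -n 1 | awk -F, '{ print NF }')
    [ "$nf" -eq 4 ]
}

# show_boot_csv FILE: decode the CSV back to UTF-8 for a human to read.
show_boot_csv() {
    tail -c +3 "$1" | iconv -f UTF-16LE -t UTF-8
}

demo_dir=$(mktemp -d)
# Stand-in for /boot/efi/EFI/<bootloader-name>/BOOTX64.CSV (constructed path)
write_boot_csv "$demo_dir/BOOTX64.CSV" shimx64.efi arch "Arch Linux via shim"

# A file typed into an ordinary editor is plain UTF-8: right text, no BOM,
# so check_boot_csv rejects it.
printf 'shimx64.efi,arch,,Arch Linux via shim\n' > "$demo_dir/wrong.csv"

show_boot_csv "$demo_dir/BOOTX64.CSV"
if check_boot_csv "$demo_dir/BOOTX64.CSV"; then echo "BOOTX64.CSV: ok"; fi
if check_boot_csv "$demo_dir/wrong.csv"; then :; else echo "wrong.csv: rejected"; fi
```

Run the check against the real file before copying fbx64.efi into the bootloader directory; if it fails, leave fbx64.efi out, which is what the wiki note asks for.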
Is the currently used version not supposed to work when booting from a USB device? Or am I missing something? I cannot boot GRUB on my USB drive with Secure Boot enabled anymore.
Using this thing in the EFI partition on my laptop's and desktop's built-in SSDs works fine, which proves that things still go right, at least in part.
But I also used it on a portable device (on which I maintain a separate Arch installation, a bit like a live disk, but actually writable and usable to work on as well).
In this way I was nicely able to boot my drive on Secure Boot enabled systems (useful as a way for me to quickly fix problems, and also on systems where Secure Boot cannot be disabled). I sign the actual GRUB binary and kernel with my own keys.
But it turns out that on the USB device I was still using a Fedora shim from 2022, as it seems. But also from this AUR repo.
There is already a noble package published: http://archive.ubuntu.com/ubuntu/pool/main/s/shim-signed/shim-signed_1.58+15.8-0ubuntu1_amd64.deb
I'm waiting for Ubuntu to publish a new 15.8 amd64 package. I'm assuming it should happen before 2024-04-11, when the Ubuntu 24.04 LTS beta is scheduled.
@nl6720 Would you kindly let us know when the package will be updated? It is currently out of date
Thank you @nl6720 and @solsticedhiver for the response.
Yes I have executed the grub-install command using the helper scripts available in this repository: Aur-secureboot-grub 0.2.3-1 and this script runs without any error and creates the grubx64.efi. The difference I see is that with previous release the command sudo mokutil --list-sbat-revocations returns:
sbat,1,2022052400
grub,2
But, with the present release the output is
sbat,1,2023012900
shim,2
grub,3
grub.debian,4
Which tells me that something is amiss with the SBAT versioning.
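The two `mokutil --list-sbat-revocations` listings above differ in the minimum generation they demand from the `grub` component (2 before, 3 now). shim compares each `component,generation` entry in a binary's .sbat section against that policy and refuses to launch the binary when a matching component's generation is below the minimum; a binary with no .sbat section at all is refused outright, as the pinned comment below says. The script below is an added example, not code from shim, the package or this thread: it replays that comparison offline on constructed copies of the two policies and on two constructed .sbat sections (the grub vendor fields are made up, not taken from a real build), and then shows how to feed it the live inputs.

```shell
#!/bin/sh
# Added example (not part of shim, the package or the thread): replay shim's
# SBAT generation check offline. Policy lines are component,min_generation
# (the `mokutil --list-sbat-revocations` format); .sbat lines are
# component,generation,vendor,package,version,url. A component is blocked
# when its generation is below the policy minimum. All data below is
# constructed for the demonstration.

# sbat_check POLICY_FILE SBAT_FILE
# Prints one line per blocked component; exit status 1 if anything is blocked
# or if SBAT_FILE is empty (no .sbat section: shim refuses those too).
sbat_check() {
    [ -s "$2" ] || { echo "no .sbat data: refused"; return 1; }
    awk -F, -v policy="$1" '
        # first file: component_name,min_generation[,date]
        FILENAME == policy { if ($1 != "") min[$1] = $2 + 0; next }
        # second file: component_name,generation,vendor,package,version,url
        $1 != "" && ($1 in min) && ($2 + 0) < min[$1] {
            printf "%s: generation %d < required %d\n", $1, $2 + 0, min[$1]
            blocked = 1
        }
        END { exit (blocked ? 1 : 0) }
    ' "$1" "$2"
}

# sbat_verdict POLICY_FILE SBAT_FILE: prints "allowed" or "blocked".
sbat_verdict() {
    if sbat_check "$1" "$2" > /dev/null; then echo allowed; else echo blocked; fi
}

work=$(mktemp -d)

# Policy as listed for the previous release (constructed copy of the listing above)
cat > "$work/policy-2022.csv" <<'EOF'
sbat,1,2022052400
grub,2
EOF

# Policy as listed for the present release (constructed copy)
cat > "$work/policy-2023.csv" <<'EOF'
sbat,1,2023012900
shim,2
grub,3
grub.debian,4
EOF

# .sbat of a grubx64.efi that still carries grub generation 2 (constructed)
cat > "$work/grub-gen2.sbat" <<'EOF'
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
EOF

# .sbat of a rebuilt grubx64.efi carrying grub generation 3 (constructed)
cat > "$work/grub-gen3.sbat" <<'EOF'
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
EOF

for s in grub-gen2 grub-gen3; do
    for p in policy-2022 policy-2023; do
        echo "$s under $p: $(sbat_verdict "$work/$p.csv" "$work/$s.sbat")"
    done
done

# On a real system, feed the same function the live inputs (paths are examples):
#   mokutil --list-sbat-revocations > policy.csv
#   objcopy -O binary --only-section=.sbat /boot/efi/EFI/<bootloader-name>/grubx64.efi grub.sbat
#   sbat_check policy.csv grub.sbat
```

The generation-2 section passes the 2022 policy and fails the 2023 one, which is exactly the "worked before, not now" pattern described above; a grubx64.efi rebuilt with a current GRUB carries a .sbat that satisfies the new minimum.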
@philch Have you tried to re-install grub? Not the package, but the bootloader, with grub-install... With the latest grub package installed, of course.
I think I saw a warning about reinstalling with a recent grub update (of the package).
Note: I don't use grub as bootloader.
Edit: Also, looking at the install file of grub, one can see:
Grub does no longer support side-loading modules when secure boot is
enabled. Thus booting will fail, unless you have an efi executable
'grubx64.efi' with bundled modules
Sorry, I have no idea about GRUB. All I've read about using Secure Boot + GRUB is that it is a pain.
Pinned Comments
nl6720 commented on 2021-05-28 11:19 (UTC)
shim 15.4 requires SBAT. It will not launch EFI binaries without a .sbat section.
nl6720 commented on 2016-12-07 13:17 (UTC) (edited on 2024-12-08 10:29 (UTC) by nl6720)
shimx64.efi is signed with Microsoft's key; it also has a hardcoded Ubuntu key inside. MokManager (mmx64.efi) is signed with Ubuntu's key. shimx64.efi can launch any EFI binary signed with Microsoft keys. More information is available on the wiki: Secure Boot#shim.
fbx64.efi scans the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.
Alternative signed shim sources: