There's a Fedora bug for the expired certificate: https://bugzilla.redhat.com/show_bug.cgi?id=2198977
Reading an unrelated bug, it doesn't appear like Fedora (or anyone else?) will release a new signed shim anytime soon.
| Git Clone URL: | https://aur.archlinux.org/shim-signed.git |
|---|---|
| Package Base: | shim-signed |
| Description: | Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64 and AA64 binaries from Ubuntu) |
| Upstream URL: | https://packages.ubuntu.com/noble/shim-signed |
| Keywords: | fbx64 mmx64 MokManager SecureBoot shim shimx64 UEFI |
| Licenses: | BSD-2-Clause |
| Submitter: | nl6720 |
| Maintainer: | nl6720 |
| Last Packager: | nl6720 |
| Votes: | 32 |
| Popularity: | 0.89 |
| First Submitted: | 2016-12-07 12:04 (UTC) |
| Last Updated: | 2024-12-08 10:23 (UTC) |
I am not sure if this should go here or to Fedora's page, but currently when I try to boot the OS from the grub menu I receive the error "bad shim signature". Running mokutil --list-enrolled shows that the Fedora signature expired on Dec 5 2022.
Edit: This is a grub issue https://bbs.archlinux.org/viewtopic.php?id=286617
Please do not flag the package out-of-date if there is no updated Fedora package available.
How hard would it be to provide a grub-signed package alongside this? The instructions in the wiki to use grub no longer work; it seems it's necessary to use grub-mkimage instead of grub-install, but I'm not sure how to do this. For now I just used a copy of Fedora's signed grub, but it would be better to have a package for this.
It seems to me that it's a bad idea to include fbx64.efi in the package, especially when bootx64.csv is not included, since shim will appear to fail with no reason if a user copied fbx64.efi to the ESP as well (by doing something like cp /usr/share/shim-signed/*x64.efi $esp/EFI/BOOT/; ...; mv|cp $esp/EFI/BOOT/{shim,boot}x64.efi).
I suppose it will fail too if shimx64.efi is renamed (instead of copied) to bootx64.efi even if bootx64.csv is included. So it probably is still bad unless it ships also bootx64.efi (a dup of shimx64.efi).
Added a note on the wiki page already though.
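The two failure modes discussed in the comment above (fbx64.efi copied to the ESP without a BOOTX64.CSV, and shimx64.efi renamed rather than copied to bootx64.efi) can be caught before rebooting. The following is an added example for this thread, not code from shim or from the shim-signed package. The check rules are taken from the comment; the CSV layout it writes and reads (one `loader,label,options,description` line, UCS-2/UTF-16LE with a byte-order mark) is my reading of shim's README.fallback and should be treated as an assumption. All function names are mine, and the directory contents used in the usage below are constructed.

```python
"""Audit an EFI/BOOT directory for the shim-signed pitfalls discussed above.

Added example, not part of the shim-signed package or shim itself. Rules
encoded from the comment: fbx64.efi without a BOOTX64.CSV, and shimx64.efi
renamed (instead of copied) to bootx64.efi so that the CSV entry points at
nothing. The CSV layout (loader,label,options,description per line, UCS-2/
UTF-16LE with a byte-order mark) is my reading of shim's README.fallback;
treat it as an assumption and check the README for your shim version.
"""
import sys
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

BOM_UTF16LE = b"\xff\xfe"


def make_fallback_csv(loader: str = "shimx64.efi", label: str = "Arch Linux",
                      options: str = "", description: str = "") -> bytes:
    """Build one-entry BOOTX64.CSV content for fbx64.efi (assumed format, see docstring)."""
    for field in (loader, label, options, description):
        if "," in field or "\n" in field:
            raise ValueError("CSV fields may not contain commas or newlines")
    line = ",".join((loader, label, options, description)) + "\n"
    return BOM_UTF16LE + line.encode("utf-16-le")


def parse_fallback_csv(data: bytes) -> List[Tuple[str, str, str, str]]:
    """Decode BOOTX64.CSV bytes into (loader, label, options, description) tuples."""
    if data.startswith(BOM_UTF16LE):
        data = data[len(BOM_UTF16LE):]
    entries = []
    for line in data.decode("utf-16-le").splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) != 4:
            raise ValueError("expected 4 fields, got %d in %r" % (len(fields), line))
        entries.append((fields[0], fields[1], fields[2], fields[3]))
    return entries


def audit_boot_dir(names: Iterable[str], csv_data: Optional[bytes] = None) -> List[str]:
    """Return findings for the given EFI/BOOT file names (FAT is case-insensitive)."""
    have = {n.lower() for n in names}
    findings = []
    if "bootx64.efi" not in have:
        findings.append("bootx64.efi missing: nothing is installed at the removable-media path")
    elif "shimx64.efi" not in have:
        findings.append("shimx64.efi missing: it was probably renamed to bootx64.efi; copy it "
                        "instead, the fallback CSV entry needs the original name")
    if "mmx64.efi" not in have:
        findings.append("mmx64.efi missing: shim cannot start MokManager to enroll keys")
    if "fbx64.efi" in have and "bootx64.csv" not in have:
        findings.append("fbx64.efi present without BOOTX64.CSV: fallback has nothing to enroll, "
                        "so shim appears to fail for no reason")
    if csv_data is not None:
        try:
            for loader, label, _options, _desc in parse_fallback_csv(csv_data):
                if loader.lower() not in have:
                    findings.append("BOOTX64.CSV entry %r points at %s, which is not in EFI/BOOT"
                                    % (label, loader))
        except (ValueError, UnicodeDecodeError) as exc:
            findings.append("BOOTX64.CSV unreadable: %s" % exc)
    return findings


def audit_esp(boot_dir: Path) -> List[str]:
    """Run audit_boot_dir against a real directory such as /boot/EFI/BOOT."""
    files = [p for p in boot_dir.iterdir() if p.is_file()]
    csv_path = next((p for p in files if p.name.lower() == "bootx64.csv"), None)
    return audit_boot_dir([p.name for p in files], csv_path.read_bytes() if csv_path else None)


if __name__ == "__main__":
    # Constructed layout from the comment: everything copied, then shimx64.efi moved to bootx64.efi.
    for finding in audit_boot_dir(["bootx64.efi", "mmx64.efi", "fbx64.efi"]):
        print("WARN (sample):", finding)
    if len(sys.argv) > 1:
        for finding in audit_esp(Path(sys.argv[1])):
            print("WARN:", finding)
```

Run it with the path of your ESP's EFI/BOOT directory as the first argument to audit a real layout; with no argument it only reports on the constructed sample. A clean layout (bootx64.efi, shimx64.efi, mmx64.efi, fbx64.efi and a BOOTX64.CSV whose loader field names shimx64.efi) produces no findings.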
I added shimia32.efi, mmia32.efi and fbia32.efi to the package. IMHO the files are small enough to not warrant a separate package.
Would it be possible to add a package for ia32?
I noticed Fedora has an ia32 shim package, and I have an HP Pro Tablet 408 G1 that supports secure boot but has a 32-bit UEFI, although it has a 64-bit compatible CPU that runs Arch Linux fine.
Small update: systemd-boot of systemd 250 is now building with SBAT by default: https://github.com/systemd/systemd/blob/main/NEWS
Finally I stumbled over this (SBAT) as well.
I use rEFInd as bootloader and was not able to get it booting anymore after upgrading to this latest shim release.
Adding a .sbat entry is easy, yet it still does not work... Main reason: the sbat section is not appended but added at the beginning of the sections, which then makes EFI fail.
There is a solution/workaround though.
Check this out: https://github.com/rhboot/shim/issues/376#issuecomment-964137621
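Before rebooting into a custom loader (rEFInd or anything else) under shim 15.4 or later, it is worth confirming offline that the binary actually carries a .sbat section, that it was appended after the existing sections (the ordering problem reported above), and that its rows are well-formed. The following is an added example for this thread, not code from shim, rEFInd or the shim-signed package. It parses the PE/COFF section table directly; the expected SBAT row layout (`component,generation,vendor,package,version,url`, led by a `sbat,1,...` format-version row) is my reading of shim's SBAT.md and should be treated as an assumption. The sample images are constructed in-memory stubs, not real signed loaders, and all function names are mine.

```python
"""Inspect a PE/COFF EFI binary for the .sbat section that shim 15.4+ requires.

Added example for this thread, not code from shim, rEFInd or shim-signed.
It walks the PE section table, reports the section order (the .sbat
section should come after the existing sections, not first) and
sanity-checks the SBAT CSV rows. Row layout assumed from shim's SBAT.md:
component,generation,vendor,package,version,url, with a leading
'sbat,1,...' format-version row. Sample images below are constructed stubs.
"""
import struct
import sys

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_HDR = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = "<8sIIIIIIHHI"
SECTION_HDR_LEN = struct.calcsize(SECTION_HDR)  # 40 bytes per entry


def read_sections(pe: bytes) -> list:
    """Return [(name, raw_bytes), ...] in section-table order."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, pe, coff)
    table = coff + struct.calcsize(COFF_HDR) + opt_size
    out = []
    for i in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_HDR, pe, table + i * SECTION_HDR_LEN)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), pe[raw_ptr:raw_ptr + raw_size]))
    return out


def section_order(pe: bytes) -> list:
    """Section names in table order; a freshly added .sbat should be last, not first."""
    return [name for name, _ in read_sections(pe)]


def parse_sbat(blob: bytes) -> list:
    """Split the .sbat payload (CSV text, possibly NUL-padded) into rows of fields."""
    text = blob.rstrip(b"\0").decode("utf-8")
    return [line.split(",") for line in text.splitlines() if line.strip()]


def check_sbat(pe: bytes):
    """(ok, message): would shim 15.4+ find a usable .sbat section here?"""
    sections = dict(read_sections(pe))
    if ".sbat" not in sections:
        return False, "no .sbat section: shim 15.4+ will refuse to launch this binary"
    rows = parse_sbat(sections[".sbat"])
    if not rows or rows[0][0] != "sbat":
        return False, "first row must be the 'sbat' format-version entry"
    for row in rows:
        if len(row) != 6:
            return False, "row %r should have 6 fields, has %d" % (row[0], len(row))
        if not row[1].isdigit() or int(row[1]) < 1:
            return False, "row %r has a non-positive generation %r" % (row[0], row[1])
    comps = ", ".join("%s gen %s" % (r[0], r[1]) for r in rows[1:])
    return True, "SBAT ok: " + (comps or "no component rows")


def build_pe(sections: dict) -> bytes:
    """Constructed minimal PE: DOS stub, COFF header, zeroed optional header, section table, data."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240  # PE32+ optional header size; its contents are irrelevant to this parser
    coff = struct.pack(COFF_HDR, 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    data_off = e_lfanew + 4 + len(coff) + opt_size + SECTION_HDR_LEN * len(sections)
    table, blobs = bytearray(), bytearray()
    for i, (name, data) in enumerate(sections.items()):
        table += struct.pack(SECTION_HDR, name.encode("ascii"), len(data), 0x1000 * (i + 1),
                             len(data), data_off + len(blobs), 0, 0, 0, 0, 0x40000040)
        blobs += data
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + bytes(table) + bytes(blobs)


# Constructed samples; the component row is a placeholder, not a real vendor entry.
SBAT_CSV = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
            b"example-loader,1,Example Vendor,example-loader,0.1,https://example.invalid/loader\n")
SAMPLE_WITH_SBAT = build_pe({".text": b"\x90" * 16, ".sbat": SBAT_CSV})
SAMPLE_WITHOUT_SBAT = build_pe({".text": b"\x90" * 16})
SAMPLE_BAD_SBAT = build_pe({".text": b"\x90" * 16, ".sbat": b"example-loader,1\n"})

if __name__ == "__main__":
    pe = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WITH_SBAT
    print("sections:", section_order(pe))
    ok, msg = check_sbat(pe)
    print("OK" if ok else "FAIL", msg)
```

Point it at a real loader (for example `python3 check_sbat.py /boot/EFI/refind/refind_x64.efi`) to see the section order and the parsed SBAT rows; without an argument it inspects the constructed sample. Note that this only checks for the section's presence and shape, not for a valid Authenticode signature, so a binary can pass here and still be rejected by shim on signature grounds.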
Pinned Comments

nl6720 commented on 2021-05-28 11:19 (UTC)

shim 15.4 requires SBAT. It will not launch EFI binaries without a .sbat section.

nl6720 commented on 2016-12-07 13:17 (UTC) (edited on 2024-12-08 10:29 (UTC) by nl6720)

shimx64.efi is signed with Microsoft's key; it also has a hardcoded Ubuntu key inside. MokManager (mmx64.efi) is signed with Ubuntu's key. shimx64.efi can launch any EFI binary signed with Microsoft keys. More information is available on the wiki: Secure Boot#shim.

fbx64.efi scans the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.

Alternative signed shim sources: