It seems to me that it's a bad idea to include fbx64.efi in the package, especially when bootx64.csv is not included, since shim will appear to fail with no reason if a user copied fbx64.efi to the ESP as well (by doing something like cp /usr/share/shim-signed/*x64.efi $esp/EFI/BOOT/; ...; mv|cp $esp/EFI/BOOT/{shim,boot}x64.efi
).
I suppose it will fail too if shimx64.efi is renamed (instead of copied) to bootx64.efi even if bootx64.csv is included. So it probably is still bad unless it ships also bootx64.efi (a dup of shimx64.efi).
Added a note on the wiki page already though.
Pinned Comments
nl6720 commented on 2021-05-28 11:19 (UTC)
shim 15.4 requires SBAT. It will not launch EFI binaries without a
.sbat
section.nl6720 commented on 2016-12-07 13:17 (UTC) (edited on 2023-12-15 09:27 (UTC) by nl6720)
shimx64.efi
is signed with Microsoft key, they also have a hardcoded Ubuntu key inside. MokManager (mmx64.efi
) is signed with Ubuntu's key.shimx64.efi
can launch any EFI binary signed with Microsoft keys.More information is available on the wiki: Secure Boot#shim.
fbx64.efi
scan the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.