Package Details: shim-signed 15.8+ubuntu+1.58-1

Git Clone URL: https://aur.archlinux.org/shim-signed.git
Package Base: shim-signed
Description: Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64 and AA64 binaries from Ubuntu)
Upstream URL: https://packages.ubuntu.com/noble/shim-signed
Keywords: fbx64 mmx64 MokManager SecureBoot shim shimx64 UEFI
Licenses: BSD-2-Clause
Submitter: nl6720
Maintainer: nl6720
Last Packager: nl6720
Votes: 30
Popularity: 2.53
First Submitted: 2016-12-07 12:04 (UTC)
Last Updated: 2024-04-10 11:55 (UTC)

Pinned Comments

nl6720 commented on 2021-05-28 11:19 (UTC)

shim 15.4 requires SBAT. It will not launch EFI binaries without a .sbat section.

nl6720 commented on 2016-12-07 13:17 (UTC) (edited on 2023-12-15 09:27 (UTC) by nl6720)

shimx64.efi is signed with the Microsoft key; it also has a hardcoded Ubuntu key inside. MokManager (mmx64.efi) is signed with Ubuntu's key.

shimx64.efi can launch any EFI binary signed with Microsoft keys.

More information is available on the wiki: Secure Boot#shim.

fbx64.efi scans the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.

Latest Comments

tom.ty89 commented on 2022-05-31 14:41 (UTC) (edited on 2022-05-31 14:46 (UTC) by tom.ty89)

It seems to me that it's a bad idea to include fbx64.efi in the package, especially when bootx64.csv is not included, since shim will appear to fail with no reason if a user copied fbx64.efi to the ESP as well (by doing something like cp /usr/share/shim-signed/*x64.efi $esp/EFI/BOOT/; ...; mv|cp $esp/EFI/BOOT/{shim,boot}x64.efi).

I suppose it will fail too if shimx64.efi is renamed (instead of copied) to bootx64.efi even if bootx64.csv is included. So it probably is still bad unless it ships also bootx64.efi (a dup of shimx64.efi).

Added a note on the wiki page already though.

nl6720 commented on 2022-05-27 08:24 (UTC)

I added shimia32.efi, mmia32.efi and fbia32.efi to the package. IMHO the files are small enough to not warrant a separate package.

Raansu commented on 2022-05-25 07:26 (UTC)

Would it be possible to add a package for ia32?
I noticed Fedora has an ia32 shim package and I have an HP Pro Tablet 408 G1 that supports secure boot but has a 32 bit UEFI, although it has a 64 bit compatible CPU that runs Arch Linux fine.

Bobrolak commented on 2022-01-05 10:50 (UTC)

small update: systemd-boot of systemd 250 is now building with SBAT by default: https://github.com/systemd/systemd/blob/main/NEWS

steadfasterX commented on 2021-11-09 13:44 (UTC)

Finally I stumbled over this (SBAT) as well.

I use rEFInd as bootloader and was not able to get it booting anymore after upgrading to this latest shim release.

Adding a .sbat entry is easy, while it still does not work actually... Main reason: when adding a sbat section, it will not be appended but added to the beginning of the sections - which then lets EFI fail.

There is a solution/workaround though.

Check this out: https://github.com/rhboot/shim/issues/376#issuecomment-964137621
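
Added example (not part of any comment on this page, and not code from the package or from shim): a minimal PE section-table reader that reports whether an EFI binary carries a .sbat section, which shim 15.4 requires, and whether that section has the highest virtual address, which is the placement detail the comment above describes. The function names, the sample images and the second SBAT record are constructed for illustration.

```python
import struct

def pe_sections(data):
    """Return [(name, virtual_address, raw_offset, raw_size)] for a PE/COFF image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: we need NumberOfSections and SizeOfOptionalHeader.
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(count):  # each section header is 40 bytes
        name, _, vaddr, rsize, roff = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, roff, rsize))
    return sections

def sbat_report(data):
    """Say whether .sbat exists, whether it has the highest address, and its text."""
    sections = pe_sections(data)
    hit = [s for s in sections if s[0] == ".sbat"]
    if not hit:
        return {"has_sbat": False, "sbat_is_last": False, "sbat": None}
    _, vaddr, roff, rsize = hit[0]
    text = data[roff:roff + rsize].rstrip(b"\0").decode("utf-8", "replace")
    return {"has_sbat": True, "sbat_is_last": vaddr == max(s[1] for s in sections), "sbat": text}

def build_sample(sections):
    """Constructed test input: PE headers plus raw section data, not a bootable image."""
    head = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", head, 0x3C, 0x40)
    head += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    body, off = b"", len(head) + 40 * len(sections)
    for name, vaddr, payload in sections:
        head += struct.pack("<8sIIII16x", name.encode(), len(payload), vaddr, len(payload), off)
        body, off = body + payload, off + len(payload)
    return bytes(head + body)

# Constructed SBAT payload: first line is the standard SBAT header record, second is made up.
SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
        b"example.loader,1,Example Vendor,example-loader,1.0,https://example.invalid/\n")
CODE = b"\x90" * 32
NO_SBAT = build_sample([(".text", 0x1000, CODE)])
APPENDED = build_sample([(".text", 0x1000, CODE), (".sbat", 0x2000, SBAT)])
PREPENDED = build_sample([(".sbat", 0x1000, SBAT), (".text", 0x2000, CODE)])
```

On a real binary, pass the bytes of the file (for example the boot loader copied to the ESP) to sbat_report and check both flags before relying on it under shim 15.4 or later.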

michael.shepherd commented on 2021-07-15 21:41 (UTC)

Download of https://deb.debian.org/debian/pool/main/s/shim-signed/shim-signed_1.33+15+1533136590.3beb971-7_amd64.deb via curl ends with a 404 error (Debian already uses shim-signed 1.36), so the package could not be installed anymore.

nl6720 commented on 2021-05-31 11:18 (UTC)

I found MokManager. It's in shim-helpers-amd64-signed 1+15+1533136590.3beb971+7+deb10u1.

nl6720 commented on 2021-05-31 11:15 (UTC)

From the looks of it, Debian's shim-signed 1.33+15+1533136590.3beb971-7 doesn't ship MokManager.

nl6720 commented on 2021-05-31 11:14 (UTC)

No, shim 15.4 will not launch even previously enrolled EFI binaries. SBAT is an upstream shim 15.4 feature, so it shouldn't matter if the shim is from Debian, Ubuntu or SUSE (admittedly, I haven't actually tried them).

For boot loaders:

AFAIK other boot loaders have not yet implemented adding a .sbat section.

If anyone wants to try, here's a diff for the 15.4.f4 PKGBUILD:

diff --git a/PKGBUILD b/PKGBUILD
index 0b3ac3a..dcc196d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,24 +1,16 @@
 # Maintainer: nl6720 <nl6720@archlinux.org>

 pkgname='shim-signed'
-pkgver='15.f8'
-pkgrel='2'
+pkgver='15.4.f4'
+pkgrel='1'
 pkgdesc='Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt X64 EFI binaries from Fedora)'
 url='https://koji.fedoraproject.org/koji/packageinfo?packageID=14502'
 arch=('any')
 license=('BSD')
 options=('!strip')
 noextract=('shim-x64-13-4.x86_64.rpm')
-source=("https://kojipkgs.fedoraproject.org/packages/shim/${pkgver//.f/\/}/x86_64/shim-x64-${pkgver//.f/-}.x86_64.rpm"
-        'https://kojipkgs.fedoraproject.org/packages/shim-signed/13/4/x86_64/shim-x64-13-4.x86_64.rpm')
-sha512sums=('bea58059801c9af1f9beab675cf7b6bb7262278b1fe874cb56c3dec051a71236a352d3444f82ee0204518fdf1e18cbde4ce2d240dc1223dda2409ea23c3daa48'
-            'b6091fd4154b7cd4353e9bea2bcd0b796864c3c268a5a9ebce90e738afc7ab30924099b2127eec108d62da96983147c4d40292ed391ed1b2cfe5257b8d6fd474')
-
-prepare() {
-   cd "${srcdir}"
-   # Use old MokManager from Fedora's shim-signed 13-4, https://github.com/rhboot/shim/issues/143 
-   bsdtar -f shim-x64-13-4.x86_64.rpm -x boot/efi/EFI/fedora/mmx64.efi
-}
+source=("https://kojipkgs.fedoraproject.org/packages/shim/${pkgver//.f/\/}/x86_64/shim-x64-${pkgver//.f/-}.x86_64.rpm")
+sha512sums=('6650236531ef22f8b4da694eec912e506ed698cc33f0737716ed4aee9ae4a13bdb1799b25a97608566f5566541d6bbb98636caa689804c24e947d013712e2d9f')

 package() {
    install -D -m0644 -t "${pkgdir}/usr/share/${pkgname}/" "${srcdir}/boot/efi/EFI/fedora/shimx64.efi"
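
Review bot: the unchanged noextract=('shim-x64-13-4.x86_64.rpm') line is left stale by this hunk. The 13-4 RPM is dropped from source and the prepare() that pulled mmx64.efi out of it is removed, so noextract no longer names any source file and should be deleted in the same change. With prepare() gone, MokManager now has to come from the 15.4 RPM; the visible part of package() only installs shimx64.efi, so the mmx64.efi install line further down should be checked to confirm it points at a path the new RPM actually extracts to under ${srcdir}. The single remaining sha512sums entry is the only integrity check on a binary that sits at the root of the Secure Boot chain, so it is worth confirming it against the Koji build independently before using this PKGBUILD.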