Package Details: shim-signed 15.8+ubuntu+1.58-1

Git Clone URL: https://aur.archlinux.org/shim-signed.git (read-only)
Package Base: shim-signed
Description: Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64 and AA64 binaries from Ubuntu)
Upstream URL: https://packages.ubuntu.com/noble/shim-signed
Keywords: fbx64 mmx64 MokManager SecureBoot shim shimx64 UEFI
Licenses: BSD-2-Clause
Submitter: nl6720
Maintainer: nl6720
Last Packager: nl6720
Votes: 32
Popularity: 0.87
First Submitted: 2016-12-07 12:04 (UTC)
Last Updated: 2024-04-10 11:55 (UTC)

Pinned Comments

nl6720 commented on 2021-05-28 11:19 (UTC)

shim 15.4 requires SBAT. It will not launch EFI binaries without a .sbat section.

nl6720 commented on 2016-12-07 13:17 (UTC) (edited on 2023-12-15 09:27 (UTC) by nl6720)

shimx64.efi is signed with Microsoft's key; it also has a hardcoded Ubuntu key inside. MokManager (mmx64.efi) is signed with Ubuntu's key.

shimx64.efi can launch any EFI binary signed with Microsoft keys.

More information is available on the wiki: Secure Boot#shim.

fbx64.efi scans the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.

Latest Comments


michael.shepherd commented on 2021-07-15 21:41 (UTC)

Download of https://deb.debian.org/debian/pool/main/s/shim-signed/shim-signed_1.33+15+1533136590.3beb971-7_amd64.deb via curl ends with a 404 error (Debian already uses shim-signed 1.36), so the package cannot be installed anymore.

nl6720 commented on 2021-05-31 11:18 (UTC)

I found MokManager. It's in shim-helpers-amd64-signed 1+15+1533136590.3beb971+7+deb10u1.

nl6720 commented on 2021-05-31 11:15 (UTC)

From the looks of it, Debian's shim-signed 1.33+15+1533136590.3beb971-7 doesn't ship MokManager.

nl6720 commented on 2021-05-31 11:14 (UTC)

No, shim 15.4 will not launch even previously enrolled EFI binaries. SBAT is an upstream shim 15.4 feature, so it shouldn't matter whether the shim is from Debian, Ubuntu or SUSE (admittedly, I haven't actually tried them).

For boot loaders:

AFAIK other boot loaders have not yet implemented adding a .sbat section.

If anyone wants to try, here's a diff for the 15.4.f4 PKGBUILD:

diff --git a/PKGBUILD b/PKGBUILD
index 0b3ac3a..dcc196d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,24 +1,16 @@
 # Maintainer: nl6720 <nl6720@archlinux.org>

 pkgname='shim-signed'
-pkgver='15.f8'
-pkgrel='2'
+pkgver='15.4.f4'
+pkgrel='1'
 pkgdesc='Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt X64 EFI binaries from Fedora)'
 url='https://koji.fedoraproject.org/koji/packageinfo?packageID=14502'
 arch=('any')
 license=('BSD')
 options=('!strip')
 noextract=('shim-x64-13-4.x86_64.rpm')
-source=("https://kojipkgs.fedoraproject.org/packages/shim/${pkgver//.f/\/}/x86_64/shim-x64-${pkgver//.f/-}.x86_64.rpm"
-        'https://kojipkgs.fedoraproject.org/packages/shim-signed/13/4/x86_64/shim-x64-13-4.x86_64.rpm')
-sha512sums=('bea58059801c9af1f9beab675cf7b6bb7262278b1fe874cb56c3dec051a71236a352d3444f82ee0204518fdf1e18cbde4ce2d240dc1223dda2409ea23c3daa48'
-            'b6091fd4154b7cd4353e9bea2bcd0b796864c3c268a5a9ebce90e738afc7ab30924099b2127eec108d62da96983147c4d40292ed391ed1b2cfe5257b8d6fd474')
-
-prepare() {
-   cd "${srcdir}"
-   # Use old MokManager from Fedora's shim-signed 13-4, https://github.com/rhboot/shim/issues/143 
-   bsdtar -f shim-x64-13-4.x86_64.rpm -x boot/efi/EFI/fedora/mmx64.efi
-}
+source=("https://kojipkgs.fedoraproject.org/packages/shim/${pkgver//.f/\/}/x86_64/shim-x64-${pkgver//.f/-}.x86_64.rpm")
+sha512sums=('6650236531ef22f8b4da694eec912e506ed698cc33f0737716ed4aee9ae4a13bdb1799b25a97608566f5566541d6bbb98636caa689804c24e947d013712e2d9f')

 package() {
    install -D -m0644 -t "${pkgdir}/usr/share/${pkgname}/" "${srcdir}/boot/efi/EFI/fedora/shimx64.efi"
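
Review bot: `noextract=('shim-x64-13-4.x86_64.rpm')` survives the hunk even though the source entry for that rpm and the prepare() that extracted boot/efi/EFI/fedora/mmx64.efi from it are both removed, so noextract now names a file that is never downloaded; delete that line too. Likewise, if the unchanged remainder of package() (only the shimx64.efi install line is visible here) still installs mmx64.efi from the 13-4 extraction path, it will fail at build time, since nothing produces that file any more; either drop it or install the mmx64.efi shipped in the 15.4-4 rpm.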

joerichey commented on 2021-05-31 11:06 (UTC)

Nevermind, I just found https://github.com/rhboot/shim/issues/373 which details the issue in greater depth.

It looks like we could switch to using the Debian version (https://packages.debian.org/buster/shim-signed) specifically 15+1533136590.3beb971-7+deb10u1 (which is currently used on Debian 10) which rotated the Debian signing keys, but didn't include the SBAT changes.

joerichey commented on 2021-05-31 10:44 (UTC)

nl6720, do you know if SBAT is required even if the EFI binary is enrolled via the MokManager? All Arch bootloaders/kernels are enrolled that way (as they aren't signed by Red Hat). If SBAT is only mandatory for Red Hat-signed binaries, then I think 15.4 would be fine.

Alternatively, we could switch to using the Debian, Ubuntu, or SUSE shim (provided that they don't have the same issue).

nl6720 commented on 2021-05-28 11:19 (UTC)

shim 15.4 requires SBAT. It will not launch EFI binaries without a .sbat section.
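
An added example, not code from this package or from upstream shim: a small Python inspector for the two properties this thread and the pinned comments turn on, the presence and content of a .sbat section (which shim 15.4 refuses to launch without, enrolled or not) and whether an Authenticode certificate table is attached at all (it does not tell you whose key signed it, which is the pinned comment's point about Microsoft vs Ubuntu keys). Header offsets follow the PE/COFF specification; the six-column SBAT CSV layout follows shim's upstream SBAT.md; `build_test_image` and `SBAT_CSV` are constructed stand-ins so the script runs offline without a real shimx64.efi.

```python
"""Inspect a UEFI PE/COFF image for what shim 15.4+ checks before launching it:
is there a .sbat section, what does its CSV say, is a certificate table attached?"""
from __future__ import annotations

import struct
from typing import Iterator


def _headers(pe: bytes) -> tuple[int, int, int]:
    """Return (coff_offset, optional_header_offset, section_table_offset)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ stub")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    return coff, coff + 20, coff + 20 + opt_size


def _sections(pe: bytes) -> Iterator[tuple[str, int, int, int]]:
    """Yield (name, VirtualSize, SizeOfRawData, PointerToRawData) per section."""
    coff, _opt, table = _headers(pe)
    for i in range(struct.unpack_from("<H", pe, coff + 2)[0]):   # NumberOfSections
        off = table + 40 * i                                     # 40-byte section headers
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        yield name, vsize, rawsize, rawptr


def sbat_section(pe: bytes) -> bytes | None:
    """Raw .sbat payload, or None when the image has no such section."""
    for name, vsize, rawsize, rawptr in _sections(pe):
        if name == ".sbat":
            # VirtualSize is the real payload length; SizeOfRawData is padded
            # up to FileAlignment, so take the smaller non-zero value.
            length = min(vsize, rawsize) if vsize else rawsize
            return pe[rawptr:rawptr + length]
    return None


def sbat_entries(pe: bytes) -> list[tuple[str, ...]]:
    """One tuple per CSV line: (component_name, component_generation, vendor_name,
    vendor_package_name, vendor_version, vendor_url), the layout in shim's SBAT.md."""
    raw = sbat_section(pe)
    if raw is None:
        return []
    text = raw.rstrip(b"\0").decode("utf-8", "replace")
    return [tuple(line.split(",")) for line in text.splitlines() if line.strip()]


def has_certificate_table(pe: bytes) -> bool:
    """True when data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) is populated,
    i.e. an Authenticode blob is attached. Which key signed it is not checked here."""
    _coff, opt, _table = _headers(pe)
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    ndirs_off, dirs = (opt + 108, opt + 112) if pe32plus else (opt + 92, opt + 96)
    if struct.unpack_from("<I", pe, ndirs_off)[0] <= 4:       # NumberOfRvaAndSizes
        return False
    rva, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    return rva != 0 and size != 0


def summarize(pe: bytes) -> dict:
    """What shim 15.4+ decides on: no .sbat section means no launch, however signed or enrolled."""
    entries = sbat_entries(pe)
    return {"sbat": entries, "signed": has_certificate_table(pe),
            "launchable_by_shim_15_4": bool(entries)}


def build_test_image(sections: dict[str, bytes], signed: bool = False) -> bytes:
    """Constructed minimal PE32+ image for offline testing, not a real boot loader:
    MZ stub, PE signature, COFF header, optional header, section table, raw data."""
    opt_size, align, e_lfanew = 240, 0x200, 0x40
    hdr_len = e_lfanew + 24 + opt_size + 40 * len(sections)
    data_start = -(-hdr_len // align) * align        # round headers up to FileAlignment
    img = bytearray(data_start)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x20B)          # PE32+ magic
    struct.pack_into("<I", img, opt + 36, align)     # FileAlignment
    struct.pack_into("<I", img, opt + 108, 16)       # NumberOfRvaAndSizes
    body, off = bytearray(), data_start
    for i, (name, data) in enumerate(sections.items()):
        raw = len(data) + (-len(data) % align)       # SizeOfRawData is alignment-padded
        hdr = opt + opt_size + 40 * i
        img[hdr:hdr + 8] = name.encode("ascii").ljust(8, b"\0")
        struct.pack_into("<IIII", img, hdr + 8, len(data), off, raw, off)
        body += data.ljust(raw, b"\0")
        off += raw
    if signed:                                       # placeholder WIN_CERTIFICATE, constructed
        struct.pack_into("<II", img, opt + 112 + 4 * 8, off, 16)
        body += b"\0" * 16
    return bytes(img + body)


# Constructed .sbat payload in the shape shim itself ships (per upstream SBAT.md).
SBAT_CSV = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
            b"shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim\n")

if __name__ == "__main__":
    print(summarize(build_test_image({".text": b"\x90" * 16, ".sbat": SBAT_CSV}, signed=True)))
    print(summarize(build_test_image({".text": b"\x90" * 16})))
```

Against a real binary, `summarize(open("shimx64.efi", "rb").read())` does the same job; `objdump -s -j .sbat shimx64.efi` from binutils dumps the section directly, and `sbverify --list shimx64.efi` from sbsigntools shows which certificate actually signed it, which this script deliberately does not attempt.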

joerichey commented on 2021-05-28 10:29 (UTC) (edited on 2021-05-28 10:35 (UTC) by joerichey)

This package should be updated to the latest version from Fedora. The old versions are currently on the DBX (due to BootHole), so users need to upgrade.

https://kojipkgs.fedoraproject.org//packages/shim/15.4/5/x86_64/shim-x64-15.4-5.x86_64.rpm

This version also fixes a lot of bugs (including the gnu-efi one), so the 13.4 workaround should no longer be needed.

chandradeepdey commented on 2021-01-23 17:20 (UTC) (edited on 2021-01-23 17:22 (UTC) by chandradeepdey)

@nl6720 https://fedoramagazine.org/announcing-fedora-33/ see "A note on Secure Boot".

Idk what they mean by "before broad-scale certificate revocation takes place" because Windows updates the list regardless of vendors providing updated firmware.