Is this current used version not supposed to work with booting from a USB device? Or am I missing something. I cannot boot GRUB on my USB drive with Secure Boot enabled anymore.
Using this thing in the EFI partition on my laptop and desktop builtin SSD works fine, which proves that for a part things still go actually right.
But on a portable device (on which a maintain a separate Arch installation, a bit like live disk but then actually writable and usable to work on as well) I also used it.
In this way I was nicely able to boot my drive on Secure Boot enabled systems (useful as a way for me to quickly fix problems, and also on systems where Secure Boot cannot be disabled). I sign the actual GRUB binary and kernel with my own keys.
But turns out on the USB device I was still using a Fedora shim from 2022 as it seems. But also from this AUR repo.
Pinned Comments
nl6720 commented on 2021-05-28 11:19 (UTC)
shim 15.4 requires SBAT. It will not launch EFI binaries without a
.sbat
section.nl6720 commented on 2016-12-07 13:17 (UTC) (edited on 2023-12-15 09:27 (UTC) by nl6720)
shimx64.efi
is signed with Microsoft key, they also have a hardcoded Ubuntu key inside. MokManager (mmx64.efi
) is signed with Ubuntu's key.shimx64.efi
can launch any EFI binary signed with Microsoft keys.More information is available on the wiki: Secure Boot#shim.
fbx64.efi
scan the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.