@nl6720 https://fedoramagazine.org/announcing-fedora-33/ see "A note on Secure Boot".
Idk what they mean by "before broad-scale certificate revocation takes place" because Windows updates the list regardless of vendors providing updated firmware.
Search Criteria
Package Details: shim-signed 15.f8-2
| Git Clone URL: | https://aur.archlinux.org/shim-signed.git (read-only, click to copy) |
|---|---|
| Package Base: | shim-signed |
| Description: | Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt X64 EFI binaries from Fedora) |
| Upstream URL: | https://koji.fedoraproject.org/koji/packageinfo?packageID=14502 |
| Keywords: | fbx64 mmx64 MokManager SecureBoot shim UEFI |
| Licenses: | |
| Submitter: | nl6720 |
| Maintainer: | nl6720 |
| Last Packager: | nl6720 |
| Votes: | 11 |
| Popularity: | 1.27 |
| First Submitted: | 2016-12-07 12:04 |
| Last Updated: | 2020-09-29 09:29 |
chandradeepdey commented on 2021-01-23 17:20
nl6720 commented on 2021-01-23 11:54
UEFI Revocation List dbxupdate_x64.bin, dated October 12, 2020, contains three certs as far as dbxtool can tell. I don't really know how to find out what they are.
shimx64.efi is signed with Microsoft Corporation UEFI CA 2011, is it really blacklisted? @chandradeepdey, has this issue been reported to Fedora?
chandradeepdey commented on 2021-01-23 10:11
The key used to sign shimx64.efi is blacklisted for months now and Fedora isn't releasing a new version. Can this be switched to the Ubuntu shim and shim-signed packages?
nl6720 commented on 2019-12-19 20:42
shim is compiled with gnu-efi. The MokManager from 13.4 will be needed until Fedora recompiles their shim with a fixed gnu-efi (I forgot which version contains the fix, but the latest should be fine). That will most likely not happen until there is new version of shim.
Soroshi commented on 2019-12-19 20:31
I'm not clear how gnu-efi is related to shim (is it compiled into shim?), but with this issue closed (https://github.com/rhboot/shim/issues/143), do we still need to be pulling version 13.4 of MokManager?
jussihi commented on 2018-08-09 16:08
the openssl command did not fail, and the boot configuration (USB stick) worked on other laptop flawlessly. I don't know what's up with that but I think that the bug is in shim itself. I opened an issue on their Github (https://github.com/rhboot/shim/issues/143).
Thanks for a quick response though! Shim seems to work on every machine except my own laptop :)
nl6720 commented on 2018-08-09 11:11
Just because it has a .cer or .der extension doesn't mean that it's a DER format certificate.
Run openssl x509 -noout -text -inform DER -in MOK.cer. If it fails then the cert is not in DER format and you need to convert it.
jussihi commented on 2018-08-09 09:08
I keep getting the error "Unsupported Format: Only DER encoded certificate (*.cer/der/crt) is supported"
From source code (https://github.com/rhboot/shim/blob/master/MokManager.c#L1908) it seems like I have a wrong filename suffix for my cert, but the file name is indeed "MOK.cer".
Is this a bug?
crazyh commented on 2018-04-24 15:29
Sorry, my mistake.
nl6720 commented on 2018-04-24 07:01
This package has no hardcoded /boot/efi/ paths. The EFI binaries are installed to /usr/share/shim-signed/.
Pinned Comments
nl6720 commented on 2016-12-07 13:17
shimx64.efiis signed with Microsoft key, it also has a hardcoded Fedora key inside. MokManager (mmx64.efi) is signed with Fedora key.shimx64.efican launch any EFI binary signed with Microsoft keys.More information is available on the wiki: Secure Boot#shim.
fbx64.efiscans the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.