shim is compiled with gnu-efi. The MokManager from 13.4 will be needed until Fedora recompiles their shim with a fixed gnu-efi (I forgot which version contains the fix, but the latest should be fine). That will most likely not happen until there is new version of shim.
Search Criteria
Package Details: shim-signed 15.f8-2
| Git Clone URL: | https://aur.archlinux.org/shim-signed.git (read-only, click to copy) |
|---|---|
| Package Base: | shim-signed |
| Description: | Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments |
| Upstream URL: | https://apps.fedoraproject.org/packages/shim |
| Keywords: | fbx64 mmx64 MokManager SecureBoot shim UEFI |
| Licenses: | |
| Submitter: | nl6720 |
| Maintainer: | nl6720 |
| Last Packager: | nl6720 |
| Votes: | 9 |
| Popularity: | 0.99 |
| First Submitted: | 2016-12-07 12:04 |
| Last Updated: | 2018-10-08 10:54 |
Latest Comments
nl6720 commented on 2019-12-19 20:42
Soroshi commented on 2019-12-19 20:31
I'm not clear how gnu-efi is related to shim (is it compiled into shim?), but with this issue closed (https://github.com/rhboot/shim/issues/143), do we still need to be pulling version 13.4 of MokManager?
jussihi commented on 2018-08-09 16:08
the openssl command did not fail, and the boot configuration (USB stick) worked on other laptop flawlessly. I don't know what's up with that but I think that the bug is in shim itself. I opened an issue on their Github (https://github.com/rhboot/shim/issues/143).
Thanks for a quick response though! Shim seems to work on every machine except my own laptop :)
nl6720 commented on 2018-08-09 11:11
Just because it has a .cer or .der extension doesn't mean that it's a DER format certificate.
Run openssl x509 -noout -text -inform DER -in MOK.cer. If it fails then the cert is not in DER format and you need to convert it.
jussihi commented on 2018-08-09 09:08
I keep getting the error "Unsupported Format: Only DER encoded certificate (*.cer/der/crt) is supported"
From source code (https://github.com/rhboot/shim/blob/master/MokManager.c#L1908) it seems like I have a wrong filename suffix for my cert, but the file name is indeed "MOK.cer".
Is this a bug?
crazyh commented on 2018-04-24 15:29
Sorry, my mistake.
nl6720 commented on 2018-04-24 07:01
This package has no hardcoded /boot/efi/ paths. The EFI binaries are installed to /usr/share/shim-signed/.
crazyh commented on 2018-04-24 01:43
It does not work when the ESP is mounted to /boot due to hardcoded "/boot/efi/..." paths. :(
nl6720 commented on 2016-12-07 13:17
shimx64.efi is signed with Microsoft key, it also has a hardcoded Fedora key inside.
MokManager (mmx64.efi) is signed with Fedora key.
shimx64.efi can launch any EFI binary signed with Microsoft keys.
More information is available on the wiki: Secure Boot#shim.
fbx64.efi scans the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.
Pinned Comments
nl6720 commented on 2016-12-07 13:17
shimx64.efiis signed with Microsoft key, it also has a hardcoded Fedora key inside. MokManager (mmx64.efi) is signed with Fedora key.shimx64.efican launch any EFI binary signed with Microsoft keys.More information is available on the wiki: Secure Boot#shim.
fbx64.efiscans the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.