Sunday, September 7, 2025

[fedora-arm] Re: fedora with MS signed Secure Boot

Hi there,
any hints on this topic?
Cheers, Udo

On Sun, 31 Aug 2025, Udo Seidel wrote:

>
> Dear all,
> I failed to find the answer myself. :-(
> It seems to me that the AARCH64 version of Fedora is not enabled for UEFI
> Secure Boot like the x86_64 version. I.e., the shim EFI binary is not signed
> and neither is the kernel (see below). What am I missing? What am I doing
> wrong?
> Background: I want to use AARCH64 Fedora in a UEFI Secure Boot environment
> with the the pre-deployed keys from Microsoft.
> Thanks, Udo
>
>
> AARCH64
>
> # uname -r
> 6.15.10-200.fc42.aarch64
> # sbverify --list /boot/efi/EFI/fedora/shimaa64.efi
> warning: data remaining[830464 vs 971654]: gaps between PE/COFF sections?
> warning: data remaining[830464 vs 971656]: gaps between PE/COFF sections?
> No signature table present
> # sbverify --list /boot/vmlinuz-6.15.10-200.fc42.aarch64
> No signature table present
> #
>
>
>
> X86_64
>
> # uname -r
> 6.15.7-200.fc42.x86_64
> root@ronin:~# sbverify --list /boot/efi/EFI/fedora/shimx64.efi
> warning: data remaining[823272 vs 949424]: gaps between PE/COFF sections?
> signature 1
> image signature issuers:
> - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft
> Corporation UEFI CA 2011
> image signature certificates:
> - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft
> Corporation/CN=Microsoft Windows UEFI Driver Publisher
> issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft
> Corporation/CN=Microsoft Corporation UEFI CA 2011
> - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft
> Corporation/CN=Microsoft Corporation UEFI CA 2011
> issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft
> Corporation/CN=Microsoft Corporation Third Party Marketplace Root
> # sbverify --list /boot/vmlinuz-6.15.9-201.fc42.x86_64
> signature 1
> image signature issuers:
> - /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora Secure Boot
> CA 20200709/CN=fedoraca
> image signature certificates:
> - subject: /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora
> Secure Boot Signer/OU=bkernel01 kernel/CN=kernel-signer
> issuer: /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora
> Secure Boot CA 20200709/CN=fedoraca
> #
>
>
>
>
>
>
--
_______________________________________________
arm mailing list -- arm@lists.fedoraproject.org
To unsubscribe send an email to arm-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/arm@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)