Monday, September 8, 2025

[fedora-arm] Re: fedora with MS signed Secure Boot

Thanks for your feedback

On Mon, 8 Sep 2025, Chris Adams via arm wrote:

> Once upon a time, Udo Seidel <udoseidel@gmx.de> said:
>> I was trying to use it on KVM guests on an AArch64 host. So it was
>> the AAVMF package providing the firmware. That has the famous
>> "Microsoft Corporation Third Party Marketplace Root" key. Do you
>> need more information?
>
> My point is that if there's no hardware shipping with that cert, and
> especially if that's not what MS considers the intended use of that cert
> (because at one point their rules were different between x86_64 and
> AArch64), they may not sign any code for that use. Even if Fedora did
> have the setup for signing the AArch64 pieces, MS may not sign shim.

Understood.
I can say that MS has signed shims for other AArch64 distributions. I
tested Debian, Rocky Linux, Oracle's OEL and SUSE's SLES as well as
openSUSE. BTW, the RHEL shim is only signed by Red Hat and not co-signed
by Microsoft.
I figure now that the other Linux providers have set up those dedicated
builders as described earlier in this thread and they went through the MS
signing process.

>
> If you need Secure Boot in your VMs, you'll probably have to add your
> own cert and do the signing yourself.

Understood.
