Hi Denis,
On Sun, 7 Sep 2025, Dennis Gilmore wrote:
> Last I knew, we did not have hardware available to sign the
...
> to sign the binaries yourself and enroll and trust the keys in the
> system.
ah - thanks for the clarification. That also explains why other Linux
distribution - even RHEL-based - come with MS signed SHIM.
Thanks,
Udo
>
> Dennis
>
> On Sun, Sep 7, 2025 at 4:40 AM Udo Seidel via arm
> <arm@lists.fedoraproject.org> wrote:
>>
>>
>> Hi there,
>> any hints on this topic?
>> Cheers, Udo
>>
>> On Sun, 31 Aug 2025, Udo Seidel wrote:
>>
>>>
>>> Dear all,
>>> I failed to find the answer myself. :-(
>>> It seems to me that the AARCH64 version of Fedora is not enabled for UEFI
>>> Secure Boot like the x86_64 version. I.e., the shim EFI binary is not signed
>>> and neither is the kernel (see below). What am I missing? What am I doing
>>> wrong?
>>> Background: I want to use AARCH64 Fedora in a UEFI Secure Boot environment
>>> with the the pre-deployed keys from Microsoft.
>>> Thanks, Udo
>>>
>>>
>>> AARCH64
>>>
>>> # uname -r
>>> 6.15.10-200.fc42.aarch64
>>> # sbverify --list /boot/efi/EFI/fedora/shimaa64.efi
>>> warning: data remaining[830464 vs 971654]: gaps between PE/COFF sections?
>>> warning: data remaining[830464 vs 971656]: gaps between PE/COFF sections?
>>> No signature table present
>>> # sbverify --list /boot/vmlinuz-6.15.10-200.fc42.aarch64
>>> No signature table present
>>> #
>>>
>>>
>>>
>>> X86_64
>>>
>>> # uname -r
>>> 6.15.7-200.fc42.x86_64
>>> root@ronin:~# sbverify --list /boot/efi/EFI/fedora/shimx64.efi
>>> warning: data remaining[823272 vs 949424]: gaps between PE/COFF sections?
>>> signature 1
>>> image signature issuers:
>>> - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft
>>> Corporation UEFI CA 2011
>>> image signature certificates:
>>> - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft
>>> Corporation/CN=Microsoft Windows UEFI Driver Publisher
>>> issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft
>>> Corporation/CN=Microsoft Corporation UEFI CA 2011
>>> - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft
>>> Corporation/CN=Microsoft Corporation UEFI CA 2011
>>> issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft
>>> Corporation/CN=Microsoft Corporation Third Party Marketplace Root
>>> # sbverify --list /boot/vmlinuz-6.15.9-201.fc42.x86_64
>>> signature 1
>>> image signature issuers:
>>> - /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora Secure Boot
>>> CA 20200709/CN=fedoraca
>>> image signature certificates:
>>> - subject: /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora
>>> Secure Boot Signer/OU=bkernel01 kernel/CN=kernel-signer
>>> issuer: /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora
>>> Secure Boot CA 20200709/CN=fedoraca
>>> #
>>>
>>>
>>>
>>>
>>>
>>>
>> --
>> _______________________________________________
>> arm mailing list -- arm@lists.fedoraproject.org
>> To unsubscribe send an email to arm-leave@lists.fedoraproject.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/arm@lists.fedoraproject.org
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>
No comments:
Post a Comment