On Sun, 7 Sep 2025, Chris Adams via arm wrote:
> Once upon a time, Dennis Gilmore <dennis@ausil.us> said:
>> Last I knew, we did not have hardware available to sign the
>> secure-boot binaries at build time for AArch64. so we have not gone
>> through the process to have Microsoft sign shim. The way that it
>> works on x86_64 is that there are dedicated builders with smartcards
>> installed that have the keys for signing. pesign Is used to do the
>> signing. In order to sign the binaries on AArch64 we would need some
>> builders set up the same way, and then we could sign grub, shim, and
>> kernel. Then we would have shim signed by Microsoft and included in
>> the shim-signed package. Today, the only way to enable secure boot is
>> to sign the binaries yourself and enroll and trust the keys in the
>> system.
>
> What AArch64 hardware ships with SecureBoot and MS's keys in firmware?
I was trying to use it on KVM guests on a AArch64 host. So it was the
AAVMF package providing the firmware. Thas the famouse "Microsoft
Corporation Third Party Marketplace Root" key. Do you need more information?
> Does that include a "third-party" key like on x86_64 (which wasn't
> enabled by default for example in my newest Thinkpad)? IIRC MS was
> treating SecureBoot on AArch64 different at one point, like I thought
> they were only including a key for their own use.
--
_______________________________________________
arm mailing list -- arm@lists.fedoraproject.org
To unsubscribe send an email to arm-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/arm@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
No comments:
Post a Comment