Closed rwasef1830 closed 2 years ago
Neither of the shim files used in SUISBD is present in the UEFI revocation file; however, Microsoft's revocation lists may (and probably do) include additional revocation information, so UEFI Forum's dbxupdate.bin may not be complete, so to speak.
The current signed shim version from Fedora contains a bug which prevents it from booting on some machines. I'll update SUISBD to use the known-good shim-15-8 version, but this disk was created as a proof-of-concept and is not planned to be maintained or enhanced. I should stress that in the readme.
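As an added example (not code from the SUISBD project or from anyone in this thread), here is a small Python parser for dbx content that checks whether a given SHA-256 Authenticode digest or DER certificate appears either in a raw .esl file or in a UEFI Forum dbxupdate.bin that still carries its authenticated-variable header. The `build_sha256_esl` helper and every digest below are constructed for the demonstration; real dbx entries are Authenticode digests of the PE image, not hashes of the raw file bytes.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI spec (EFI_CERT_SHA256_GUID, EFI_CERT_X509_GUID),
# stored in the on-disk mixed-endian layout that uuid.bytes_le produces.
SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
ESL_TYPES = {SHA256_GUID: "sha256", X509_GUID: "x509"}

def strip_auth2_header(data: bytes) -> bytes:
    """dbxupdate.bin is an EFI_VARIABLE_AUTHENTICATION_2 payload: EFI_TIME (16 bytes)
    followed by WIN_CERTIFICATE_UEFI_GUID, whose dwLength covers the whole certificate
    structure (8-byte header + CertType GUID + PKCS#7 blob). A raw .esl file starts
    directly with a signature-type GUID and has no such header."""
    if data[:16] in ESL_TYPES:
        return data
    (dw_length,) = struct.unpack_from("<I", data, 16)
    return data[16 + dw_length:]

def parse_esl(data: bytes):
    """Yield (type, owner_guid, payload) for each entry in a chain of EFI_SIGNATURE_LISTs."""
    off = 0
    while off + 28 <= len(data):
        sig_type = data[off:off + 16]
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(data):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield ESL_TYPES.get(sig_type, sig_type.hex()), owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def dbx_revokes(dbx: bytes, value: bytes) -> bool:
    """True if value (a 32-byte Authenticode SHA-256 digest, or a DER certificate)
    matches a sha256 or x509 entry in the dbx payload."""
    return any(t in ("sha256", "x509") and payload == value
               for t, _, payload in parse_esl(strip_auth2_header(dbx)))

def build_sha256_esl(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Constructed helper: pack SHA-256 digests into one EFI_SIGNATURE_LIST (no header)."""
    entries = b"".join(owner.bytes_le + h for h in hashes)
    return SHA256_GUID + struct.pack("<III", 28 + len(entries), 0, 16 + 32) + entries
```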
It is recommended to use the shim version of a recent linux distribution such as ubuntu
Ubuntu's shim does not load third-party EFI executables, so it's not suitable for the purpose of this disk. I have not checked OpenSUSE.
The shim provided in the newest release appears to not be bootable (with secure boot enabled) on Lenovo Thinkpad E14 gen3 laptops. I tested a few things and I was able to get the shim included in the latest release of Fedora to boot on the device, but I am unable to get it to boot the preloader binary when using the updated shim (I assume some sort of security restriction?). I am able to get other MOK-signed EFI binaries to boot on that laptop using the latest Fedora shim, such as iPXE.
If you have any advice on what I could try to fix this on my own that would be awesome. I'm not against compiling things from source if needed.
@3pichaxz0r, what exactly happens when you try to boot the disk?
Specifically on these newer Lenovo laptops it just flashes the screen for a second (like it's attempting to boot) and then just shows the boot menu again. With secure boot disabled it works fine. On any older laptops or desktops I test it on it works fine too.
If you'd like me to gather any information from the Lenovo laptops that won't boot, such as denied secure boot certificates, let me know.
@3pichaxz0r This sounds like it successfully loads the file but something is wrong with preloader. As far as I remember, I stripped out all UI, will try to return it back and make a file for you.
You are probably right. I thought the shim was the issue because I thought I remembered testing my self-signed iPXE binary with the provided shim and having the same issue, but I just tested again to make sure and it was able to successfully boot the self-signed iPXE binary I made using the provided shim.
I really appreciate the help
@ValdikSS I recently learned Ventoy uses your Super-UEFIinSecureBoot-Disk. And after upgrading the BIOS I can't use it anymore with secure boot enabled. Can you have a look at the issue I created there, and can you share your thoughts on this? https://github.com/ventoy/Ventoy/issues/1666
@ValdikSS Solved: https://github.com/ventoy/Ventoy/issues/1243#issuecomment-1366812283
Hello. On new motherboards such as the Gigabyte B550 Vision D-P, the UEFI comes out of the box with the Microsoft UEFI CA issued in 2011 in the revoked keys list, so all such motherboards will refuse to boot the shim version used in this project.
It is recommended to use the shim version of a recent linux distribution such as ubuntu or opensuse.
Details about the revocation: https://support.microsoft.com/en-us/topic/microsoft-guidance-for-applying-secure-boot-dbx-update-kb4575994-e3b9e4cb-a330-b3ba-a602-15083965d9ca