andreyv / sbupdate

Generate and sign kernel images for UEFI Secure Boot on Arch Linux
GNU General Public License v3.0

SBAT support for new shim #48

Closed solsticedhiver closed 2 years ago

solsticedhiver commented 2 years ago

The newer shim (shim-signed 15.4) requires a SBAT section for the EFI binary.

https://github.com/rhboot/shim/blob/main/SBAT.md

Please add support to sign kernels with an appropriate SBAT section to boot with the new shim-signed package.

Maryse47 commented 2 years ago

This project works with custom Secure Boot keys so why would you need shim?

solsticedhiver commented 2 years ago

This project is used to sign and update linux kernel. The way you boot the kernel is up to you.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_your_own_keys

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_a_signed_boot_loader

solsticedhiver commented 2 years ago

Never mind, there is already a .sbat section, possibly created by sbsign.

The command to check that is

objdump -j .sbat -s /path/to/binary.efi
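
The same check as the objdump command above, done by walking the PE section table and parsing the .sbat CSV; this is an added example, not part of the original thread or of sbupdate. The sample image and its `example.component` entry are constructed, and the first row follows the header format described in the linked SBAT.md.

```python
import csv, io, struct

# Constructed sample .sbat content; "example.component" is a made-up entry.
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"example.component,1,Example Vendor,example,0.0.0,https://example.invalid/\n")

def build_sample(section_name, body):
    """Build a minimal constructed PE image: DOS header, COFF header, one section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew lives at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)
    raw_off = 0x40 + 24 + 40                                    # data follows the section table
    sect = section_name.ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(body), 0x1000, len(body), raw_off, 0, 0, 0, 0, 0x40000040)
    return dos + coff + sect + body

def read_sbat(pe):
    """Return [(component, generation), ...] from .sbat, or None if the section is absent."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    pe_off, = struct.unpack_from("<I", pe, 0x3C)
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsect, = struct.unpack_from("<H", pe, pe_off + 6)
    opt_size, = struct.unpack_from("<H", pe, pe_off + 20)
    table = pe_off + 24 + opt_size                              # first section header
    for i in range(nsect):
        hdr = table + 40 * i
        if pe[hdr:hdr + 8].rstrip(b"\0") != b".sbat":
            continue
        vsize, _va, rsize, raw = struct.unpack_from("<IIII", pe, hdr + 8)
        data = pe[raw:raw + min(vsize or rsize, rsize)]
        text = data.split(b"\0", 1)[0].decode("utf-8")          # section may be NUL-padded
        rows = csv.reader(io.StringIO(text))
        return [(r[0], int(r[1])) for r in rows if len(r) >= 2]
    return None

if __name__ == "__main__":
    print(read_sbat(build_sample(b".sbat", SAMPLE_SBAT)))
```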

Maryse47 commented 2 years ago

> This project is used to sign and update linux kernel

Actually, this project creates an EFI image with the Linux kernel included, which, if signed, allows you to avoid any intermediaries like shim. It's simpler, with less attack surface. Just FYI.