Closed solsticedhiver closed 2 years ago
This project works with custom Secure Boot keys so why would you need shim?
This project is used to sign and update linux kernel. The way you boot the kernel is up to you.
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_your_own_keys
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_a_signed_boot_loader
Never mind, there is already a .sbat section, possibly created by sbsign.
The command to check that is
objdump -j .sbat -s /path/to/binary.efi
This project is used to sign and update linux kernel
Actually, this project creates an EFI image with the Linux kernel included, which, if signed, allows you to avoid any intermediaries like shim. It's simpler, with less attack surface. Just FYI.
The newer shim (shim-signed 15.4) requires a SBAT section for the EFI binary.
https://github.com/rhboot/shim/blob/main/SBAT.md
Please add support to sign kernels with an appropriate SBAT section to boot with the new shim-signed package.
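A pure-Python equivalent of the objdump check mentioned in this thread, added here as an example (it is not code from this project or from shim): it walks the PE section table, extracts `.sbat` and parses its CSV rows into component name and generation. The sample image and its `linux` row are constructed, and `find_section`, `parse_sbat` and `build_sample` are names chosen for this example.

```python
import csv
import io
import struct

def find_section(pe: bytes, name: bytes):
    """Return the file bytes of the named PE section, or None if it is absent."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: no MZ header")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: no PE signature")
    (nsect,) = struct.unpack_from("<H", pe, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", pe, pe_off + 20)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    for hdr in range(table, table + 40 * nsect, 40):
        vsize, _va, raw_size, raw_off = struct.unpack_from("<4I", pe, hdr + 8)
        if pe[hdr:hdr + 8].rstrip(b"\0") == name:
            size = min(vsize, raw_size) if vsize else raw_size
            if raw_off + size > len(pe):
                raise ValueError("section data runs past end of file")
            return pe[raw_off:raw_off + size]
    return None

def parse_sbat(section: bytes):
    """Parse SBAT CSV rows into (component, generation, remaining fields)."""
    text = section.split(b"\0", 1)[0].decode("utf-8")
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) < 2 or not row[1].isdigit():
            raise ValueError(f"malformed SBAT row: {row!r}")
        entries.append((row[0], int(row[1]), row[2:]))
    return entries

# Constructed sample: the "sbat" row follows SBAT.md, the "linux" row is made up.
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"linux,1,Example Vendor,linux,0.0.0,https://example.invalid/\n")

def build_sample(sbat: bytes) -> bytes:
    """Build a constructed, minimal PE image holding one .sbat section (not bootable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)
    sect = b".sbat\0\0\0" + struct.pack("<4I", len(sbat), 0x1000, 0x200, 0x200) + b"\0" * 16
    return (dos + coff + sect).ljust(0x200, b"\0") + sbat.ljust(0x200, b"\0")

if __name__ == "__main__":
    for component, generation, _rest in parse_sbat(find_section(build_sample(SAMPLE_SBAT), b".sbat")):
        print(component, generation)
```

To check a real image, pass the bytes of the `.efi` file to `find_section`; a `None` result means the binary has no `.sbat` section.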