qzed
commented
2 years ago It turns out that openSUSE provides a signed shim for Leap at https://download.opensuse.org/distribution/leap/15.4/repo/oss/aarch64/ (direct link). This can be used to boot grub via prior a enrolled hash, but unfortunately grub doesn't want to load other images. In addition it seems that the devicetree command is not allowed in lockdown mode.
Fedora patches grub to make it play nice with shim. We may need to do the same thing / pull in those patches. Unfortunately, however, those patches seem to be the ones breaking boot (#12). So we should first figure out why that is and how we can fix it.
Secure Boot doesn't work. The problem is that there doesn't seem to be a signed shim for AArch64 (
shimaa64.efi). Until Microsoft / the UEFI CA provides one, there is currently nothing we can do about that.