Questions on the instructions in BUILDING

[TBOpen]

I was thinking of updating my shim and reading building I see:

_- POST_PROCESS_PEFLAGS This allows you to add flags to the invocation of "post-process-pe", for example to disable the NX compatibility flag.

But I thought I read that NX compatibility flag is NOT set by default?

What would be the way to set the NX flag?

Vendor SBAT data: It will sometimes be requested by reviewers that a build includes extra .sbat data. The mechanism to do so is to add a CSV file in data/ with the name sbat.FOO.csv, where foo is your EFI subdirectory name. The build system will automatically include any such files.

What is "your EFI subdirectory" ?

[aronowski]

The NX compatibility flag being enabled by default got introduced with https://github.com/rhboot/shim/commit/7c7642530fab73facaf3eac233cfbce29e10b0ef. This got introduced after shim 15.7 got released, therefore once shim 15.7 is to be reviewed, there are several methods one can use:

• port the patch to a 15.7 release
• change the building process so that post-process-pe runs on the shimx64.efi binary with the -n option rather than -N (meaning it should enable NX rather than disable: https://github.com/rhboot/shim/blob/main/post-process-pe.c)

[TBOpen]

I think I'll wait for 15.8 and hopefully they will also have guides if you should update sbat versions, if grub needs updating, or if certificates should be changed.