Once upon a time, Dennis Gilmore <den...@ausil.us> said: > Last I knew, we did not have hardware available to sign the > secure-boot binaries at build time for AArch64. so we have not gone > through the process to have Microsoft sign shim. The way that it > works on x86_64 is that there are dedicated builders with smartcards > installed that have the keys for signing. pesign Is used to do the > signing. In order to sign the binaries on AArch64 we would need some > builders set up the same way, and then we could sign grub, shim, and > kernel. Then we would have shim signed by Microsoft and included in > the shim-signed package. Today, the only way to enable secure boot is > to sign the binaries yourself and enroll and trust the keys in the > system.
What AArch64 hardware ships with SecureBoot and MS's keys in firmware? Does that include a "third-party" key like on x86_64 (which wasn't enabled by default for example in my newest Thinkpad)? IIRC MS was treating SecureBoot on AArch64 different at one point, like I thought they were only including a key for their own use. -- Chris Adams <li...@cmadams.net> -- _______________________________________________ arm mailing list -- arm@lists.fedoraproject.org To unsubscribe send an email to arm-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/arm@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
