Hi,

> > I'm with you on that.  Unfortunately the boot loader team is not.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=2108083
> >
> > tl;dr: You can't boot Fedora in secure boot mode without microsoft keys
> > today.  grub.efi refuses to work without shim.efi, and shim.efi exists
> > only in a microsoft-signed version (which differed from rhel where a
> > second, redhat-signed shim binary exists).
> >
> > Oh, and the above applies to x86 only.  On arm fedora shim.efi is not
> > signed and grub.efi is signed with the (public) redhat test keys.
> 
> So what is holding Fedora back from providing a fixed shim binary if
> it doesn't need to be signed by Microsoft?

I'd love to have a serious answer for that question, but I haven't.
Usually I get either no answer, or something along the lines of
"-ENOTIME because of $otherwork".

Right now waiting for v6.7-final before sending a new shim.efi to
microsoft for signing and the desire to keep all archs in sync also
plays a role (I guess).

Technically there is no good reason, fedora even has a separate
shim-unsigned-$arch.rpm which could be up-to-date all the time on all
architectures, independent from the microsoft signing process.  But that
is right now at v15.6, which is not even the latest (v15.7) release.
And 15.7 is more than one year old already ...

> To be honest (and I know I am preaching to the choir here), the more I
> learn about this, the less I am inclined to make *any* accommodations
> whatsoever, given that the boot loader team obviously does not give a
> shit about their crappy boot chain.

Can understand that sentiment.  Problem is this hits the wrong people,
and the fallout goes beyond rhel + fedora because the rh team also
maintains upstream shim.

take care,
  Gerd


