On Mon, 8 Sept 2025 at 16:51, Chris Adams via arm <arm@xxxxxxxxxxxxxxxxxxxxxxx> wrote: > > Once upon a time, Udo Seidel <udoseidel@xxxxxx> said: > > I can say that MS has signed shims for other AArch64 distributions. > > I tested Debian, Rocky Linux, Oracles OEL and SUSEs SLES as well as > > openSUSE. BTW, the RHEL shim is only signed by Red Hat and not > > co-signed by Microsoft. > > Okay, then that answers the "will MS do it" part. That's good to know. > Then it's a matter of Fedora having time and resources to go through > setting it all up and submitting shim (which is still a big hurdle). They have been signing shim for some time, there was some requirements around some security requirements but they were fixed well over 2 years ago. > Most (all? not sure) Fedora AArch64 supported hardware uses u-boot, No, that's incorrect, there's a LOT of enterprise hardware that doesn't and has secure boot enabled and ready to go, as does Jetson hardware and a number of other options. > which might be impractical to use with Secure Boot; I'd guess each image > would have to be signed, and I don't know if there's even board firmware > that implements a Secure Boot loader anyway (so it'd be mostly useless > for those platforms). U-Boot upstream has supported UEFI secure boot for a while. I've been meaning on looking into it and enrolling the Fedora keys into our builds so it's there across all our officially supported devices. -- _______________________________________________ arm mailing list -- arm@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to arm-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/arm@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
