On Mon, 8 Sept 2025 at 17:28, Kevin Fenzi via arm <arm@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Sun, Sep 07, 2025 at 07:28:38PM -0500, Dennis Gilmore via arm wrote:
> > Hi,
> >
> > Last I knew, we did not have hardware available to sign the
> > secure-boot binaries at build time for AArch64. So we have not gone
> > through the process to have Microsoft sign shim. The way that it
> > works on x86_64 is that there are dedicated builders with smartcards
> > installed that have the keys for signing. pesign is used to do the
> > signing. In order to sign the binaries on AArch64 we would need some
> > builders set up the same way, and then we could sign grub, shim, and
> > kernel. Then we would have shim signed by Microsoft and included in
> > the shim-signed package. Today, the only way to enable secure boot is
> > to sign the binaries yourself and enroll and trust the keys in the
> > system.
>
> Yep. Additionally, there is some progress on this. We have a new
> hardware setup (that we have not yet switched to) that should allow us
> to sign on aarch64. It uses a small application to gateway that signing
> request back to our sign vault which signs it. Switching to that is on
> my list, currently 2 places from the top. I'm hoping to get that done
> after Beta goes out and we are out of beta freeze.
>
> There's also a new shim version coming up, and hopefully we can get that
> signed by MS at the same time they do so for x86.
>
> Additionally, there were also some issues with the fedora kernel and
> its secure-boot lockdown patch that didn't work right, but I think
> that's since been fixed.

I believe that's all now resolved. So we need to get the Fedora signing
stuff in place and then sign shim and we're done. \o/

> Also, it breaks kexec, and I am not sure where
> that is at, but it's not a blocker I don't think.
>
> So anyhow, slow (sometimes very slow) progress is being made.
> --
> > Dennis
> >
> > On Sun, Sep 7, 2025 at 4:40 AM Udo Seidel via arm
> > <arm@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > >
> > > Hi there,
> > > any hints on this topic?
> > > Cheers, Udo
> > >
> > > On Sun, 31 Aug 2025, Udo Seidel wrote:
> > >
> > > > Dear all,
> > > > I failed to find the answer myself. :-(
> > > > It seems to me that the AARCH64 version of Fedora is not enabled for UEFI
> > > > Secure Boot like the x86_64 version. I.e., the shim EFI binary is not signed
> > > > and neither is the kernel (see below). What am I missing? What am I doing
> > > > wrong?
> > > > Background: I want to use AARCH64 Fedora in a UEFI Secure Boot environment
> > > > with the pre-deployed keys from Microsoft.
> > > > Thanks, Udo
> > > >
> > > > AARCH64
> > > >
> > > > # uname -r
> > > > 6.15.10-200.fc42.aarch64
> > > > # sbverify --list /boot/efi/EFI/fedora/shimaa64.efi
> > > > warning: data remaining[830464 vs 971654]: gaps between PE/COFF sections?
> > > > warning: data remaining[830464 vs 971656]: gaps between PE/COFF sections?
> > > > No signature table present
> > > > # sbverify --list /boot/vmlinuz-6.15.10-200.fc42.aarch64
> > > > No signature table present
> > > > #
> > > >
> > > > X86_64
> > > >
> > > > # uname -r
> > > > 6.15.7-200.fc42.x86_64
> > > > root@ronin:~# sbverify --list /boot/efi/EFI/fedora/shimx64.efi
> > > > warning: data remaining[823272 vs 949424]: gaps between PE/COFF sections?
> > > > signature 1
> > > > image signature issuers:
> > > >  - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
> > > > image signature certificates:
> > > >  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
> > > >    issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
> > > >  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
> > > >    issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
> > > > # sbverify --list /boot/vmlinuz-6.15.9-201.fc42.x86_64
> > > > signature 1
> > > > image signature issuers:
> > > >  - /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora Secure Boot CA 20200709/CN=fedoraca
> > > > image signature certificates:
> > > >  - subject: /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora Secure Boot Signer/OU=bkernel01 kernel/CN=kernel-signer
> > > >    issuer: /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora Secure Boot CA 20200709/CN=fedoraca
> > > > #
> > > --
> > > _______________________________________________
> > > arm mailing list -- arm@xxxxxxxxxxxxxxxxxxxxxxx
> > > To unsubscribe send an email to arm-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: https://lists.fedoraproject.org/archives/list/arm@xxxxxxxxxxxxxxxxxxxxxxx
> > > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
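Udo's check in the quoted message relies on `sbverify --list`. As an added example (not code from the thread's authors or from the Fedora project), the script below does the underlying presence check itself: it parses the PE/COFF headers of an EFI binary and reports whether the IMAGE_DIRECTORY_ENTRY_SECURITY data directory points at an embedded Authenticode certificate table (a WIN_CERTIFICATE wrapping PKCS#7 signed data). An empty directory is the condition sbverify reports as "No signature table present", which is what the unsigned aarch64 shim and kernel above show. The script does not validate the signature or the chain back to the Microsoft or Fedora CA; `build_sample_pe` and the minimal image it constructs are assumptions added so the code can be exercised offline.

```python
"""Does this PE/COFF image carry an embedded Authenticode signature table?

Added example, not from the thread or the Fedora project. It reads only the
PE headers and the IMAGE_DIRECTORY_ENTRY_SECURITY data directory; it does
not verify the PKCS#7 signature or the certificate chain (use sbverify or
pesign for that). Usage: python3 pe_sig_check.py /boot/efi/EFI/fedora/shimaa64.efi
"""
import struct
import sys
from dataclasses import dataclass
from typing import Optional

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # index of the certificate table directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType for Authenticode PKCS#7
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


@dataclass
class PeSignatureInfo:
    signed: bool
    cert_table_offset: int = 0
    cert_table_size: int = 0
    cert_revision: Optional[int] = None
    cert_type: Optional[int] = None


def inspect_pe(data: bytes) -> PeSignatureInfo:
    """Locate the certificate table; 'signed' means a non-empty table is present."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (no MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32PLUS_MAGIC:        # 64-bit image (x86_64 and AArch64 EFI binaries)
        ndirs_off, dirs_off = 108, 112
    elif magic == PE32_MAGIC:
        ndirs_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if opt_size < ndirs_off + 4:
        return PeSignatureInfo(signed=False)  # truncated optional header: no directories at all
    (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return PeSignatureInfo(signed=False)
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    off, size = struct.unpack_from("<II", data, entry)
    if off == 0 or size == 0:
        return PeSignatureInfo(signed=False)  # sbverify: "No signature table present"
    # Unlike the other data directories, the security entry is a raw file offset, not an RVA.
    if size < 8 or off + size > len(data):
        raise ValueError("certificate table points outside the image")
    _length, revision, cert_type = struct.unpack_from("<IHH", data, off)  # WIN_CERTIFICATE header
    return PeSignatureInfo(True, off, size, revision, cert_type)


def build_sample_pe(signed: bool) -> bytes:
    """Constructed PE32+ image with no sections, optionally carrying a placeholder
    WIN_CERTIFICATE. Assumption for offline testing; not a real EFI binary."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 + 16 * 8                  # PE32+ fixed part + 16 data directories
    # COFF header: Machine=ARM64 (0xAA64), 0 sections, no symbols, IMAGE_FILE_EXECUTABLE_IMAGE
    coff_header = struct.pack("<HHIIIHH", 0xAA64, 0, 0, 0, 0, opt_size, 0x0002)
    headers_len = e_lfanew + 4 + 20 + opt_size
    cert_table = b""
    dirs = [(0, 0)] * 16
    if signed:
        payload = b"\x30\x03\x02\x01\x00"    # placeholder DER blob standing in for PKCS#7
        blob = struct.pack("<IHH", 8 + len(payload), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        cert_table = blob + b"\0" * (-len(blob) % 8)   # table entries are 8-byte aligned
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_len, len(cert_table))
    opt_header = (struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 106 + struct.pack("<I", 16)
                  + b"".join(struct.pack("<II", *d) for d in dirs))
    return dos_header + b"PE\0\0" + coff_header + opt_header + cert_table


def describe(path: str) -> str:
    with open(path, "rb") as f:
        info = inspect_pe(f.read())
    if not info.signed:
        return f"{path}: no signature table present"
    kind = ("PKCS#7 signed data" if info.cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA
            else f"certificate type {info.cert_type:#x}")
    return (f"{path}: certificate table at {info.cert_table_offset:#x}, "
            f"{info.cert_table_size} bytes ({kind})")


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(describe(p))
```

A present table only tells you the image is signed by someone; whether firmware will accept it still depends on the signer chaining to a certificate in `db` (the Microsoft UEFI CA for shim, or the Fedora CA that shim carries for GRUB and the kernel), which is what `sbverify --list` shows in the x86_64 output above and what a locally enrolled key would replace on aarch64 today.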