[fedora-arm] Re: fedora with MS signed Secure Boot


On Mon, 8 Sep 2025, Kevin Fenzi wrote:

> On Sun, Sep 07, 2025 at 07:28:38PM -0500, Dennis Gilmore via arm wrote:
>> Last I knew, we did not have hardware available to sign the
>> secure-boot binaries at build time for AArch64. So we have not gone
>> ...
>> to sign the binaries yourself and enroll and trust the keys in the
>> system.
>
> Yep. Additionally, there is some progress on this. We have a new
> hardware setup (that we have not yet switched to) that should allow us
> to sign on aarch64. It uses a small application to gateway that signing
> request back to our sign vault which signs it. Switching to that is on
> my list, currently 2 places from the top. I'm hoping to get that done
> after Beta goes out and we are out of beta freeze.
>
> There's also a new shim version coming up, and hopefully we can get that
> signed by MS at the same time they do so for x86.
>
> Additionally, there were also some issues with the fedora kernel and
> its secure-boot lockdown patch that didn't work right, but I think
> that's since been fixed. Also, it breaks kexec, and I am not sure where
> that is at, but it's not a blocker I don't think.
>
> So anyhow, slow (sometimes very slow) progress is being made.

Ah .. lots of good news. Good to know what is going on behind the scenes and why things are where they are at the moment. On top of the KVM guests I can also test that - once it is out - on Raspberry Pi 3/4 where it is possible to chainload UEFI by u-boot.
  https://github.com/useidel/uefiboot4rpi

Cheers,
Udo
