On Sun, Sep 07, 2025 at 07:28:38PM -0500, Dennis Gilmore via arm wrote:
> Hi,
>
> Last I knew, we did not have hardware available to sign the
> secure-boot binaries at build time for AArch64, so we have not gone
> through the process to have Microsoft sign shim. The way that it
> works on x86_64 is that there are dedicated builders with smartcards
> installed that have the keys for signing. pesign is used to do the
> signing. In order to sign the binaries on AArch64 we would need some
> builders set up the same way, and then we could sign grub, shim, and
> kernel. Then we would have shim signed by Microsoft and included in
> the shim-signed package. Today, the only way to enable secure boot is
> to sign the binaries yourself and enroll and trust the keys in the
> system.

Yep. Additionally, there is some progress on this. We have a new
hardware setup (that we have not yet switched to) that should allow us
to sign on aarch64. It uses a small application to gateway that signing
request back to our sign vault, which signs it. Switching to that is on
my list, currently 2 places from the top. I'm hoping to get that done
after Beta goes out and we are out of beta freeze.

There's also a new shim version coming up, and hopefully we can get
that signed by MS at the same time they do so for x86.

Additionally, there were also some issues with the Fedora kernel and
its secure-boot lockdown patch that didn't work right, but I think
that's since been fixed. Also, it breaks kexec, and I am not sure where
that is at, but it's not a blocker, I don't think.

So anyhow, slow (sometimes very slow) progress is being made.

>
> Dennis
>
> On Sun, Sep 7, 2025 at 4:40 AM Udo Seidel via arm
> <arm@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > Hi there,
> >
> > any hints on this topic?
> >
> > Cheers, Udo
> >
> > On Sun, 31 Aug 2025, Udo Seidel wrote:
> > >
> > > Dear all,
> > >
> > > I failed to find the answer myself. :-(
> > > It seems to me that the AARCH64 version of Fedora is not enabled for UEFI
> > > Secure Boot like the x86_64 version. I.e., the shim EFI binary is not signed
> > > and neither is the kernel (see below). What am I missing? What am I doing
> > > wrong?
> > > Background: I want to use AARCH64 Fedora in a UEFI Secure Boot environment
> > > with the pre-deployed keys from Microsoft.
> > > Thanks, Udo
> > >
> > > AARCH64
> > >
> > > # uname -r
> > > 6.15.10-200.fc42.aarch64
> > > # sbverify --list /boot/efi/EFI/fedora/shimaa64.efi
> > > warning: data remaining[830464 vs 971654]: gaps between PE/COFF sections?
> > > warning: data remaining[830464 vs 971656]: gaps between PE/COFF sections?
> > > No signature table present
> > > # sbverify --list /boot/vmlinuz-6.15.10-200.fc42.aarch64
> > > No signature table present
> > > #
> > >
> > > X86_64
> > >
> > > # uname -r
> > > 6.15.7-200.fc42.x86_64
> > > root@ronin:~# sbverify --list /boot/efi/EFI/fedora/shimx64.efi
> > > warning: data remaining[823272 vs 949424]: gaps between PE/COFF sections?
> > > signature 1
> > > image signature issuers:
> > >  - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
> > > image signature certificates:
> > >  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
> > >    issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
> > >  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
> > >    issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
> > > # sbverify --list /boot/vmlinuz-6.15.9-201.fc42.x86_64
> > > signature 1
> > > image signature issuers:
> > >  - /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora Secure Boot CA 20200709/CN=fedoraca
> > > image signature certificates:
> > >  - subject: /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora Secure Boot Signer/OU=bkernel01 kernel/CN=kernel-signer
> > >    issuer: /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora Secure Boot CA 20200709/CN=fedoraca
> > > #
> > >
> > --
> > _______________________________________________
> > arm mailing list -- arm@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to arm-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/arm@xxxxxxxxxxxxxxxxxxxxxxx
> > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
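As an added example, not code from this thread or from Fedora, pesign or sbsigntools: the "No signature table present" result Udo shows for the aarch64 shim and kernel comes from the PE/COFF Security data directory (index 4) being empty, because that directory is where Authenticode signatures are attached to an EFI binary. The small parser below reads that directory the way `sbverify --list` does before it can print any issuers. The two PE images are constructed inside the block and carry a placeholder blob rather than a real PKCS#7 signature; all function and constant names are the example's own.

```python
import struct
from typing import Optional

# PE/COFF constants from the published PE specification.
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_ARM64 = 0xAA64
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # the Authenticode "certificate table"
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # bCertificate is a PKCS#7 SignedData blob

MACHINE_NAMES = {IMAGE_FILE_MACHINE_AMD64: "x86_64", IMAGE_FILE_MACHINE_ARM64: "aarch64"}


def list_signatures(pe: bytes) -> dict:
    """Return the machine type and the WIN_CERTIFICATE entries of a PE image.

    An empty "signatures" list is what sbverify reports as
    "No signature table present". Presence of an entry only means a blob is
    attached; whether it chains to a key in the firmware's db is a separate
    check (sbverify --cert, or the firmware itself at boot).
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symp, _nsym, _opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        dirs = opt + 112            # PE32+: data directories start at offset 112
    elif magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        dirs = opt + 96             # PE32: data directories start at offset 96
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (num_dirs,) = struct.unpack_from("<I", pe, dirs - 4)   # NumberOfRvaAndSizes
    result = {"machine": MACHINE_NAMES.get(machine, f"0x{machine:04x}"), "signatures": []}
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return result
    # Unlike every other directory, the Security entry holds a file offset, not an RVA.
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_off == 0 or sec_size == 0:
        return result
    end = sec_off + sec_size
    if end > len(pe):
        raise ValueError("certificate table runs past end of file")
    pos = sec_off
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        result["signatures"].append({
            "revision": revision,
            "type": cert_type,
            "blob": pe[pos + 8:pos + length],
        })
        pos += (length + 7) & ~7        # entries are padded to 8-byte alignment
    return result


def describe(pe: bytes) -> str:
    """Report the table in the shape of `sbverify --list` (without X.509 parsing)."""
    info = list_signatures(pe)
    if not info["signatures"]:
        return "No signature table present"
    return "\n".join(f"signature {i + 1} ({len(s['blob'])} bytes, type 0x{s['type']:04x})"
                     for i, s in enumerate(info["signatures"]))


def build_sample_pe(machine: int, cert_blob: Optional[bytes]) -> bytes:
    """Construct a minimal PE32+ header for demonstration (not a bootable image).

    If cert_blob is given it is wrapped in a WIN_CERTIFICATE and appended,
    which is how sbsign and pesign attach a real PKCS#7 signature.
    """
    opt_size = 240                          # PE32+ optional header incl. 16 data directories
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                         # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, machine, 0, 0, 0, 0, opt_size, 0x22)
    opt = 0x44 + 20
    struct.pack_into("<H", img, opt, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<I", img, opt + 108, 16)                      # NumberOfRvaAndSizes
    if cert_blob is not None:
        entry = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        entry += b"\0" * (-len(entry) % 8)
        struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(img), len(entry))
        img += entry
    return bytes(img)


# Constructed samples: an unsigned aarch64-style image and an x86_64-style one
# carrying a placeholder blob (a real table holds DER-encoded PKCS#7 SignedData).
UNSIGNED_AARCH64 = build_sample_pe(IMAGE_FILE_MACHINE_ARM64, None)
SIGNED_X86_64 = build_sample_pe(IMAGE_FILE_MACHINE_AMD64, b"placeholder, not a real PKCS#7 blob")

if __name__ == "__main__":
    for name, img in (("sample shimaa64.efi", UNSIGNED_AARCH64), ("sample shimx64.efi", SIGNED_X86_64)):
        print(f"{name} [{list_signatures(img)['machine']}]\n{describe(img)}")
```

Run against a real file with `list_signatures(open("/boot/efi/EFI/fedora/shimaa64.efi", "rb").read())`. Self-signing shim and the kernel, as Dennis describes, adds exactly such an entry; the firmware still rejects the image unless the signing certificate (or its hash) has been enrolled in db, and the "gaps between PE/COFF sections" warnings in the thread are sbverify's note that the Authenticode hash must skip bytes not covered by any section.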