Thanks for your feedback
On Mon, 8 Sep 2025, Chris Adams via arm wrote:
Once upon a time, Udo Seidel <udoseidel@xxxxxx> said:
I was trying to use it on KVM guests on a AArch64 host. So it was
the AAVMF package providing the firmware. Thas the famouse
"Microsoft Corporation Third Party Marketplace Root" key. Do you
need more information?
My point is that if there's no hardware shipping with that cert, and
especially if that's not what MS considers the intended use of that cert
(because at one point their rules were different between x86_64 and
AArch64), they may not sign any code for that use. Even if Fedora did
have the setup for signing the AArch64 pieces, MS may not sign shim.
Understood.
I can say that MS has signed shims for other AArch64 distributions. I
tested Debian, Rocky Linux, Oracles OEL and SUSEs SLES as well as
openSUSE. BTW, the RHEL shim is only signed by Red Hat and not co-signed
by Microsoft.
I figure now that the other Linux providers have set up those dedicated
builders as described earlier in this thread and they want through the MS
signing process.
If you need Secure Boot in your VMs, you'll probably have to add your
own cert and do the signing yourself.
Understood.
--
_______________________________________________
arm mailing list -- arm@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to arm-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/arm@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
