[fedora-arm] Re: fedora with MS signed Secure Boot

On Sun, 7 Sep 2025, Chris Adams via arm wrote:

Once upon a time, Dennis Gilmore <dennis@xxxxxxxx> said:
Last I knew, we did not have hardware available to sign the
secure-boot binaries at build time for AArch64, so we have not gone
through the process to have Microsoft sign shim.  The way that it
works on x86_64 is that there are dedicated builders with smartcards
installed that have the keys for signing. pesign is used to do the
signing. In order to sign the binaries on AArch64 we would need some
builders set up the same way, and then we could sign grub, shim, and
kernel. Then we would have shim signed by Microsoft and included in
the shim-signed package. Today, the only way to enable secure boot is
to sign the binaries yourself and enroll and trust the keys in the
system.

What AArch64 hardware ships with SecureBoot and MS's keys in firmware?

I was trying to use it on KVM guests on an AArch64 host. So it was the AAVMF package providing the firmware. That has the famous "Microsoft Corporation Third Party Marketplace Root" key. Do you need more information?

Does that include a "third-party" key like on x86_64 (which wasn't
enabled by default for example in my newest Thinkpad)?  IIRC MS was
treating SecureBoot on AArch64 differently at one point, like I thought
they were only including a key for their own use.
