Hi,

Last I knew, we did not have hardware available to sign the secure-boot binaries at build time for AArch64, so we have not gone through the process to have Microsoft sign shim. The way that it works on x86_64 is that there are dedicated builders with smartcards installed that have the keys for signing. pesign is used to do the signing. In order to sign the binaries on AArch64 we would need some builders set up the same way, and then we could sign grub, shim, and kernel. Then we would have shim signed by Microsoft and included in the shim-signed package. Today, the only way to enable secure boot is to sign the binaries yourself and enroll and trust the keys in the system.

Dennis

On Sun, Sep 7, 2025 at 4:40 AM Udo Seidel via arm <arm@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Hi there,
> any hints on this topic?
> Cheers, Udo
>
> On Sun, 31 Aug 2025, Udo Seidel wrote:
>
> > Dear all,
> > I failed to find the answer myself. :-(
> > It seems to me that the AARCH64 version of Fedora is not enabled for UEFI
> > Secure Boot like the x86_64 version. I.e., the shim EFI binary is not signed
> > and neither is the kernel (see below). What am I missing? What am I doing
> > wrong?
> > Background: I want to use AARCH64 Fedora in a UEFI Secure Boot environment
> > with the pre-deployed keys from Microsoft.
> > Thanks, Udo
> >
> > AARCH64
> >
> > # uname -r
> > 6.15.10-200.fc42.aarch64
> > # sbverify --list /boot/efi/EFI/fedora/shimaa64.efi
> > warning: data remaining[830464 vs 971654]: gaps between PE/COFF sections?
> > warning: data remaining[830464 vs 971656]: gaps between PE/COFF sections?
> > No signature table present
> > # sbverify --list /boot/vmlinuz-6.15.10-200.fc42.aarch64
> > No signature table present
> > #
> >
> > X86_64
> >
> > # uname -r
> > 6.15.7-200.fc42.x86_64
> > root@ronin:~# sbverify --list /boot/efi/EFI/fedora/shimx64.efi
> > warning: data remaining[823272 vs 949424]: gaps between PE/COFF sections?
> > signature 1
> > image signature issuers:
> >  - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft
> > Corporation UEFI CA 2011
> > image signature certificates:
> >  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft
> > Corporation/CN=Microsoft Windows UEFI Driver Publisher
> >    issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft
> > Corporation/CN=Microsoft Corporation UEFI CA 2011
> >  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft
> > Corporation/CN=Microsoft Corporation UEFI CA 2011
> >    issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft
> > Corporation/CN=Microsoft Corporation Third Party Marketplace Root
> > # sbverify --list /boot/vmlinuz-6.15.9-201.fc42.x86_64
> > signature 1
> > image signature issuers:
> >  - /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora Secure Boot
> > CA 20200709/CN=fedoraca
> > image signature certificates:
> >  - subject: /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora
> > Secure Boot Signer/OU=bkernel01 kernel/CN=kernel-signer
> >    issuer: /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora
> > Secure Boot CA 20200709/CN=fedoraca
> > #
> >
> --
> _______________________________________________
> arm mailing list -- arm@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to arm-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/arm@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue