Gerd Hoffmann <[email protected]> writes: > Hi, > >> Does that mean that the Linux EFI boot code knows how to call back to >> shim to get the certificates instead of reading the firmware directly? > > No. The linux efi stub doesn't need that. > > shim.efi does: > > (a) Set efi variables, where the linux kernel can read the > certificates from. This works the same way for both traditional > kernels and UKIs. > > (b) provide an efi protocol for bootloaders, which can be called by grub > and systemd-boot to verify the signature for binaries they load > (typically the linux kernel, but could also be fwupd.efi).
Note, the protocol is also used by systemd-stub (the base for UKIs) to verify cmdline addons, see commit 05c9f9c2517c54b98d55f08f8afa67c79be861e8 Author: Luca Boccassi <[email protected]> Date: Fri May 12 00:55:58 2023 +0100 stub: allow loading and verifying cmdline addons this AFAIU means that we also need shim in the boot chain if we want to support these addons. -- Vitaly -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
