MJG's signed Shim for UEFI Secure Boot available


Post by srs5694 on Sat Dec 01, 2012 2:12 pm

There have been a number of threads recently about Secure Boot, so I thought I'd call attention to the following:


This is Matthew J. Garrett's blog post in which he announces the availability of a signed version of his Shim boot loader. For those not already familiar with it, Shim is a way to launch boot loaders signed by you or by third parties in a Secure Boot environment. Shim itself is signed by Microsoft (via a convoluted process you needn't be concerned with), so a UEFI system with Secure Boot active in its default configuration will launch Shim. Shim then implements its own security measures to launch only boot loaders that are signed using keys that you control.

Ultimately, distributions can incorporate versions of Shim that they sign to make booting on Secure Boot systems work as transparently as on non-Secure Boot systems. Right now, you can use Shim to boot on a Secure Boot system by adding your own signing key and signing your boot loader yourself. The process is described in outline on MJG's blog. (I've not yet tried it in this configuration, so I can't elaborate.)

This is still a bit awkward, but it will improve once Mint incorporates their own version of Shim (assuming they do so; I don't know what their plans are). In the meantime, this new binary provides an additional option for booting in Secure Boot that's more secure than disabling Secure Boot and less awkward than setting up your own Secure Boot signing keys.