shim-signed (Microsoft-signed binary)

JeffF73

Post by JeffF73 »

shim-signed: Secure Boot chain-loading bootloader (Microsoft-signed binary)

I am running LMDE4. I had an update for shim-signed, which I had no idea was installed to begin with. I did some searching on it and there isn't much information out there that I can find, but what I have read is concerning.

shim is a trivial EFI application that, when run, attempts to open and execute another application. Per: https://launchpad.net/ubuntu/+source/shim-signed

I do not have secure boot enabled on my computers. I do have EFI boot partitions. My question is: do I need this installed? If not, how can it be removed/uninstalled? Thanks. (I have searched for it on the forums but not much comes up.)
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
rene

Re: shim-signed (Microsoft-signed binary)

Post by rene »

I don't know how things work out dependency-wise in LMDE, but certainly in an essential manner you could remove it --- although you needn't and shouldn't.

On the main Mint editions grub-install creates one UEFI boot entry for \EFI\UBUNTU\SHIMX64.EFI and, if secure boot is disabled, one for \EFI\UBUNTU\GRUBX64.EFI. The former is a copy of /usr/lib/shim/shimx64.efi.signed from the shim-signed package you are questioning. Given that LMDE installs shim-signed in the first place, I assume it does much the same; try sudo efibootmgr -v to see your UEFI boot entries.

Secure boot works by having the BIOS verify the signature on whatever it loads against the keys it pre-trusts. Given a Linux distribution's desire to boot out-of-the-box on any given PC, i.e., without needing the user to go into the UEFI setup to disable secure boot, let alone needing the user to enroll a key in the UEFI first, it wants its bootloader signed with the only key embedded by default in a regular PC UEFI: Microsoft's UEFI signing key.

Or that's to say... so as to keep from needing Grub, GRUBX64.EFI, itself signed --- and again on every single change and/or compile --- a two-step approach is taken in which a very simple, hence mostly static, SHIMX64.EFI, which does little other than in turn launch GRUBX64.EFI, is in fact signed by Microsoft. Certainly with said signing costing (some; $99 I believe) money, this is the friendly thing in a Linux environment where e.g. small distributions and/or hobbyists cannot or do not want to deal with signing themselves: they can just grab SHIMX64.EFI from one of their larger brethren.

But that's to say then that SHIMX64.EFI is not Microsoft code and is not "concerning"; it is no more than a small relay-bootloader to sidestep either users needing to go out of their way BIOS-side or distributions/hobbyists going out of theirs to have Microsoft sign the large, ever-changing Grub over and over. No need nor any upside to removing it.
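
Reading the output of the efibootmgr -v command suggested above, as an added example that is not part of the original thread: the script parses a constructed sample listing (GUIDs invented, paths following the \EFI\UBUNTU\... entries named in the reply) and reports whether the entry the firmware tries first goes through shim or loads GRUB directly. The function names are hypothetical.

```python
import re

# Constructed sample of `sudo efibootmgr -v` output (GUIDs are made up); the
# loader paths follow the \EFI\UBUNTU\... entries described in the reply above.
SAMPLE = r"""BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0001,0002,0000
Boot0000* UEFI Shell  VenMedia(00000000-0000-0000-0000-000000000000)
Boot0001* ubuntu  HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\EFI\UBUNTU\SHIMX64.EFI)
Boot0002* ubuntu  HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\EFI\UBUNTU\GRUBX64.EFI)
"""

ENTRY = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+(.*)$")  # BootNNNN[*] label + device path
FILE = re.compile(r"File\(([^)]*)\)")                      # loader path on the ESP


def parse(text):
    """Return (boot_order, entries) parsed from `efibootmgr -v` text."""
    order, entries = [], {}
    for line in text.splitlines():
        if line.startswith("BootOrder:"):
            order = [n.strip().upper() for n in line.split(":", 1)[1].split(",") if n.strip()]
            continue
        m = ENTRY.match(line)
        if not m:
            continue  # BootCurrent, Timeout and other header lines
        num, active, rest = m.groups()
        f = FILE.search(rest)
        path = f.group(1) if f else None
        name = path.rsplit("\\", 1)[-1].lower() if path else ""
        # "shim": signed relay loader that then starts GRUB; "grub": GRUB loaded directly
        kind = "shim" if name.startswith("shim") else "grub" if name.startswith("grub") else "other"
        entries[num.upper()] = {"active": active == "*", "path": path, "kind": kind}
    return order, entries


def default_entry(text):
    """First active entry in BootOrder, i.e. what the firmware tries first."""
    order, entries = parse(text)
    for num in order:
        if entries.get(num, {}).get("active"):
            return num, entries[num]
    return None


if __name__ == "__main__":
    print(default_entry(SAMPLE))
```

To check a real machine, pass the captured text of sudo efibootmgr -v to default_entry() in place of SAMPLE.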