RHEL-81188

get RHEL-10 shim signed for Secure Boot (x86 and aarch)


    • Bug
    • Resolution: Done-Errata
    • Blocker
    • rhel-10.1
    • rhel-10.0
    • shim
    • shim-16.1-3.el10_1
    • No
    • Critical
    • rhel-bootloader
    • ssg_core_services
    • 31
    • 32
    • 5
    • False
    • False
    • Yes
    • None
    • Approved Blocker
    • Enhancement
    • .Secure boot `shim` signing for RHEL 10 on `x86_64` and `aarch64`

      RHEL 10 requires a signed `shim` binary to enable secure boot on AMD and Intel 64-bit architectures and on the 64-bit ARM architecture. Without a signed and trusted `shim`, systems with enforced secure boot did not boot, which affected both enterprise and cloud deployments.

      With this release, the `shim` package was signed and updated for `x86_64` and `aarch64`. On `x86_64`, `shim` is signed by Microsoft Windows UEFI Driver Publisher and includes Red Hat Secure Boot CA 5 and CA 8 in the vendor database. On `aarch64`, `shim` is signed by Microsoft UEFI CA 2023 and includes Red Hat Secure Boot CA 8. The SBAT entries were updated to the latest levels.

      As a result, RHEL boots with the secure boot feature enabled. Additionally, the fallback works properly, and all other bootloader components are correctly signed.
    • Done
    • Done
    • Unspecified
    • Done
    • aarch64
    • None

      What were you trying to do that didn't work?

      What is the impact of this issue to you?

      Please provide the package NVR for which the bug is seen:

      How reproducible is this bug?:

      Steps to reproduce

      Expected results

      Actual results

              bootloader-eng-team
              rhn-support-mlewando Marta Lewandowska
              Mirek Jahoda
              bootloader-eng-team
              Release Test Team
              Malhar Jivrajani
              Votes: 0
              Watchers: 8

                Created:
                Updated:
                Resolved: