On Mon, Feb 19, 2018 at 3:13 PM, Stephen Morris samorris@netspace.net.au wrote:
I thought that with SB all your drivers etc. had to be signed to be able to boot from a SecureBoot system, and as such Fedora were using Microsoft certificates, whereas Ubuntu was going down the path of self-signing. Given what you said around the /usr/lib/grub/x86_64-efi-signed directory, which doesn't exist on my system, and if I understood you correctly doesn't exist in Fedora anyway, where are Fedora's certificates, and, if I enable SecureBoot in my BIOS do I have to also load the default certificates that the BIOS offers?
Ubuntu's using an MS sig. The difference between Fedora and Ubuntu is that the latter doesn't require that kernel modules be signed.
The "/usr/lib/grub/x86_64-efi-signed/" is an Ubuntu directory. So the signed grub EFI executable is in "/boot/efi/EFI/ubuntu/" and "/usr/lib/grub/x86_64-efi-signed/". Fedora only ships the grub EFI executable in "/boot/efi/EFI/fedora/". So, if you run "grub-install" it's recreated and unsigned (I assume!).
AFAIK, "shim" is signed by MS (and is validated by an MS-supplied and -signed "thingy" in the firmware) and it embeds the Fedora sig with which grub, the kernel, and the kernel modules are signed and validated.
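The practical worry behind the reply above is the `grub-install` case: if the EFI executable in `/boot/efi/EFI/<distro>/` gets regenerated unsigned, shim will refuse it once Secure Boot is on. The script below is an added example, not code from the thread or from either distribution; it does two defender-side checks offline. First, it reads the Secure Boot state the way the kernel exposes it through efivarfs (a 4-byte attribute word followed by the one-byte variable value). Second, it parses a PE/COFF header and reports whether the Certificate Table data directory (index 4) points at a WIN_CERTIFICATE entry of the PKCS#7 Authenticode type, which is what `sbverify`/`pesign` look at before doing any cryptographic checking. The sample PE images and the efivar blob are constructed in the script so it runs without touching the real `/boot/efi`; the `build_sample_pe` helper and the placeholder signature bytes are assumptions for demonstration only.

```python
"""Check Secure Boot state and whether an EFI binary carries an Authenticode
signature table. Added example; not part of the mailing-list thread."""
import struct
import sys

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SECURITY_DIRECTORY_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

# efivarfs path of the SecureBoot variable (EFI_GLOBAL_VARIABLE_GUID).
SECUREBOOT_EFIVAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"


def secure_boot_enabled(efivar_blob: bytes) -> bool:
    """efivarfs files are 4 bytes of attributes followed by the variable data;
    SecureBoot's data is a single byte, 1 when enforcement is on."""
    if len(efivar_blob) < 5:
        raise ValueError("efivar blob too short")
    return efivar_blob[4] == 1


def certificate_table(pe: bytes) -> tuple:
    """Return (file_offset, size) of the Certificate Table directory entry,
    or (0, 0) when the image has no such entry."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32PLUS_MAGIC:
        count_off, dirs_off = 108, 112
    elif magic == PE32_MAGIC:
        count_off, dirs_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", pe, opt + count_off)[0]
    entry = dirs_off + 8 * SECURITY_DIRECTORY_INDEX
    if ndirs <= SECURITY_DIRECTORY_INDEX or size_opt < entry + 8:
        return (0, 0)
    # Unlike other directories, the security entry holds a raw file offset.
    return struct.unpack_from("<II", pe, opt + entry)


def has_authenticode_signature(pe: bytes) -> bool:
    """True when the image carries a PKCS#7 WIN_CERTIFICATE; this only says a
    signature table is present, it does not validate the signature."""
    off, size = certificate_table(pe)
    if size < 8 or off + size > len(pe):
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 < length <= size


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image for the demo (not a real bootloader)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 112 + 16 * 8
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)   # NumberOfRvaAndSizes
    body = bytearray((dos + b"PE\0\0" + coff + bytes(opt)).ljust(0x400, b"\0"))
    if not signed:
        return bytes(body)
    fake_pkcs7 = b"\x30\x82\x00\x10" + b"\0" * 16   # placeholder, not real DER
    cert = struct.pack("<IHH", 8 + len(fake_pkcs7), 0x0200,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + fake_pkcs7
    cert = cert.ljust((len(cert) + 7) // 8 * 8, b"\0")   # 8-byte aligned
    dir_off = e_lfanew + 24 + 112 + 8 * SECURITY_DIRECTORY_INDEX
    struct.pack_into("<II", body, dir_off, len(body), len(cert))
    return bytes(body) + cert


if __name__ == "__main__":
    # Constructed efivar content: attributes 0x06, value 1 (enabled).
    print("sample efivar says Secure Boot on:", secure_boot_enabled(b"\x06\x00\x00\x00\x01"))
    for label, img in (("unsigned sample", build_sample_pe(False)),
                       ("signed sample", build_sample_pe(True))):
        print(label, "has signature table:", has_authenticode_signature(img))
    # Real files, e.g. /boot/efi/EFI/fedora/grubx64.efi, may be passed as args.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "has signature table:", has_authenticode_signature(fh.read()))
```

Run with no arguments for the built-in samples, or pass the EFI binaries under `/boot/efi/EFI/` to see which ones would be rejected by shim after a `grub-install`; a present table still needs `sbverify --cert` against the distribution's certificate to confirm it chains to the key shim embeds.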