On Wed, Jul 27, 2022, at 4:27 PM, Vitaly Zaitsev via devel wrote:
> On 27/07/2022 22:19, Chris Murphy wrote:
>> * $BOOT is supposed to be readable by all distros that share $BOOT
> It will. efifs will be installed to the ESP partition.
>> * efifs drivers must be signed in order to be loaded on UEFI Secure Boot enabled systems
> True. But I think Fedora can sign drivers from the efifs package with its own keys.
>> * shim is distro specific, and is what provides the key for efifs as well as the 2nd stage bootloader
> I prefer no shim in my computers. I'm using systemd-boot signed by my own CA.

That is not a generic solution we can ship in Fedora. Since each distro ships their own
shim, they'd each have to ship their own signed efifs in order to read the shared
non-FAT $BOOT. It's too high a barrier to adoption.
--
Chris Murphy