-
Notifications
You must be signed in to change notification settings - Fork 293
Home
See the Main README for more details about shim itself, and direct technical details of how it works and what it does.
The current release of shim is version 15.7, published November 16 2022.
Shim is a key component for most Linux distributions wanting to support UEFI Secure Boot. In this case, shim will normally be configured to load and execute GRUB as the bootloader for the platform; GRUB will then load a Linux kernel image and an initramfs and boot as normal.
Another group of users are vendors of tools which are desired to work on most commodity PCs. Some of these users will configure shim to use GRUB (as above); others will instead use a different loader or load and run some other software image directly.
In all of these cases, shim provides one service: it extends trust from the keys known by the computer's firmware (typically Microsoft's keys) to a new set of keys controlled by the operating system vendor. From there, the vendor can sign their own software (GRUB, Linux, other images) and include them in the Secure Boot chain.
If you want shim to work for your use case, you'll need to build shim and get it signed appropriately. If you want that to work on most PCs, you'll need to get it signed by Microsoft. Check Microsoft's signing policies for all their specific requirements. You'll need to set up an account with Microsoft and work through a process to be able to submit a shim for signing.
A key part of this is devolved to the shim development community (#12 in the doc): a shim build must be reviewed by some of the shim developers before Microsoft will accept it for signing.
The following documents should help you work through the shim process.