UEFI: Difference between revisions

595 bytes added ,  3 years ago
m
added shim description
[unchecked revision][unchecked revision]
(→‎Developing with GNU-EFI: Mention that callbacks need to use the right ABI, not just main)
m (added shim description)
Line 80:
 
Not all UEFI firmwares support Secure Boot, although it is a requirement for Windows 10. Some UEFI firmwares support Secure Boot and do not allow it to be disabled, which poses a problem for independent developers that do not have access to the PK or any of the keys in the KEK, and therefore can't install their own key or application signature or hash to the whitelist database. Independent developers should develop on systems that either do not support Secure Boot or allow Secure Boot to be turned off.
 
An easy way out to use a loader that is signed by Microsoft, and allows you to load another binary signed by a key and certificate owned by you (called MOK, Machine Owner's Key). Such a loader is [https://github.com/rhboot/shim shim], used by RedHat, Fedora, Suse, Ubuntu, Arch and many other distros to load GRUB. The filename of the EFI executable is hardwired in shim, but if you rename your loader to GRUBX64.EFI (or GRUBIA32.EFI), you sign it with your MOK key and certificate using [https://github.com/imedias/sbsigntool sbsigntool], then you can load any loader in Secure Boot you want.
 
===How to use UEFI===
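Review bot: The added shim paragraph says to sign the renamed loader "with your MOK key and certificate" but never says how shim comes to trust that key, so the closing claim "then you can load any loader in Secure Boot you want" is missing a step. Add a sentence stating that the MOK certificate has to be enrolled on the machine before shim will accept binaries signed with it. It is also worth noting that once the key is enrolled, anything signed with it will boot under Secure Boot, so the private key needs protecting. Two wording points in the same paragraph: the first sentence lacks a verb ("An easy way out to use a loader" should read "An easy way out is to use a loader"), and the usual expansion of MOK is "Machine Owner Key" rather than "Machine Owner's Key".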
Anonymous user