| Summary: | sys-boot/shim secureboot.eclass doesn't sign the shim iteself | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Mark Liman <mark> |
| Component: | Current packages | Assignee: | Rick Farina (Zero_Chaos) <zerochaos> |
| Status: | UNCONFIRMED --- | ||
| Severity: | trivial | ||
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
The secureboot_auto_sign --in-place function that is part of the shim ebuild doesn't sign the sign the shim itself, it only signs the mmx64.efi file due to the shim being named BOOTX64.EFI in uppercase it gets missed by the function find "${ED}" -type f \ \( -iname '*.efi' -o -iname '*.efi32' -o -iname '*.efi64' \) \ -print0 || die as it only searches for lowercase named files, this may be intended behavior however, if you want to use the shim with your own secure boot keys your alternatives are building the shim from source, where ironically the secureboot_auto_sign function will work because the source build output is lowercase named, or manually signing which seems like an unnecessary extra step.