#1 2023-12-13 11:35:55

TheCheddarCheese
Member
From: Denmark
Registered: 2023-12-13
Posts: 6

Could shim secure boot work on other machines?

I have a USB install that I want to set up secure boot on, and the machine I want to boot it from has a BIOS password set so I can't access the settings. From what I've read, shim doesn't have to use the firmware keys to verify binaries, so does that mean I could set up secure boot that way and it would work?


i pretend to know what i'm doing


#2 2023-12-13 12:58:01

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 25,232

Re: Could shim secure boot work on other machines?

Generally, no. Otherwise the secureboot implementation would be beyond broken.


#3 2023-12-15 08:02:37

TheCheddarCheese
Member
From: Denmark
Registered: 2023-12-13
Posts: 6

Re: Could shim secure boot work on other machines?

alright, is there any other way to do it? or is it just impossible?


i pretend to know what i'm doing


#4 2023-12-15 08:38:35

nl6720
The Evil Wiki Admin
Registered: 2016-07-02
Posts: 714

Re: Could shim secure boot work on other machines?

It should work as long as it's not one of those "secured-core PCs" that only ships with the certificate that is used to sign the Windows Boot Manager and as long as the signed shim EFI binary is not blacklisted in the firmware's dbx.

You probably want "shim with key" from https://wiki.archlinux.org/title/Unifie … oot_loader. You'd need to enroll the MOK certificate on each new PC you boot the drive on, but that shouldn't be an issue as MokManager gets automatically launched when needed.
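
The dbx condition in the reply above can be checked ahead of time. The following is an added example, not part of the original post or of shim's code: it parses a dbx dump in the UEFI `EFI_SIGNATURE_LIST` layout and tests whether an image's Authenticode SHA-256 digest appears as a hash entry. The function names and all sample bytes are constructed for illustration, the digest is assumed to be computed separately, and certificate entries in dbx are parsed but not evaluated.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
HDR = 28  # SignatureType (16) + three little-endian UINT32 size fields


def parse_esl(blob):
    """Yield (type_guid, owner_guid, data) for every entry in a run of EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        pos, end = off + HDR + hdr_size, off + list_size
        if end > len(blob) or pos > end or sig_size <= 16 or (end - pos) % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        for p in range(pos, end, sig_size):
            yield sig_type, uuid.UUID(bytes_le=blob[p:p + 16]), blob[p + 16:p + sig_size]
        off = end


def hash_revoked(dbx_blob, authenticode_sha256):
    """True if the image's Authenticode SHA-256 digest is listed as a dbx hash entry."""
    return any(t == EFI_CERT_SHA256_GUID and d == authenticode_sha256
               for t, _, d in parse_esl(dbx_blob))


def build_esl(sig_type, owner, items):
    """Serialise one EFI_SIGNATURE_LIST; used only to construct the sample below."""
    body = b"".join(owner.bytes_le + i for i in items)
    return sig_type.bytes_le + struct.pack("<III", HDR + len(body), 0, 16 + len(items[0])) + body


# Constructed sample data: a made-up owner GUID, two dummy digests, one dummy "certificate".
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
REVOKED, CLEAN = bytes([0xAA]) * 32, bytes([0xBB]) * 32
SAMPLE_DBX = (build_esl(EFI_CERT_SHA256_GUID, OWNER, [REVOKED, bytes([0xCC]) * 32])
              + build_esl(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82dummy-der"]))

if __name__ == "__main__":
    print("revoked digest listed:", hash_revoked(SAMPLE_DBX, REVOKED))
    print("clean digest listed:", hash_revoked(SAMPLE_DBX, CLEAN))
```

On Linux the live variable is exposed as `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f`; the first 4 bytes of that file are the variable attributes and must be stripped before passing the rest to `parse_esl`.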
