Jeremy Linton wrote:
This is IMHO a mistake, the systemd-boot and UKI paths are the perfect time to break with shim and require some form of actual fedora/whatever secure boot key enrollment on the machine. Shim's fundamentally backdooring the UEFI security infrastructure, and frankly some of what is being done is pretty sketchy and its somewhat amazing it hasn't broken by vendors cleaning up their UEFI implementations*. Furthermore, the dependency on MS signing shim is also strongly in the pragmatic but not idea category as well.
How about we just use LogoFAIL to bypass Restricted Boot entirely without bothering with signatures at all?
Kevin Kofler