On 02/19/2018 12:13 PM, Stephen Morris wrote:
> I thought that with SB all your drivers etc had to be signed to be able
> to boot from a SecureBoot system, and as such Fedora were using
> Microsoft certificates, whereas Ubuntu was going down the path of self
> signing. Given what you said around the /usr/lib/grub/x86_64-efi-signed
> directory, which doesn't exist on my system, and if I understood you
> correctly doesn't exist in Fedora anyway, where are Fedora's
> certificates, and, if I enable SecureBoot in my BIOS do I have to also
> load the default certificates that the BIOS offers?

Each OS has to get their bootloader to be signed by Microsoft's
certificate for the BIOS to accept it. It is usually possible to add
your own certificate to the BIOS store, but that is a somewhat
convoluted process that most users would not want to try going through.
Fedora's signed bootloader shim is in the shim-x64 package and the EFI
grub executables are in the grub2-efi-x64 package.