Created attachment 1891366 [details]
File system with several shim versions and third-party grub
Description of problem:
Fedora's shim up to version 15-8 allowed to load any third-party .efi file as long as its hash or signing certificate has been enrolled into moklist with bundled mokmanager (mmx64.efi).
Starting with shim-x64-15.4-1, shim no longer allows execution of third-party files with enrolled hashes or certificate, always showing security violation error regardless of moklist contents.
Version-Release number of selected component (if applicable):
shim-x64-15.4-1.x86_64, shim-x64-15.4-5.x86_64, shim-x64-15.6-1.x86_64
Steps to Reproduce:
Download the attached archive, it contains several shim+mokmanager versions along with third-party grubx64.efi and corresponding ENROLL_THIS_KEY_IN_MOKMANAGER.cer certificate.
1. Run qemu as provided in run_qemu.txt file inside the archive
2. Do that for every shim file system directory
Only shim-x64-15-8.x86_64 directory successfully loads third-party grub ("grub-rescue" prompt), all others fail with security violation screen, regardless whether the hash or the certificate is enrolled to the moklist.
All shim versions load third-party enrolled file.
This happens because grubx64.efi does not contain .sbat section, while newer shim versions require it, even for mok-listed files
HOWEVER, the file won't boot even when added as a hash, while shim states for db that it should be working that way:
> If a binary is enrolled in db by its hash rather than by certificate, the validation result is logged only, not enforced
So this is still a bug, I guess?