Created attachment 1891366 [details] File system with several shim versions and third-party grub Description of problem: Fedora's shim up to version 15-8 allowed to load any third-party .efi file as long as its hash or signing certificate has been enrolled into moklist with bundled mokmanager (mmx64.efi). Starting with shim-x64-15.4-1, shim no longer allows execution of third-party files with enrolled hashes or certificate, always showing security violation error regardless of moklist contents. Version-Release number of selected component (if applicable): shim-x64-15.4-1.x86_64, shim-x64-15.4-5.x86_64, shim-x64-15.6-1.x86_64 How reproducible: Every time. Steps to Reproduce: Download the attached archive, it contains several shim+mokmanager versions along with third-party grubx64.efi and corresponding ENROLL_THIS_KEY_IN_MOKMANAGER.cer certificate. 1. Run qemu as provided in run_qemu.txt file inside the archive 2. Do that for every shim file system directory Actual results: Only shim-x64-15-8.x86_64 directory successfully loads third-party grub ("grub-rescue" prompt), all others fail with security violation screen, regardless whether the hash or the certificate is enrolled to the moklist. Expected results: All shim versions load third-party enrolled file.
This happens because grubx64.efi does not contain .sbat section, while newer shim versions require it, even for mok-listed files HOWEVER, the file won't boot even when added as a hash, while shim states for db that it should be working that way: > If a binary is enrolled in db by its hash rather than by certificate, the validation result is logged only, not enforced So this is still a bug, I guess?