| multi-signed shim test day | |
|---|---|
| |
| Date | 2026-01-12 to 2026-01-16 |
| Time | all week |
| Website | QA/Test Days |
| Matrix | #test-day:fedoraproject.org(other clients|?) |
| Mailing list | test |
If you come to this page after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find, and add your results to the results section. If this page is more than a month old when you arrive here, please check the current schedule and see if a similar but more recent Test Day is planned or has already happened.
What to test?[edit]
This Test Day will focus on booting shims that are signed by different Microsoft certificates.
UEFI Secure Boot is a chain of trust that originates in firmware, goes through the boot loaders, and to the kernel and kernel modules, ensuring that only signed, trusted components are loaded and malicious code is not executed. It is realized using asymmetric cryptography such that private keys are used to sign executable programs and public certificates are used to verify proper signatures. Microsoft acts as the Signing Authority, signing a primitive boot loader, called the shim, whose purpose is to verify and load further trusted components.
In June 2026, Microsoft will no longer be signing shim with the 2011 key, which is the key they have always used. As a result, firmware is being updated to also include the new 2023 certificate, and shim is currently being signed with both the 2011 and the 2023 keys.
The point of the test days is to find out how various hardware and firmware will deal with a shim that is signed with multiple signatures in order to make this transition as smooth as possible.
Who's available[edit]
The following cast of characters will be available testing, workarounds, bug fixes, and general discussion:
- Development - Peter Jones (pjones), Nicolas Frayer (@nfrayer:fedora.im), Marta Lewandowska (@marta-lewandowska:matrix.org)
- Quality - Lukáš Růžička (lruzicka), Kamil Paral (kparal), Adam Williamson (adamw), Petr Sklenář (psklenar), Jaroslav Groman (jgroman)
You can chat with us on Matrix. See the infobox on top of the page to learn where to join.
Prerequisite for Test Day[edit]
- A virtual machine or [preferably] a bare metal machine on which you are able and willing to toggle the Secure Boot state. Secure Boot needs to be enabled for test results to be relevant. (Use a test machine if possible.)
- There are two ways to test, so choose whichever one seems simplest or most comfortable.
- Fresh boot test: If you don't have fedora installed or you don't want to install additional packages, you can download these installer images, write them to a USB stick and try to boot each one:
- signed by the 2023 key only: Fedora-Server-netinst-x86_64-43-1.6.msft2023.img
- signed first by the 2011 and then by the 2023 key: Fedora-Server-netinst-x86_64-43-1.6.msft2011.msft2023.img
- signed first by the 2023 and then by the 2011 key: Fedora-Server-netinst-x86_64-43-1.6.msft2023.msft2011.img
- Boot from rpm: If you have a recent fedora installed, you can install the following rpms and try to boot each of them:
- signed by the 2023 key only: shimx64.msft2023-1-1.x86_64.rpm
- signed first by the 2011 and then by the 2023 key: shimx64.msft2011.msft2023-1-1.x86_64.rpm
- signed first by the 2023 and then by the 2011 key: shimx64.msft2023.msft2011-1-1.x86_64.rpm
- Fresh boot test: If you don't have fedora installed or you don't want to install additional packages, you can download these installer images, write them to a USB stick and try to boot each one:
How to test?[edit]
Visit the results page and click on the column title links to see the tests that need to be run: most column titles are links to a specific test case. Follow the instructions there, then enter your results by clicking the ➕ (plus) button for that test case.
Please also try to experiment and explore and perform tasks not mentioned in any of the pre-defined test cases.
Test cases[edit]
Make sure you've read the prerequisites section.
There are two possible ways to test. Please choose the method that is most comfortable for you. In both cases, please make sure that Secure Boot is enabled and make sure the option Allow Microsoft 3rd Party UEFI CA is enabled if present.
Fresh boot test[edit]
- Download each installation image, write it to a USB stick and try to boot your machine
- If you see the GRUB menu, the test succeeded.
- If you don't see the GRUB menu and instead see a Security Violation, the test has failed.
- Enter the results of each test on the results page.
- Boot to your installed OS
- Download and run show-trusted.sh:
bash show-trusted.sh - Install lshw:
sudo dnf install -y lshw - Run
sudo lshw -short - Post the results of the above commands to pastebin with Paste Expiration set to Never. Copy the final URL to the Comments column on the results page.
- Download and run show-trusted.sh:
Boot from rpm[edit]
- Download the three rpms and install them:
sudo rpm -Uvh shimx64.msft*.rpm- They will install themselves in /boot/efi/EFI/shimx64.msft* and copy grubx64.efi and grub.cfg from /boot/efi/EFI/fedora so that the system can boot.
- EFI boot entries will also be created for them:
efibootmgr, please see the screenshot below - Set the first entry you want to test to BootNext:
sudo efibootmgr -n 0003 - Reboot your machine
- When your machine comes back up, check if the correct entry actually booted:
sudo efibootmgr | grep BootCurrent- If BootCurrent is the same as the entry you previously set to BootNext, then the test succeeded.
- If a different entry booted instead, like your Fedora installation, then the test failed.
- Enter your results on the results page.
- Boot to your installed OS
- Download and run show-trusted.sh:
source show-trusted.sh - Install lshw:
sudo dnf install -y lshw - Run
sudo lshw -short - Post the results of the above commands to pastebin with Paste Expiration set to Never. Copy the final URL to the Comments column on the results page.
- Download and run show-trusted.sh:
Reporting bugs[edit]
All new bugs should be reported into Red Hat Bugzilla, in most cases against the shim component.
Please note that just mentioning your problem into the comments section on the results page is not very helpful. Very often those problems only happen in specific circumstances, or with specific steps taken. We need the logs and screenshots, and we need to be able to ask you followup questions. Please file bug reports, it's much more useful than a short comment. Thank you!
When filing the bug, it's very helpful to include:
- exact steps you've performed (and whether you can reproduce it again)
- screenshots or videos, if applicable
- system journal (log), which you can retrieve by
journalctl -b > journal.txt - your system description
If you are unsure about exactly how to file the report or what other information to include, just ask us.
Please make sure to link to the bug when submitting your test result, thanks!
Test Results[edit]
Test results will be exported here once the test day is over. See How to test? section for information how to submit results and see the live results.
