#1139248 shim-signed: detect and support systems which won't boot a multi-signed shim

Package:
shim-signed
Source:
shim-signed
Description:
Secure Boot chain-loading bootloader (Microsoft-signed binary)
Submitter:
Steve McIntyre
Date:
2026-06-07 16:09:02 UTC
Severity:
normal
#1139248#5
Date:
2026-06-07 16:07:29 UTC
From:
To:
In #1138983 we have a report of a system which won't boot a
dual-signed shim. While waiting on the result of more testing there to
confirm if it's dual-signing that's the problem, thinking out loud...

We now have code in the shim-signed preinst to detect whether a
particular shim is likely to be supported on a given system. Could we
re-use/extend the logic here?

* As well as the multi-signed shim, include all the
  individually-signed shims too in the package. Maybe in a separate
  "fallback" subdirectory?

* If a system is on a known-bad list for multi-signing, check to see
  if it will work with with one of the fallback shims instead of the
  main multi-signed.

* If we think that should work, install that shim instead with some
  packaging logic. (The RedHat folks are also doing something like
  this with extra tooling.)

* If not, fail loudly.

That's the extent of my thoughts about this so far; I'm not proposing
to actually do any work on this unless we get a reasonably large
number of systems reported that might make this worthwhile.