The Shim bootloader plays a crucial role in enabling UEFI Secure Boot for Linux distributions by acting as a first-stage bootloader linked to trusted certificates. Installing and configuring Shim correctly ensures that your system loads securely and complies with modern UEFI standards. Whether you’re setting up a server or configuring a secure Linux machine, understanding how to implement Shim is vital.
TL;DR Summary
This guide walks through the full installation and configuration process of the Shim bootloader on UEFI-enabled systems. Shim is designed to work with Secure Boot and requires proper signing of boot components. You will learn what prerequisites are needed, how to install Shim, how to sign kernels and bootloaders, and how to troubleshoot common issues. By the end, your Linux system should be booting securely using Shim.
What is Shim?
Shim is a UEFI bootloader designed to bridge the gap between UEFI Secure Boot and non-Microsoft operating systems, particularly Linux. It is typically signed by Microsoft, enabling it to be loaded by most UEFI firmware implementations that support Secure Boot. Shim then loads the next-stage bootloader, usually GRUB or systemd-boot, which proceeds to load the Linux kernel.
Why Use Shim?
- UEFI Secure Boot Compatibility – Ensures that only signed and trusted binaries are loaded at boot time.
- Linux Support – Makes Linux compatible with firmware that enforces Secure Boot policies.
- User Key Management – Allows managing custom signing keys for kernels and modules.
Prerequisites
Before installing Shim, make sure to have the following:
- A computer with UEFI firmware and Secure Boot enabled in the BIOS settings.
- A Linux distribution that supports Secure Boot (e.g., Ubuntu, Fedora, Debian).
- Administrator privileges or root access.
- Installed packages: efibootmgr, grub-efi, sbsigntool, and optionally mokutil.
Step-by-Step: Installing and Configuring Shim Bootloader
Step 1: Obtain Shim Packages
Depending on your Linux distribution, the Shim package may already be available through official repositories. For example:
sudo apt install shim-signed
For Red Hat-based systems:
sudo dnf install shim
This package includes the necessary shim.efi binary along with its signature.
Step 2: Copy Shim to the EFI Partition
The EFI partition is usually mounted under /boot/efi. If it’s not mounted:
sudo mount /dev/sdX1 /boot/efi
Replace /dev/sdX1 with the correct EFI partition for your system.
After mounting:
sudo cp /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI/ubuntu/shimx64.efi
sudo cp /usr/lib/grub/x86_64-efi-signed/grubx64.efi /boot/efi/EFI/ubuntu/grubx64.efi
Step 3: Set Up UEFI Boot Entry
sudo efibootmgr --create \
  --disk /dev/sdX \
  --part 1 \
  --label "Shim Bootloader" \
  --loader '\EFI\ubuntu\shimx64.efi'
This tells the firmware to boot via Shim by default.
Step 4: Configure GRUB (or your chosen bootloader)
Once Shim is installed, GRUB settings should reflect the Secure Boot environment.
sudo grub-mkconfig -o /boot/grub/grub.cfg
You can customize /etc/default/grub for additional boot parameters before generating the config.
Step 5: Sign Linux Kernel and Bootloaders
Shim uses a secure boot certificate system, which means all subsequent binaries (kernel, drivers) must be signed using a key recognized by Shim or added via Machine Owner Key (MOK).
Generate Keys
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key \
  -out MOK.crt -days 3650 -nodes -subj "/CN=My Secure Boot/"
Enroll Key
sudo mokutil --import MOK.crt
Reboot the machine and follow the MOK Manager interface to complete enrollment.
Sign Binaries
sbsign --key MOK.key --cert MOK.crt --output vmlinuz.signed vmlinuz
Repeat this process for additional binaries like initramfs or other kernel modules.
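The key generation, enrollment check and signing steps above, collected into a small script as an added example (not part of the original guide). It assumes openssl and the sbsigntool utilities (sbsign, sbverify) plus mokutil are installed; the directory, CN and file names are illustrative, and the verification step is the check worth running before rebooting.

```shell
#!/bin/sh
# Added example: create a Machine Owner Key, sign a PE binary with it and
# verify the signature locally before the firmware ever sees it.
# Assumes openssl, sbsign, sbverify and mokutil are available.
set -eu

# gen_mok_key DIR CN DAYS: create MOK.key/MOK.crt (PEM) plus MOK.der, the
# DER form that mokutil --import and mokutil --test-key expect.
gen_mok_key() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$cn" -keyout "$dir/MOK.key" -out "$dir/MOK.crt" 2>/dev/null
    openssl x509 -in "$dir/MOK.crt" -outform DER -out "$dir/MOK.der"
    chmod 600 "$dir/MOK.key"   # whoever holds this key can sign trusted boot code
}

# sign_pe DIR IN OUT: sign a PE/COFF image (kernel image, grubx64.efi) with the
# MOK, then verify the output against the certificate so a broken signature is
# caught here instead of as an "Invalid signature" error at boot.
sign_pe() {
    dir=$1; in=$2; out=$3
    sbsign --key "$dir/MOK.key" --cert "$dir/MOK.crt" --output "$out" "$in"
    sbverify --cert "$dir/MOK.crt" "$out"
}

# mok_enrolled DIR: succeed if the certificate is already enrolled
# (mokutil --test-key reports "... is already enrolled"), fail otherwise.
mok_enrolled() {
    mokutil --test-key "$1/MOK.der" 2>/dev/null | grep -q 'already enrolled'
}

# cert_cn DIR: print the CN of the generated certificate (sanity check;
# handles both "CN = x" and "/CN=x" subject formats of different openssl versions).
cert_cn() {
    openssl x509 -in "$1/MOK.crt" -noout -subject | sed 's/.*CN *= *//; s,/.*,,'
}

# Typical use on a live system:
#   gen_mok_key /root/mok "My Secure Boot" 3650
#   mok_enrolled /root/mok || sudo mokutil --import /root/mok/MOK.der   # then reboot
#   sign_pe /root/mok /boot/vmlinuz /boot/vmlinuz.signed
```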
Step 6: Validate Secure Boot Status
To confirm Secure Boot is active and working with Shim:
dmesg | grep -i secure
mokutil --sb-state
Or verify via firmware settings during boot-up.
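Reading the state directly from efivarfs, as an added example not in the original guide, shows what mokutil --sb-state summarises: each efivarfs file is a 4-byte attribute header followed by the variable data, and SecureBoot together with SetupMode decides whether signatures are actually enforced. The GUID is the real EFI_GLOBAL_VARIABLE GUID; the directory is a parameter so a constructed copy can be inspected without root or UEFI firmware.

```shell
#!/bin/sh
# Added example: parse SecureBoot/SetupMode from efivarfs and give one verdict.
set -eu

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_u8 DIR NAME: print the first data byte of variable NAME, or
# "missing" if the variable does not exist (non-UEFI boot, no efivarfs).
efivar_u8() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    if [ ! -r "$f" ]; then
        echo missing
        return 0
    fi
    # -j 4 skips the attribute header, -N 1 reads one unsigned byte
    v=$(od -An -t u1 -j 4 -N 1 "$f" | tr -d ' ')
    echo "${v:-missing}"
}

# secure_boot_state DIR: "enabled" is the only state in which the firmware
# enforces signatures; "setup-mode" means the key databases can be rewritten
# without authentication, so Secure Boot gives no protection yet.
secure_boot_state() {
    sb=$(efivar_u8 "$1" SecureBoot)
    sm=$(efivar_u8 "$1" SetupMode)
    case "$sb:$sm" in
        missing:*) echo not-uefi ;;
        1:1)       echo setup-mode ;;
        1:*)       echo enabled ;;
        0:*)       echo disabled ;;
        *)         echo unknown ;;
    esac
}

# make_fake_efivar DIR NAME VALUE: constructed sample mimicking the efivarfs
# layout (attributes 0x00000006 little-endian, then one data byte) for
# offline checks; never needed on a live system.
make_fake_efivar() {
    printf '\006\000\000\000' > "$1/$2-$EFI_GLOBAL_GUID"
    printf "\\$(printf '%03o' "$3")" >> "$1/$2-$EFI_GLOBAL_GUID"
}

# On a live system: secure_boot_state /sys/firmware/efi/efivars
```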
Troubleshooting Tips
- Boot failure? – Check EFI boot entry and verify file paths.
- Not loading GRUB? – Ensure shimx64.efi points to the signed version of GRUB correctly.
- “Invalid signature” errors? – Confirm that the kernel and initramfs have been signed with the enrolled MOK.
- MOK Manager not appearing? – Some UEFI firmware implementations require enabling during boot (check BIOS/UEFI manual).
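For the first two tips (checking the boot entry and the file paths it points at), here is an added example, not from the original guide, that cross-checks every loader referenced in efibootmgr -v output against the mounted EFI partition. The efibootmgr text and ESP mount point are parameters so the constructed sample below runs offline; on a live system pass "$(efibootmgr -v)" and /boot/efi.

```shell
#!/bin/sh
# Added example: verify that the loader files named by the firmware boot
# entries exist on the ESP and that the first entry in BootOrder is Shim.
set -eu

# Constructed sample of `efibootmgr -v` output (partition GUID is made up).
SAMPLE_EFIBOOTMGR='BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0001,0000
Boot0000* Windows Boot Manager HD(1,GPT,1234abcd-0000-0000-0000-000000000001,0x800,0x100000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0001* Shim Bootloader HD(1,GPT,1234abcd-0000-0000-0000-000000000001,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)'

# boot_entry_loaders TEXT: print "BootNNNN /path" for each entry that names a
# File(...) loader, with EFI backslashes turned into POSIX slashes.
boot_entry_loaders() {
    printf '%s\n' "$1" \
        | sed -n 's/^\(Boot[0-9A-Fa-f]\{4\}\)\*\{0,1\}.*File(\([^)]*\)).*/\1 \2/p' \
        | tr '\\' '/'
}

# first_boot_loader TEXT: loader path of the first entry in BootOrder, i.e.
# what the firmware will try first; expected to be shimx64.efi after Step 3.
first_boot_loader() {
    first=$(printf '%s\n' "$1" | sed -n 's/^BootOrder: *\([0-9A-Fa-f]\{4\}\).*/\1/p')
    boot_entry_loaders "$1" | sed -n "s/^Boot$first //p"
}

# missing_loaders TEXT ESP: print each entry whose loader is absent below ESP;
# empty output means every referenced file is present.
missing_loaders() {
    boot_entry_loaders "$1" | while read -r entry path; do
        [ -f "$2$path" ] || echo "$entry $path"
    done
}

# Live use:
#   first_boot_loader "$(efibootmgr -v)"
#   missing_loaders "$(efibootmgr -v)" /boot/efi
```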
Advanced Configurations
For advanced users and system administrators looking to configure custom policies or support multiboot environments:
- Create a custom grub.cfg with signed payload paths.
- Set up multiple boot directories under /boot/efi for isolation.
- Use SBAT metadata for verifying trust in Shim and GRUB at runtime.
- Integrate with systemd-boot by generating appropriately signed stubs and configurations.
Conclusion
The Shim bootloader is an essential tool for anyone seeking to use Linux with Secure Boot enabled. By carefully following each step in this guide—installing the Shim binary, configuring GRUB, signing necessary components, and managing keys—the system can boot securely and efficiently. Proper installation not only enhances system trust but aligns with enterprise-grade security practices.
Frequently Asked Questions (FAQ)
- Q: Can I use Shim without Secure Boot?
- A: Yes, Shim can be used even with Secure Boot disabled, but its intended use is to enable secure booting of Linux systems on Secure Boot-enabled firmware.
- Q: Do I need to sign every kernel update manually?
- A: Yes, unless you’re using a distribution that automatically signs kernels with an accepted key. If using a custom kernel, each must be signed.
- Q: What is the difference between Shim and GRUB?
- A: Shim is the first-stage bootloader signed by Microsoft to work with Secure Boot. It then loads the second-stage bootloader (usually GRUB), which handles OS selection.
- Q: Is Shim available for ARM systems?
- A: Yes, Shim has ARM support, but availability and installation steps can differ depending on the distribution and hardware.
- Q: Can Shim boot multiple Linux distributions?
- A: Yes, as long as each distribution’s bootloader and kernel are properly signed and recognized by the enrolled keys.