
Shim bootloader updated, impacting secure boot for ARM64

Andrew Lukoshko

AlmaLinux Lead Architect

We have updated the shim bootloader to version 16.1 for AlmaLinux 9.7 and 10.1, following the same pattern that users will see in RHEL releases. This update includes a change in the UEFI Secure Boot signing key for the aarch64 (ARM64) architecture that our users should be aware of.

What is shim?

For those unfamiliar, shim is an open-source bootloader that acts as a bridge between the UEFI firmware and the operating system during the boot process. It is essential for Secure Boot support, as it verifies the signature of the bootloader before loading the operating system. You can learn more about how AlmaLinux handles Secure Boot in our earlier blog post.

What changed in shim 16.1?

The full list of upstream changes can be found in the shim 16.1 release notes. The most significant change in this update for AlmaLinux is related to the Microsoft UEFI signing keys used for Secure Boot, and it differs between architectures.

x86_64: still using the 2011 key

The x86_64 version of the shim continues to use the original Microsoft Windows UEFI Driver Publisher key from 2011. This key has been the standard signer for x86_64 Secure Boot binaries for over a decade and remains in use for this architecture to maintain broad compatibility with existing UEFI firmware implementations.

aarch64: switched to the new 2023 key

The aarch64 (ARM64) version of the shim has been switched to the new Microsoft UEFI CA 2023 signer key, following Red Hat’s decision to adopt it for this architecture. Microsoft is transitioning to the 2023 certificate family because the original 2011 certificates are reaching the end of their lifecycle and begin expiring in June 2026. The 2023 key will eventually become the standard across all architectures.

What does this mean for users?

For the vast majority of users, this update will be seamless.

x86_64: No action is required. Your Secure Boot chain of trust remains unchanged, and the update will apply as a normal package update.

aarch64: The transition to the new Microsoft UEFI CA 2023 key should be transparent if your firmware is up to date. Modern UEFI firmware on aarch64 platforms already includes the new Microsoft UEFI CA 2023 certificate in its trust store.

Note for VMware Fusion users: If your virtual machine was created before the software added support for the new Microsoft UEFI CA 2023 certificate, the certificate may be missing from the VM’s NVRAM. This can cause Secure Boot failures after the shim update. Follow the Broadcom knowledge base article to regenerate the NVRAM with the updated certificates.

To install the update, run the command for your architecture:

For x86_64:

dnf update shim-x64

For aarch64:

dnf update shim-aa64

You can verify that Secure Boot is functioning correctly after the update by running:

mokutil --sb-state
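A pre-flight check for the aarch64 case described above, added here as an example that is not part of the AlmaLinux post or the shim project: it reads the firmware's Secure Boot db variable from efivarfs, walks the EFI_SIGNATURE_LIST chain, and reports whether the Microsoft UEFI CA 2023 (and the 2011 CA) are present. The efivarfs path and the byte search for the certificate CN are assumptions; when no live db exists it falls back to a constructed sample.

```python
import struct
import uuid
from pathlib import Path

# Assumed efivarfs path for 'db' (name-GUID, GUID = EFI_IMAGE_SECURITY_DATABASE_GUID).
DB_EFIVAR = Path("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
CA_2011 = "Microsoft Corporation UEFI CA 2011"
CA_2023 = "Microsoft UEFI CA 2023"

def parse_signature_lists(blob):
    """Yield (SignatureType, signature bytes) from a chain of EFI_SIGNATURE_LIST:
    16-byte type GUID, u32 ListSize, u32 HeaderSize, u32 SignatureSize, header,
    then EFI_SIGNATURE_DATA entries (16-byte owner GUID + DER cert or hash)."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            yield sig_type, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def x509_subjects_present(blob, wanted=(CA_2011, CA_2023)):
    """Subset of `wanted` CNs found in X.509 db entries (the CN is plain ASCII
    inside the DER, so a byte search suffices for a presence check)."""
    found = set()
    for sig_type, data in parse_signature_lists(blob):
        if sig_type == EFI_CERT_X509_GUID:
            found.update(cn for cn in wanted if cn.encode() in data)
    return found

def make_signature_list(sig_type, entries):
    """Build one EFI_SIGNATURE_LIST from raw entries (for constructed samples)."""
    sig_size = 16 + max(len(e) for e in entries)
    body = b"".join(bytes(16) + e.ljust(sig_size - 16, b"\0") for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

if __name__ == "__main__":
    if DB_EFIVAR.exists():
        blob = DB_EFIVAR.read_bytes()[4:]  # drop the 4-byte efivarfs attribute prefix
    else:  # constructed sample: a db that carries only the 2011 CA
        blob = make_signature_list(EFI_CERT_X509_GUID, [b"\x30\x82" + CA_2011.encode()])
    found = x509_subjects_present(blob)
    print("db trusts:", sorted(found) or "no Microsoft UEFI CA")
    print("OK to update shim-aa64" if CA_2023 in found else "WARNING: db lacks the 2023 CA")
```

Run it as root on the aarch64 host before updating shim-aa64; a missing 2023 CA is the situation the VMware Fusion note above describes.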

Get involved!

If you run into any issues with the shim update, please report them on bugs.almalinux.org. You can also reach out to us in the Development channel on our Mattermost chat.

If you want to stay up to date, follow us on our forum, Reddit, X, Mastodon, LinkedIn, and YouTube.
