Date: 2012-12-10 04:20 am (UTC)
From: (Anonymous)
No. The issue is with follow-on boot programs from shim that load EFI executables. Currently, rEFInd and gummiboot both launch Linux kernels in this way, using the kernel's EFI stub loader to load and launch the kernel as an EFI application. (So does rEFIt, but it can't pass arguments, so it's very awkward in this role.) GRUB Legacy, GRUB 2, and ELILO all launch kernels without relying on their EFI stub loaders or the EFI system calls that are used to launch EFI applications. Therefore, if you sign one of these boot loaders, it can launch anything. The downside to this is that the commonly-available boot loader binaries don't verify that a kernel has been signed. The Fedora 18 pre-release archives include a version of GRUB 2 that performs such checks, but if anybody's done anything with GRUB Legacy or ELILO that's similar, I don't know about it. The last I checked, Syslinux wasn't an issue because there was no Syslinux EFI support, although I heard the Syslinux people were working on it.

So in summary, shim->F18 GRUB2->kernel and shim->rEFInd 0.5.0->kernel both now provide authenticated boot paths; shim->kernel could in principle be authenticated, but this will depend on getting a patched shim signed; shim->GRUB Legacy->kernel and shim->ELILO->kernel both provide an unauthenticated boot path; and shim->gummiboot->kernel won't work in Secure Boot mode unless/until gummiboot adds shim support. (Note that I've not tried launching either GRUB Legacy or ELILO directly from shim, so I can't be sure those paths will actually work.)
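A small chain-of-trust model of the boot paths the comment above compares (an added example, not code from the post or from any of the boot loaders it names). It assumes the kernel is signed with a key that shim or the MOK list trusts but that is not in the firmware's db, which is the situation in which gummiboot cannot start it; the stage names and the "shim->kernel" path are taken as the comment states them.

```python
"""Toy chain-of-trust model of the boot paths compared in the comment above.
Added example, not code from the post or from any boot loader it names.
Assumed: the kernel is signed with a key shim/MOK trusts but the firmware's
db does not (the situation in which gummiboot cannot start it)."""
from dataclasses import dataclass
from enum import Enum


class Launch(Enum):
    FIRMWARE = "firmware"  # LoadImage/StartImage: firmware checks against db
    SHIM = "shim"          # shim's verify protocol: shim key or MOK list
    DIRECT = "direct"      # loader copies the kernel into RAM itself; firmware never sees it


@dataclass(frozen=True)
class Stage:
    name: str
    launch: Launch               # how this stage starts the next one
    verifies_next: bool = False  # own signature check (only matters for DIRECT)


def classify(chain):
    """chain: stages that each launch the next; the kernel is the implicit last hop.
    Returns "authenticated", "unauthenticated" or "fails to boot"."""
    for stage in chain:
        if stage.launch is Launch.FIRMWARE:
            return "fails to boot"        # db does not hold the kernel's key
        if stage.launch is Launch.DIRECT and not stage.verifies_next:
            return "unauthenticated"      # this hop will launch anything
    return "authenticated"


SHIM = Stage("shim", Launch.SHIM)
GRUB2_F18 = Stage("GRUB 2 (Fedora 18 pre-release build)", Launch.DIRECT, True)
REFIND = Stage("rEFInd 0.5.0", Launch.SHIM)
GRUB_LEGACY = Stage("GRUB Legacy", Launch.DIRECT)
ELILO = Stage("ELILO", Launch.DIRECT)
GUMMIBOOT = Stage("gummiboot (no shim support)", Launch.FIRMWARE)


def audit():
    """The comment's six paths; shim->kernel assumes the patched shim it mentions."""
    paths = {
        "shim->F18 GRUB2->kernel": [SHIM, GRUB2_F18],
        "shim->rEFInd 0.5.0->kernel": [SHIM, REFIND],
        "shim->kernel": [SHIM],
        "shim->GRUB Legacy->kernel": [SHIM, GRUB_LEGACY],
        "shim->ELILO->kernel": [SHIM, ELILO],
        "shim->gummiboot->kernel": [SHIM, GUMMIBOOT],
    }
    return {name: classify(chain) for name, chain in paths.items()}
```

The point the model makes explicit is that a signed loader is not enough: what matters is whether each hop either goes through a verifier (firmware or shim) or performs its own signature check before jumping into the next image.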