Hi,
I am trying to enable the UEFI Secure Boot feature on an aarch64 platform, booting Fedora 27. Going through the Admin Guide and the different content available online, I understand that the Secure Boot feature is supported by booting a first-stage boot loader, shim, which is signed by Microsoft keys. The shim boot loader has Fedora CA keys embedded, and the Fedora keys are used to validate the Grub2 and Linux kernel images. The kernel subsequently uses keys that are embedded during its build stage to validate the kernel modules. Please correct me if my understanding is not correct. Also, I have a few doubts pertaining to the public key management.

* Is the shim EFI binary for aarch64 platforms, which is part of the Fedora distribution, signed with Microsoft keys, similar to what is done for x86/amd platforms? If so, where can I find the Microsoft CA certificate, which would be used to validate the shim? Are the Microsoft CA public keys stored at some location on the root filesystem of the Fedora distribution, or are they uploaded by Microsoft to some known location?

* Are the Fedora CA public keys, which are used for validation of the grub2 and kernel images, part of the shim EFI binary (embedded in the shim image)? Or do I need to install the Fedora keys through the 'mokutil' userspace utility? If it's the latter, where can I find the public keys? Are the Fedora CA public keys stored at some location on the root filesystem of the Fedora distribution, or are they uploaded by Fedora to some known location?