diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index 9b4c82f8c1..2b0241a0f4 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@@ -195,14 +195,14 @@ case "${FLAGS_target}" in
# Use the test keys for signing unofficial builds
if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
sudo sbsign --key /usr/share/sb_keys/DB.key \
- --cert /usr/share/sb_keys/DB.crt \
+ --cert /usr/share/sb_keys/DB.crt \
"${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}.signed" \
- "${ESP_DIR}/EFI/boot/grub.efi"
+ "${ESP_DIR}/EFI/boot/grubx64.efi"
sudo sbsign --key /usr/share/sb_keys/DB.key \
- --cert /usr/share/sb_keys/DB.crt \
- --output "${ESP_DIR}/EFI/boot/bootx64.efi" \
- "/usr/lib/shim/shim.efi"
+ --cert /usr/share/sb_keys/DB.crt \
+ --output "${ESP_DIR}/EFI/boot/bootx64.efi" \
+ "/usr/lib/shim/shim.efi"
else
sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
"${ESP_DIR}/EFI/boot/grub.efi"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/metadata.xml
deleted file mode 100644
index 097975e3ad..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/metadata.xml
+++ /dev/null
@@ -1,4 +0,0 @@
-
-
-
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild
deleted file mode 120000
index ac0bdc5b80..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild
+++ /dev/null
@@ -1 +0,0 @@
-shim-9999.ebuild
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
deleted file mode 100644
index 50673ef721..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
+++ /dev/null
@@ -1,43 +0,0 @@
-# Copyright 2015 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-CROS_WORKON_PROJECT="flatcar/shim"
-CROS_WORKON_REPO="https://github.com"
-
-if [[ "${PV}" == 9999 ]]; then
- KEYWORDS="~amd64 ~arm64"
-else
- CROS_WORKON_COMMIT="7ba7440c49d32f911fb9e1c213307947a777085d"
- KEYWORDS="amd64 arm64"
-fi
-
-inherit cros-workon multilib
-
-DESCRIPTION="UEFI Shim loader"
-HOMEPAGE="https://github.com/rhboot/shim"
-
-LICENSE="BSD"
-SLOT="0"
-IUSE=""
-
-RDEPEND=""
-DEPEND="sys-boot/gnu-efi dev-libs/openssl"
-
-src_unpack() {
- cros-workon_src_unpack
- default_src_unpack
-}
-
-src_compile() {
- emake \
- CROSS_COMPILE="${CHOST}-" \
- EFI_INCLUDE="${SYSROOT%/}"/usr/include/efi \
- EFI_PATH="${SYSROOT%/}"/usr/$(get_libdir) \
- shim.efi || die
-}
-
-src_install() {
- insinto /usr/lib/shim
- doins "shim.efi"
-}
diff --git a/sdk_container/src/third_party/portage-stable/sys-boot/shim/Manifest b/sdk_container/src/third_party/portage-stable/sys-boot/shim/Manifest
new file mode 100644
index 0000000000..954368dcbe
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-boot/shim/Manifest
@@ -0,0 +1,3 @@
+DIST shim-aa64-15.6-2.aarch64.rpm 466804 BLAKE2B 706f31835be24fee7202b8f8eb49204741d7726f106fad993ff524f475434ab3f23bebcd427f8a2aa4cd9a9c2494fdec9c2a49c29025364f0ebe989786f74c2f SHA512 72c2a62f380e76c3ea0fe5b13ef4e4bcd5e62e1b26b0b277c6ed8dd5d5e76f0f92770497da09e8ce12e6c60ee57d679d134f960a10639644dd751811563f1f29
+DIST shim-ia32-15.6-2.x86_64.rpm 419081 BLAKE2B f7160dd1330bfd7ad2d64cfe370750f576f1e3291aa8bc8313d52869f3dd23228db8514e7578c2609428479e430a1d39c1992450f4f42197216c00c420a0a150 SHA512 045325802474f53c6e86eff1166f1a966268c9ad706fac4c08966f211dbc32fba21ed3a07c46445ec579ac1e2819a1313ff54d6169737806954962945c61bdc2
+DIST shim-x64-15.6-2.x86_64.rpm 479835 BLAKE2B 7d12b97275c25659f94a8dd4c8678eb7df9e11fd3258966cb65c762467f28744b9403e13d5b5c98d6d6a5244ce4d81ef31b9d802040be99da03c1bb56be21275 SHA512 971978bddee95a6a134ef05c4d88cf5df41926e631de863b74ef772307f3e106c82c8f6889c18280d47187986abd774d8671c5be4b85b1b0bb3d1858b65d02cf
diff --git a/sdk_container/src/third_party/portage-stable/sys-boot/shim/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-boot/shim/metadata.xml
new file mode 100644
index 0000000000..be6f6f5712
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-boot/shim/metadata.xml
@@ -0,0 +1,12 @@
+
+
+
+
+ zerochaos@gentoo.org
+ Rick Farina
+
+
+ cpe:/a:redhat:shim
+ rhboot/shim
+
+
diff --git a/sdk_container/src/third_party/portage-stable/sys-boot/shim/shim-15.6.ebuild b/sdk_container/src/third_party/portage-stable/sys-boot/shim/shim-15.6.ebuild
new file mode 100644
index 0000000000..c4f33913bd
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-boot/shim/shim-15.6.ebuild
@@ -0,0 +1,30 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit rpm secureboot
+
+DESCRIPTION="Fedora's signed UEFI shim"
+HOMEPAGE="https://src.fedoraproject.org/rpms/shim"
+SRC_URI="amd64? ( https://kojipkgs.fedoraproject.org/packages/shim/${PV}/2/x86_64/shim-x64-${PV}-2.x86_64.rpm
+ https://kojipkgs.fedoraproject.org/packages/shim/${PV}/2/x86_64/shim-ia32-${PV}-2.x86_64.rpm )
+ x86? ( https://kojipkgs.fedoraproject.org/packages/shim/${PV}/2/x86_64/shim-x64-${PV}-2.x86_64.rpm
+ https://kojipkgs.fedoraproject.org/packages/shim/${PV}/2/x86_64/shim-ia32-${PV}-2.x86_64.rpm )
+ arm64? ( https://kojipkgs.fedoraproject.org/packages/shim/${PV}/2/aarch64/shim-aa64-${PV}-2.aarch64.rpm )"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="amd64 arm64 x86"
+
+S="${WORKDIR}/boot/efi/EFI"
+
+src_install() {
+ insinto /usr/share/${PN}
+ doins BOOT/BOOT*.EFI
+ doins fedora/mm*.efi
+
+ # Shim is already signed with Microsoft keys, but MokManager still needs
+ # signing with our key otherwise we have to enrol the Fedora key in Mok list
+ secureboot_auto_sign --in-place
+}