diff --git a/shim.conf b/shim.conf new file mode 100644 index 0000000000000000000000000000000000000000..39cc4ffca67a900b7ab4e061852a0774d9ed2832 --- /dev/null +++ b/shim.conf @@ -0,0 +1 @@ +shim diff --git a/shim.spec b/shim.spec index 97dedce8fddcc71d5e0eee8b7e682d08357e7a4f..be2f2441286366add0cd07b2883d9f3a57de8357 100644 --- a/shim.spec +++ b/shim.spec @@ -25,7 +25,7 @@ Name: shim Version: 15.7 -Release: 16 +Release: 17 Summary: First-stage UEFI bootloader ExclusiveArch: x86_64 aarch64 License: BSD @@ -36,6 +36,7 @@ Source2: BOOTX64.CSV Source3: openEuler_ca.der Source4: shimaa64-cfca.efi Source5: shimx64-cfca.efi +Source6: shim.conf Patch1:backport-CVE-2023-40546.patch Patch2:backport-CVE-2023-40551-pe-relocate-Fix-bounds-check-for-MZ-b.patch @@ -180,6 +181,10 @@ install -m 644 fb%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shimefi install -m 644 mm%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shimefivendor} install -m 644 shim%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shimefivendor} +# install dnf protection config +install -d $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/ +install -m 0644 %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/ + cd .. %check @@ -193,6 +198,7 @@ make test %{shimefivendor}/%{bootcsv} %{shimefivendor}/*.efi %{shimefivendor}/*.hash +%{_sysconfdir}/dnf/protected.d/shim.conf %files signed %ifarch aarch64 @@ -213,6 +219,9 @@ make test /usr/src/debug/%{name}-%{version}-%{release}/* %changelog +* Thu Jul 31 2025 Qin Fandong - 15.7-17 +- Add shim to dnf protected packages list + * Mon Jan 20 2025 xuce -15.7-16 - fix the issue that the gBS->LoadImage pointer was empty.
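Review bot: The protection list in the new `shim.conf` names only `shim`, yet the spec touched by this same commit has a `%files signed` section, so a second package (presumably `shim-signed`) is built and left unprotected. Which package ships the EFI binaries that firmware actually boots is not visible in this diff; if it is the signed subpackage, `dnf remove` of it would still go through. Consider adding that package name as a second line in `shim.conf`, or shipping a separate protected.d file from the subpackage. The changelog could also state that this guards only against removal through dnf, since a direct `rpm -e` does not consult protected.d.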
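Review bot: In the `@@ -180,6 +181,10 @@` hunk, the second added `install` line copies `%{SOURCE6}` into the directory without naming the destination, so the installed filename follows whatever the source file is called, while `%files` hard-codes `shim.conf`. Spelling out the target keeps the two in step: `install -m 0644 %{SOURCE6} ${RPM_BUILD_ROOT}%{_sysconfdir}/dnf/protected.d/shim.conf`. The new lines also write `$RPM_BUILD_ROOT` where the neighbouring lines use `${RPM_BUILD_ROOT}`; matching the existing form would keep the section uniform. The `%install` section begins outside this hunk.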
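Review bot: The new `%files` entry in the `@@ -193,6 +198,7 @@` hunk lists `%{_sysconfdir}/dnf/protected.d/shim.conf` but not its directory, and no `Requires:` on dnf is visible in this diff. On a system where dnf is absent, the directory would therefore be created unowned; either co-own it with `%dir %{_sysconfdir}/dnf/protected.d` or confirm that the owning package is always present. The file is also under `%{_sysconfdir}` without a config tag, which means an upgrade restores the entry if it was edited locally. That looks like the right behaviour for a protection entry, but it deserves a comment above the line, e.g. `# deliberately not tagged as config: upgrades must restore the protection entry`.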