diff --git a/shim.conf b/shim.conf
new file mode 100644
index 0000000000000000000000000000000000000000..39cc4ffca67a900b7ab4e061852a0774d9ed2832
--- /dev/null
+++ b/shim.conf
@@ -0,0 +1 @@
+shim
diff --git a/shim.spec b/shim.spec
index abf0f3f06f90b95ddd59ee0e01ba80cc583422af..7a5842306504f5fe9ed380d157b2d7c83e953411 100644
--- a/shim.spec
+++ b/shim.spec
@@ -22,7 +22,7 @@
 
 Name: shim
 Version: 15
-Release: 37
+Release: 38
 Summary: First-stage UEFI bootloader
 ExclusiveArch: x86_64 aarch64
 License: BSD
@@ -30,6 +30,7 @@ URL: https://github.com/rhboot/shim
 Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
 Source1: BOOTAA64.CSV
 Source2: BOOTX64.CSV
+Source3: shim.conf
 
 Patch0: Hook-exit-when-shim_lock-protocol-installed.patch
 Patch1: VLogError-Avoid-NULL-pointer-dereferences-in-V-Sprint.patch
@@ -145,6 +146,10 @@ install -m 0700 %{SOURCE1} ${RPM_BUILD_ROOT}/%{shimefivendor}
 install -m 0700 %{SOURCE2} ${RPM_BUILD_ROOT}/%{shimefivendor}
 %endif
 
+# install dnf protection config
+install -d $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
+install -m 0644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
+
 cd ..
 
 %files
@@ -155,6 +160,7 @@ cd ..
 %{shimefivendor}/%{bootcsv}
 %{shimefivendor}/*.efi
 %{shimefivendor}/*.hash
+%{_sysconfdir}/dnf/protected.d/shim.conf
 
 %files debuginfo
 %defattr(-,root,root,-)
@@ -167,6 +173,9 @@ cd ..
 /usr/src/debug/%{name}-%{version}-%{release}/*
 
 %changelog
+* Thu Jul 31 2025 Qin Fandong - 15-38
+- Add shim to dnf protected packages list
+
 * Wed Jun 25 2025 Linux_zhang - 15-37
 - fix CVE-2024-0727
 
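Review bot: In the `@@ -145,6 +146,10 @@` hunk of shim.spec, the new comment `# install dnf protection config` does not say what the drop-in protects against or where that protection stops. A file under `protected.d` only makes dnf refuse a transaction that would remove the package; `rpm -e` does not consult it, so this guards against accidental removal of the first-stage bootloader and is not a tamper control. I would write `# Mark shim as protected so dnf refuses to remove the first-stage bootloader; rpm -e is not covered`. The two added `install` lines also use `$RPM_BUILD_ROOT` where the context lines just above use `${RPM_BUILD_ROOT}`; matching the braced form keeps the section uniform. The install section starts and ends outside this hunk.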
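Review bot: The new `%files` entry in the `@@ -155,6 +160,7 @@` hunk of shim.spec ships a file under `%{_sysconfdir}` without a config flag, so a locally edited `/etc/dnf/protected.d/shim.conf` is overwritten on every package update. That may be intended, since an update then restores the entry if someone emptied it, but in that case it deserves a comment such as `# not marked as a config file on purpose: updates must restore the protected entry`. If local edits are meant to survive, use `%config(noreplace) %{_sysconfdir}/dnf/protected.d/shim.conf` instead. Nothing visible in the diff owns or requires the `protected.d` directory itself, which presumably belongs to dnf; the rest of the `%files` list is outside the hunk, so this needs checking against the full spec.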