[Bug 1847458] Re: EFI chainloader no longer uses shim lock protocol

Mathieu Trudel-Lapierre mathieu.tl at gmail.com
Mon Nov 4 22:30:46 UTC 2019


The code does look like it will chainload via shim:

linuxefi_secure_validate() runs, checks that the image is valid against
firmware stores and the MokList.

Then

grub_cmd_chainloader -> (grub_linuxefi_secure_validate() finds the image
valid) -> grub_secureboot_chainloader_boot() -> handle_image() [ read
image header, identify relocations, find entry point, etc.] ->
efi_call_2 (entry point) -> Image is started

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1847458

Title:
  EFI chainloader no longer uses shim lock protocol

Status in grub2 package in Ubuntu:
  Incomplete
Status in grub2 source package in Eoan:
  Incomplete

Bug description:
  GRUB versions pre-eoan contain modifications to the EFI chainloader
  command (grub-core/loader/efi/chainloader.c) which allow a chainloaded
  bootloader to be verified using the shim lock EFI protocol (which
  validates an image against signatures enrolled in the UEFI db, MOK db
  and shim's built-in vendor certificate). The verified bootloader is
  subsequently executed directly without the use of the LoadImage() and
  StartImage() EFI boot services.

  This modification was dropped in the GRUB update in eoan (2.04) - the
  EFI chainloader command now always uses the LoadImage() and
  StartImage() EFI boot services, which requires a bootloader to be
  verified using a signature enrolled in the UEFI db. It's no longer
  possible to chainload another bootloader that has to be verified by a
  signature in the MOK db or shim's built-in vendor certificate.

  I'm not sure if this is a deliberate change or an oversight.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1847458/+subscriptions
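The call chain above ends in handle_image(), which reads the PE header of the already-verified image, locates its relocations and entry point, and only then jumps to it. The following is an added illustration of that header walk, not code from grub2 or shim: a bounds-checked PE32+ header parser in C, run over a constructed headers-only sample image. The names pe_parse_headers, build_sample_image and struct pe_info are this example's own; the shim lock protocol Verify() call that precedes this step in GRUB needs firmware and is not modelled here. The point of the checks is that every offset is validated against the buffer length before it is read, so a malformed image is rejected instead of being started.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields a loader needs before it can relocate and start a PE32+ image.
 * Every value comes from the untrusted image and is range-checked below. */
struct pe_info {
    uint16_t machine;        /* COFF Machine, e.g. 0x8664 for x86-64 */
    uint16_t subsystem;      /* 10 = IMAGE_SUBSYSTEM_EFI_APPLICATION */
    uint32_t entry_rva;      /* AddressOfEntryPoint */
    uint32_t size_of_image;  /* SizeOfImage */
    uint32_t reloc_rva;      /* Base Relocation Table RVA (data directory 5) */
    uint32_t reloc_size;     /* Base Relocation Table size */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the DOS/PE/COFF/optional headers of a PE32+ image held in memory.
 * Returns 0 and fills *out on success, a negative code on any malformed or
 * unsupported header. Nothing is dereferenced before its bounds check. */
int pe_parse_headers(const uint8_t *img, size_t len, struct pe_info *out)
{
    if (len < 64 || img[0] != 'M' || img[1] != 'Z')
        return -1;                               /* no DOS header / too short */
    uint32_t pe_off = rd32(img + 0x3c);          /* e_lfanew */
    if (pe_off > len || len - pe_off < 24)
        return -2;                               /* "PE\0\0" + 20-byte COFF header must fit */
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0)
        return -3;
    const uint8_t *coff = img + pe_off + 4;
    uint16_t opt_size = rd16(coff + 16);         /* SizeOfOptionalHeader */
    size_t opt_off = (size_t)pe_off + 24;
    if (opt_size > len - opt_off || opt_size < 112 + 6 * 8)
        return -4;                               /* need data directories 0..5 */
    const uint8_t *opt = img + opt_off;
    if (rd16(opt) != 0x20b)
        return -5;                               /* PE32+ only */
    if (rd32(opt + 108) < 6)
        return -6;                               /* NumberOfRvaAndSizes too small */

    out->machine = rd16(coff + 0);
    out->subsystem = rd16(opt + 68);
    out->entry_rva = rd32(opt + 16);
    out->size_of_image = rd32(opt + 56);
    out->reloc_rva = rd32(opt + 112 + 5 * 8);
    out->reloc_size = rd32(opt + 112 + 5 * 8 + 4);

    /* Entry point and relocation table must lie inside the mapped image. */
    if (out->entry_rva >= out->size_of_image)
        return -7;
    if (out->reloc_size != 0 &&
        (out->reloc_rva > out->size_of_image ||
         out->size_of_image - out->reloc_rva < out->reloc_size))
        return -8;
    return 0;
}

/* Constructed sample: headers only (no sections), enough for the walk above. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    const uint32_t pe_off = 0x40;
    const uint16_t opt_size = 240;               /* full PE32+ optional header */
    size_t total = pe_off + 24 + opt_size;       /* 328 bytes */
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, pe_off);
    memcpy(buf + pe_off, "PE\0\0", 4);
    uint8_t *coff = buf + pe_off + 4;
    wr16(coff + 0, 0x8664);                      /* x86-64 */
    wr16(coff + 16, opt_size);
    uint8_t *opt = coff + 20;
    wr16(opt + 0, 0x20b);                        /* PE32+ magic */
    wr32(opt + 16, 0x1000);                      /* AddressOfEntryPoint */
    wr32(opt + 56, 0x4000);                      /* SizeOfImage */
    wr16(opt + 68, 10);                          /* EFI application subsystem */
    wr32(opt + 108, 16);                         /* NumberOfRvaAndSizes */
    wr32(opt + 112 + 5 * 8, 0x3000);             /* reloc table RVA */
    wr32(opt + 112 + 5 * 8 + 4, 0x40);           /* reloc table size */
    return total;
}

int main(void)
{
    uint8_t buf[512];
    struct pe_info info = {0};
    size_t n = build_sample_image(buf, sizeof buf);
    int rc = pe_parse_headers(buf, n, &info);
    printf("rc=%d entry=0x%x size=0x%x reloc=0x%x/%u\n",
           rc, info.entry_rva, info.size_of_image, info.reloc_rva, info.reloc_size);
    /* A truncated buffer is rejected rather than read past its end. */
    printf("truncated rc=%d\n", pe_parse_headers(buf, 100, &info));
    return rc;
}
```

In a real loader this walk runs only after the signature check has passed, as in the chain above; the header checks here guard against a corrupt or hostile header, not against an unsigned image.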