[Bug 1847458] Re: EFI chainloader no longer uses shim lock protocol
Mathieu Trudel-Lapierre
mathieu.tl at gmail.com
Sat Oct 12 12:45:36 UTC 2019
After further discussion with Chris, it seems like this might have been a
misunderstanding, looking at two different source trees for the
software.
Chris, can you please confirm whether we've reached consensus on the
state of the chainloader code for SB? From my read, the patches look to
be properly applied, and chainloading Windows certainly works for me
here.
** Changed in: grub2 (Ubuntu Eoan)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1847458
Title:
EFI chainloader no longer uses shim lock protocol
Status in grub2 package in Ubuntu:
Incomplete
Status in grub2 source package in Eoan:
Incomplete
Bug description:
GRUB versions pre-eoan contain modifications to the EFI chainloader
command (grub-core/loader/efi/chainloader.c) which allow a chainloaded
bootloader to be verified using the shim lock EFI protocol (which
validates an image against signatures enrolled in the UEFI db, MOK db
and shim's built-in vendor certificate). The verified bootloader is
subsequently executed directly without the use of the LoadImage() and
StartImage() EFI boot services.
This modification was dropped in the GRUB update in eoan (2.04) - the
EFI chainloader command now always uses the LoadImage() and
StartImage() EFI boot services, which requires a bootloader to be
verified using a signature enrolled in the UEFI db. It's no longer
possible to chainload another bootloader that has to be verified by a
signature in the MOK db or shim's built-in vendor certificate.
I'm not sure if this is a deliberate change or an oversight.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1847458/+subscriptions
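A C model (added here; not code from GRUB, shim or the bug thread) of the two verification paths the description contrasts: the shim lock protocol's Verify(), which accepts signatures from the UEFI db, the MOK db or shim's vendor certificate, versus the firmware's LoadImage(), which consults the UEFI db only. The signer names, key-store contents and the image struct are constructed stand-ins for real Authenticode signatures; the SHIM_LOCK layout and GUID follow shim's declaration.

```c
#include <stdint.h>
#include <string.h>
/* Status values modelled on EFI_STATUS (error bit 63 set). */
typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS            0ULL
#define EFI_SECURITY_VIOLATION ((1ULL << 63) | 26)

/* Shim lock protocol interface as shim declares it (GUID
 * 605dab50-e046-4300-abb6-3dd810dd8b23); only Verify is exercised here. */
typedef EFI_STATUS (*EFI_SHIM_LOCK_VERIFY)(void *buffer, uint32_t size);
typedef struct { EFI_SHIM_LOCK_VERIFY Verify; void *Hash; void *Context; } SHIM_LOCK;

/* Constructed stand-in for a signed PE image: a signer name replaces the
 * Authenticode signature so the example runs without firmware. */
struct image { const char *signer; };

/* Constructed key stores (hypothetical names). LoadImage() consults only
 * db; shim's Verify also consults the MOK db and the vendor certificate. */
static const char *uefi_db[] = { "Microsoft UEFI CA" };
static const char *mok_db[]  = { "Locally enrolled MOK" };
static const char *vendor_cert = "Distro vendor cert (built into shim)";
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static int in_list(const char *s, const char **list, size_t n) {
    for (size_t i = 0; i < n; i++) if (strcmp(s, list[i]) == 0) return 1;
    return 0;
}

/* Simulated shim Verify: accept if signed by db, MOK db or vendor cert. */
static EFI_STATUS shim_verify(void *buffer, uint32_t size) {
    const struct image *img = buffer; (void)size;
    if (in_list(img->signer, uefi_db, COUNT(uefi_db)) ||
        in_list(img->signer, mok_db, COUNT(mok_db)) ||
        strcmp(img->signer, vendor_cert) == 0) return EFI_SUCCESS;
    return EFI_SECURITY_VIOLATION;
}

/* Simulated firmware LoadImage(): trusts only signatures enrolled in db. */
static EFI_STATUS firmware_load_image(const struct image *img) {
    return in_list(img->signer, uefi_db, COUNT(uefi_db)) ? EFI_SUCCESS : EFI_SECURITY_VIOLATION;
}
static const SHIM_LOCK shim_lock_instance = { shim_verify, NULL, NULL };

/* Chainloader decision. pre-eoan: locate shim lock, Verify(), start the image
 * directly. eoan 2.04: shim lock unused (NULL), so LoadImage() alone decides. */
EFI_STATUS chainload(const struct image *img, const SHIM_LOCK *shim_lock) {
    if (shim_lock != NULL)
        return shim_lock->Verify((void *)img, sizeof *img);
    return firmware_load_image(img);
}
```

Passing `&shim_lock_instance` models the pre-eoan path; passing `NULL` models the 2.04 behaviour the bug reports, where a MOK- or vendor-signed bootloader is refused.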