[Bug 2084104] Re: UEFI GRUB2 enforces NX even with a non-NX shim when Secure Boot is disabled
Mate Kukri
2084104 at bugs.launchpad.net
Thu Oct 10 12:58:00 UTC 2024
It looks like something is stopping GRUB from recognizing the MokPolicy
variable exported by shim on these machines, and in turn it decides to
enforce NX despite shim telling it not to.
** Summary changed:
- UEFI GRUB2 enforces NX even with a non-NX shim when Secure Boot is disabled
+ UEFI GRUB2 enforces NX even with a non-NX shim
** Description changed:
- This still needs to be verified, but I have a strong hunch that this is
- a bug...
-
Please see final comments on
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2078307
- What is likely happening is that shim does not export MokPolicy when
- Secure Boot is disabled, thus GRUB decides that it must always enforce
- NX.
+ There are multiple affected machines, correctly running the non-NX shim
+ and 2.12-5ubuntu5 GRUB.
- It might be a more sensible default to never enforce NX if Secure Boot
- is off.
+ Despite this, the GRUB on these machines decides to always enforce NX,
+ likely because the MokPolicy variable is not being exported exactly as
+ GRUB expects.
- The only obvious impact right now is Windows chainloading from GRUB when
- Secure Boot is disabled.
+ I have a suspicion that some of the attribute checks in this function
+ are not behaving as expected on these firmwares:
+ https://git.launchpad.net/~ubuntu-uefi-team/grub/+git/ubuntu/tree/debian/patches/nx/efi-Disallow-fallback-to-legacy-Linux-loader-when-shim-sa.patch#n22
+
+ The only obvious impact right now is Windows chainloading from GRUB on
+ specific affected machines.
** Description changed:
- Please see final comments on
- https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2078307
+ Please also see final comments on
+ https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2078307, this whole
+ thing started there.
- There are multiple affected machines, correctly running the non-NX shim
- and 2.12-5ubuntu5 GRUB.
+ There are two known affected machines currently, one is confirmed to
+ correctly be running the non-NX shim and 2.12-5ubuntu5 GRUB.
Despite this, the GRUB on these machines decides to always enforce NX,
likely because the MokPolicy variable is not being exported exactly as
GRUB expects.
+
+ This happens with both Secure Boot enabled and disabled.
I have a suspicion that some of the attribute checks in this function
are not behaving as expected on these firmwares:
https://git.launchpad.net/~ubuntu-uefi-team/grub/+git/ubuntu/tree/debian/patches/nx/efi-Disallow-fallback-to-legacy-Linux-loader-when-shim-sa.patch#n22
The only obvious impact right now is Windows chainloading from GRUB on
specific affected machines.
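To make the failure mode concrete, here is an added, simplified model of a fail-closed MokPolicy check (not GRUB's or shim's code): the decision defaults to enforcing NX whenever the variable is missing or its attributes or size differ from what the loader expects, so a firmware that reports the attributes differently ends up enforcing NX regardless of Secure Boot state. The expected attribute set and the MOK_POLICY_REQUIRE_NX bit value are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* UEFI variable attribute bits as defined by the UEFI specification. */
#define EFI_VARIABLE_NON_VOLATILE        0x1u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS  0x2u
#define EFI_VARIABLE_RUNTIME_ACCESS      0x4u

/* Assumed policy bit: set by shim when the loader must enforce NX. */
#define MOK_POLICY_REQUIRE_NX            0x1u

/* Constructed stand-in for what GetVariable("MokPolicy") returned. */
struct mok_policy_var {
    int      found;   /* 0 when the variable is absent or the call failed */
    uint32_t attrs;   /* attribute bitmask reported by the firmware */
    size_t   size;    /* data size in bytes */
    uint8_t  value;   /* first byte of the variable's data */
};

/*
 * Fail-closed policy decision (hypothetical, modelled on the bug report):
 * NX is enforced unless shim's MokPolicy is present, carries exactly the
 * attributes a volatile boot-time variable is expected to have (assumed
 * here to be BS|RT), is exactly one byte long, and does not request NX.
 * Returns 1 when NX must be enforced, 0 when the loader may relax it.
 */
int nx_must_be_enforced(const struct mok_policy_var *v)
{
    const uint32_t expected = EFI_VARIABLE_BOOTSERVICE_ACCESS
                            | EFI_VARIABLE_RUNTIME_ACCESS;

    if (!v->found)
        return 1;               /* no shim policy at all: enforce */
    if (v->attrs != expected)
        return 1;               /* e.g. firmware added NON_VOLATILE or dropped RT */
    if (v->size != 1)
        return 1;               /* malformed policy: enforce */
    return (v->value & MOK_POLICY_REQUIRE_NX) ? 1 : 0;
}
```

The strict attribute comparison is what makes a firmware quirk indistinguishable from a missing policy: any deviation lands in the enforce branch.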
https://bugs.launchpad.net/bugs/2084104
Title:
UEFI GRUB2 enforces NX even with a non-NX shim
Status in grub2 package in Ubuntu:
In Progress
Bug description:
Please also see final comments on
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2078307, this
whole thing started there.
There are two known affected machines currently, one is confirmed to
correctly be running the non-NX shim and 2.12-5ubuntu5 GRUB.
Despite this, the GRUB on these machines decides to always enforce NX,
likely because the MokPolicy variable is not being exported exactly as
GRUB expects.
This happens with both Secure Boot enabled and disabled.
I have a suspicion that some of the attribute checks in this function
are not behaving as expected on these firmwares:
https://git.launchpad.net/~ubuntu-uefi-team/grub/+git/ubuntu/tree/debian/patches/nx/efi-Disallow-fallback-to-legacy-Linux-loader-when-shim-sa.patch#n22
The only obvious impact right now is Windows chainloading from GRUB on
specific affected machines.