[Bug 1086983] Re: Signed grub doesn't depend on shim-signed

Shawn Rose ShawnAndrewRose at Gmail.Com
Sun Jun 19 21:37:31 UTC 2016


Assuming I'm understanding this correctly, the issue here is that the
system that you are booting on doesn't have Canonical's secure boot
signing key in the secure boot db. This is because grub2-signed isn't
signed by Microsoft directly, as Microsoft's secure boot signing
requirements specifically disallow signing GPLv3 binaries due to a GPLv3
restriction on releasing signing keys. This is why the shim-signed
package exists, to my understanding: it's non-GPLv3 code for the
express purpose of loading grub2.

To make it easier:

grubx64.efi is signed by Canonical.

bootx64.efi is signed by Microsoft (this is the shim-signed binary).

If Canonical's signing key isn't in the key db, secure boot will refuse
to load that code. If it is, it will.

But if you have shim-signed installed, bootx64.efi IS signed by
Microsoft's key, which is pretty much guaranteed to exist in the key db,
so it will load. It then can install Canonical's signing key into the
key db (as it's signed and likely includes the public key in the
binary), and then boots grubx64.efi. Since Canonical's signing key is
now installed, it will load just fine.

I should note I'm actually not entirely sure if it actually installs
Canonical's key into the db. But if it does, you could likely remove the
shim-signed package after a boot and reboot. If it does install it,
grub2-signed should be all you need to boot successfully. But personally
it's just as well to keep the shim installed, just in case.
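The question above (which signing certificates are actually enrolled in the firmware's db) can be answered by parsing the db variable itself. The following is an added example, not code from the bug thread or from shim/grub: a parser for the EFI_SIGNATURE_LIST records that make up db, dbx and KEK, with a constructed sample variable so it runs offline. The efivarfs path and the EFI_CERT_* GUIDs are the standard ones from the UEFI specification; the owner GUID and certificate bytes in the sample are placeholders. Note that shim verifies grub with a vendor certificate embedded in its own binary, so that certificate would not appear as a db entry.

```python
import hashlib
import os
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# efivarfs path of the Secure Boot db: <name>-<EFI_IMAGE_SECURITY_DATABASE_GUID>.
DB_EFIVAR = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize.
HDR = struct.Struct("<16sIII")


def parse_signature_lists(data):
    """Walk the concatenated EFI_SIGNATURE_LIST records of a db/dbx/KEK blob.
    Returns one dict per EFI_SIGNATURE_DATA entry (SignatureOwner GUID + payload)."""
    entries, off = [], 0
    while off + HDR.size <= len(data):
        type_raw, list_size, hdr_size, sig_size = HDR.unpack_from(data, off)
        end = off + list_size
        if list_size < HDR.size or end > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        kind = {EFI_CERT_X509_GUID: "x509",
                EFI_CERT_SHA256_GUID: "sha256"}.get(sig_type, str(sig_type))
        pos = off + HDR.size + hdr_size  # skip the optional per-list header
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])  # SignatureOwner
            body = data[pos + 16:pos + sig_size]            # DER certificate or hash
            entries.append({"type": kind, "owner": str(owner), "size": len(body),
                            "sha256": hashlib.sha256(body).hexdigest()})
            pos += sig_size
        off = end
    return entries


def build_signature_list(sig_type, owner, blobs):
    """Inverse of the parser; used here only to construct sample input (equal-sized blobs)."""
    sig_size = 16 + len(blobs[0])
    body = b"".join(owner.bytes_le + b for b in blobs)
    return HDR.pack(sig_type.bytes_le, HDR.size + len(body), 0, sig_size) + body


def read_db(path=DB_EFIVAR):
    """Read the live db from efivarfs, dropping the 4-byte attribute word it prepends."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample: one X.509 entry (placeholder DER bytes) and two SHA-256 hash entries.
OWNER = uuid.UUID("12345678-1234-1234-1234-123456789abc")  # placeholder owner GUID
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82" + b"\x00" * 40])
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [b"\x11" * 32, b"\x22" * 32]))

if __name__ == "__main__":
    data = read_db() if os.path.exists(DB_EFIVAR) else SAMPLE_DB
    for e in parse_signature_lists(data):
        print("%-6s owner=%s %5d bytes sha256=%s" % (e["type"], e["owner"], e["size"], e["sha256"]))
```

On a live system the SHA-256 fingerprints printed for x509 entries can be compared against the fingerprint of the certificate you expect (for example the one shim ships), which settles whether it is enrolled in db or only embedded in shim.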

https://bugs.launchpad.net/bugs/1086983

Title:
  Signed grub doesn't depend on shim-signed

Status in grub2-signed package in Ubuntu:
  New

Bug description:
  On my system I needed shim-signed installed alongside grub2-signed
  in order to successfully secure boot a UEFI BIOS.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.10
  Package: grub-efi-amd64-signed 1.9+2.00-7ubuntu11
  ProcVersionSignature: Ubuntu 3.5.0-19.30-generic 3.5.7
  Uname: Linux 3.5.0-19-generic x86_64
  ApportVersion: 2.6.1-0ubuntu6
  Architecture: amd64
  Date: Wed Dec  5 15:34:42 2012
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2012-11-08 (26 days ago)
  InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release amd64 (20121017.5)
  MarkForUpload: True
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: grub2-signed
  UpgradeStatus: No upgrade log present (probably fresh install)
