[Bug 1847458] Re: EFI chainloader no longer uses shim lock protocol
Chris Coulson
chris.coulson at canonical.com
Wed Oct 9 10:22:42 UTC 2019
** Summary changed:
- EFI chainloader no longer uses shim lock API
+ EFI chainloader no longer uses shim lock protocol
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1847458
Title:
EFI chainloader no longer uses shim lock protocol
Status in grub2 package in Ubuntu:
New
Bug description:
GRUB versions pre-eoan contain modifications to the EFI chainloader
command (grub-core/loader/efi/chainloader.c) which allow a chainloaded
bootloader to be verified using the shim lock EFI protocol (which
validates an image against signatures enrolled in the UEFI db, MOK db
and shim's built-in vendor certificate). The verified bootloader is
subsequently executed directly without the use of the LoadImage() and
StartImage() EFI boot services.
This modification was dropped in the GRUB update in eoan (2.04) - the
EFI chainloader command now always uses the LoadImage() and
StartImage() EFI boot services, which requires a bootloader to be
verified using a signature enrolled in the UEFI db. It's no longer
possible to chainload another bootloader that has to be verified by a
signature in the MOK db or shim's built-in vendor certificate.
I'm not sure if this is a deliberate change or an oversight.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1847458/+subscriptions
More information about the foundations-bugs
mailing list