[Bug 1961814] Re: grub-mkstandalone ignores the --disable-shim-lock flag
Julian Andres Klode
1961814 at bugs.launchpad.net
Wed Nov 9 19:28:03 UTC 2022
Ubuntu's grub implements its own security policies, which do not allow
loading grub without shim.
If you want to build custom applications, consider building your own
grub.
** Changed in: grub2 (Ubuntu)
Status: Confirmed => Won't Fix
https://bugs.launchpad.net/bugs/1961814
Title:
grub-mkstandalone ignores the --disable-shim-lock flag
Status in grub2 package in Ubuntu:
Won't Fix
Bug description:
After updating from grub 2.02 to grub 2.04 and grub 2.06 (in Ubuntu
22.04), an embedded system in which we were using UEFI Secure Boot
refused to start, with the following message:
error: /vmlinuz has invalid signature
Context:
- We are not using shim
- We have custom UEFI keys (PK, DB, KEK) enrolled in the system's firmware
- Both the grub image and the vmlinuz file are signed using sbsign and the DB key
- The vmlinuz and initrd files are packed in the grub image using grub-mkstandalone
- The embedded system is not using Ubuntu, however the GRUB image is built under Ubuntu 22.04
After enabling debug=all, grub indicates that the shim can't be found ("Locating shim protocol", "Shim location: 0x0", "no shim lock protocol") and fails to verify the signature.
In grub 2.06, we noticed that an option "--disable-shim-lock" has been
added to both grub-mkimage and grub-mkstandalone. However, the result
is strictly identical both with and without the flag (signature
verification fails), making it sound like the flag is ignored, or at
least that it has no impact on the generated GRUB image.
Rebuilding with the same command line using grub 2.02 (without the
--disable-shim-lock flag, which didn't exist yet) makes the system boot fine.
Please find a tar archive attached to this bug report:
- GrubImage_WithFlag.efi => Image built with --disable-shim-lock
- GrubImage_WithoutFlag.efi => Image built without --disable-shim-lock