While attempting to dual boot Microsoft Windows with efi chainloader, it failed with below error when secure boot was enabled.
error ../../grub-core/kern/verifiers.c:119:verification requested but nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi. It is a regression, as previously it worked without problem. It turns out chainloading image has been locked down introduced by 578c95298 kern: Add lockdown support However we should consider it as verifiable object to shim to allow booting in secure boot enabled mode. The chainloaded image could also have trusted signature signed by vendor with their pubkey cert in db. For that matters it's usage should not be locked down in secure boot, and instead use shim to validate it's signature before running it. V2: Keep GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE in the lockdown list as it ensures at least one verifer has validated the image. Signed-off-by: Michael Chang <mch...@suse.com> --- grub-core/kern/efi/sb.c | 1 + 1 file changed, 1 insertion(+) diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c index 41dadcd14..96d237722 100644 --- a/grub-core/kern/efi/sb.c +++ b/grub-core/kern/efi/sb.c @@ -129,6 +129,7 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)), case GRUB_FILE_TYPE_BSD_KERNEL: case GRUB_FILE_TYPE_XNU_KERNEL: case GRUB_FILE_TYPE_PLAN9_KERNEL: + case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE: *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK; /* Fall through. */ -- 2.26.2 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel