If validation has been disabled via MokSbState, secure boot on the
firmware is still enabled, and the kernel fails to boot.
This is a bit hacky, because shim_lock is not *fully* enabled, but
it triggers the right code paths.
Ultimately, all this will be resolved by shim gaining it's own image
loading and starting protocol, so this is more a temporary workaround.
Fixes: 6425c12cd (efi: Fallback to legacy mode if shim is loaded on x86 archs)
Cc: Peter Jones <pjo...@redhat.com>
Cc: Michael Chang <mch...@suse.com>
Signed-off-by: Julian Andres Klode <julian.kl...@canonical.com>
---
grub-core/kern/efi/sb.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 60550a6da..8d3e41360 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -95,6 +95,14 @@ grub_efi_get_secureboot (void)
if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksbstate == 1)
{
secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
+ /*
+ * TODO: Replace this all with shim's LoadImage protocol, delegating
policy to it.
+ *
+ * We need to set shim_lock_enabled here because we disabled secure boot
+ * validation *inside* shim but not in the firmware, so we set this
variable
+ * here to trigger that code path, whereas the actual verifier is not
enabled.
+ */
+ shim_lock_enabled = true;
goto out;
}
--
2.40.1
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
