URL: <https://savannah.gnu.org/bugs/?67690>
Summary: regression: secureboot: chainloader to shim does not allow trust of shim keys
Group: GNU GRUB
Submitter: bradh352
Submitted: Mon 10 Nov 2025 02:34:28 PM UTC
Category: Booting
Severity: Major
Priority: 5 - Normal
Item Group: Software Error
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release: other
Release:
Reproducibility: Every Time
Planned Release: None
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: Mon 10 Nov 2025 02:34:28 PM UTC By: Brad House <bradh352>
Issue Reproduction / Boot Process:
1. SONiC shim loaded
2. SONiC grub loaded, menu shown
3. choose ONIE entry
4. grub then calls chainloader ONIE shim
5. ONIE shim loaded
6. ONIE grub loaded
7. Choose ONIE option (e.g. Rescue)
8. ONIE vmlinuz is loaded: FAILS SIGNATURE
In a SONiC installation, there are 2 OS installations: one is ONIE, which is
used to install the NOS, and the other is the NOS itself, in this case SONiC.
Once the NOS is installed, the EFI is told to boot from the NOS partition, so it
first loads the NOS shim and grub. To make it easy to get into ONIE, SONiC
uses chainload to point to the ONIE partition and shim.
SONiC is upgrading from Debian Bookworm (12) to Trixie (13), which has changed
from grub 2.04 to grub 2.12 (of course Debian has patches they apply). SONiC
is currently using the upstream debian grub and not compiling or modifying its
own patches. This regression occurs when the SONiC grub is updated to the
Trixie grub version.
A few signing details:
- ONIE shim is signed by a DB key, but is compiled with an ephemeral key to
trust, which is used to verify the ONIE grub and ONIE kernel, both of which
are signed with the ephemeral key.
- SONiC shim, grub, and kernel are all signed with the DB key (since SONiC
isn't building the shim or grub itself to embed an ephemeral key).
Just for clarification purposes, yes, ONIE boots fine if you point EFI to boot
onie directly without chainloading through the NOS bootloader. And yes, the
NOS itself boots fine.
This seems to be that the embedded chainloaded shim key from ONIE isn't getting
trusted. The shim version itself between bookworm and trixie appears to be the
same (15.8), so I don't think it is related to the shim itself.
There are some more details at
https://github.com/sonic-net/sonic-buildimage/issues/24249
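As an added example (not part of the bug report or of the GRUB, shim, SONiC or ONIE projects), the following POSIX shell helpers list the Authenticode signer of each binary in the two chains, so the DB-signed NOS chain can be compared with the ephemeral-key-signed ONIE chain the report describes. The ESP mount point, vendor directory names and file names are assumed placeholders; `sbverify` comes from sbsigntools and is only invoked on files that exist.

```shell
#!/bin/sh
# Added example: inspect the signers along a shim -> grub -> kernel chain.
# Assumed layout: <esp>/EFI/<vendor>/shimx64.efi and grubx64.efi, plus an
# optional kernel path. Adjust to the real installation.

# Emit the files of one chain in boot order (shim, grub, optional kernel).
chain_files() {
    esp="$1"; vendor="$2"; kernel="$3"
    printf '%s\n' "$esp/EFI/$vendor/shimx64.efi" "$esp/EFI/$vendor/grubx64.efi"
    [ -n "$kernel" ] && printf '%s\n' "$kernel"
    return 0
}

# Print the signer(s) of each file; unreadable files are reported as missing.
# A grub or kernel signed by the vendor's ephemeral key will show a different
# issuer/subject than the DB-signed shim, which is what the report describes.
list_signers() {
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            printf '%s: missing\n' "$f"
            continue
        fi
        printf '== %s\n' "$f"
        if command -v sbverify >/dev/null 2>&1; then
            sbverify --list "$f" 2>/dev/null || echo "  (no Authenticode signature)"
        else
            echo "  (sbverify not installed; cannot list signatures)"
        fi
    done
}

# Compare both chains. Vendor names and kernel path are assumptions.
inspect_chains() {
    esp="${1:-/boot/efi}"
    echo "# NOS chain (expected: all signed by the DB key)"
    list_signers $(chain_files "$esp" SONiC)
    echo "# ONIE chain (expected: shim signed by DB key, rest by ONIE's ephemeral key)"
    list_signers $(chain_files "$esp" onie "$esp/EFI/onie/vmlinuz")
}

# Only run when invoked with an explicit ESP path, e.g.: sh chain.sh /boot/efi
[ $# -gt 0 ] && inspect_chains "$1"
```

Running it after a failed chainload shows directly whether the ONIE grub and kernel carry the ephemeral-key signature and the NOS binaries the DB signature; if both chains show the same signer, the failure is not the trust-of-embedded-key problem the report describes.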