Public bug reported:
GRUB versions pre-eoan contain modifications to the EFI chainloader
command (grub-core/loader/efi/chainloader.c) which allow a chainloaded
bootloader to be verified using the shim lock EFI protocol (which
validates an image against signatures enrolled in the UEFI db, MOK db
and shim's built-in vendor certificate). The verified bootloader is
subsequently executed directly without the use of the LoadImage() and
StartImage() EFI boot services.

This modification was dropped in the GRUB update in eoan (2.04) - the
EFI chainloader command now always uses the LoadImage() and StartImage()
EFI boot services, which requires a bootloader to be verified using a
signature enrolled in the UEFI db. It's no longer possible to chainload
another bootloader that has to be verified by a signature in the MOK db
or shim's built-in vendor certificate.

I'm not sure if this is a deliberate change or an oversight.
** Affects: grub2 (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1847458
Title:
EFI chainloader no longer uses shim lock API