After working on LP: #1892770, I think that this is the same problem. grub in focal/arm64 is trying to use EFI boot services to start the kernel, after having verified the kernel with the shim. EFI does not have access to the cert in the shim so it refuses to load the kernel. There is a workaround which is adding Canonical Master key to the EFI DB, so EFI can actually verify the kernel.
Looking at "loader/arm64/linux.c" in the sources seems to validate this. In focal [1], grub_arch_efi_linux_boot_image() calls EFI boot services b->load_image() and b->start_image() which is the same in upstream code. However, in disco [2] the EFI boot services are not used - the sequence is grub_armxx_efi_linux_boot_image() -> grub_efi_linux_boot() -> calls directly an address in the loaded kernel. The patch that makes the change in disco is debian/patches/linuxefi_load_arm_with_sb.patch (https://github.com/rhboot/grub2/commit/2786ab864cf00c15123320671f653e9a36ba12b4). [1] https://git.launchpad.net/ubuntu/+source/grub2/tree/grub-core/loader/arm64/linux.c?h=applied/ubuntu/focal-updates#n122 [2] https://git.launchpad.net/ubuntu/+source/grub2/tree/grub-core/loader/arm64/linux.c?h=applied/ubuntu/disco-updates#n157 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1862279 Title: arm64 Secure Boot fails w/ "error: cannot load image." To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1862279/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
