On 2025-09-08 14:01, [email protected] wrote:
Message: 4
Date: Mon, 8 Sep 2025 16:30:20 +0800
From: Michael Chang <[email protected]>
To: The development of GNU GRUB <[email protected]>
Subject: [PATCH] efi/sb: Fix boot failure when shim validation is disabled
Message-ID: <[email protected]>
When shim is switched to insecure mode via "mokutil --disable-validation", GRUB aborts midway when attempting to boot the kernel. With debug output enabled, the following error is shown:

error: ../../grub-core/loader/efi/linux.c:219: cannot load image.
The failure occurs because UEFI Secure Boot itself remains enabled, but
the kernel is delegated to the firmware LoadImage() path since both the
shim_load and shim_lock protocols appear to be absent. This delegation
was introduced when GRUB gained support for shim_load, allowing kernels
to take advantage of the LoadFile2 protocol. That logic assumed both
shim protocols were missing.
In fact, the shim protocols are still present but become invisible to
GRUB because probing in the shim verifier is skipped. This happens
because grub_efi_get_secureboot() considers MokSBState. When users
disable shim validation, Secure Boot is detected as "off" and as a
result the shim protocols are never processed.
This patch fixes the issue by introducing grub_efi_get_secureboot_real(), which allows bypassing MokSBState when deciding whether to set up the shim verifier. This ensures that the shim protocols are still correctly discovered and used even if shim is placed into insecure mode. At the same time, grub_efi_get_secureboot() continues to preserve the logic that matches the Linux kernel implementation, keeping the two consistent.
Signed-off-by: Michael Chang <[email protected]>
---
Reviewed-by: Avnish Chouhan <[email protected]>
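The decision flow described in the patch message above, as an added illustration that is not GRUB's code and not part of this thread: a small C model in which a firmware-only secure-boot check (standing in for grub_efi_get_secureboot_real()) and a MokSBState-aware check (standing in for grub_efi_get_secureboot()) gate whether the shim protocols are probed. The struct fields, the helper names and the assumption that the kernel is signed only by a key shim trusts (not one in the firmware db) are constructed for this example; they show why keying verifier setup on the MokSBState-aware check makes shim invisible and sends the image down the firmware LoadImage() path, where UEFI Secure Boot still rejects it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of what the loader sees at boot (hypothetical, not GRUB's
   own data structures). MOK_SB_STATE_ABSENT means shim published no MokSBState
   variable, i.e. shim validation is enabled. */
#define MOK_SB_STATE_ABSENT (-1)

struct boot_state {
  uint8_t secure_boot;              /* UEFI "SecureBoot" variable */
  uint8_t setup_mode;               /* UEFI "SetupMode" variable */
  int mok_sb_state;                 /* shim's MokSBState, or MOK_SB_STATE_ABSENT */
  bool shim_protocols_installed;    /* shim_lock / shim_load are present */
  bool kernel_trusted_by_firmware;  /* kernel signed by a key in the firmware db */
};

enum sb_mode { SB_DISABLED = 0, SB_ENABLED = 1 };
enum load_path { LOAD_VIA_SHIM = 0, LOAD_VIA_FIRMWARE = 1 };
enum boot_result { BOOT_OK = 0, BOOT_CANNOT_LOAD_IMAGE = 1 };

/* Firmware-only view: SecureBoot=1 and SetupMode=0, MokSBState ignored.
   Plays the role the patch gives grub_efi_get_secureboot_real(). */
static enum sb_mode get_secureboot_real(const struct boot_state *s)
{
  return (s->secure_boot == 1 && s->setup_mode == 0) ? SB_ENABLED : SB_DISABLED;
}

/* Kernel-matching view: additionally reports "off" when MokSBState == 1.
   Plays the role of grub_efi_get_secureboot(). */
static enum sb_mode get_secureboot(const struct boot_state *s)
{
  if (get_secureboot_real(s) == SB_DISABLED)
    return SB_DISABLED;
  return (s->mok_sb_state == 1) ? SB_DISABLED : SB_ENABLED;
}

/* Loader decision: probe for shim only if the chosen check says "on";
   otherwise hand the image to firmware LoadImage(), which enforces UEFI
   Secure Boot regardless of shim's insecure mode. */
static enum boot_result boot_kernel(const struct boot_state *s,
                                    bool probe_with_real, enum load_path *path)
{
  enum sb_mode probe = probe_with_real ? get_secureboot_real(s) : get_secureboot(s);
  bool shim_visible = (probe == SB_ENABLED) && s->shim_protocols_installed;

  if (shim_visible) {
    *path = LOAD_VIA_SHIM;  /* shim verifies; in insecure mode it accepts */
    return BOOT_OK;
  }
  *path = LOAD_VIA_FIRMWARE;
  if (get_secureboot_real(s) == SB_ENABLED && !s->kernel_trusted_by_firmware)
    return BOOT_CANNOT_LOAD_IMAGE;  /* the "cannot load image" error in the report */
  return BOOT_OK;
}

/* Scenario from the report: UEFI SB on, shim present, validation disabled. */
static struct boot_state validation_disabled_state(void)
{
  struct boot_state s = { 1, 0, 1, true, false };
  return s;
}

/* Before the patch: verifier setup keyed on the MokSBState-aware check. */
int boot_result_before_patch(void)
{
  struct boot_state s = validation_disabled_state();
  enum load_path p;
  return (int) boot_kernel(&s, false, &p);
}

/* After the patch: verifier setup keyed on the firmware-only check. */
int boot_result_after_patch(void)
{
  struct boot_state s = validation_disabled_state();
  enum load_path p;
  return (int) boot_kernel(&s, true, &p);
}

/* Which loader path the fixed logic takes in the same scenario. */
int load_path_after_patch(void)
{
  struct boot_state s = validation_disabled_state();
  enum load_path p;
  (void) boot_kernel(&s, true, &p);
  return (int) p;
}

/* Sanity check: with UEFI SB genuinely off, firmware LoadImage() accepts. */
int boot_result_sb_off(void)
{
  struct boot_state s = { 0, 0, MOK_SB_STATE_ABSENT, false, false };
  enum load_path p;
  return (int) boot_kernel(&s, true, &p);
}

int main(void)
{
  printf("validation disabled, before patch: %s\n",
         boot_result_before_patch() == BOOT_OK ? "boots" : "cannot load image");
  printf("validation disabled, after patch:  %s via %s\n",
         boot_result_after_patch() == BOOT_OK ? "boots" : "cannot load image",
         load_path_after_patch() == LOAD_VIA_SHIM ? "shim" : "firmware");
  return 0;
}
```

The model keeps the two checks distinct on purpose: the MokSBState-aware one still answers the question the kernel asks ("is validation effectively on?"), while the firmware-only one answers the question the loader needs for protocol discovery ("is shim going to be present at all?"); the fix is choosing the right question for the verifier setup, not changing either answer.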
_______________________________________________
Grub-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/grub-devel