Adding Jan, Peter, Steve, Marta, Leo, Ard, Mate and Julian. I want to hear an opinion about this patch from at least some of these folks.
On Mon, Nov 24, 2025 at 04:57:59PM +0800, Michael Chang via Grub-devel wrote: > When shim is switched to insecure mode via "mokutil > --disable-validation", GRUB aborts midway when attempting to boot the > kernel. With debug output enabled, the following error is shown: > > error: > ../../grub-core/loader/efi/linux.c:grub_arch_efi_linux_boot_image:227:cannot > load image. > > The failure occurs because UEFI Secure Boot itself remains enabled, but > the kernel is delegated to the firmware LoadImage() path since both the > shim_load and shim_lock protocols appear to be absent. This delegation > was introduced when GRUB gained support for shim_load, allowing kernels What do you mean here? shim_lock? shim_loader? Please use proper names. > to take advantage of the LoadFile2 protocol. That logic assumed both > shim protocols were missing. > > In fact, the shim protocols are still present but become invisible to > GRUB because probing in the shim verifier is skipped. This happens > because grub_efi_get_secureboot() considers MokSBState. When users > disable shim validation, Secure Boot is detected as "off" and as a > result the shim protocols are never processed. > > This patch fixes the issue by introducing > grub_efi_get_secureboot_real(), which allows bypassing MokSBState when > deciding whether to set up the shim verifier. This ensures that the shim > protocols are still correctly discovered and used even if shim is placed > into insecure mode. At the same time, grub_efi_get_secureboot() > continues to preserve the logic that matches the Linux kernel > implementation, keeping the two consistent. > > Signed-off-by: Michael Chang <[email protected]> > --- > grub-core/kern/efi/init.c | 2 +- > grub-core/kern/efi/sb.c | 12 +++++++++--- > include/grub/efi/sb.h | 8 +++++++- > 3 files changed, 17 insertions(+), 5 deletions(-) > > diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c > index 1637077e1..0c6d83635 100644 > --- a/grub-core/kern/efi/init.c > +++ b/grub-core/kern/efi/init.c > @@ -109,7 +109,7 @@ grub_efi_init (void) > * Lockdown the GRUB and register the shim_lock verifier > * if the UEFI Secure Boot is enabled. > */ > - if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) > + if (grub_efi_get_secureboot_real (1) == GRUB_EFI_SECUREBOOT_MODE_ENABLED) s/(1)/(true)/ > { > grub_lockdown (); > grub_shim_lock_verifier_setup (); grub_shim_lock_verifier_setup() calls grub_efi_get_secureboot(). So, we have discrepancy here which should be avoided. Additionally, I can imagine shim_loader protocol is useful when MokSBState != 1 but what about shim_lock protocol? I do not mention grub_shim_lock_verifier_setup() conflates shim_loader and shim_lock protocols setup which should not happen. So, I would split grub_shim_lock_verifier_setup() into grub_shim_lock_verifier_setup() and grub_shim_loader_setup(). And probably OBJ_TYPE_DISABLE_SHIM_LOCK should only disable shim_lock protocol. Do we need OBJ_TYPE_DISABLE_SHIM_LOADER? Of course the GRUB documentation should be updated accordingly... > diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c > index 4409e03c5..6d58ac1af 100644 > --- a/grub-core/kern/efi/sb.c > +++ b/grub-core/kern/efi/sb.c > @@ -45,7 +45,7 @@ static grub_efi_handle_t last_verified_image_handle = NULL; > * drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot(). > */ > grub_uint8_t > -grub_efi_get_secureboot (void) > +grub_efi_get_secureboot_real (grub_uint8_t skip_moksbstate) s/grub_uint8_t/bool/ > { > static grub_guid_t efi_variable_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID; > grub_efi_status_t status; > @@ -81,6 +81,12 @@ grub_efi_get_secureboot (void) > goto out; > } > > + if (skip_moksbstate) if (skip_moksbstate == true) > + { > + secureboot = GRUB_EFI_SECUREBOOT_MODE_ENABLED; > + goto out; > + } > + > /* > * See if a user has put the shim into insecure mode. If so, and if the > * variable doesn't have the runtime attribute set, we might as well > @@ -114,7 +120,7 @@ grub_efi_get_secureboot (void) > else if (secureboot == GRUB_EFI_SECUREBOOT_MODE_ENABLED) > secureboot_str = "Enabled"; > > - grub_dprintf ("efi", "UEFI Secure Boot state: %s\n", secureboot_str); > + grub_dprintf ("efi", "UEFI Secure Boot state with%s MokSBState: %s\n", > skip_moksbstate ? "out" : "", secureboot_str); grub_dprintf ("efi", "UEFI Secure Boot state: %s\nMokSBState check disabled in GRUB: %s\n", secureboot_str, (skip_moksbstate == true) ? "yes" : "no"); > return secureboot; > } > @@ -227,7 +233,7 @@ grub_shim_lock_verifier_setup (void) > struct grub_module_header *header; > > /* Secure Boot is off. Ignore shim. */ > - if (grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED) > + if (grub_efi_get_secureboot_real (1) != GRUB_EFI_SECUREBOOT_MODE_ENABLED) > return; > > /* Find both shim protocols. */ > diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h > index 149005ced..98462c030 100644 > --- a/include/grub/efi/sb.h > +++ b/include/grub/efi/sb.h > @@ -30,7 +30,13 @@ > > #ifdef GRUB_MACHINE_EFI > extern grub_uint8_t > -EXPORT_FUNC (grub_efi_get_secureboot) (void); > +EXPORT_FUNC (grub_efi_get_secureboot_real) (grub_uint8_t skip_moksbstate); > + > +static inline grub_uint8_t > +grub_efi_get_secureboot (void) > +{ > + return grub_efi_get_secureboot_real (0); s/(0)/(false)/ Daniel _______________________________________________ Grub-devel mailing list [email protected] https://lists.gnu.org/mailman/listinfo/grub-devel
