On Mon, Nov 24, 2025 at 12:33:13PM +0100, Daniel Kiper wrote: > Adding Jan, Peter, Steve, Marta, Leo, Ard, Mate and Julian. I want to > hear an opinion about this patch from at least some of these folks. > > On Mon, Nov 24, 2025 at 04:57:59PM +0800, Michael Chang via Grub-devel wrote: > > When shim is switched to insecure mode via "mokutil > > --disable-validation", GRUB aborts midway when attempting to boot the > > kernel. With debug output enabled, the following error is shown: > > > > error: > > > > ../../grub-core/loader/efi/linux.c:grub_arch_efi_linux_boot_image:227:cannot > > load image. > > > > The failure occurs because UEFI Secure Boot itself remains enabled, but > > the kernel is delegated to the firmware LoadImage() path since both the > > shim_load and shim_lock protocols appear to be absent. This delegation > > was introduced when GRUB gained support for shim_load, allowing kernels > > What do you mean here? shim_lock? shim_loader? Please use proper names.
s/shim_load/shim_loader/g .. sorry for the confusion. > > > to take advantage of the LoadFile2 protocol. That logic assumed both > > shim protocols were missing. > > > > In fact, the shim protocols are still present but become invisible to > > GRUB because probing in the shim verifier is skipped. This happens > > because grub_efi_get_secureboot() considers MokSBState. When users > > disable shim validation, Secure Boot is detected as "off" and as a > > result the shim protocols are never processed. > > > > This patch fixes the issue by introducing > > grub_efi_get_secureboot_real(), which allows bypassing MokSBState when > > deciding whether to set up the shim verifier. This ensures that the shim > > protocols are still correctly discovered and used even if shim is placed > > into insecure mode. At the same time, grub_efi_get_secureboot() > > continues to preserve the logic that matches the Linux kernel > > implementation, keeping the two consistent. > > > > Signed-off-by: Michael Chang <[email protected]> > > --- > > grub-core/kern/efi/init.c | 2 +- > > grub-core/kern/efi/sb.c | 12 +++++++++--- > > include/grub/efi/sb.h | 8 +++++++- > > 3 files changed, 17 insertions(+), 5 deletions(-) > > > > diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c > > index 1637077e1..0c6d83635 100644 > > --- a/grub-core/kern/efi/init.c > > +++ b/grub-core/kern/efi/init.c > > @@ -109,7 +109,7 @@ grub_efi_init (void) > > * Lockdown the GRUB and register the shim_lock verifier > > * if the UEFI Secure Boot is enabled. > > */ > > - if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) > > + if (grub_efi_get_secureboot_real (1) == GRUB_EFI_SECUREBOOT_MODE_ENABLED) > > s/(1)/(true)/ OK. > > > { > > grub_lockdown (); > > grub_shim_lock_verifier_setup (); > > grub_shim_lock_verifier_setup() calls grub_efi_get_secureboot(). So, we > have discrepancy here which should be avoided. In the later part of the patch, grub_shim_lock_verifier_setup() is patched out to call grub_efi_get_secureboot_real(1) so they are consistent in the end. The issue here is that the excessive Secure Boot state test around grub_shim_lock_verifier_setup() can become unaligned if we are not careful enough to keep them in sync. But that is another topic and is about code refactoring in general, which is out of scope for what this patch is trying to fix anyway ... > > Additionally, I can imagine shim_loader protocol is useful when MokSBState != > 1 > but what about shim_lock protocol? I think both should remain useful as they are controlled by shim which uses MokSBState as a state variable specified by user to decide whether verification can be skipped. In addition the shim_lock is only used when shim_loader is not available and in that situation it will fall back to grub_cmd_linux_x86_legacy(). The fallback path would work as it boots vmlinuz natively, avoids firmware's LoadImage() error here. > > I do not mention grub_shim_lock_verifier_setup() conflates shim_loader > and shim_lock protocols setup which should not happen. So, I would split > grub_shim_lock_verifier_setup() into grub_shim_lock_verifier_setup() and > grub_shim_loader_setup(). And probably OBJ_TYPE_DISABLE_SHIM_LOCK should > only disable shim_lock protocol. Do we need OBJ_TYPE_DISABLE_SHIM_LOADER? > Of course the GRUB documentation should be updated accordingly... I think the idea sort of works, but it is hard to say without someone actually putting their hands on it. I can try to explore that but my intention at first is to do as little change to the existing implementation as possible. > > > diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c > > index 4409e03c5..6d58ac1af 100644 > > --- a/grub-core/kern/efi/sb.c > > +++ b/grub-core/kern/efi/sb.c > > @@ -45,7 +45,7 @@ static grub_efi_handle_t last_verified_image_handle = > > NULL; > > * drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot(). > > */ > > grub_uint8_t > > -grub_efi_get_secureboot (void) > > +grub_efi_get_secureboot_real (grub_uint8_t skip_moksbstate) > > s/grub_uint8_t/bool/ OK. I'll use boolean type. > > > { > > static grub_guid_t efi_variable_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID; > > grub_efi_status_t status; > > @@ -81,6 +81,12 @@ grub_efi_get_secureboot (void) > > goto out; > > } > > > > + if (skip_moksbstate) > > if (skip_moksbstate == true) OK. > > > + { > > + secureboot = GRUB_EFI_SECUREBOOT_MODE_ENABLED; > > + goto out; > > + } > > + > > /* > > * See if a user has put the shim into insecure mode. If so, and if the > > * variable doesn't have the runtime attribute set, we might as well > > @@ -114,7 +120,7 @@ grub_efi_get_secureboot (void) > > else if (secureboot == GRUB_EFI_SECUREBOOT_MODE_ENABLED) > > secureboot_str = "Enabled"; > > > > - grub_dprintf ("efi", "UEFI Secure Boot state: %s\n", secureboot_str); > > + grub_dprintf ("efi", "UEFI Secure Boot state with%s MokSBState: %s\n", > > skip_moksbstate ? "out" : "", secureboot_str); > > grub_dprintf ("efi", "UEFI Secure Boot state: %s\nMokSBState check disabled > in GRUB: %s\n", > secureboot_str, (skip_moksbstate == true) ? "yes" : "no"); OK. > > > return secureboot; > > } > > @@ -227,7 +233,7 @@ grub_shim_lock_verifier_setup (void) > > struct grub_module_header *header; > > > > /* Secure Boot is off. Ignore shim. */ > > - if (grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED) > > + if (grub_efi_get_secureboot_real (1) != GRUB_EFI_SECUREBOOT_MODE_ENABLED) > > return; > > > > /* Find both shim protocols. */ > > diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h > > index 149005ced..98462c030 100644 > > --- a/include/grub/efi/sb.h > > +++ b/include/grub/efi/sb.h > > @@ -30,7 +30,13 @@ > > > > #ifdef GRUB_MACHINE_EFI > > extern grub_uint8_t > > -EXPORT_FUNC (grub_efi_get_secureboot) (void); > > +EXPORT_FUNC (grub_efi_get_secureboot_real) (grub_uint8_t skip_moksbstate); > > + > > +static inline grub_uint8_t > > +grub_efi_get_secureboot (void) > > +{ > > + return grub_efi_get_secureboot_real (0); > > s/(0)/(false)/ OK. Thanks, Michael > > Daniel _______________________________________________ Grub-devel mailing list [email protected] https://lists.gnu.org/mailman/listinfo/grub-devel
