Public bug reported:

After updating from grub 2.02 to grub 2.04 and grub 2.06 (in Ubuntu
22.04), an embedded system in which we were using UEFI Secure Boot
refused to start, with the following message:

error: /vmlinuz has invalid signature

Context:
- We are not using shim
- We have custom UEFI keys (PK, DB, KEK) enrolled in the system's firmware
- Both the grub image and the vmlinuz file are signed using sbsign and the DB key
- The vmlinuz and initrd files are packed in the grub image using grub-mkstandalone
- The embedded system is not using Ubuntu; however, the GRUB image is built under Ubuntu 22.04


After enabling debug=all, grub indicates that the shim can't be found
("Locating shim protocol", "Shim location: 0x0", "no shim lock protocol")
and fails to verify the signature.

In grub 2.06, we noticed that an option "--disable-shim-lock" has been
added in both grub-mkimage and grub-mkstandalone. However, the result is
strictly identical both with and without the flag (signature
verification fails), which makes it sound like the flag is being ignored,
or at least that it has no impact on the generated GRUB image.

Rebuilding with the same command line using GRUB 2.02 (without the
--disable-shim-lock flag, which didn't exist) makes the system boot fine.

Please find a tar archive attached to this bug report:
- GrubImage_WithFlag.efi => Image built with --disable-shim-lock
- GrubImage_WithoutFlag.efi => Image built without --disable-shim-lock

** Affects: grub2 (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "GrubImages.tgz"
   https://bugs.launchpad.net/bugs/1961814/+attachment/5562750/+files/GrubImages.tgz

https://bugs.launchpad.net/bugs/1961814

Title:
  grub-mkstandalone ignores the --disable-shim-lock flag

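A check a reader of this report may want, added here as an example and not
code from the bug report or from the GRUB project: in upstream GRUB 2.06,
grub-mkimage implements --disable-shim-lock by appending a module header of
type OBJ_TYPE_DISABLE_SHIM_LOCK to the list of objects embedded in the
image, and the EFI kernel looks for that header before deciding to
register the shim_lock verifier. Whether the two attached images carry
that marker therefore separates "grub-mkstandalone dropped the flag" from
"the flag reached grub-mkimage but this build's verification code does not
honour it". The script below walks the embedded module list and reports the
marker. The struct layout and the OBJ_TYPE_* numbering are my reading of
the 2.06 include/grub/kernel.h and util/mkimage.c and are assumptions to be
checked against the tree the image was built from (distribution patches add
module types); build_sample_mods and wrap_in_pe construct a fake module
area and a fake PE shell purely as sample input.

```python
#!/usr/bin/env python3
"""List the module headers embedded in a grub-mkimage / grub-mkstandalone
output and say whether the OBJ_TYPE_DISABLE_SHIM_LOCK marker is present.

Added example, not code from the bug report or from GRUB. Layout as I read
GRUB 2.06 include/grub/kernel.h and util/mkimage.c (check against your tree;
distro patches add module types): the area starts with grub_module_info
(u32 magic 0x676d696d, then u32 pad + u64 offset + u64 size on 64-bit
targets, or u32 offset + u32 size on 32-bit ones; both relative to the magic,
size covering the struct itself), followed by grub_module_header
{u32 type; u32 size} + payload per module, size including the 8-byte header.
On EFI targets the area is the PE/COFF section named "mods".
"""
import struct
import sys

GRUB_MODULE_MAGIC = 0x676D696D  # the bytes "mimg" read little-endian

# OBJ_TYPE_* values as assumed from GRUB 2.06 include/grub/kernel.h.
OBJ_TYPES = {0: "ELF", 1: "MEMDISK", 2: "CONFIG", 3: "PREFIX",
             4: "PUBKEY", 5: "DTB", 6: "DISABLE_SHIM_LOCK"}
OBJ_TYPE_DISABLE_SHIM_LOCK = 6


def find_mods_section(image):
    """Return (file offset, size) of the PE section named 'mods', or None."""
    if image[:2] != b"MZ" or len(image) < 0x40:
        return None
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    sect = pe_off + 24 + opt_size                              # first section header
    for _ in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, sect)
        if name.rstrip(b"\0") == b"mods":
            return raw_ptr, raw_size
        sect += 40
    return None


def find_module_info(image):
    """Locate grub_module_info; return (first header offset, end offset)."""
    section = find_mods_section(image)
    # Inside a PE image look only at the 'mods' section; otherwise scan.
    candidates = [section[0]] if section else range(0, len(image), 4)
    for base in candidates:
        if base + 12 > len(image) or struct.unpack_from("<I", image, base)[0] != GRUB_MODULE_MAGIC:
            continue
        if base + 24 <= len(image):
            pad, off64, size64 = struct.unpack_from("<IQQ", image, base + 4)
            if pad == 0 and off64 == 24 and base + size64 <= len(image):
                return base + 24, base + size64
        off32, size32 = struct.unpack_from("<II", image, base + 4)
        if off32 == 12 and base + size32 <= len(image):
            return base + 12, base + size32
    return None


def list_modules(image):
    """Walk the headers the way GRUB's FOR_MODULES macro does.
    Returns [(type, type name, payload size)]."""
    found = find_module_info(image)
    if found is None:
        raise ValueError("no grub_module_info found; not a GRUB image?")
    pos, end = found
    modules = []
    while pos + 8 <= end:
        mtype, msize = struct.unpack_from("<II", image, pos)
        if msize < 8:
            raise ValueError(f"bad module header size {msize} at {pos:#x}")
        modules.append((mtype, OBJ_TYPES.get(mtype, f"UNKNOWN({mtype})"), msize - 8))
        pos += (msize + 3) & ~3   # FOR_MODULES advances in whole u32 units
    return modules


def shim_lock_disabled(image):
    """True if grub-mkimage wrote the --disable-shim-lock marker."""
    return any(t == OBJ_TYPE_DISABLE_SHIM_LOCK for t, _, _ in list_modules(image))


def build_sample_mods(disable_shim_lock):
    """Constructed stand-in for the 'mods' area of an x86_64-efi image."""
    elf = b"\x7fELF".ljust(16, b"\0")                           # fake module payload
    cfg = b"set root=(memdisk)\n\0".ljust(24, b"\0")           # embedded config
    body = struct.pack("<II", 0, 8 + len(elf)) + elf
    body += struct.pack("<II", 2, 8 + len(cfg)) + cfg
    if disable_shim_lock:
        body += struct.pack("<II", OBJ_TYPE_DISABLE_SHIM_LOCK, 8)  # header only
    return struct.pack("<IIQQ", GRUB_MODULE_MAGIC, 0, 24, 24 + len(body)) + body


def wrap_in_pe(mods):
    """Constructed minimal PE/COFF shell with one 'mods' section (not
    bootable); only enough for find_mods_section to find the module area."""
    pe_off = 0x40
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)
    raw_ptr = pe_off + len(coff) + 40
    section = struct.pack("<8sIIIIIIHHI", b"mods", len(mods), 0x3000, len(mods),
                          raw_ptr, 0, 0, 0, 0, 0xC0000040)
    return dos + coff + section + mods


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} GrubImage.efi", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        image = f.read()
    for mtype, name, payload in list_modules(image):
        print(f"type={mtype:<2} {name:<18} payload={payload} bytes")
    print("DISABLE_SHIM_LOCK marker:", "present" if shim_lock_disabled(image) else "absent")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 grub_mods.py GrubImage_WithFlag.efi` and again on
GrubImage_WithoutFlag.efi. If both report the marker absent, the flag never
reached grub-mkimage; if only the WithFlag image carries it, the image does
differ and the remaining question is why this build still insists on the
shim lock protocol, which the "no shim lock protocol" debug output points
at. Scanning for the magic outside a PE section is a heuristic and can
misfire on files that happen to contain the bytes "mimg", so prefer the
section-based path on real images.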