Cannot boot into grml with secure boot enabled
Bug #2006063 reported by
no
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| grml-rescueboot (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
Bug Description
Ubuntu 22.04 boots fine. Trying to instead boot into grml64-full_2022.11 I can get the grml splash screen but trying to start it up I get the error:
error: bad shim signature.
error: you need to load the kernel first.
Revision history for this message
| Stuart R Balfour (sbalfour) wrote | #1 |
To post a comment you must log in.
It also fails on Kubuntu 22.10. It's not Ubuntu version dependent - this cannot have ever worked off-the-shelf (and probably wasn't intended to). The basic issue is the shim loader is a different program than the system Grub2, and doesn't have enrolled signatures for the kernels it wants to boot. Getting those signatures enrolled is a do - we'd be enrolling those signatures in the firmware forever and a day, and do we really want to enroll foreign kernels on a production system as secure boot targets?? If we're in a test/rescue environment and allowing arbitrary images to be booted on a production system, that's intrinsically insecure. So, I'd call this not-a-bug: booting foreign images should be with secure boot disabled. Stuart