Comment 1 for bug 2006063

It also fails on Kubuntu 22.10. It's not Ubuntu version dependent - this cannot have ever worked off-the-shelf (and probably wasn't intended to). The basic issue is the shim loader is a different program than the system Grub2, and doesn't have enrolled signatures for the kernels it wants to boot. Getting those signatures enrolled is a do - we'd be enrolling those signatures in the firmware forever and a day, and do we really want to enroll foreign kernels on a production system as secure boot targets?? If we're in a test/rescue environment and allowing arbitrary images to be booted on a production system, that's intrinsically insecure. So, I'd call this not-a-bug: booting foreign images should be with secure boot disabled. Stuart