pass validation if shim protocol is not installed
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
grub2 (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Yakkety | Won't Fix | Undecided | Unassigned |
Zesty | Fix Released | Undecided | Unassigned |
Artful | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
Users of UEFI Secure Boot who must disable SB validation in shim, for example to run DKMS modules, may notice that the kernel incorrectly reports the SecureBoot/shim states.
[Test case]
1) Install bbswitch-dkms
a) Validate whether you are prompted to disable Secure Boot. If Secure Boot is already disabled, you should not be prompted again. If it isn't, you should be prompted once.
b) If shim validation was previously disabled, verify that the kernel reports /proc/sys/
[Regression Potential]
This affects the loading behavior for the kernel, which will now load as an EFI binary and thus execute some extra code to bring up UEFI, which would otherwise not get loaded in the case where shim validation is disabled. Given that the system must have booted successfully once for validation to get disabled, there should not be any issues; but possible resulting regressions would be a failure to correctly load the kernel, or a kernel issue early on during boot. Furthermore, any instance where the incorrect loading behavior was relied upon by installs (though I can think of no examples for this) would regress. The kind of issue that might be seen there is where code relies on /proc/sys/
---
GRUB currently fails SecureBoot validation (i.e. calls to grub_linuxefi_
This currently breaks some kernel features relying on starting in the EFI stub code (i.e. the kernel being loaded as an EFI binary), and GRUB instead falls back to the 'linux' command rather than 'linuxefi'.
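As an added example (not part of the bug report or of the grub2 package), the following POSIX shell helper reads the SecureBoot and MokSBStateRT variables straight from efivarfs, so the state the kernel reports in the test case above can be cross-checked against the firmware variables themselves. The efivarfs file layout (4 attribute bytes followed by the variable data), the variable names and GUIDs, and the reading that MokSBStateRT=1 means validation is disabled in shim are assumptions taken from the UEFI specification and the shim/mokutil conventions, not from this page; the EFIVARS override and the sb_state name are the example's own.

```shell
#!/bin/sh
# Added example, not from the bug report or the grub2 package.
# Reads Secure Boot state directly from efivarfs so it can be compared with
# what the kernel reports.
#
# Assumptions: efivarfs is mounted at /sys/firmware/efi/efivars and every
# file there is 4 bytes of attributes followed by the variable data.
# SecureBoot uses the EFI global variable GUID; MokSBStateRT is the runtime
# mirror shim publishes under the shim-lock GUID, and a value of 1 means
# shim validation has been disabled (e.g. via mokutil --disable-validation).

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
SECUREBOOT_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
MOKSBSTATE_VAR="MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23"

# Print the first data byte of an efivarfs file (skipping the 4-byte
# attribute header) as a decimal number. Fails silently if the file is
# not readable, which callers treat as "variable not set".
efivar_first_byte() {
    [ -r "$1" ] || return 1
    # -j4: skip the attribute header; -N1: read one byte; -tu1: unsigned decimal
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Print one word describing the effective state:
#   enabled        SecureBoot=1 and shim validation still on
#   shim-disabled  SecureBoot=1 but MokSBStateRT=1 (validation off in shim)
#   disabled       SecureBoot=0, or the variable is missing (legacy/no UEFI)
sb_state() {
    sb=$(efivar_first_byte "$EFIVARS/$SECUREBOOT_VAR") || sb=0
    moksb=$(efivar_first_byte "$EFIVARS/$MOKSBSTATE_VAR") || moksb=0
    if [ "$sb" != 1 ]; then
        echo disabled
    elif [ "$moksb" = 1 ]; then
        echo shim-disabled
    else
        echo enabled
    fi
}

# Usage on a real system: sb_state   (needs read access to efivarfs)
```

On a machine that went through the test case above (Secure Boot on in firmware, validation disabled in shim), sb_state should print shim-disabled; if the kernel's own view disagrees with that, the mismatch is the symptom this bug describes.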
description: updated
Changed in grub2 (Ubuntu Yakkety):
status: Fix Committed → Won't Fix
All this can be trivially done by disabling debian/patches/linuxefi_require_shim.patch. I got some historical rationale from Colin already as to why it was added (and marked temporary at the time); and it seems to me like we can just remove it.
As for a previous question about whether this would affect arm64: it would not; this is only for i386 (well, x86_64-efi, since that's all we support).