+ if (! grub_efi_secure_boot())
+ {
+ grub_dprintf ("linuxefi", "secure boot not enabled, not validating");
+ return 1;
+ }
+
+ grub_dprintf ("linuxefi", "Locating shim protocol\n");
shim_lock = grub_efi_locate_protocol(&guid, NULL);
grub_dprintf ("secureboot", "shim_lock: %p\n", shim_lock);
if (!shim_lock)
if grub_efi_secure_boot() returns 0 then grub_linuxefi_secure_validate() prints "secure boot not enabled" but returns 1? Doesn't sound right. Should return 0 I guess?
And if grub_linuxefi_secure_validate() returns 1 then this chainloader code switches to secureboot:
Take a look at this diff between disco and eoan:
--- grub2-2. 02+dfsg1/ grub-core/ loader/ efi/linux. c 2019-10-29 00:23:53.000000000 +0000 04/grub- core/loader/ efi/linux. c 2019-10-29 00:10:44.000000000 +0000
+++ grub2-2.
@@ -23,6 +23,7 @@
#include <grub/efi/efi.h>
#include <grub/efi/pe32.h>
#include <grub/efi/linux.h>
+#include <grub/efi/sb.h>
#define SHIM_LOCK_GUID \ efi_shim_ lock_t *shim_lock;
{ 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }
@@ -40,6 +41,13 @@
grub_
int status;
+ if (! grub_efi_ secure_ boot()) locate_ protocol( &guid, NULL);
+ {
+ grub_dprintf ("linuxefi", "secure boot not enabled, not validating");
+ return 1;
+ }
+
+ grub_dprintf ("linuxefi", "Locating shim protocol\n");
shim_lock = grub_efi_
grub_dprintf ("secureboot", "shim_lock: %p\n", shim_lock);
if (!shim_lock)
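Review bot: The debug message added at the early return, `"secure boot not enabled, not validating"`, has no trailing `\n`, unlike the two grub_dprintf calls that follow it, so it will run into the next debug line; it should read `grub_dprintf ("linuxefi", "secure boot not enabled, not validating\n");`. The added messages are also logged under the "linuxefi" condition while the existing shim_lock message uses "secureboot", so anyone tracing the validation path with only one condition enabled sees half of it. Using a single condition for the whole function would make the skipped-validation path easier to spot in boot logs. The enclosing function starts and ends outside the hunk, and the same added lines appear in the quoted copy at the top of the page.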
If grub_efi_secure_boot() returns 0, then grub_linuxefi_secure_validate() prints "secure boot not enabled" but returns 1? Doesn't sound right. Should return 0 I guess?
And if grub_linuxefi_secure_validate() returns 1 then this chainloader code switches to secureboot:
rc = grub_linuxefi_ secure_ validate( (void *)((grub_addr_t) address), fsize); secure_ validate: %d\n", rc); file_close (file); loader_ set (grub_secureboo t_chainloader_ boot,
grub_ secureboot_ chainloader_ unload, 0); load_and_ start_image( boot_image) ; file_close (file); loader_ set (grub_chainload er_boot, grub_chainloade r_unload, 0);
grub_dprintf ("chain", "linuxefi_
if (rc > 0)
{
grub_
grub_
return 0;
}
else if (rc == 0)
{
grub_
grub_
grub_
return 0;
}
resulting in trying to secure boot windows efi image instead of just calling grub_load_ and_start_ image() .