After working on LP: #1892770, I think that this is the same problem. grub in focal/arm64 is trying to use EFI boot services to start the kernel, after having verified the kernel with the shim. EFI does not have access to the cert in the shim so it refuses to load the kernel. There is a workaround which is adding Canonical Master key to the EFI DB, so EFI can actually verify the kernel.
Looking at "loader/arm64/linux.c" in the sources seems to validate this. In focal [1], grub_arch_efi_linux_boot_image() calls EFI boot services b->load_image() and b->start_image() which is the same in upstream code.
However, in disco [2] the EFI boot services are not used - the sequence is grub_armxx_efi_linux_boot_image() -> grub_efi_linux_boot() -> calls directly an address in the loaded kernel.
After working on LP: #1892770, I think that this is the same problem. grub in focal/arm64 is trying to use EFI boot services to start the kernel, after having verified the kernel with the shim. EFI does not have access to the cert in the shim so it refuses to load the kernel. There is a workaround which is adding Canonical Master key to the EFI DB, so EFI can actually verify the kernel.
Looking at "loader/ arm64/linux. c" in the sources seems to validate this. In focal [1], grub_arch_ efi_linux_ boot_image( ) calls EFI boot services b->load_image() and b->start_image() which is the same in upstream code.
However, in disco [2] the EFI boot services are not used - the sequence is grub_armxx_ efi_linux_ boot_image( ) -> grub_efi_ linux_boot( ) -> calls directly an address in the loaded kernel.
The patch that makes the change in disco is debian/ patches/ linuxefi_ load_arm_ with_sb. patch (https:/ /github. com/rhboot/ grub2/commit/ 2786ab864cf00c1 5123320671f653e 9a36ba12b4).
[1] https:/ /git.launchpad. net/ubuntu/ +source/ grub2/tree/ grub-core/ loader/ arm64/linux. c?h=applied/ ubuntu/ focal-updates# n122 /git.launchpad. net/ubuntu/ +source/ grub2/tree/ grub-core/ loader/ arm64/linux. c?h=applied/ ubuntu/ disco-updates# n157
[2] https:/