Comment 17 for bug 1862279

After working on LP: #1892770, I think that this is the same problem. grub in focal/arm64 is trying to use EFI boot services to start the kernel, after having verified the kernel with the shim. EFI does not have access to the cert in the shim so it refuses to load the kernel. There is a workaround which is adding Canonical Master key to the EFI DB, so EFI can actually verify the kernel.

Looking at "loader/arm64/linux.c" in the sources seems to validate this. In focal [1], grub_arch_efi_linux_boot_image() calls EFI boot services b->load_image() and b->start_image() which is the same in upstream code.

However, in disco [2] the EFI boot services are not used - the sequence is grub_armxx_efi_linux_boot_image() -> grub_efi_linux_boot() -> calls directly an address in the loaded kernel.

The patch that makes the change in disco is debian/patches/linuxefi_load_arm_with_sb.patch (https://github.com/rhboot/grub2/commit/2786ab864cf00c15123320671f653e9a36ba12b4).

[1] https://git.launchpad.net/ubuntu/+source/grub2/tree/grub-core/loader/arm64/linux.c?h=applied/ubuntu/focal-updates#n122
[2] https://git.launchpad.net/ubuntu/+source/grub2/tree/grub-core/loader/arm64/linux.c?h=applied/ubuntu/disco-updates#n157