Debian signed shim not deregistering Ubuntu signed shim protocol?

So I'm pretty sure that this bug concerns Debian shim but I want your thoughts before opening a proper bug.

1) The overall bug is described as such (assuming all the packages are signed for Microsoft secure boot):

Ubuntu shim -> Ubuntu grub -> Debian shim -> Debian grub -> Debian kernel
Kernel cannot be loaded with error: "error: /kernelfilename has invalid signature."

This should work because we are supposedly using Debian shim and not Ubuntu shim.
You can demo this problem with the ubuntu disk.

2) You can easily prove that this bug is not present on Ubuntu shim.
The debian disk is a demo of this correct behaviour:

Debian shim -> Debian grub -> Ubuntu shim -> Ubuntu grub -> Ubuntu kernel
Kernel loads perfectly without any 'invalid signature' error.

3) What I suspect is not working ok would be:
https://salsa.debian.org/efi-team/shim/blob/3a1cdbfd4ca5196367fded2dbbb0101193f6889c/shim.c#L2395-2414
although I must admit that I think that the same code is present on Ubuntu shim so I'm a bit confused.

	/*
	 * Did another instance of shim earlier already install the
	 * protocol? If so, get rid of it.
	 *
	 * We have to uninstall shim's protocol here, because if we're
	 * On the fallback.efi path, then our call pathway is:
	 *
	 * shim->fallback->shim->grub
	 * ^               ^      ^
	 * |               |      \- gets protocol #0
	 * |               \- installs its protocol (#1)
	 * \- installs its protocol (#0)
	 * and if we haven't removed this, then grub will get the *first*
	 * shim's protocol, but it'll get the second shim's systab
	 * replacements.  So even though it will participate and verify
	 * the kernel, the systab never finds out.
	 */
	efi_status = LibLocateProtocol(&SHIM_LOCK_GUID, (VOID **)&shim_lock);
	if (!EFI_ERROR(efi_status))
		uninstall_shim_protocols();

4) I have built two disks with nice grub menus to demo both behaviours.
You can download them here:
https://sourceforge.net/projects/supergrub2/files/tmp/

* shim-chainload-1-ubuntu.img (The ubuntu disk)
* shim-chainload-2-debian.img (The debian disk)

5) In order to test these images, first of all I set up my kvm to work as a secure boot machine per these instructions:
https://wiki.debian.org/SecureBoot/VirtualMachine
.

Then I just run either:

sudo kvm  -m 2048  --machine pc-q35-2.5  -drive if=pflash,format=raw,readonly,file=./OVMF_CODE.fd  -drive if=pflash,format=raw,file=./OVMF_VARS.fd  -drive file=/path-to/shim-chainload-1-ubuntu.img,format=raw,index=0,media=disk  -boot menu=on

or:

sudo kvm  -m 2048  --machine pc-q35-2.5  -drive if=pflash,format=raw,readonly,file=./OVMF_CODE.fd  -drive if=pflash,format=raw,file=./OVMF_VARS.fd  -drive file=/path-to/shim-chainload-2-debian.img,format=raw,index=0,media=disk  -boot menu=on

so that I can play with them.

6) How I built both of the disks (efi images only):

* Ubuntu signed shim:
** Url: http://es.archive.ubuntu.com/ubuntu/pool/main/s/shim-signed/shim-signed_1.39+15+1533136590.3beb971-0ubuntu1_amd64.deb
** On package: usr/lib/shim/shimx64.efi.signed
** On ubuntu disk: /EFI/Boot/bootx64.efi , /EFI/ubuntu/shimx64.efi
** On debian disk: /EFI/ubuntu/shimx64.efi

* Ubuntu signed grub:
** Url: http://es.archive.ubuntu.com/ubuntu/pool/main/g/grub2-signed/grub-efi-amd64-signed_1.121+2.04-1ubuntu5_amd64.deb
** On package: usr/lib/grub/x86_64-efi-signed/gcdx64.efi.signed
** On ubuntu disk: /EFI/Boot/grubx64.efi , /EFI/ubuntu/grubx64.efi
** On debian disk: /EFI/ubuntu/grubx64.efi

* Ubuntu signed kernel:
** Url: http://es.archive.ubuntu.com/ubuntu/pool/main/l/linux-signed/linux-image-5.2.0-15-generic_5.2.0-15.16+signed1_amd64.deb
** On package: boot/vmlinuz-5.2.0-15-generic
** On ubuntu disk: /vmlinuz-5.2.0-15-generic
** On debian disk: /vmlinuz-5.2.0-15-generic

* Debian signed shim:
** Url: http://ftp.es.debian.org/debian/pool/main/s/shim-signed/shim-signed_1.33+15+1533136590.3beb971-7_amd64.deb
** On package: usr/lib/shim/shimx64.efi.signed
** On ubuntu disk: /EFI/debian/shimx64.efi
** On debian disk: /EFI/Boot/bootx64.efi, /EFI/debian/shimx64.efi

* Debian signed grub:
** Url: http://ftp.es.debian.org/debian/pool/main/g/grub-efi-amd64-signed/grub-efi-amd64-signed_1+2.04+2_amd64.deb
** On package: usr/lib/grub/x86_64-efi-signed/gcdx64.efi.signed
** On ubuntu disk: /EFI/debian/grubx64.efi
** On debian disk: /EFI/Boot/grubx64.efi, /EFI/debian/grubx64.efi

* Debian signed kernel:
** Url: http://ftp.es.debian.org/debian/pool/main/l/linux-signed-amd64/linux-image-5.2.0-2-amd64_5.2.9-2_amd64.deb
** On package: boot/vmlinuz-5.2.0-2-amd64
** On ubuntu disk: /vmlinuz-5.2.0-2-amd64
** On debian disk: /vmlinuz-5.2.0-2-amd64

7) So... what do you think?
Is this actually a Debian specific shim bug or... am I missing something obvious?

Thank you!

adrian15
--
Support free software. Donate to Super Grub Disk. Apoya el software libre. Dona a Super Grub Disk. http://www.supergrubdisk.org/index.php?pid=10
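The following is an added illustration, not code from the mail above and not shim's own code: a small C model of the UEFI protocol database and of the shim_lock handover that the quoted shim.c comment describes. It shows why a second shim that does not deregister the first shim's protocol leaves grub verifying against the wrong vendor. The names locate_protocol(), install_protocol(), uninstall_protocols(), shim_start() and the vendor string are assumptions standing in for LocateProtocol / InstallProtocolInterface, uninstall_shim_protocols() and the vendor certificate each distro's shim embeds; the "signer equals vendor" check is a stand-in for shim's real signature verification.

```c
/*
 * Added example (not from the mail or from shim): a model of the
 * SHIM_LOCK protocol database.  Like the firmware's LocateProtocol,
 * locate_protocol() returns the FIRST installed instance, which is
 * exactly why the quoted shim.c comment uninstalls an earlier one.
 * All identifiers below are assumptions for illustration only.
 */
#include <stdio.h>
#include <string.h>

#define MAX_PROTOCOLS 8

/* One shim_lock instance: the distro whose signatures it trusts
 * (stand-in for the vendor certificate embedded in that shim). */
struct shim_lock {
    const char *vendor;   /* "ubuntu" or "debian" in this model */
};

static struct shim_lock *protocol_db[MAX_PROTOCOLS];
static int protocol_count;

static void reset_protocol_db(void)
{
    protocol_count = 0;
}

/* Model of LocateProtocol(&SHIM_LOCK_GUID): first match or NULL. */
static struct shim_lock *locate_protocol(void)
{
    return protocol_count > 0 ? protocol_db[0] : NULL;
}

/* Model of InstallProtocolInterface: append a new instance. */
static int install_protocol(struct shim_lock *lock)
{
    if (protocol_count >= MAX_PROTOCOLS)
        return -1;
    protocol_db[protocol_count++] = lock;
    return 0;
}

/* Model of uninstall_shim_protocols(): drop the earlier instance(s).
 * Simplification: the model removes every installed instance. */
static void uninstall_protocols(void)
{
    protocol_count = 0;
}

/* A shim starting up.  With 'deregister' set it behaves as the quoted
 * shim.c code does: locate an earlier instance, uninstall it, then
 * install its own.  With 'deregister' clear it only installs its own,
 * which is the behaviour the mail suspects in the Debian chain. */
static void shim_start(struct shim_lock *own, int deregister)
{
    if (deregister && locate_protocol() != NULL)
        uninstall_protocols();
    install_protocol(own);
}

/* grub asks whichever shim_lock it can locate to verify a kernel signed
 * by 'signer'.  Returns 1 on success, 0 for "invalid signature". */
static int grub_verify_kernel(const char *signer)
{
    struct shim_lock *lock = locate_protocol();
    if (lock == NULL)
        return 0;
    return strcmp(lock->vendor, signer) == 0;
}

/* The chain from the mail: first shim -> first grub -> second shim ->
 * second grub -> kernel signed by the second distro.
 * Returns 1 if the kernel loads, 0 if grub reports invalid signature. */
static int run_chain(const char *first, const char *second,
                     int second_deregisters)
{
    struct shim_lock first_lock = { first };
    struct shim_lock second_lock = { second };

    reset_protocol_db();
    shim_start(&first_lock, 1);                 /* nothing to deregister yet */
    shim_start(&second_lock, second_deregisters); /* chainloaded by first grub */
    return grub_verify_kernel(second);          /* second grub loads its kernel */
}

int main(void)
{
    const char *ok = "kernel loads", *bad = "invalid signature";
    printf("ubuntu -> debian, debian shim deregisters:        %s\n",
           run_chain("ubuntu", "debian", 1) ? ok : bad);
    printf("ubuntu -> debian, debian shim does not deregister: %s\n",
           run_chain("ubuntu", "debian", 0) ? ok : bad);
    printf("debian -> ubuntu, ubuntu shim deregisters:        %s\n",
           run_chain("debian", "ubuntu", 1) ? ok : bad);
    return 0;
}
```

In the model, the only case that yields "invalid signature" is the one where the second shim leaves the first shim's protocol in place: grub then locates the Ubuntu instance and checks the Debian-signed kernel against the wrong vendor, matching the symptom reported for the ubuntu disk. Real shim verification also consults db and MokList, which the model deliberately leaves out.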