Debian+Ubuntu dual boot with UEFI secure boot and shim+grub

To: "debian-efi@lists.debian.org" <debian-efi@lists.debian.org>
Subject: Debian+Ubuntu dual boot with UEFI secure boot and shim+grub
From: Pascal Hambourg <pascal@plouf.fr.eu.org>
Date: Sun, 14 Jan 2024 13:23:43 +0100
Message-id: <[🔎] 342422ef-1d87-4981-b51e-380ef39cb129@plouf.fr.eu.org>

Hello,

Here are the results of some tests I did in QEMU/KVM using OVMF withsecure boot enabled.

Debian 12.4
Ubuntu 22.04
No additional keys are enrolled in MOK or secure boot db.

In the following tables, the "result" column contains the result of"linux" and "boot" grub commands.


1) Booting without chainloading

UEFI > shim > grub
grub> linux vmlinuz
grub> boot

shim   | kernel | result
------ | ------ | ------
debian | debian | linux, boot -> OK
debian | ubuntu | linux -> bad shim signature
ubuntu | ubuntu | linux, boot -> OK
ubuntu | debian | linux -> bad shim signature

As expected, the "linux" command fails to verify a "foreign" kernel.

2) Booting with chainloading

UEFI > shim#1 > grub#1
grub#1> chainloader shim#2
grub#2> linux vmlinuz
grub#2> boot

1st shim | 2nd shim | kernel | result
-------- | -------- | ------ | ------
debian   | ubuntu   | ubuntu | linux, boot -> OK
debian   | ubuntu   | debian | linux -> bad shim signature
ubuntu   | debian   | ubuntu | linux OK, boot -> Bootloader has not
         |          |        | verified image
ubuntu   | debian   | debian | linux OK, boot -> Bootloader has not
         |          |        | verified image

When booting Debian's shim and chainloading Ubuntu's shim, the behaviouris the same as if Ubuntu's shim is booted directly.

However when booting Ubuntu's shim and chainloading Debian's shim, the"linux" command loads either kernel without error but after the "boot"command the following lines are displayed:


 Bootloader has not verified image.
 System is compromised.  halting.

This message seems to be from shim in function exit_boot_services().Note that it is displayed after the message "EFI Stub: UEFI Secure bootis enabled." which is from the kernel (without "quiet").


What could be wrong and cause this difference ?

PS: I received the following answer in #debian-efi, but it does notfully explain the above results:

Chainloading shims is not a valid use case. You can only load one shimin the boot process because there can only be one shim owning the GUID.And the 2nd shim can't unload the first shim's implementation oroverride it.But I'd expect it to fail to verify the kernel, not complain at theExitBootServices stage because it should be using Ubuntu's shim toverify the kernel.

Reply to:

Prev by Date: Bug#1060577: fwupd: Please switch Build-Depends to systemd-dev
Next by Date: Processing of libjcat_0.2.0-1_source.changes
Previous by thread: Bug#1060577: marked as done (fwupd: Please switch Build-Depends to systemd-dev)
Next by thread: Processing of libjcat_0.2.0-1_source.changes
Index(es):
- Date
- Thread