* Re: [PATCH] efi/sb: Fix boot failure when shim validation is disabled
@ 2025-09-11 12:25 ` Avnish Chouhan
From: Avnish Chouhan @ 2025-09-11 12:25 UTC (permalink / raw)
To: mchang; +Cc: grub-devel, Daniel Kiper
On 2025-09-08 14:01, grub-devel-request@gnu.org wrote:
> Message: 4
> Date: Mon, 8 Sep 2025 16:30:20 +0800
> From: Michael Chang <mchang@suse.com>
> To: The development of GNU GRUB <grub-devel@gnu.org>
> Subject: [PATCH] efi/sb: Fix boot failure when shim validation is
> disabled
> Message-ID: <20250908083020.352813-1-mchang@suse.com>
>
> When shim is switched to insecure mode via "mokutil
> --disable-validation", GRUB aborts midway when attempting to boot the
> kernel. With debug output enabled, the following error is shown:
>
> error: ../../grub-core/loader/efi/linux.c:219: cannot load image.
>
> The failure occurs because UEFI Secure Boot itself remains enabled, but
> the kernel is delegated to the firmware LoadImage() path since both the
> shim_load and shim_lock protocols appear to be absent. This delegation
> was introduced when GRUB gained support for shim_load, allowing kernels
> to take advantage of the LoadFile2 protocol. That logic assumed both
> shim protocols were missing.
>
> In fact, the shim protocols are still present but become invisible to
> GRUB because probing in the shim verifier is skipped. This happens
> because grub_efi_get_secureboot() considers MokSBState. When users
> disable shim validation, Secure Boot is detected as "off" and as a
> result the shim protocols are never processed.
>
> This patch fixes the issue by introducing
> grub_efi_get_secureboot_real(), which allows bypassing MokSBState when
> deciding whether to set up the shim verifier. This ensures that the shim
> protocols are still correctly discovered and used even if shim is placed
> into insecure mode. At the same time, grub_efi_get_secureboot()
> continues to preserve the logic that matches the Linux kernel
> implementation, keeping the two consistent.
>
> Signed-off-by: Michael Chang <mchang@suse.com>
> ---
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
* [PATCH] efi/sb: Fix boot failure when shim validation is disabled
@ 2025-09-08 8:30 Michael Chang via Grub-devel
From: Michael Chang via Grub-devel @ 2025-09-08 8:30 UTC (permalink / raw)
To: The development of GNU GRUB; +Cc: Michael Chang
When shim is switched to insecure mode via "mokutil
--disable-validation", GRUB aborts midway when attempting to boot the
kernel. With debug output enabled, the following error is shown:

error: ../../grub-core/loader/efi/linux.c:219: cannot load image.

The failure occurs because UEFI Secure Boot itself remains enabled, but
the kernel is delegated to the firmware LoadImage() path since both the
shim_load and shim_lock protocols appear to be absent. This delegation
was introduced when GRUB gained support for shim_load, allowing kernels
to take advantage of the LoadFile2 protocol. That logic assumed both
shim protocols were missing.

In fact, the shim protocols are still present but become invisible to
GRUB because probing in the shim verifier is skipped. This happens
because grub_efi_get_secureboot() considers MokSBState. When users
disable shim validation, Secure Boot is detected as "off" and as a
result the shim protocols are never processed.

This patch fixes the issue by introducing
grub_efi_get_secureboot_real(), which allows bypassing MokSBState when
deciding whether to set up the shim verifier. This ensures that the shim
protocols are still correctly discovered and used even if shim is placed
into insecure mode. At the same time, grub_efi_get_secureboot()
continues to preserve the logic that matches the Linux kernel
implementation, keeping the two consistent.

Signed-off-by: Michael Chang <mchang@suse.com>
---
grub-core/kern/efi/init.c | 2 +-
grub-core/kern/efi/sb.c | 12 +++++++++---
include/grub/efi/sb.h | 8 +++++++-
3 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
index 1637077e1..0c6d83635 100644
--- a/grub-core/kern/efi/init.c
+++ b/grub-core/kern/efi/init.c
@@ -109,7 +109,7 @@ grub_efi_init (void)
* Lockdown the GRUB and register the shim_lock verifier
* if the UEFI Secure Boot is enabled.
*/
- if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ if (grub_efi_get_secureboot_real (1) == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
{
grub_lockdown ();
grub_shim_lock_verifier_setup ();
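Review bot: the comment just above this hunk ("register the shim_lock verifier if the UEFI Secure Boot is enabled") is now inaccurate, because grub_efi_get_secureboot_real (1) deliberately ignores MokSBState, and the switch also means grub_lockdown () is now applied while shim is in insecure mode, which the commit message does not mention. Please reword the comment to say the firmware's Secure Boot state is consulted regardless of shim's MokSBState, and state in the commit message that keeping lockdown engaged when validation is disabled is intended (or, if lockdown should follow the kernel-compatible view, evaluate the two calls separately).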
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 4409e03c5..6d58ac1af 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -45,7 +45,7 @@ static grub_efi_handle_t last_verified_image_handle = NULL;
* drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot().
*/
grub_uint8_t
-grub_efi_get_secureboot (void)
+grub_efi_get_secureboot_real (grub_uint8_t skip_moksbstate)
{
static grub_guid_t efi_variable_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
grub_efi_status_t status;
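Review bot: the function comment that ends just above this hunk (pointing at drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot ()) says nothing about the new skip_moksbstate parameter; document that a non-zero value returns the firmware's own SecureBoot/SetupMode verdict and skips shim's MokSBState, and that the kernel-compatible behaviour is the zero case. Consider declaring the parameter as `bool` rather than `grub_uint8_t`, since include/grub/efi/sb.h already uses `bool` for grub_is_using_legacy_shim_lock_protocol ().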
@@ -81,6 +81,12 @@ grub_efi_get_secureboot (void)
goto out;
}
+ if (skip_moksbstate)
+ {
+ secureboot = GRUB_EFI_SECUREBOOT_MODE_ENABLED;
+ goto out;
+ }
+
/*
* See if a user has put the shim into insecure mode. If so, and if the
* variable doesn't have the runtime attribute set, we might as well
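Review bot: the new `if (skip_moksbstate)` block carries no comment, and the existing comment immediately below it ("See if a user has put the shim into insecure mode...") now reads as if MokSBState were always consulted. A one-line comment on the new block, for example `/* Caller wants the firmware view only; do not let MokSBState override it. */`, plus a sentence in the comment below noting that the check is bypassed when skip_moksbstate is set, would make the two paths read consistently.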
@@ -114,7 +120,7 @@ grub_efi_get_secureboot (void)
else if (secureboot == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
secureboot_str = "Enabled";
- grub_dprintf ("efi", "UEFI Secure Boot state: %s\n", secureboot_str);
+ grub_dprintf ("efi", "UEFI Secure Boot state with%s MokSBState: %s\n", skip_moksbstate ? "out" : "", secureboot_str);
return secureboot;
}
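Review bot: the new grub_dprintf () line is far past 80 columns; please wrap the format string and arguments across lines as the surrounding code does. The "with%s MokSBState" construction also yields "UEFI Secure Boot state with MokSBState: Enabled", which is easy to misread in a debug log; something like "UEFI Secure Boot state (MokSBState %s): %s\n" with "ignored" / "honoured" as the first argument would be clearer.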
@@ -227,7 +233,7 @@ grub_shim_lock_verifier_setup (void)
struct grub_module_header *header;
/* Secure Boot is off. Ignore shim. */
- if (grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ if (grub_efi_get_secureboot_real (1) != GRUB_EFI_SECUREBOOT_MODE_ENABLED)
return;
/* Find both shim protocols. */
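Review bot: the comment `/* Secure Boot is off. Ignore shim. */` is now misleading, since with grub_efi_get_secureboot_real (1) shim in insecure mode no longer counts as "off" at this point. State explicitly that only the firmware's Secure Boot state matters here and that MokSBState is ignored on purpose so shim_lock and shim_load are still discovered when validation is disabled; that is the core of this fix and belongs at the call site.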
diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h
index 149005ced..98462c030 100644
--- a/include/grub/efi/sb.h
+++ b/include/grub/efi/sb.h
@@ -30,7 +30,13 @@
#ifdef GRUB_MACHINE_EFI
extern grub_uint8_t
-EXPORT_FUNC (grub_efi_get_secureboot) (void);
+EXPORT_FUNC (grub_efi_get_secureboot_real) (grub_uint8_t skip_moksbstate);
+
+static inline grub_uint8_t
+grub_efi_get_secureboot (void)
+{
+ return grub_efi_get_secureboot_real (0);
+}
extern bool
EXPORT_FUNC (grub_is_using_legacy_shim_lock_protocol) (void);
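Review bot: replacing `EXPORT_FUNC (grub_efi_get_secureboot) (void)` with a static inline wrapper removes an exported symbol, so any pre-built module that still references grub_efi_get_secureboot will no longer resolve against a kernel built with this change; either keep the export next to the wrapper or call the removal out in the commit message. The wrapper also passes a bare `0`; with a `bool` parameter and `false`/`true` at both call sites the intent would be self-explanatory.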
--
2.51.0
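As an added illustration (not code from the patch or from GRUB), a small host-side C model of the decision described in the commit message: the firmware's SecureBoot/SetupMode variables are consulted first, and shim's MokSBState only when the caller does not ask to skip it. The struct fields, `get_secureboot_model()` and `views_disagree()` are constructed for this example; the variable snapshot models the reported scenario (Secure Boot on, `mokutil --disable-validation` applied).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum sb_mode { SB_DISABLED = 0, SB_ENABLED = 1 };

/* Constructed snapshot of the three UEFI variables the logic consults. */
struct efi_vars {
    bool    secureboot_present;  /* SecureBoot variable exists at all */
    uint8_t secureboot;          /* SecureBoot value, 1 = enforcing */
    uint8_t setupmode;           /* SetupMode value, 1 = in setup mode */
    bool    moksbstate_present;  /* shim's MokSBState variable exists */
    bool    moksbstate_runtime;  /* MokSBState has the RUNTIME_ACCESS attribute */
    uint8_t moksbstate;          /* 1 = shim validation disabled by the user */
};

/* Models the order in the commit message: firmware variables decide first;
 * MokSBState is only looked at when skip_moksbstate is false. */
static enum sb_mode get_secureboot_model(const struct efi_vars *v, bool skip_moksbstate)
{
    if (!v->secureboot_present || v->secureboot == 0 || v->setupmode == 1)
        return SB_DISABLED;      /* the firmware itself is not enforcing */
    if (skip_moksbstate)
        return SB_ENABLED;       /* caller wants the raw firmware verdict */
    /* Shim in insecure mode: a MokSBState of 1 without the runtime attribute
     * (so the OS cannot have forged it) means shim will not verify anything,
     * and the kernel-compatible answer is "disabled". */
    if (v->moksbstate_present && !v->moksbstate_runtime && v->moksbstate == 1)
        return SB_DISABLED;
    return SB_ENABLED;
}

/* The bug-report scenario: UEFI Secure Boot on, shim validation disabled. */
static const struct efi_vars shim_insecure = { true, 1, 0, true, false, 1 };

/* True when the kernel-compatible view and the firmware-only view differ,
 * i.e. the case where verifier setup must not rely on the former or it
 * will never probe for the shim protocols. */
static bool views_disagree(const struct efi_vars *v)
{
    return get_secureboot_model(v, false) != get_secureboot_model(v, true);
}

int main(void)
{
    printf("kernel-compatible view: %d\n", get_secureboot_model(&shim_insecure, false));
    printf("firmware-only view:     %d\n", get_secureboot_model(&shim_insecure, true));
    return 0;
}
```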