help-grub

Re: GRUB can't chainload Windows under Secure Boot


From: Andrei Borzenkov
Subject: Re: GRUB can't chainload Windows under Secure Boot
Date: Thu, 8 Dec 2016 14:31:18 +0300

On Thu, Dec 8, 2016 at 2:04 PM, Giovanni Santini
<address@hidden> wrote:
> On 08/12/2016 05:03, Andrei Borzenkov wrote:
>>
>> Upstream GRUB does not support secure boot at all, so you need to raise
>> a bug report with your distribution. Each is using a slightly different
>> version of the secure boot patch, so it is impossible to give a blanket answer.
>>
>
> Any chances to have this fixed upstream?
>

I understand that this needs clarification.

GRUB itself is completely Secure Boot agnostic - if you sign the binary it
will likely work and will also be able to chainload other signed
binaries as long as the firmware accepts them.

What it does not support is explicit signature verification using the
popular shim protocol, which can be considered bypassing the firmware check
entirely.

>
>>> /EndEntire
>>> file path:
>>> /ACPI(yadda)/PCI(yadda)/Sata(0,0,0)/HD(yaddayadda)/File(\EFI\Microsoft\Boot)/File(bootmgfw.efi)/EndEntire
>>> error: cannot load image.
>>>
>>
>> I am aware of at least one problem (incorrect parsing of the executable
>> format when secure boot is active) that was fixed in the openSUSE grub package.
>>
>
> I see.
> If you have a link to it, it would be great.

https://bugzilla.opensuse.org/show_bug.cgi?id=954126#c6


