Re: GRUB can't chainload Windows under Secure Boot

[Andrei Borzenkov]

On Thu, Dec 8, 2016 at 4:18 PM, Giovanni Santini
<address@hidden> wrote:
> Il 08/12/2016 14:01, Andrei Borzenkov ha scritto:
>>
>> There are two preloaders (loosely calling shim also preloader). Linux
>> Foundation's one overrides standard security protocol, so assuming
>> this was successful, it should be fully transparent. Another one is
>> shim, which installs additional protocol and needs explicit support to
>> call it. All distributions I am aware of are based on shim, and so
>> carry additional patches to grub.
>>
>
> I am using Linux Foundation's PreLoader. It is the version signed by
> Microsoft, so it is recognized properly by Secure Boot.
> Also, Linux OSes (tested on ArchLinux and Ubunut) loaded by Preloader +
> grub2 are run under Secure Boot properly (tested using the method at [1]).
>
>>
>> Yes, it should be this one. Although full patch set is rather more extensive.
>>
>
> Nice indeed! I will try to build it applying that patch... and hoping it
> won't broke completely GRUB ;P
>

Well, I do not know about Arch, but Ubuntu is using patch similar to
openSUSE, which means - it REQUIRES shim. Patch replaces default
chainloader command with one that calls shim and fails if it cannot do
it. It should have provided additional one, chainloaderefi similar to
linuxefi, instead.

> Will give you feedback ASAP!
>
> [1] https://wiki.archlinux.org/index.php/Secure_Boot#Booting_archiso
>
> --
> Giovanni Santini
> My blog: http://giovannisantini.tk
> My code: https://git{hub,lab}.com/ItachiSan
> My GPG: 2FADEBF5