help-grub

Re: GRUB can't chainload Windows under Secure Boot


From: Andrei Borzenkov
Subject: Re: GRUB can't chainload Windows under Secure Boot
Date: Thu, 8 Dec 2016 21:25:42 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1

08.12.2016 20:34, Andrei Borzenkov writes:
> 08.12.2016 18:50, Giovanni Santini writes:
>> On 08/12/2016 15:05, Andrei Borzenkov wrote:
>>>
>>> Well, I do not know about Arch, but Ubuntu is using patch similar to
>>> openSUSE, which means - it REQUIRES shim. Patch replaces default
>>> chainloader command with one that calls shim and fails if it cannot do
>>> it. It should have provided additional one, chainloaderefi similar to
>>> linuxefi, instead.
>>>
>>
>> I see...
>> From what I know, shim is not provided by ArchLinux. The suggested way
>> for Secure Boot is to use Linux Foundation PreLoader and HashTool.
>> From our discussion, I understood that using PreLoader doesn't involve
>> running it again.
>> So, the only needed thing to fix is the 'chainloader' command so that it
>> can read UEFI binaries even under Secure Boot (or provide a new one like
>> 'chainloaderefi'), if I understood correctly.
> 
> If you are using Linux Foundation chainloader I expect normal GRUB
> chainloader command to work. Do you have pointers to preloader binary
> you are using? I am actually interested in testing it as alternate way
> of providing secure boot support in GRUB.
> 
>> Not sure how else to make PreLoader load other UEFI files, as it
>> automatically tries to load the binary called 'loader.efi'.
>>
> 
> You should only need to load main GRUB binary. Do you have pointers to
> Arch package and patches it uses?
> 

I tested LF preloader in QEMU using OVMF with MS keys (extracted from
openSUSE package), preloader from this link
http://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/,
bootmgfw.efi and current grub git. I created standalone GRUB binary
using grub-mkstandalone (simply to avoid need to install it on loop
device), copied PreLoader as \EFI\BOOT\BOOTX64.EFI, HashTool.EFI and
grub binary as \EFI\BOOT\loader.efi. Started emulation, got prompt from
PreLoader, enrolled grub^Wloader.efi hash, rebooted into GRUB CLI and
successfully booted into bootmgfw.efi using

set root=hd0
chainloader \efi\boot\bootmgfw.efi
boot

Of course I was greeted by an error screen but this is a different story.

So I can confirm that vanilla grub under LF preloader is capable of
launching a signed EFI executable.
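Scripted version of the test described in the message above, as an added example; it is not code from the thread, from GRUB or from the PreLoader project. It assumes (none of this is stated on the page) that PreLoader.efi and HashTool.efi from the linked tarball are unpacked under $PRELOADER_DIR, that a Windows bootmgfw.efi is at $BOOTMGFW, that an OVMF build whose variable store already holds the Microsoft keys is at $OVMF_CODE and $OVMF_VARS, and that grub-mkstandalone, mkfs.vfat, mcopy (mtools) and qemu-system-x86_64 are on the host. The ESP layout and the three GRUB commands are the ones from the message; the only addition is a grub.cfg baked into the standalone image so that, once loader.efi's hash has been enrolled with HashTool, the chainload runs unattended instead of from the GRUB CLI.

```sh
#!/bin/sh
# Added example, not code from the thread: reproduce the QEMU/OVMF test of
# vanilla GRUB chainloading bootmgfw.efi under the Linux Foundation PreLoader.
#
# Assumed (not stated on the page): PreLoader.efi and HashTool.efi unpacked
# under $PRELOADER_DIR, a Windows boot manager at $BOOTMGFW, OVMF firmware
# whose variable store already carries the Microsoft keys at
# $OVMF_CODE / $OVMF_VARS, and grub-mkstandalone, mkfs.vfat, mcopy (mtools)
# and qemu-system-x86_64 on the host.
set -u

# Lay out the ESP as in the message: PreLoader at the removable-media default
# path, HashTool next to it, the standalone GRUB image under the fixed name
# loader.efi that PreLoader loads, and bootmgfw.efi where GRUB chainloads it.
stage_esp() {
    esp=$1 preloader=$2 hashtool=$3 grub=$4 bootmgfw=$5
    mkdir -p "$esp/EFI/BOOT"
    cp "$preloader" "$esp/EFI/BOOT/BOOTX64.EFI"
    cp "$hashtool"  "$esp/EFI/BOOT/HashTool.efi"
    cp "$grub"      "$esp/EFI/BOOT/loader.efi"
    cp "$bootmgfw"  "$esp/EFI/BOOT/bootmgfw.efi"
}

# Check the staged tree before imaging it: every file PreLoader or GRUB will
# look for must exist and start with the PE/COFF "MZ" magic. A missing or
# non-PE file is far easier to catch here than as a Secure Boot failure.
check_esp_layout() {
    esp=$1
    for f in EFI/BOOT/BOOTX64.EFI EFI/BOOT/HashTool.efi \
             EFI/BOOT/loader.efi EFI/BOOT/bootmgfw.efi; do
        if [ ! -f "$esp/$f" ]; then
            echo "missing $f" >&2; return 1
        fi
        magic=$(dd if="$esp/$f" bs=2 count=1 2>/dev/null)
        if [ "$magic" != "MZ" ]; then
            echo "$f is not a PE image" >&2; return 1
        fi
    done
    return 0
}

# grub.cfg replaying the CLI session from the message (forward slashes are
# GRUB's usual path form); embedded into the standalone image so the boot is
# unattended once loader.efi's hash has been enrolled with HashTool.
write_grub_cfg() {
    cat > "$1" <<'EOF'
set timeout=5
menuentry 'Windows: chainload bootmgfw.efi under PreLoader' {
    set root=hd0
    chainloader /efi/boot/bootmgfw.efi
    boot
}
EOF
}

# Standalone GRUB image with grub.cfg in its memdisk, so nothing has to be
# installed on a loop device (as in the message).
make_grub_image() {
    out=$1 cfg=$2
    grub-mkstandalone -O x86_64-efi -o "$out" "boot/grub/grub.cfg=$cfg"
}

# Pack the tree into a raw, unpartitioned FAT32 volume QEMU presents as hd0.
make_esp_image() {
    img=$1 esp=$2
    rm -f "$img"
    truncate -s 64M "$img"
    mkfs.vfat -F 32 "$img" >/dev/null
    mcopy -i "$img" -s "$esp/EFI" ::/
}

# Boot under OVMF. With Secure Boot on and only Microsoft keys enrolled, the
# firmware itself accepts just Microsoft-signed binaries (PreLoader,
# bootmgfw.efi); loader.efi runs only via the hash enrolled through HashTool.
run_qemu() {
    img=$1 code=$2 vars=$3
    qemu-system-x86_64 -machine q35 -m 1024 \
        -drive if=pflash,format=raw,readonly=on,file="$code" \
        -drive if=pflash,format=raw,file="$vars" \
        -drive format=raw,file="$img"
}

# Usage: sh preloader-lab.sh run   (without "run" it only defines functions)
if [ "${1:-}" = "run" ]; then
    : "${PRELOADER_DIR:=./PreLoader}" "${BOOTMGFW:=./bootmgfw.efi}"
    : "${OVMF_CODE:=./OVMF_CODE.fd}" "${OVMF_VARS:=./OVMF_VARS.fd}"
    work=$(mktemp -d)
    write_grub_cfg "$work/grub.cfg"
    make_grub_image "$work/grub.efi" "$work/grub.cfg"
    stage_esp "$work/esp" "$PRELOADER_DIR/PreLoader.efi" \
        "$PRELOADER_DIR/HashTool.efi" "$work/grub.efi" "$BOOTMGFW"
    check_esp_layout "$work/esp" || exit 1
    make_esp_image "$work/esp.img" "$work/esp"
    run_qemu "$work/esp.img" "$OVMF_CODE" "$OVMF_VARS"
fi
```

On the first boot PreLoader will refuse loader.efi because its hash is not yet enrolled and offer HashTool; enroll loader.efi there and reboot, after which the menu entry should chainload bootmgfw.efi exactly as the three commands in the message did from the CLI. The layout check matters because the same symptom (PreLoader falling back to HashTool, or a "Security Violation" from the firmware) covers both a wrong file name and an unsigned or corrupted binary.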


