Wind-River / meta-secure-core

MIT License

Secure boot with different SELOADER_CHAINLOADER fails to work with secure boot turned on #69

Open Dvergatal opened 1 month ago

Dvergatal commented 1 month ago

Hi, I am trying to chain another EFI binary into the secure boot chain; let's call it efiupdate.efi. By default SELOADER_CHAINLOADER is set to the default, which is grubx64.efi. Now I would like to put this efiupdate.efi in between, which I have succeeded in doing by changing the SELOADER_CHAINLOADER value to efiupdate.efi in my seloader%.bbappend. When secure boot is turned off in UEFI everything works perfectly fine, but when turning secure boot on I get the error "Loader has been blocked by the current security policy". I must mention that this efiupdate.efi is signed by the same key as seloaderx64.efi and grubx64.efi, meaning the vendor key.

So my question is: is the boot order somehow hardcoded, meaning verification of the vendor EFI blobs by name? Another question: since this efiupdate.efi runs an EFI shell script, and I have even created a signature for it with the uks_bl_sign function, the same one that is used for the grub *.inc files, could the cause of the issue be that the EFI shell script is not allowed to run?

Dvergatal commented 1 month ago

OK, I have fixed the issue with the error "Loader has been blocked by the current security policy", and now efiupdate.efi runs without any problems. The issue was that I had the wrong EFI keys loaded into UEFI by LockDown.efi :P

The issue I'm facing now is that the EFI shell script, which has a line \EFI\BOOT\grubx64.efi for running grub, now causes the error "Script Error Status: Security Violation (line number <number>)", where <number> is the number of the line in this EFI shell script where \EFI\BOOT\grubx64.efi is.

As I have already written, I've created a p7b signature file for that EFI shell script, but it doesn't work. Do you have a better idea how to solve this?

yizhao1 commented 4 weeks ago

Hi, maybe you can file the issue on the SELoader repo and get help from the maintainer: https://github.com/jiazhang0/SELoader