Closed Jurij-Ivastsuk closed 4 months ago
Hi @Jurij-Ivastsuk, did you check the SBAT generation number of your grub?
@dennis-tseng99 Hi, many thanks for the tip! We do not have our own SBAT section in grubx64.efi. That could be the problem. Is the SBAT section of shim compared with the corresponding SBAT section of grub?
Hi @Jurij-Ivastsuk, when loading grub, the shim code will also make use of the verify_sbat_helper() and verify_single_entry() functions to compare the component_name and generation number of grub. It will return EFI_SECURITY_VIOLATION if the comparisons fail.
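The component_name and generation comparison described in the comment above, as an added Python model that is not part of the thread and is not shim's code. The names `parse_sbat` and `check_image` are hypothetical, the SBAT strings are constructed sample data, and rejecting an image that carries no `.sbat` data is this sketch's assumption for the case raised in the question.

```python
import csv
import io

# Constructed sample data: component_name,generation[,...] per line.
REVOCATIONS = "sbat,1,2021030218\ngrub,3\n"
GRUB_CURRENT = ("sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat\n"
                "grub,3,Example Vendor,grub2,2.06,https://example.invalid/grub\n")
GRUB_OLD = GRUB_CURRENT.replace("grub,3,", "grub,2,")


def parse_sbat(text):
    """Parse SBAT CSV text into {component_name: generation}."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue  # blank or malformed line
        entries[row[0].strip()] = int(row[1].strip())
    return entries


def check_image(image_sbat, revocation_sbat):
    """Return (allowed, reason) for an image's .sbat text.

    image_sbat is None or empty when the binary has no .sbat section.
    """
    if not image_sbat:
        # Assumption of this sketch: missing metadata is a failure.
        return False, "image has no .sbat data"
    try:
        image = parse_sbat(image_sbat)
        minimum = parse_sbat(revocation_sbat)
    except ValueError:
        return False, "generation is not a number"
    # Only components named in both lists are compared.
    for name, generation in image.items():
        if name in minimum and generation < minimum[name]:
            return False, f"{name} generation {generation} < required {minimum[name]}"
    return True, "all matching components meet the required generation"


if __name__ == "__main__":
    for label, sbat in (("current", GRUB_CURRENT), ("old", GRUB_OLD), ("no section", None)):
        print(label, check_image(sbat, REVOCATIONS))
```
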
@dennis-tseng99 Thank you!
When testing shim-15.8 I got a result that I did not expect. The following constellation:
My expectation was that if I can start shim with secure-boot enabled, then grubx64.efi should also be started by shim as a second-stage loader, because grub was signed with the same certificate as the vendor-certificate in shim. When I started the shim (start was without any problems), grub could not be started with the following error message from shim:
Does anyone have any idea why this is so and not as expected?