Gentoo Forums
Issues with GRUB 2 and UEFI Secure Boot
ahferroin7
n00b
Joined: 26 Nov 2014
Posts: 10

PostPosted: Tue Jan 05, 2016 3:16 pm    Post subject: Issues with GRUB 2 and UEFI Secure Boot

This isn't exactly about installing Gentoo, but this seems to be the place to ask about boot issues, and this will end up being about installing Gentoo when I am eventually forced to get a system that won't let me turn off Secure Boot.

I've been trying to get Secure Boot set up on my system recently, as Windows 10 hardware certification no longer requires a switch to turn it off, and I already know of x86 systems in the wild that somehow passed Windows 8 certification despite not having such a switch. Instead of taking the usual approach with Shim or PreLoader, I've actually generated and installed my own keys for PK, KEK, and db. I still have the certificates shipped with the system installed, because I need to be able to boot Windows also. I'm using GRUB 2 built from the ~amd64 ebuild, signed using sbsign, to boot, and it works just fine booting Linux this way (interestingly despite not having signed the kernel image).

The issue I've come across, though, is that trying to chain load any EFI executable from GRUB, regardless of whether or not it's signed, fails if I have Secure Boot enabled. I've tested this with the Windows 8.1 boot loader and the system diagnostics application from the manufacturer (both of which boot just fine when invoked from the EFI boot manager itself), as well as a standard EFI shell from TianoCore, and the EFI version of Memtest86 (both of which I've signed with my key using sbsign with exactly the same syntax as I used to sign the GRUB binary). This has been a serious annoyance for me, as the EFI boot manager in the firmware on my system is horribly broken (it completely ignores the timeout variable, and only gets displayed if you manually break in during the boot sequence).

I'm hoping somebody here might have some idea what's going on.

For reference, I'm using a ThinkPad L540 with up to date firmware.
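Before blaming the loader for the "regardless of whether or not it's signed" behaviour described above, it helps to confirm which EFI binaries on the ESP actually carry an embedded Authenticode signature. The following is an added example, not code from the thread or from GRUB: it parses the PE header and reads the Certificate Table data directory, which is where sbsign places the signature. A constructed minimal PE32+ image is used as input; the real `.efi` files (`grubx64.efi`, the Memtest86 and TianoCore shell images) would be passed as raw bytes in the same way.

```python
import struct

# Data directory index of the Authenticode certificate table (IMAGE_DIRECTORY_ENTRY_SECURITY).
SECURITY_DIR = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def certificate_table(pe: bytes):
    """Return (file_offset, size) of the embedded signature, or None if the
    image is unsigned. Unlike other directories, this entry holds a file
    offset rather than an RVA, so no section mapping is needed."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32PLUS_MAGIC:        # 64-bit EFI binaries (x86_64, aarch64)
        num_dirs_off, dirs_off = opt + 108, opt + 112
    elif magic == PE32_MAGIC:          # 32-bit EFI binaries
        num_dirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    num_dirs = struct.unpack_from("<I", pe, num_dirs_off)[0]
    entry = dirs_off + 8 * SECURITY_DIR
    if num_dirs <= SECURITY_DIR or entry + 8 > opt + opt_size:
        return None                    # header too short to hold the entry
    off, size = struct.unpack_from("<II", pe, entry)
    return (off, size) if off and size else None


def is_signed(pe: bytes) -> bool:
    # Presence of a signature only; whether db trusts the signer is a
    # separate question (sbverify --cert answers that one).
    return certificate_table(pe) is not None


def build_sample_pe(cert_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image for the demo; not a bootable binary."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    opt = bytearray(240)                                            # PE32+ header, 16 dirs
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                            # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    cert_off = len(dos) + 4 + len(coff) + len(opt)
    if cert_blob:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, cert_off, len(cert_blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_blob
```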
khayyam
Watchman
Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

PostPosted: Tue Jan 05, 2016 4:15 pm    Post subject: Re: Issues with GRUB 2 and UEFI Secure Boot

ahferroin7 ...

I'm really not that familiar with secure boot, however, perhaps this link will provide a solution (with the fourth bullet point in "Secure Boot Caveats" suggesting your issue is resolvable ... though perhaps not one that will allow you to use grub2).

HTH & best ... khay
DONAHUE
Watchman
Joined: 09 Dec 2006
Posts: 7651
Location: Goose Creek SC

PostPosted: Tue Jan 05, 2016 4:31 pm

Visit http://www.rodsbooks.com/. It may be the best free info available on UEFI and Secure Boot.
The author is a member here as srs5694.
ahferroin7
n00b
Joined: 26 Nov 2014
Posts: 10

PostPosted: Tue Jan 05, 2016 8:43 pm

Thanks for the replies. I'd seen the page before, and was actually trying to work around most of the problems with shim and preloader, and even the whole issue with MOKs, by just avoiding them entirely. I probably should have been a bit more specific, as I'm not using MOKs at all; I've actually got my own key installed as a Platform Key, and have my own keys added to the Key Exchange Key store and the primary signing key store (which is relatively tamper proof without hardware access due to the design of Secure Boot). I've since tested that both memtest86 and the EFI shell start just fine when loaded directly by the firmware, and when loaded from the EFI shell, so it really looks like this is an issue in how GRUB is chainloading EFI binaries. I'm probably going to end up filing a bug, but I'm going to have to do some more testing first.