It looks like something is stopping GRUB from recognizing the MokPolicy
variable exported by shim on these machines, and in turn it decides to
enforce NX despite shim telling it not to.


** Summary changed:

- UEFI GRUB2 enforces NX even with a non-NX shim when Secure Boot is disabled
+ UEFI GRUB2 enforces NX even with a non-NX shim

** Description changed:

- This still needs to be verified, but I have a strong hunch that this is
- a bug...
- 
  Please see final comments on
  https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2078307
  
- What is likely happening is that shim does not export MokPolicy when
- Secure Boot is disabled, thus GRUB decides that it must always enforce
- NX.
+ There are multiple affected machines, correctly running the non-NX shim
+ and 2.12-5ubuntu5 GRUB.
  
- It might be a more sensible default to never enforce NX if Secure Boot
- is off.
+ Despite this, the GRUB on these machines decides to always enforce NX,
+ likely because the MokPolicy variable is not being exported exactly as
+ GRUB expects.
  
- The only obvious impact right now is Windows chainloading from GRUB when
- Secure Boot is disabled.
+ I have a suspicion that some of the attribute checks in this function
+ are not behaving as expected on these firmwares:
+ https://git.launchpad.net/~ubuntu-uefi-
+ team/grub/+git/ubuntu/tree/debian/patches/nx/efi-Disallow-fallback-to-
+ legacy-Linux-loader-when-shim-sa.patch#n22
+ 
+ The only obvious impact right now is Windows chainloading from GRUB on
+ specific affected machines.

** Description changed:

- Please see final comments on
- https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2078307
+ Please also see final comments on
+ https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2078307, this whole
+ thing stareted there.
  
- There are multiple affected machines, correctly running the non-NX shim
- and 2.12-5ubuntu5 GRUB.
+ There are two known affected machines currently, one is confirmed to
+ correctly be running the non-NX shim and 2.12-5ubuntu5 GRUB.
  
  Despite this, the GRUB on these machines decides to always enforce NX,
  likely because the MokPolicy variable is not being exported exactly as
  GRUB expects.
+ 
+ This happens with both Secure Boot enabled and disabled.
  
  I have a suspicion that some of the attribute checks in this function
  are not behaving as expected on these firmwares:
  https://git.launchpad.net/~ubuntu-uefi-
  team/grub/+git/ubuntu/tree/debian/patches/nx/efi-Disallow-fallback-to-
  legacy-Linux-loader-when-shim-sa.patch#n22
  
  The only obvious impact right now is Windows chainloading from GRUB on
  specific affected machines.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2084104

Title:
  UEFI GRUB2 enforces NX even with a non-NX shim
