https://bugzilla.suse.com/show_bug.cgi?id=1179492 Bug ID: 1179492 Summary: Test grub booting using pe/coff boot entry to support shim and MOK Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: aarch64 OS: openSUSE Tumbleweed Status: NEW Severity: Normal Priority: P5 - None Component: Bootloader Assignee: screening-team-bugs@suse.de Reporter: mchang@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- To support shim lock protocol and use MOK (Machine Owner Key), grub has to load and boot the kernel on it's own without resorting to firmware protocols, namely UEFI LoadImage and StartImage protocols, which would only know about keys in db and dbx and thus would reject image with signature of MOK. To finalize UEFI Secure Boot to fully utilize the capability of shim, the grub package with needed implementation to achieve that is available here. https://build.opensuse.org/package/show/home:michael-chang:arm64-linuxefi/gr... In a nut shell, it will call out shim_lock protocol to verify the image, and then jump directly to the PE/COFF entry to boot the image if preceding verification goes successfully. This ticket is opened to track any issue in grub with respect to needed change to adopt shim and MOK on aarch64. -- You are receiving this mail because: You are on the CC list for the bug.