Comment 41 for bug 1865515

Dimitri John Ledkov (xnox) wrote :

I can use grub from hirsute to boot into Ubuntu's grub, then execute `exit 1` to fall back to the next BootOrder boot entry and boot into CentOS 8 with Secure Boot on.

Meaning the chain of events is Ubuntu's Shim => Ubuntu's grub => exit 1 => CentOS Shim => CentOS Grub => complete boot, and bootctl still reports that Secure Boot is on & dmesg/kernel too.

This will need the new grub and changes to how MAAS does the "boot from local drive" menu entry.

See https://launchpad.net/ubuntu/+source/grub2/2.04-1ubuntu37

The file that MAAS streams use from https://images.maas.io/ephemeral-v3/stable/bootloaders/uefi/amd64/20201123.0/grub2-signed.tar.xz is this one: http://archive.ubuntu.com/ubuntu/dists/hirsute/main/uefi/grub2-amd64/2.04-1ubuntu37/grubnetx64.efi.signed

This is what needs to be deployed on the MAAS provisioning side.

Then in MAAS the "boot from local drive" menuentry should change, i.e. https://github.com/maas/maas/blob/master/src/provisioningserver/templates/uefi/config.local.amd64.template

should be "just"

---8<---
set default="0"
set timeout=0

menuentry 'Local' {
    echo 'Booting local disk...'
    exit 1
}
---8<---

And then, assuming that provisioning / curtin sets up correct BootOrder entries _or_ a removable media path is autodetected by the device firmware, things should "just work".

I note that MAAS streams use grubnetx64.efi.signed from bionic-updates, and this change is currently only in hirsute.
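
The `exit 1` approach in the comment above depends on a usable BootOrder entry following the one GRUB was started from. As an added example (not part of the original comment and not MAAS or curtin code), this shell function checks that from `efibootmgr -v` output; the function name `next_boot_entry`, the entry numbers and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `efibootmgr -v` output; IDs, labels and paths are
# illustrative placeholders and do not come from the bug report.
sample_efibootmgr() {
cat <<'EOF'
BootCurrent: 0002
Timeout: 0 seconds
BootOrder: 0002,0004,0001
Boot0001* ubuntu	HD(1,GPT,<guid>)/File(\EFI\ubuntu\shimx64.efi)
Boot0002* UEFI PXEv4	PciRoot(0x0)/Pci(0x3,0x0)/MAC(<mac>,0)/IPv4(0.0.0.0)
Boot0004* CentOS Linux	HD(1,GPT,<guid>)/File(\EFI\centos\shimx64.efi)
EOF
}

# next_boot_entry FROM: read efibootmgr output on stdin and print the first
# active entry that follows FROM in BootOrder, i.e. the entry the firmware
# should try once the loader started from FROM returns. Inactive entries
# (no "*" after the number) are skipped. Returns non-zero if nothing follows.
next_boot_entry() {
    awk -v from="$1" '
    /^BootOrder:/ { n = split($2, order, ","); next }
    /^Boot[0-9A-F][0-9A-F][0-9A-F][0-9A-F]/ {
        id = substr($0, 5, 4)                    # four hex digits after "Boot"
        active[id] = (substr($0, 9, 1) == "*")   # "*" marks an active entry
        desc[id] = substr($0, 11)                # label and device path
    }
    END {
        # Locate FROM in BootOrder, then scan the entries after it.
        for (i = 1; i <= n; i++) if (order[i] == from) break
        for (i++; i <= n; i++)
            if (active[order[i]]) { print order[i] "\t" desc[order[i]]; exit 0 }
        exit 1
    }'
}

# On a deployed machine: efibootmgr -v | next_boot_entry 0002
sample_efibootmgr | next_boot_entry 0002
```

The printed loader path shows which shim the fallback will land on; a non-zero exit status means no active entry follows, so `exit 1` would have nothing in BootOrder to fall back to.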