Allow support of Secure Boot without touching NVRAM
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
shim (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
This concerns shim 13-0ubuntu2 in Ubuntu 18.04/bionic.
(Note: I am not entirely clear on whether this issue belongs to shim, or to grub2; please redirect as appropriate.)
I am installing Ubuntu with EFI support with the following two prerequisites:
1. No changes are made to NVRAM (the system boots via e.g. "ATA HDD0" instead of a dedicated boot option);
2. The EFI removable media path (BOOT/BOOTX64.EFI) is used. (This is kind of required by #1)
I have confirmed that this arrangement can be booted in Secure Boot mode if the following two changes are made:
1. BOOT/fbx64.efi is removed, to eliminate boot-loop behavior (same issue as in https:/
2. grubx64.efi and grub.cfg are copied from ubuntu/ into BOOT/ (as BOOTX64!shim otherwise complains about not being able to find grubx64).
I would like for it to be possible to install Ubuntu in Secure Boot mode in this manner, as the current approach effectively negates the intent of the update_nvram=false debconf selection.
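
The two manual changes described in the report can be scripted as below. This is an added example, not part of the original report and not code from shim or grub2. The function name `prepare_removable_boot` is hypothetical, and the EFI directory passed to it is assumed to contain the `BOOT/` and `ubuntu/` subdirectories named in the report.

```shell
#!/bin/sh
# Added example: apply the report's two changes to an ESP's EFI directory.
# Only files are edited; no EFI variables (NVRAM) are read or written.

prepare_removable_boot() {
    efi_dir=$1                      # assumption: directory holding BOOT/ and ubuntu/
    boot_dir="$efi_dir/BOOT"
    ubuntu_dir="$efi_dir/ubuntu"

    # Refuse to change anything unless the layout from the report is present.
    if [ ! -f "$boot_dir/BOOTX64.EFI" ]; then
        echo "missing $boot_dir/BOOTX64.EFI" >&2
        return 1
    fi
    for f in grubx64.efi grub.cfg; do
        if [ ! -f "$ubuntu_dir/$f" ]; then
            echo "missing $ubuntu_dir/$f" >&2
            return 1
        fi
    done

    # Change 1: remove BOOT/fbx64.efi, which the report ties to the boot loop.
    rm -f "$boot_dir/fbx64.efi" || return 1

    # Change 2: copy grubx64.efi and grub.cfg from ubuntu/ into BOOT/.
    for f in grubx64.efi grub.cfg; do
        cp "$ubuntu_dir/$f" "$boot_dir/$f" || return 1
        # The copy must be byte-identical: a truncated or altered grubx64.efi
        # would no longer carry a valid signature for Secure Boot to verify.
        if ! cmp -s "$ubuntu_dir/$f" "$boot_dir/$f"; then
            echo "copy of $f differs from source" >&2
            return 1
        fi
    done
    return 0
}

# Run against a directory only when one is given on the command line.
if [ "$#" -gt 0 ]; then
    prepare_removable_boot "$1"
fi
```

The function is idempotent, so it can be re-run after a package update that rewrites either directory.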