Allow support of Secure Boot without touching NVRAM

Bug #1783057 reported by Daniel Richard G.
This bug affects 1 person
Affects: shim (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

This concerns shim 13-0ubuntu2 in Ubuntu 18.04/bionic.

(Note: I am not entirely clear on whether this issue belongs to shim, or to grub2; please redirect as appropriate.)

I am installing Ubuntu with EFI support with the following two prerequisites:

  1. No changes are made to NVRAM (the system boots via e.g. "ATA HDD0" instead of a dedicated boot option);

  2. The EFI removable media path (BOOT/BOOTX64.EFI) is used. (This is kind of required by #1)

I have confirmed that this arrangement can be booted in Secure Boot mode if the following two changes are made:

  1. BOOT/fbx64.efi is removed, to eliminate boot-loop behavior (same issue as in https://launchpad.net/bugs/1750351, only unlocking the boot order is not an option), and

  2. grubx64.efi and grub.cfg are copied from ubuntu/ into BOOT/ (as BOOTX64!shim otherwise complains about not being able to find grubx64).

I would like for it to be possible to install Ubuntu in Secure Boot mode in this manner, as the current approach effectively negates the intent of the update_nvram=false debconf selection.
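
The layout described in the report can be audited with a small shell function. This is an added example, not part of the original report or of shim/grub2; the function name `check_removable_esp`, its argument (the ESP's EFI directory, e.g. under an assumed mount point such as /boot/efi/EFI), and the extra check that the copies in BOOT/ still match ubuntu/ are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit an ESP for the removable-path layout from the report.
# Argument: path to the ESP's EFI directory (assumed, e.g. /boot/efi/EFI).
# Returns 0 when the layout matches; prints one line per finding otherwise.
check_removable_esp() {
    efi_dir=$1
    boot_dir="$efi_dir/BOOT"      # removable media path
    vendor_dir="$efi_dir/ubuntu"  # where the installer puts grub
    problems=0

    # shim must be present as the removable-media loader.
    if [ ! -f "$boot_dir/BOOTX64.EFI" ]; then
        echo "MISSING: BOOT/BOOTX64.EFI"
        problems=$((problems + 1))
    fi

    # The report removes fbx64.efi to stop the boot-loop behavior.
    if [ -e "$boot_dir/fbx64.efi" ]; then
        echo "PRESENT: BOOT/fbx64.efi"
        problems=$((problems + 1))
    fi

    # grubx64.efi and grub.cfg must sit next to shim in BOOT/.
    for f in grubx64.efi grub.cfg; do
        if [ ! -f "$boot_dir/$f" ]; then
            echo "MISSING: BOOT/$f"
            problems=$((problems + 1))
        elif [ -f "$vendor_dir/$f" ] && ! cmp -s "$vendor_dir/$f" "$boot_dir/$f"; then
            # Manual copies are not refreshed when ubuntu/ changes.
            echo "STALE: BOOT/$f differs from ubuntu/$f"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}
```

Run it against the mounted ESP after installation and after any update that rewrites ubuntu/, since the copies in BOOT/ are made by hand.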
