The GRUB, except the
chainloader command, works with the UEFI secure
boot and the shim. This functionality is provided by the shim_lock module. It
is recommend to build in this and other required modules into the core.img.
All modules not stored in the core.img and the ACPI tables for the
acpi command have to be signed, e.g. using PGP. Additionally, the
memrw and the
wrmsr commands are
prohibited if the UEFI secure boot is enabled. This is done due to
security reasons. All above mentioned requirements are enforced by the
shim_lock module. And itself it is a persistent module which means that
it cannot be unloaded if it was loaded into the memory.