

19.3 UEFI secure boot and shim support

GRUB, except for the chainloader command, works with UEFI secure boot and shim. This functionality is provided by the shim_lock verifier. It is built into the core.img and is registered if UEFI secure boot is enabled. The ‘shim_lock’ variable is set to ‘y’ when the shim_lock verifier is registered. If it is desired to use UEFI secure boot without shim, one can disable shim_lock by disabling shim verification with the MokSbState UEFI variable or by building the GRUB image with the ‘--disable-shim-lock’ option.
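The following grub.cfg fragment is an added example and is not part of the GRUB manual or the GRUB sources. It uses the ‘shim_lock’ variable described above to report whether the verifier registered and to offer a chainloader entry only when it did not (since chainloader does not work under shim_lock). The menu entry titles and the device and file paths are placeholders.

```grub
# Added example (not from the GRUB manual): act on the shim_lock variable.
# Paths, titles and the device name below are placeholders.

if [ "$shim_lock" = "y" ]; then
    echo "shim_lock verifier registered: UEFI secure boot with shim is active"
else
    echo "shim_lock verifier not registered"
fi

# This entry is always offered; the kernel and initrd must carry valid
# signatures when shim_lock is registered.
menuentry "Linux (signed kernel)" {
    linux /vmlinuz-PLACEHOLDER root=/dev/PLACEHOLDER
    initrd /initrd-PLACEHOLDER
}

# chainloader does not work with shim_lock, so only show this entry when
# the verifier is not registered.
if [ "$shim_lock" != "y" ]; then
    menuentry "Other bootloader (chainload)" {
        chainloader /EFI/PLACEHOLDER/bootloader.efi
    }
fi
```

Because the variable is set by the verifier at registration time, the check reflects the actual boot path rather than a value an administrator had to maintain by hand.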

All GRUB modules not stored in the core.img, OS kernels, ACPI tables, Device Trees, etc. have to be signed, e.g., using PGP. Additionally, the commands that can be used to subvert the UEFI secure boot mechanism, such as iorw and memrw, will not be available when UEFI secure boot is enabled. This is done for security reasons and is enforced by the GRUB Lockdown mechanism (see Lockdown).