The GRUB, except the
chainloader command, works with the UEFI secure
boot and the shim. This functionality is provided by the shim_lock verifier. It
is built into the core.img and is registered if the UEFI secure boot is
enabled. The ‘shim_lock’ variable is set to ‘y’ when shim_lock verifier
is registered. If it is desired to use UEFI secure boot without shim, one can
disable shim_lock by disabling shim verification with MokSbState UEFI variable
or by building grub image with ‘--disable-shim-lock’ option.
All GRUB modules not stored in the core.img, OS kernels, ACPI tables,
Device Trees, etc. have to be signed, e.g, using PGP. Additionally, the commands
that can be used to subvert the UEFI secure boot mechanism, such as
memrw will not be available when the UEFI secure boot is enabled.
This is done for security reasons and are enforced by the GRUB Lockdown mechanism