grub: UEFI secure boot and shim

 
 18.3 UEFI secure boot and shim support
 ======================================
 
 GRUB, except for the 'chainloader' command, works with UEFI secure
 boot and shim.  This functionality is provided by the shim_lock
 verifier.  It is built into the 'core.img' and is registered if UEFI
 secure boot is enabled.  The 'shim_lock' variable is set to 'y' when
 the shim_lock verifier is registered.  To use UEFI secure boot
 without shim, one can disable shim_lock by disabling shim
 verification with the MokSbState UEFI variable or by building the
 GRUB image with the '--disable-shim-lock' option.
 
    All GRUB modules not stored in the 'core.img', OS kernels, ACPI
 tables, Device Trees, etc. have to be signed, e.g., using PGP.
 Additionally, commands that can be used to subvert the UEFI secure
 boot mechanism, such as 'iorw' and 'memrw', will not be available when
 UEFI secure boot is enabled.  This is done for security reasons and
 is enforced by the GRUB Lockdown mechanism (⇒Lockdown).
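
 As an added example (not part of the GRUB manual or the GRUB project), the shell function below reads the firmware variables from a running Linux system to report whether the shim_lock verifier should be expected to be registered.  The efivarfs path and layout, the two GUIDs, and the 'MokSBStateRT' runtime copy of the shim verification setting are assumptions about the platform; an image built with '--disable-shim-lock' cannot be detected this way.

```shell
#!/bin/sh
# Added example: classify the firmware state that decides whether GRUB
# registers the shim_lock verifier. Names and GUIDs are assumptions about
# the platform. efivarfs files hold 4 attribute bytes, then the data.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c  # UEFI global variable GUID
SHIM_GUID=605dab50-e046-4300-abb6-3dd810dd8b23   # shim vendor GUID (assumed)

# efi_byte DIR NAME-GUID: print the first data byte as a decimal number,
# or nothing if the variable is absent or carries no data.
efi_byte() {
    [ -r "$1/$2" ] || return 0
    od -An -tu1 -j4 -N1 "$1/$2" | tr -d ' \n'
}

# sb_state [DIR]: print one of
#   no-efi | secure-boot-off | shim-validation-disabled | shim-lock-expected
# DIR defaults to the live efivarfs mount; a test directory may be passed.
sb_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    [ -d "$dir" ] || { echo no-efi; return; }
    sb=$(efi_byte "$dir" "SecureBoot-$EFI_GLOBAL")
    setup=$(efi_byte "$dir" "SetupMode-$EFI_GLOBAL")
    # Assumed runtime mirror of the shim verification state; 1 = disabled.
    mok=$(efi_byte "$dir" "MokSBStateRT-$SHIM_GUID")
    if [ "$sb" != 1 ] || [ "$setup" = 1 ]; then
        echo secure-boot-off            # verifier is not registered
    elif [ "$mok" = 1 ]; then
        echo shim-validation-disabled   # secure boot on, shim check off
    else
        echo shim-lock-expected         # unless built with --disable-shim-lock
    fi
}
```

 Calling 'sb_state' with no argument inspects the running system; the result can be compared with the 'shim_lock' variable seen at the GRUB prompt.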