
I have a Wake-on-LAN situation where I'd like GRUB to make a network request to decide "should I boot Windows?", perhaps by load_env (http,192.168.1.123)/grubenv (so I can write that file just before waking the machine). Unfortunately the default Ubuntu-signed GRUB lacks modules such as http and tftp, and with Secure Boot on, it will refuse to load them from disk.

So I thought enrolling a MOK and signing a standalone version of GRUB would be a solution, but I'm getting a blue text-mode dialog that I believe comes from the shim, saying:

Verification failed: (0x1A) Security Violation

There are subsequent "Shim UEFI key management" dialogs through which I can enroll the hash of grubx64.efi, but, weirdly, having done that I still get the same result on the next boot, and the presented hash did not match a direct sha256sum of grubx64.efi or any other file in /boot/efi.

My MOK has "X509v3 Extended Key Usage: Code Signing, 1.3.6.1.4.1.311.10.3.6" i.e. does not have the "1.3.6.1.4.1.2312.16.1.2" ID like the distro-generated ones which would restrict it to kernel-module signing.

Here's what I did:

# cat >grub-initial.cfg <<EOF
search.fs_uuid [……/boot uuid……] root
set prefix=($root)/grub
configfile $prefix/grub.cfg
EOF

# MODULES="tpm part_gpt lvm ext2 fat chain linux efifwsetup \
  efi_uga efi_gop efinet configfile normal gzio gfxterm ls cat \
  test echo http gfxterm_background png gfxterm_menu gfxmenu \
  sleep videoinfo gettext loadenv search luks password_pbkdf2 \
  extcmd terminal play linuxefi search_fs_uuid search_label \
  search_fs_file regexp reboot halt memdisk lsefi"

# grub-mkstandalone --compress=xz -O x86_64-efi -o grubx64.unsigned \
  --install-modules="$MODULES" --modules="$MODULES" --themes="" \
  --locales="en@quot" boot/grub/grub.cfg=grub-initial.cfg

# sbsign --key /etc/keys/MOK.priv --cert /etc/keys/MOK.pem \
  --output grubx64.efi grubx64.unsigned

# mokutil --test-key /etc/keys/MOK.der
/etc/keys/MOK.der is already enrolled

# sbverify --cert /etc/keys/MOK.pem /boot/efi/EFI/bifrost/grubx64.efi
Signature verification OK

# mkdir /boot/efi/EFI/bifrost
# cp grubx64.efi /boot/efi/EFI/bifrost/
# cp /boot/efi/EFI/ubuntu/{shimx64.efi,mmx64.efi} /boot/efi/EFI/bifrost/

# efibootmgr -c -d /dev/nvme0n1p1 -L "bifrost auto select" -l "\EFI\bifrost\shimx64.efi"

# efibootmgr -v
[…]
Boot0001* bifrost auto select   HD(1,GPT,[……ESP uuid……],0x800,0x82000)/File(\EFI\BIFROST\SHIMX64.EFI)
Boot0002* ubuntu    HD(1,GPT,[……ESP uuid……],0x800,0x82000)/File(\EFI\UBUNTU\SHIMX64.EFI)..BO
[…]

...and then reboot and manually choose the new boot entry, for now.

What I think is happening:

  • When booting stock GRUB: Boot0002 -> Ubuntu shim -> Ubuntu GRUB -> Linux or Windows
  • When booting local GRUB: Boot0001 -> copy of Ubuntu shim -> rejects my GRUB but I don't know why

Possible theories:

  • I'm somehow booting some other shim somewhere?
  • The copied Ubuntu shim is trying to boot something other than the grubx64.efi next to it?
  • The copied Ubuntu shim is somehow expecting different keys from what mokutil is looking at?
  • …or, most likely, I've misunderstood something.

1 Answer


It turned out I needed to add SBAT (Secure Boot Advanced Targeting) which is basically a form of version information so that signatures on vulnerable software can be more efficiently revoked. As mentioned on the Arch wiki, shim version 15.3 onwards will not launch EFI binaries without a valid .sbat section. Both grub-mkstandalone that I used above and grub-mkimage have an option to add it:

--sbat some-sbat-file.csv

The first link above includes several example SBAT CSV files. I thought it best to use the information from the Ubuntu GRUB package I was using, which did not package this information as a separate file, but it can be extracted:

objcopy -O binary --only-section=.sbat grubx64.efi /dev/stdout
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.ubuntu,1,Ubuntu,grub2,2.06-2ubuntu14.1,https://www.ubuntu.com/

