Re: GRUB can't chainload Windows under Secure Boot

[Andrei Borzenkov]

09.12.2016 00:19, Giovanni Santini пишет:
> Il 08/12/2016 19:44, Andrei Borzenkov ha scritto:
>>
>> Works just as fine. I get your error if I attempt to load unsigned image
>> (for which no hash was enrolled).
>>
> 
> What did you exactly do?

Downloaded binary x86_64-efi grub, created grub.efi using
grub-mkstandalone, saved it as \EFI\BOOT\loader.efi, enrolled hash.

> I tried again to boot from GRUB, using also CLI for loading Windows Boot
> Manager (the only difference in the commands were to set root as
> 'hd0,gpt1' as my EFI partition is the first one).
> I am also sure I've enrolled bootmgfw.efi with HashRoll...

Should not be necessary, it is already signed by Microsoft so should be
accepted by firmware.

> I am still on normal grub, not latest git sources; also, I've installed
> grub not in a standalone way, but with the normal grub install.

Well, normal grub-install knows nothing about loader.efi. So probably
now is your turn to explain what you did exactly.

> Not sure what should I try on my side.
> 
Edit grub-core/loader/efi/chainloader.c, print EFI status when loading
fails, then we at least know why it fails. This is in function
grub_cmd_chainloader, after call to b->load_image.

  status = efi_call_6 (b->load_image, 0, grub_efi_image_handle, file_path,
                       boot_image, size,
                       &image_handle);
  if (status != GRUB_EFI_SUCCESS)
    {
      if (status == GRUB_EFI_OUT_OF_RESOURCES)
        grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of resources");
      else
        grub_error (GRUB_ERR_BAD_OS, "cannot load image");

      goto fail;
    }

Change to

grub_error (GRUB_ERROR_BAD_OS, "cannot load image: %08x", status)