grub: UEFI secure boot and shim
18.3 UEFI secure boot and shim support
======================================
GRUB, with the exception of the 'chainloader' command, works with UEFI
secure boot and shim. This functionality is provided by the shim_lock
verifier. It is built into 'core.img' and is registered if UEFI secure
boot is enabled. The 'shim_lock' variable is set to 'y' when the
shim_lock verifier is registered. If it is desired to use UEFI secure
boot without shim, shim_lock can be disabled either by disabling shim
verification with the MokSbState UEFI variable or by building the GRUB
image with the '--disable-shim-lock' option.

All GRUB modules not stored in 'core.img', OS kernels, ACPI tables,
Device Trees, etc. have to be signed, e.g., using PGP. Additionally,
the commands that can be used to subvert the UEFI secure boot
mechanism, such as 'iorw' and 'memrw', will not be available when UEFI
secure boot is enabled. This is done for security reasons and is
enforced by the GRUB Lockdown mechanism (⇒Lockdown).
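As an added defender-side check that is not part of the GRUB manual, the following POSIX shell script reads the SecureBoot and MokSbState variables from the Linux efivarfs to report whether shim verification, and with it GRUB's shim_lock verifier, is in force on a host. The variable GUIDs and the 'EFIVARS' path are assumptions taken from the UEFI specification and shim, not from this page.

```shell
#!/bin/sh
# Added example: audit UEFI Secure Boot state and the MokSbState override
# from Linux. Each efivarfs file is 4 bytes of attributes followed by data.

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
# Assumed GUIDs: EFI global variable GUID (SecureBoot) and shim's
# SHIM_LOCK_GUID (MokSbState).
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
MOK_VAR="MokSbState-605dab50-e046-4300-abb6-3dd810dd8b23"

# efivar_byte FILE: print the first data byte (after the 4-byte attribute
# header) as a decimal number, or "absent" if the variable does not exist.
efivar_byte() {
    if [ ! -r "$1" ]; then
        echo absent
        return
    fi
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# sb_state DIR: classify the boot chain.
#   enforcing     SecureBoot=1 and MokSbState absent or 0 (shim_lock active)
#   shim-disabled SecureBoot=1 but MokSbState=1 (shim verification switched
#                 off, so GRUB will not register shim_lock)
#   off           SecureBoot=0
#   unknown       SecureBoot variable absent or malformed
sb_state() {
    dir=$1
    sb=$(efivar_byte "$dir/$SB_VAR")
    mok=$(efivar_byte "$dir/$MOK_VAR")
    case "$sb" in
        absent) echo unknown ;;
        0) echo off ;;
        1) if [ "$mok" = 1 ]; then echo shim-disabled; else echo enforcing; fi ;;
        *) echo unknown ;;
    esac
}

# Run stand-alone against the live system (prints one of the states above).
sb_state "$EFIVARS"
```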