From 7e80c4cc4eece321aeefb7bbd792906024e66733 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Fri, 20 Feb 2026 12:13:49 +0100 Subject: [PATCH] build_library: grub: Bring back linuxefi to stabilize PCR4 With grubs linux command, the kernel image is measured to PCR4 when SecureBoot is enabled but not measured when SecureBoot is enabled. I don't think is intentional, since SecureBoot state is measured to PCR7. Try to switch to linuxefi again, since we're back on the common rhboot grub codebase. --- build_library/grub.cfg | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/build_library/grub.cfg b/build_library/grub.cfg index 11743bbb8f..77b083ff07 100644 --- a/build_library/grub.cfg +++ b/build_library/grub.cfg @@ -94,6 +94,12 @@ if [ "$grub_cpu" = arm64 ]; then fi set suf="" +# UEFI uses linuxefi/initrdefi instead of linux/initrd except for arm64 +if [ "$grub_platform" = efi ]; then + if [ "$grub_cpu" != arm64 ]; then + set suf="efi" + fi +fi # Assemble the options applicable to all the kernels below set linux_cmdline="rootflags=rw mount.usrflags=ro consoleblank=0 $linux_root $linux_console $first_boot $randomize_disk_guid $extra_options $oem $linux_append"