How to remove "Secure Boot chain-loading bootloader (Microsoft-signed binary)"?

Solution 1:

You can use "Method 2 - Disable Secure Boot in shim-signed" of https://wiki.ubuntu.com/UEFI/SecureBoot/DKMS. You will need to install mokutil. Please post feedback if you try this.

Or "Method 3 - Disable Secure Boot from BIOS".

Note that shim-signed is not "undesirable", see this for an explanation of its origin. And if you were to use Secure Boot, you'd rather have shim-signed updated.
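As an added example (not code from this answer or from the Ubuntu wiki), a small POSIX shell helper for confirming the firmware's Secure Boot state before and after Method 2 is applied or reverted. It assumes the standard efivarfs path of the SecureBoot variable, the efivarfs layout of four attribute bytes followed by the variable data, and the wording mokutil prints for `--sb-state`; the sample variable files are constructed.

```shell
#!/bin/sh
# Added example: report the firmware's Secure Boot state two ways, so the
# state can be checked before and after toggling shim validation (Method 2).
# Assumption: standard efivarfs path and layout (4 attribute bytes + 1 data byte).

SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Decode a SecureBoot efivar file: the data byte is 1 (enabled) or 0 (disabled).
sb_state_from_file() {
  [ -r "$1" ] || { echo unknown; return 1; }
  byte=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
  case "$byte" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown; return 1 ;;
  esac
}

# Normalise the text printed by "mokutil --sb-state" to the same two words.
sb_state_from_mokutil_output() {
  case "$1" in
    *"SecureBoot enabled"*)  echo enabled ;;
    *"SecureBoot disabled"*) echo disabled ;;
    *) echo unknown; return 1 ;;
  esac
}

# Prefer mokutil when installed (the answer says Method 2 needs it),
# otherwise read the EFI variable directly.
current_sb_state() {
  if command -v mokutil >/dev/null 2>&1; then
    sb_state_from_mokutil_output "$(mokutil --sb-state 2>&1)"
  else
    sb_state_from_file "$SB_VAR"
  fi
}

# Method 2 changes only shim's behaviour, not the firmware setting:
#   sudo mokutil --disable-validation   # shim stops verifying what it loads; confirmed in MokManager at next boot
#   sudo mokutil --enable-validation    # revert
# so this helper keeps reporting "enabled" afterwards; only the firmware
# setting (Method 3) changes what it reports.
echo "Secure Boot (firmware): $(current_sb_state)"
```

While shim validation is disabled, the firmware still verifies shim itself but nothing after it is signature-checked, which is why re-enabling validation once the unsigned module is no longer needed is the safer end state.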

Solution 2:

~ tl;dr: ~

While I generally sympathize with the sentiment, I am positive that you are taking the wrong approach here. In fact, it will put you much further from your end goal than you are.

If you are using that chainloader in secure, then your environment is already as "MS-signature-free" as it can get. You have one forged MS signature which lends itself to everything it loads during boot, recursively. In other words, everything.

Another (temporary) solution: turn off SecureBoot. This way, neither this bootloader nor any other MS-signed binaries. Only works if it is still a BIOS setting on your machine. Many newer PCs and laptops are being outfitted with "SecureBoot Only" BIOS systems without a legacy option.

~ Explanation: 2 things. ~

Thing 1:

First of all, in a Linux environment, "Microsoft signed" does not necessarily mean it is really signed by Microsoft. It just means that someone made it look like it is. We do this to software that will run during the boot process so that it will run without restrictions in an environment where SecureBoot (SB) is enabled.

That is all SecureBoot really is. It doesn't secure anything. It just cuts off privileges, such as internet access, to processes running code during boot that is not tied to an MS digital signature.

Unfortunately, the software that runs at boot time is some of the most system-critical software on your computer. For one thing, most of the firmware is loaded at that time. This provides access to physical resources, among other things.

So if you have SecureBoot enabled and you have internet, you are most likely running signed software. As far as I know, Ubuntu has not yet taken the leap and started forging the kernel modules. Or have they?

Thing 2:

One way to get around the "Only signed code during boot" rule of SB is to chain load your software. With a chain loader, trust falls back to the first link in the chain. For you this is the boot loader.

For one (more) thing, this means that if you delete it, SecureBoot will not work.

Actually, that is wrong. If you delete it, Secure boot will work, and that is much worse, imo. This point is important, as it lies at the heart of this answer.

One cannot help but notice the irony here. This answer can best be summarized with the following statement:

~ TAKEAWAY ~

In your question, you make a point of explicitly stating

I don't want to allow any Microsoft signed binaries to be executed during boot...

If this is your end goal, and you are running a SecureBoot-enabled environment, the SecureBoot chain-loading bootloader (Canonical signed??) is the only thing keeping you from needing to swap out every boot-time program on your system for the Microsoft alternative.