rhboot / shim

UEFI shim loader


Testing shim-15.8, cannot start grub

Jurij-Ivastsuk opened this issue · comments

When testing shim-15.8 I got a result that I did not expect. The following constellation:

  1. I have populated the DB, KEK and PK with my own test-certificate in a test machine in BIOS (only one test certificate is available there)
  2. I compiled the shim-15.8 with our vendor-certificate
  3. I signed the newly compiled shim with a test-certificate
  4. I signed grubx64.efi with the same vendor-certificate as compiled with shim

My expectation was that if I can start shim with secure-boot enabled, then grubx64.efi should also be started by shim as a second-stage loader, because grub was signed with the same certificate as the vendor-certificate in shim.
When I started the shim (start was without any problems), grub could not be started with the following error message from shim:

[Screenshot IMG_5349: shim error message shown when grub fails to start]

Who has any idea why it is so and not as expected?

Hi @Jurij-Ivastsuk, did you check the SBAT generation number of your grub?

@dennis-tseng99 Hi, many thanks for the tip! We do not have our own SBAT section in grubx64.efi. That could be the problem. Is the SBAT section of shim compared with the corresponding SBAT section of grub?

Hi @Jurij-Ivastsuk, when loading grub, shim's code also makes use of the verify_sbat_helper() and verify_single_entry() functions to compare the component_name and generation number of grub. It returns EFI_SECURITY_VIOLATION if the comparison fails.
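To make the check described in this reply (and the missing-section situation from the original report) concrete, here is an added example written for this page; it is not shim's own code and was not posted in this thread. It models the policy shim applies to a second-stage loader: parse the CSV in the image's `.sbat` section, parse the "component,generation" revocation policy, and refuse the image if it has no `.sbat` section at all or if any component it carries has a generation number below what the policy requires. The CSV layouts follow rhboot/shim's SBAT.md; the function names (`verify_sbat`, `parse_sbat_section`, `parse_policy`) and all sample section and policy text are constructed for this example, and the reason strings borrow the status name `EFI_SECURITY_VIOLATION` only as a label.

```python
import csv
import io
from typing import Dict, Optional, Tuple

# Constructed sample of the SBAT revocation policy shim enforces (the
# "component,generation" form used by the SbatLevel data). The first line
# records the policy format version and a date stamp; every other line is
# the lowest generation of that component still allowed to boot.
SBAT_POLICY = (
    "sbat,1,2022052400\n"
    "shim,2\n"
    "grub,3\n"
)

# Constructed sample .sbat section from a grub build that meets the policy.
GRUB_SBAT_OK = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    "grub.example,1,Example Vendor,grub2,2.06-1,https://example.invalid/grub\n"
)

# Constructed sample of an older grub build: generation 2 is below the 3
# the policy demands, so the check must refuse it.
GRUB_SBAT_STALE = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,2,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/\n"
)


def _parse_csv(text: str, min_fields: int) -> Dict[str, int]:
    """Parse CSV lines into {component_name: generation}.

    Both the .sbat section and the policy start each line with a component
    name and a decimal generation number; the remaining fields (vendor,
    version, URL, date) are ignored here. Malformed lines raise ValueError
    so that unparsable data is a failure, never a pass.
    """
    entries: Dict[str, int] = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines
        if len(row) < min_fields or not row[1].strip().isdigit():
            raise ValueError(f"malformed SBAT line: {row!r}")
        name = row[0].strip()
        if name in entries:
            raise ValueError(f"duplicate SBAT component: {name}")
        entries[name] = int(row[1])
    if entries.get("sbat") != 1:
        raise ValueError("missing or unsupported 'sbat' header line")
    return entries


def parse_sbat_section(text: str) -> Dict[str, int]:
    """Parse the CSV found in a PE image's .sbat section (6 fields per line)."""
    return _parse_csv(text, min_fields=6)


def parse_policy(text: str) -> Dict[str, int]:
    """Parse the revocation policy (2 or more fields per line)."""
    return _parse_csv(text, min_fields=2)


def verify_sbat(sbat_text: Optional[str], policy_text: str) -> Tuple[bool, str]:
    """Model of the SBAT check applied to a second-stage loader.

    Returns (allowed, reason). Assumption for this example: an image with
    no .sbat section is refused outright, which is the situation the
    original report describes.
    """
    if not sbat_text:
        return False, "EFI_SECURITY_VIOLATION: no .sbat section in image"
    try:
        image = parse_sbat_section(sbat_text)
    except ValueError as exc:
        return False, f"EFI_SECURITY_VIOLATION: {exc}"
    policy = parse_policy(policy_text)
    # Only components named in the policy are constrained; a component that
    # appears in the image but not in the policy has no minimum generation.
    for component, required in policy.items():
        have = image.get(component)
        if have is not None and have < required:
            return False, (f"EFI_SECURITY_VIOLATION: {component} generation "
                           f"{have} is below required {required}")
    return True, "ok"


if __name__ == "__main__":
    for label, section in (("ok", GRUB_SBAT_OK), ("stale", GRUB_SBAT_STALE),
                           ("missing", None)):
        print(label, verify_sbat(section, SBAT_POLICY))
```

Running the block prints one line per sample: the up-to-date build is allowed, the stale build is refused for its grub generation, and the build with no `.sbat` section is refused before any comparison takes place, which matches the outcome seen with the unsigned-for-SBAT grubx64.efi in this issue. Adding a correct `.sbat` section to the grub build is therefore the fix the thread points to, independent of which certificate signed it.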

@dennis-tseng99 Thank you!