---

19.7 Lockdown when booting on a secure setup

The GRUB can be locked down when booted on a secure boot environment, for example if UEFI or Power secure boot is enabled. On a locked down configuration, the GRUB will be restricted and some operations/commands cannot be executed. This also includes limiting which filesystems are supported to those thought to be more robust and widely used within GRUB.

The filesystems currently allowed in lockdown mode include:

• BtrFS
• cpio
• exFAT
• Enhanced Read-Only File System (EROFS)
• Linux ext2/ext3/ext4
• F2FS
• DOS FAT12/FAT16/FAT32
• HFS+
• ISO9660
• Squash4
• tar
• XFS
• ZFS

The filesystems currently not allowed in lockdown mode include:

• Amiga Fast FileSystem (AFFS)
• AtheOS File System (AFS)
• Bee File System (BFS)
• Coreboot File System (CBFS)
• Hierarchical File System (HFS)
• Journaled File System (JFS)
• Minix filesystem
• New Implementation of Log filesystem (nilfs2)
• Windows New Technology File System (NTFS)
• ReiserFS
• Read-Only Memory File System (ROMFS)
• Amiga Smart File System (SFS)
• Universal Disk Format (UDF)
• Unix File System (UFS)

The ‘lockdown’ variable is set to ‘y’ when the GRUB is locked down. Otherwise it does not exist.