[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH v2] Add chainloaded image as shim's verifiable object
|
From: |
Michael Chang |
|
Subject: |
[PATCH v2] Add chainloaded image as shim's verifiable object |
|
Date: |
Fri, 5 Mar 2021 21:48:53 +0800 |
While attempting to dual boot Microsoft Windows with efi chainloader, it
failed with below error when secure boot was enabled.
error ../../grub-core/kern/verifiers.c:119:verification requested but
nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.
It is a regression, as previously it worked without problem.
It turns out chainloading image has been locked down introduced by
578c95298 kern: Add lockdown support
However we should consider it as verifiable object to shim to allow
booting in secure boot enabled mode. The chainloaded image could also
have trusted signature signed by vendor with their pubkey cert in db.
For that matters it's usage should not be locked down in secure boot,
and instead use shim to validate it's signature before running it.
V2:
Keep GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE in the lockdown list as it
ensures at least one verifer has validated the image.
Signed-off-by: Michael Chang <mchang@suse.com>
---
grub-core/kern/efi/sb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 41dadcd14..96d237722 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -129,6 +129,7 @@ shim_lock_verifier_init (grub_file_t io __attribute__
((unused)),
case GRUB_FILE_TYPE_BSD_KERNEL:
case GRUB_FILE_TYPE_XNU_KERNEL:
case GRUB_FILE_TYPE_PLAN9_KERNEL:
+ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
*flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
/* Fall through. */
--
2.26.2
- [PATCH v2] Add chainloaded image as shim's verifiable object,
Michael Chang <=