Re: [PATCH] Add chainloaded image as shim's verifiable object

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] Add chainloaded image as shim's verifiable object

From:	Michael Chang
Subject:	Re: [PATCH] Add chainloaded image as shim's verifiable object
Date:	Fri, 5 Mar 2021 21:19:11 +0800
User-agent:	Mutt/1.10.1 (2018-07-13)

On Fri, Mar 05, 2021 at 01:32:57PM +0100, Thomas Frauendorfer wrote:
> On Fri, Mar 5, 2021 at 1:12 PM Michael Chang via Grub-devel
> <grub-devel@gnu.org> wrote:
> >
> > While attempting to dual boot Microsoft Windows with efi chainloader, it
> > failed with below error when secure boot was enabled.
> >
> > error ../../grub-core/kern/verifiers.c:119:verification requested but
> > nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.
> >
> > It is a regression, as previously it worked without problem.
> >
> > It turns out chainloading image has been locked down introduced by
> >
> > 578c95298 kern: Add lockdown support
> >
> > However we should consider it as verifiable object to shim to allow
> > booting in secure boot enabled mode. The chainloaded image could also
> > have trusted signature signed by vendor with their pubkey cert in db.
> > For that matters it's usage should not be locked down in secure boot,
> > and instead use shim to validate it's signature before running it.
> >
> > Signed-off-by: Michael Chang <mchang@suse.com>
> 
> [cut out]
> 
> >        /* Fall through. */
> > diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
> > index 0bc70fd42..e1fd1c1e2 100644
> > --- a/grub-core/kern/lockdown.c
> > +++ b/grub-core/kern/lockdown.c
> > @@ -48,7 +48,6 @@ lockdown_verifier_init (grub_file_t io __attribute__ 
> > ((unused)),
> >      case GRUB_FILE_TYPE_PXECHAINLOADER:
> >      case GRUB_FILE_TYPE_PCCHAINLOADER:
> >      case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER:
> > -    case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
> >      case GRUB_FILE_TYPE_ACPI_TABLE:
> >      case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
> >        *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
> > --
> > 2.26.2
> 
> The lockdown verifier makes sure that at least one verifer has
> validated the image.
> So removing GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE from it is a very bad idea.

Indeed. I will send second patch for not removing it from lockdown.

Thanks a lot for your review.

Michael

> 
> > _______________________________________________
> > Grub-devel mailing list
> > Grub-devel@gnu.orgthe
> > https://lists.gnu.org/mailman/listinfo/grub-devel
>

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] Add chainloaded image as shim's verifiable object, Michael Chang, 2021/03/05
- Re: [PATCH] Add chainloaded image as shim's verifiable object, Thomas Frauendorfer, 2021/03/05
  - Re: [PATCH] Add chainloaded image as shim's verifiable object, Michael Chang <=
- Re: [PATCH] Add chainloaded image as shim's verifiable object, Dimitri John Ledkov, 2021/03/05
  - Re: [PATCH] Add chainloaded image as shim's verifiable object, Michael Chang, 2021/03/05
    - Re: [PATCH] Add chainloaded image as shim's verifiable object, Dimitri John Ledkov, 2021/03/05
    - Re: [PATCH] Add chainloaded image as shim's verifiable object, Michael Chang, 2021/03/07
    - Re: [PATCH] Add chainloaded image as shim's verifiable object, Thomas Frauendorfer, 2021/03/09
    - Re: [PATCH] Add chainloaded image as shim's verifiable object, Michael Chang, 2021/03/09

Prev by Date: Re: [PATCH] Add chainloaded image as shim's verifiable object
Next by Date: Re: [PATCH] Add chainloaded image as shim's verifiable object
Previous by thread: Re: [PATCH] Add chainloaded image as shim's verifiable object
Next by thread: Re: [PATCH] Add chainloaded image as shim's verifiable object
Index(es):
- Date
- Thread