[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v2] Add chainloaded image as shim's verifiable object
|
From: |
Daniel Kiper |
|
Subject: |
Re: [PATCH v2] Add chainloaded image as shim's verifiable object |
|
Date: |
Tue, 9 Mar 2021 17:18:22 +0100 |
|
User-agent: |
NeoMutt/20170113 (1.7.2) |
On Fri, Mar 05, 2021 at 09:48:53PM +0800, Michael Chang via Grub-devel wrote:
> While attempting to dual boot Microsoft Windows with efi chainloader, it
> failed with below error when secure boot was enabled.
>
> error ../../grub-core/kern/verifiers.c:119:verification requested but
> nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.
>
> It is a regression, as previously it worked without problem.
>
> It turns out chainloading image has been locked down introduced by
>
> 578c95298 kern: Add lockdown support
>
> However we should consider it as verifiable object to shim to allow
> booting in secure boot enabled mode. The chainloaded image could also
> have trusted signature signed by vendor with their pubkey cert in db.
> For that matters it's usage should not be locked down in secure boot,
> and instead use shim to validate it's signature before running it.
>
> V2:
> Keep GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE in the lockdown list as it
> ensures at least one verifer has validated the image.
>
> Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Daniel