[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v2] Add chainloaded image as shim's verifiable object
From: |
Michael Chang |
Subject: |
Re: [PATCH v2] Add chainloaded image as shim's verifiable object |
Date: |
Wed, 10 Mar 2021 11:56:47 +0800 |
User-agent: |
Mutt/1.10.1 (2018-07-13) |
On Tue, Mar 09, 2021 at 05:18:22PM +0100, Daniel Kiper wrote:
> On Fri, Mar 05, 2021 at 09:48:53PM +0800, Michael Chang via Grub-devel wrote:
> > While attempting to dual boot Microsoft Windows with efi chainloader, it
> > failed with below error when secure boot was enabled.
> >
> > error ../../grub-core/kern/verifiers.c:119:verification requested but
> > nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.
> >
> > It is a regression, as previously it worked without problem.
> >
> > It turns out chainloading image has been locked down introduced by
> >
> > 578c95298 kern: Add lockdown support
> >
> > However we should consider it as verifiable object to shim to allow
> > booting in secure boot enabled mode. The chainloaded image could also
> > have trusted signature signed by vendor with their pubkey cert in db.
> > For that matters it's usage should not be locked down in secure boot,
> > and instead use shim to validate it's signature before running it.
> >
> > V2:
> > Keep GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE in the lockdown list as it
> > ensures at least one verifer has validated the image.
> >
> > Signed-off-by: Michael Chang <mchang@suse.com>
>
> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
May I ask if the patch is planned or going to be merged to the master
hence available in the 2.06-rc1 cut ?
Thanks,
Michael
>
> Daniel
>