Re: IS: 2.06-rc1 cut... WAS: Re: [PATCH v2] Add chainloaded image as shi

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IS: 2.06-rc1 cut... WAS: Re: [PATCH v2] Add chainloaded image as shi

From:	Michael Chang
Subject:	Re: IS: 2.06-rc1 cut... WAS: Re: [PATCH v2] Add chainloaded image as shim's verifiable object
Date:	Thu, 11 Mar 2021 13:56:52 +0800
User-agent:	Mutt/1.10.1 (2018-07-13)

On Wed, Mar 10, 2021 at 05:06:31PM +0100, Daniel Kiper wrote:
> On Wed, Mar 10, 2021 at 11:56:47AM +0800, Michael Chang via Grub-devel wrote:
> > On Tue, Mar 09, 2021 at 05:18:22PM +0100, Daniel Kiper wrote:
> > > On Fri, Mar 05, 2021 at 09:48:53PM +0800, Michael Chang via Grub-devel 
> > > wrote:
> > > > While attempting to dual boot Microsoft Windows with efi chainloader, it
> > > > failed with below error when secure boot was enabled.
> > > >
> > > > error ../../grub-core/kern/verifiers.c:119:verification requested but
> > > > nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.
> > > >
> > > > It is a regression, as previously it worked without problem.
> > > >
> > > > It turns out chainloading image has been locked down introduced by
> > > >
> > > > 578c95298 kern: Add lockdown support
> > > >
> > > > However we should consider it as verifiable object to shim to allow
> > > > booting in secure boot enabled mode. The chainloaded image could also
> > > > have trusted signature signed by vendor with their pubkey cert in db.
> > > > For that matters it's usage should not be locked down in secure boot,
> > > > and instead use shim to validate it's signature before running it.
> > > >
> > > > V2:
> > > > Keep GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE in the lockdown list as it
> > > > ensures at least one verifer has validated the image.
> > > >
> > > > Signed-off-by: Michael Chang <mchang@suse.com>
> > >
> > > Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
> >
> > May I ask if the patch is planned or going to be merged to the master
> > hence available in the 2.06-rc1 cut ?
> 
> I have just pushed it together with other fixes and cleanups from the
> grub-devel. If you can see something important missing drop me a line
> immediately. Now I am working on 2.06-rc1 cut. If nothing blows up expect
> it tomorrow or on Friday...

Many thanks to picking up the patch. Tested the efi chainloader now
could successfully load and start the signed uefi binary, meanwhile
reject the one with invalid signature in secure boot enabled mode. This
function is restored.

Thanks,
Michael

> 
> Daniel
>

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v2] Add chainloaded image as shim's verifiable object, Michael Chang, 2021/03/05
- Re: [PATCH v2] Add chainloaded image as shim's verifiable object, Daniel Kiper, 2021/03/09
  - Re: [PATCH v2] Add chainloaded image as shim's verifiable object, Michael Chang, 2021/03/09
    - IS: 2.06-rc1 cut... WAS: Re: [PATCH v2] Add chainloaded image as shim's verifiable object, Daniel Kiper, 2021/03/10
    - Re: IS: 2.06-rc1 cut... WAS: Re: [PATCH v2] Add chainloaded image as shim's verifiable object, Didier Spaier, 2021/03/10
    - Re: IS: 2.06-rc1 cut... WAS: Re: [PATCH v2] Add chainloaded image as shim's verifiable object, Michael Chang <=

Prev by Date: Re: IS: 2.06-rc1 cut... WAS: Re: [PATCH v2] Add chainloaded image as shim's verifiable object
Next by Date: [PATCH v2 1/8] linux/arm: fix ARM Linux header layout
Previous by thread: Re: IS: 2.06-rc1 cut... WAS: Re: [PATCH v2] Add chainloaded image as shim's verifiable object
Next by thread: [PATCH] templates: Properly disable the os-prober by default
Index(es):
- Date
- Thread