Re: [PATCH] verifiers: Don't return error for deferred image

[Zhang Boyang]

Hi,

On 2022/12/22 19:14, Leo Yan wrote:
> When boot from menu and the flag GRUB_VERIFY_FLAGS_DEFER_AUTH is set,
> grub returns error:
>
>   Booting a command list
>
>   error: verification requested but nobody cares: (hd0,gpt1)/Image.
>
>   Press any key to continue...
>
> In this case, the image should be deferred for authentication, grub
> should return the file handle and pass down to later firmware (e.g.
> U-Boot, etc) for authentication.

This is probably not what verification framework designed to be. It 
seems to be designed to verify files during GRUB is executing (e.g. 
check file signature if UEFI Secure Boot is enabled).

By the way, I didn't understand what does "return the file handle and 
pass down to later firmware" means. If you means you want GRUB call into 
firmware's function, you can write a verifier to do that and register 
your verifier with grub_verifier_register().

Best Regards,
Zhang Boyang

> For this purpose, rather than returning error, this patch prints log
> and returns file handler.
>
> Signed-off-by: Leo Yan <leo.yan@linaro.org>
> ---
>   grub-core/kern/verifiers.c | 6 +-----
>   1 file changed, 1 insertion(+), 5 deletions(-)
>
> diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c
> index 75d7994cf..ada753e69 100644
> --- a/grub-core/kern/verifiers.c
> +++ b/grub-core/kern/verifiers.c
> @@ -115,11 +115,7 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type 
> type)
>     if (!ver)
>       {
>         if (defer)
> -       {
> -         grub_error (GRUB_ERR_ACCESS_DENIED,
> -                     N_("verification requested but nobody cares: %s"), 
> io->name);
> -         goto fail_noclose;
> -       }
> +       grub_printf("%s verification is deferred\n", io->name);
>   
>         /* No verifiers wanted to verify. Just return underlying file. */
>         return io;