help-grub
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: How to sign fonts?

From: Andrei Borzenkov
Subject: Re: How to sign fonts?
Date: Sun, 12 Feb 2023 19:21:50 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.7.1 
On 12.02.2023 17:18, Siddh Raman Pant wrote:

I recently made a separate partition for /boot because I migrated
my root to btrfs, and this has caused my grub theme to not show
the correct font now.

So I tried to load the font using loadfont on command line, which
throws up "prohibited by secure boot policy". But secure boot was
enabled earlier too, so I'm not sure why this happened.
The error is returned by secure boot (shim) verifier which has whitelist of allowed file types. The file type GRUB_FILE_TYPE_FONT is not listed. 


Some discussion mentioned grub can load signed .pf2 fonts. So, how
to sign the fonts in the first place?
That won't help, if secure boot verifier is enabled it simply does not allow file of type GRUB_FILE_TYPE_FONT. This suggestion may have worked in the past, when grub only used GPG signature to verify files. 


Also, if someone could tell why the font stopped working on making
a separate /boot partition, it would be very helpful.
Likely you installed updated grub version. This is a bug in commit 93a786a00163e50c29f0394df198518617e1c9a5 which intended to enforce verification of fonts, but resulted in fonts being prohibited entirely. Secure boot verifier needs to pass fonts through (which actually invalidates the commit message - end user obviously can create GPG signed fonts). 

commit 93a786a00163e50c29f0394df198518617e1c9a5
Author: Zhang Boyang <zhangboyang.id@gmail.com>
Date:   Sun Aug 14 15:51:54 2022 +0800

    kern/efi/sb: Enforce verification of font files

    As a mitigation and hardening measure enforce verification of font
    files. Then only trusted font files can be load. This will reduce the
    attack surface at cost of losing the ability of end-users to customize
    fonts if e.g. UEFI Secure Boot is enabled. Vendors can always customize
    fonts because they have ability to pack fonts into their GRUB bundles.

    This goal is achieved by:

      * Removing GRUB_FILE_TYPE_FONT from shim lock verifier's
        skip-verification list.

      * Adding GRUB_FILE_TYPE_FONT to lockdown verifier's defer-auth list,
so font files must be verified by a verifier before they can be loaded. 

    Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
    Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
    Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
reply via email to
[Prev in Thread] Current Thread [Next in Thread]