From: Michael Chang
To: Daniel Kiper
Cc: grub-devel@gnu.org, dimitri.ledkov@canonical.com, javierm@redhat.com, thomas.frauendorfer@gmail.com
Subject: Re: [PATCH v2] Add chainloaded image as shim's verifiable object
Date: Wed, 10 Mar 2021 11:56:47 +0800
Message-ID: <20210310035647.GA6796@mercury>
In-Reply-To: <20210309161822.bokjfdo6jjilqxfx@tomti.i.net-space.pl>
References: <20210305134853.32586-1-mchang@suse.com> <20210309161822.bokjfdo6jjilqxfx@tomti.i.net-space.pl>
List-Id: The development of GNU GRUB
On Tue, Mar 09, 2021 at 05:18:22PM +0100, Daniel Kiper wrote:
> On Fri, Mar 05, 2021 at 09:48:53PM +0800, Michael Chang via Grub-devel wrote:
> > While attempting to dual boot Microsoft Windows with efi chainloader, it
> > failed with below error when secure boot was enabled.
> >
> > error ../../grub-core/kern/verifiers.c:119:verification requested but
> > nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.
> >
> > It is a regression, as previously it worked without problem.
> >
> > It turns out chainloading image has been locked down introduced by
> >
> > 578c95298 kern: Add lockdown support
> >
> > However we should consider it as verifiable object to shim to allow
> > booting in secure boot enabled mode. The chainloaded image could also
> > have trusted signature signed by vendor with their pubkey cert in db.
> > For that matter its usage should not be locked down in secure boot,
> > and instead use shim to validate its signature before running it.
> >
> > V2:
> > Keep GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE in the lockdown list as it
> > ensures at least one verifier has validated the image.
> >
> > Signed-off-by: Michael Chang
>
> Reviewed-by: Daniel Kiper

May I ask if the patch is planned or going to be merged to the master hence
available in the 2.06-rc1 cut ?

Thanks,
Michael

>
> Daniel
>
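The quoted commit message describes two rules that interact: under lockdown a file type on the lockdown list must be validated by at least one verifier or loading fails with "verification requested but nobody cares", and the fix is to have the shim_lock verifier claim the chainloaded image type rather than to drop that type from the list. The following is an added, simplified model of that dispatch written for this archive page; it is not GRUB's code and not the patch. The enum names, the `verifiers_open` function, the `claims` table and the marker-byte stand-in for shim's signature check are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical file types (GRUB has a much larger set). */
enum file_type { FT_LINUX_KERNEL, FT_EFI_CHAINLOADED_IMAGE, FT_FONT, FT_COUNT };

/* Outcome of opening a file through the verifier layer. */
enum verify_result { VR_OK, VR_REJECTED, VR_NOBODY_CARES };

/* A verifier: the types it claims and a predicate standing in for the real
 * signature check. Constructed: "signed" means the first byte is 'S'; no
 * real PE/Authenticode parsing happens here. */
struct verifier {
  const char *name;
  bool claims[FT_COUNT];
  bool (*check)(const unsigned char *img, size_t len);
};

static bool fake_shim_check(const unsigned char *img, size_t len) {
  return len > 0 && img[0] == 'S';
}

/* Types that must not load unverified while locked down. The chainloaded
 * image stays on this list, as the V2 note in the thread says. */
static const bool lockdown_types[FT_COUNT] = {
  [FT_LINUX_KERNEL] = true,
  [FT_EFI_CHAINLOADED_IMAGE] = true,
  [FT_FONT] = false,
};

/* Ask each verifier in turn; the first one that claims the type decides.
 * If none claims it and lockdown applies to the type, fail closed. */
enum verify_result verifiers_open(const struct verifier *vers, size_t nvers,
                                  enum file_type type,
                                  const unsigned char *img, size_t len,
                                  bool locked_down)
{
  for (size_t i = 0; i < nvers; i++) {
    if (!vers[i].claims[type])
      continue;                       /* this verifier does not handle the type */
    return vers[i].check(img, len) ? VR_OK : VR_REJECTED;
  }
  if (locked_down && lockdown_types[type])
    return VR_NOBODY_CARES;           /* "verification requested but nobody cares" */
  return VR_OK;                       /* unlisted types load without a verifier */
}

/* Before the patch: shim_lock did not claim chainloaded images. */
static const struct verifier shim_lock_before = {
  .name = "shim_lock",
  .claims = { [FT_LINUX_KERNEL] = true, [FT_EFI_CHAINLOADED_IMAGE] = false },
  .check = fake_shim_check,
};

/* After the patch: the chainloaded image type is added to the claimed set,
 * so shim validates it instead of lockdown refusing it outright. */
static const struct verifier shim_lock_after = {
  .name = "shim_lock",
  .claims = { [FT_LINUX_KERNEL] = true, [FT_EFI_CHAINLOADED_IMAGE] = true },
  .check = fake_shim_check,
};

enum verify_result chainload_before(const unsigned char *img, size_t len) {
  return verifiers_open(&shim_lock_before, 1, FT_EFI_CHAINLOADED_IMAGE, img, len, true);
}

enum verify_result chainload_after(const unsigned char *img, size_t len) {
  return verifiers_open(&shim_lock_after, 1, FT_EFI_CHAINLOADED_IMAGE, img, len, true);
}

int main(void) {
  static const char *names[] = { "ok", "rejected", "nobody cares" };
  const unsigned char signed_img[] = "SIGNED";     /* constructed sample image */
  const unsigned char unsigned_img[] = "Xunsigned"; /* constructed sample image */
  printf("before patch, signed image:   %s\n", names[chainload_before(signed_img, 6)]);
  printf("after patch, signed image:    %s\n", names[chainload_after(signed_img, 6)]);
  printf("after patch, unsigned image:  %s\n", names[chainload_after(unsigned_img, 9)]);
  return 0;
}
```

The point the model makes is the one in the V2 note: removing the type from the lockdown list would let an unverified image through, while adding it to the verifier's claimed set keeps the fail-closed rule and routes the decision to shim.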