From: Michael Chang <mchang@suse.com>
To: Daniel Kiper <dkiper@net-space.pl>
Cc: grub-devel@gnu.org, dimitri.ledkov@canonical.com,
javierm@redhat.com, thomas.frauendorfer@gmail.com
Subject: Re: IS: 2.06-rc1 cut... WAS: Re: [PATCH v2] Add chainloaded image as shim's verifiable object
Date: Thu, 11 Mar 2021 13:56:52 +0800 [thread overview]
Message-ID: <20210311055652.GA622@mercury> (raw)
In-Reply-To: <20210310160631.quwlvne2b2wkcadr@tomti.i.net-space.pl>
On Wed, Mar 10, 2021 at 05:06:31PM +0100, Daniel Kiper wrote:
> On Wed, Mar 10, 2021 at 11:56:47AM +0800, Michael Chang via Grub-devel wrote:
> > On Tue, Mar 09, 2021 at 05:18:22PM +0100, Daniel Kiper wrote:
> > > On Fri, Mar 05, 2021 at 09:48:53PM +0800, Michael Chang via Grub-devel wrote:
> > > > While attempting to dual boot Microsoft Windows with efi chainloader, it
> > > > failed with below error when secure boot was enabled.
> > > >
> > > > error ../../grub-core/kern/verifiers.c:119:verification requested but
> > > > nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.
> > > >
> > > > It is a regression, as previously it worked without problem.
> > > >
> > > > It turns out chainloading image has been locked down introduced by
> > > >
> > > > 578c95298 kern: Add lockdown support
> > > >
> > > > However we should consider it as verifiable object to shim to allow
> > > > booting in secure boot enabled mode. The chainloaded image could also
> > > > have trusted signature signed by vendor with their pubkey cert in db.
> > > > For that matters it's usage should not be locked down in secure boot,
> > > > and instead use shim to validate it's signature before running it.
> > > >
> > > > V2:
> > > > Keep GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE in the lockdown list as it
> > > > ensures at least one verifer has validated the image.
> > > >
> > > > Signed-off-by: Michael Chang <mchang@suse.com>
> > >
> > > Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
> >
> > May I ask if the patch is planned or going to be merged to the master
> > hence available in the 2.06-rc1 cut ?
>
> I have just pushed it together with other fixes and cleanups from the
> grub-devel. If you can see something important missing drop me a line
> immediately. Now I am working on 2.06-rc1 cut. If nothing blows up expect
> it tomorrow or on Friday...
Many thanks to picking up the patch. Tested the efi chainloader now
could successfully load and start the signed uefi binary, meanwhile
reject the one with invalid signature in secure boot enabled mode. This
function is restored.
Thanks,
Michael
>
> Daniel
>
prev parent reply other threads:[~2021-03-11 5:57 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-05 13:48 [PATCH v2] Add chainloaded image as shim's verifiable object Michael Chang
2021-03-09 16:18 ` Daniel Kiper
2021-03-10 3:56 ` Michael Chang
2021-03-10 16:06 ` IS: 2.06-rc1 cut... WAS: " Daniel Kiper
2021-03-10 18:50 ` Didier Spaier
2021-03-11 5:56 ` Michael Chang [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210311055652.GA622@mercury \
--to=mchang@suse.com \
--cc=dimitri.ledkov@canonical.com \
--cc=dkiper@net-space.pl \
--cc=grub-devel@gnu.org \
--cc=javierm@redhat.com \
--cc=thomas.frauendorfer@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.