From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
To: grub-devel@gnu.org
Cc: dja@axtens.net, jan.setjeeilers@oracle.com,
julian.klode@canonical.com, mate.kukri@canonical.com,
pjones@redhat.com, msuchanek@suse.com, mlewando@redhat.com,
stefanb@linux.ibm.com, avnish@linux.ibm.com, nayna@linux.ibm.com,
ssrish@linux.ibm.com, Sudhakar Kuppusamy <sudhakar@linux.ibm.com>,
sridharm@linux.ibm.com
Subject: [PATCH v10 17/22] appended signatures: Read default db keys from the ELF Note
Date: Tue, 9 Sep 2025 17:15:25 +0530 [thread overview]
Message-ID: <20250909114530.36863-18-sudhakar@linux.ibm.com> (raw)
In-Reply-To: <20250909114530.36863-1-sudhakar@linux.ibm.com>
If secure boot is enabled with dynamic key management mode and the
use_static_keys flag is set, then read the static keys as a db default
keys from the GRUB ELF Note and add them into the db list.
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
---
grub-core/commands/appendedsig/appendedsig.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c
index 98b9e42db..476c2241d 100644
--- a/grub-core/commands/appendedsig/appendedsig.c
+++ b/grub-core/commands/appendedsig/appendedsig.c
@@ -1135,9 +1135,19 @@ create_dbs_from_pks (void)
if (err != GRUB_ERR_NONE)
grub_printf ("warning: dbx list might not be fully populated\n");
- err = load_pks2db ();
- if (err != GRUB_ERR_NONE)
- grub_printf ("warning: db list might not be fully populated\n");
+ /*
+ * The static keys from the GRUB ELF Note are populated in the db list
+ * if use_static_keys falg is set to true when secure boot is enabled
+ * with dynamic key management.
+ */
+ if (pks_keystore->use_static_keys == true)
+ load_elf2db ();
+ else
+ {
+ err = load_pks2db ();
+ if (err != GRUB_ERR_NONE)
+ grub_printf ("warning: db list might not be fully populated\n");
+ }
grub_pks_tmp_free ();
grub_dprintf ("appendedsig", "the db list now has %u keys\n"
--
2.39.5 (Apple Git-154)
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
next prev parent reply other threads:[~2025-09-09 11:49 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-09 11:45 [PATCH v10 00/22] Appended Signature Secure Boot Support for PowerPC Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 01/22] powerpc-ieee1275: Add support for signing GRUB with an appended signature Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 02/22] crypto: Move storage for grub_crypto_pk_* to crypto.c Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 03/22] pgp: Rename OBJ_TYPE_PUBKEY to OBJ_TYPE_GPG_PUBKEY Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 04/22] grub-install: Support embedding x509 certificates Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 05/22] appended signatures: Import GNUTLS's ASN.1 description files Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 06/22] appended signatures: Parse ASN1 node Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 07/22] appended signatures: Parse PKCS#7 signed data Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 08/22] appended signatures: Parse X.509 certificates Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 09/22] powerpc_ieee1275: Enter lockdown based on /ibm, secure-boot Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 10/22] appended signatures: Support verifying appended signatures Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 11/22] powerpc_ieee1275: Read the db and dbx secure boot variables Sudhakar Kuppusamy
2025-09-11 7:54 ` Srish Srinivasan
2025-09-15 10:43 ` Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 12/22] appended signatures: Introducing key management environment variable Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 13/22] appended signatures: Create db and dbx lists Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 14/22] appended signatures: Using db and dbx lists for signature verification Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 15/22] appended signatures: GRUB commands to manage the certificates Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 16/22] powerpc_ieee1275: Introduce use_static_keys flag Sudhakar Kuppusamy
2025-09-09 11:45 ` Sudhakar Kuppusamy [this message]
2025-09-09 11:45 ` [PATCH v10 18/22] appended signatures: GRUB commands to manage the hashes Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 19/22] appended signatures: Verification tests Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 20/22] docs/grub: Document signing GRUB under UEFI Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 21/22] docs/grub: Document signing GRUB with an appended signature Sudhakar Kuppusamy
2025-09-09 11:45 ` [PATCH v10 22/22] docs/grub: Document " Sudhakar Kuppusamy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250909114530.36863-18-sudhakar@linux.ibm.com \
--to=sudhakar@linux.ibm.com \
--cc=avnish@linux.ibm.com \
--cc=dja@axtens.net \
--cc=grub-devel@gnu.org \
--cc=jan.setjeeilers@oracle.com \
--cc=julian.klode@canonical.com \
--cc=mate.kukri@canonical.com \
--cc=mlewando@redhat.com \
--cc=msuchanek@suse.com \
--cc=nayna@linux.ibm.com \
--cc=pjones@redhat.com \
--cc=sridharm@linux.ibm.com \
--cc=ssrish@linux.ibm.com \
--cc=stefanb@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).