proxmox-mirrors/grub2
1
0
Fork 0
mirror of https://git.proxmox.com/git/grub2 synced 2025-08-06 13:18:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

kern/efi/sb: Add chainloaded image as shim's verifiable object

Browse Source 
While attempting to dual boot Microsoft Windows with UEFI chainloader,
it failed with below error when UEFI Secure Boot was enabled:

  error ../../grub-core/kern/verifiers.c:119:verification requested but
  nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.

It is a regression, as previously it worked without any problem.

It turns out chainloading PE image has been locked down by commit
578c95298 (kern: Add lockdown support). However, we should consider it
as verifiable object by shim to allow booting in UEFI Secure Boot mode.
The chainloaded PE image could also have trusted signature created by
vendor with their pubkey cert in db. For that matters it's usage should
not be locked down under UEFI Secure Boot, and instead shim should be
allowed to validate a PE binary signature before running it.

Fixes: 578c95298 (kern: Add lockdown support)

Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
Michael Chang 2021-03-05 21:48:53 +08:00 committed by Daniel Kiper
parent 308b0495e1
commit 6d05264eec
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
grub-core/kern/efi/sb.c
View File

@ -129,6 +129,7 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
case GRUB_FILE_TYPE_BSD_KERNEL:
case GRUB_FILE_TYPE_XNU_KERNEL:
case GRUB_FILE_TYPE_PLAN9_KERNEL:
case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
*flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
/* Fall through. */