On Fri, Mar 05, 2021 at 01:32:57PM +0100, Thomas Frauendorfer wrote:
> On Fri, Mar 5, 2021 at 1:12 PM Michael Chang via Grub-devel
> <grub-devel@gnu.org> wrote:
> >
> > While attempting to dual boot Microsoft Windows with the efi chainloader, it
> > failed with the below error when secure boot was enabled.
> >
> > error ../../grub-core/kern/verifiers.c:119:verification requested but
> > nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.
> >
> > It is a regression, as previously it worked without problem.
> >
> > It turns out chainloading an image has been locked down, introduced by
> >
> > 578c95298 kern: Add lockdown support
> >
> > However, we should consider it as a verifiable object for shim to allow
> > booting in secure boot enabled mode. The chainloaded image could also
> > have a trusted signature signed by the vendor with their pubkey cert in db.
> > For that matter its usage should not be locked down in secure boot, and
> > instead use shim to validate its signature before running it.
> >
> > Signed-off-by: Michael Chang <mch...@suse.com>
>
> [cut out]
>
> > /* Fall through. */
> > diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
> > index 0bc70fd42..e1fd1c1e2 100644
> > --- a/grub-core/kern/lockdown.c
> > +++ b/grub-core/kern/lockdown.c
> > @@ -48,7 +48,6 @@ lockdown_verifier_init (grub_file_t io __attribute__
> > ((unused)),
> > case GRUB_FILE_TYPE_PXECHAINLOADER:
> > case GRUB_FILE_TYPE_PCCHAINLOADER:
> > case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER:
> > - case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
> > case GRUB_FILE_TYPE_ACPI_TABLE:
> > case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
> > *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
> > --
> > 2.26.2
>
> The lockdown verifier makes sure that at least one verifier has
> validated the image.
> So removing GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE from it is a very bad idea.
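Review bot: Dropping `- case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:` from the case list that sets `*flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;` in lockdown_verifier_init means lockdown no longer asks any other verifier to authenticate a chainloaded EFI image, which is the opposite of what the commit message describes (shim validating the image's signature before it runs). The "verification requested but nobody cares" error quoted above says no verifier claimed the file type; the fix belongs in the verifier that should claim it (the shim-backed one accepting GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE), with this case left in place so the deferred-authentication requirement still holds under lockdown.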
Indeed. I will send a second patch that does not remove it from lockdown.

Thanks a lot for your review.

Michael

> > _______________________________________________
> > Grub-devel mailing list
> > Grub-devel@gnu.org
> > https://lists.gnu.org/mailman/listinfo/grub-devel