Hi Boyang,

On Thu, Dec 22, 2022 at 07:25:13PM +0800, Zhang Boyang wrote:
> Hi,
>
> On 2022/12/22 19:14, Leo Yan wrote:
> > When boot from menu and the flag GRUB_VERIFY_FLAGS_DEFER_AUTH is set,
> > grub returns error:
> >
> >   Booting a command list
> >
> >   error: verification requested but nobody cares: (hd0,gpt1)/Image.
> >
> >   Press any key to continue...
> >
> > In this case, the image should be deferred for authentication, grub
> > should return the file handle and pass down to later firmware (e.g.
> > U-Boot, etc) for authentication.
>
> This is probably not what verification framework designed to be. It seems to
> be designed to verify files during GRUB is executing (e.g. check file
> signature if UEFI Secure Boot is enabled).

Good point. We expect the solution is that grub can defer authentication
for an image and invoke the EFI LoadImage service, then the EFI loader can
load and verify the image.

To be more specific, I am now debugging U-Boot EFI with grub. Since U-Boot
EFI provides functionality for loading and authenticating an image (see
efi_load_image() in [1]), my purpose is to use U-Boot EFI to authenticate
the kernel image (and even the initrd image).

> By the way, I didn't understand what does "return the file handle and pass
> down to later firmware" means. If you means you want GRUB call into
> firmware's function, you can write a verifier to do that and register your
> verifier with grub_verifier_register().

To be clear, I am not experienced with EFI and grub, I try my best to give
info :)

As explained above, we don't want to introduce any new verifier in grub;
we want to verify the image in U-Boot EFI rather than in grub. So this is
why I wrote this patch to dismiss the failure in grub and pass the image
info to the U-Boot EFI service. (And sorry that my commit log introduced
confusion.)

Thanks,
Leo

[1] https://github.com/u-boot/u-boot/blob/master/lib/efi_loader/efi_boottime.c#L2021