NOTE that leaving in the shim lock fallback has a downside, which is that the following contrived scenario will let all checks pass, and create unavoidable crashes:

1. you are running a system with a real NX mode
2. you have signed an NX_COMPAT + NX_REQUIRE (no one should _ever_ sign NX_COMPAT without NX_REQUIRE) shim 15.8 (this will switch NX mode on in the firmware)
3. you have signed an NX_COMPAT GRUB (shim will let the GRUB pass and the GRUB will run)
4. you have signed an NX_COMPAT kernel (shim_lock->verify() will allow the kernel, but GRUB will use the legacy loader due to the presence of only shim 15.8)
The reason I am calling said crashes unavoidable is:

- for 1., no api to query the firmware NX mode being on or not
- for 2., no api to query shim NX_COMPAT or NX_REQUIRE: NX_COMPAT is only available via gross hacks that parse the shim PE header in memory, and the MokPolicy variable (and NX_REQUIRE) is only exposed via EFI vars or config tables if using a non-default value.
- so grub in 3. has no reliable way to tell if it can ever allow the legacy loader fallback, hence why I initially removed it.

On Tue, Apr 1, 2025 at 11:26 AM Mate Kukri <mate.ku...@canonical.com> wrote:
>
> Julian Andres Klode (1):
>   efi: Provide wrappers for load_image, start_image, unload_image
>
> Mate Kukri (4):
>   efi/sb: Add support for the shim loader protocol
>   efi/sb: Add API for retrieving shim loader image handles
>   loader/efi/chainloader: Use shim loader image handle where available
>   loader/efi/linux: Use shim loader image handle where available
>
>  grub-core/kern/efi/efi.c           | 57 +++++++++++++++++++++++
>  grub-core/kern/efi/sb.c            | 74 +++++++++++++++++++-----------
>  grub-core/loader/efi/chainloader.c | 30 ++++++------
>  grub-core/loader/efi/linux.c       | 26 ++++++-----
>  include/grub/efi/api.h             |  5 ++
>  include/grub/efi/efi.h             | 42 +++++++++++++++++
>  include/grub/efi/sb.h              |  6 ++-
>  7 files changed, 187 insertions(+), 53 deletions(-)
>
> --
> 2.39.5
>
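The NX_COMPAT side of the check the mail refers to, reading DllCharacteristics from a PE image's optional header, as an added stand-alone example that is not GRUB or shim code: it lets a signer confirm that a shim, GRUB or kernel image actually declares NX compatibility before it is signed. The `build_minimal_pe` fixture is a constructed headers-only blob used purely to exercise the parser; the NX_REQUIRE side is a shim policy setting rather than a PE header field, per the mail, and is out of scope here.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_NX_COMPAT, from the PE/COFF specification.
NX_COMPAT = 0x0100
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_dll_characteristics(image: bytes) -> int:
    """Return DllCharacteristics from a PE32 or PE32+ optional header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing DOS header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    if opt_size < 72:
        raise ValueError("optional header too short")
    (dllchars,) = struct.unpack_from("<H", image, opt + 70)
    return dllchars


def is_nx_compat(image: bytes) -> bool:
    """True if the image declares NX compatibility (what shim/GRUB would gate on)."""
    return bool(pe_dll_characteristics(image) & NX_COMPAT)


def build_minimal_pe(magic: int, dllchars: int) -> bytes:
    """Constructed fixture: DOS stub, COFF header and optional header only.
    It has no sections and is not loadable; it only exercises the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    opt_size = 112 if magic == PE32PLUS_MAGIC else 96
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchars)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Run `is_nx_compat(open("image.efi", "rb").read())` on a real image to see whether it carries the flag; a missing flag on a shim 15.8 or GRUB build is exactly the mismatch the scenario above depends on.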