If Secure Boot is enabled in dynamic key management mode and the use_static_keys flag is set, read the static keys from the ELF note and add them to the db list as its default keys (the PKS db variable is not available in that case).
Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com>
---
 grub-core/commands/appendedsig/appendedsig.c | 43 +++++++++++++-------
 1 file changed, 28 insertions(+), 15 deletions(-)

diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c
index 87c06b230..0cb6163f3 100644
--- a/grub-core/commands/appendedsig/appendedsig.c
+++ b/grub-core/commands/appendedsig/appendedsig.c
@@ -1179,7 +1179,8 @@ build_static_db_list (void)
   grub_err_t err;
   struct grub_module_header *header;
   struct grub_file pseudo_file;
-  struct x509_certificate *cert;
+  grub_uint8_t *cert_data = NULL;
+  grub_size_t cert_data_size = 0;
 
   FOR_MODULES (header)
     {
@@ -1195,22 +1196,25 @@ build_static_db_list (void)
       grub_dprintf ("appendedsig",
                     "found an X.509 certificate, size=%" PRIuGRUB_UINT64_T "\n",
                     pseudo_file.size);
 
-      err = read_cert_from_file (&pseudo_file, &cert);
+      err = file_read_whole (&pseudo_file, &cert_data, &cert_data_size);
       if (err == GRUB_ERR_OUT_OF_MEMORY)
         return;
-      else if (err != GRUB_ERR_NONE)
+      if (err != GRUB_ERR_NONE)
+        continue;
+
+      if (grub_pks_keystore.use_static_keys == true)
         {
-          grub_dprintf ("appendedsig",
-                        "warning: cannot add a certificate %u to the db list\n",
-                        db.cert_entries + 1);
-          continue;
+          if (is_dbx_cert_hash (cert_data, cert_data_size) == true)
+            {
+              grub_free (cert_data);
+              continue;
+            }
         }
 
-      grub_dprintf ("appendedsig", "add a certificate CN='%s' to db\n", cert->subject);
-
-      cert->next = db.certs;
-      db.certs = cert;
-      db.cert_entries++;
+      err = add_certificate (cert_data, cert_data_size, &db, true);
+      grub_free (cert_data);
+      if (err == GRUB_ERR_OUT_OF_MEMORY)
+        return;
     }
 }
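Review bot: The dbx filtering added at `is_dbx_cert_hash (cert_data, cert_data_size)` runs while the db list is still being built, yet GRUB_MOD_INIT (next hunk) calls `create_dbx_list ()` only after `build_static_db_list ()` has returned; if is_dbx_cert_hash consults the dbx list that create_dbx_list populates rather than reading the PKS keystore directly, every static certificate is compared against an empty dbx and a revoked default key would still be accepted into db. Either populate dbx before the static db in GRUB_MOD_INIT, or add a comment at this check stating which dbx source it reads and why it is valid at this point. Separately, the rewrite drops the debug message the removed `else if` branch printed, so a certificate rejected by `file_read_whole`, or by `add_certificate` with a non-OOM error, now vanishes silently; a `grub_dprintf ("appendedsig", "warning: cannot add a certificate %u to the db list\n", db.cert_entries + 1);` before the `continue` and after the add_certificate failure would keep that diagnostic. The declaration line of build_static_db_list is outside this hunk.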
@@ -1277,9 +1281,18 @@ GRUB_MOD_INIT (appendedsig)
    */
   else if (grub_pks_use_keystore == true && check_sigs == true)
     {
-      err = create_db_list ();
-      if (err != GRUB_ERR_NONE)
-        grub_dprintf ("appendedsig", "warning: db list might not be fully populated\n");
+      if (grub_pks_keystore.use_static_keys == true)
+        {
+          grub_dprintf ("appendedsig", "db variable is not available at PKS and "
+                        "using a static keys as a default key in db list\n");
+          build_static_db_list ();
+        }
+      else
+        {
+          err = create_db_list ();
+          if (err != GRUB_ERR_NONE)
+            grub_dprintf ("appendedsig", "warning: db list might not be fully populated\n");
+        }
 
       err = create_dbx_list ();
       if (err != GRUB_ERR_NONE)
-- 
2.39.5 (Apple Git-154)

_______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
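Review bot: The new `use_static_keys` branch has no failure reporting, unlike the `else` branch beside it: `build_static_db_list ()` returns void and bails out silently on out-of-memory, so an empty db list in a Secure Boot fallback path leaves no trace in the debug log. Since `db.cert_entries` is maintained by build_static_db_list, a `if (db.cert_entries == 0) grub_dprintf ("appendedsig", "warning: no static keys were added to the db list\n");` after the call would parallel the warning in the else branch. The fallback also deserves a one-line comment saying that the static ELF-note keys are trusted only because the firmware-provided `use_static_keys` flag requests it, not merely because the PKS db variable is absent, which is the assumption this branch appears to rely on. The debug string would read better as `"db variable is not available at PKS, using the static keys as default db keys\n"`. GRUB_MOD_INIT begins and ends outside this hunk.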