Introduce the use_static_keys flag to indicate that static keys are to be used rather than keys from the PKS storage's db variable. This flag is set when Secure Boot is enabled with PKS but the db variable is not present in the PKS storage. The appendedsig module would use this flag to extract the static keys from the GRUB ELF Note and store them in the db list.
Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>
---
 grub-core/kern/powerpc/ieee1275/platform_keystore.c | 13 ++++++++++++-
 include/grub/powerpc/ieee1275/platform_keystore.h | 1 +
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/grub-core/kern/powerpc/ieee1275/platform_keystore.c b/grub-core/kern/powerpc/ieee1275/platform_keystore.c
index aaf90500f..2c556a563 100644
--- a/grub-core/kern/powerpc/ieee1275/platform_keystore.c
+++ b/grub-core/kern/powerpc/ieee1275/platform_keystore.c
@@ -58,7 +58,8 @@ bool grub_pks_use_keystore = false;
 bool grub_pks_is_support_pks = false;
 /* Platform KeyStore db and dbx. */
-grub_pks_t grub_pks_keystore = { .db = NULL, .dbx = NULL, .db_entries = 0, .dbx_entries = 0 };
+grub_pks_t grub_pks_keystore = { .db = NULL, .dbx = NULL, .db_entries = 0, .dbx_entries = 0,
+ .use_static_keys = false };
 /*
 * Import the Globally Unique Identifier (GUID), EFI Signature Database (ESD),
@@ -325,6 +326,16 @@ grub_pks_keystore_init (void)
 grub_memset (&grub_pks_keystore, 0, sizeof (grub_pks_t));
 /* Read db from PKS. */
 rc = read_secure_boot_variables (0, DB, &grub_pks_keystore.db, &grub_pks_keystore.db_entries);
+ if (rc == GRUB_ERR_UNKNOWN_COMMAND)
+ {
+ rc = GRUB_ERR_NONE;
+ /*
+ * The db variable won't be available by default in PKS.
+ * So, it will use the static key as a default key from the GRUB ELF Note.
+ */
+ grub_pks_keystore.use_static_keys = true;
+ }
+
 if (rc == GRUB_ERR_NONE)
 {
 /* Read dbx from PKS. */
diff --git a/include/grub/powerpc/ieee1275/platform_keystore.h b/include/grub/powerpc/ieee1275/platform_keystore.h
index 4b34a3198..666f39684 100644
--- a/include/grub/powerpc/ieee1275/platform_keystore.h
+++ b/include/grub/powerpc/ieee1275/platform_keystore.h
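Review bot: The new `if (rc == GRUB_ERR_UNKNOWN_COMMAND)` branch in grub_pks_keystore_init switches the trust anchor from the PKS db to the static keys without leaving any trace, and it depends on read_secure_boot_variables() returning that code only when the db variable is absent. That function is outside the hunk, so this is something to confirm rather than a finding: if a firmware or read failure can also surface as GRUB_ERR_UNKNOWN_COMMAND, the fallback would hide it. I would state the contract in the comment, e.g. `/* GRUB_ERR_UNKNOWN_COMMAND here means the db variable is absent from PKS; any other error must not reach this fallback. */`, and add a debug line such as `grub_dprintf ("ieee1275", "PKS: db not found, using static keys\n");` so the key source in use is visible when a boot is being diagnosed. The function body continues outside the hunk, so whether a later error path resets use_static_keys cannot be seen here.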
@@ -97,6 +97,7 @@ struct grub_pks
 grub_pks_sd_t *dbx; /* Forbidden signature database. */
 grub_uint32_t db_entries; /* Size of signature database. */
 grub_uint32_t dbx_entries;/* Size of forbidden signature database. */
+ bool use_static_keys; /* Flag to indicate use of static keys. */
 } GRUB_PACKED;
 typedef struct grub_pks grub_pks_t;
-- 
2.39.5 (Apple Git-154)
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
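Review bot: The comment on `use_static_keys` does not say when the flag is set or what a consumer is expected to do with it, which matters because the flag decides which keys signature verification will trust. Going by the commit message, a comment along the lines of `/* Set when PKS has no db variable; trusted keys then come from the GRUB ELF Note. */` would carry that. The struct definition starts outside the hunk.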