If Secure Boot is enabled with dynamic key management mode and the use_static_keys flag is not set, then read the keys from the PKS keystore as well as from the ELF Note, and add them into the db. Otherwise, it only reads the static keys from the ELF Note and adds them into the db.
Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com> Reviewed-by: Stefan Berger <stef...@linux.ibm.com> Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com> --- grub-core/commands/appendedsig/appendedsig.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c index 83e97814a..5da603eb6 100644 --- a/grub-core/commands/appendedsig/appendedsig.c +++ b/grub-core/commands/appendedsig/appendedsig.c @@ -1154,9 +1154,17 @@ build_pks_keystore (void) if (err != GRUB_ERR_NONE) grub_printf ("warning: dbx list might not be fully populated\n"); - err = create_db_list (); - if (err != GRUB_ERR_NONE) - grub_printf ("warning: db list might not be fully populated\n"); + if (grub_pks_keystore.use_static_keys == true) + grub_dprintf ("appendedsig", "db variable is not available at PKS and " + "using a static keys as a default key in db list\n"); + + build_static_db_list (); + if (grub_pks_keystore.use_static_keys == false) + { + err = create_db_list (); + if (err != GRUB_ERR_NONE) + grub_printf ("warning: db list might not be fully populated\n"); + } grub_pks_free_keystore (); grub_dprintf ("appendedsig", "the db list now has %u keys\n" -- 2.39.5 (Apple Git-154) _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
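Review bot: in build_pks_keystore (), the new build_static_db_list () call is made with its result unchecked, while the create_db_list () call right below it still prints "warning: db list might not be fully populated" on error. If build_static_db_list () can fail, please capture its return value in err and warn the same way. Otherwise, when use_static_keys is set, a failure to load the ELF Note keys leaves db short or empty, and the only hint is the key count in the closing grub_dprintf. The fallback to static keys is also reported only through grub_dprintf, so it is invisible unless debug output is enabled; consider grub_printf, to match how the other degraded states in this function are reported. Smaller points: the message "using a static keys as a default key in db list" should read "using static keys as the default keys in the db list", and the "== true" / "== false" comparisons can be plain boolean tests, with the second one written as an else branch of the first so the flag is tested once.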