On Mon, Aug 25, 2025 at 04:38:38PM +0530, Sudhakar Kuppusamy wrote:
> If Secure Boot is enabled with dynamic key management mode and the
> use_static_keys flag is not set, then read the keys from the PKS
> keystore as well as from the ELF Note, and add them into the db.
> Otherwise, it only reads the static keys from the ELF Note and
> adds them into the db.
>
> Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
> Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
> Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com>
> ---
>  grub-core/commands/appendedsig/appendedsig.c | 14 +++++++++++---
>  1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/grub-core/commands/appendedsig/appendedsig.c 
> b/grub-core/commands/appendedsig/appendedsig.c
> index 83e97814a..5da603eb6 100644
> --- a/grub-core/commands/appendedsig/appendedsig.c
> +++ b/grub-core/commands/appendedsig/appendedsig.c
> @@ -1154,9 +1154,17 @@ build_pks_keystore (void)
>    if (err != GRUB_ERR_NONE)
>      grub_printf ("warning: dbx list might not be fully populated\n");
>
> -  err = create_db_list ();
> -  if (err != GRUB_ERR_NONE)
> -    grub_printf ("warning: db list might not be fully populated\n");
> +  if (grub_pks_keystore.use_static_keys == true)
> +    grub_dprintf ("appendedsig", "db variable is not available at PKS and "
> +                  "using a static keys as a default key in db list\n");
> +
> +  build_static_db_list ();

I find some function names very confusing...

s/build_static_db_list/load_elf2db/

> +  if (grub_pks_keystore.use_static_keys == false)
> +    {
> +      err = create_db_list ();

s/create_db_list/load_pks2db/, etc...

> +      if (err != GRUB_ERR_NONE)
> +        grub_printf ("warning: db list might not be fully populated\n");
> +    }

If you shuffle the code a bit then you need one if/else only.

>    grub_pks_free_keystore ();

s/grub_pks_free_keystore/grub_pks_tmp_free/, etc...

>    grub_dprintf ("appendedsig", "the db list now has %u keys\n"
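
Review bot: the added call `build_static_db_list ();` discards any result, while the `create_db_list ()` call below it still assigns `err` and prints a warning on failure. The return type of build_static_db_list () is not visible in this hunk; if it can fail, a failure to load the ELF Note keys leaves db short without the "db list might not be fully populated" warning, and that matters most when use_static_keys is set and the static keys are the only entries in db. Suggest capturing and checking its result the same way as create_db_list (). The two separate tests of grub_pks_keystore.use_static_keys (`== true` before the static load, `== false` after it) can be folded into a single if/else following the unconditional static load, and the debug string would read better as "using static keys as the default keys in the db list".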

Daniel
