git.ipfire.org Git - thirdparty/grub.git/commit

author	Michael Chang <mchang@suse.com>
	Fri, 5 Mar 2021 13:48:53 +0000 (21:48 +0800)
committer	Daniel Kiper <daniel.kiper@oracle.com>
	Wed, 10 Mar 2021 12:49:42 +0000 (13:49 +0100)
commit	6d05264eeceaa2be991093d7fc31b78130bf5453
tree	a4c158d00b4298000454fde1fa0442f6be5c7f05	tree
parent	308b0495e1aea41c1b0adc32d3e8799738a8acfc	commit \| diff

kern/efi/sb: Add chainloaded image as shim's verifiable object

While attempting to dual boot Microsoft Windows with UEFI chainloader,
it failed with below error when UEFI Secure Boot was enabled:

error ../../grub-core/kern/verifiers.c:119:verification requested but
nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.

It is a regression, as previously it worked without any problem.

It turns out chainloading PE image has been locked down by commit
578c95298 (kern: Add lockdown support). However, we should consider it
as verifiable object by shim to allow booting in UEFI Secure Boot mode.
The chainloaded PE image could also have trusted signature created by
vendor with their pubkey cert in db. For that matters it's usage should
not be locked down under UEFI Secure Boot, and instead shim should be
allowed to validate a PE binary signature before running it.

Fixes: 578c95298 (kern: Add lockdown support)
Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>