On Fri, Mar 5, 2021 at 1:12 PM Michael Chang via Grub-devel <grub-devel@gnu.org> wrote:
>
> While attempting to dual boot Microsoft Windows with efi chainloader, it
> failed with below error when secure boot was enabled.
>
> error ../../grub-core/kern/verifiers.c:119:verification requested but
> nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.
>
> It is a regression, as previously it worked without problem.
>
> It turns out chainloading image has been locked down introduced by
>
> 578c95298 kern: Add lockdown support
>
> However we should consider it as verifiable object to shim to allow
> booting in secure boot enabled mode. The chainloaded image could also
> have trusted signature signed by vendor with their pubkey cert in db.
> For that matters its usage should not be locked down in secure boot,
> and instead use shim to validate its signature before running it.
>
> Signed-off-by: Michael Chang <mch...@suse.com>
[cut out] > /* Fall through. */ > diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c > index 0bc70fd42..e1fd1c1e2 100644 > --- a/grub-core/kern/lockdown.c > +++ b/grub-core/kern/lockdown.c > @@ -48,7 +48,6 @@ lockdown_verifier_init (grub_file_t io __attribute__ > ((unused)), > case GRUB_FILE_TYPE_PXECHAINLOADER: > case GRUB_FILE_TYPE_PCCHAINLOADER: > case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER: > - case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE: > case GRUB_FILE_TYPE_ACPI_TABLE: > case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE: > *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH; > -- > 2.26.2

The lockdown verifier makes sure that at least one verifier has validated the image. So removing GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE from it is a very bad idea.

> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
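
Review bot: removing `case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:` from the `GRUB_VERIFY_FLAGS_DEFER_AUTH` list in `lockdown_verifier_init` drops the requirement that some other verifier take responsibility for an EFI chainloaded image under lockdown, which is the guarantee the reply above describes. The commit message intends shim to validate the signature, but nothing in this hunk makes that mandatory, so a setup in which no verifier claims this file type would load the image unchecked instead of failing with "verification requested but nobody cares". Suggest keeping the case here and fixing the regression on the other side, by having a shim-backed verifier accept `GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE`, so the deferred check is satisfied rather than removed.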