If Secure Boot is enabled with dynamic key management mode and the
use_static_keys flag is set, then read the static keys as a db default
keys from the ELF Note and add stored in the db list.
Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com>
---
grub-core/commands/appendedsig/appendedsig.c | 57 ++++++++++++++------
1 file changed, 42 insertions(+), 15 deletions(-)
diff --git a/grub-core/commands/appendedsig/appendedsig.c
b/grub-core/commands/appendedsig/appendedsig.c
index 2e19316f4..154a4ca6e 100644
--- a/grub-core/commands/appendedsig/appendedsig.c
+++ b/grub-core/commands/appendedsig/appendedsig.c
@@ -1051,7 +1051,7 @@ create_dbx_list (void)
* parse it, and add it to the db list.
*/
static grub_err_t
-build_static_db_list (const struct grub_module_header *header)
+build_static_db_list (const struct grub_module_header *header, const bool
is_pks)
{
grub_err_t err;
struct grub_file pseudo_file;
@@ -1070,6 +1070,12 @@ build_static_db_list (const struct grub_module_header
*header)
if (err != GRUB_ERR_NONE)
return err;
+ if (is_pks == true)
+ {
+ if (is_dbx_cert_hash (cert_data, cert_data_size) == true)
+ return GRUB_ERR_ACCESS_DENIED;
+ }
+
err = add_certificate (cert_data, cert_data_size, &db, true);
grub_free (cert_data);
@@ -1122,6 +1128,25 @@ free_dbx_list (void)
grub_memset (&dbx, 0, sizeof (dbx));
}
+static grub_err_t
+load_static_keys (const struct grub_module_header *header, const bool is_pks)
+{
+ int rc = GRUB_ERR_NONE;
+
+ FOR_MODULES (header)
+ {
+ /* Not an ELF module, skip. */
+ if (header->type != OBJ_TYPE_X509_PUBKEY)
+ continue;
+
+ rc = build_static_db_list (header, is_pks);
+ if (rc != GRUB_ERR_NONE)
+ return rc;
+ }
+
+ return rc;
+}
+
GRUB_MOD_INIT (appendedsig)
{
int rc;
@@ -1147,21 +1172,15 @@ GRUB_MOD_INIT (appendedsig)
*/
if (grub_pks_use_keystore == false && check_sigs == true)
{
- FOR_MODULES (header)
+ rc = load_static_keys (header, false);
+ if (rc != GRUB_ERR_NONE)
{
- /* Not an ELF module, skip. */
- if (header->type != OBJ_TYPE_X509_PUBKEY)
- continue;
- rc = build_static_db_list (header);
- if (rc != GRUB_ERR_NONE)
- {
- free_db_list ();
- grub_error (rc, "static db list creation failed");
- }
- else
- grub_dprintf ("appendedsig", "the db list now has %" PRIuGRUB_SIZE
" static keys\n",
- db.cert_entries);
+ free_db_list ();
+ grub_error (rc, "static db list creation failed");
}
+ else
+ grub_dprintf ("appendedsig", "the db list now has %" PRIuGRUB_SIZE "
static keys\n",
+ db.cert_entries);
}
/*
* If signature verification is enabled with dynamic key management mode,
@@ -1169,7 +1188,15 @@ GRUB_MOD_INIT (appendedsig)
*/
else if (grub_pks_use_keystore == true && check_sigs == true)
{
- rc = create_db_list ();
+ if (grub_pks_keystore.use_static_keys == true)
+ {
+ grub_dprintf ("appendedsig", "db variable is not available at PKS
and "
+ "using a static keys as a default key in db list\n");
+ rc = load_static_keys (header, grub_pks_keystore.use_static_keys);
+ }
+ else
+ rc = create_db_list ();
+
if (rc != GRUB_ERR_NONE)
{
free_db_list ();
--
2.39.5 (Apple Git-154)
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
