On Tue, Jul 29, 2025 at 08:21:51PM +0530, Sudhakar Kuppusamy wrote: > If Secure Boot is enabled with dynamic key management mode and the > use_static_keys flag is set, then read the static keys as the default db > keys from the ELF Note and add stored in the db list.
s/stored in the db list/them into the db/ > Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com> > Reviewed-by: Stefan Berger <stef...@linux.ibm.com> > Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com> > --- > grub-core/commands/appendedsig/appendedsig.c | 57 ++++++++++++++------ > 1 file changed, 42 insertions(+), 15 deletions(-) > > diff --git a/grub-core/commands/appendedsig/appendedsig.c > b/grub-core/commands/appendedsig/appendedsig.c > index f696ef476..fa908b963 100644 > --- a/grub-core/commands/appendedsig/appendedsig.c > +++ b/grub-core/commands/appendedsig/appendedsig.c > @@ -1051,7 +1051,7 @@ create_dbx_list (void) > * parse it, and add it to the db list. > */ > static grub_err_t > -build_static_db_list (const struct grub_module_header *header) > +build_static_db_list (const struct grub_module_header *header, const bool > is_pks) > { > grub_err_t err; > struct grub_file pseudo_file; > @@ -1070,6 +1070,12 @@ build_static_db_list (const struct grub_module_header > *header) > if (err != GRUB_ERR_NONE) > return err; > > + if (is_pks == true) > + { > + if (is_dbx_cert_hash (cert_data, cert_data_size) == true) > + return GRUB_ERR_ACCESS_DENIED; > + } > + > err = add_certificate (cert_data, cert_data_size, &db, true); > grub_free (cert_data); > > @@ -1122,6 +1128,25 @@ free_dbx_list (void) > grub_memset (&dbx, 0, sizeof (dbx)); > } > > +static grub_err_t > +load_static_keys (const struct grub_module_header *header, const bool is_pks) > +{ > + int rc = GRUB_ERR_NONE; > + > + FOR_MODULES (header) > + { > + /* Not an ELF module, skip. */ Comment says different thing than the "if" below does... > + if (header->type != OBJ_TYPE_X509_PUBKEY) > + continue; > + > + rc = build_static_db_list (header, is_pks); > + if (rc != GRUB_ERR_NONE) > + return rc; > + } > + > + return rc; > +} > + > GRUB_MOD_INIT (appendedsig) > { > int rc; 
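Review bot: The early `return GRUB_ERR_ACCESS_DENIED;` added inside the is_pks check in build_static_db_list leaks cert_data, because the existing `grub_free (cert_data);` sits after the add_certificate call and is skipped on that path. Free the buffer before returning, e.g. `{ grub_free (cert_data); return GRUB_ERR_ACCESS_DENIED; }`. The bare return also records no error message, so the failure surfaces to GRUB_MOD_INIT as a code without saying which static key was rejected; unless the caller attaches one, `return grub_error (GRUB_ERR_ACCESS_DENIED, "static key is revoked by dbx");` would be more informative. The rest of build_static_db_list, including where cert_data is allocated, lies outside this hunk.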
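Review bot: `int rc = GRUB_ERR_NONE;` in the new load_static_keys carries a grub_err_t through an int even though the function returns grub_err_t and build_static_db_list produces one; declare it `grub_err_t rc = GRUB_ERR_NONE;` so the types agree (the `int rc;` in GRUB_MOD_INIT is pre-existing and need not be copied into the helper). The helper also has no header comment; one sentence would do, e.g. `/* Add every OBJ_TYPE_X509_PUBKEY module found via FOR_MODULES to the db; the first failing module aborts the walk and its error is returned. */`. The trailing `return rc;` is only ever reached with GRUB_ERR_NONE, so `return GRUB_ERR_NONE;` states the contract more plainly.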
> @@ -1147,21 +1172,15 @@ GRUB_MOD_INIT (appendedsig) > */ > if (grub_pks_use_keystore == false && check_sigs == true) > { > - FOR_MODULES (header) > + rc = load_static_keys (header, false); > + if (rc != GRUB_ERR_NONE) > { > - /* Not an ELF module, skip. */ > - if (header->type != OBJ_TYPE_X509_PUBKEY) > - continue; > - rc = build_static_db_list (header); > - if (rc != GRUB_ERR_NONE) > - { > - free_db_list (); > - grub_error (rc, "static db list creation failed"); > - } > - else > - grub_dprintf ("appendedsig", "the db list now has %" > PRIuGRUB_SIZE " static keys\n", > - db.cert_entries); > + free_db_list (); Again, you should not free partial db lists. I would just print a warning in case of error... Daniel _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel