If Secure Boot is enabled in dynamic key management mode and the
use_static_keys flag is set, then read the static keys from the ELF Note
as the default db keys and add them to the db.

Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com>
---
 grub-core/commands/appendedsig/appendedsig.c | 43 +++++++++++++-------
 1 file changed, 28 insertions(+), 15 deletions(-)

diff --git a/grub-core/commands/appendedsig/appendedsig.c 
b/grub-core/commands/appendedsig/appendedsig.c
index 87c06b230..0cb6163f3 100644
--- a/grub-core/commands/appendedsig/appendedsig.c
+++ b/grub-core/commands/appendedsig/appendedsig.c
@@ -1179,7 +1179,8 @@ build_static_db_list (void)
   grub_err_t err;
   struct grub_module_header *header;
   struct grub_file pseudo_file;
-  struct x509_certificate *cert;
+  grub_uint8_t *cert_data = NULL;
+  grub_size_t cert_data_size = 0;
 
   FOR_MODULES (header)
     {
@@ -1195,22 +1196,25 @@ build_static_db_list (void)
       grub_dprintf ("appendedsig", "found an X.509 certificate, size=%" 
PRIuGRUB_UINT64_T "\n",
                     pseudo_file.size);
 
-      err = read_cert_from_file (&pseudo_file, &cert);
+      err = file_read_whole (&pseudo_file, &cert_data, &cert_data_size);
       if (err == GRUB_ERR_OUT_OF_MEMORY)
         return;
-      else if (err != GRUB_ERR_NONE)
+      if (err != GRUB_ERR_NONE)
+        continue;
+
+      if (grub_pks_keystore.use_static_keys == true)
         {
-          grub_dprintf ("appendedsig",
-                        "warning: cannot add a certificate %u to the db 
list\n",
-                        db.cert_entries + 1);
-          continue;
+          if (is_dbx_cert_hash (cert_data, cert_data_size) == true)
+            {
+              grub_free (cert_data);
+              continue;
+            }
         }
 
-      grub_dprintf ("appendedsig", "add a certificate CN='%s' to db\n", 
cert->subject);
-
-      cert->next = db.certs;
-      db.certs = cert;
-      db.cert_entries++;
+      err = add_certificate (cert_data, cert_data_size, &db, true);
+      grub_free (cert_data);
+      if (err == GRUB_ERR_OUT_OF_MEMORY)
+        return;
     }
 }
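Review bot: A certificate that add_certificate rejects for any reason other than GRUB_ERR_OUT_OF_MEMORY is now dropped without a trace — the `warning: cannot add a certificate %u to the db list` message the removed branch printed has no counterpart after the add_certificate call, so a malformed or rejected static key leaves no diagnostic; consider `if (err != GRUB_ERR_NONE) grub_dprintf ("appendedsig", "warning: cannot add a static certificate to the db list\n");` between the grub_free and the out-of-memory return. Separately, is_dbx_cert_hash is consulted here, while the later hunk in GRUB_MOD_INIT calls build_static_db_list before create_dbx_list; if is_dbx_cert_hash reads the dbx list that create_dbx_list fills, the check cannot reject anything at this point and the filtering would need to happen after dbx is populated — worth confirming. The use_static_keys guard around that check is redundant if this function is only reached on the static-keys path, and the `== true` comparisons are a style choice the surrounding code also uses. build_static_db_list's declarations and the start of its loop are outside this hunk.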
 
@@ -1277,9 +1281,18 @@ GRUB_MOD_INIT (appendedsig)
    */
   else if (grub_pks_use_keystore == true && check_sigs == true)
     {
-      err = create_db_list ();
-      if (err != GRUB_ERR_NONE)
-        grub_dprintf ("appendedsig", "warning: db list might not be fully 
populated\n");
+      if (grub_pks_keystore.use_static_keys == true)
+        {
+          grub_dprintf ("appendedsig", "db variable is not available at PKS 
and "
+                        "using a static keys as a default key in db list\n");
+          build_static_db_list ();
+        }
+      else
+        {
+          err = create_db_list ();
+          if (err != GRUB_ERR_NONE)
+            grub_dprintf ("appendedsig", "warning: db list might not be fully 
populated\n");
+        }
 
       err = create_dbx_list ();
       if (err != GRUB_ERR_NONE)
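Review bot: build_static_db_list returns void, so when it bails out early on GRUB_ERR_OUT_OF_MEMORY the static-keys branch continues into create_dbx_list with a partially populated db and no message, whereas the create_db_list branch directly below at least logs `warning: db list might not be fully populated`. Either have build_static_db_list return grub_err_t and mirror the else-branch check, or add the same grub_dprintf after the call. The log text `using a static keys as a default key in db list` also reads awkwardly; `using the static keys as default db keys` would be clearer. GRUB_MOD_INIT continues past the end of this hunk.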
-- 
2.39.5 (Apple Git-154)

