If secure boot is enabled with dynamic key management mode and the use_static_keys flag is set, then read the static keys as the db default keys from the GRUB ELF Note and add them into the db list.
Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com> --- grub-core/commands/appendedsig/appendedsig.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c index 98b9e42db..476c2241d 100644 --- a/grub-core/commands/appendedsig/appendedsig.c +++ b/grub-core/commands/appendedsig/appendedsig.c @@ -1135,9 +1135,19 @@ create_dbs_from_pks (void) if (err != GRUB_ERR_NONE) grub_printf ("warning: dbx list might not be fully populated\n"); - err = load_pks2db (); - if (err != GRUB_ERR_NONE) - grub_printf ("warning: db list might not be fully populated\n"); + /* + * The static keys from the GRUB ELF Note are populated in the db list + * if use_static_keys falg is set to true when secure boot is enabled + * with dynamic key management. + */ + if (pks_keystore->use_static_keys == true) + load_elf2db (); + else + { + err = load_pks2db (); + if (err != GRUB_ERR_NONE) + grub_printf ("warning: db list might not be fully populated\n"); + } grub_pks_tmp_free (); grub_dprintf ("appendedsig", "the db list now has %u keys\n" -- 2.39.5 (Apple Git-154)
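Review bot: the result of the load_elf2db () call in the new use_static_keys branch is discarded, while the else branch still assigns err from load_pks2db () and prints a warning on failure. The signature of load_elf2db is not visible in this hunk; if it returns a grub_err_t, a failure on the static-key path leaves the db list empty or partial with no message, and the only trace is the key count in the grub_dprintf that follows. Suggest assigning the result to err and printing the same "db list might not be fully populated" warning in both branches, or noting in the comment why the result can be ignored. Two smaller points in the same hunk: the new comment spells "flag" as "falg", and the condition can drop the "== true" comparison.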