Hi,

Adding John, Denis, Glenn and Patrick...

On Sun, Nov 23, 2025 at 10:27:20PM +0100, Ingo Breßler wrote:
> Hi grub developers,
>
> I found this bug description 
> (https://savannah.gnu.org/bugs/?func=detailitem&item_id=65889), which I can 
> confirm (with 2.14rc1). I am also interested in the suggested modification 
> and I am wondering whether there are any security implications that would 
> stand against making this change?
>
> Since GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY is also allowed in the same 
> file, I guess the other encryption key file types should be OK to add as 
> well? The suggested patch would be:
>
> diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
> index 4409e03c5..b2bf38a54 100644
> --- a/grub-core/kern/efi/sb.c
> +++ b/grub-core/kern/efi/sb.c
> @@ -152,6 +152,8 @@ shim_lock_verifier_init (grub_file_t io __attribute__ 
> ((unused)),
>      case GRUB_FILE_TYPE_TESTLOAD:
>      case GRUB_FILE_TYPE_GET_SIZE:
>      case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
> +    case GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY:
> +    case GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER:
>      case GRUB_FILE_TYPE_CAT:
>      case GRUB_FILE_TYPE_HEXCAT:
>      case GRUB_FILE_TYPE_CMP:
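Review bot: the hunk header has been wrapped by the mail client (the `@@ -152,6 +152,8 @@ shim_lock_verifier_init (grub_file_t io __attribute__` line continues on the next line as `((unused)),`), so this patch will not apply with git am as posted; resend it with git send-email or as an attachment. On the content, placing the two cryptodisk types next to GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY in the list of types that skip shim-lock verification is consistent with the existing entry, but the commit message should state explicitly why skipping is acceptable for each: the key file is consumed as key material and the detached header is metadata read by the cryptodisk code, and neither is loaded and executed as code. That is exactly the question the submitter raised about security implications, and the reviewers CC'd need that reasoning in the patch itself rather than only in this thread.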
>
> Please let us know what considerations would discourage accepting the 
> patch.

I cannot see any problems with these file types but I want to hear from
the folks mentioned above what they think about them too. So, please prepare
a patch, then send it to grub-devel and CC John, Denis, Glenn and Patrick.

> Thank you very much and best regards!
> Ingo
>
> > Hi. I have posted a bug here and described it.
> >
> > I reviewed the source code and found out the cause:
> >
> > The type "GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY", which is defined in the file 
> > "grub-core/disk/cryptodisk.c", is not included in "grub-core/kern/efi/sb.c" 
> > in "shim_lock_verifier_init". Because of that, grub will deny loading the 
> > keyfile and say "error: prohibited by secure boot policy". So in order to 
> > fix that, we should simply add the two lines below to the switch case statement 
> > shown in the image attachment:
> >
> >     case GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY:
> >     case GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER:
> >
> > I've done and built it with this modification and it was OK.
> >
> > Thanks.

Daniel

_______________________________________________
Grub-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/grub-devel