On Mon, 24 Nov 2025 11:30:52 +0100 Daniel Kiper <[email protected]> wrote:
> Hi,
>
> Adding John, Denis, Glenn and Patrick...
>
> On Sun, Nov 23, 2025 at 10:27:20PM +0100, Ingo Breßler wrote:
> > Hi grub developers,
> >
> > I found this bug description
> > (https://savannah.gnu.org/bugs/?func=detailitem&item_id=65889) which I can
> > confirm (with 2.14rc1). I am also interested in the suggested modification
> > and I am wondering if there are any security implications which stand
> > against making this change?
> >
> > Since there is also GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY allowed in the same
> > file, I guess the other encryption key file types should be ok to add as
> > well? The suggested patch would be:
> >
> > diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
> > index 4409e03c5..b2bf38a54 100644
> > --- a/grub-core/kern/efi/sb.c
> > +++ b/grub-core/kern/efi/sb.c
> > @@ -152,6 +152,8 @@ shim_lock_verifier_init (grub_file_t io __attribute__
> > ((unused)),
> > case GRUB_FILE_TYPE_TESTLOAD:
> > case GRUB_FILE_TYPE_GET_SIZE:
> > case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
> > + case GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY:
> > + case GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER:
> > case GRUB_FILE_TYPE_CAT:
> > case GRUB_FILE_TYPE_HEXCAT:
> > case GRUB_FILE_TYPE_CMP:
> >
> > Please let us know what considerations would discourage accepting the
> > patch.
>
> I cannot see any problems with these file types but I want to hear from
> folks mentioned above what they think about them too. So, please prepare
> a patch then send it to grub-devel and CC John, Denis, Glenn and Patrick.

I concur. I think it would be more valuable to hear from people well versed in the intricacies of SecureBoot. What implications does this change have from a security standpoint? I don't see any, but I'm not an expert in SecureBoot.

From a functionality standpoint, I'd very much like something like this to allow using SecureBoot to boot from keyfiles and detached headers.

Glenn

> > Thank you very much and best regards!
> > Ingo
> >
> > > Hi. I have posted a bug here and described it.
> > >
> > > I reviewed the source code and found out the cause:
> > >
> > > type "GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY" which is defined in file
> > > "grub-core/disk/cryptodisk.c" is not included in
> > > "grub-core/kern/efi/sb.c" in "shim_lock_verifier_init". Because of that
> > > grub will deny loading keyfile and says "error: prohibited by secure boot
> > > policy". So in order to fix that, we should simply add the two lines
> > > below in the switch case statement of the image attachment:
> > >
> > > 1 case GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY:
> > > 2 case GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER:
> > >
> > > I've done and built it with this modification and it was OK.
> > >
> > > Thanks.
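Review bot: the two added case labels arrive with no commit message, and the justification a reviewer of grub-core/kern/efi/sb.c needs is exactly what is missing: state explicitly why GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY and GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER may be loaded without shim verification, namely that cryptodisk consumes a keyfile and a detached header as data and never executes them, which is the same reasoning under which GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY already sits in this list one context line above the insertion. The commit message should also acknowledge that a detached header, unlike a raw keyfile, is parsed by the cryptodisk backends, so the residual risk of an unsigned header is malformed input reaching that parser rather than a Secure Boot bypass, and those backends already have to treat on-disk headers from removable media as untrusted. Finally, the patch as posted has no Signed-off-by line, which grub-devel requires before it can be applied.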
> Daniel

_______________________________________________
Grub-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/grub-devel
