Hi,

thanks for your feedback so far!
Attached is the patch file; it's just the unified diff output in a file, right?
Please let me know if I can prepare something else.

I'd be happy to learn about any (security) implications with merging that into 
grub source.

Thanks & best regards
Ingo

On 24.11.25 11:30, Daniel Kiper wrote:
Hi,

Adding John, Denis, Glenn and Patrick...

On Sun, Nov 23, 2025 at 10:27:20PM +0100, Ingo Breßler wrote:
Hi grub developers,

I found this bug description
(https://savannah.gnu.org/bugs/?func=detailitem&item_id=65889) which I can
confirm (with 2.14rc1). I am also interested in the suggested modification and I am
wondering if there are any security implications which stand against making this
change.

Since there is also GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY allowed in the same
file, I guess the other encryption key file types should be OK to add as well?
The suggested patch would be:

diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 4409e03c5..b2bf38a54 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -152,6 +152,8 @@ shim_lock_verifier_init (grub_file_t io __attribute__ 
((unused)),
      case GRUB_FILE_TYPE_TESTLOAD:
      case GRUB_FILE_TYPE_GET_SIZE:
      case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
+    case GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY:
+    case GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER:
      case GRUB_FILE_TYPE_CAT:
      case GRUB_FILE_TYPE_HEXCAT:
      case GRUB_FILE_TYPE_CMP:
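Review bot: no rationale accompanies the two new case labels, and the two types are not equivalent from a verification standpoint: GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY is opaque secret material like the neighbouring GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY, but GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER is structured input that the cryptodisk code has to parse before any key can be used. Placing both in the group that shim_lock_verifier_init lets through without a signature check should be justified in the commit message, separately for the header, since an unverified header is parser input under Secure Boot rather than a secret that is only used as key material.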

Please let us know what considerations would discourage accepting the
patch.

I cannot see any problems with these file types but I want to hear from
folks mentioned above what they think about them too. So, please prepare
a patch then send it to grub-devel and CC John, Denis, Glenn and Patrick.

Thank you very much and best regards!
Ingo

Hi. I have posted a bug here and described it.

I reviewed the source code and found out the cause:

The type "GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY", which is defined in the file "grub-core/disk/cryptodisk.c", is not
included in "grub-core/kern/efi/sb.c" in "shim_lock_verifier_init". Because of that, grub will deny loading the
keyfile and say "error: prohibited by secure boot policy". So in order to fix that, we should simply add the two lines
below in the switch-case statement of the image attachment:

    case GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY:
    case GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER:

I've done so and built it with this modification, and it was OK.

Thanks.

Daniel
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 4409e03c5..b2bf38a54 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -152,6 +152,8 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
     case GRUB_FILE_TYPE_TESTLOAD:
     case GRUB_FILE_TYPE_GET_SIZE:
     case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
+    case GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY:
+    case GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER:
     case GRUB_FILE_TYPE_CAT:
     case GRUB_FILE_TYPE_HEXCAT:
     case GRUB_FILE_TYPE_CMP:
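Review bot: the attached file is a bare unified diff with no commit message, author line or Signed-off-by, so it carries none of the rationale asked for on the list and cannot be applied with git am as is; regenerate it with git format-patch so that the description (why these two file types are safe to exempt from the shim_lock verifier, with a reference to the Savannah report item_id=65889) travels with the change.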
_______________________________________________
Grub-devel mailing list
https://lists.gnu.org/mailman/listinfo/grub-devel