On Mon, Sep 22, 2025 at 02:57:58PM +0530, Sudhakar Kuppusamy wrote:
> If secure boot is enabled with dynamic key management mode and the
> use_static_keys flag is set, then read the static keys as db default
> keys from the GRUB ELF Note and add them into the db list.
>
> Signed-off-by: Sudhakar Kuppusamy <[email protected]>
> ---
> grub-core/commands/appendedsig/appendedsig.c | 16 +++++++++++++---
> 1 file changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c
> index 44412a614..fa97a6440 100644
> --- a/grub-core/commands/appendedsig/appendedsig.c
> +++ b/grub-core/commands/appendedsig/appendedsig.c
> @@ -1135,9 +1135,19 @@ create_dbs_from_pks (void)
> if (err != GRUB_ERR_NONE)
> grub_printf ("warning: dbx list might not be fully populated\n");
>
> - err = load_pks2db ();
> - if (err != GRUB_ERR_NONE)
> - grub_printf ("warning: db list might not be fully populated\n");
> + /*
> + * The static keys from the GRUB ELF Note are populated in the db list
> + * if use_static_keys falg is set to true when secure boot is enabled
> + * with dynamic key management.
> + */
> + if (pks_keystore->use_static_keys == true)
I suppose that an earlier patch adds this struct member. However, it should
happen in this patch. Additionally, all code dealing with use_static_keys
should be here too.
> + load_elf2db ();
> + else
> + {
> + err = load_pks2db ();
> + if (err != GRUB_ERR_NONE)
> + grub_printf ("warning: db list might not be fully populated\n");
> + }
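Review bot: the return value of load_elf2db () is discarded in the use_static_keys branch, whereas the else branch assigns load_pks2db () to err and prints "warning: db list might not be fully populated"; if load_elf2db () can fail, that failure is silently swallowed in the static-keys path, so it should be assigned to err and followed by the same warning. Minor points in the same hunk: the comment has a typo ("falg" should be "flag"), and `if (pks_keystore->use_static_keys == true)` reads more idiomatically as `if (pks_keystore->use_static_keys)`.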
I can imagine that a third option could be to call both load_pks2db() and
load_elf2db(). So, use_static_keys could be an enum with three values:
NO_STATIC_KEYS, ONLY_STATIC_KEYS, PKS_AND_STATIC_KEYS.
Daniel
_______________________________________________
Grub-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/grub-devel