Hi grub developers,
I found this bug description
(https://savannah.gnu.org/bugs/?func=detailitem&item_id=65889) which I can
confirm (with 2.14rc1). I am also interested in the suggested modification and I am
wondering if there are any security implications which stand against making this
change?
Since there is also GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY allowed in the same
file, I guess the other encryption key file types should be OK to add as well?
The suggested patch would be:
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 4409e03c5..b2bf38a54 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -152,6 +152,8 @@ shim_lock_verifier_init (grub_file_t io __attribute__
((unused)),
case GRUB_FILE_TYPE_TESTLOAD:
case GRUB_FILE_TYPE_GET_SIZE:
case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
+ case GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY:
+ case GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER:
case GRUB_FILE_TYPE_CAT:
case GRUB_FILE_TYPE_HEXCAT:
case GRUB_FILE_TYPE_CMP:
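Review bot: the two added cases carry no commit message or Signed-off-by line, so the patch itself does not record why GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY and GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER belong in the same group as GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY; add a description stating that both are data files cryptodisk reads (key material and a detached header), not code GRUB executes, so a reviewer can check that claim against the group rather than infer it from the two lines. Also, the hunk header has been wrapped by the mail client ("shim_lock_verifier_init (grub_file_t io __attribute__" followed by "((unused))," on its own line), so the patch will not apply as pasted; send it with git send-email or as an attachment.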
Please let us know what considerations would discourage accepting the
patch.
Thank you very much and best regards!
Ingo
Hi. I have posted a bug here and described it.
I reviewed the source code and found the cause:
the type "GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY", which is defined in the file "grub-core/disk/cryptodisk.c", is not
included in "grub-core/kern/efi/sb.c" in "shim_lock_verifier_init". Because of that, GRUB will deny loading the
keyfile and say "error: prohibited by secure boot policy". So in order to fix that, we should simply add the two lines
below in the switch-case statement shown in the attached image:
case GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY:
case GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER:
I've done so and built it with this modification, and it was OK.
Thanks.
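To make the behaviour discussed in both messages concrete, here is an added C model of the file-type dispatch in shim_lock_verifier_init(). It is not GRUB's code: the model_ names, the enum values and the boot sequence are assumptions constructed for illustration, and GRUB's real enum grub_file_type has many more members. It shows a key file and a detached header falling into the default deny branch without the two added cases and into the skip group with them, while the kernel opened afterwards is still sent to shim's verify hook either way.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-ins for a handful of grub_file_type values (assumption:
 * names and ordering are invented for this model). */
enum model_file_type {
    MODEL_TYPE_LINUX_KERNEL,               /* code: must be verified      */
    MODEL_TYPE_ZFS_ENCRYPTION_KEY,         /* data: already in skip list  */
    MODEL_TYPE_CAT,                        /* data: already in skip list  */
    MODEL_TYPE_CRYPTODISK_ENCRYPTION_KEY,  /* data: added by the patch    */
    MODEL_TYPE_CRYPTODISK_DETACHED_HEADER, /* data: added by the patch    */
    MODEL_TYPE_UNLISTED                    /* anything in neither list    */
};

enum model_verdict {
    MODEL_VERIFY,  /* hand the whole image to shim's verify hook */
    MODEL_SKIP,    /* read the file without a signature check    */
    MODEL_DENIED   /* "prohibited by secure boot policy"         */
};

/* Model of the switch in shim_lock_verifier_init(); with_patch selects
 * whether the two cryptodisk cases are present. */
enum model_verdict
model_shim_lock_verifier_init(enum model_file_type type, int with_patch)
{
    switch (type) {
    case MODEL_TYPE_LINUX_KERNEL:
        return MODEL_VERIFY;
    case MODEL_TYPE_ZFS_ENCRYPTION_KEY:
    case MODEL_TYPE_CAT:
        return MODEL_SKIP;
    case MODEL_TYPE_CRYPTODISK_ENCRYPTION_KEY:
    case MODEL_TYPE_CRYPTODISK_DETACHED_HEADER:
        return with_patch ? MODEL_SKIP : MODEL_DENIED;
    default:
        /* Every type not listed above lands in the deny branch. */
        return MODEL_DENIED;
    }
}

/* One file open in a modelled boot sequence. */
struct model_step {
    const char *path;
    enum model_file_type type;
};

/* Walk the sequence; return the index of the first denied open, or -1 if
 * every open was allowed. *verified counts the opens that reached shim. */
int
model_boot(const struct model_step *steps, size_t n, int with_patch,
           int *verified)
{
    size_t i;
    *verified = 0;
    for (i = 0; i < n; i++) {
        enum model_verdict v =
            model_shim_lock_verifier_init(steps[i].type, with_patch);
        if (v == MODEL_DENIED)
            return (int) i;
        if (v == MODEL_VERIFY)
            (*verified)++;
    }
    return -1;
}

/* Constructed sample sequence: unlock a LUKS volume with a keyfile and a
 * detached header, then load the kernel from the unlocked volume. */
static const struct model_step model_sequence[] = {
    { "(hd0,gpt1)/luks.key",    MODEL_TYPE_CRYPTODISK_ENCRYPTION_KEY },
    { "(hd0,gpt1)/luks.header", MODEL_TYPE_CRYPTODISK_DETACHED_HEADER },
    { "(crypto0)/vmlinuz",      MODEL_TYPE_LINUX_KERNEL },
};
#define MODEL_SEQUENCE_LEN (sizeof model_sequence / sizeof model_sequence[0])

/* Index of the first denied step in the sample sequence, or -1. */
int
model_sequence_failed_step(int with_patch)
{
    int verified;
    return model_boot(model_sequence, MODEL_SEQUENCE_LEN, with_patch,
                      &verified);
}

/* Number of sample-sequence opens that were handed to shim for checking. */
int
model_sequence_verified(int with_patch)
{
    int verified;
    (void) model_boot(model_sequence, MODEL_SEQUENCE_LEN, with_patch,
                      &verified);
    return verified;
}

int
main(void)
{
    int with_patch;
    for (with_patch = 0; with_patch <= 1; with_patch++) {
        int failed = model_sequence_failed_step(with_patch);
        const char *label = with_patch ? "patched" : "unpatched";
        if (failed >= 0)
            printf("%s: %s: error: prohibited by secure boot policy\n",
                   label, model_sequence[failed].path);
        else
            printf("%s: all opens allowed, %d image(s) sent to shim\n",
                   label, model_sequence_verified(with_patch));
    }
    return 0;
}
```

Build and run with a plain `cc model.c && ./a.out`: the unpatched pass stops at the keyfile with the error text from the bug report, the patched pass lets the two data files through and still counts the kernel as an image handed to shim.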
_______________________________________________
Grub-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/grub-devel