| commit | 6425c12cd77ad51ad24be84c092aefacf0875089 | |
| author | Daniel Kiper <daniel.kiper@oracle.com> | |
| Fri, 30 Jun 2023 14:02:15 +0000 (30 16:02 +0200) | ||
| committer | Daniel Kiper <daniel.kiper@oracle.com> | |
| Mon, 3 Jul 2023 12:29:22 +0000 (3 14:29 +0200) | ||
| tree | 92dd2b7a7c2ae46ec2dc5eb955b55a51e5f68ecd | treesnapshot (tar.gz zip) |
| parent | 7082a5ca8abd79c1e8840c59759f53c4c80e286d | commitdiff |
efi: Fallback to legacy mode if shim is loaded on x86 archs
The LoadImage() provided by the shim does not consult MOK when loading
an image. So, simply signature verification fails when it should not.
This means we cannot use Linux EFI stub to start the kernel when the
shim is loaded. We have to fallback to legacy mode on x86 architectures.
This is not possible on other architectures due to lack of legacy mode.
This is workaround which should disappear when the shim provides
LoadImage() which looks up MOK during signature verification.
On the occasion align constants in include/grub/efi/sb.h.
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
The LoadImage() provided by the shim does not consult MOK when loading
an image. So, simply signature verification fails when it should not.
This means we cannot use Linux EFI stub to start the kernel when the
shim is loaded. We have to fallback to legacy mode on x86 architectures.
This is not possible on other architectures due to lack of legacy mode.
This is workaround which should disappear when the shim provides
LoadImage() which looks up MOK during signature verification.
On the occasion align constants in include/grub/efi/sb.h.
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
| grub-core/kern/efi/sb.c | diffblobblamehistory | |
| grub-core/loader/efi/linux.c | diffblobblamehistory | |
| include/grub/efi/sb.h | diffblobblamehistory |