SHA256
1
0
forked from pool/grub2
grub2/0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch

42 lines
1.5 KiB
Diff
Raw Normal View History

From a60cfeacdeefb21215d35c4cad025e57de900352 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Thu, 27 Aug 2020 13:18:25 +0800
Subject: [PATCH] shim_lock: Disable GRUB_VERIFY_FLAGS_DEFER_AUTH if secure
boot off
The GRUB_VERIFY_FLAGS_DEFER_AUTH is enabled regardless secure boot
status that will cause error [1] on loading external grub modules if
secure boot turned off in which shim protocol itself did not verify
images so should not request verification for external modules either.
This patch fixed the problem by adding the secure boot status check
before requesting other verifiers to verify external module, therefore
external module loading can work after shim_lock module loaded and
secure boot turned off.
[1] error: verification requested but nobody cares:
(hd0,gpt10)/boot/grub2/x86_64-efi/linux.mod.
Signed-off-by: Michael Chang <mchang@suse.com>
---
grub-core/commands/efi/shim_lock.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/grub-core/commands/efi/shim_lock.c b/grub-core/commands/efi/shim_lock.c
index 764098cfc..18d121297 100644
--- a/grub-core/commands/efi/shim_lock.c
+++ b/grub-core/commands/efi/shim_lock.c
@@ -82,7 +82,8 @@ shim_lock_init (grub_file_t io, enum grub_file_type type,
case GRUB_FILE_TYPE_ACPI_TABLE:
case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
- *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
+ if (grub_efi_secure_boot())
+ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
return GRUB_ERR_NONE;
--
2.26.2