forked from pool/grub2
9d81a73a54
- Fix verification requested but nobody cares error when loading external module in secure boot off (bsc#1175766) * 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch OBS-URL: https://build.opensuse.org/request/show/829926 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=363
42 lines
1.5 KiB
Diff
42 lines
1.5 KiB
Diff
From a60cfeacdeefb21215d35c4cad025e57de900352 Mon Sep 17 00:00:00 2001
|
|
From: Michael Chang <mchang@suse.com>
|
|
Date: Thu, 27 Aug 2020 13:18:25 +0800
|
|
Subject: [PATCH] shim_lock: Disable GRUB_VERIFY_FLAGS_DEFER_AUTH if secure
|
|
boot off
|
|
|
|
The GRUB_VERIFY_FLAGS_DEFER_AUTH is enabled regardless secure boot
|
|
status that will cause error [1] on loading external grub modules if
|
|
secure boot turned off in which shim protocol itself did not verify
|
|
images so should not request verification for external modules either.
|
|
|
|
This patch fixed the problem by adding the secure boot status check
|
|
before requesting other verifiers to verify external module, therefore
|
|
external module loading can work after shim_lock module loaded and
|
|
secure boot turned off.
|
|
|
|
[1] error: verification requested but nobody cares:
|
|
(hd0,gpt10)/boot/grub2/x86_64-efi/linux.mod.
|
|
|
|
Signed-off-by: Michael Chang <mchang@suse.com>
|
|
---
|
|
grub-core/commands/efi/shim_lock.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/grub-core/commands/efi/shim_lock.c b/grub-core/commands/efi/shim_lock.c
|
|
index 764098cfc..18d121297 100644
|
|
--- a/grub-core/commands/efi/shim_lock.c
|
|
+++ b/grub-core/commands/efi/shim_lock.c
|
|
@@ -82,7 +82,8 @@ shim_lock_init (grub_file_t io, enum grub_file_type type,
|
|
|
|
case GRUB_FILE_TYPE_ACPI_TABLE:
|
|
case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
|
|
- *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
|
|
+ if (grub_efi_secure_boot())
|
|
+ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
|
|
|
|
return GRUB_ERR_NONE;
|
|
|
|
--
|
|
2.26.2
|
|
|