Re: [PATCH] efi: Set shim_lock_enabled even if validation is disabled
From: Daniel Kiper
Subject: Re: [PATCH] efi: Set shim_lock_enabled even if validation is disabled
Date: Tue, 31 Oct 2023 19:19:13 +0100
User-agent: NeoMutt/20170113 (1.7.2)

On Wed, Jul 19, 2023 at 03:16:00PM +0200, Julian Andres Klode wrote:
> If validation has been disabled via MokSbState, secure boot on the
> firmware is still enabled, and the kernel fails to boot.
>
> This is a bit hacky, because shim_lock is not *fully* enabled, but
> it triggers the right code paths.
>
> Ultimately, all this will be resolved by shim gaining its own image
> loading and starting protocol, so this is more a temporary workaround.
>
> Fixes: 6425c12cd (efi: Fallback to legacy mode if shim is loaded on x86 archs)
>
> Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
> ---
> grub-core/kern/efi/sb.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
> index 60550a6da..ea15d4514 100644
> --- a/grub-core/kern/efi/sb.c
> +++ b/grub-core/kern/efi/sb.c
> @@ -95,6 +95,7 @@ grub_efi_get_secureboot (void)
> if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksbstate == 1)
> {
> secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
> + shim_lock_enabled = true;
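
Review bot: The added `shim_lock_enabled = true;` sits directly under `secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;` with no comment, so this branch now reports secure boot as disabled while flagging shim_lock as enabled, and nothing in the code says why. A comment above the new line should state that when MokSbState disables validation the firmware's secure boot is still enabled and the kernel otherwise fails to boot, and it should mark the assignment as a TODO to drop once shim provides its own image loading and starting protocol, as the commit message describes.
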
I am not happy with this change but I understand we need it. So, I will
accept the change but it has to be marked as a "TODO" thing in the comment.
Additionally, the comment has to explain why we need it. Please do not
forget to CC distro maintainers and other folks who may be interested in
this change. If you do that you can add my RB.

Daniel