From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <824a569a-70db-b5ca-dd8b-b6c1cef0dc67@gmail.com>
Date: Thu, 22 Dec 2022 19:25:13 +0800
Subject: Re: [PATCH] verifiers: Don't return error for deferred image
To: grub-devel@gnu.org
References: <20221222111439.2653118-1-leo.yan@linaro.org>
From: Zhang Boyang
In-Reply-To: <20221222111439.2653118-1-leo.yan@linaro.org>
List-Id: The development of GNU GRUB

Hi,

On 2022/12/22 19:14, Leo Yan wrote:
> When boot from menu and the flag GRUB_VERIFY_FLAGS_DEFER_AUTH is set,
> grub returns error:
>
> Booting a command list
>
> error: verification requested but nobody cares: (hd0,gpt1)/Image.
>
> Press any key to continue...
>
> In this case, the image should be deferred for authentication, grub
> should return the file handle and pass down to later firmware (e.g.
> U-Boot, etc) for authentication.

This is probably not what the verification framework is designed to be. It
seems to be designed to verify files while GRUB is executing (e.g. check
file signature if UEFI Secure Boot is enabled).

By the way, I didn't understand what "return the file handle and pass
down to later firmware" means. If you mean you want GRUB to call into
firmware's function, you can write a verifier to do that and register
your verifier with grub_verifier_register().

Best Regards,
Zhang Boyang

>
> For this purpose, rather than returning error, this patch prints log
> and returns file handler.
> > Signed-off-by: Leo Yan > --- > grub-core/kern/verifiers.c | 6 +----- > 1 file changed, 1 insertion(+), 5 deletions(-) > > diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c > index 75d7994cf..ada753e69 100644 > --- a/grub-core/kern/verifiers.c > +++ b/grub-core/kern/verifiers.c > @@ -115,11 +115,7 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type) > if (!ver) > { > if (defer) > - { > - grub_error (GRUB_ERR_ACCESS_DENIED, > - N_("verification requested but nobody cares: %s"), io->name); > - goto fail_noclose; > - } > + grub_printf("%s verification is deferred\n", io->name); > > /* No verifiers wanted to verify. Just return underlying file. */ > return io;
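Review bot: In the `if (defer)` branch under `if (!ver)`, removing `grub_error (GRUB_ERR_ACCESS_DENIED, ...)` and `goto fail_noclose` makes the code fall through to `return io;`, so a file whose authentication was deferred and that no verifier then claimed is returned exactly like a file nobody wanted to verify. That changes the check from fail-closed to fail-open with only a console message, and nothing in this hunk records that the file still needs authentication or ensures that later firmware performs it. I would keep the error as the default and handle the firmware case with a verifier registered through grub_verifier_register(), as suggested in the reply, so that the pass-through is an explicit decision by a verifier rather than the absence of one. Two smaller points: `grub_printf(` needs a space before the parenthesis to match `grub_error (` in the removed lines, and the new string is not wrapped in `N_()` as the old message was. The retained comment "No verifiers wanted to verify. Just return underlying file." also no longer describes the deferred case and should be updated if this behaviour is kept.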