* UEFI Secureboot not succeeding with Grub 2.06 and later version
@ 2021-07-01 15:23 Sayanta Pattanayak
  2021-07-07 13:14 ` Daniel Kiper
  0 siblings, 1 reply; 20+ messages in thread
From: Sayanta Pattanayak @ 2021-07-01 15:23 UTC (permalink / raw)
  To: grub-devel; +Cc: nd

Hi All,
I am new to grub and UEFI secure boot, so this is a beginner's question. UEFI secure boot on an Arm64 platform works fine with Grub 2.04: the Linux kernel image is authenticated and loaded. But the same with Grub 2.06 does not progress; the following error messages are displayed.

error: shim_lock protocol not found.
error: you need to load the kernel first.

With reference to "https://www.mail-archive.com/help-grub@gnu.org/msg05375.html", I created the Grub image with the "--disable-shim-lock" option. This change solved the "shim_lock" error, but then the following error message started appearing:

error: verification requested but nobody cares: /Image.
error: you need to load the kernel first.
Press any key to continue...

A large set of patches addressing the BootHole vulnerability (https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html) has been merged in Grub 2.06. Does this change the way images are signed, or is there another change that requires UEFI secure boot to be handled differently on the platform?

I would appreciate any suggestion that would help validate UEFI secure boot with Grub 2.06 and later versions.

Thanks,
Sayanta



* Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-01 15:23 UEFI Secureboot not succeeding with Grub 2.06 and later version Sayanta Pattanayak
@ 2021-07-07 13:14 ` Daniel Kiper
  2021-07-08  7:04   ` Sayanta Pattanayak
  0 siblings, 1 reply; 20+ messages in thread
From: Daniel Kiper @ 2021-07-07 13:14 UTC (permalink / raw)
  To: Sayanta Pattanayak; +Cc: grub-devel, nd, javierm, xnox, pjones, leif

Hi Sayanta,

Sorry for late reply but I am just recovering after vacation...

CC-ing Javier, Dimitri, Peter and Leif.

On Thu, Jul 01, 2021 at 03:23:03PM +0000, Sayanta Pattanayak wrote:
> Hi All,
> I am new to grub and UEFI secure boot, so this is a beginner's question.
> UEFI secure boot on an Arm64 platform works fine with Grub 2.04.
> The linux kernel image is authenticated and loaded. But the same with
> Grub 2.06 version does not progress - following error messages are
> displayed.
>
> error: shim_lock protocol not found.
> error: you need to load the kernel first.
>
> With reference to
> "https://www.mail-archive.com/help-grub@gnu.org/msg05375.html",
> I created the Grub image with the "--disable-shim-lock" option. This
> change solved the "shim_lock" error, but then the following error
> message started appearing:
>
> error: verification requested but nobody cares: /Image.
> error: you need to load the kernel first.
> Press any key to continue...
>
> A large set of patches addressing the BootHole vulnerability
> (https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html)
> has been merged in Grub 2.06. Does this change the way images are
> signed, or is there another change that requires UEFI secure boot to
> be handled differently on the platform?
>
> Request any suggestion that would help validate UEFI secure boot with
> Grub 2.06 and later version.

Do you use GRUB 2.06 upstream or a Linux distribution variant? If
upstream could you provide us commands used to build the GRUB and
console output when debug is enabled, i.e. "set debug=all"?

Daniel



* RE: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-07 13:14 ` Daniel Kiper
@ 2021-07-08  7:04   ` Sayanta Pattanayak
  2021-07-08 10:51     ` Dimitri John Ledkov
  2021-07-08 13:27     ` Daniel Kiper
  0 siblings, 2 replies; 20+ messages in thread
From: Sayanta Pattanayak @ 2021-07-08  7:04 UTC (permalink / raw)
  To: Daniel Kiper; +Cc: grub-devel, nd, javierm, xnox, pjones, leif

Hi Daniel,

Thanks for your reply and hope you had a great vacation.
We use the upstream 2.06 tagged version. The build commands and console output are below.

>Do you use GRUB 2.06 upstream or a Linux distribution variant? If upstream
>could you provide us commands used to build the GRUB and console output
>when debug is enabled, i.e. "set debug=all"?
>


Commands used -

./autogen.sh
./configure STRIP=gcc-arm-10.2-2020.11-x86_64-aarch64-none-linux-gnu/bin/aarch64-none-linux-gnu-strip --target=aarch64-none-linux-gnu --with-platform=efi --prefix=grub/output/ --disable-werror
make
make -j $PARALLELISM install
output/bin/grub-mkimage -v -c ${GRUB_PLAT_CONFIG_FILE} -o output/grubaa64.efi -O arm64-efi -p "" part_gpt part_msdos ntfs ntfscomp hfsplus fat ext2 normal chain boot configfile linux help part_msdos terminal terminfo configfile lsefi search normal gettext loadenv read search_fs_file search_fs_uuid search_label



Following is the console output when "--disable-shim-lock" is not used:

Press ESCAPE for boot options ...........[Bds]Booting UEFI Non-Block Boot Device [Bds]Booting UEFI Misc Device [Bds]Booting UEFI Misc Device 2 Installed Fat filesystem on FE6E9318 Loading driver at 0x000F9264000 EntryPoint=0x000F9265000 Loading driver at 0x000F9264000 EntryPoint=0x000F9265000 Welcome to GRUB!

script/script.c:65: free 0x81fff49d60
script/script.c:65: free 0x81fff49da0
script/script.c:65: free 0x81fff49de0
script/script.c:65: free 0x81fff497c0
script/script.c:65: free 0x81fff49820
script/script.c:65: free 0x81fff49860
script/script.c:65: free 0x81fff498c0
script/script.c:65: free 0x81fff49920
script/script.c:65: free 0x81fff49b40
script/script.c:65: free 0x81fff49960
script/script.c:65: free 0x81fff499a0
script/script.c:65: free 0x81fff49a00
script/script.c:65: free 0x81fff49a40
script/script.c:65: free 0x81fff49c20
script/script.c:65: free 0x81fff49c80
script/script.c:65: free 0x81fff49cc0
script/lexer.c:336: token 288 text [set]
script/script.c:50: malloc 0x81fff49cc0
script/script.c:50: malloc 0x81fff49c80
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49c20
script/lexer.c:336: token 289 text [term=]
script/script.c:50: malloc 0x81fff49a40
script/script.c:50: malloc 0x81fff49a00
script/lexer.c:336: token 289 text [vt100]
script/script.c:50: malloc 0x81fff499a0
script/script.c:50: malloc 0x81fff49960
script/lexer.c:336: token 289 text []
script/script.c:50: malloc 0x81fff49900
script/script.c:50: malloc 0x81fff498c0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49860
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff49800
script/script.c:50: malloc 0x81fff497c0
script/script.c:198: cmdline
script/script.c:50: malloc 0x81fff49760
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x81fff49de0
script/script.c:50: malloc 0x81fff49da0
script/script.c:294: append command
script/script.c:50: malloc 0x81fff49d60
kern/verifiers.c:212: string: set term=vt100, type: 2
script/script.c:65: free 0x81fff49d60
script/script.c:65: free 0x81fff49da0
...

script/script.c:294: append command
script/script.c:50: malloc 0x81fff49d60
kern/verifiers.c:212: string: set timeout=1, type: 2
script/script.c:65: free 0x81fff49d60
...

script/script.c:65: free 0x81fff49cc0
script/lexer.c:336: token 288 text [search]
script/script.c:50: malloc 0x81fff49de0
script/script.c:50: malloc 0x81fff49c60
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49c00
script/lexer.c:336: token 289 text [--set=root]
script/script.c:50: malloc 0x81fff49a20
script/script.c:50: malloc 0x81fff499e0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49980
script/lexer.c:336: token 289 text [--fs-uuid]
script/script.c:50: malloc 0x81fff49920
script/script.c:50: malloc 0x81fff498e0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49880
script/lexer.c:336: token 289 text [535add81-5875-4b4a-b44a-464aee5f5cbd]
script/script.c:50: malloc 0x81fff496e0
script/script.c:50: malloc 0x81fff49680
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49620
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff495c0
script/script.c:50: malloc 0x81fff49580
script/script.c:198: cmdline
script/script.c:50: malloc 0x81fff49520
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x81fff49d80
script/script.c:50: malloc 0x81fff49d40
script/script.c:294: append command
script/script.c:50: malloc 0x81fff49d00
kern/verifiers.c:212: string: search --set=root --fs-uuid 535add81-5875-4b4a-b44a-464aee5f5cbd, type: 2
disk/efi/efidisk.c:413: iterating hd0
kern/disk.c:196: Opening `hd0'...
disk/efi/efidisk.c:482: opening hd0
disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size = 200, io align = 0
disk/efi/efidisk.c:531: opening hd0 succeeded
kern/fs.c:56: Detecting ext2...
kern/fs.c:78: ext2 detection failed.
kern/fs.c:56: Detecting fat...
kern/fs.c:78: fat detection failed.
kern/fs.c:56: Detecting hfsplus...
kern/fs.c:78: hfsplus detection failed.
kern/fs.c:56: Detecting ntfs...
kern/fs.c:78: ntfs detection failed.
kern/disk.c:295: Closing `hd0'.
disk/efi/efidisk.c:540: closing hd0
kern/disk.c:196: Opening `hd0'...
disk/efi/efidisk.c:482: opening hd0
disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size = 200, io align = 0
disk/efi/efidisk.c:531: opening hd0 succeeded
partmap/gpt.c:93: Read a valid GPT header
partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
partmap/msdos.c:184: partition 0: flag 0x0, type 0x0, start 0x0, len 0x0
partmap/msdos.c:184: partition 1: flag 0x0, type 0x0, start 0x0, len 0x0
partmap/msdos.c:184: partition 2: flag 0x0, type 0x0, start 0x0, len 0x0
partmap/msdos.c:184: partition 3: flag 0x0, type 0x0, start 0x0, len 0x0
partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xa800 from hd0
kern/disk.c:295: Closing `hd0'.
disk/efi/efidisk.c:540: closing hd0
kern/disk.c:196: Opening `hd0,gpt2'...
disk/efi/efidisk.c:482: opening hd0
disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size = 200, io align = 0
disk/efi/efidisk.c:531: opening hd0 succeeded
partmap/gpt.c:93: Read a valid GPT header
partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
kern/fs.c:56: Detecting ext2...
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xaa00 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xac00 from hd0
kern/disk.c:295: Closing `hd0'.
disk/efi/efidisk.c:540: closing hd0
script/script.c:65: free 0x81fff49d00
script/script.c:65: free 0x81fff49d40
...

script/script.c:65: free 0x81fff49de0
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff49cc0
script/script.c:50: malloc 0x81fff49c80
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x81fff49de0
script/script.c:50: malloc 0x81fff49da0
script/script.c:65: free 0x81fff49da0
script/script.c:65: free 0x81fff49de0
script/script.c:65: free 0x81fff49c80
script/script.c:65: free 0x81fff49cc0
script/lexer.c:336: token 288 text [menuentry]
script/script.c:50: malloc 0x81fff49cc0
script/script.c:50: malloc 0x81fff49c80
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49c20
script/lexer.c:336: token 289 text []
script/script.c:50: malloc 0x81fff49a40
script/script.c:50: malloc 0x81fff49a00
script/lexer.c:336: token 289 text [SGI-575 BusyBox]
script/script.c:50: malloc 0x81fff499a0
script/script.c:50: malloc 0x81fff49960
script/lexer.c:336: token 289 text []
script/script.c:50: malloc 0x81fff49900
script/script.c:50: malloc 0x81fff498c0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49860
script/lexer.c:336: token 266 text [{]
script/script.c:50: malloc 0x81fff49800
script/script.c:50: malloc 0x81fff497c0
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff49640
script/script.c:50: malloc 0x81fff49600
script/lexer.c:336: token 288 text [linux]
script/script.c:50: malloc 0x81fff494e0
script/script.c:50: malloc 0x81fff494a0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49440
script/lexer.c:336: token 289 text [/Image]
script/script.c:50: malloc 0x81fff49320
script/script.c:50: malloc 0x81fff492e0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49280
script/lexer.c:336: token 289 text [acpi=force]
script/script.c:50: malloc 0x81fff49220
script/script.c:50: malloc 0x81fff491e0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49180
script/lexer.c:336: token 289 text [console=ttyAMA0,115200]
script/script.c:50: malloc 0x81fff49120
script/script.c:50: malloc 0x81fff490c0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49060
script/lexer.c:336: token 289 text [ip=dhcp]
script/script.c:50: malloc 0x81fff49000
script/script.c:50: malloc 0x81fff48fc0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff48f60
script/lexer.c:336: token 289 text [root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94]
script/script.c:50: malloc 0x81fff48da0
script/script.c:50: malloc 0x81fff48d20
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff48cc0
script/lexer.c:336: token 288 text [rootwait]
script/script.c:50: malloc 0x81fff48c60
script/script.c:50: malloc 0x81fff48c20
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff48bc0
script/lexer.c:336: token 288 text [verbose]
script/script.c:50: malloc 0x81fff48b60
script/script.c:50: malloc 0x81fff48b20
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff48ac0
script/lexer.c:336: token 288 text [debug]
script/script.c:50: malloc 0x81fff48a60
script/script.c:50: malloc 0x81fff48a20
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff489c0
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff48960
script/script.c:50: malloc 0x81fff48920
script/script.c:198: cmdline
script/script.c:50: malloc 0x81fff488c0
script/script.c:294: append command
script/script.c:50: malloc 0x81fff48880
script/lexer.c:336: token 288 text [initrd]
script/script.c:50: malloc 0x81fff48720
script/script.c:50: malloc 0x81fff486e0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff48680
script/lexer.c:336: token 289 text [/ramdisk-busybox.img]
script/script.c:50: malloc 0x81fff48620
script/script.c:50: malloc 0x81fff485c0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff48560
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff48500
script/script.c:50: malloc 0x81fff484c0
script/script.c:198: cmdline
script/script.c:50: malloc 0x81fff48460
script/script.c:294: append command
script/lexer.c:336: token 267 text [}]
script/script.c:50: malloc 0x81fff48300
script/script.c:50: malloc 0x81fff482c0
script/script.c:50: malloc 0x81fff481e0
script/script.c:50: malloc 0x81fff49760
script/script.c:50: malloc 0x81fff48100
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff48040
script/script.c:198: cmdline
script/script.c:50: malloc 0x81fff47fe0
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff47f80
script/script.c:50: malloc 0x81fff47f40
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x81fff48400
script/script.c:50: malloc 0x81fff483c0
script/script.c:294: append command
script/script.c:50: malloc 0x81fff47f00
kern/verifiers.c:212: string: menuentry SGI-575 BusyBox {
        linux /Image acpi=force console=ttyAMA0,115200 ip=dhcp
root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose debug
        initrd /ramdisk-busybox.img
}, type: 2
script/script.c:65: free 0x81fff47f00
script/script.c:65: free 0x81fff483c0
script/script.c:65: free 0x81fff48400
script/script.c:65: free 0x81fff47f40
...

script/script.c:65: free 0x81fff49440
script/script.c:65: free 0x81fff494a0
script/script.c:65: free 0x81fff494e0
script/script.c:65: free 0x81fff49600
script/script.c:65: free 0x81fff49640
kern/disk.c:295: Closing `hd0'.
disk/efi/efidisk.c:540: closing hd0
GNU GRUB  version 2.11

 /----------------------------------------------------------------------------\
 |*SGI-575 BusyBox                                                            |
 |                                                                            |
 \----------------------------------------------------------------------------/

     Use the ^ and v keys to select which entry is highlighted.
     Press enter to boot the selected OS, `e' to edit the commands
     before booting or `c' for a command-line.
   The highlighted entry will be executed automatically in 1s.
   The highlighted entry will be executed automatically in 0s.

  Booting `SGI-575 BusyBox'

script/lexer.c:336: token 288 text [setparams]
script/script.c:50: malloc 0x81fff4a6a0
script/script.c:50: malloc 0x81fff4a660
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff4a600
script/lexer.c:336: token 289 text []
script/script.c:50: malloc 0x81fff4a420
script/script.c:50: malloc 0x81fff4a3e0
script/lexer.c:336: token 289 text [SGI-575 BusyBox]
script/script.c:50: malloc 0x81fff4a380
script/script.c:50: malloc 0x81fff4a340
script/lexer.c:336: token 289 text []
script/script.c:50: malloc 0x81fff4a2e0
script/script.c:50: malloc 0x81fff4a2a0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff4a240
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff4a1e0
script/script.c:50: malloc 0x81fff4a1a0
script/script.c:198: cmdline
script/script.c:50: malloc 0x81fff4a140
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x81fff4a7c0
script/script.c:50: malloc 0x81fff4a780
script/script.c:294: append command
script/script.c:50: malloc 0x81fff4a740
kern/verifiers.c:212: string: setparams SGI-575 BusyBox, type: 2
script/script.c:65: free 0x81fff4a740
script/script.c:65: free 0x81fff4a780
...

script/script.c:65: free 0x81fff4a660
script/script.c:65: free 0x81fff4a6a0
script/lexer.c:336: token 288 text [linux]
script/script.c:50: malloc 0x81fff4a7c0
script/script.c:50: malloc 0x81fff4a5c0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff4a560
script/lexer.c:336: token 289 text [/Image]
script/script.c:50: malloc 0x81fff4a380
script/script.c:50: malloc 0x81fff4a340
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff4a2e0
script/lexer.c:336: token 289 text [acpi=force]
script/script.c:50: malloc 0x81fff4a280
script/script.c:50: malloc 0x81fff4a240
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff4a1e0
script/lexer.c:336: token 289 text [console=ttyAMA0,115200]
script/script.c:50: malloc 0x81fff4a180
script/script.c:50: malloc 0x81fff4a120
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff4a0c0
script/lexer.c:336: token 289 text [ip=dhcp]
script/script.c:50: malloc 0x81fff4a060
script/script.c:50: malloc 0x81fff4a020
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49fc0
script/lexer.c:336: token 289 text [root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94]
script/script.c:50: malloc 0x81fff49d00
script/script.c:50: malloc 0x81fff49c80
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49c20
script/lexer.c:336: token 288 text [rootwait]
script/script.c:50: malloc 0x81fff49bc0
script/script.c:50: malloc 0x81fff49b80
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49b20
script/lexer.c:336: token 288 text [verbose]
script/script.c:50: malloc 0x81fff49ac0
script/script.c:50: malloc 0x81fff49a80
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49a20
script/lexer.c:336: token 288 text [debug]
script/script.c:50: malloc 0x81fff499c0
script/script.c:50: malloc 0x81fff49980
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49920
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff498c0
script/script.c:50: malloc 0x81fff49880
script/script.c:198: cmdline
script/script.c:50: malloc 0x81fff49820
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x81fff4a760
script/script.c:50: malloc 0x81fff4a720
script/script.c:294: append command
script/script.c:50: malloc 0x81fff4a6e0
kern/verifiers.c:212: string: linux /Image acpi=force console=ttyAMA0,115200 ip=dhcp root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose debug, type: 2
kern/disk.c:196: Opening `hd0,gpt2'...
disk/efi/efidisk.c:482: opening hd0
disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size = 200, io align = 0
disk/efi/efidisk.c:531: opening hd0 succeeded
partmap/gpt.c:93: Read a valid GPT header
partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
kern/fs.c:56: Detecting ext2...
kern/verifiers.c:88: file: /Image type: 3
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc40 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc80 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xccc0 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcd00 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcd40 from hd0 ...

disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1db80 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dbc0 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc00 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc40 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc80 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dcc0 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dd00 from hd0
kern/disk.c:295: Closing `hd0'.
disk/efi/efidisk.c:540: closing hd0
error: shim_lock protocol not found.
script/script.c:65: free 0x81fff4a6e0
script/script.c:65: free 0x81fff4a720
script/script.c:65: free 0x81fff4a760
script/script.c:65: free 0x81fff49820
...

script/script.c:65: free 0x81fff4a560
script/script.c:65: free 0x81fff4a5c0
script/script.c:65: free 0x81fff4a7c0
script/lexer.c:336: token 288 text [initrd]
script/script.c:50: malloc 0x81fff4a660
script/script.c:50: malloc 0x81fff4a620
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff4a5c0
script/lexer.c:336: token 289 text [/ramdisk-busybox.img]
script/script.c:50: malloc 0x81fff4a3e0
script/script.c:50: malloc 0x81fff4a380
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff4a320
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff4a2c0
script/script.c:50: malloc 0x81fff4a280
script/script.c:198: cmdline
script/script.c:50: malloc 0x81fff4a220
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x81fff4a780
script/script.c:50: malloc 0x81fff4a740
script/script.c:294: append command
script/script.c:50: malloc 0x81fff4a700
kern/verifiers.c:212: string: initrd /ramdisk-busybox.img, type: 2
error: you need to load the kernel first.
script/script.c:65: free 0x81fff4a700
script/script.c:65: free 0x81fff4a740
script/script.c:65: free 0x81fff4a780
...

script/script.c:65: free 0x81fff4a660
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff4a6a0
script/script.c:50: malloc 0x81fff4a660
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x81fff4a7c0
script/script.c:50: malloc 0x81fff4a780
script/script.c:65: free 0x81fff4a780
script/script.c:65: free 0x81fff4a7c0
script/script.c:65: free 0x81fff4a660
script/script.c:65: free 0x81fff4a6a0

Press any key to continue...

>Daniel

Thanks,
Sayanta



* Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-08  7:04   ` Sayanta Pattanayak
@ 2021-07-08 10:51     ` Dimitri John Ledkov
  2021-07-08 12:01       ` Michael Chang
  2021-07-12 16:15       ` Sayanta Pattanayak
  2021-07-08 13:27     ` Daniel Kiper
  1 sibling, 2 replies; 20+ messages in thread
From: Dimitri John Ledkov @ 2021-07-08 10:51 UTC (permalink / raw)
  To: Sayanta Pattanayak; +Cc: The development of GNU GRUB, nd


Hi,

The below mentioned commands are useful. Hence we need to debug this
further and establish further details about your setup.

1) which keys are in DB? ( mokutil --db --list-enrolled )

2) which keys are used to sign grub image? ( sbverify --list grub*.efi )

3) which keys are used to sign grub image? ( sbverify --list Image )

4) since shim verifier was not disabled during grub mkimage build, which
Shim did you compile, with what toolchain, and which keys was it signed
with?

5) if you don't want to use Shim (and lose the ability for users to enroll
their own machine owner key, and to revoke grub via sbat revocation - if
the underlying firmware can do those things, i.e. secure edk2 builds), you must
create the grub image with the disable shim lock verifier option.

6) if you do not want to sbsign the kernel image using secureboot keys, you can
alternatively provide a detached gpg signature and create the grub image with a gpg
public key built in.

8) maybe there is some other way to verify the kernel, i.e. you could implement
a new verifier module that uses calls to a prior stage bootloader or
firmware to verify kernel authenticity.

9) if you do not want to sign kernel at all in any way, you must disable
secureboot at either firmware level (SecureBoot variable) or
shim/grub/linux-only level (MokSBState see mokutil --disable-validation).
Because if firmware SecureBoot is on, and mokutil validation is on, loading
unverifiable kernels is not supported in grub 2.06 thanks to implementing
lockdown.

If the kernel is expected to be verifiable and yet fails to verify please
provide further details. We have experienced buggy compilers, binutils,
sbsign tooling which would produce invalid / unverifiable signatures in the
past. Also we have seen buggy firmware that fail to verify correctly signed
binaries.

On Thu, 8 Jul 2021, 08:05 Sayanta Pattanayak, <Sayanta.Pattanayak@arm.com>
wrote:

> Hi Daniel,
>
> Thanks for your reply and hope you had a great vacation.
> We use Upstream 2.06 tagged version. Mentioning below the Build Commands
> and Console Output.
>
> >-----Original Message-----
> >From: Daniel Kiper <dkiper@net-space.pl>
> >Sent: Wednesday, July 7, 2021 6:45 PM
> >To: Sayanta Pattanayak <Sayanta.Pattanayak@arm.com>
> >Cc: grub-devel@gnu.org; nd <nd@arm.com>; javierm@redhat.com;
> >xnox@ubuntu.com; pjones@redhat.com; leif@nuviainc.com
> >Subject: Re: UEFI Secureboot not succeeding with Grub 2.06 and later
> version
> >
> >Hi Sayanta,
> >
> >Sorry for late reply but I am just recovering after vacation...
> >
> >CC-ing Javier, Dimitri, Peter and Leif.
> >
> >On Thu, Jul 01, 2021 at 03:23:03PM +0000, Sayanta Pattanayak wrote:
> >> Hi All,
> >> I am new to grub and UEFI secure boot and so a beginners question.
> >> UEFI secureboot on a Arm64 platform works fine with Grub 2.04 version.
> >> The linux kernel image is authenticated and loaded. But the same with
> >> Grub 2.06 version does not progress - following error messages are
> >> displayed.
> >>
> >> error: shim_lock protocol not found.
> >> error: you need to load the kernel first.
> >>
> >> With reference of
> >> "https://www.mail-archive.com/help-grub@gnu.org/msg05375.html",
> >> created Grub image with "--disable-shim-lock" option. This change
> >> solved the "shim_lock" error but then the following error message
> >> started appearing-
> >>
> >> error: verification requested but nobody cares: /Image.
> >> error: you need to load the kernel first.
> >> Press any key to continue...
> >>
> >> A large set of patches addressing bootHole vulnerability
> >> (https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html)
> >> have been merged in the Grub 2.06 version. Does this change the way
> >> images are signed or is there any other change introduced that
> >> required UEFI secure boot to be handled differently on the platform.
> >>
> >> Request any suggestion that would help validate UEFI secure boot with
> >> Grub 2.06 and later version.
> >
> >Do you use GRUB 2.06 upstream or a Linux distribution variant? If upstream
> >could you provide us commands used to build the GRUB and console output
> >when debug is enabled, i.e. "set debug=all"?
> >
>
>
> Commands used -
>
> ./autogen.sh
> ./configure
> STRIP=gcc-arm-10.2-2020.11-x86_64-aarch64-none-linux-gnu/bin/aarch64-none-linux-gnu-strip
> --target=aarch64-none-linux-gnu --with-platform=efi --prefix=grub/output/
> --disable-werror
> Make
> make -j $PARALLELISM install
> output/bin/grub-mkimage -v -c ${GRUB_PLAT_CONFIG_FILE} -o
> output/grubaa64.efi -O arm64-efi -p "" part_gpt part_msdos ntfs ntfscomp
> hfsplus fat ext2 normal chain boot configfile linux help part_msdos
> terminal terminfo configfile lsefi search normal gettext loadenv read
> search_fs_file search_fs_uuid search_label
>
>
>
> Following is the console output when "--disable-shim-lock" is not used -
>
> Press ESCAPE for boot options ...........[Bds]Booting
> UEFI Non-Block Boot Device [Bds]Booting UEFI Misc Device [Bds]Booting UEFI
> Misc Device 2 Installed Fat filesystem on FE6E9318 Loading driver at
> 0x000F9264000 EntryPoint=0x000F9265000 Loading driver at 0x000F9264000
> EntryPoint=0x000F9265000 Welcome to GRUB!
>
> script/script.c:65: free 0x81fff49d60
> script/script.c:65: free 0x81fff49da0
> script/script.c:65: free 0x81fff49de0
> script/script.c:65: free 0x81fff497c0
> script/script.c:65: free 0x81fff49820
> script/script.c:65: free 0x81fff49860
> script/script.c:65: free 0x81fff498c0
> script/script.c:65: free 0x81fff49920
> script/script.c:65: free 0x81fff49b40
> script/script.c:65: free 0x81fff49960
> script/script.c:65: free 0x81fff499a0
> script/script.c:65: free 0x81fff49a00
> script/script.c:65: free 0x81fff49a40
> script/script.c:65: free 0x81fff49c20
> script/script.c:65: free 0x81fff49c80
> script/script.c:65: free 0x81fff49cc0
> script/lexer.c:336: token 288 text [set]
> script/script.c:50: malloc 0x81fff49cc0
> script/script.c:50: malloc 0x81fff49c80
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49c20
> script/lexer.c:336: token 289 text [term=]
> script/script.c:50: malloc 0x81fff49a40
> script/script.c:50: malloc 0x81fff49a00
> script/lexer.c:336: token 289 text [vt100]
> script/script.c:50: malloc 0x81fff499a0
> script/script.c:50: malloc 0x81fff49960
> script/lexer.c:336: token 289 text []
> script/script.c:50: malloc 0x81fff49900
> script/script.c:50: malloc 0x81fff498c0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49860
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff49800
> script/script.c:50: malloc 0x81fff497c0
> script/script.c:198: cmdline
> script/script.c:50: malloc 0x81fff49760
> script/lexer.c:336: token 0 text []
> script/script.c:50: malloc 0x81fff49de0
> script/script.c:50: malloc 0x81fff49da0
> script/script.c:294: append command
> script/script.c:50: malloc 0x81fff49d60
> kern/verifiers.c:212: string: set term=vt100, type: 2
> script/script.c:65: free 0x81fff49d60
> script/script.c:65: free 0x81fff49da0
> ...
>
> script/script.c:294: append command
> script/script.c:50: malloc 0x81fff49d60
> kern/verifiers.c:212: string: set timeout=1, type: 2
> script/script.c:65: free 0x81fff49d60
> ...
>
> script/script.c:65: free 0x81fff49cc0
> script/lexer.c:336: token 288 text [search]
> script/script.c:50: malloc 0x81fff49de0
> script/script.c:50: malloc 0x81fff49c60
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49c00
> script/lexer.c:336: token 289 text [--set=root]
> script/script.c:50: malloc 0x81fff49a20
> script/script.c:50: malloc 0x81fff499e0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49980
> script/lexer.c:336: token 289 text [--fs-uuid]
> script/script.c:50: malloc 0x81fff49920
> script/script.c:50: malloc 0x81fff498e0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49880
> script/lexer.c:336: token 289 text [535add81-5875-4b4a-b44a-464aee5f5cbd]
> script/script.c:50: malloc 0x81fff496e0
> script/script.c:50: malloc 0x81fff49680
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49620
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff495c0
> script/script.c:50: malloc 0x81fff49580
> script/script.c:198: cmdline
> script/script.c:50: malloc 0x81fff49520
> script/lexer.c:336: token 0 text []
> script/script.c:50: malloc 0x81fff49d80
> script/script.c:50: malloc 0x81fff49d40
> script/script.c:294: append command
> script/script.c:50: malloc 0x81fff49d00
> kern/verifiers.c:212: string: search --set=root --fs-uuid
> 535add81-5875-4b4a-b44a-464aee5f5cbd, type: 2
> disk/efi/efidisk.c:413: iterating hd0
> kern/disk.c:196: Opening `hd0'...
> disk/efi/efidisk.c:482: opening hd0
> disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size =
> 200, io align = 0
> disk/efi/efidisk.c:531: opening hd0 succeeded
> kern/fs.c:56: Detecting ext2...
> kern/fs.c:78: ext2 detection failed.
> kern/fs.c:56: Detecting fat...
> kern/fs.c:78: fat detection failed.
> kern/fs.c:56: Detecting hfsplus...
> kern/fs.c:78: hfsplus detection failed.
> kern/fs.c:56: Detecting ntfs...
> kern/fs.c:78: ntfs detection failed.
> kern/disk.c:295: Closing `hd0'.
> disk/efi/efidisk.c:540: closing hd0
> kern/disk.c:196: Opening `hd0'...
> disk/efi/efidisk.c:482: opening hd0
> disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size =
> 200, io align = 0
> disk/efi/efidisk.c:531: opening hd0 succeeded
> partmap/gpt.c:93: Read a valid GPT header
> partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
> partmap/msdos.c:184: partition 0: flag 0x0, type 0x0, start 0x0, len 0x0
> partmap/msdos.c:184: partition 1: flag 0x0, type 0x0, start 0x0, len 0x0
> partmap/msdos.c:184: partition 2: flag 0x0, type 0x0, start 0x0, len 0x0
> partmap/msdos.c:184: partition 3: flag 0x0, type 0x0, start 0x0, len 0x0
> partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xa800 from hd0
> kern/disk.c:295: Closing `hd0'.
> disk/efi/efidisk.c:540: closing hd0
> kern/disk.c:196: Opening `hd0,gpt2'...
> disk/efi/efidisk.c:482: opening hd0
> disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size =
> 200, io align = 0
> disk/efi/efidisk.c:531: opening hd0 succeeded
> partmap/gpt.c:93: Read a valid GPT header
> partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
> partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
> kern/fs.c:56: Detecting ext2...
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xaa00 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xac00 from hd0
> kern/disk.c:295: Closing `hd0'.
> disk/efi/efidisk.c:540: closing hd0
> script/script.c:65: free 0x81fff49d00
> script/script.c:65: free 0x81fff49d40
> ...
>
> script/script.c:65: free 0x81fff49de0
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff49cc0
> script/script.c:50: malloc 0x81fff49c80
> script/lexer.c:336: token 0 text []
> script/script.c:50: malloc 0x81fff49de0
> script/script.c:50: malloc 0x81fff49da0
> script/script.c:65: free 0x81fff49da0
> script/script.c:65: free 0x81fff49de0
> script/script.c:65: free 0x81fff49c80
> script/script.c:65: free 0x81fff49cc0
> script/lexer.c:336: token 288 text [menuentry]
> script/script.c:50: malloc 0x81fff49cc0
> script/script.c:50: malloc 0x81fff49c80
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49c20
> script/lexer.c:336: token 289 text []
> script/script.c:50: malloc 0x81fff49a40
> script/script.c:50: malloc 0x81fff49a00
> script/lexer.c:336: token 289 text [SGI-575 BusyBox]
> script/script.c:50: malloc 0x81fff499a0
> script/script.c:50: malloc 0x81fff49960
> script/lexer.c:336: token 289 text []
> script/script.c:50: malloc 0x81fff49900
> script/script.c:50: malloc 0x81fff498c0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49860
> script/lexer.c:336: token 266 text [{]
> script/script.c:50: malloc 0x81fff49800
> script/script.c:50: malloc 0x81fff497c0
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff49640
> script/script.c:50: malloc 0x81fff49600
> script/lexer.c:336: token 288 text [linux]
> script/script.c:50: malloc 0x81fff494e0
> script/script.c:50: malloc 0x81fff494a0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49440
> script/lexer.c:336: token 289 text [/Image]
> script/script.c:50: malloc 0x81fff49320
> script/script.c:50: malloc 0x81fff492e0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49280
> script/lexer.c:336: token 289 text [acpi=force]
> script/script.c:50: malloc 0x81fff49220
> script/script.c:50: malloc 0x81fff491e0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49180
> script/lexer.c:336: token 289 text [console=ttyAMA0,115200]
> script/script.c:50: malloc 0x81fff49120
> script/script.c:50: malloc 0x81fff490c0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49060
> script/lexer.c:336: token 289 text [ip=dhcp]
> script/script.c:50: malloc 0x81fff49000
> script/script.c:50: malloc 0x81fff48fc0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff48f60
> script/lexer.c:336: token 289 text
> [root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94]
> script/script.c:50: malloc 0x81fff48da0
> script/script.c:50: malloc 0x81fff48d20
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff48cc0
> script/lexer.c:336: token 288 text [rootwait]
> script/script.c:50: malloc 0x81fff48c60
> script/script.c:50: malloc 0x81fff48c20
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff48bc0
> script/lexer.c:336: token 288 text [verbose]
> script/script.c:50: malloc 0x81fff48b60
> script/script.c:50: malloc 0x81fff48b20
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff48ac0
> script/lexer.c:336: token 288 text [debug]
> script/script.c:50: malloc 0x81fff48a60
> script/script.c:50: malloc 0x81fff48a20
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff489c0
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff48960
> script/script.c:50: malloc 0x81fff48920
> script/script.c:198: cmdline
> script/script.c:50: malloc 0x81fff488c0
> script/script.c:294: append command
> script/script.c:50: malloc 0x81fff48880
> script/lexer.c:336: token 288 text [initrd]
> script/script.c:50: malloc 0x81fff48720
> script/script.c:50: malloc 0x81fff486e0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff48680
> script/lexer.c:336: token 289 text [/ramdisk-busybox.img]
> script/script.c:50: malloc 0x81fff48620
> script/script.c:50: malloc 0x81fff485c0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff48560
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff48500
> script/script.c:50: malloc 0x81fff484c0
> script/script.c:198: cmdline
> script/script.c:50: malloc 0x81fff48460
> script/script.c:294: append command
> script/lexer.c:336: token 267 text [}]
> script/script.c:50: malloc 0x81fff48300
> script/script.c:50: malloc 0x81fff482c0
> script/script.c:50: malloc 0x81fff481e0
> script/script.c:50: malloc 0x81fff49760
> script/script.c:50: malloc 0x81fff48100
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff48040
> script/script.c:198: cmdline
> script/script.c:50: malloc 0x81fff47fe0
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff47f80
> script/script.c:50: malloc 0x81fff47f40
> script/lexer.c:336: token 0 text []
> script/script.c:50: malloc 0x81fff48400
> script/script.c:50: malloc 0x81fff483c0
> script/script.c:294: append command
> script/script.c:50: malloc 0x81fff47f00
> kern/verifiers.c:212: string: menuentry SGI-575 BusyBox {
>         linux /Image acpi=force console=ttyAMA0,115200 ip=dhcp
> root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose debug
>         initrd /ramdisk-busybox.img
> }, type: 2
> script/script.c:65: free 0x81fff47f00
> script/script.c:65: free 0x81fff483c0
> script/script.c:65: free 0x81fff48400
> script/script.c:65: free 0x81fff47f40
> ...
>
> script/script.c:65: free 0x81fff49440
> script/script.c:65: free 0x81fff494a0
> script/script.c:65: free 0x81fff494e0
> script/script.c:65: free 0x81fff49600
> script/script.c:65: free 0x81fff49640
> kern/disk.c:295: Closing `hd0'.
> disk/efi/efidisk.c:540: closing hd0
> GNU GRUB  version 2.11
>
>    Use the ^ and v keys to select which entry is highlighted.
>       Press enter to boot the selected OS, `e' to edit the commands
>       before booting or `c' for a command-line.
>
> *SGI-575 BusyBox
>
>    The highlighted entry will be executed automatically in 1s.
>    The highlighted entry will be executed automatically in 0s.
>
>   Booting `SGI-575 BusyBox'
>
> script/lexer.c:336: token 288 text [setparams]
> script/script.c:50: malloc 0x81fff4a6a0
> script/script.c:50: malloc 0x81fff4a660
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff4a600
> script/lexer.c:336: token 289 text []
> script/script.c:50: malloc 0x81fff4a420
> script/script.c:50: malloc 0x81fff4a3e0
> script/lexer.c:336: token 289 text [SGI-575 BusyBox]
> script/script.c:50: malloc 0x81fff4a380
> script/script.c:50: malloc 0x81fff4a340
> script/lexer.c:336: token 289 text []
> script/script.c:50: malloc 0x81fff4a2e0
> script/script.c:50: malloc 0x81fff4a2a0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff4a240
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff4a1e0
> script/script.c:50: malloc 0x81fff4a1a0
> script/script.c:198: cmdline
> script/script.c:50: malloc 0x81fff4a140
> script/lexer.c:336: token 0 text []
> script/script.c:50: malloc 0x81fff4a7c0
> script/script.c:50: malloc 0x81fff4a780
> script/script.c:294: append command
> script/script.c:50: malloc 0x81fff4a740
> kern/verifiers.c:212: string: setparams SGI-575 BusyBox, type: 2
> script/script.c:65: free 0x81fff4a740
> script/script.c:65: free 0x81fff4a780
> ...
>
> script/script.c:65: free 0x81fff4a660
> script/script.c:65: free 0x81fff4a6a0
> script/lexer.c:336: token 288 text [linux]
> script/script.c:50: malloc 0x81fff4a7c0
> script/script.c:50: malloc 0x81fff4a5c0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff4a560
> script/lexer.c:336: token 289 text [/Image]
> script/script.c:50: malloc 0x81fff4a380
> script/script.c:50: malloc 0x81fff4a340
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff4a2e0
> script/lexer.c:336: token 289 text [acpi=force]
> script/script.c:50: malloc 0x81fff4a280
> script/script.c:50: malloc 0x81fff4a240
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff4a1e0
> script/lexer.c:336: token 289 text [console=ttyAMA0,115200]
> script/script.c:50: malloc 0x81fff4a180
> script/script.c:50: malloc 0x81fff4a120
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff4a0c0
> script/lexer.c:336: token 289 text [ip=dhcp]
> script/script.c:50: malloc 0x81fff4a060
> script/script.c:50: malloc 0x81fff4a020
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49fc0
> script/lexer.c:336: token 289 text
> [root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94]
> script/script.c:50: malloc 0x81fff49d00
> script/script.c:50: malloc 0x81fff49c80
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49c20
> script/lexer.c:336: token 288 text [rootwait]
> script/script.c:50: malloc 0x81fff49bc0
> script/script.c:50: malloc 0x81fff49b80
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49b20
> script/lexer.c:336: token 288 text [verbose]
> script/script.c:50: malloc 0x81fff49ac0
> script/script.c:50: malloc 0x81fff49a80
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49a20
> script/lexer.c:336: token 288 text [debug]
> script/script.c:50: malloc 0x81fff499c0
> script/script.c:50: malloc 0x81fff49980
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49920
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff498c0
> script/script.c:50: malloc 0x81fff49880
> script/script.c:198: cmdline
> script/script.c:50: malloc 0x81fff49820
> script/lexer.c:336: token 0 text []
> script/script.c:50: malloc 0x81fff4a760
> script/script.c:50: malloc 0x81fff4a720
> script/script.c:294: append command
> script/script.c:50: malloc 0x81fff4a6e0
> kern/verifiers.c:212: string: linux /Image acpi=force
> console=ttyAMA0,115200 ip=dhcp
> root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose debug,
> type: 2
> kern/disk.c:196: Opening `hd0,gpt2'...
> disk/efi/efidisk.c:482: opening hd0
> disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size =
> 200, io align = 0
> disk/efi/efidisk.c:531: opening hd0 succeeded
> partmap/gpt.c:93: Read a valid GPT header
> partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
> partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
> kern/fs.c:56: Detecting ext2...
> kern/verifiers.c:88: file: /Image type: 3
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc40 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc80 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xccc0 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcd00 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcd40 from hd0
> ...
>
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1db80 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dbc0 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc00 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc40 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc80 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dcc0 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dd00 from hd0
> kern/disk.c:295: Closing `hd0'.
> disk/efi/efidisk.c:540: closing hd0
> error: shim_lock protocol not found.
> script/script.c:65: free 0x81fff4a6e0
> script/script.c:65: free 0x81fff4a720
> script/script.c:65: free 0x81fff4a760
> script/script.c:65: free 0x81fff49820
> ...
>
> script/script.c:65: free 0x81fff4a560
> script/script.c:65: free 0x81fff4a5c0
> script/script.c:65: free 0x81fff4a7c0
> script/lexer.c:336: token 288 text [initrd]
> script/script.c:50: malloc 0x81fff4a660
> script/script.c:50: malloc 0x81fff4a620
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff4a5c0
> script/lexer.c:336: token 289 text [/ramdisk-busybox.img]
> script/script.c:50: malloc 0x81fff4a3e0
> script/script.c:50: malloc 0x81fff4a380
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff4a320
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff4a2c0
> script/script.c:50: malloc 0x81fff4a280
> script/script.c:198: cmdline
> script/script.c:50: malloc 0x81fff4a220
> script/lexer.c:336: token 0 text []
> script/script.c:50: malloc 0x81fff4a780
> script/script.c:50: malloc 0x81fff4a740
> script/script.c:294: append command
> script/script.c:50: malloc 0x81fff4a700
> kern/verifiers.c:212: string: initrd /ramdisk-busybox.img, type: 2
> error: you need to load the kernel first.
> script/script.c:65: free 0x81fff4a700
> script/script.c:65: free 0x81fff4a740
> script/script.c:65: free 0x81fff4a780
> ...
>
> script/script.c:65: free 0x81fff4a660
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff4a6a0
> script/script.c:50: malloc 0x81fff4a660
> script/lexer.c:336: token 0 text []
> script/script.c:50: malloc 0x81fff4a7c0
> script/script.c:50: malloc 0x81fff4a780
> script/script.c:65: free 0x81fff4a780
> script/script.c:65: free 0x81fff4a7c0
> script/script.c:65: free 0x81fff4a660
> script/script.c:65: free 0x81fff4a6a0
>
> Press any key to continue...
>
> >Daniel
>
> Thanks,
> Sayanta
>

[-- Attachment #2: Type: text/html, Size: 29656 bytes --]

^ permalink raw reply	[flat|nested] 20+ messages in thread
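A small triage helper for the `set debug=all` output posted above, added here as an example and not part of the thread or of GRUB itself: it walks the log, records every request that reaches kern/verifiers.c (command strings and opened files) and ties each following `error:` line back to that request, so "shim_lock protocol not found" is attributed to the /Image kernel load rather than to the initrd line that only fails as a consequence. The numeric-type name tables are my reading of GRUB's enum values (an assumption), and the sample log is constructed to mirror the format above.

```python
"""Triage helper for GRUB 'set debug=all' console output (added example)."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# ASSUMPTION: these labels follow the order of enum grub_verify_string_type
# and enum grub_file_type in GRUB's headers as I read them; they are only
# display names, the parser does not depend on them.
STRING_TYPES = {0: "kernel-cmdline", 1: "module-cmdline", 2: "command"}
FILE_TYPES = {0: "none", 1: "grub-module", 2: "loopback",
              3: "linux-kernel", 4: "linux-initrd"}

STRING_START = re.compile(r"kern/verifiers\.c:\d+: string: (?P<text>.*)$")
STRING_END = re.compile(r"^(?P<text>.*), type: (?P<type>\d+)$", re.S)
FILE_RE = re.compile(r"kern/verifiers\.c:\d+: file: (?P<path>\S+) type: (?P<type>\d+)$")
ERROR_RE = re.compile(r"^error: (?P<msg>.*)$")


@dataclass
class VerifyEvent:
    kind: str                  # "string" (a command line) or "file"
    subject: str               # the command text or the file path
    type_name: str             # decoded from the tables above
    errors: List[str] = field(default_factory=list)


def _unquote(raw: str) -> str:
    """Strip mail quoting ('> ', '> > ') so a pasted log parses as-is."""
    line = raw.rstrip("\n")
    while line.startswith(">"):
        line = line[1:].lstrip(" ")
    return line.strip()


def parse_verifier_events(lines: Iterable[str]) -> List[VerifyEvent]:
    """Collect verifier requests; each 'error:' is attached to the last one."""
    events: List[VerifyEvent] = []
    pending: Optional[str] = None      # buffer for a 'string:' wrapped over lines
    for raw in lines:
        line = _unquote(raw)
        if pending is not None:        # still inside a multi-line command string
            pending += "\n" + line
            m = STRING_END.match(pending)
            if m:
                events.append(VerifyEvent("string", m["text"].strip(),
                                          STRING_TYPES.get(int(m["type"]), "unknown")))
                pending = None
            continue
        m = STRING_START.search(line)
        if m:
            end = STRING_END.match(m["text"])
            if end:
                events.append(VerifyEvent("string", end["text"].strip(),
                                          STRING_TYPES.get(int(end["type"]), "unknown")))
            else:
                pending = m["text"]    # e.g. a menuentry block, closed by '}, type: N'
            continue
        m = FILE_RE.search(line)
        if m:
            events.append(VerifyEvent("file", m["path"],
                                      FILE_TYPES.get(int(m["type"]), "unknown")))
            continue
        m = ERROR_RE.match(line)
        if m and events:
            events[-1].errors.append(m["msg"])
    return events


def failed_verifications(events: List[VerifyEvent]):
    """(kind, subject, type_name, error) for every request that drew an error."""
    return [(e.kind, e.subject, e.type_name, err) for e in events for err in e.errors]


# Constructed sample, mirroring the mail-quoted log format in the thread.
SAMPLE_LOG = """\
> kern/verifiers.c:212: string: set term=vt100, type: 2
> kern/verifiers.c:212: string: menuentry SGI-575 BusyBox {
>         linux /Image acpi=force console=ttyAMA0,115200
>         initrd /ramdisk-busybox.img
> }, type: 2
> kern/verifiers.c:212: string: linux /Image acpi=force, type: 2
> kern/disk.c:196: Opening `hd0,gpt2'...
> kern/verifiers.c:88: file: /Image type: 3
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc40 from hd0
> error: shim_lock protocol not found.
> kern/verifiers.c:212: string: initrd /ramdisk-busybox.img, type: 2
> error: you need to load the kernel first.
"""

if __name__ == "__main__":
    evs = parse_verifier_events(SAMPLE_LOG.splitlines())
    print(f"{len(evs)} verifier requests seen")
    for kind, subject, tname, err in failed_verifications(evs):
        print(f"{kind} {tname}: {subject.splitlines()[0]!r} -> {err}")
```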

* Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-08 10:51     ` Dimitri John Ledkov
@ 2021-07-08 12:01       ` Michael Chang
  2021-07-08 12:18         ` Dimitri John Ledkov
  2021-07-08 13:31         ` Daniel Kiper
  2021-07-12 16:15       ` Sayanta Pattanayak
  1 sibling, 2 replies; 20+ messages in thread
From: Michael Chang @ 2021-07-08 12:01 UTC (permalink / raw)
  To: The development of GNU GRUB; +Cc: Sayanta Pattanayak, nd

Hi Dimitri,

On Thu, Jul 08, 2021 at 11:51:25AM +0100, Dimitri John Ledkov wrote:
> Hi,
> 
> The below mentioned commands are useful. Hence we need to debug this
> further and establish further details about your setup.

I think the problem here is that arm64 already uses LoadImage to verify
the kernel image so the shim lock is not really required. IMHO the
lockdown verifier should be relaxed for the arm platform as there will
always be a verifier (LoadImage) used to boot the kernel.

Thanks,
Michael

> 
> 1) which keys are in DB? ( mokutil --db --list-enrolled )
> 
> 2) which keys are used to sign grub image? ( sbverify --list grub*.efi )
> 
> 3) which keys are used to sign grub image? ( sbverify --list Image )
> 
> 4) since shim verifier was not disabled during grub mkimage build, which
> Shim did you compile, with what toolchain, and which keys was it signed
> with?
> 
> 5) if you don't want to use Shim (and lose the ability for users to enroll
> their own machine owner key, and revoke grub via sbat revocation - if
> underlying firmware can do those things i.e. secure edk2 builds), you must
> create grub image with disable shim lock verifier option.
> 
> 6) if you do not want to sbsign kernel image using secureboot keys, you can
> alternatively provide detached gpg signature and create grub image with a gpg
> public key built-in.
> 
> 8) maybe there is some other way to verify kernel, i.e. you could implement
> a new verifier module that uses calls to a prior stage bootloader or
> firmware to verify kernel authenticity.
> 
> 9) if you do not want to sign kernel at all in any way, you must disable
> secureboot at either firmware level (SecureBoot variable) or
> shim/grub/linux-only level (MokSBState see mokutil --disable-validation).
> Because if firmware SecureBoot is on, and mokutil validation is on, loading
> unverifiable kernels is not supported in grub 2.06 thanks to implementing
> lockdown.
> 
> If the kernel is expected to be verifiable and yet fails to verify please
> provide further details. We have experienced buggy compilers, binutils,
> sbsign tooling which would produce invalid / unverifiable signatures in the
> past. Also we have seen buggy firmware that fails to verify correctly signed
> binaries.
> 
> On Thu, 8 Jul 2021, 08:05 Sayanta Pattanayak, <Sayanta.Pattanayak@arm.com>
> wrote:
> 
> > Hi Daniel,
> >
> > Thanks for your reply and hope you had a great vacation.
> > We use Upstream 2.06 tagged version. Mentioning below the Build Commands
> > and Console Output.
> >
> > >-----Original Message-----
> > >From: Daniel Kiper <dkiper@net-space.pl>
> > >Sent: Wednesday, July 7, 2021 6:45 PM
> > >To: Sayanta Pattanayak <Sayanta.Pattanayak@arm.com>
> > >Cc: grub-devel@gnu.org; nd <nd@arm.com>; javierm@redhat.com;
> > >xnox@ubuntu.com; pjones@redhat.com; leif@nuviainc.com
> > >Subject: Re: UEFI Secureboot not succeeding with Grub 2.06 and later
> > version
> > >
> > >Hi Sayanta,
> > >
> > >Sorry for late reply but I am just recovering after vacation...
> > >
> > >CC-ing Javier, Dimitri, Peter and Leif.
> > >
> > >On Thu, Jul 01, 2021 at 03:23:03PM +0000, Sayanta Pattanayak wrote:
> > >> Hi All,
> > >> I am new to grub and UEFI secure boot and so a beginners question.
> > >> UEFI secureboot on a Arm64 platform works fine with Grub 2.04 version.
> > >> The linux kernel image is authenticated and loaded. But the same with
> > >> Grub 2.06 version does not progress - following error messages are
> > >> displayed.
> > >>
> > >> error: shim_lock protocol not found.
> > >> error: you need to load the kernel first.
> > >>
> > >> With reference of
> > >> "https://www.mail-archive.com/help-grub@gnu.org/msg05375.html",
> > >> created Grub image with "--disable-shim-lock" option. This change
> > >> solved the "shim_lock" error but then the following error message
> > >> started appearing-
> > >>
> > >> error: verification requested but nobody cares: /Image.
> > >> error: you need to load the kernel first.
> > >> Press any key to continue...
> > >>
> > >> A large set of patches addressing bootHole vulnerability
> > >> (https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html)
> > >> have been merged in the Grub 2.06 version. Does this change the way
> > >> images are signed or is there any other change introduced that
> > >> required UEFI secure boot to be handled differently on the platform.
> > >>
> > >> Request any suggestion that would help validate UEFI secure boot with
> > >> Grub 2.06 and later version.
> > >
> > >Do you use GRUB 2.06 upstream or a Linux distribution variant? If upstream
> > >could you provide us commands used to build the GRUB and console output
> > >when debug is enabled, i.e. "set debug=all"?
> > >
> >
> >
> > Commands used -
> >
> > ./autogen.sh
> > ./configure
> > STRIP=gcc-arm-10.2-2020.11-x86_64-aarch64-none-linux-gnu/bin/aarch64-none-linux-gnu-strip
> > --target=aarch64-none-linux-gnu --with-platform=efi --prefix=grub/output/
> > --disable-werror
> > make
> > make -j $PARALLELISM install
> > output/bin/grub-mkimage -v -c ${GRUB_PLAT_CONFIG_FILE} -o
> > output/grubaa64.efi -O arm64-efi -p "" part_gpt part_msdos ntfs ntfscomp
> > hfsplus fat ext2 normal chain boot configfile linux help part_msdos
> > terminal terminfo configfile lsefi search normal gettext loadenv read
> > search_fs_file search_fs_uuid search_label
> >
> >
> >
> > Following is the console output when "--disable-shim-lock" is not used -
> >
> > script/lexer.c:336: token 288 text [linux]
> > script/script.c:50: malloc 0x81fff494e0
> > script/script.c:50: malloc 0x81fff494a0
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff49440
> > script/lexer.c:336: token 289 text [/Image]
> > script/script.c:50: malloc 0x81fff49320
> > script/script.c:50: malloc 0x81fff492e0
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff49280
> > script/lexer.c:336: token 289 text [acpi=force]
> > script/script.c:50: malloc 0x81fff49220
> > script/script.c:50: malloc 0x81fff491e0
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff49180
> > script/lexer.c:336: token 289 text [console=ttyAMA0,115200]
> > script/script.c:50: malloc 0x81fff49120
> > script/script.c:50: malloc 0x81fff490c0
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff49060
> > script/lexer.c:336: token 289 text [ip=dhcp]
> > script/script.c:50: malloc 0x81fff49000
> > script/script.c:50: malloc 0x81fff48fc0
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff48f60
> > script/lexer.c:336: token 289 text
> > [root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94]
> > script/script.c:50: malloc 0x81fff48da0
> > script/script.c:50: malloc 0x81fff48d20
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff48cc0
> > script/lexer.c:336: token 288 text [rootwait]
> > script/script.c:50: malloc 0x81fff48c60
> > script/script.c:50: malloc 0x81fff48c20
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff48bc0
> > script/lexer.c:336: token 288 text [verbose]
> > script/script.c:50: malloc 0x81fff48b60
> > script/script.c:50: malloc 0x81fff48b20
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff48ac0
> > script/lexer.c:336: token 288 text [debug]
> > script/script.c:50: malloc 0x81fff48a60
> > script/script.c:50: malloc 0x81fff48a20
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff489c0
> > script/lexer.c:336: token 259 text []
> > script/script.c:50: malloc 0x81fff48960
> > script/script.c:50: malloc 0x81fff48920
> > script/script.c:198: cmdline
> > script/script.c:50: malloc 0x81fff488c0
> > script/script.c:294: append command
> > script/script.c:50: malloc 0x81fff48880
> > script/lexer.c:336: token 288 text [initrd]
> > script/script.c:50: malloc 0x81fff48720
> > script/script.c:50: malloc 0x81fff486e0
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff48680
> > script/lexer.c:336: token 289 text [/ramdisk-busybox.img]
> > script/script.c:50: malloc 0x81fff48620
> > script/script.c:50: malloc 0x81fff485c0
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff48560
> > script/lexer.c:336: token 259 text []
> > script/script.c:50: malloc 0x81fff48500
> > script/script.c:50: malloc 0x81fff484c0
> > script/script.c:198: cmdline
> > script/script.c:50: malloc 0x81fff48460
> > script/script.c:294: append command
> > script/lexer.c:336: token 267 text [}]
> > script/script.c:50: malloc 0x81fff48300
> > script/script.c:50: malloc 0x81fff482c0
> > script/script.c:50: malloc 0x81fff481e0
> > script/script.c:50: malloc 0x81fff49760
> > script/script.c:50: malloc 0x81fff48100
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff48040
> > script/script.c:198: cmdline
> > script/script.c:50: malloc 0x81fff47fe0
> > script/lexer.c:336: token 259 text []
> > script/script.c:50: malloc 0x81fff47f80
> > script/script.c:50: malloc 0x81fff47f40
> > script/lexer.c:336: token 0 text []
> > script/script.c:50: malloc 0x81fff48400
> > script/script.c:50: malloc 0x81fff483c0
> > script/script.c:294: append command
> > script/script.c:50: malloc 0x81fff47f00
> > kern/verifiers.c:212: string: menuentry SGI-575 BusyBox {
> >         linux /Image acpi=force console=ttyAMA0,115200 ip=dhcp
> > root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose debug
> >         initrd /ramdisk-busybox.img
> > }, type: 2
> > script/script.c:65: free 0x81fff47f00
> > script/script.c:65: free 0x81fff483c0
> > script/script.c:65: free 0x81fff48400
> > script/script.c:65: free 0x81fff47f40
> > ...
> >
> > script/script.c:65: free 0x81fff49440
> > script/script.c:65: free 0x81fff494a0
> > script/script.c:65: free 0x81fff494e0
> > script/script.c:65: free 0x81fff49600
> > script/script.c:65: free 0x81fff49640
> > kern/disk.c:295: Closing `hd0'.
> > disk/efi/efidisk.c:540: closing hd0
> > GNU GRUB  version 2.11
> >
> >    Use the ^ and v keys to select which entry is highlighted.
> >       Press enter to boot the selected OS, `e' to edit the commands
> >       before booting or `c' for a command-line.
> >
> >  *SGI-575 BusyBox
> >
> >    The highlighted entry will be executed automatically in 1s.
> >    The highlighted entry will be executed automatically in 0s.
> >
> >   Booting `SGI-575 BusyBox'
> >
> > script/lexer.c:336: token 288 text [setparams]
> > script/script.c:50: malloc 0x81fff4a6a0
> > script/script.c:50: malloc 0x81fff4a660
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff4a600
> > script/lexer.c:336: token 289 text []
> > script/script.c:50: malloc 0x81fff4a420
> > script/script.c:50: malloc 0x81fff4a3e0
> > script/lexer.c:336: token 289 text [SGI-575 BusyBox]
> > script/script.c:50: malloc 0x81fff4a380
> > script/script.c:50: malloc 0x81fff4a340
> > script/lexer.c:336: token 289 text []
> > script/script.c:50: malloc 0x81fff4a2e0
> > script/script.c:50: malloc 0x81fff4a2a0
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff4a240
> > script/lexer.c:336: token 259 text []
> > script/script.c:50: malloc 0x81fff4a1e0
> > script/script.c:50: malloc 0x81fff4a1a0
> > script/script.c:198: cmdline
> > script/script.c:50: malloc 0x81fff4a140
> > script/lexer.c:336: token 0 text []
> > script/script.c:50: malloc 0x81fff4a7c0
> > script/script.c:50: malloc 0x81fff4a780
> > script/script.c:294: append command
> > script/script.c:50: malloc 0x81fff4a740
> > kern/verifiers.c:212: string: setparams SGI-575 BusyBox, type: 2
> > script/script.c:65: free 0x81fff4a740
> > script/script.c:65: free 0x81fff4a780
> > ...
> >
> > script/script.c:65: free 0x81fff4a660
> > script/script.c:65: free 0x81fff4a6a0
> > script/lexer.c:336: token 288 text [linux]
> > script/script.c:50: malloc 0x81fff4a7c0
> > script/script.c:50: malloc 0x81fff4a5c0
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff4a560
> > script/lexer.c:336: token 289 text [/Image]
> > script/script.c:50: malloc 0x81fff4a380
> > script/script.c:50: malloc 0x81fff4a340
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff4a2e0
> > script/lexer.c:336: token 289 text [acpi=force]
> > script/script.c:50: malloc 0x81fff4a280
> > script/script.c:50: malloc 0x81fff4a240
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff4a1e0
> > script/lexer.c:336: token 289 text [console=ttyAMA0,115200]
> > script/script.c:50: malloc 0x81fff4a180
> > script/script.c:50: malloc 0x81fff4a120
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff4a0c0
> > script/lexer.c:336: token 289 text [ip=dhcp]
> > script/script.c:50: malloc 0x81fff4a060
> > script/script.c:50: malloc 0x81fff4a020
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff49fc0
> > script/lexer.c:336: token 289 text
> > [root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94]
> > script/script.c:50: malloc 0x81fff49d00
> > script/script.c:50: malloc 0x81fff49c80
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff49c20
> > script/lexer.c:336: token 288 text [rootwait]
> > script/script.c:50: malloc 0x81fff49bc0
> > script/script.c:50: malloc 0x81fff49b80
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff49b20
> > script/lexer.c:336: token 288 text [verbose]
> > script/script.c:50: malloc 0x81fff49ac0
> > script/script.c:50: malloc 0x81fff49a80
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff49a20
> > script/lexer.c:336: token 288 text [debug]
> > script/script.c:50: malloc 0x81fff499c0
> > script/script.c:50: malloc 0x81fff49980
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff49920
> > script/lexer.c:336: token 259 text []
> > script/script.c:50: malloc 0x81fff498c0
> > script/script.c:50: malloc 0x81fff49880
> > script/script.c:198: cmdline
> > script/script.c:50: malloc 0x81fff49820
> > script/lexer.c:336: token 0 text []
> > script/script.c:50: malloc 0x81fff4a760
> > script/script.c:50: malloc 0x81fff4a720
> > script/script.c:294: append command
> > script/script.c:50: malloc 0x81fff4a6e0
> > kern/verifiers.c:212: string: linux /Image acpi=force
> > console=ttyAMA0,115200 ip=dhcp
> > root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose debug,
> > type: 2
> > kern/disk.c:196: Opening `hd0,gpt2'...
> > disk/efi/efidisk.c:482: opening hd0
> > disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size =
> > 200, io align = 0
> > disk/efi/efidisk.c:531: opening hd0 succeeded
> > partmap/gpt.c:93: Read a valid GPT header
> > partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
> > partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
> > kern/fs.c:56: Detecting ext2...
> > kern/verifiers.c:88: file: /Image type: 3
> > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc40 from hd0
> > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc80 from hd0
> > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xccc0 from hd0
> > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcd00 from hd0
> > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcd40 from hd0
> > ...
> >
> > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1db80 from hd0
> > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dbc0 from hd0
> > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc00 from hd0
> > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc40 from hd0
> > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc80 from hd0
> > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dcc0 from hd0
> > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dd00 from hd0
> > kern/disk.c:295: Closing `hd0'.
> > disk/efi/efidisk.c:540: closing hd0
> > error: shim_lock protocol not found.
> > script/script.c:65: free 0x81fff4a6e0
> > script/script.c:65: free 0x81fff4a720
> > script/script.c:65: free 0x81fff4a760
> > script/script.c:65: free 0x81fff49820
> > ...
> >
> > script/script.c:65: free 0x81fff4a560
> > script/script.c:65: free 0x81fff4a5c0
> > script/script.c:65: free 0x81fff4a7c0
> > script/lexer.c:336: token 288 text [initrd]
> > script/script.c:50: malloc 0x81fff4a660
> > script/script.c:50: malloc 0x81fff4a620
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff4a5c0
> > script/lexer.c:336: token 289 text [/ramdisk-busybox.img]
> > script/script.c:50: malloc 0x81fff4a3e0
> > script/script.c:50: malloc 0x81fff4a380
> > script/script.c:163: arglist
> > script/script.c:50: malloc 0x81fff4a320
> > script/lexer.c:336: token 259 text []
> > script/script.c:50: malloc 0x81fff4a2c0
> > script/script.c:50: malloc 0x81fff4a280
> > script/script.c:198: cmdline
> > script/script.c:50: malloc 0x81fff4a220
> > script/lexer.c:336: token 0 text []
> > script/script.c:50: malloc 0x81fff4a780
> > script/script.c:50: malloc 0x81fff4a740
> > script/script.c:294: append command
> > script/script.c:50: malloc 0x81fff4a700
> > kern/verifiers.c:212: string: initrd /ramdisk-busybox.img, type: 2
> > error: you need to load the kernel first.
> > script/script.c:65: free 0x81fff4a700
> > script/script.c:65: free 0x81fff4a740
> > script/script.c:65: free 0x81fff4a780
> > ...
> >
> > script/script.c:65: free 0x81fff4a660
> > script/lexer.c:336: token 259 text []
> > script/script.c:50: malloc 0x81fff4a6a0
> > script/script.c:50: malloc 0x81fff4a660
> > script/lexer.c:336: token 0 text []
> > script/script.c:50: malloc 0x81fff4a7c0
> > script/script.c:50: malloc 0x81fff4a780
> > script/script.c:65: free 0x81fff4a780
> > script/script.c:65: free 0x81fff4a7c0
> > script/script.c:65: free 0x81fff4a660
> > script/script.c:65: free 0x81fff4a6a0
> >
> > Press any key to continue...
> >
> > >Daniel
> >
> > Thanks,
> > Sayanta
> >

> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel



^ permalink raw reply	[flat|nested] 20+ messages in thread
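
The quoted `set debug=all` trace has a recognisable shape: `kern/verifiers.c:88: file: /Image type: 3` is the kernel being handed to GRUB's verifier chain, the `error:` line that follows is that chain's verdict, and the later `you need to load the kernel first` from the initrd command is fallout from the failed `linux` command rather than a second verification failure. Below is an added example, not code from the thread or from GRUB, that reads such a trace, pairs each verifier event with the error that follows it, and maps the two error strings seen in the thread to what they mean in the 2.06 lockdown/verifier design. The file type numbers are assumed to follow GRUB's `enum grub_file_type` in include/grub/file.h (3 = Linux kernel, 4 = initrd); the sample logs are constructed from lines posted in the thread, trimmed.

```python
"""Pair GRUB verifier events with the error that follows them in a
``set debug=all`` console log.

Added example: this is not code from the thread or from GRUB. Assumptions:
  * file type numbers follow GRUB's enum grub_file_type in include/grub/file.h
    (0 NONE, 1 GRUB_MODULE, 2 LOOPBACK, 3 LINUX_KERNEL, 4 LINUX_INITRD);
  * the two error strings are the ones quoted verbatim in the thread.
The sample logs are constructed from lines posted in the thread, trimmed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: subset of enum grub_file_type, values as in GRUB 2.06.
GRUB_FILE_TYPES = {0: "NONE", 1: "GRUB_MODULE", 2: "LOOPBACK",
                   3: "LINUX_KERNEL", 4: "LINUX_INITRD"}

# Verifier-chain errors seen in the thread and what each one means.
VERIFIER_ERRORS = {
    "shim_lock protocol not found":
        "GRUB carries the shim_lock verifier and Secure Boot is on, but GRUB "
        "was not started by shim: boot via shim, or build with "
        "grub-mkimage --disable-shim-lock and supply another verifier.",
    "verification requested but nobody cares":
        "lockdown requires this file type to be authenticated and no verifier "
        "claimed it: register one (shim_lock via shim, or a built-in gpg key "
        "with detached signatures) or turn Secure Boot off.",
}

# Fallout from a failed `linux` command, not a verification failure itself.
DOWNSTREAM_ERRORS = {"you need to load the kernel first"}

FILE_RE = re.compile(r"kern/verifiers\.c:\d+: file: (?P<path>\S+) type: (?P<type>\d+)")
ERR_RE = re.compile(r"^error: (?P<msg>.*?)\.?$")


@dataclass
class Finding:
    path: str
    file_type: str
    error: str
    meaning: str


@dataclass
class Report:
    findings: List[Finding] = field(default_factory=list)
    downstream: List[str] = field(default_factory=list)


def analyze(log_text: str) -> Report:
    """Walk the log once; each verifier 'file:' line is paired with the next error."""
    report = Report()
    pending: Optional[Tuple[str, str]] = None  # last file handed to the verifiers
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_RE.search(line)
        if m:
            name = GRUB_FILE_TYPES.get(int(m.group("type")), "UNKNOWN")
            pending = (m.group("path"), name)
            continue
        e = ERR_RE.match(line)
        if not e:
            continue
        msg = e.group("msg")
        if msg in DOWNSTREAM_ERRORS:
            report.downstream.append(msg)
            continue
        key = msg.split(":", 1)[0].strip()   # "nobody cares: /Image" -> drop the path
        meaning = VERIFIER_ERRORS.get(key, "unrecognised error; read the verifier chain")
        path, ftype = pending if pending else ("?", "UNKNOWN")
        report.findings.append(Finding(path, ftype, key, meaning))
        pending = None
    return report


def summarize(report: Report) -> List[str]:
    """One line per finding, for a human reading the console."""
    out = [f"{f.path} ({f.file_type}): {f.error} -> {f.meaning}" for f in report.findings]
    if report.downstream:
        out.append("ignored as fallout: " + ", ".join(report.downstream))
    return out


# Constructed sample, trimmed from the trace posted in the thread.
SAMPLE_SHIM_LOCK = """\
kern/verifiers.c:212: string: linux /Image acpi=force console=ttyAMA0,115200, type: 2
kern/disk.c:196: Opening `hd0,gpt2'...
kern/fs.c:56: Detecting ext2...
kern/verifiers.c:88: file: /Image type: 3
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc40 from hd0
kern/disk.c:295: Closing `hd0'.
error: shim_lock protocol not found.
kern/verifiers.c:212: string: initrd /ramdisk-busybox.img, type: 2
error: you need to load the kernel first.
"""

# Constructed: the same boot after rebuilding with --disable-shim-lock.
SAMPLE_NO_VERIFIER = SAMPLE_SHIM_LOCK.replace(
    "error: shim_lock protocol not found.",
    "error: verification requested but nobody cares: /Image.")


if __name__ == "__main__":
    for sample in (SAMPLE_SHIM_LOCK, SAMPLE_NO_VERIFIER):
        print("\n".join(summarize(analyze(sample))))
        print()
```

Run it against a saved console capture (after stripping terminal escape sequences) and it reports one finding per file the verifier chain rejected, with the initrd error set aside; the same pairing logic applies to initrd (type 4) or module (type 1) rejections, which lockdown also gates.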

* Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-08 12:01       ` Michael Chang
@ 2021-07-08 12:18         ` Dimitri John Ledkov
  2021-07-09  6:18           ` Michael Chang
  2021-07-08 13:31         ` Daniel Kiper
  1 sibling, 1 reply; 20+ messages in thread
From: Dimitri John Ledkov @ 2021-07-08 12:18 UTC (permalink / raw)
  To: The development of GNU GRUB; +Cc: Michael Chang, Sayanta Pattanayak, nd

[-- Attachment #1: Type: text/plain, Size: 29823 bytes --]

On Thu, 8 Jul 2021, 13:05 Michael Chang via Grub-devel, <grub-devel@gnu.org>
wrote:

> Hi Dimitri,
>
> On Thu, Jul 08, 2021 at 11:51:25AM +0100, Dimitri John Ledkov wrote:
> > Hi,
> >
> > The below mentioned commands are useful. Hence we need to debug this
> > further and establish further details about your setup.
>
> I think the problem here is that arm64 already uses LoadImage to verify
> the kernel image so the shim lock is not really required. IMHO the
> lockdown verifier should be relaxed for the arm platform as there will
> always be a verifier (LoadImage) used to boot the kernel.
>

But UX is not nice. Many production arm64 servers and cloud instances ship
with UEFI 2011 db keys, and some shims ship revocations. If grub calls into
shim to verify a kernel and gets a reject, grub can stay up and still let
someone choose another boot option. Can grub still do that when calling
LoadImage?

Also, many shims at the moment still ship with EBS Protection turned on on
ARM64 which prevents booting with just LoadImage without first using shim
protocol to verify. Ubuntu's shim has that disabled, but not others and
upstream still do.

Indeed it would be ideal if all grub EFI platforms used LoadImage2 API
without explicit calls to shim protocol, and it would be up to shim to
install LoadImage2 API. Such that from grub's point of view it wouldn't
care if Shim or Firmware verified things. I guess it is 2.08 material.



Thanks,
> Michael
>
> >
> > 1) which keys are in DB? ( mokutil --db --list-enrolled )
> >
> > 2) which keys are used to sign grub image? ( sbverify --list grub*.efi )
> >
> > 3) which keys are used to sign grub image? ( sbverify --list Image )
> >
> > 4) since shim verifier was not disabled during grub mkimage build, which
> > Shim did you compile, with what toolchain, and which keys was it signed
> > with?
> >
> > 5) if you don't want to use Shim (and lose ability for users to enroll
> > their own machine owner key, and revoke grub via sbat revocation - if
> > underlying firmware can do those things i.e. secure edk2 builds), you must
> > create grub image with disable shim lock verifier option.
> >
> > 6) if you do not want to sbsign kernel image using secureboot keys, you can
> > alternatively provide detached gpg signature and create grub image with a gpg
> > public key built-in.
> >
> > 8) maybe there is some other way to verify kernel, i.e. you could implement
> > a new verifier module that uses calls to a prior stage bootloader or
> > firmware to verify kernel authenticity.
> >
> > 9) if you do not want to sign kernel at all in any way, you must disable
> > secureboot at either firmware level (SecureBoot variable) or
> > shim/grub/linux-only level (MokSBState see mokutil --disable-validation).
> > Because if firmware SecureBoot is on, and mokutil validation is on, loading
> > unverifiable kernels is not supported in grub 2.06 thanks to implementing
> > lockdown.
> >
> > If the kernel is expected to be verifiable and yet fails to verify please
> > provide further details. We have experienced buggy compilers, binutils,
> > sbsign tooling which would produce invalid / unverifiable signatures in the
> > past. Also we have seen buggy firmware that fail to verify correctly signed
> > binaries.
> >
> > On Thu, 8 Jul 2021, 08:05 Sayanta Pattanayak, <Sayanta.Pattanayak@arm.com>
> > wrote:
> >
> > > Hi Daniel,
> > >
> > > Thanks for your reply and hope you had a great vacation.
> > > We use Upstream 2.06 tagged version. Mentioning below the Build Commands
> > > and Console Output.
> > >
> > > >-----Original Message-----
> > > >From: Daniel Kiper <dkiper@net-space.pl>
> > > >Sent: Wednesday, July 7, 2021 6:45 PM
> > > >To: Sayanta Pattanayak <Sayanta.Pattanayak@arm.com>
> > > >Cc: grub-devel@gnu.org; nd <nd@arm.com>; javierm@redhat.com;
> > > >xnox@ubuntu.com; pjones@redhat.com; leif@nuviainc.com
> > > >Subject: Re: UEFI Secureboot not succeeding with Grub 2.06 and later
> > > version
> > > >
> > > >Hi Sayanta,
> > > >
> > > >Sorry for late reply but I am just recovering after vacation...
> > > >
> > > >CC-ing Javier, Dimitri, Peter and Leif.
> > > >
> > > >On Thu, Jul 01, 2021 at 03:23:03PM +0000, Sayanta Pattanayak wrote:
> > > >> Hi All,
> > > >> I am new to grub and UEFI secure boot and so a beginners question.
> > > >> UEFI secureboot on a Arm64 platform works fine with Grub 2.04 version.
> > > >> The linux kernel image is authenticated and loaded. But the same with
> > > >> Grub 2.06 version does not progress - following error messages are
> > > >> displayed.
> > > >>
> > > >> error: shim_lock protocol not found.
> > > >> error: you need to load the kernel first.
> > > >>
> > > >> With reference of
> > > >> "https://www.mail-archive.com/help-grub@gnu.org/msg05375.html",
> > > >> created Grub image with "--disable-shim-lock" option. This change
> > > >> solved the "shim_lock" error but then the following error message
> > > >> started appearing-
> > > >>
> > > >> error: verification requested but nobody cares: /Image.
> > > >> error: you need to load the kernel first.
> > > >> Press any key to continue...
> > > >>
> > > >> A large set of patches addressing bootHole vulnerability
> > > >> (https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html)
> > > >> have been merged in the Grub 2.06 version. Does this change the way
> > > >> images are signed or is there any other change introduced that
> > > >> required UEFI secure boot to be handled differently on the platform.
> > > >>
> > > >> Request any suggestion that would help validate UEFI secure boot with
> > > >> Grub 2.06 and later version.
> > > >
> > > >Do you use GRUB 2.06 upstream or a Linux distribution variant? If upstream
> > > >could you provide us commands used to build the GRUB and console output
> > > >when debug is enabled, i.e. "set debug=all"?
> > > >
> > >
> > >
> > > Commands used -
> > >
> > > ./autogen.sh
> > > ./configure STRIP=gcc-arm-10.2-2020.11-x86_64-aarch64-none-linux-gnu/bin/aarch64-none-linux-gnu-strip
> > >   --target=aarch64-none-linux-gnu --with-platform=efi --prefix=grub/output/
> > >   --disable-werror
> > > make
> > > make -j $PARALLELISM install
> > > output/bin/grub-mkimage -v -c ${GRUB_PLAT_CONFIG_FILE} -o output/grubaa64.efi
> > >   -O arm64-efi -p "" part_gpt part_msdos ntfs ntfscomp hfsplus fat ext2
> > >   normal chain boot configfile linux help part_msdos terminal terminfo
> > >   configfile lsefi search normal gettext loadenv read search_fs_file
> > >   search_fs_uuid search_label
> > >
> > >
> > >
> > > Following is the console output when "--disable-shim-lock" Not used -
> > >
> > > Press ESCAPE for boot options ...........[Bds]Booting
> > > UEFI Non-Block Boot Device [Bds]Booting UEFI Misc Device [Bds]Booting UEFI
> > > Misc Device 2 Installed Fat filesystem on FE6E9318 Loading driver at
> > > 0x000F9264000 EntryPoint=0x000F9265000 Loading driver at 0x000F9264000
> > > EntryPoint=0x000F9265000 Welcome to GRUB!
> > >
> > > script/script.c:65: free 0x81fff49d60
> > > script/script.c:65: free 0x81fff49da0
> > > script/script.c:65: free 0x81fff49de0
> > > script/script.c:65: free 0x81fff497c0
> > > script/script.c:65: free 0x81fff49820
> > > script/script.c:65: free 0x81fff49860
> > > script/script.c:65: free 0x81fff498c0
> > > script/script.c:65: free 0x81fff49920
> > > script/script.c:65: free 0x81fff49b40
> > > script/script.c:65: free 0x81fff49960
> > > script/script.c:65: free 0x81fff499a0
> > > script/script.c:65: free 0x81fff49a00
> > > script/script.c:65: free 0x81fff49a40
> > > script/script.c:65: free 0x81fff49c20
> > > script/script.c:65: free 0x81fff49c80
> > > script/script.c:65: free 0x81fff49cc0
> > > script/lexer.c:336: token 288 text [set]
> > > script/script.c:50: malloc 0x81fff49cc0
> > > script/script.c:50: malloc 0x81fff49c80
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff49c20
> > > script/lexer.c:336: token 289 text [term=]
> > > script/script.c:50: malloc 0x81fff49a40
> > > script/script.c:50: malloc 0x81fff49a00
> > > script/lexer.c:336: token 289 text [vt100]
> > > script/script.c:50: malloc 0x81fff499a0
> > > script/script.c:50: malloc 0x81fff49960
> > > script/lexer.c:336: token 289 text []
> > > script/script.c:50: malloc 0x81fff49900
> > > script/script.c:50: malloc 0x81fff498c0
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff49860
> > > script/lexer.c:336: token 259 text []
> > > script/script.c:50: malloc 0x81fff49800
> > > script/script.c:50: malloc 0x81fff497c0
> > > script/script.c:198: cmdline
> > > script/script.c:50: malloc 0x81fff49760
> > > script/lexer.c:336: token 0 text []
> > > script/script.c:50: malloc 0x81fff49de0
> > > script/script.c:50: malloc 0x81fff49da0
> > > script/script.c:294: append command
> > > script/script.c:50: malloc 0x81fff49d60
> > > kern/verifiers.c:212: string: set term=vt100, type: 2
> > > script/script.c:65: free 0x81fff49d60
> > > script/script.c:65: free 0x81fff49da0
> > > ...
> > >
> > > script/script.c:294: append command
> > > script/script.c:50: malloc 0x81fff49d60
> > > kern/verifiers.c:212: string: set timeout=1, type: 2
> > > script/script.c:65: free 0x81fff49d60
> > > ...
> > >
> > > script/script.c:65: free 0x81fff49cc0
> > > script/lexer.c:336: token 288 text [search]
> > > script/script.c:50: malloc 0x81fff49de0
> > > script/script.c:50: malloc 0x81fff49c60
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff49c00
> > > script/lexer.c:336: token 289 text [--set=root]
> > > script/script.c:50: malloc 0x81fff49a20
> > > script/script.c:50: malloc 0x81fff499e0
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff49980
> > > script/lexer.c:336: token 289 text [--fs-uuid]
> > > script/script.c:50: malloc 0x81fff49920
> > > script/script.c:50: malloc 0x81fff498e0
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff49880
> > > script/lexer.c:336: token 289 text [535add81-5875-4b4a-b44a-464aee5f5cbd]
> > > script/script.c:50: malloc 0x81fff496e0
> > > script/script.c:50: malloc 0x81fff49680
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff49620
> > > script/lexer.c:336: token 259 text []
> > > script/script.c:50: malloc 0x81fff495c0
> > > script/script.c:50: malloc 0x81fff49580
> > > script/script.c:198: cmdline
> > > script/script.c:50: malloc 0x81fff49520
> > > script/lexer.c:336: token 0 text []
> > > script/script.c:50: malloc 0x81fff49d80
> > > script/script.c:50: malloc 0x81fff49d40
> > > script/script.c:294: append command
> > > script/script.c:50: malloc 0x81fff49d00
> > > kern/verifiers.c:212: string: search --set=root --fs-uuid
> > > 535add81-5875-4b4a-b44a-464aee5f5cbd, type: 2
> > > disk/efi/efidisk.c:413: iterating hd0
> > > kern/disk.c:196: Opening `hd0'...
> > > disk/efi/efidisk.c:482: opening hd0
> > > disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size =
> > > 200, io align = 0
> > > disk/efi/efidisk.c:531: opening hd0 succeeded
> > > kern/fs.c:56: Detecting ext2...
> > > kern/fs.c:78: ext2 detection failed.
> > > kern/fs.c:56: Detecting fat...
> > > kern/fs.c:78: fat detection failed.
> > > kern/fs.c:56: Detecting hfsplus...
> > > kern/fs.c:78: hfsplus detection failed.
> > > kern/fs.c:56: Detecting ntfs...
> > > kern/fs.c:78: ntfs detection failed.
> > > kern/disk.c:295: Closing `hd0'.
> > > disk/efi/efidisk.c:540: closing hd0
> > > kern/disk.c:196: Opening `hd0'...
> > > disk/efi/efidisk.c:482: opening hd0
> > > disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size =
> > > 200, io align = 0
> > > disk/efi/efidisk.c:531: opening hd0 succeeded
> > > partmap/gpt.c:93: Read a valid GPT header
> > > partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
> > > partmap/msdos.c:184: partition 0: flag 0x0, type 0x0, start 0x0, len 0x0
> > > partmap/msdos.c:184: partition 1: flag 0x0, type 0x0, start 0x0, len 0x0
> > > partmap/msdos.c:184: partition 2: flag 0x0, type 0x0, start 0x0, len 0x0
> > > partmap/msdos.c:184: partition 3: flag 0x0, type 0x0, start 0x0, len 0x0
> > > partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
> > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xa800 from hd0
> > > kern/disk.c:295: Closing `hd0'.
> > > disk/efi/efidisk.c:540: closing hd0
> > > kern/disk.c:196: Opening `hd0,gpt2'...
> > > disk/efi/efidisk.c:482: opening hd0
> > > disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size =
> > > 200, io align = 0
> > > disk/efi/efidisk.c:531: opening hd0 succeeded
> > > partmap/gpt.c:93: Read a valid GPT header
> > > partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
> > > partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
> > > kern/fs.c:56: Detecting ext2...
> > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xaa00 from hd0
> > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xac00 from hd0
> > > kern/disk.c:295: Closing `hd0'.
> > > disk/efi/efidisk.c:540: closing hd0
> > > script/script.c:65: free 0x81fff49d00
> > > script/script.c:65: free 0x81fff49d40
> > > ...
> > >
> > > script/script.c:65: free 0x81fff49de0
> > > script/lexer.c:336: token 259 text []
> > > script/script.c:50: malloc 0x81fff49cc0
> > > script/script.c:50: malloc 0x81fff49c80
> > > script/lexer.c:336: token 0 text []
> > > script/script.c:50: malloc 0x81fff49de0
> > > script/script.c:50: malloc 0x81fff49da0
> > > script/script.c:65: free 0x81fff49da0
> > > script/script.c:65: free 0x81fff49de0
> > > script/script.c:65: free 0x81fff49c80
> > > script/script.c:65: free 0x81fff49cc0
> > > script/lexer.c:336: token 288 text [menuentry]
> > > script/script.c:50: malloc 0x81fff49cc0
> > > script/script.c:50: malloc 0x81fff49c80
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff49c20
> > > script/lexer.c:336: token 289 text []
> > > script/script.c:50: malloc 0x81fff49a40
> > > script/script.c:50: malloc 0x81fff49a00
> > > script/lexer.c:336: token 289 text [SGI-575 BusyBox]
> > > script/script.c:50: malloc 0x81fff499a0
> > > script/script.c:50: malloc 0x81fff49960
> > > script/lexer.c:336: token 289 text []
> > > script/script.c:50: malloc 0x81fff49900
> > > script/script.c:50: malloc 0x81fff498c0
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff49860
> > > script/lexer.c:336: token 266 text [{]
> > > script/script.c:50: malloc 0x81fff49800
> > > script/script.c:50: malloc 0x81fff497c0
> > > script/lexer.c:336: token 259 text []
> > > script/script.c:50: malloc 0x81fff49640
> > > script/script.c:50: malloc 0x81fff49600
> > > script/lexer.c:336: token 288 text [linux]
> > > script/script.c:50: malloc 0x81fff494e0
> > > script/script.c:50: malloc 0x81fff494a0
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff49440
> > > script/lexer.c:336: token 289 text [/Image]
> > > script/script.c:50: malloc 0x81fff49320
> > > script/script.c:50: malloc 0x81fff492e0
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff49280
> > > script/lexer.c:336: token 289 text [acpi=force]
> > > script/script.c:50: malloc 0x81fff49220
> > > script/script.c:50: malloc 0x81fff491e0
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff49180
> > > script/lexer.c:336: token 289 text [console=ttyAMA0,115200]
> > > script/script.c:50: malloc 0x81fff49120
> > > script/script.c:50: malloc 0x81fff490c0
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff49060
> > > script/lexer.c:336: token 289 text [ip=dhcp]
> > > script/script.c:50: malloc 0x81fff49000
> > > script/script.c:50: malloc 0x81fff48fc0
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff48f60
> > > script/lexer.c:336: token 289 text [root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94]
> > > script/script.c:50: malloc 0x81fff48da0
> > > script/script.c:50: malloc 0x81fff48d20
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff48cc0
> > > script/lexer.c:336: token 288 text [rootwait]
> > > script/script.c:50: malloc 0x81fff48c60
> > > script/script.c:50: malloc 0x81fff48c20
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff48bc0
> > > script/lexer.c:336: token 288 text [verbose]
> > > script/script.c:50: malloc 0x81fff48b60
> > > script/script.c:50: malloc 0x81fff48b20
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff48ac0
> > > script/lexer.c:336: token 288 text [debug]
> > > script/script.c:50: malloc 0x81fff48a60
> > > script/script.c:50: malloc 0x81fff48a20
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff489c0
> > > script/lexer.c:336: token 259 text []
> > > script/script.c:50: malloc 0x81fff48960
> > > script/script.c:50: malloc 0x81fff48920
> > > script/script.c:198: cmdline
> > > script/script.c:50: malloc 0x81fff488c0
> > > script/script.c:294: append command
> > > script/script.c:50: malloc 0x81fff48880
> > > script/lexer.c:336: token 288 text [initrd]
> > > script/script.c:50: malloc 0x81fff48720
> > > script/script.c:50: malloc 0x81fff486e0
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff48680
> > > script/lexer.c:336: token 289 text [/ramdisk-busybox.img]
> > > script/script.c:50: malloc 0x81fff48620
> > > script/script.c:50: malloc 0x81fff485c0
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff48560
> > > script/lexer.c:336: token 259 text []
> > > script/script.c:50: malloc 0x81fff48500
> > > script/script.c:50: malloc 0x81fff484c0
> > > script/script.c:198: cmdline
> > > script/script.c:50: malloc 0x81fff48460
> > > script/script.c:294: append command
> > > script/lexer.c:336: token 267 text [}]
> > > script/script.c:50: malloc 0x81fff48300
> > > script/script.c:50: malloc 0x81fff482c0
> > > script/script.c:50: malloc 0x81fff481e0
> > > script/script.c:50: malloc 0x81fff49760
> > > script/script.c:50: malloc 0x81fff48100
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff48040
> > > script/script.c:198: cmdline
> > > script/script.c:50: malloc 0x81fff47fe0
> > > script/lexer.c:336: token 259 text []
> > > script/script.c:50: malloc 0x81fff47f80
> > > script/script.c:50: malloc 0x81fff47f40
> > > script/lexer.c:336: token 0 text []
> > > script/script.c:50: malloc 0x81fff48400
> > > script/script.c:50: malloc 0x81fff483c0
> > > script/script.c:294: append command
> > > script/script.c:50: malloc 0x81fff47f00
> > > kern/verifiers.c:212: string: menuentry SGI-575 BusyBox {
> > >         linux /Image acpi=force console=ttyAMA0,115200 ip=dhcp root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose debug
> > >         initrd /ramdisk-busybox.img
> > > }, type: 2
> > > script/script.c:65: free 0x81fff47f00
> > > script/script.c:65: free 0x81fff483c0
> > > script/script.c:65: free 0x81fff48400
> > > script/script.c:65: free 0x81fff47f40
> > > ...
> > >
> > > script/script.c:65: free 0x81fff49440
> > > script/script.c:65: free 0x81fff494a0
> > > script/script.c:65: free 0x81fff494e0
> > > script/script.c:65: free 0x81fff49600
> > > script/script.c:65: free 0x81fff49640
> > > kern/disk.c:295: Closing `hd0'.
> > > disk/efi/efidisk.c:540: closing hd0
> > > GNU GRUB  version 2.11
> > >
> > >    Use the ^ and v keys to select which entry is highlighted.
> > >       Press enter to boot the selected OS, `e' to edit the commands
> > >       before booting or `c' for a command-line.
> > >
> > > *SGI-575 BusyBox
> > >
> > >    The highlighted entry will be executed automatically in 1s.
> > >    The highlighted entry will be executed automatically in 0s.
> > >
> > >   Booting `SGI-575 BusyBox'
> > >
> > > script/lexer.c:336: token 288 text [setparams]
> > > script/script.c:50: malloc 0x81fff4a6a0
> > > script/script.c:50: malloc 0x81fff4a660
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff4a600
> > > script/lexer.c:336: token 289 text []
> > > script/script.c:50: malloc 0x81fff4a420
> > > script/script.c:50: malloc 0x81fff4a3e0
> > > script/lexer.c:336: token 289 text [SGI-575 BusyBox]
> > > script/script.c:50: malloc 0x81fff4a380
> > > script/script.c:50: malloc 0x81fff4a340
> > > script/lexer.c:336: token 289 text []
> > > script/script.c:50: malloc 0x81fff4a2e0
> > > script/script.c:50: malloc 0x81fff4a2a0
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff4a240
> > > script/lexer.c:336: token 259 text []
> > > script/script.c:50: malloc 0x81fff4a1e0
> > > script/script.c:50: malloc 0x81fff4a1a0
> > > script/script.c:198: cmdline
> > > script/script.c:50: malloc 0x81fff4a140
> > > script/lexer.c:336: token 0 text []
> > > script/script.c:50: malloc 0x81fff4a7c0
> > > script/script.c:50: malloc 0x81fff4a780
> > > script/script.c:294: append command
> > > script/script.c:50: malloc 0x81fff4a740
> > > kern/verifiers.c:212: string: setparams SGI-575 BusyBox, type: 2
> > > script/script.c:65: free 0x81fff4a740
> > > script/script.c:65: free 0x81fff4a780
> > > ...
> > >
> > > script/script.c:65: free 0x81fff4a660
> > > script/script.c:65: free 0x81fff4a6a0
> > > script/lexer.c:336: token 288 text [linux]
> > > script/script.c:50: malloc 0x81fff4a7c0
> > > script/script.c:50: malloc 0x81fff4a5c0
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff4a560
> > > script/lexer.c:336: token 289 text [/Image]
> > > script/script.c:50: malloc 0x81fff4a380
> > > script/script.c:50: malloc 0x81fff4a340
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff4a2e0
> > > script/lexer.c:336: token 289 text [acpi=force]
> > > script/script.c:50: malloc 0x81fff4a280
> > > script/script.c:50: malloc 0x81fff4a240
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff4a1e0
> > > script/lexer.c:336: token 289 text [console=ttyAMA0,115200]
> > > script/script.c:50: malloc 0x81fff4a180
> > > script/script.c:50: malloc 0x81fff4a120
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff4a0c0
> > > script/lexer.c:336: token 289 text [ip=dhcp]
> > > script/script.c:50: malloc 0x81fff4a060
> > > script/script.c:50: malloc 0x81fff4a020
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff49fc0
> > > script/lexer.c:336: token 289 text [root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94]
> > > script/script.c:50: malloc 0x81fff49d00
> > > script/script.c:50: malloc 0x81fff49c80
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff49c20
> > > script/lexer.c:336: token 288 text [rootwait]
> > > script/script.c:50: malloc 0x81fff49bc0
> > > script/script.c:50: malloc 0x81fff49b80
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff49b20
> > > script/lexer.c:336: token 288 text [verbose]
> > > script/script.c:50: malloc 0x81fff49ac0
> > > script/script.c:50: malloc 0x81fff49a80
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff49a20
> > > script/lexer.c:336: token 288 text [debug]
> > > script/script.c:50: malloc 0x81fff499c0
> > > script/script.c:50: malloc 0x81fff49980
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff49920
> > > script/lexer.c:336: token 259 text []
> > > script/script.c:50: malloc 0x81fff498c0
> > > script/script.c:50: malloc 0x81fff49880
> > > script/script.c:198: cmdline
> > > script/script.c:50: malloc 0x81fff49820
> > > script/lexer.c:336: token 0 text []
> > > script/script.c:50: malloc 0x81fff4a760
> > > script/script.c:50: malloc 0x81fff4a720
> > > script/script.c:294: append command
> > > script/script.c:50: malloc 0x81fff4a6e0
> > > kern/verifiers.c:212: string: linux /Image acpi=force console=ttyAMA0,115200 ip=dhcp root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose debug, type: 2
> > > kern/disk.c:196: Opening `hd0,gpt2'...
> > > disk/efi/efidisk.c:482: opening hd0
> > > disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size = 200, io align = 0
> > > disk/efi/efidisk.c:531: opening hd0 succeeded
> > > partmap/gpt.c:93: Read a valid GPT header
> > > partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
> > > partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
> > > kern/fs.c:56: Detecting ext2...
> > > kern/verifiers.c:88: file: /Image type: 3
> > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc40 from hd0
> > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc80 from hd0
> > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xccc0 from hd0
> > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcd00 from hd0
> > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcd40 from hd0
> > > ...
> > >
> > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1db80 from hd0
> > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dbc0 from hd0
> > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc00 from hd0
> > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc40 from hd0
> > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc80 from hd0
> > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dcc0 from hd0
> > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dd00 from hd0
> > > kern/disk.c:295: Closing `hd0'.
> > > disk/efi/efidisk.c:540: closing hd0
> > > error: shim_lock protocol not found.
> > > script/script.c:65: free 0x81fff4a6e0
> > > script/script.c:65: free 0x81fff4a720
> > > script/script.c:65: free 0x81fff4a760
> > > script/script.c:65: free 0x81fff49820
> > > ...
> > >
> > > script/script.c:65: free 0x81fff4a560
> > > script/script.c:65: free 0x81fff4a5c0
> > > script/script.c:65: free 0x81fff4a7c0
> > > script/lexer.c:336: token 288 text [initrd]
> > > script/script.c:50: malloc 0x81fff4a660
> > > script/script.c:50: malloc 0x81fff4a620
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff4a5c0
> > > script/lexer.c:336: token 289 text [/ramdisk-busybox.img]
> > > script/script.c:50: malloc 0x81fff4a3e0
> > > script/script.c:50: malloc 0x81fff4a380
> > > script/script.c:163: arglist
> > > script/script.c:50: malloc 0x81fff4a320
> > > script/lexer.c:336: token 259 text []
> > > script/script.c:50: malloc 0x81fff4a2c0
> > > script/script.c:50: malloc 0x81fff4a280
> > > script/script.c:198: cmdline
> > > script/script.c:50: malloc 0x81fff4a220
> > > script/lexer.c:336: token 0 text []
> > > script/script.c:50: malloc 0x81fff4a780
> > > script/script.c:50: malloc 0x81fff4a740
> > > script/script.c:294: append command
> > > script/script.c:50: malloc 0x81fff4a700
> > > kern/verifiers.c:212: string: initrd /ramdisk-busybox.img, type: 2
> > > error: you need to load the kernel first.
> > > script/script.c:65: free 0x81fff4a700
> > > script/script.c:65: free 0x81fff4a740
> > > script/script.c:65: free 0x81fff4a780
> > > ...
> > >
> > > script/script.c:65: free 0x81fff4a660
> > > script/lexer.c:336: token 259 text []
> > > script/script.c:50: malloc 0x81fff4a6a0
> > > script/script.c:50: malloc 0x81fff4a660
> > > script/lexer.c:336: token 0 text []
> > > script/script.c:50: malloc 0x81fff4a7c0
> > > script/script.c:50: malloc 0x81fff4a780
> > > script/script.c:65: free 0x81fff4a780
> > > script/script.c:65: free 0x81fff4a7c0
> > > script/script.c:65: free 0x81fff4a660
> > > script/script.c:65: free 0x81fff4a6a0
> > >
> > > Press any key to continue...
> > >
> > > >Daniel
> > >
> > > Thanks,
> > > Sayanta
> > >
>
> > _______________________________________________
> > Grub-devel mailing list
> > Grub-devel@gnu.org
> > https://lists.gnu.org/mailman/listinfo/grub-devel
>



* Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-08  7:04   ` Sayanta Pattanayak
  2021-07-08 10:51     ` Dimitri John Ledkov
@ 2021-07-08 13:27     ` Daniel Kiper
  2021-07-12 16:20       ` Sayanta Pattanayak
  1 sibling, 1 reply; 20+ messages in thread
From: Daniel Kiper @ 2021-07-08 13:27 UTC (permalink / raw)
  To: Sayanta Pattanayak; +Cc: grub-devel, nd, javierm, xnox, pjones, leif

On Thu, Jul 08, 2021 at 07:04:46AM +0000, Sayanta Pattanayak wrote:
> Hi Daniel,
>
> Thanks for your reply and hope you had a great vacation.

Yeah, I had nice time.

> We use Upstream 2.06 tagged version. Mentioning below the Build Commands and Console Output.

Thanks! Please look below.

[...]

> kern/disk.c:196: Opening `hd0,gpt2'...
> disk/efi/efidisk.c:482: opening hd0
> disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size = 200, io align = 0
> disk/efi/efidisk.c:531: opening hd0 succeeded
> partmap/gpt.c:93: Read a valid GPT header
> partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
> partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
> kern/fs.c:56: Detecting ext2...
> kern/verifiers.c:88: file: /Image type: 3

If you use LoadImage() interface this should not happen.

I think the following code in grub-core/loader/arm64/linux.c is a culprit:

  285 static grub_err_t
  286 grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
  287                 int argc, char *argv[])
  288 {
  289   grub_file_t file = 0;
  290   struct linux_arch_kernel_header lh;
  291   grub_err_t err;
  292
  293   grub_dl_ref (my_mod);
  294
  295   if (argc == 0)
  296     {
  297       grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
  298       goto fail;
  299     }
  300
  301   file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
This ---------------------------------> ^^^^^^^^^^^^^^^^^^^^^^^^^^^

You can do a test and replace GRUB_FILE_TYPE_LINUX_KERNEL with GRUB_FILE_TYPE_NONE.

Daniel


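To make the mechanism behind Daniel's pointer concrete: the following is an added toy model in C of the verifier dispatch in GRUB 2.06's kern/verifiers.c, with stand-ins for the shim_lock, lockdown and detached-PGP verifiers. It is not GRUB's code and not from any participant in this thread; the error strings are the two quoted in the report, the type and flag names are shortened from GRUB's, and everything else (verifier bodies, the fake /Image contents, the environment flags) is constructed for the example.

```c
/* Toy model of GRUB 2.06's file-verifier dispatch, added for this thread.
 * Not GRUB's code: names and messages follow kern/verifiers.c,
 * kern/lockdown.c and kern/efi/sb.c, but the verifier bodies are stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum file_type { FILE_TYPE_NONE, FILE_TYPE_LINUX_KERNEL };
enum verify_flags { VERIFY_WANTS, VERIFY_SKIP, VERIFY_DEFER_AUTH };

typedef struct {
    const char *name;
    enum verify_flags (*init)(enum file_type type);       /* how to treat a type */
    const char *(*verify)(const unsigned char *, size_t); /* NULL = accepted    */
} verifier_t;

/* Environment knobs for the scenarios below (constructed, not measured). */
static bool g_shim_lock_protocol_present = false;
static bool g_pgp_signature_valid = false;
static char g_errbuf[128];

/* shim_lock verifier: claims kernels but can only check them through the protocol
 * shim installs; booting GRUB straight from firmware leaves that protocol absent. */
static enum verify_flags shim_lock_init(enum file_type t) {
    return t == FILE_TYPE_LINUX_KERNEL ? VERIFY_WANTS : VERIFY_SKIP;
}
static const char *shim_lock_verify(const unsigned char *d, size_t n) {
    (void)d; (void)n;
    return g_shim_lock_protocol_present ? NULL : "shim_lock protocol not found";
}

/* lockdown verifier: checks nothing itself, only demands that some other
 * verifier authenticate kernel-type files (DEFER_AUTH). */
static enum verify_flags lockdown_init(enum file_type t) {
    return t == FILE_TYPE_LINUX_KERNEL ? VERIFY_DEFER_AUTH : VERIFY_SKIP;
}

/* Stand-in for the detached PGP signature verifier Daniel refers to. */
static enum verify_flags pgp_init(enum file_type t) {
    return t == FILE_TYPE_LINUX_KERNEL ? VERIFY_WANTS : VERIFY_SKIP;
}
static const char *pgp_verify(const unsigned char *d, size_t n) {
    (void)d; (void)n;
    return g_pgp_signature_valid ? NULL : "bad signature";
}

/* Mirrors the decision structure of grub_verifiers_open(): a NONE-typed open bypasses
 * the framework; otherwise the first verifier that wants the file checks it, and if
 * every verifier only deferred, the open is refused. */
const char *verifiers_open(const char *path, enum file_type type, const verifier_t *vs,
                           size_t nvs, const unsigned char *data, size_t len) {
    if (type == FILE_TYPE_NONE)
        return NULL;                       /* GRUB_FILE_TYPE_NONE: no check at all */
    bool defer = false;
    for (size_t i = 0; i < nvs; i++) {
        enum verify_flags f = vs[i].init(type);
        if (f == VERIFY_SKIP) continue;
        if (f == VERIFY_DEFER_AUTH) { defer = true; continue; }
        return vs[i].verify(data, len);    /* first willing verifier decides */
    }
    if (!defer)
        return NULL;                       /* nobody cared and nobody insisted */
    snprintf(g_errbuf, sizeof g_errbuf,
             "verification requested but nobody cares: %s", path);
    return g_errbuf;
}

static const unsigned char k_image[] = "constructed stand-in for /Image";
#define OPEN_IMAGE(type, vs) \
    verifiers_open("/Image", type, vs, sizeof (vs) / sizeof (vs)[0], k_image, sizeof k_image)

/* Stock 2.06 image booted directly from firmware, no shim: the first error. */
const char *scenario_no_shim(void) {
    const verifier_t vs[] = { {"shim_lock", shim_lock_init, shim_lock_verify},
                              {"lockdown", lockdown_init, NULL} };
    g_shim_lock_protocol_present = false;
    return OPEN_IMAGE(FILE_TYPE_LINUX_KERNEL, vs);
}
/* Built with --disable-shim-lock, lockdown still active: the second error. */
const char *scenario_disable_shim_lock(void) {
    const verifier_t vs[] = { {"lockdown", lockdown_init, NULL} };
    return OPEN_IMAGE(FILE_TYPE_LINUX_KERNEL, vs);
}
/* Daniel's experiment: open as GRUB_FILE_TYPE_NONE. The framework is bypassed;
 * on arm64 the firmware's LoadImage() still checks the PE signature. */
const char *scenario_type_none(void) {
    const verifier_t vs[] = { {"lockdown", lockdown_init, NULL} };
    return OPEN_IMAGE(FILE_TYPE_NONE, vs);
}
/* Detached PGP signature present and valid: lockdown's demand is met. */
const char *scenario_pgp(void) {
    const verifier_t vs[] = { {"pgp", pgp_init, pgp_verify},
                              {"lockdown", lockdown_init, NULL} };
    g_pgp_signature_valid = true;
    return OPEN_IMAGE(FILE_TYPE_LINUX_KERNEL, vs);
}

int main(void) {
    const char *r[] = { scenario_no_shim(), scenario_disable_shim_lock(), scenario_type_none(), scenario_pgp() };
    for (size_t i = 0; i < 4; i++) printf("scenario %zu: %s\n", i + 1, r[i] ? r[i] : "ok");
    return 0;
}
```

The third scenario is only safe where something outside GRUB (here the arm64 firmware's LoadImage()) still verifies the kernel, which is exactly the caveat the thread goes on to discuss.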

* Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-08 12:01       ` Michael Chang
  2021-07-08 12:18         ` Dimitri John Ledkov
@ 2021-07-08 13:31         ` Daniel Kiper
  2021-07-09  6:27           ` Michael Chang
  1 sibling, 1 reply; 20+ messages in thread
From: Daniel Kiper @ 2021-07-08 13:31 UTC (permalink / raw)
  To: Michael Chang; +Cc: grub-devel, Sayanta Pattanayak, nd

On Thu, Jul 08, 2021 at 08:01:31PM +0800, Michael Chang via Grub-devel wrote:
> Hi Dimitri,
>
> On Thu, Jul 08, 2021 at 11:51:25AM +0100, Dimitri John Ledkov wrote:
> > Hi,
> >
> > The below mentioned commands are useful. Hence we need to debug this
> > further and establish further details about your setup.
>
> I think the problem here is that arm64 already uses LoadImage to verify
> the kernel image so the shim lock is not really required. IMHO the
> lockdown verifier should be relaxed for the arm platform as always will
> be a verifier (LoadImage) used to booting the kernel.

To some extent you are right. However, please do not forget about
detached PGP signatures case.

Daniel



* Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-08 12:18         ` Dimitri John Ledkov
@ 2021-07-09  6:18           ` Michael Chang
  0 siblings, 0 replies; 20+ messages in thread
From: Michael Chang @ 2021-07-09  6:18 UTC (permalink / raw)
  To: Dimitri John Ledkov; +Cc: The development of GNU GRUB, Sayanta Pattanayak, nd

On Thu, Jul 08, 2021 at 01:18:34PM +0100, Dimitri John Ledkov wrote:
> On Thu, 8 Jul 2021, 13:05 Michael Chang via Grub-devel, <grub-devel@gnu.org>
> wrote:
> 
> > Hi Dimitri,
> >
> > On Thu, Jul 08, 2021 at 11:51:25AM +0100, Dimitri John Ledkov wrote:
> > > Hi,
> > >
> > > The below mentioned commands are useful. Hence we need to debug this
> > > further and establish further details about your setup.
> >
> > I think the problem here is that arm64 already uses LoadImage to verify
> > the kernel image so the shim lock is not really required. IMHO the
> > lockdown verifier should be relaxed for the arm platform as always will
> > be a verifier (LoadImage) used to booting the kernel.
> >
> 
> But UX is not nice. Many production arm64 servers and cloud instances ship
> with UEFI 2011 db keys, and some shims ship revocations. If grub calls into
> shim to verify a kernel and gets a reject, grub can stay up and still let
> someone choose another boot option. Can grub still do that when calling
> LoadImage?

Yes it can. In that case the linux command would output an error like
"cannot load image ...", press any key and return to the menu, allowing
people to choose another boot entry/option.

> 
> Also, many shims at the moment still ship with EBS Protection turned on on
> ARM64 which prevents booting with just LoadImage without first using shim
> protocol to verify. Ubuntu's shim has that disabled, but not others and
> upstream still do.

To my understanding that will need shim to be present and booting as
preloader for grub, right? Certainly it sounds reasonable to adapt
LoadImage to honor shim's key database, but that is not the case here.

Here no shim is used; the user enrolls their keys into db via the custom
mode and expects that the signature verification is done by firmware for
later loaded images. This has been working on arm64-efi since upstream
grub 2.04.

> Indeed it would be ideal if all grub EFI platforms used LoadImage2 API
> without explicit calls to shim protocol, and it would be upto shim to
> install LoadImage2 API. Such that from grub's point of view it wouldn't
> care if Shim or Firmware verified things. I guess it is 2.08 material.

Would you please consider sparing arm64 the trouble of boot failure
with secure boot before the said implementation is merged?

Thanks,
Michael

> 
> 
> 
> Thanks,
> > Michael
> >
> > >
> > > 1) which keys are in DB? ( mokutil --db --list-enrolled )
> > >
> > > 2) which keys are used to sign grub image? ( sbverify --list grub*.efi )
> > >
> > > 3) which keys are used to sign grub image? ( sbverify --list Image )
> > >
> > > 4) since shim verifier was not disabled during grub mkimage build, which
> > > Shim did you compile, with what toolchain, and which keys was it signed
> > > with?
> > >
> > > 5) if you don't want to use Shim (and lose the ability for users to enroll
> > > their own machine owner key, and revoke grub via sbat revocation - if
> > > underlying firmware can do those things i.e. secure edk2 builds), you must
> > > create grub image with disable shim lock verifier option.
> > >
> > > 6) if you do not want to sbsign kernel image using secureboot keys, you can
> > > alternatively provide detached gpg signature and create grub image with a gpg
> > > public key built-in.
> > >
> > > 8) maybe there is some other way to verify kernel, i.e. you could implement
> > > a new verifier module that uses calls to a prior stage bootloader or
> > > firmware to verify kernel authenticity.
> > >
> > > 9) if you do not want to sign kernel at all in any way, you must disable
> > > secureboot at either firmware level (SecureBoot variable) or
> > > shim/grub/linux-only level (MokSBState see mokutil --disable-validation).
> > > Because if firmware SecureBoot is on, and mokutil validation is on, loading
> > > unverifiable kernels is not supported in grub 2.06 thanks to implementing
> > > lockdown.
> > >
> > > If the kernel is expected to be verifiable and yet fails to verify please
> > > provide further details. We have experienced buggy compilers, binutils,
> > > sbsign tooling which would produce invalid / unverifiable signatures in the
> > > past. Also we have seen buggy firmware that fail to verify correctly signed
> > > binaries.
> > >
> > > On Thu, 8 Jul 2021, 08:05 Sayanta Pattanayak, <Sayanta.Pattanayak@arm.com>
> > > wrote:
> > >
> > > > Hi Daniel,
> > > >
> > > > Thanks for your reply and hope you had a great vacation.
> > > > We use Upstream 2.06 tagged version. Mentioning below the Build Commands
> > > > and Console Output.
> > > >
> > > > >-----Original Message-----
> > > > >From: Daniel Kiper <dkiper@net-space.pl>
> > > > >Sent: Wednesday, July 7, 2021 6:45 PM
> > > > >To: Sayanta Pattanayak <Sayanta.Pattanayak@arm.com>
> > > > >Cc: grub-devel@gnu.org; nd <nd@arm.com>; javierm@redhat.com;
> > > > >xnox@ubuntu.com; pjones@redhat.com; leif@nuviainc.com
> > > > >Subject: Re: UEFI Secureboot not succeeding with Grub 2.06 and later
> > > > version
> > > > >
> > > > >Hi Sayanta,
> > > > >
> > > > >Sorry for late reply but I am just recovering after vacation...
> > > > >
> > > > >CC-ing Javier, Dimitri, Peter and Leif.
> > > > >
> > > > >On Thu, Jul 01, 2021 at 03:23:03PM +0000, Sayanta Pattanayak wrote:
> > > > >> Hi All,
> > > > >> I am new to grub and UEFI secure boot and so a beginners question.
> > > > >> UEFI secureboot on an Arm64 platform works fine with Grub 2.04 version.
> > > > >> The linux kernel image is authenticated and loaded. But the same with
> > > > >> Grub 2.06 version does not progress - following error messages are
> > > > >> displayed.
> > > > >>
> > > > >> error: shim_lock protocol not found.
> > > > >> error: you need to load the kernel first.
> > > > >>
> > > > >> With reference of
> > > > >> "https://www.mail-archive.com/help-grub@gnu.org/msg05375.html",
> > > > >> created Grub image with "--disable-shim-lock" option. This change
> > > > >> solved the "shim_lock" error but then the following error message
> > > > >> started appearing-
> > > > >>
> > > > >> error: verification requested but nobody cares: /Image.
> > > > >> error: you need to load the kernel first.
> > > > >> Press any key to continue...
> > > > >>
> > > > >> A large set of patches addressing bootHole vulnerability
> > > > >> (https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html)
> > > > >> have been merged in the Grub 2.06 version. Does this change the way
> > > > >> images are signed or is there any other change introduced that
> > > > >> required UEFI secure boot to be handled differently on the platform.
> > > > >>
> > > > >> Request any suggestion that would help validate UEFI secure boot with
> > > > >> Grub 2.06 and later version.
> > > > >
> > > > >Do you use GRUB 2.06 upstream or a Linux distribution variant? If upstream
> > > > >could you provide us commands used to build the GRUB and console output
> > > > >when debug is enabled, i.e. "set debug=all"?
> > > > >
> > > >
> > > >
> > > > Commands used -
> > > >
> > > > ./autogen.sh
> > > > ./configure STRIP=gcc-arm-10.2-2020.11-x86_64-aarch64-none-linux-gnu/bin/aarch64-none-linux-gnu-strip --target=aarch64-none-linux-gnu --with-platform=efi --prefix=grub/output/ --disable-werror
> > > > make
> > > > make -j $PARALLELISM install
> > > > output/bin/grub-mkimage -v -c ${GRUB_PLAT_CONFIG_FILE} -o output/grubaa64.efi -O arm64-efi -p "" part_gpt part_msdos ntfs ntfscomp hfsplus fat ext2 normal chain boot configfile linux help part_msdos terminal terminfo configfile lsefi search normal gettext loadenv read search_fs_file search_fs_uuid search_label
> > > >
> > > >
> > > >
> > > > Following is the console output when "--disable-shim-lock" Not used -
> > > >
> > > > Press ESCAPE for boot options ...........[Bds]Booting
> > > > UEFI Non-Block Boot Device [Bds]Booting UEFI Misc Device [Bds]Booting UEFI
> > > > Misc Device 2 Installed Fat filesystem on FE6E9318 Loading driver at
> > > > 0x000F9264000 EntryPoint=0x000F9265000 Loading driver at 0x000F9264000
> > > > EntryPoint=0x000F9265000 Welcome to GRUB!
> > > >
> > > > script/script.c:65: free 0x81fff49d60
> > > > script/script.c:65: free 0x81fff49da0
> > > > script/script.c:65: free 0x81fff49de0
> > > > script/script.c:65: free 0x81fff497c0
> > > > script/script.c:65: free 0x81fff49820
> > > > script/script.c:65: free 0x81fff49860
> > > > script/script.c:65: free 0x81fff498c0
> > > > script/script.c:65: free 0x81fff49920
> > > > script/script.c:65: free 0x81fff49b40
> > > > script/script.c:65: free 0x81fff49960
> > > > script/script.c:65: free 0x81fff499a0
> > > > script/script.c:65: free 0x81fff49a00
> > > > script/script.c:65: free 0x81fff49a40
> > > > script/script.c:65: free 0x81fff49c20
> > > > script/script.c:65: free 0x81fff49c80
> > > > script/script.c:65: free 0x81fff49cc0
> > > > script/lexer.c:336: token 288 text [set]
> > > > script/script.c:50: malloc 0x81fff49cc0
> > > > script/script.c:50: malloc 0x81fff49c80
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff49c20
> > > > script/lexer.c:336: token 289 text [term=]
> > > > script/script.c:50: malloc 0x81fff49a40
> > > > script/script.c:50: malloc 0x81fff49a00
> > > > script/lexer.c:336: token 289 text [vt100]
> > > > script/script.c:50: malloc 0x81fff499a0
> > > > script/script.c:50: malloc 0x81fff49960
> > > > script/lexer.c:336: token 289 text []
> > > > script/script.c:50: malloc 0x81fff49900
> > > > script/script.c:50: malloc 0x81fff498c0
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff49860
> > > > script/lexer.c:336: token 259 text []
> > > > script/script.c:50: malloc 0x81fff49800
> > > > script/script.c:50: malloc 0x81fff497c0
> > > > script/script.c:198: cmdline
> > > > script/script.c:50: malloc 0x81fff49760
> > > > script/lexer.c:336: token 0 text []
> > > > script/script.c:50: malloc 0x81fff49de0
> > > > script/script.c:50: malloc 0x81fff49da0
> > > > script/script.c:294: append command
> > > > script/script.c:50: malloc 0x81fff49d60
> > > > kern/verifiers.c:212: string: set term=vt100, type: 2
> > > > script/script.c:65: free 0x81fff49d60
> > > > script/script.c:65: free 0x81fff49da0
> > > > ...
> > > >
> > > > script/script.c:294: append command
> > > > script/script.c:50: malloc 0x81fff49d60
> > > > kern/verifiers.c:212: string: set timeout=1, type: 2
> > > > script/script.c:65: free 0x81fff49d60
> > > > ...
> > > >
> > > > script/script.c:65: free 0x81fff49cc0
> > > > script/lexer.c:336: token 288 text [search]
> > > > script/script.c:50: malloc 0x81fff49de0
> > > > script/script.c:50: malloc 0x81fff49c60
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff49c00
> > > > script/lexer.c:336: token 289 text [--set=root]
> > > > script/script.c:50: malloc 0x81fff49a20
> > > > script/script.c:50: malloc 0x81fff499e0
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff49980
> > > > script/lexer.c:336: token 289 text [--fs-uuid]
> > > > script/script.c:50: malloc 0x81fff49920
> > > > script/script.c:50: malloc 0x81fff498e0
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff49880
> > > > script/lexer.c:336: token 289 text [535add81-5875-4b4a-b44a-464aee5f5cbd]
> > > > script/script.c:50: malloc 0x81fff496e0
> > > > script/script.c:50: malloc 0x81fff49680
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff49620
> > > > script/lexer.c:336: token 259 text []
> > > > script/script.c:50: malloc 0x81fff495c0
> > > > script/script.c:50: malloc 0x81fff49580
> > > > script/script.c:198: cmdline
> > > > script/script.c:50: malloc 0x81fff49520
> > > > script/lexer.c:336: token 0 text []
> > > > script/script.c:50: malloc 0x81fff49d80
> > > > script/script.c:50: malloc 0x81fff49d40
> > > > script/script.c:294: append command
> > > > script/script.c:50: malloc 0x81fff49d00
> > > > kern/verifiers.c:212: string: search --set=root --fs-uuid
> > > > 535add81-5875-4b4a-b44a-464aee5f5cbd, type: 2
> > > > disk/efi/efidisk.c:413: iterating hd0
> > > > kern/disk.c:196: Opening `hd0'...
> > > > disk/efi/efidisk.c:482: opening hd0
> > > > disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size = 200, io align = 0
> > > > disk/efi/efidisk.c:531: opening hd0 succeeded
> > > > kern/fs.c:56: Detecting ext2...
> > > > kern/fs.c:78: ext2 detection failed.
> > > > kern/fs.c:56: Detecting fat...
> > > > kern/fs.c:78: fat detection failed.
> > > > kern/fs.c:56: Detecting hfsplus...
> > > > kern/fs.c:78: hfsplus detection failed.
> > > > kern/fs.c:56: Detecting ntfs...
> > > > kern/fs.c:78: ntfs detection failed.
> > > > kern/disk.c:295: Closing `hd0'.
> > > > disk/efi/efidisk.c:540: closing hd0
> > > > kern/disk.c:196: Opening `hd0'...
> > > > disk/efi/efidisk.c:482: opening hd0
> > > > disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size = 200, io align = 0
> > > > disk/efi/efidisk.c:531: opening hd0 succeeded
> > > > partmap/gpt.c:93: Read a valid GPT header
> > > > partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
> > > > partmap/msdos.c:184: partition 0: flag 0x0, type 0x0, start 0x0, len 0x0
> > > > partmap/msdos.c:184: partition 1: flag 0x0, type 0x0, start 0x0, len 0x0
> > > > partmap/msdos.c:184: partition 2: flag 0x0, type 0x0, start 0x0, len 0x0
> > > > partmap/msdos.c:184: partition 3: flag 0x0, type 0x0, start 0x0, len 0x0
> > > > partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
> > > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xa800 from hd0
> > > > kern/disk.c:295: Closing `hd0'.
> > > > disk/efi/efidisk.c:540: closing hd0
> > > > kern/disk.c:196: Opening `hd0,gpt2'...
> > > > disk/efi/efidisk.c:482: opening hd0
> > > > disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size = 200, io align = 0
> > > > disk/efi/efidisk.c:531: opening hd0 succeeded
> > > > partmap/gpt.c:93: Read a valid GPT header
> > > > partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
> > > > partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
> > > > kern/fs.c:56: Detecting ext2...
> > > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xaa00 from hd0
> > > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xac00 from hd0
> > > > kern/disk.c:295: Closing `hd0'.
> > > > disk/efi/efidisk.c:540: closing hd0
> > > > script/script.c:65: free 0x81fff49d00
> > > > script/script.c:65: free 0x81fff49d40
> > > > ...
> > > >
> > > > script/script.c:65: free 0x81fff49de0
> > > > script/lexer.c:336: token 259 text []
> > > > script/script.c:50: malloc 0x81fff49cc0
> > > > script/script.c:50: malloc 0x81fff49c80
> > > > script/lexer.c:336: token 0 text []
> > > > script/script.c:50: malloc 0x81fff49de0
> > > > script/script.c:50: malloc 0x81fff49da0
> > > > script/script.c:65: free 0x81fff49da0
> > > > script/script.c:65: free 0x81fff49de0
> > > > script/script.c:65: free 0x81fff49c80
> > > > script/script.c:65: free 0x81fff49cc0
> > > > script/lexer.c:336: token 288 text [menuentry]
> > > > script/script.c:50: malloc 0x81fff49cc0
> > > > script/script.c:50: malloc 0x81fff49c80
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff49c20
> > > > script/lexer.c:336: token 289 text []
> > > > script/script.c:50: malloc 0x81fff49a40
> > > > script/script.c:50: malloc 0x81fff49a00
> > > > script/lexer.c:336: token 289 text [SGI-575 BusyBox]
> > > > script/script.c:50: malloc 0x81fff499a0
> > > > script/script.c:50: malloc 0x81fff49960
> > > > script/lexer.c:336: token 289 text []
> > > > script/script.c:50: malloc 0x81fff49900
> > > > script/script.c:50: malloc 0x81fff498c0
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff49860
> > > > script/lexer.c:336: token 266 text [{]
> > > > script/script.c:50: malloc 0x81fff49800
> > > > script/script.c:50: malloc 0x81fff497c0
> > > > script/lexer.c:336: token 259 text []
> > > > script/script.c:50: malloc 0x81fff49640
> > > > script/script.c:50: malloc 0x81fff49600
> > > > script/lexer.c:336: token 288 text [linux]
> > > > script/script.c:50: malloc 0x81fff494e0
> > > > script/script.c:50: malloc 0x81fff494a0
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff49440
> > > > script/lexer.c:336: token 289 text [/Image]
> > > > script/script.c:50: malloc 0x81fff49320
> > > > script/script.c:50: malloc 0x81fff492e0
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff49280
> > > > script/lexer.c:336: token 289 text [acpi=force]
> > > > script/script.c:50: malloc 0x81fff49220
> > > > script/script.c:50: malloc 0x81fff491e0
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff49180
> > > > script/lexer.c:336: token 289 text [console=ttyAMA0,115200]
> > > > script/script.c:50: malloc 0x81fff49120
> > > > script/script.c:50: malloc 0x81fff490c0
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff49060
> > > > script/lexer.c:336: token 289 text [ip=dhcp]
> > > > script/script.c:50: malloc 0x81fff49000
> > > > script/script.c:50: malloc 0x81fff48fc0
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff48f60
> > > > script/lexer.c:336: token 289 text
> > > > [root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94]
> > > > script/script.c:50: malloc 0x81fff48da0
> > > > script/script.c:50: malloc 0x81fff48d20
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff48cc0
> > > > script/lexer.c:336: token 288 text [rootwait]
> > > > script/script.c:50: malloc 0x81fff48c60
> > > > script/script.c:50: malloc 0x81fff48c20
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff48bc0
> > > > script/lexer.c:336: token 288 text [verbose]
> > > > script/script.c:50: malloc 0x81fff48b60
> > > > script/script.c:50: malloc 0x81fff48b20
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff48ac0
> > > > script/lexer.c:336: token 288 text [debug]
> > > > script/script.c:50: malloc 0x81fff48a60
> > > > script/script.c:50: malloc 0x81fff48a20
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff489c0
> > > > script/lexer.c:336: token 259 text []
> > > > script/script.c:50: malloc 0x81fff48960
> > > > script/script.c:50: malloc 0x81fff48920
> > > > script/script.c:198: cmdline
> > > > script/script.c:50: malloc 0x81fff488c0
> > > > script/script.c:294: append command
> > > > script/script.c:50: malloc 0x81fff48880
> > > > script/lexer.c:336: token 288 text [initrd]
> > > > script/script.c:50: malloc 0x81fff48720
> > > > script/script.c:50: malloc 0x81fff486e0
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff48680
> > > > script/lexer.c:336: token 289 text [/ramdisk-busybox.img]
> > > > script/script.c:50: malloc 0x81fff48620
> > > > script/script.c:50: malloc 0x81fff485c0
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff48560
> > > > script/lexer.c:336: token 259 text []
> > > > script/script.c:50: malloc 0x81fff48500
> > > > script/script.c:50: malloc 0x81fff484c0
> > > > script/script.c:198: cmdline
> > > > script/script.c:50: malloc 0x81fff48460
> > > > script/script.c:294: append command
> > > > script/lexer.c:336: token 267 text [}]
> > > > script/script.c:50: malloc 0x81fff48300
> > > > script/script.c:50: malloc 0x81fff482c0
> > > > script/script.c:50: malloc 0x81fff481e0
> > > > script/script.c:50: malloc 0x81fff49760
> > > > script/script.c:50: malloc 0x81fff48100
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff48040
> > > > script/script.c:198: cmdline
> > > > script/script.c:50: malloc 0x81fff47fe0
> > > > script/lexer.c:336: token 259 text []
> > > > script/script.c:50: malloc 0x81fff47f80
> > > > script/script.c:50: malloc 0x81fff47f40
> > > > script/lexer.c:336: token 0 text []
> > > > script/script.c:50: malloc 0x81fff48400
> > > > script/script.c:50: malloc 0x81fff483c0
> > > > script/script.c:294: append command
> > > > script/script.c:50: malloc 0x81fff47f00
> > > > kern/verifiers.c:212: string: menuentry SGI-575 BusyBox {
> > > >         linux /Image acpi=force console=ttyAMA0,115200 ip=dhcp
> > > > root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose
> > debug
> > > >         initrd /ramdisk-busybox.img
> > > > }, type: 2
> > > > script/script.c:65: free 0x81fff47f00
> > > > script/script.c:65: free 0x81fff483c0
> > > > script/script.c:65: free 0x81fff48400
> > > > script/script.c:65: free 0x81fff47f40
> > > > ...
> > > >
> > > > script/script.c:65: free 0x81fff49440
> > > > script/script.c:65: free 0x81fff494a0
> > > > script/script.c:65: free 0x81fff494e0
> > > > script/script.c:65: free 0x81fff49600
> > > > script/script.c:65: free 0x81fff49640
> > > > kern/disk.c:295: Closing `hd0'.
> > > > disk/efi/efidisk.c:540: closing hd0
> > > > GNU GRUB  version 2.11
> > > >
> > > >    Use the ^ and v keys to select which entry is highlighted.
> > > >       Press enter to boot the selected OS, `e' to edit the commands
> > > >       before booting or `c' for a command-line.
> > > >
> > > >  *SGI-575 BusyBox
> > > >
> > > >    The highlighted entry will be executed automatically in 1s.
> > > >    The highlighted entry will be executed automatically in 0s.
> > > >
> > > >   Booting `SGI-575 BusyBox'
> > > >
> > > > script/lexer.c:336: token 288 text [setparams]
> > > > script/script.c:50: malloc 0x81fff4a6a0
> > > > script/script.c:50: malloc 0x81fff4a660
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff4a600
> > > > script/lexer.c:336: token 289 text []
> > > > script/script.c:50: malloc 0x81fff4a420
> > > > script/script.c:50: malloc 0x81fff4a3e0
> > > > script/lexer.c:336: token 289 text [SGI-575 BusyBox]
> > > > script/script.c:50: malloc 0x81fff4a380
> > > > script/script.c:50: malloc 0x81fff4a340
> > > > script/lexer.c:336: token 289 text []
> > > > script/script.c:50: malloc 0x81fff4a2e0
> > > > script/script.c:50: malloc 0x81fff4a2a0
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff4a240
> > > > script/lexer.c:336: token 259 text []
> > > > script/script.c:50: malloc 0x81fff4a1e0
> > > > script/script.c:50: malloc 0x81fff4a1a0
> > > > script/script.c:198: cmdline
> > > > script/script.c:50: malloc 0x81fff4a140
> > > > script/lexer.c:336: token 0 text []
> > > > script/script.c:50: malloc 0x81fff4a7c0
> > > > script/script.c:50: malloc 0x81fff4a780
> > > > script/script.c:294: append command
> > > > script/script.c:50: malloc 0x81fff4a740
> > > > kern/verifiers.c:212: string: setparams SGI-575 BusyBox, type: 2
> > > > script/script.c:65: free 0x81fff4a740
> > > > script/script.c:65: free 0x81fff4a780
> > > > ...
> > > >
> > > > script/script.c:65: free 0x81fff4a660
> > > > script/script.c:65: free 0x81fff4a6a0
> > > > script/lexer.c:336: token 288 text [linux]
> > > > script/script.c:50: malloc 0x81fff4a7c0
> > > > script/script.c:50: malloc 0x81fff4a5c0
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff4a560
> > > > script/lexer.c:336: token 289 text [/Image]
> > > > script/script.c:50: malloc 0x81fff4a380
> > > > script/script.c:50: malloc 0x81fff4a340
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff4a2e0
> > > > script/lexer.c:336: token 289 text [acpi=force]
> > > > script/script.c:50: malloc 0x81fff4a280
> > > > script/script.c:50: malloc 0x81fff4a240
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff4a1e0
> > > > script/lexer.c:336: token 289 text [console=ttyAMA0,115200]
> > > > script/script.c:50: malloc 0x81fff4a180
> > > > script/script.c:50: malloc 0x81fff4a120
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff4a0c0
> > > > script/lexer.c:336: token 289 text [ip=dhcp]
> > > > script/script.c:50: malloc 0x81fff4a060
> > > > script/script.c:50: malloc 0x81fff4a020
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff49fc0
> > > > script/lexer.c:336: token 289 text
> > > > [root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94]
> > > > script/script.c:50: malloc 0x81fff49d00
> > > > script/script.c:50: malloc 0x81fff49c80
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff49c20
> > > > script/lexer.c:336: token 288 text [rootwait]
> > > > script/script.c:50: malloc 0x81fff49bc0
> > > > script/script.c:50: malloc 0x81fff49b80
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff49b20
> > > > script/lexer.c:336: token 288 text [verbose]
> > > > script/script.c:50: malloc 0x81fff49ac0
> > > > script/script.c:50: malloc 0x81fff49a80
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff49a20
> > > > script/lexer.c:336: token 288 text [debug]
> > > > script/script.c:50: malloc 0x81fff499c0
> > > > script/script.c:50: malloc 0x81fff49980
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff49920
> > > > script/lexer.c:336: token 259 text []
> > > > script/script.c:50: malloc 0x81fff498c0
> > > > script/script.c:50: malloc 0x81fff49880
> > > > script/script.c:198: cmdline
> > > > script/script.c:50: malloc 0x81fff49820
> > > > script/lexer.c:336: token 0 text []
> > > > script/script.c:50: malloc 0x81fff4a760
> > > > script/script.c:50: malloc 0x81fff4a720
> > > > script/script.c:294: append command
> > > > script/script.c:50: malloc 0x81fff4a6e0
> > > > kern/verifiers.c:212: string: linux /Image acpi=force
> > > > console=ttyAMA0,115200 ip=dhcp
> > > > root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose
> > debug,
> > > > type: 2
> > > > kern/disk.c:196: Opening `hd0,gpt2'...
> > > > disk/efi/efidisk.c:482: opening hd0
> > > > disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size
> > =
> > > > 200, io align = 0
> > > > disk/efi/efidisk.c:531: opening hd0 succeeded
> > > > partmap/gpt.c:93: Read a valid GPT header
> > > > partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
> > > > partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
> > > > kern/fs.c:56: Detecting ext2...
> > > > kern/verifiers.c:88: file: /Image type: 3
> > > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc40 from
> > hd0
> > > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc80 from
> > hd0
> > > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xccc0 from
> > hd0
> > > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcd00 from
> > hd0
> > > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcd40 from
> > hd0
> > > > ...
> > > >
> > > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1db80
> > from hd0
> > > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dbc0
> > from hd0
> > > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc00
> > from hd0
> > > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc40
> > from hd0
> > > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc80
> > from hd0
> > > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dcc0
> > from hd0
> > > > disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dd00
> > from hd0
> > > > kern/disk.c:295: Closing `hd0'.
> > > > disk/efi/efidisk.c:540: closing hd0
> > > > error: shim_lock protocol not found.
> > > > script/script.c:65: free 0x81fff4a6e0
> > > > script/script.c:65: free 0x81fff4a720
> > > > script/script.c:65: free 0x81fff4a760
> > > > script/script.c:65: free 0x81fff49820
> > > > ...
> > > >
> > > > script/script.c:65: free 0x81fff4a560
> > > > script/script.c:65: free 0x81fff4a5c0
> > > > script/script.c:65: free 0x81fff4a7c0
> > > > script/lexer.c:336: token 288 text [initrd]
> > > > script/script.c:50: malloc 0x81fff4a660
> > > > script/script.c:50: malloc 0x81fff4a620
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff4a5c0
> > > > script/lexer.c:336: token 289 text [/ramdisk-busybox.img]
> > > > script/script.c:50: malloc 0x81fff4a3e0
> > > > script/script.c:50: malloc 0x81fff4a380
> > > > script/script.c:163: arglist
> > > > script/script.c:50: malloc 0x81fff4a320
> > > > script/lexer.c:336: token 259 text []
> > > > script/script.c:50: malloc 0x81fff4a2c0
> > > > script/script.c:50: malloc 0x81fff4a280
> > > > script/script.c:198: cmdline
> > > > script/script.c:50: malloc 0x81fff4a220
> > > > script/lexer.c:336: token 0 text []
> > > > script/script.c:50: malloc 0x81fff4a780
> > > > script/script.c:50: malloc 0x81fff4a740
> > > > script/script.c:294: append command
> > > > script/script.c:50: malloc 0x81fff4a700
> > > > kern/verifiers.c:212: string: initrd /ramdisk-busybox.img, type: 2
> > > > error: you need to load the kernel first.
> > > > script/script.c:65: free 0x81fff4a700
> > > > script/script.c:65: free 0x81fff4a740
> > > > script/script.c:65: free 0x81fff4a780
> > > > ...
> > > >
> > > > script/script.c:65: free 0x81fff4a660
> > > > script/lexer.c:336: token 259 text []
> > > > script/script.c:50: malloc 0x81fff4a6a0
> > > > script/script.c:50: malloc 0x81fff4a660
> > > > script/lexer.c:336: token 0 text []
> > > > script/script.c:50: malloc 0x81fff4a7c0
> > > > script/script.c:50: malloc 0x81fff4a780
> > > > script/script.c:65: free 0x81fff4a780
> > > > script/script.c:65: free 0x81fff4a7c0
> > > > script/script.c:65: free 0x81fff4a660
> > > > script/script.c:65: free 0x81fff4a6a0
> > > >
> > > > Press any key to continue...
> > > >
> > > > >Daniel
> > > >
> > > > Thanks,
> > > > Sayanta
> > > >
> >
> > > _______________________________________________
> > > Grub-devel mailing list
> > > Grub-devel@gnu.org
> > > https://lists.gnu.org/mailman/listinfo/grub-devel
> >



^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-08 13:31         ` Daniel Kiper
@ 2021-07-09  6:27           ` Michael Chang
  0 siblings, 0 replies; 20+ messages in thread
From: Michael Chang @ 2021-07-09  6:27 UTC (permalink / raw)
  To: The development of GNU GRUB; +Cc: Sayanta Pattanayak, nd

On Thu, Jul 08, 2021 at 03:31:15PM +0200, Daniel Kiper wrote:
> On Thu, Jul 08, 2021 at 08:01:31PM +0800, Michael Chang via Grub-devel wrote:
> > Hi Dimitri,
> >
> > On Thu, Jul 08, 2021 at 11:51:25AM +0100, Dimitri John Ledkov wrote:
> > > Hi,
> > >
> > > The below mentioned commands are useful. Hence we need to debug this
> > > further and establish further details about your setup.
> >
> > I think the problem here is that arm64 already uses LoadImage to verify
> > the kernel image so the shim lock is not really required. IMHO the
> > lockdown verifier should be relaxed for the arm platform as there will
> > always be a verifier (LoadImage) used for booting the kernel.
> 
> To some extent you are right. However, please do not forget about
> detached PGP signatures case.

Indeed. I should make it clear that this is specific to
GRUB_FILE_TYPE_LINUX_KERNEL asked to be relaxed in the lockdown list for
arm64.

Thanks,
Michael

> 
> Daniel
> 



^ permalink raw reply	[flat|nested] 20+ messages in thread
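
The exchange above (lockdown defers the kernel check to some other verifier; on UEFI shim_lock is the one that normally takes it, and Michael proposes letting lockdown skip GRUB_FILE_TYPE_LINUX_KERNEL on arm64 because LoadImage checks the PE image anyway) is easier to follow as a small model. The following is an added example, not GRUB's own code: a Python sketch of the grub_verifiers_open() decision from kern/verifiers.c with simplified lockdown and shim_lock verifiers. It reproduces the two errors from the logs in this thread ("shim_lock protocol not found" with a stock image and no shim, "verification requested but nobody cares" with --disable-shim-lock) and shows what the proposed relaxation would change. The Platform class, the flag and function names and the sample image bytes are assumptions of the model.

```python
"""Toy model of the GRUB 2.06 verifier chain (kern/verifiers.c). Added as an
illustration, not GRUB's code; names, flags and messages are simplified."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum, auto
from functools import partial

class FileType(Enum):
    LINUX_KERNEL = auto()       # GRUB_FILE_TYPE_LINUX_KERNEL
    LINUX_INITRD = auto()

class Flags(Enum):
    VERIFY = auto()             # this verifier checks the file itself
    SKIP_VERIFICATION = auto()  # file type is of no interest to this verifier
    DEFER_AUTH = auto()         # must be verified, but by some other verifier

class VerifyError(Exception):
    """Stands in for grub_error(GRUB_ERR_ACCESS_DENIED, ...)."""

@dataclass
class Platform:
    """Constructed firmware environment the verifiers inspect (assumption)."""
    secure_boot: bool = True    # UEFI SecureBoot variable is set
    shim_present: bool = False  # shim_lock protocol installed by a shim?
    arch: str = "arm64"
    trusted_sha256: set = field(default_factory=set)  # what shim would accept

def platform_trusting(data, **kw):
    """Platform whose shim accepts exactly this image (constructed sample)."""
    return Platform(trusted_sha256={hashlib.sha256(data).hexdigest()}, **kw)

def lockdown_init(plat, ftype, relax_arm64_kernel=False):
    """Lockdown verifier: never verifies, only demands that someone else does."""
    if not plat.secure_boot:
        return Flags.SKIP_VERIFICATION
    if ftype is FileType.LINUX_KERNEL:
        if relax_arm64_kernel and plat.arch == "arm64":
            # Michael's proposal: firmware LoadImage() authenticates the PE
            # kernel anyway, so lockdown stops insisting on a GRUB verifier.
            return Flags.SKIP_VERIFICATION
        return Flags.DEFER_AUTH
    return Flags.SKIP_VERIFICATION

def shim_lock_init(plat, ftype):
    """shim_lock verifier, built in unless grub-mkimage --disable-shim-lock."""
    if not plat.secure_boot:
        return Flags.SKIP_VERIFICATION
    if ftype is FileType.LINUX_KERNEL:
        return Flags.VERIFY
    if ftype is FileType.LINUX_INITRD:
        return Flags.SKIP_VERIFICATION
    raise VerifyError("prohibited by secure boot policy")

def shim_lock_verify(plat, data):
    """The protocol is looked up only now, after the whole file was read."""
    if not plat.shim_present:
        raise VerifyError("shim_lock protocol not found")
    if hashlib.sha256(data).hexdigest() not in plat.trusted_sha256:
        raise VerifyError("bad shim signature")

def verifiers_open(plat, name, ftype, data, verifiers):
    """Model of grub_verifiers_open(): the first verifier wanting the file
    checks it; if none wants it but one deferred, that is an error."""
    defer = False
    for vname, init, verify in verifiers:
        flags = init(plat, ftype)
        if flags is Flags.VERIFY:
            verify(plat, data)
            return f"{name}: verified by {vname}"
        if flags is Flags.DEFER_AUTH:
            defer = True
    if defer:
        raise VerifyError(f"verification requested but nobody cares: {name}")
    return f"{name}: opened, no verifier asked for it"

def boot_menuentry(plat, verifiers, kernel=b"constructed kernel image"):
    """Replay 'linux /Image' then 'initrd /ramdisk-busybox.img' from the log."""
    log = []
    try:
        log.append(verifiers_open(plat, "/Image", FileType.LINUX_KERNEL,
                                  kernel, verifiers))
    except VerifyError as e:
        log.append(f"error: {e}.")
        log.append("error: you need to load the kernel first.")  # initrd fails
        return log
    log.append(verifiers_open(plat, "/ramdisk-busybox.img",
                              FileType.LINUX_INITRD, b"constructed initrd",
                              verifiers))
    return log

LOCKDOWN = ("lockdown", lockdown_init, None)
LOCKDOWN_RELAXED = ("lockdown (arm64 kernel relaxed)",
                    partial(lockdown_init, relax_arm64_kernel=True), None)
SHIM_LOCK = ("shim_lock", shim_lock_init, shim_lock_verify)
STOCK_IMAGE = [LOCKDOWN, SHIM_LOCK]   # plain grub-mkimage
NO_SHIM_LOCK_IMAGE = [LOCKDOWN]       # grub-mkimage --disable-shim-lock
RELAXED_IMAGE = [LOCKDOWN_RELAXED]    # Michael's proposal, no shim_lock
```

Calling boot_menuentry(Platform(), STOCK_IMAGE) gives the two error lines from Sayanta's first log, and boot_menuentry(Platform(), NO_SHIM_LOCK_IMAGE) the "nobody cares" pair from the second; with RELAXED_IMAGE the kernel opens with no GRUB verifier involved at all, which is exactly why Daniel points at the detached PGP signature case: with the relaxation, the only check left for the kernel is whatever the firmware's LoadImage does.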

* RE: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-08 10:51     ` Dimitri John Ledkov
  2021-07-08 12:01       ` Michael Chang
@ 2021-07-12 16:15       ` Sayanta Pattanayak
  2021-07-12 16:23         ` Dimitri John Ledkov
  1 sibling, 1 reply; 20+ messages in thread
From: Sayanta Pattanayak @ 2021-07-12 16:15 UTC (permalink / raw)
  To: Dimitri John Ledkov; +Cc: The development of GNU GRUB, nd


Hi Dimitri,

Thanks for the detailed response. Sorry for the slightly late reply.

We are generating our own keys and signing with the same.
You can kindly have a look at the steps that are followed for Generating Secure Keys and Secure Busybox boot: https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-docs/-/blob/master/docs/infra/common/secure-boot.rst

In addition, during UEFI Secureboot image building, the Grub image is signed with the following command:
sbsign --key DB.key --cert DB.crt --output bootaa64_signed.efi bootaa64.efi

And the Kernel Image is also signed:
sbsign --key DB.key --cert DB.crt --output Image_signed Image

We don't intend to use Shim, but if we use "--disable-shim-lock" then the image is locked down. Does that mean we need to implement a new verifier, as you suggested in one of your points?

Thanks,
Sayanta
From: Dimitri John Ledkov <xnox@ubuntu.com>
Sent: Thursday, July 8, 2021 4:21 PM
To: Sayanta Pattanayak <Sayanta.Pattanayak@arm.com>
Cc: The development of GNU GRUB <grub-devel@gnu.org>; nd <nd@arm.com>
Subject: Re: UEFI Secureboot not succeeding with Grub 2.06 and later version

Hi,

The below mentioned commands are useful. Hence we need to debug this further and establish further details about your setup.

1) which keys are in DB? ( mokutil --db --list-enrolled )

2) which keys are used to sign grub image? ( sbverify --list grub*.efi )

3) which keys are used to sign grub image? ( sbverify --list Image )

4) since shim verifier was not disabled during grub mkimage build, which Shim did you compile, with what toolchain, and which keys was it signed with?

5) if you don't want to use Shim (and lose the ability for users to enroll their own machine owner key, and revoke grub via sbat revocation - if underlying firmware can do those things i.e. secure edk2 builds), you must create grub image with disable shim lock verifier option.

6) if you do not want to sbsign kernel image using secureboot keys, you can alternatively provide detached gpg signature and create grub image with a gpg public key built-in.

8) maybe there is some other way to verify kernel, i.e. you could implement a new verifier module that uses calls to a prior stage bootloader or firmware to verify kernel authenticity.

9) if you do not want to sign kernel at all in any way, you must disable secureboot at either firmware level (SecureBoot variable) or shim/grub/linux-only level (MokSBState see mokutil --disable-validation). Because if firmware SecureBoot is on, and mokutil validation is on, loading unverifiable kernels is not supported in grub 2.06 thanks to implementing lockdown.

If the kernel is expected to be verifiable and yet fails to verify please provide further details. We have experienced buggy compilers, binutils, sbsign tooling which would produce invalid / unverifiable signatures in the past. Also we have seen buggy firmware that fail to verify correctly signed binaries.

On Thu, 8 Jul 2021, 08:05 Sayanta Pattanayak, <Sayanta.Pattanayak@arm.com> wrote:
Hi Daniel,

Thanks for your reply and hope you had a great vacation.
We use the upstream 2.06 tagged version. The build commands and console output are given below.

>-----Original Message-----
>From: Daniel Kiper <dkiper@net-space.pl>
>Sent: Wednesday, July 7, 2021 6:45 PM
>To: Sayanta Pattanayak <Sayanta.Pattanayak@arm.com>
>Cc: grub-devel@gnu.org; nd <nd@arm.com>; javierm@redhat.com;
>xnox@ubuntu.com; pjones@redhat.com; leif@nuviainc.com
>Subject: Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
>
>Hi Sayanta,
>
>Sorry for late reply but I am just recovering after vacation...
>
>CC-ing Javier, Dimitri, Peter and Leif.
>
>On Thu, Jul 01, 2021 at 03:23:03PM +0000, Sayanta Pattanayak wrote:
>> Hi All,
>> I am new to grub and UEFI secure boot and so a beginners question.
>> UEFI secureboot on a Arm64 platform works fine with Grub 2.04 version.
>> The linux kernel image is authenticated and loaded. But the same with
>> Grub 2.06 version does not progress - following error messages are
>> displayed.
>>
>> error: shim_lock protocol not found.
>> error: you need to load the kernel first.
>>
>> With reference of
>> "https://www.mail-archive.com/help-grub@gnu.org/msg05375.html",
>> created Grub image with "--disable-shim-lock" option. This change
>> solved the "shim_lock" error but then the following error message
>> started appearing-
>>
>> error: verification requested but nobody cares: /Image.
>> error: you need to load the kernel first.
>> Press any key to continue...
>>
>> A large set of patches addressing bootHole vulnerability
>> (https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html)
>> have been merged in the Grub 2.06 version. Does this change the way
>> images are signed or is there any other change introduced that
>> required UEFI secure boot to be handled differently on the platform.
>>
>> Request any suggestion that would help validate UEFI secure boot with
>> Grub 2.06 and later version.
>
>Do you use GRUB 2.06 upstream or a Linux distribution variant? If upstream
>could you provide us commands used to build the GRUB and console output
>when debug is enabled, i.e. "set debug=all"?
>


Commands used -

./autogen.sh
./configure STRIP=gcc-arm-10.2-2020.11-x86_64-aarch64-none-linux-gnu/bin/aarch64-none-linux-gnu-strip --target=aarch64-none-linux-gnu --with-platform=efi --prefix=grub/output/ --disable-werror
make
make -j $PARALLELISM install
output/bin/grub-mkimage -v -c ${GRUB_PLAT_CONFIG_FILE} -o output/grubaa64.efi -O arm64-efi -p "" part_gpt part_msdos ntfs ntfscomp hfsplus fat ext2 normal chain boot configfile linux help part_msdos terminal terminfo configfile lsefi search normal gettext loadenv read search_fs_file search_fs_uuid search_label



Following is the console output when "--disable-shim-lock" is not used:

Press ESCAPE for boot options ...........[Bds]Booting UEFI Non-Block Boot Device [Bds]Booting UEFI Misc Device [Bds]Booting UEFI Misc Device 2 Installed Fat filesystem on FE6E9318 Loading driver at 0x000F9264000 EntryPoint=0x000F9265000 Loading driver at 0x000F9264000 EntryPoint=0x000F9265000 Welcome to GRUB!

script/script.c:65: free 0x81fff49d60
script/script.c:65: free 0x81fff49da0
script/script.c:65: free 0x81fff49de0
script/script.c:65: free 0x81fff497c0
script/script.c:65: free 0x81fff49820
script/script.c:65: free 0x81fff49860
script/script.c:65: free 0x81fff498c0
script/script.c:65: free 0x81fff49920
script/script.c:65: free 0x81fff49b40
script/script.c:65: free 0x81fff49960
script/script.c:65: free 0x81fff499a0
script/script.c:65: free 0x81fff49a00
script/script.c:65: free 0x81fff49a40
script/script.c:65: free 0x81fff49c20
script/script.c:65: free 0x81fff49c80
script/script.c:65: free 0x81fff49cc0
script/lexer.c:336: token 288 text [set]
script/script.c:50: malloc 0x81fff49cc0
script/script.c:50: malloc 0x81fff49c80
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49c20
script/lexer.c:336: token 289 text [term=]
script/script.c:50: malloc 0x81fff49a40
script/script.c:50: malloc 0x81fff49a00
script/lexer.c:336: token 289 text [vt100]
script/script.c:50: malloc 0x81fff499a0
script/script.c:50: malloc 0x81fff49960
script/lexer.c:336: token 289 text []
script/script.c:50: malloc 0x81fff49900
script/script.c:50: malloc 0x81fff498c0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49860
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff49800
script/script.c:50: malloc 0x81fff497c0
script/script.c:198: cmdline
script/script.c:50: malloc 0x81fff49760
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x81fff49de0
script/script.c:50: malloc 0x81fff49da0
script/script.c:294: append command
script/script.c:50: malloc 0x81fff49d60
kern/verifiers.c:212: string: set term=vt100, type: 2
script/script.c:65: free 0x81fff49d60
script/script.c:65: free 0x81fff49da0
...

script/script.c:294: append command
script/script.c:50: malloc 0x81fff49d60
kern/verifiers.c:212: string: set timeout=1, type: 2
script/script.c:65: free 0x81fff49d60
...

script/script.c:65: free 0x81fff49cc0
script/lexer.c:336: token 288 text [search]
script/script.c:50: malloc 0x81fff49de0
script/script.c:50: malloc 0x81fff49c60
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49c00
script/lexer.c:336: token 289 text [--set=root]
script/script.c:50: malloc 0x81fff49a20
script/script.c:50: malloc 0x81fff499e0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49980
script/lexer.c:336: token 289 text [--fs-uuid]
script/script.c:50: malloc 0x81fff49920
script/script.c:50: malloc 0x81fff498e0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49880
script/lexer.c:336: token 289 text [535add81-5875-4b4a-b44a-464aee5f5cbd]
script/script.c:50: malloc 0x81fff496e0
script/script.c:50: malloc 0x81fff49680
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49620
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff495c0
script/script.c:50: malloc 0x81fff49580
script/script.c:198: cmdline
script/script.c:50: malloc 0x81fff49520
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x81fff49d80
script/script.c:50: malloc 0x81fff49d40
script/script.c:294: append command
script/script.c:50: malloc 0x81fff49d00
kern/verifiers.c:212: string: search --set=root --fs-uuid 535add81-5875-4b4a-b44a-464aee5f5cbd, type: 2
disk/efi/efidisk.c:413: iterating hd0
kern/disk.c:196: Opening `hd0'...
disk/efi/efidisk.c:482: opening hd0
disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size = 200, io align = 0
disk/efi/efidisk.c:531: opening hd0 succeeded
kern/fs.c:56: Detecting ext2...
kern/fs.c:78: ext2 detection failed.
kern/fs.c:56: Detecting fat...
kern/fs.c:78: fat detection failed.
kern/fs.c:56: Detecting hfsplus...
kern/fs.c:78: hfsplus detection failed.
kern/fs.c:56: Detecting ntfs...
kern/fs.c:78: ntfs detection failed.
kern/disk.c:295: Closing `hd0'.
disk/efi/efidisk.c:540: closing hd0
kern/disk.c:196: Opening `hd0'...
disk/efi/efidisk.c:482: opening hd0
disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size = 200, io align = 0
disk/efi/efidisk.c:531: opening hd0 succeeded
partmap/gpt.c:93: Read a valid GPT header
partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
partmap/msdos.c:184: partition 0: flag 0x0, type 0x0, start 0x0, len 0x0
partmap/msdos.c:184: partition 1: flag 0x0, type 0x0, start 0x0, len 0x0
partmap/msdos.c:184: partition 2: flag 0x0, type 0x0, start 0x0, len 0x0
partmap/msdos.c:184: partition 3: flag 0x0, type 0x0, start 0x0, len 0x0
partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xa800 from hd0
kern/disk.c:295: Closing `hd0'.
disk/efi/efidisk.c:540: closing hd0
kern/disk.c:196: Opening `hd0,gpt2'...
disk/efi/efidisk.c:482: opening hd0
disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size = 200, io align = 0
disk/efi/efidisk.c:531: opening hd0 succeeded
partmap/gpt.c:93: Read a valid GPT header
partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
kern/fs.c:56: Detecting ext2...
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xaa00 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xac00 from hd0
kern/disk.c:295: Closing `hd0'.
disk/efi/efidisk.c:540: closing hd0
script/script.c:65: free 0x81fff49d00
script/script.c:65: free 0x81fff49d40
...

script/script.c:65: free 0x81fff49de0
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff49cc0
script/script.c:50: malloc 0x81fff49c80
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x81fff49de0
script/script.c:50: malloc 0x81fff49da0
script/script.c:65: free 0x81fff49da0
script/script.c:65: free 0x81fff49de0
script/script.c:65: free 0x81fff49c80
script/script.c:65: free 0x81fff49cc0
script/lexer.c:336: token 288 text [menuentry]
script/script.c:50: malloc 0x81fff49cc0
script/script.c:50: malloc 0x81fff49c80
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49c20
script/lexer.c:336: token 289 text []
script/script.c:50: malloc 0x81fff49a40
script/script.c:50: malloc 0x81fff49a00
script/lexer.c:336: token 289 text [SGI-575 BusyBox]
script/script.c:50: malloc 0x81fff499a0
script/script.c:50: malloc 0x81fff49960
script/lexer.c:336: token 289 text []
script/script.c:50: malloc 0x81fff49900
script/script.c:50: malloc 0x81fff498c0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49860
script/lexer.c:336: token 266 text [{]
script/script.c:50: malloc 0x81fff49800
script/script.c:50: malloc 0x81fff497c0
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff49640
script/script.c:50: malloc 0x81fff49600
script/lexer.c:336: token 288 text [linux]
script/script.c:50: malloc 0x81fff494e0
script/script.c:50: malloc 0x81fff494a0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49440
script/lexer.c:336: token 289 text [/Image]
script/script.c:50: malloc 0x81fff49320
script/script.c:50: malloc 0x81fff492e0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49280
script/lexer.c:336: token 289 text [acpi=force]
script/script.c:50: malloc 0x81fff49220
script/script.c:50: malloc 0x81fff491e0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49180
script/lexer.c:336: token 289 text [console=ttyAMA0,115200]
script/script.c:50: malloc 0x81fff49120
script/script.c:50: malloc 0x81fff490c0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49060
script/lexer.c:336: token 289 text [ip=dhcp]
script/script.c:50: malloc 0x81fff49000
script/script.c:50: malloc 0x81fff48fc0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff48f60
script/lexer.c:336: token 289 text [root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94]
script/script.c:50: malloc 0x81fff48da0
script/script.c:50: malloc 0x81fff48d20
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff48cc0
script/lexer.c:336: token 288 text [rootwait]
script/script.c:50: malloc 0x81fff48c60
script/script.c:50: malloc 0x81fff48c20
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff48bc0
script/lexer.c:336: token 288 text [verbose]
script/script.c:50: malloc 0x81fff48b60
script/script.c:50: malloc 0x81fff48b20
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff48ac0
script/lexer.c:336: token 288 text [debug]
script/script.c:50: malloc 0x81fff48a60
script/script.c:50: malloc 0x81fff48a20
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff489c0
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff48960
script/script.c:50: malloc 0x81fff48920
script/script.c:198: cmdline
script/script.c:50: malloc 0x81fff488c0
script/script.c:294: append command
script/script.c:50: malloc 0x81fff48880
script/lexer.c:336: token 288 text [initrd]
script/script.c:50: malloc 0x81fff48720
script/script.c:50: malloc 0x81fff486e0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff48680
script/lexer.c:336: token 289 text [/ramdisk-busybox.img]
script/script.c:50: malloc 0x81fff48620
script/script.c:50: malloc 0x81fff485c0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff48560
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff48500
script/script.c:50: malloc 0x81fff484c0
script/script.c:198: cmdline
script/script.c:50: malloc 0x81fff48460
script/script.c:294: append command
script/lexer.c:336: token 267 text [}]
script/script.c:50: malloc 0x81fff48300
script/script.c:50: malloc 0x81fff482c0
script/script.c:50: malloc 0x81fff481e0
script/script.c:50: malloc 0x81fff49760
script/script.c:50: malloc 0x81fff48100
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff48040
script/script.c:198: cmdline
script/script.c:50: malloc 0x81fff47fe0
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff47f80
script/script.c:50: malloc 0x81fff47f40
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x81fff48400
script/script.c:50: malloc 0x81fff483c0
script/script.c:294: append command
script/script.c:50: malloc 0x81fff47f00
kern/verifiers.c:212: string: menuentry SGI-575 BusyBox {
        linux /Image acpi=force console=ttyAMA0,115200 ip=dhcp root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose debug
        initrd /ramdisk-busybox.img
}, type: 2
script/script.c:65: free 0x81fff47f00
script/script.c:65: free 0x81fff483c0
script/script.c:65: free 0x81fff48400
script/script.c:65: free 0x81fff47f40
...

script/script.c:65: free 0x81fff49440
script/script.c:65: free 0x81fff494a0
script/script.c:65: free 0x81fff494e0
script/script.c:65: free 0x81fff49600
script/script.c:65: free 0x81fff49640
kern/disk.c:295: Closing `hd0'.
disk/efi/efidisk.c:540: closing hd0
GNU GRUB  version 2.11

     Use the ^ and v keys to select which entry is highlighted.
      Press enter to boot the selected OS, `e' to edit the commands
      before booting or `c' for a command-line.
*SGI-575 BusyBox
   The highlighted entry will be executed automatically in 1s.
   The highlighted entry will be executed automatically in 0s.
  Booting `SGI-575 BusyBox'

script/lexer.c:336: token 288 text [setparams]
script/script.c:50: malloc 0x81fff4a6a0
script/script.c:50: malloc 0x81fff4a660
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff4a600
script/lexer.c:336: token 289 text []
script/script.c:50: malloc 0x81fff4a420
script/script.c:50: malloc 0x81fff4a3e0
script/lexer.c:336: token 289 text [SGI-575 BusyBox]
script/script.c:50: malloc 0x81fff4a380
script/script.c:50: malloc 0x81fff4a340
script/lexer.c:336: token 289 text []
script/script.c:50: malloc 0x81fff4a2e0
script/script.c:50: malloc 0x81fff4a2a0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff4a240
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff4a1e0
script/script.c:50: malloc 0x81fff4a1a0
script/script.c:198: cmdline
script/script.c:50: malloc 0x81fff4a140
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x81fff4a7c0
script/script.c:50: malloc 0x81fff4a780
script/script.c:294: append command
script/script.c:50: malloc 0x81fff4a740
kern/verifiers.c:212: string: setparams SGI-575 BusyBox, type: 2
script/script.c:65: free 0x81fff4a740
script/script.c:65: free 0x81fff4a780
...

script/script.c:65: free 0x81fff4a660
script/script.c:65: free 0x81fff4a6a0
script/lexer.c:336: token 288 text [linux]
script/script.c:50: malloc 0x81fff4a7c0
script/script.c:50: malloc 0x81fff4a5c0
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff4a560
script/lexer.c:336: token 289 text [/Image]
script/script.c:50: malloc 0x81fff4a380
script/script.c:50: malloc 0x81fff4a340
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff4a2e0
script/lexer.c:336: token 289 text [acpi=force]
script/script.c:50: malloc 0x81fff4a280
script/script.c:50: malloc 0x81fff4a240
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff4a1e0
script/lexer.c:336: token 289 text [console=ttyAMA0,115200]
script/script.c:50: malloc 0x81fff4a180
script/script.c:50: malloc 0x81fff4a120
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff4a0c0
script/lexer.c:336: token 289 text [ip=dhcp]
script/script.c:50: malloc 0x81fff4a060
script/script.c:50: malloc 0x81fff4a020
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49fc0
script/lexer.c:336: token 289 text [root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94]
script/script.c:50: malloc 0x81fff49d00
script/script.c:50: malloc 0x81fff49c80
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49c20
script/lexer.c:336: token 288 text [rootwait]
script/script.c:50: malloc 0x81fff49bc0
script/script.c:50: malloc 0x81fff49b80
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49b20
script/lexer.c:336: token 288 text [verbose]
script/script.c:50: malloc 0x81fff49ac0
script/script.c:50: malloc 0x81fff49a80
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49a20
script/lexer.c:336: token 288 text [debug]
script/script.c:50: malloc 0x81fff499c0
script/script.c:50: malloc 0x81fff49980
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff49920
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff498c0
script/script.c:50: malloc 0x81fff49880
script/script.c:198: cmdline
script/script.c:50: malloc 0x81fff49820
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x81fff4a760
script/script.c:50: malloc 0x81fff4a720
script/script.c:294: append command
script/script.c:50: malloc 0x81fff4a6e0
kern/verifiers.c:212: string: linux /Image acpi=force console=ttyAMA0,115200 ip=dhcp root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose debug, type: 2
kern/disk.c:196: Opening `hd0,gpt2'...
disk/efi/efidisk.c:482: opening hd0
disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size = 200, io align = 0
disk/efi/efidisk.c:531: opening hd0 succeeded
partmap/gpt.c:93: Read a valid GPT header
partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
kern/fs.c:56: Detecting ext2...
kern/verifiers.c:88: file: /Image type: 3
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc40 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc80 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xccc0 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcd00 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcd40 from hd0 ...

disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1db80 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dbc0 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc00 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc40 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc80 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dcc0 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dd00 from hd0
kern/disk.c:295: Closing `hd0'.
disk/efi/efidisk.c:540: closing hd0
error: shim_lock protocol not found.
script/script.c:65: free 0x81fff4a6e0
script/script.c:65: free 0x81fff4a720
script/script.c:65: free 0x81fff4a760
script/script.c:65: free 0x81fff49820
...

script/script.c:65: free 0x81fff4a560
script/script.c:65: free 0x81fff4a5c0
script/script.c:65: free 0x81fff4a7c0
script/lexer.c:336: token 288 text [initrd]
script/script.c:50: malloc 0x81fff4a660
script/script.c:50: malloc 0x81fff4a620
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff4a5c0
script/lexer.c:336: token 289 text [/ramdisk-busybox.img]
script/script.c:50: malloc 0x81fff4a3e0
script/script.c:50: malloc 0x81fff4a380
script/script.c:163: arglist
script/script.c:50: malloc 0x81fff4a320
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff4a2c0
script/script.c:50: malloc 0x81fff4a280
script/script.c:198: cmdline
script/script.c:50: malloc 0x81fff4a220
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x81fff4a780
script/script.c:50: malloc 0x81fff4a740
script/script.c:294: append command
script/script.c:50: malloc 0x81fff4a700
kern/verifiers.c:212: string: initrd /ramdisk-busybox.img, type: 2
error: you need to load the kernel first.
script/script.c:65: free 0x81fff4a700
script/script.c:65: free 0x81fff4a740
script/script.c:65: free 0x81fff4a780
...

script/script.c:65: free 0x81fff4a660
script/lexer.c:336: token 259 text []
script/script.c:50: malloc 0x81fff4a6a0
script/script.c:50: malloc 0x81fff4a660
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x81fff4a7c0
script/script.c:50: malloc 0x81fff4a780
script/script.c:65: free 0x81fff4a780
script/script.c:65: free 0x81fff4a7c0
script/script.c:65: free 0x81fff4a660
script/script.c:65: free 0x81fff4a6a0

Press any key to continue...

>Daniel

Thanks,
Sayanta



* RE: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-08 13:27     ` Daniel Kiper
@ 2021-07-12 16:20       ` Sayanta Pattanayak
  2021-07-14 13:14         ` Daniel Kiper
  0 siblings, 1 reply; 20+ messages in thread
From: Sayanta Pattanayak @ 2021-07-12 16:20 UTC (permalink / raw)
  To: Daniel Kiper; +Cc: grub-devel, nd, javierm, xnox, pjones, leif

Hi Daniel,

Secure Boot worked fine with the change (GRUB_FILE_TYPE_LINUX_KERNEL -> GRUB_FILE_TYPE_NONE) you suggested.

disk/efi/efidisk.c:531: opening hd0 succeeded
partmap/gpt.c:93: Read a valid GPT header
partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
kern/fs.c:56: Detecting ext2...
kern/verifiers.c:88: file: /Image type: 0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc40 from hd0
loader/arm64/linux.c:61: UEFI stub kernel:
loader/arm64/linux.c:62: PE/COFF header @ 00000040
loader/arm64/linux.c:316: kernel file size: 34054136
loader/arm64/linux.c:318: kernel numpages: 8314
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc80 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xccc0 from hd0
....
loader/efi/fdt.c:63: allocating 1155 bytes for fdt
loader/arm64/linux.c:89: Initrd @ 0xf6e20000-0xf6fffa00
loader/efi/fdt.c:97: Installed/updated FDT configuration table @ 0xf71d0000
Loading driver at 0x000F4D10000 EntryPoint=0x000F650EDD8
Loading driver at 0x000F4D10000 EntryPoint=0x000F650EDD8 
loader/arm64/linux.c:144: linux command line: 'BOOT_IMAGE=/Image acpi=force console=ttyAMA0,115200 ip=dhcp root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose debug'
loader/arm64/linux.c:159: starting image 0xfca9a798
EFI stub: Booting Linux Kernel...
EFI stub: EFI_RNG_PROTOCOL unavailable
EFI stub: UEFI Secure Boot is enabled.
EFI stub: Using DTB from configuration table
EFI stub: Exiting boot services and installing virtual address map...

We understand that the LoadImage() interface is used on our platform, but if the error scenario is not expected with the LoadImage() interface then we need to investigate further. We are looking into it.

What can we infer from the fact that the change you suggested worked? Do we need to make certain changes to our platform?

Thanks,
Sayanta

>-----Original Message-----
>From: Daniel Kiper <dkiper@net-space.pl>
>Sent: Thursday, July 8, 2021 6:58 PM
>To: Sayanta Pattanayak <Sayanta.Pattanayak@arm.com>
>Cc: grub-devel@gnu.org; nd <nd@arm.com>; javierm@redhat.com;
>xnox@ubuntu.com; pjones@redhat.com; leif@nuviainc.com
>Subject: Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
>
>On Thu, Jul 08, 2021 at 07:04:46AM +0000, Sayanta Pattanayak wrote:
>> Hi Daniel,
>>
>> Thanks for your reply and hope you had a great vacation.
>
>Yeah, I had nice time.
>
>> We use the upstream 2.06 tagged version. Mentioning below the build
>> commands and console output.
>
>Thanks! Please look below.
>
>[...]
>
>> kern/disk.c:196: Opening `hd0,gpt2'...
>> disk/efi/efidisk.c:482: opening hd0
>> disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size = 200, io align = 0
>> disk/efi/efidisk.c:531: opening hd0 succeeded
>> partmap/gpt.c:93: Read a valid GPT header
>> partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
>> partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
>> kern/fs.c:56: Detecting ext2...
>> kern/verifiers.c:88: file: /Image type: 3
>
>If you use the LoadImage() interface this should not happen.
>
>I think the following code in grub-core/loader/arm64/linux.c is the culprit:
>
>  285 static grub_err_t
>  286 grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
>  287                 int argc, char *argv[])
>  288 {
>  289   grub_file_t file = 0;
>  290   struct linux_arch_kernel_header lh;
>  291   grub_err_t err;
>  292
>  293   grub_dl_ref (my_mod);
>  294
>  295   if (argc == 0)
>  296     {
>  297       grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
>  298       goto fail;
>  299     }
>  300
>  301   file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
>This ---------------------------------> ^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>You can do a test and replace GRUB_FILE_TYPE_LINUX_KERNEL with
>GRUB_FILE_TYPE_NONE.
>
>Daniel


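
To make the cause and effect in the two console logs above concrete, here is a small C model of the 2.06 verifier dispatch and of the linux/initrd command pair. It is an added illustration for this thread, not GRUB's code and not from anyone posting here. Only the names the thread uses (GRUB_FILE_TYPE_LINUX_KERNEL, GRUB_FILE_TYPE_NONE, the shim_lock verifier, kern/verifiers.c) and the three error strings from the console output are taken from the thread; model_reset, model_register_shim_lock, verifiers_open, cmd_linux, cmd_initrd, run_scenario, the enum values, the struct layouts and the stand-in signature check are constructed assumptions. It reproduces the outcomes seen so far: shim_lock built in but booted without shim ("shim_lock protocol not found."), an image built with --disable-shim-lock and no other verifier registered ("verification requested but nobody cares"), and the kernel opened as GRUB_FILE_TYPE_NONE, where the verifiers are never consulted at all.

```c
/* Simplified model of GRUB 2.06's verifier dispatch (kern/verifiers.c) and
 * the linux/initrd command pair, added for this thread; not GRUB's code.
 * Only GRUB_FILE_TYPE_LINUX_KERNEL, GRUB_FILE_TYPE_NONE, shim_lock and the
 * three error strings come from the thread; all other names, enum values,
 * struct layouts and the stand-in signature check are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum file_type { GRUB_FILE_TYPE_NONE = 0, GRUB_FILE_TYPE_LINUX_KERNEL };

/* OK: verified or not required; SKIPPED: type NONE, verifiers never asked;
 * NOBODY_CARES: lockdown on and no verifier claims the type; REJECTED: a
 * verifier refused the file; NO_KERNEL: initrd before a successful linux. */
enum result { RES_OK = 0, RES_SKIPPED, RES_NOBODY_CARES, RES_REJECTED, RES_NO_KERNEL };

typedef struct {
    bool (*cares)(enum file_type);                                 /* init step */
    bool (*verify)(const unsigned char *, size_t, const char **);  /* body check */
} verifier;

/* Model of the shim_lock verifier: claims kernels, needs shim's protocol. */
static bool shim_protocol_present;

static bool shim_cares(enum file_type t) { return t == GRUB_FILE_TYPE_LINUX_KERNEL; }

static bool shim_verify(const unsigned char *data, size_t len, const char **err)
{
    if (!shim_protocol_present) { *err = "shim_lock protocol not found."; return false; }
    /* Constructed stand-in for the Authenticode check shim would perform. */
    if (len < 2 || memcmp(data, "MZ", 2) != 0) { *err = "not a PE image"; return false; }
    return true;
}

static verifier registered[4];
static int n_registered;
static bool lockdown, kernel_loaded;   /* Secure Boot on => lockdown in 2.06 */

void model_reset(bool on) { n_registered = 0; lockdown = on; kernel_loaded = shim_protocol_present = false; }

/* Equivalent of building the image without --disable-shim-lock. */
void model_register_shim_lock(bool protocol_present)
{
    shim_protocol_present = protocol_present;
    registered[n_registered++] = (verifier){ shim_cares, shim_verify };
}

/* What the open path does with the file type before handing back the file. */
enum result verifiers_open(enum file_type type, const unsigned char *data, size_t len, const char **err)
{
    *err = NULL;
    if (type == GRUB_FILE_TYPE_NONE)
        return RES_SKIPPED;
    for (int i = 0; i < n_registered; i++) {
        if (!registered[i].cares(type))
            continue;
        return registered[i].verify(data, len, err) ? RES_OK : RES_REJECTED;
    }
    if (lockdown) { *err = "verification requested but nobody cares"; return RES_NOBODY_CARES; }
    return RES_OK;   /* lockdown off: an unverified load is permitted */
}

/* 'linux <file>': open_as is exactly what the LINUX_KERNEL -> NONE test changes. */
enum result cmd_linux(enum file_type open_as, const unsigned char *img, size_t len, const char **err)
{
    enum result r = verifiers_open(open_as, img, len, err);
    kernel_loaded = (r == RES_OK || r == RES_SKIPPED);
    return r;
}

/* 'initrd <file>': the second error in the log is a consequence of the first. */
enum result cmd_initrd(const char **err)
{
    if (!kernel_loaded) { *err = "you need to load the kernel first."; return RES_NO_KERNEL; }
    *err = NULL;
    return RES_OK;
}

/* One boot attempt with Secure Boot on: linux result and error, then initrd result. */
struct outcome { enum result linux_res; const char *linux_err; enum result initrd_res; };

struct outcome run_scenario(bool with_shim_lock, bool shim_present, enum file_type open_as)
{
    static const unsigned char image[] = "MZ\x90\x00";   /* constructed PE stub */
    struct outcome o;
    const char *err;
    model_reset(true);
    if (with_shim_lock) model_register_shim_lock(shim_present);
    o.linux_res = cmd_linux(open_as, image, sizeof image, &err);
    o.linux_err = err ? err : "(none)";
    o.initrd_res = cmd_initrd(&err);
    return o;
}

int main(void)
{
    struct outcome o = run_scenario(false, false, GRUB_FILE_TYPE_LINUX_KERNEL);
    printf("--disable-shim-lock, no verifier: linux=%d (%s) initrd=%d\n", o.linux_res, o.linux_err, o.initrd_res);
    return 0;
}
```

The last scenario is why the experiment boots: `type: 0` in the `kern/verifiers.c:88: file: /Image type: 0` line of the working log is GRUB_FILE_TYPE_NONE, so the open bypassed every verifier and the kernel was loaded unverified. That makes the swap a useful diagnostic (it confirms that nothing in this image claims kernel files under lockdown) rather than a change to ship with Secure Boot enabled; the intended end state is the fourth case in the model, a verifier that claims the kernel and accepts it.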

* Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-12 16:15       ` Sayanta Pattanayak
@ 2021-07-12 16:23         ` Dimitri John Ledkov
  0 siblings, 0 replies; 20+ messages in thread
From: Dimitri John Ledkov @ 2021-07-12 16:23 UTC (permalink / raw)
  To: Sayanta Pattanayak; +Cc: The development of GNU GRUB, nd


On Mon, 12 Jul 2021, 17:16 Sayanta Pattanayak, <Sayanta.Pattanayak@arm.com>
wrote:

> Hi Dimitri,
>
> Thanks for the detailed response. Sorry for the slightly late response.
>
> We are generating our own keys and signing with the same.
>
> You can kindly have a look at the steps, which are followed for Generating
> Secure Keys and Secure Busybox boot:
> https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-docs/-/blob/master/docs/infra/common/secure-boot.rst
>
> In addition, during UEFI Secure Boot image building, the Grub image is signed
> with the following command:
>
> sbsign --key DB.key --cert DB.crt --output bootaa64_signed.efi bootaa64.efi
>
> And the kernel Image is also signed:
>
> sbsign --key DB.key --cert DB.crt --output Image_signed Image
>
> We don't intend to use Shim, but if we use "--disable-shim-lock" then the
> image is locked down. Does that mean we need to implement a new verifier, as
> you suggested in one of your points?
>
All of the above looks sensible to me.

Own db keys, grub-mkimage with --disable-shim-lock, signing grub, signing
kernel = should all be working with secureboot on, with grub & kernel going
into lockdown without any extra steps or code.

So we probably have a bug somewhere, as others have started to triage
already.

> Thanks,
>
> Sayanta
>
> From: Dimitri John Ledkov <xnox@ubuntu.com>
> Sent: Thursday, July 8, 2021 4:21 PM
> To: Sayanta Pattanayak <Sayanta.Pattanayak@arm.com>
> Cc: The development of GNU GRUB <grub-devel@gnu.org>; nd <nd@arm.com>
> Subject: Re: UEFI Secureboot not succeeding with Grub 2.06 and later
> version
>
> Hi,
>
> The below-mentioned commands are useful. Hence we need to debug this
> further and establish further details about your setup.
>
> 1) which keys are in DB? ( mokutil --db --list-enrolled )
>
> 2) which keys are used to sign grub image? ( sbverify --list grub*.efi )
>
> 3) which keys are used to sign grub image? ( sbverify --list Image )
>
> 4) since shim verifier was not disabled during grub mkimage build, which
> Shim did you compile, with what toolchain, and which keys was it signed
> with?
>
> 5) if you don't want to use Shim (and lose the ability for users to enroll
> their own machine owner key, and revoke grub via SBAT revocation, if the
> underlying firmware can do those things, i.e. secure edk2 builds), you must
> create the grub image with the disable shim lock verifier option.
>
> 6) if you do not want to sbsign the kernel image using secureboot keys, you
> can alternatively provide a detached gpg signature and create the grub image
> with a gpg public key built in.
>
> 8) maybe there is some other way to verify the kernel, i.e. you could
> implement a new verifier module that uses calls to a prior stage
> bootloader or firmware to verify kernel authenticity.
>
> 9) if you do not want to sign the kernel at all in any way, you must disable
> secureboot at either firmware level (SecureBoot variable) or
> shim/grub/linux-only level (MokSBState, see mokutil --disable-validation).
> Because if firmware SecureBoot is on, and mokutil validation is on, loading
> unverifiable kernels is not supported in grub 2.06 thanks to implementing
> lockdown.
>
> If the kernel is expected to be verifiable and yet fails to verify, please
> provide further details. We have experienced buggy compilers, binutils and
> sbsign tooling which would produce invalid / unverifiable signatures in the
> past. Also we have seen buggy firmware that fails to verify correctly signed
> binaries.
>
> On Thu, 8 Jul 2021, 08:05 Sayanta Pattanayak, <Sayanta.Pattanayak@arm.com>
> wrote:
>
> Hi Daniel,
>
> Thanks for your reply and hope you had a great vacation.
> We use the upstream 2.06 tagged version. Mentioning below the build commands
> and console output.
>
> >-----Original Message-----
> >From: Daniel Kiper <dkiper@net-space.pl>
> >Sent: Wednesday, July 7, 2021 6:45 PM
> >To: Sayanta Pattanayak <Sayanta.Pattanayak@arm.com>
> >Cc: grub-devel@gnu.org; nd <nd@arm.com>; javierm@redhat.com;
> >xnox@ubuntu.com; pjones@redhat.com; leif@nuviainc.com
> >Subject: Re: UEFI Secureboot not succeeding with Grub 2.06 and later
> version
> >
> >Hi Sayanta,
> >
> >Sorry for late reply but I am just recovering after vacation...
> >
> >CC-ing Javier, Dimitri, Peter and Leif.
> >
> >On Thu, Jul 01, 2021 at 03:23:03PM +0000, Sayanta Pattanayak wrote:
> >> Hi All,
> >> I am new to grub and UEFI secure boot and so a beginner's question.
> >> UEFI secureboot on an Arm64 platform works fine with Grub 2.04 version.
> >> The linux kernel image is authenticated and loaded. But the same with
> >> Grub 2.06 version does not progress - the following error messages are
> >> displayed.
> >>
> >> error: shim_lock protocol not found.
> >> error: you need to load the kernel first.
> >>
> >> With reference to
> >> "https://www.mail-archive.com/help-grub@gnu.org/msg05375.html", I
> >> created the Grub image with the "--disable-shim-lock" option. This change
> >> solved the "shim_lock" error but then the following error message
> >> started appearing:
> >>
> >> error: verification requested but nobody cares: /Image.
> >> error: you need to load the kernel first.
> >> Press any key to continue...
> >>
> >> A large set of patches addressing the BootHole vulnerability
> >> (https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html)
> >> have been merged in the Grub 2.06 version. Does this change the way
> >> images are signed, or is there any other change introduced that
> >> requires UEFI secure boot to be handled differently on the platform?
> >>
> >> I request any suggestion that would help validate UEFI secure boot with
> >> Grub 2.06 and later versions.
> >
> >Do you use GRUB 2.06 upstream or a Linux distribution variant? If upstream,
> >could you provide us the commands used to build GRUB and the console output
> >with debugging enabled, i.e. "set debug=all"?
> >
>
> Commands used -
>
> ./autogen.sh
> ./configure \
>   STRIP=gcc-arm-10.2-2020.11-x86_64-aarch64-none-linux-gnu/bin/aarch64-none-linux-gnu-strip \
>   --target=aarch64-none-linux-gnu --with-platform=efi --prefix=grub/output/ \
>   --disable-werror
> make
> make -j $PARALLELISM install
> output/bin/grub-mkimage -v -c ${GRUB_PLAT_CONFIG_FILE} -o output/grubaa64.efi \
>   -O arm64-efi -p "" part_gpt part_msdos ntfs ntfscomp hfsplus fat ext2 normal \
>   chain boot configfile linux help part_msdos terminal terminfo configfile \
>   lsefi search normal gettext loadenv read search_fs_file search_fs_uuid \
>   search_label
>
> Following is the console output when "--disable-shim-lock" is not used:
>
> Press ESCAPE for boot options ...........
> [Bds]Booting UEFI Non-Block Boot Device
> [Bds]Booting UEFI Misc Device
> [Bds]Booting UEFI Misc Device 2
> Installed Fat filesystem on FE6E9318
> Loading driver at 0x000F9264000 EntryPoint=0x000F9265000
> Loading driver at 0x000F9264000 EntryPoint=0x000F9265000
> Welcome to GRUB!
>
> script/script.c:65: free 0x81fff49d60
> script/script.c:65: free 0x81fff49da0
> script/script.c:65: free 0x81fff49de0
> script/script.c:65: free 0x81fff497c0
> script/script.c:65: free 0x81fff49820
> script/script.c:65: free 0x81fff49860
> script/script.c:65: free 0x81fff498c0
> script/script.c:65: free 0x81fff49920
> script/script.c:65: free 0x81fff49b40
> script/script.c:65: free 0x81fff49960
> script/script.c:65: free 0x81fff499a0
> script/script.c:65: free 0x81fff49a00
> script/script.c:65: free 0x81fff49a40
> script/script.c:65: free 0x81fff49c20
> script/script.c:65: free 0x81fff49c80
> script/script.c:65: free 0x81fff49cc0
> script/lexer.c:336: token 288 text [set]
> script/script.c:50: malloc 0x81fff49cc0
> script/script.c:50: malloc 0x81fff49c80
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49c20
> script/lexer.c:336: token 289 text [term=]
> script/script.c:50: malloc 0x81fff49a40
> script/script.c:50: malloc 0x81fff49a00
> script/lexer.c:336: token 289 text [vt100]
> script/script.c:50: malloc 0x81fff499a0
> script/script.c:50: malloc 0x81fff49960
> script/lexer.c:336: token 289 text []
> script/script.c:50: malloc 0x81fff49900
> script/script.c:50: malloc 0x81fff498c0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49860
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff49800
> script/script.c:50: malloc 0x81fff497c0
> script/script.c:198: cmdline
> script/script.c:50: malloc 0x81fff49760
> script/lexer.c:336: token 0 text []
> script/script.c:50: malloc 0x81fff49de0
> script/script.c:50: malloc 0x81fff49da0
> script/script.c:294: append command
> script/script.c:50: malloc 0x81fff49d60
> kern/verifiers.c:212: string: set term=vt100, type: 2
> script/script.c:65: free 0x81fff49d60
> script/script.c:65: free 0x81fff49da0
> ...
>
> script/script.c:294: append command
> script/script.c:50: malloc 0x81fff49d60
> kern/verifiers.c:212: string: set timeout=1, type: 2
> script/script.c:65: free 0x81fff49d60
> ...
>
> script/script.c:65: free 0x81fff49cc0
> script/lexer.c:336: token 288 text [search]
> script/script.c:50: malloc 0x81fff49de0
> script/script.c:50: malloc 0x81fff49c60
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49c00
> script/lexer.c:336: token 289 text [--set=root]
> script/script.c:50: malloc 0x81fff49a20
> script/script.c:50: malloc 0x81fff499e0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49980
> script/lexer.c:336: token 289 text [--fs-uuid]
> script/script.c:50: malloc 0x81fff49920
> script/script.c:50: malloc 0x81fff498e0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49880
> script/lexer.c:336: token 289 text [535add81-5875-4b4a-b44a-464aee5f5cbd]
> script/script.c:50: malloc 0x81fff496e0
> script/script.c:50: malloc 0x81fff49680
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49620
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff495c0
> script/script.c:50: malloc 0x81fff49580
> script/script.c:198: cmdline
> script/script.c:50: malloc 0x81fff49520
> script/lexer.c:336: token 0 text []
> script/script.c:50: malloc 0x81fff49d80
> script/script.c:50: malloc 0x81fff49d40
> script/script.c:294: append command
> script/script.c:50: malloc 0x81fff49d00
> kern/verifiers.c:212: string: search --set=root --fs-uuid 535add81-5875-4b4a-b44a-464aee5f5cbd, type: 2
> disk/efi/efidisk.c:413: iterating hd0
> kern/disk.c:196: Opening `hd0'...
> disk/efi/efidisk.c:482: opening hd0
> disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size = 200, io align = 0
> disk/efi/efidisk.c:531: opening hd0 succeeded
> kern/fs.c:56: Detecting ext2...
> kern/fs.c:78: ext2 detection failed.
> kern/fs.c:56: Detecting fat...
> kern/fs.c:78: fat detection failed.
> kern/fs.c:56: Detecting hfsplus...
> kern/fs.c:78: hfsplus detection failed.
> kern/fs.c:56: Detecting ntfs...
> kern/fs.c:78: ntfs detection failed.
> kern/disk.c:295: Closing `hd0'.
> disk/efi/efidisk.c:540: closing hd0
> kern/disk.c:196: Opening `hd0'...
> disk/efi/efidisk.c:482: opening hd0
> disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size = 200, io align = 0
> disk/efi/efidisk.c:531: opening hd0 succeeded
> partmap/gpt.c:93: Read a valid GPT header
> partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
> partmap/msdos.c:184: partition 0: flag 0x0, type 0x0, start 0x0, len 0x0
> partmap/msdos.c:184: partition 1: flag 0x0, type 0x0, start 0x0, len 0x0
> partmap/msdos.c:184: partition 2: flag 0x0, type 0x0, start 0x0, len 0x0
> partmap/msdos.c:184: partition 3: flag 0x0, type 0x0, start 0x0, len 0x0
> partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xa800 from hd0
> kern/disk.c:295: Closing `hd0'.
> disk/efi/efidisk.c:540: closing hd0
> kern/disk.c:196: Opening `hd0,gpt2'...
> disk/efi/efidisk.c:482: opening hd0
> disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size = 200, io align = 0
> disk/efi/efidisk.c:531: opening hd0 succeeded
> partmap/gpt.c:93: Read a valid GPT header
> partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
> partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
> kern/fs.c:56: Detecting ext2...
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xaa00 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xac00 from hd0
> kern/disk.c:295: Closing `hd0'.
> disk/efi/efidisk.c:540: closing hd0
> script/script.c:65: free 0x81fff49d00
> script/script.c:65: free 0x81fff49d40
> ...
>
> script/script.c:65: free 0x81fff49de0
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff49cc0
> script/script.c:50: malloc 0x81fff49c80
> script/lexer.c:336: token 0 text []
> script/script.c:50: malloc 0x81fff49de0
> script/script.c:50: malloc 0x81fff49da0
> script/script.c:65: free 0x81fff49da0
> script/script.c:65: free 0x81fff49de0
> script/script.c:65: free 0x81fff49c80
> script/script.c:65: free 0x81fff49cc0
> script/lexer.c:336: token 288 text [menuentry]
> script/script.c:50: malloc 0x81fff49cc0
> script/script.c:50: malloc 0x81fff49c80
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49c20
> script/lexer.c:336: token 289 text []
> script/script.c:50: malloc 0x81fff49a40
> script/script.c:50: malloc 0x81fff49a00
> script/lexer.c:336: token 289 text [SGI-575 BusyBox]
> script/script.c:50: malloc 0x81fff499a0
> script/script.c:50: malloc 0x81fff49960
> script/lexer.c:336: token 289 text []
> script/script.c:50: malloc 0x81fff49900
> script/script.c:50: malloc 0x81fff498c0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49860
> script/lexer.c:336: token 266 text [{]
> script/script.c:50: malloc 0x81fff49800
> script/script.c:50: malloc 0x81fff497c0
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff49640
> script/script.c:50: malloc 0x81fff49600
> script/lexer.c:336: token 288 text [linux]
> script/script.c:50: malloc 0x81fff494e0
> script/script.c:50: malloc 0x81fff494a0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49440
> script/lexer.c:336: token 289 text [/Image]
> script/script.c:50: malloc 0x81fff49320
> script/script.c:50: malloc 0x81fff492e0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49280
> script/lexer.c:336: token 289 text [acpi=force]
> script/script.c:50: malloc 0x81fff49220
> script/script.c:50: malloc 0x81fff491e0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49180
> script/lexer.c:336: token 289 text [console=ttyAMA0,115200]
> script/script.c:50: malloc 0x81fff49120
> script/script.c:50: malloc 0x81fff490c0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49060
> script/lexer.c:336: token 289 text [ip=dhcp]
> script/script.c:50: malloc 0x81fff49000
> script/script.c:50: malloc 0x81fff48fc0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff48f60
> script/lexer.c:336: token 289 text
> [root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94]
> script/script.c:50: malloc 0x81fff48da0
> script/script.c:50: malloc 0x81fff48d20
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff48cc0
> script/lexer.c:336: token 288 text [rootwait]
> script/script.c:50: malloc 0x81fff48c60
> script/script.c:50: malloc 0x81fff48c20
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff48bc0
> script/lexer.c:336: token 288 text [verbose]
> script/script.c:50: malloc 0x81fff48b60
> script/script.c:50: malloc 0x81fff48b20
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff48ac0
> script/lexer.c:336: token 288 text [debug]
> script/script.c:50: malloc 0x81fff48a60
> script/script.c:50: malloc 0x81fff48a20
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff489c0
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff48960
> script/script.c:50: malloc 0x81fff48920
> script/script.c:198: cmdline
> script/script.c:50: malloc 0x81fff488c0
> script/script.c:294: append command
> script/script.c:50: malloc 0x81fff48880
> script/lexer.c:336: token 288 text [initrd]
> script/script.c:50: malloc 0x81fff48720
> script/script.c:50: malloc 0x81fff486e0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff48680
> script/lexer.c:336: token 289 text [/ramdisk-busybox.img]
> script/script.c:50: malloc 0x81fff48620
> script/script.c:50: malloc 0x81fff485c0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff48560
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff48500
> script/script.c:50: malloc 0x81fff484c0
> script/script.c:198: cmdline
> script/script.c:50: malloc 0x81fff48460
> script/script.c:294: append command
> script/lexer.c:336: token 267 text [}]
> script/script.c:50: malloc 0x81fff48300
> script/script.c:50: malloc 0x81fff482c0
> script/script.c:50: malloc 0x81fff481e0
> script/script.c:50: malloc 0x81fff49760
> script/script.c:50: malloc 0x81fff48100
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff48040
> script/script.c:198: cmdline
> script/script.c:50: malloc 0x81fff47fe0
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff47f80
> script/script.c:50: malloc 0x81fff47f40
> script/lexer.c:336: token 0 text []
> script/script.c:50: malloc 0x81fff48400
> script/script.c:50: malloc 0x81fff483c0
> script/script.c:294: append command
> script/script.c:50: malloc 0x81fff47f00
> kern/verifiers.c:212: string: menuentry SGI-575 BusyBox {
>         linux /Image acpi=force console=ttyAMA0,115200 ip=dhcp
> root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose debug
>         initrd /ramdisk-busybox.img
> }, type: 2
> script/script.c:65: free 0x81fff47f00
> script/script.c:65: free 0x81fff483c0
> script/script.c:65: free 0x81fff48400
> script/script.c:65: free 0x81fff47f40
> ...
>
> script/script.c:65: free 0x81fff49440
> script/script.c:65: free 0x81fff494a0
> script/script.c:65: free 0x81fff494e0
> script/script.c:65: free 0x81fff49600
> script/script.c:65: free 0x81fff49640
> kern/disk.c:295: Closing `hd0'.
> disk/efi/efidisk.c:540: closing hd0
> GNU GRUB  version 2.11
>
>  /----------------------------------------------------------------------------\
>  |*SGI-575 BusyBox                                                            |
>  \----------------------------------------------------------------------------/
>
>    Use the ^ and v keys to select which entry is highlighted.
>       Press enter to boot the selected OS, `e' to edit the commands
>       before booting or `c' for a command-line.
>
>    The highlighted entry will be executed automatically in 1s.
>    The highlighted entry will be executed automatically in 0s.
>
>   Booting `SGI-575 BusyBox'
>
> script/lexer.c:336: token 288 text [setparams]
> script/script.c:50: malloc 0x81fff4a6a0
> script/script.c:50: malloc 0x81fff4a660
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff4a600
> script/lexer.c:336: token 289 text []
> script/script.c:50: malloc 0x81fff4a420
> script/script.c:50: malloc 0x81fff4a3e0
> script/lexer.c:336: token 289 text [SGI-575 BusyBox]
> script/script.c:50: malloc 0x81fff4a380
> script/script.c:50: malloc 0x81fff4a340
> script/lexer.c:336: token 289 text []
> script/script.c:50: malloc 0x81fff4a2e0
> script/script.c:50: malloc 0x81fff4a2a0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff4a240
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff4a1e0
> script/script.c:50: malloc 0x81fff4a1a0
> script/script.c:198: cmdline
> script/script.c:50: malloc 0x81fff4a140
> script/lexer.c:336: token 0 text []
> script/script.c:50: malloc 0x81fff4a7c0
> script/script.c:50: malloc 0x81fff4a780
> script/script.c:294: append command
> script/script.c:50: malloc 0x81fff4a740
> kern/verifiers.c:212: string: setparams SGI-575 BusyBox, type: 2
> script/script.c:65: free 0x81fff4a740
> script/script.c:65: free 0x81fff4a780
> ...
>
> script/script.c:65: free 0x81fff4a660
> script/script.c:65: free 0x81fff4a6a0
> script/lexer.c:336: token 288 text [linux]
> script/script.c:50: malloc 0x81fff4a7c0
> script/script.c:50: malloc 0x81fff4a5c0
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff4a560
> script/lexer.c:336: token 289 text [/Image]
> script/script.c:50: malloc 0x81fff4a380
> script/script.c:50: malloc 0x81fff4a340
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff4a2e0
> script/lexer.c:336: token 289 text [acpi=force]
> script/script.c:50: malloc 0x81fff4a280
> script/script.c:50: malloc 0x81fff4a240
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff4a1e0
> script/lexer.c:336: token 289 text [console=ttyAMA0,115200]
> script/script.c:50: malloc 0x81fff4a180
> script/script.c:50: malloc 0x81fff4a120
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff4a0c0
> script/lexer.c:336: token 289 text [ip=dhcp]
> script/script.c:50: malloc 0x81fff4a060
> script/script.c:50: malloc 0x81fff4a020
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49fc0
> script/lexer.c:336: token 289 text
> [root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94]
> script/script.c:50: malloc 0x81fff49d00
> script/script.c:50: malloc 0x81fff49c80
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49c20
> script/lexer.c:336: token 288 text [rootwait]
> script/script.c:50: malloc 0x81fff49bc0
> script/script.c:50: malloc 0x81fff49b80
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49b20
> script/lexer.c:336: token 288 text [verbose]
> script/script.c:50: malloc 0x81fff49ac0
> script/script.c:50: malloc 0x81fff49a80
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49a20
> script/lexer.c:336: token 288 text [debug]
> script/script.c:50: malloc 0x81fff499c0
> script/script.c:50: malloc 0x81fff49980
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff49920
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff498c0
> script/script.c:50: malloc 0x81fff49880
> script/script.c:198: cmdline
> script/script.c:50: malloc 0x81fff49820
> script/lexer.c:336: token 0 text []
> script/script.c:50: malloc 0x81fff4a760
> script/script.c:50: malloc 0x81fff4a720
> script/script.c:294: append command
> script/script.c:50: malloc 0x81fff4a6e0
> kern/verifiers.c:212: string: linux /Image acpi=force
> console=ttyAMA0,115200 ip=dhcp
> root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose debug,
> type: 2
> kern/disk.c:196: Opening `hd0,gpt2'...
> disk/efi/efidisk.c:482: opening hd0
> disk/efi/efidisk.c:511: m = 0xfe6e8dc0, last block = 6efff, block size =
> 200, io align = 0
> disk/efi/efidisk.c:531: opening hd0 succeeded
> partmap/gpt.c:93: Read a valid GPT header
> partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
> partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
> kern/fs.c:56: Detecting ext2...
> kern/verifiers.c:88: file: /Image type: 3
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc40 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc80 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xccc0 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcd00 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcd40 from hd0
> ...
>
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1db80 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dbc0 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc00 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc40 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc80 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dcc0 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dd00 from hd0
> kern/disk.c:295: Closing `hd0'.
> disk/efi/efidisk.c:540: closing hd0
> error: shim_lock protocol not found.
> script/script.c:65: free 0x81fff4a6e0
> script/script.c:65: free 0x81fff4a720
> script/script.c:65: free 0x81fff4a760
> script/script.c:65: free 0x81fff49820
> ...
>
> script/script.c:65: free 0x81fff4a560
> script/script.c:65: free 0x81fff4a5c0
> script/script.c:65: free 0x81fff4a7c0
> script/lexer.c:336: token 288 text [initrd]
> script/script.c:50: malloc 0x81fff4a660
> script/script.c:50: malloc 0x81fff4a620
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff4a5c0
> script/lexer.c:336: token 289 text [/ramdisk-busybox.img]
> script/script.c:50: malloc 0x81fff4a3e0
> script/script.c:50: malloc 0x81fff4a380
> script/script.c:163: arglist
> script/script.c:50: malloc 0x81fff4a320
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff4a2c0
> script/script.c:50: malloc 0x81fff4a280
> script/script.c:198: cmdline
> script/script.c:50: malloc 0x81fff4a220
> script/lexer.c:336: token 0 text []
> script/script.c:50: malloc 0x81fff4a780
> script/script.c:50: malloc 0x81fff4a740
> script/script.c:294: append command
> script/script.c:50: malloc 0x81fff4a700
> kern/verifiers.c:212: string: initrd /ramdisk-busybox.img, type: 2
> error: you need to load the kernel first.
> script/script.c:65: free 0x81fff4a700
> script/script.c:65: free 0x81fff4a740
> script/script.c:65: free 0x81fff4a780
> ...
>
> script/script.c:65: free 0x81fff4a660
> script/lexer.c:336: token 259 text []
> script/script.c:50: malloc 0x81fff4a6a0
> script/script.c:50: malloc 0x81fff4a660
> script/lexer.c:336: token 0 text []
> script/script.c:50: malloc 0x81fff4a7c0
> script/script.c:50: malloc 0x81fff4a780
> script/script.c:65: free 0x81fff4a780
> script/script.c:65: free 0x81fff4a7c0
> script/script.c:65: free 0x81fff4a660
> script/script.c:65: free 0x81fff4a6a0
>
> Press any key to continue...
>
> >Daniel
>
> Thanks,
> Sayanta
>
>



* Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-12 16:20       ` Sayanta Pattanayak
@ 2021-07-14 13:14         ` Daniel Kiper
  2021-07-15  5:26           ` Sayanta Pattanayak
  0 siblings, 1 reply; 20+ messages in thread
From: Daniel Kiper @ 2021-07-14 13:14 UTC (permalink / raw)
  To: Sayanta Pattanayak; +Cc: grub-devel, nd, javierm, xnox, pjones, leif

On Mon, Jul 12, 2021 at 04:20:56PM +0000, Sayanta Pattanayak wrote:
> Hi Daniel,
>
> Secureboot worked fine with the change(GRUB_FILE_TYPE_LINUX_KERNEL -> GRUB_FILE_TYPE_NONE) you suggested.

Great!

> disk/efi/efidisk.c:531: opening hd0 succeeded
> partmap/gpt.c:93: Read a valid GPT header
> partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
> partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
> kern/fs.c:56: Detecting ext2...
> kern/verifiers.c:88: file: /Image type: 0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc40 from hd0
> loader/arm64/linux.c:61: UEFI stub kernel:
> loader/arm64/linux.c:62: PE/COFF header @ 00000040
> loader/arm64/linux.c:316: kernel file size: 34054136
> loader/arm64/linux.c:318: kernel numpages: 8314
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc80 from hd0
> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xccc0 from hd0
> ....
> loader/efi/fdt.c:63: allocating 1155 bytes for fdt
> loader/arm64/linux.c:89: Initrd @ 0xf6e20000-0xf6fffa00
> loader/efi/fdt.c:97: Installed/updated FDT configuration table @ 0xf71d0000
> Loading driver at 0x000F4D10000 EntryPoint=0x000F650EDD8
> Loading driver at 0x000F4D10000 EntryPoint=0x000F650EDD8
> loader/arm64/linux.c:144: linux command line: 'BOOT_IMAGE=/Image acpi=force
> console=ttyAMA0,115200 ip=dhcp
> root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose debug'
> loader/arm64/linux.c:159: starting image 0xfca9a798
> EFI stub: Booting Linux Kernel...
> EFI stub: EFI_RNG_PROTOCOL unavailable
> EFI stub: UEFI Secure Boot is enabled.
> EFI stub: Using DTB from configuration table
> EFI stub: Exiting boot services and installing virtual address map...
>
> We understand LoadImage() interface is used in our platform, but if
> the error scenario is not expected with LoadImage() interface then we
> need further investigation. We are trying to look into it.
>
> What can we infer from the change you suggested and that it worked? Do
> we need to make certain changes in our platform?

The change which I suggested was just a check for my theory. It is not a
real fix. We have to fix this issue in GRUB in a different way. This
is not your fault. When we have a fix we will ask you for some tests.

Daniel



* RE: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-14 13:14         ` Daniel Kiper
@ 2021-07-15  5:26           ` Sayanta Pattanayak
  2021-07-15 11:27             ` Javier Martinez Canillas
  0 siblings, 1 reply; 20+ messages in thread
From: Sayanta Pattanayak @ 2021-07-15  5:26 UTC (permalink / raw)
  To: Daniel Kiper; +Cc: grub-devel, nd, javierm, xnox, pjones, leif



>-----Original Message-----
>From: Daniel Kiper <dkiper@net-space.pl>
>Sent: Wednesday, July 14, 2021 6:45 PM
>To: Sayanta Pattanayak <Sayanta.Pattanayak@arm.com>
>Cc: grub-devel@gnu.org; nd <nd@arm.com>; javierm@redhat.com;
>xnox@ubuntu.com; pjones@redhat.com; leif@nuviainc.com
>Subject: Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
>
>On Mon, Jul 12, 2021 at 04:20:56PM +0000, Sayanta Pattanayak wrote:
>> Hi Daniel,
>>
>> Secureboot worked fine with the change(GRUB_FILE_TYPE_LINUX_KERNEL
>-> GRUB_FILE_TYPE_NONE) you suggested.
>
>Great!
>
>> disk/efi/efidisk.c:531: opening hd0 succeeded
>> partmap/gpt.c:93: Read a valid GPT header
>> partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
>> partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
>> kern/fs.c:56: Detecting ext2...
>> kern/verifiers.c:88: file: /Image type: 0
>> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc40 from
>> hd0
>> loader/arm64/linux.c:61: UEFI stub kernel:
>> loader/arm64/linux.c:62: PE/COFF header @ 00000040
>> loader/arm64/linux.c:316: kernel file size: 34054136
>> loader/arm64/linux.c:318: kernel numpages: 8314
>> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc80 from
>> hd0
>> disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xccc0 from
>> hd0 ....
>> loader/efi/fdt.c:63: allocating 1155 bytes for fdt
>> loader/arm64/linux.c:89: Initrd @ 0xf6e20000-0xf6fffa00
>> loader/efi/fdt.c:97: Installed/updated FDT configuration table @
>> 0xf71d0000 Loading driver at 0x000F4D10000 EntryPoint=0x000F650EDD8
>> Loading driver at 0x000F4D10000 EntryPoint=0x000F650EDD8
>> loader/arm64/linux.c:144: linux command line: 'BOOT_IMAGE=/Image
>> acpi=force
>> console=ttyAMA0,115200 ip=dhcp
>> root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose
>debug'
>> loader/arm64/linux.c:159: starting image 0xfca9a798 EFI stub: Booting
>> Linux Kernel...
>> EFI stub: EFI_RNG_PROTOCOL unavailable EFI stub: UEFI Secure Boot is
>> enabled.
>> EFI stub: Using DTB from configuration table EFI stub: Exiting boot
>> services and installing virtual address map...
>>
>> We understand LoadImage() interface is used in our platform, but if
>> the error scenario is not expected with LoadImage() interface then we
>> need further investigation. We are trying to look into it.
>>
>> What can we infer from the change you suggested and that it worked? Do
>> we need to make certain changes in our platform?
>
>The change which I suggested was just a check for my theory. It is not a real fix.
>We have to fix this issue in GRUB in a different way. This is not your fault.
>When we have a fix we will ask you for some tests.

Thanks for the information. Sure, I will look forward to the change and to further experiments to perform.

>
>Daniel



* Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-15  5:26           ` Sayanta Pattanayak
@ 2021-07-15 11:27             ` Javier Martinez Canillas
  2021-07-15 14:43               ` Sayanta Pattanayak
  0 siblings, 1 reply; 20+ messages in thread
From: Javier Martinez Canillas @ 2021-07-15 11:27 UTC (permalink / raw)
  To: Sayanta Pattanayak, Daniel Kiper; +Cc: grub-devel, nd, xnox, pjones, leif

Hello Sayanta,

On 7/15/21 7:26 AM, Sayanta Pattanayak wrote:

[snip]

>>> We understand LoadImage() interface is used in our platform, but if
>>> the error scenario is not expected with LoadImage() interface then we
>>> need further investigation. We are trying to look into it.
>>>

I agree with the assessment made by others that validating using the UEFI
firmware should be a supported configuration if the image is built with
the --disable-shim-lock option.

>>> What can we infer from the change you suggested and that it worked? Do
>>> we need to make certain changes in our platform?
>>
>> The change which I suggested was just a check for my theory. It is not a real fix.
>> We have to fix this issue in GRUB in a different way. This is not your fault.
>> When we have a fix we will ask you for some tests.
> 
> Thanks for the information. Sure, I will look forward to the change and to further experiments to perform.
> 

Could you please try the following patch? I've not tested it yet but I
think that should make GRUB support your use case.

From 37157118e237f216866e185e53f8f7d6c9233407 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Thu, 15 Jul 2021 13:08:11 +0200
Subject: [RFC PATCH] kern/efi/sb: Allow validation to be done by the UEFI firmware

The shim_lock protocol is used to delegate that PE32+ binaries have been
signed with a trusted key. This is done because GRUB currently lacks the
ability to do the validation itself.

But in certain configurations a user may not want to use shim for this,
and either delegate on a different verifier (i.e: pgp) or just leave it
to the UEFI firmware. The latter can be done if both GRUB and the Linux
kernel have been signed by a key trusted by the UEFI firmware.

There's a grub-mkimage --disable-shim-lock option that could be used to
avoid using the shim_lock protocol and rely on another verifier, but that
will not work for the latter case, since the lockdown verifier defers it
to another verifier but no verifier validates the Linux kernel images.

To work around that, let's make the shim_lock verifier always validate a
kernel file type if the --disable-shim-lock option has been enabled.

Reported-by: Sayanta Pattanayak <Sayanta.Pattanayak@arm.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
 grub-core/kern/efi/sb.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index c52ec6226a6..51af1a21546 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -143,8 +143,17 @@ shim_lock_verifier_write (void *context __attribute__ ((unused)), void *buf, gru
 {
   grub_efi_shim_lock_protocol_t *sl = grub_efi_locate_protocol (&shim_lock_guid, 0);
 
+  /* shim_lock is missing, check if GRUB image is built with --disable-shim-lock. */
   if (!sl)
-    return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol not found"));
+    {
+      FOR_MODULES (header)
+        {
+          if (header->type == OBJ_TYPE_DISABLE_SHIM_LOCK)
+            return GRUB_ERR_NONE;
+
+          return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol not found"));
+        }
+    }
 
   if (sl->verify (buf, size) != GRUB_EFI_SUCCESS)
     return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));
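Review bot: the `return grub_error (GRUB_ERR_ACCESS_DENIED, ...)` added at the end of the FOR_MODULES body is reached on the first iteration, so only the first module header is ever compared against OBJ_TYPE_DISABLE_SHIM_LOCK, and when the module list is empty the loop body never runs and control falls through to `sl->verify (buf, size)` with `sl` NULL. Move the error return after the closing brace of the loop. Also, `header` is used by `FOR_MODULES (header)` but is not declared in shim_lock_verifier_write; add `struct grub_module_header *header;` next to the `sl` declaration.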
@@ -166,16 +175,6 @@ grub_shim_lock_verifier_setup (void)
   grub_efi_shim_lock_protocol_t *sl =
     grub_efi_locate_protocol (&shim_lock_guid, 0);
 
-  /* shim_lock is missing, check if GRUB image is built with --disable-shim-lock. */
-  if (!sl)
-    {
-      FOR_MODULES (header)
-	{
-	  if (header->type == OBJ_TYPE_DISABLE_SHIM_LOCK)
-	    return;
-	}
-    }
-
   /* Secure Boot is off. Do not load shim_lock. */
   if (grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED)
     return;
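Review bot: removing this block leaves the `struct grub_module_header *header;` declaration in grub_shim_lock_verifier_setup (two lines above this hunk's context, untouched here) without any use, which will trip -Wunused-variable; drop it here or move it to shim_lock_verifier_write, which now needs it. A short comment would also help: the verifier is now deliberately registered even when the shim_lock protocol is absent, so that shim_lock_verifier_write can make the --disable-shim-lock decision per file.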
-- 
2.31.1




* RE: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-15 11:27             ` Javier Martinez Canillas
@ 2021-07-15 14:43               ` Sayanta Pattanayak
  2021-07-15 15:12                 ` Javier Martinez Canillas
  0 siblings, 1 reply; 20+ messages in thread
From: Sayanta Pattanayak @ 2021-07-15 14:43 UTC (permalink / raw)
  To: Javier Martinez Canillas, Daniel Kiper; +Cc: grub-devel, nd, xnox, pjones, leif

Hi Javier,

I tried with your suggested change, but I am observing an exception as follows:

disk/efi/efidisk.c:531: opening hd0 succeeded
partmap/gpt.c:93: Read a valid GPT header
partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
kern/fs.c:56: Detecting ext2...
kern/verifiers.c:88: file: /Image type: 3
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc40 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc80 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xccc0 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcd00 from hd0

.....

disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc00 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc40 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dc80 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dcc0 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dd00 from hd0

Synchronous Exception at 0x00000000F92699DC
Synchronous Exception at 0x00000000F92699DC
PC 0x0000F92699DC
PC 0x0000F92699A8
PC 0x0000F92709B8
PC 0x0000F926D2BC
PC 0x0081FFF64644
PC 0x0081FFF87B84
PC 0x0081FFF86788
PC 0x0081FFF87614
PC 0x0081FFF86788
PC 0x0081FFF87D00
PC 0x0081FFF87D58
PC 0x0081FFF7E334
PC 0x0081FFF7E04C
PC 0x0081FFF7A398
PC 0x0081FFF7A7B4
PC 0x0081FFF7A890
PC 0x0000F926DE84
PC 0x0000FE955A78 (0x0000FE94E000+0x00007A78) [ 1] DxeCore.dll
PC 0x0000FE74EF58 (0x0000FE747000+0x00007F58) [ 2] BdsDxe.dll
PC 0x0000FE7514A8 (0x0000FE747000+0x0000A4A8) [ 2] BdsDxe.dll
PC 0x0000FE95922C (0x0000FE94E000+0x0000B22C) [ 3] DxeCore.dll

Another doubt: should the Image be detected as "UEFI stub kernel", as happened with the experimental suggestion by Daniel?

One minor addition to your patch, added below.
  
Thanks
>-----Original Message-----
>From: Javier Martinez Canillas <javierm@redhat.com>
>Sent: Thursday, July 15, 2021 4:58 PM
>To: Sayanta Pattanayak <Sayanta.Pattanayak@arm.com>; Daniel Kiper
><dkiper@net-space.pl>
>Cc: grub-devel@gnu.org; nd <nd@arm.com>; xnox@ubuntu.com;
>pjones@redhat.com; leif@nuviainc.com
>Subject: Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
>
>Hello Sayanta,
>
>On 7/15/21 7:26 AM, Sayanta Pattanayak wrote:
>
>[snip]
>
>>>> We understand LoadImage() interface is used in our platform, but if
>>>> the error scenario is not expected with LoadImage() interface then
>>>> we need further investigation. We are trying to look into it.
>>>>
>
>I agree with the assessment made by others that validating using the UEFI
>firmware should be a supported configuration if the image is built with the --
>disable-shim-lock option.
>
>>>> What can we infer from the change you suggested and that it worked?
>>>> Do we need to make certain changes in our platform?
>>>
>>> The change which I suggested was just a check for my theory. It is not a real
>fix.
>>> We have to fix this issue in GRUB in a different way. This is not your
>fault.
>>> When we have a fix we will ask you for some tests.
>>
>> Thanks for the information. Sure, I will look forward to the change and to
>further experiments to perform.
>>
>
>Could you please try the following patch? I've not tested it yet but I think that
>should make GRUB support your use case.
>
>From 37157118e237f216866e185e53f8f7d6c9233407 Mon Sep 17 00:00:00 2001
>From: Javier Martinez Canillas <javierm@redhat.com>
>Date: Thu, 15 Jul 2021 13:08:11 +0200
>Subject: [RFC PATCH] kern/efi/sb: Allow validation to be done by the UEFI
>firmware
>
>The shim_lock protocol is used to delegate that PE32+ binaries have been
>signed with a trusted key. This is done because GRUB currently lacks the
>ability to do the validation itself.
>
>But in certain configurations a user may not want to use shim for this, and
>either delegate on a different verifier (i.e: pgp) or just leave it to the UEFI
>firmware. The latter can be done if both GRUB and the Linux kernel have
>been signed by a key trusted by the UEFI firmware.
>
>There's a grub-mkimage --disable-shim-lock option that could be used to
>avoid using the shim_lock protocol and rely on another verifier, but that will
>not work for the latter case, since the lockdown verifier defers it to another
>verifier but no verifier validates the Linux kernel images.
>
>To work around that, let's make the shim_lock verifier always validate a kernel
>file type if the --disable-shim-lock option has been enabled.
>
>Reported-by: Sayanta Pattanayak <Sayanta.Pattanayak@arm.com>
>Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
>---
> grub-core/kern/efi/sb.c | 21 ++++++++++-----------
> 1 file changed, 10 insertions(+), 11 deletions(-)
>
>diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c index
>c52ec6226a6..51af1a21546 100644
>--- a/grub-core/kern/efi/sb.c
>+++ b/grub-core/kern/efi/sb.c
>@@ -143,8 +143,17 @@ shim_lock_verifier_write (void *context
>__attribute__ ((unused)), void *buf, gru  {

+ struct grub_module_header *header;

>   grub_efi_shim_lock_protocol_t *sl = grub_efi_locate_protocol
>(&shim_lock_guid, 0);
>
>+  /* shim_lock is missing, check if GRUB image is built with
>+ --disable-shim-lock. */
>   if (!sl)
>-    return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol
>not found"));
>+    {
>+      FOR_MODULES (header)
>+        {
>+          if (header->type == OBJ_TYPE_DISABLE_SHIM_LOCK)
>+            return GRUB_ERR_NONE;
>+
>+          return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock
>protocol not found"));
>+        }
>+    }
>
>   if (sl->verify (buf, size) != GRUB_EFI_SUCCESS)
>     return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim
>signature")); @@ -166,16 +175,6 @@ grub_shim_lock_verifier_setup (void)
>   grub_efi_shim_lock_protocol_t *sl =
>     grub_efi_locate_protocol (&shim_lock_guid, 0);
>
>-  /* shim_lock is missing, check if GRUB image is built with --disable-shim-lock.
>*/
>-  if (!sl)
>-    {
>-      FOR_MODULES (header)
>-	{
>-	  if (header->type == OBJ_TYPE_DISABLE_SHIM_LOCK)
>-	    return;
>-	}
>-    }
>-
>   /* Secure Boot is off. Do not load shim_lock. */
>   if (grub_efi_get_secureboot () !=
>GRUB_EFI_SECUREBOOT_MODE_ENABLED)
>     return;
>--
>2.31.1



* Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-15 14:43               ` Sayanta Pattanayak
@ 2021-07-15 15:12                 ` Javier Martinez Canillas
  2021-07-15 18:11                   ` Sayanta Pattanayak
  0 siblings, 1 reply; 20+ messages in thread
From: Javier Martinez Canillas @ 2021-07-15 15:12 UTC (permalink / raw)
  To: Sayanta Pattanayak, Daniel Kiper; +Cc: grub-devel, nd, xnox, pjones, leif

On 7/15/21 4:43 PM, Sayanta Pattanayak wrote:
> Hi Javier,
> 
> I tried with your suggested change, but observing Exception as following - 
>

Thanks for testing.

[snip]
 
> 
> Synchronous Exception at 0x00000000F92699DC
> Synchronous Exception at 0x00000000F92699DC

Hmm, I found another bug in the patch since the error was returned inside
the for loop and not after that. So it may lead to a NULL pointer dereference
error if not using the --disable-shim-lock option but booting without shim.

[snip]

> 
> Another doubt, should the Image be detected as "UEFI stub kernel", as happened with experimental suggestion by Daniel?
>

I don't think it is needed but I'll leave that to Daniel.
 
> One minor addition in your patch, added below.
>

Thanks for that. That happens when I write a patch without even build
testing it....

Can you give this one a try now? I build tested it this time but
still couldn't test it. I should be able to do that but no earlier
than next week.

From a7c205faef72df4dd6decb114b35b53941c17014 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Thu, 15 Jul 2021 13:08:11 +0200
Subject: [RFC PATCH v2] kern/efi/sb: Allow validation to be done by the UEFI firmware

The shim_lock protocol is used to delegate that PE32+ binaries have been
signed with a trusted key. This is done because GRUB currently lacks the
ability to do the validation itself.

But in certain configurations a user may not want to use shim for this,
and either delegate on a different verifier (i.e: pgp) or just leave it
to the UEFI firmware. The latter can be done if both GRUB and the Linux
kernel have been signed by a key trusted by the UEFI firmware.

There's a grub-mkimage --disable-shim-lock option that could be used to
avoid using the shim_lock protocol and rely on another verifier, but that
will not work for the latter case, since the lockdown verifier defers it
to another verifier but no verifier validates the Linux kernel images.

To work around that, let's make the shim_lock verifier always validate a
kernel file type if the --disable-shim-lock option has been enabled.

Reported-by: Sayanta Pattanayak <Sayanta.Pattanayak@arm.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
 grub-core/kern/efi/sb.c | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index c52ec6226a6..479f4adcba4 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -141,10 +141,19 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
 static grub_err_t
 shim_lock_verifier_write (void *context __attribute__ ((unused)), void *buf, grub_size_t size)
 {
+  struct grub_module_header *header;
   grub_efi_shim_lock_protocol_t *sl = grub_efi_locate_protocol (&shim_lock_guid, 0);
 
   if (!sl)
-    return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol not found"));
+    {
+      /* shim_lock is missing, check if GRUB image is built with --disable-shim-lock. */
+      FOR_MODULES (header)
+        {
+          if (header->type == OBJ_TYPE_DISABLE_SHIM_LOCK)
+            return GRUB_ERR_NONE;
+        }
+      return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol not found"));
+    }
 
   if (sl->verify (buf, size) != GRUB_EFI_SUCCESS)
     return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));
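Review bot: the FOR_MODULES scan inside the new `if (!sl)` branch runs on every shim_lock_verifier_write() call, i.e. once per file handed to the verifier, although the embedded module list cannot change after boot; consider resolving "built with --disable-shim-lock" once in grub_shim_lock_verifier_setup() into a static flag and testing that flag here. Also, `return GRUB_ERR_NONE;` in that branch marks the file as verified from GRUB's point of view without anything having checked it, which is only sound if the kernel really is loaded through the firmware's own image verification; the comment above the loop should say that validation is being delegated to the UEFI firmware, not only that shim_lock is missing.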
@@ -162,20 +171,9 @@ struct grub_file_verifier shim_lock_verifier =
 void
 grub_shim_lock_verifier_setup (void)
 {
-  struct grub_module_header *header;
   grub_efi_shim_lock_protocol_t *sl =
     grub_efi_locate_protocol (&shim_lock_guid, 0);
 
-  /* shim_lock is missing, check if GRUB image is built with --disable-shim-lock. */
-  if (!sl)
-    {
-      FOR_MODULES (header)
-	{
-	  if (header->type == OBJ_TYPE_DISABLE_SHIM_LOCK)
-	    return;
-	}
-    }
-
   /* Secure Boot is off. Do not load shim_lock. */
   if (grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED)
     return;
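Review bot: removing the early return from grub_shim_lock_verifier_setup() means an image built with --disable-shim-lock now registers the shim_lock verifier whenever Secure Boot is enabled, so when shim is present its write() path will call sl->verify() on the kernel, which the 2.06 code never did for such images. That is a behaviour change for the "rely on another verifier (i.e: pgp)" configuration the commit message names, and it should be called out there, since users who disabled shim_lock precisely to use a different verifier now get shim verification layered on top whenever they boot via shim.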
-- 
2.31.1



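To make the verifier-chain reasoning in the commit message above concrete, here is an added C model that is not GRUB source: it mimics how grub_verifiers_open() consults the lockdown and shim_lock verifiers for a kernel file, with the flag names borrowed from GRUB's kern/verifiers.c and everything else (the scenario struct and the simplified init/write callbacks) constructed for illustration. It shows why 2.06 with --disable-shim-lock but no shim reports "verification requested but nobody cares", why a plain build without shim reports "shim_lock protocol not found", and how the RFC v2 patch changes the outcome.

```c
#include <string.h>

/* Outcomes and verifier flags; the flag names mirror GRUB's kern/verifiers.c,
 * everything else here is a constructed model, not GRUB source. */
enum { VERIFY_OK = 0, ERR_ACCESS_DENIED = 1 };
enum { FLAG_SKIP_VERIFICATION = 1, FLAG_DEFER_AUTH = 2 };

struct scenario {
  int shim_present;       /* firmware exposes the shim_lock protocol */
  int disable_shim_lock;  /* image built with grub-mkimage --disable-shim-lock */
  int v2_patch;           /* RFC v2 from this thread applied */
};

/* Lockdown verifier: demands authentication of kernels but defers it. */
static void lockdown_init (int *flags) { *flags = FLAG_DEFER_AUTH; }

/* shim_lock verifier. In 2.06 the setup code does not register the verifier
 * when --disable-shim-lock is set, modelled here as a skip; v2 always
 * registers it and moves the --disable-shim-lock check into write(). */
static void shim_lock_init (const struct scenario *s, int *flags)
{
  *flags = (s->disable_shim_lock && !s->v2_patch) ? FLAG_SKIP_VERIFICATION : 0;
}

static int shim_lock_write (const struct scenario *s, const char **err)
{
  if (s->shim_present)
    return VERIFY_OK;                       /* sl->verify() accepted the image */
  if (s->v2_patch && s->disable_shim_lock)
    return VERIFY_OK;                       /* v2: leave it to the UEFI firmware */
  *err = "shim_lock protocol not found";
  return ERR_ACCESS_DENIED;
}

/* Model of grub_verifiers_open() for a Linux kernel file type. */
const char *verify_kernel (const struct scenario *s)
{
  int flags = 0, defer = 0;
  const char *err = NULL;

  lockdown_init (&flags);
  if (flags & FLAG_DEFER_AUTH)
    defer = 1;                              /* lockdown never verifies itself */

  shim_lock_init (s, &flags);
  if (!(flags & FLAG_SKIP_VERIFICATION))
    return shim_lock_write (s, &err) == VERIFY_OK ? "ok" : err;

  /* No verifier took the file although lockdown asked for authentication. */
  return defer ? "verification requested but nobody cares" : "ok";
}
```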

* RE: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-15 15:12                 ` Javier Martinez Canillas
@ 2021-07-15 18:11                   ` Sayanta Pattanayak
  2021-07-16  8:55                     ` Javier Martinez Canillas
  0 siblings, 1 reply; 20+ messages in thread
From: Sayanta Pattanayak @ 2021-07-15 18:11 UTC (permalink / raw)
  To: Javier Martinez Canillas, Daniel Kiper; +Cc: grub-devel, nd, xnox, pjones, leif

Thanks for your quick response.
I did try with the latest change, but I am still observing the "shim_lock protocol not found" error. For "grub-mkimage", the option "--disable-shim-lock" is used.

disk/efi/efidisk.c:531: opening hd0 succeeded
partmap/gpt.c:93: Read a valid GPT header
partmap/gpt.c:115: GPT entry 0: start=2048, length=40959
partmap/gpt.c:115: GPT entry 1: start=43008, length=409599
kern/fs.c:56: Detecting ext2...
kern/verifiers.c:88: file: /Image type: 3
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc40 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0xcc80 from hd0

...

disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dcc0 from hd0
disk/efi/efidisk.c:593: reading 0x40 sectors at the sector 0x1dd00 from hd0
kern/disk.c:295: Closing `hd0'.
disk/efi/efidisk.c:540: closing hd0
error: shim_lock protocol not found.
script/script.c:65: free 0x81fff4a6e0




* Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
  2021-07-15 18:11                   ` Sayanta Pattanayak
@ 2021-07-16  8:55                     ` Javier Martinez Canillas
  0 siblings, 0 replies; 20+ messages in thread
From: Javier Martinez Canillas @ 2021-07-16  8:55 UTC (permalink / raw)
  To: Sayanta Pattanayak, Daniel Kiper; +Cc: grub-devel, nd, xnox, pjones, leif

On 7/15/21 8:11 PM, Sayanta Pattanayak wrote:
> Thanks for your quick response.
> I did try with the latest change, but I am still observing the "shim_lock protocol not found" error. For "grub-mkimage", the option "--disable-shim-lock" is used.
>

Thanks for testing.

Dmitry, any idea why header->type == OBJ_TYPE_DISABLE_SHIM_LOCK won't be
true when the for loop happens in shim_lock_verifier_write()?

But in any case, Daniel does not agree with this approach. We would need
a different solution for this.

Best regards,
-- 
Javier Martinez Canillas
Linux Engineering



