From: Leo Yan <leo.yan@linaro.org>
To: The development of GNU GRUB <grub-devel@gnu.org>
Subject: Re: [PATCH] verifiers: Don't return error for deferred image
Date: Thu, 22 Dec 2022 20:22:39 +0800
Message-ID: <Y6RMDzLQBpB9Elbc@leoy-yangtze.lan>
In-Reply-To: <824a569a-70db-b5ca-dd8b-b6c1cef0dc67@gmail.com>

Hi Boyang,

On Thu, Dec 22, 2022 at 07:25:13PM +0800, Zhang Boyang wrote:
> Hi,
> 
> On 2022/12/22 19:14, Leo Yan wrote:
> > When booting from the menu and the flag GRUB_VERIFY_FLAGS_DEFER_AUTH is set,
> > grub returns an error:
> > 
> >   Booting a command list
> > 
> >   error: verification requested but nobody cares: (hd0,gpt1)/Image.
> > 
> >   Press any key to continue...
> > 
> > In this case, the image should be deferred for authentication, grub
> > should return the file handle and pass down to later firmware (e.g.
> > U-Boot, etc) for authentication.
> 
> This is probably not what the verification framework is designed to be. It seems
> to be designed to verify files while GRUB is executing (e.g. check the file
> signature if UEFI Secure Boot is enabled).

Good point.  We expect the solution to be that grub can defer authentication
for an image and invoke the EFI LoadImage service, then the EFI loader can
load and verify the image.

To be more specific, I am now debugging U-boot EFI with grub; since U-boot
EFI provides functionality for loading and authenticating an image (see
efi_load_image() in [1]), my purpose is to use U-boot EFI to
authenticate the kernel image (and even the initrd image).

> By the way, I didn't understand what "return the file handle and pass
> down to later firmware" means. If you mean you want GRUB to call into the
> firmware's function, you can write a verifier to do that and register your
> verifier with grub_verifier_register().

To be clear, I am not experienced with EFI and grub; I try my best to
give info :)

As explained above, we don't want to introduce any new verifier in
grub; it's that we want to verify the image in U-boot EFI rather than in
grub.  So this is why I wrote this patch to dismiss the failure in grub
and pass the image info to the U-boot EFI service.  (And sorry my commit log
introduced confusion.)

Thanks,
Leo

[1] https://github.com/u-boot/u-boot/blob/master/lib/efi_loader/efi_boottime.c#L2021
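As an added illustration (not code from GRUB, nor from either poster), the following C program is a small stand-alone model of how a verifier chain handles the "defer" and "skip" flags that the two messages above are arguing about. It follows the selection loop in grub-core/commands/verifiers.c as I read it, but every identifier here is a stand-in: the flag and result enums, the `open_with_verifiers()` function, the three sample verifiers and the `scenario_*()` functions are assumptions for the example, and the file paths are constructed. The point it shows is the one Boyang makes: a verifier that returns the defer flag is asking some later verifier to take responsibility, and if none does, the open fails with the "nobody cares" error, whereas registering a verifier that actually takes the file (for instance one that hands it to firmware) resolves the deferral instead of just suppressing the error.

```c
/* Added example, not GRUB code: a simplified model of a verifier chain
 * with GRUB-style DEFER_AUTH / SKIP_VERIFICATION semantics.  Names are
 * stand-ins for illustration; the flag and result values are invented. */
#include <stdio.h>
#include <string.h>

enum verify_flags {
  VERIFY_FLAGS_NONE = 0,                   /* "I take this file and verify it" */
  VERIFY_FLAGS_SKIP_VERIFICATION = 1 << 0, /* "not a file type I care about" */
  VERIFY_FLAGS_DEFER_AUTH = 1 << 1         /* "someone after me must verify it" */
};

enum open_result {
  OPEN_VERIFIED = 0,     /* a verifier accepted and checked the file */
  OPEN_PASSTHROUGH = 1,  /* nobody wanted it; returned unverified, no error */
  OPEN_NOBODY_CARES = 2  /* deferred, but no later verifier took it: error */
};

struct verifier {
  const char *name;
  enum verify_flags (*init)(const char *path); /* stands in for the init callback */
};

static int ends_with(const char *s, const char *suffix)
{
  size_t ls = strlen(s), lx = strlen(suffix);
  return ls >= lx && strcmp(s + ls - lx, suffix) == 0;
}

/* Model of the open path: walk verifiers in registration order.  A deferral
 * is only satisfied if a later verifier returns neither SKIP nor DEFER. */
enum open_result open_with_verifiers(const struct verifier *vers, int n, const char *path)
{
  int deferred = 0;
  for (int i = 0; i < n; i++) {
    enum verify_flags f = vers[i].init(path);
    if (f & VERIFY_FLAGS_DEFER_AUTH) {
      deferred = 1;
      continue;
    }
    if (!(f & VERIFY_FLAGS_SKIP_VERIFICATION))
      return OPEN_VERIFIED; /* this verifier reads and checks the file */
  }
  return deferred ? OPEN_NOBODY_CARES : OPEN_PASSTHROUGH;
}

/* Sample verifier 1 (constructed): defers kernel images, ignores everything else. */
static enum verify_flags deferring_init(const char *path)
{
  return ends_with(path, "/Image") ? VERIFY_FLAGS_DEFER_AUTH
                                   : VERIFY_FLAGS_SKIP_VERIFICATION;
}

/* Sample verifier 2 (constructed): the kind Boyang suggests, one that takes
 * responsibility for the file, e.g. by calling into firmware to check it. */
static enum verify_flags firmware_handoff_init(const char *path)
{
  (void)path;
  return VERIFY_FLAGS_NONE;
}

/* Sample verifier 3 (constructed): never interested. */
static enum verify_flags uninterested_init(const char *path)
{
  (void)path;
  return VERIFY_FLAGS_SKIP_VERIFICATION;
}

/* The situation in the patch: only a deferring verifier is registered. */
enum open_result scenario_defer_alone(void)
{
  const struct verifier chain[] = { { "defer-to-firmware", deferring_init } };
  return open_with_verifiers(chain, 1, "(hd0,gpt1)/Image");
}

/* The suggested fix: a later verifier actually takes the deferred file. */
enum open_result scenario_defer_with_handoff(void)
{
  const struct verifier chain[] = {
    { "defer-to-firmware", deferring_init },
    { "firmware-handoff", firmware_handoff_init }
  };
  return open_with_verifiers(chain, 2, "(hd0,gpt1)/Image");
}

/* No deferral at all: the file is simply returned without verification. */
enum open_result scenario_nobody_interested(void)
{
  const struct verifier chain[] = {
    { "defer-to-firmware", deferring_init },
    { "uninterested", uninterested_init }
  };
  return open_with_verifiers(chain, 2, "(hd0,gpt1)/grub.cfg");
}

int main(void)
{
  static const char *names[] = { "verified", "passthrough", "nobody cares" };
  printf("defer alone:        %s\n", names[scenario_defer_alone()]);
  printf("defer with handoff: %s\n", names[scenario_defer_with_handoff()]);
  printf("nobody interested:  %s\n", names[scenario_nobody_interested()]);
  return 0;
}
```

The difference between the first two scenarios is the security-relevant one: dropping the error in the first case would hand an image to whatever runs next with nothing in the chain having vouched for it, while the second case keeps the deferral contract intact because a registered verifier explicitly takes the file.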

