[systemd-devel] Prevent firmware from falling back to next EFI boot option on secure boot failure?
Lennart Poettering
lennart at poettering.net
Wed Nov 23 16:56:49 UTC 2022
On Mi, 23.11.22 11:44, Daniel Harms (jdharms at gmail.com) wrote:
> Lennart,
>
> That is how we're hoping it should work, so it's good to hear. I
> suppose I'm not sure that it's the firmware driving this process--I
> just assumed because I know that the UEFI spec has verbiage requiring
> EFI boot managers to try next options in case of certain failure
> cases. I think you're probably right in that sd-boot *should* be able
> to continue onwards down the list.
>
> We're seeing the following error message in red text:
>
> ----------------
>
> Error loading \EFI\Linux\linux-5.15.0-unsigned.efi: Security Policy Violation
>
> Failed to execute [entry config name]
> (\EFI\Linux\linux-5.15.0-unsigned.efi): Security Policy Violation
>
> ------------
>
> What I believe is happening based on these messages is that
> image_start() is returning an error here:
> https://github.com/systemd/systemd/blob/v252/src/boot/efi/boot.c#L2747
> and the `goto out;` is being executed, ending/preventing any looping
> over boot options.
>
> If this is a bug, I'd be willing to attempt a pull request submission
> if a suggested fix is given. Overall we like the functionality
> sd-boot provides and the integration with systemd, but this is likely
> a hard requirement for our use case.
Yes please file an issue on github first, and this does sound a lot
like something we should fix, hence a PR that addresses this would be
more than welcome, too.
Lennart
--
Lennart Poettering, Berlin
More information about the systemd-devel
mailing list