Bug#927888: Need to disable the devicetree command in Secure Boot mode
Colin Watson
cjwatson at debian.org
Sat May 4 22:44:26 BST 2019
On Fri, May 03, 2019 at 10:42:34PM +0100, Steve McIntyre wrote:
> diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
> index c9aee74ef..735c56e45 100644
> --- a/grub-core/loader/efi/fdt.c
> +++ b/grub-core/loader/efi/fdt.c
> @@ -123,6 +123,14 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
> return GRUB_ERR_NONE;
> }
>
> +#ifdef GRUB_MACHINE_EFI
> + if (grub_efi_secure_boot ())
> + {
> + return grub_error (GRUB_ERR_ACCESS_DENIED,
> + "Secure Boot forbids loading devicetree from %s", argv[0]);
> + }
> +#endif
> +
> dtb = grub_file_open (argv[0]);
> if (!dtb)
> goto out;
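Review bot: the Secure Boot check in grub_cmd_devicetree is placed after the earlier block that ends in `return GRUB_ERR_NONE;`, so that path returns without ever reaching it. If that is intended because only the `grub_file_open (argv[0])` path loads an external devicetree, a one-line comment above the check saying so would make the placement clear. As a style point, the message passed to grub_error is a bare string literal; wrapping it in N_() would match how translatable error messages are normally marked in GRUB, and the braces around the single return statement can be dropped.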
Thanks. I've applied this and the rest of the patch as-is, but I'm
pretty sure that the #ifdef in this file is rather unnecessary - unlike
grub-core/loader/arm/linux.c, grub-core/loader/efi/fdt.c should only be
compiled if GRUB_MACHINE_EFI is defined.
--
Colin Watson [cjwatson at debian.org]