Bug#927888: Need to disable the devicetree command in Secure Boot mode
Steve McIntyre
steve at einval.com
Sat May 4 22:50:00 BST 2019
On Sat, May 04, 2019 at 10:44:26PM +0100, Colin Watson wrote:
>On Fri, May 03, 2019 at 10:42:34PM +0100, Steve McIntyre wrote:
>> diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
>> index c9aee74ef..735c56e45 100644
>> --- a/grub-core/loader/efi/fdt.c
>> +++ b/grub-core/loader/efi/fdt.c
>> @@ -123,6 +123,14 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
>> return GRUB_ERR_NONE;
>> }
>>
>> +#ifdef GRUB_MACHINE_EFI
>> + if (grub_efi_secure_boot ())
>> + {
>> + return grub_error (GRUB_ERR_ACCESS_DENIED,
>> + "Secure Boot forbids loading devicetree from %s", argv[0]);
>> + }
>> +#endif
>> +
>> dtb = grub_file_open (argv[0]);
>> if (!dtb)
>> goto out;
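Review bot: The `#ifdef GRUB_MACHINE_EFI` / `#endif` pair around the new check looks redundant for a file under grub-core/loader/efi/. Dropping it would leave a plain `if (grub_efi_secure_boot ())` with no preprocessor condition that could silently compile the check out. The message passed to grub_error is a bare string literal; if it is meant to be translatable like other user-facing GRUB errors, wrap it in N_(). The braces around the single return statement can also go. Placing the check before `dtb = grub_file_open (argv[0]);` is the right order, since the file is then never opened when Secure Boot is active.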
>
>Thanks. I've applied this and the rest of the patch as-is, but I'm
>pretty sure that the #ifdef in this file is rather unnecessary - unlike
>grub-core/loader/arm/linux.c, grub-core/loader/efi/fdt.c should only be
>compiled if GRUB_MACHINE_EFI is defined.
True. Ah well. :-)
--
Steve McIntyre, Cambridge, UK. steve at einval.com
Can't keep my eyes from the circling sky,
Tongue-tied & twisted, Just an earth-bound misfit, I...