Message ID | 20181125233815.56392-11-agraf@suse.de |
---|---|
State | Superseded |
Series | Add RISC-V support | expand |
On Mon, Nov 26, 2018 at 12:38:15AM +0100, Alexander Graf wrote: > We now have signature check logic in grub which allows us to treat > files differently depending on their file type. > > Treat a loaded device tree like an overlayed ACPI table. > Both describe hardware, so I suppose their threat level is the same. > > Signed-off-by: Alexander Graf <agraf@suse.de> Acked-by: Leif Lindholm <leif.lindholm@linaro.org> > > --- > > v3 -> v4: > > - Rebase onto current git master > --- > grub-core/commands/efi/shim_lock.c | 1 + > include/grub/file.h | 4 ++-- > 2 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/grub-core/commands/efi/shim_lock.c b/grub-core/commands/efi/shim_lock.c > index 01246b0fc..83568cb2b 100644 > --- a/grub-core/commands/efi/shim_lock.c > +++ b/grub-core/commands/efi/shim_lock.c > @@ -81,6 +81,7 @@ shim_lock_init (grub_file_t io, enum grub_file_type type, > /* Fall through. */ > > case GRUB_FILE_TYPE_ACPI_TABLE: > + case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE: > *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH; > > return GRUB_ERR_NONE; > diff --git a/include/grub/file.h b/include/grub/file.h > index 9aae46355..8c9bf5e5d 100644 > --- a/include/grub/file.h > +++ b/include/grub/file.h > @@ -69,8 +69,6 @@ enum grub_file_type > > GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE, > > - GRUB_FILE_TYPE_DEVICE_TREE_IMAGE, > - > /* File holding signature. */ > GRUB_FILE_TYPE_SIGNATURE, > /* File holding public key to verify signature once. */ > @@ -95,6 +93,8 @@ enum grub_file_type > GRUB_FILE_TYPE_FILE_ID, > /* File holding ACPI table. */ > GRUB_FILE_TYPE_ACPI_TABLE, > + /* File holding Device Tree. */ > + GRUB_FILE_TYPE_DEVICE_TREE_IMAGE, > /* File we intend show to user. */ > GRUB_FILE_TYPE_CAT, > GRUB_FILE_TYPE_HEXCAT, > -- > 2.12.3 > _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
On Mon, 2018-11-26 at 00:38 +0100, Alexander Graf wrote: > We now have signature check logic in grub which allows us to treat > files differently depending on their file type. > > Treat a loaded device tree like an overlayed ACPI table. > Both describe hardware, so I suppose their threat level is the same. > > Signed-off-by: Alexander Graf <agraf@suse.de> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Alistair > > --- > > v3 -> v4: > > - Rebase onto current git master > --- > grub-core/commands/efi/shim_lock.c | 1 + > include/grub/file.h | 4 ++-- > 2 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/grub-core/commands/efi/shim_lock.c b/grub- > core/commands/efi/shim_lock.c > index 01246b0fc..83568cb2b 100644 > --- a/grub-core/commands/efi/shim_lock.c > +++ b/grub-core/commands/efi/shim_lock.c > @@ -81,6 +81,7 @@ shim_lock_init (grub_file_t io, enum grub_file_type > type, > /* Fall through. */ > > case GRUB_FILE_TYPE_ACPI_TABLE: > + case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE: > *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH; > > return GRUB_ERR_NONE; > diff --git a/include/grub/file.h b/include/grub/file.h > index 9aae46355..8c9bf5e5d 100644 > --- a/include/grub/file.h > +++ b/include/grub/file.h > @@ -69,8 +69,6 @@ enum grub_file_type > > GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE, > > - GRUB_FILE_TYPE_DEVICE_TREE_IMAGE, > - > /* File holding signature. */ > GRUB_FILE_TYPE_SIGNATURE, > /* File holding public key to verify signature once. */ > @@ -95,6 +93,8 @@ enum grub_file_type > GRUB_FILE_TYPE_FILE_ID, > /* File holding ACPI table. */ > GRUB_FILE_TYPE_ACPI_TABLE, > + /* File holding Device Tree. */ > + GRUB_FILE_TYPE_DEVICE_TREE_IMAGE, > /* File we intend show to user. */ > GRUB_FILE_TYPE_CAT, > GRUB_FILE_TYPE_HEXCAT, _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
On Mon, Nov 26, 2018 at 12:38:15AM +0100, Alexander Graf wrote: > We now have signature check logic in grub which allows us to treat > files differently depending on their file type. > > Treat a loaded device tree like an overlayed ACPI table. > Both describe hardware, so I suppose their threat level is the same. > > Signed-off-by: Alexander Graf <agraf@suse.de> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> Daniel _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
diff --git a/grub-core/commands/efi/shim_lock.c b/grub-core/commands/efi/shim_lock.c
index 01246b0fc..83568cb2b 100644
--- a/grub-core/commands/efi/shim_lock.c
+++ b/grub-core/commands/efi/shim_lock.c
@@ -81,6 +81,7 @@ shim_lock_init (grub_file_t io, enum grub_file_type type,
 /* Fall through. */
 
 case GRUB_FILE_TYPE_ACPI_TABLE:
+ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
 *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
 
 return GRUB_ERR_NONE;
diff --git a/include/grub/file.h b/include/grub/file.h
index 9aae46355..8c9bf5e5d 100644
--- a/include/grub/file.h
+++ b/include/grub/file.h
@@ -69,8 +69,6 @@ enum grub_file_type
 
 GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE,
 
- GRUB_FILE_TYPE_DEVICE_TREE_IMAGE,
-
 /* File holding signature. */
 GRUB_FILE_TYPE_SIGNATURE,
 /* File holding public key to verify signature once. */
@@ -95,6 +93,8 @@ enum grub_file_type
 GRUB_FILE_TYPE_FILE_ID,
 /* File holding ACPI table. */
 GRUB_FILE_TYPE_ACPI_TABLE,
+ /* File holding Device Tree. */
+ GRUB_FILE_TYPE_DEVICE_TREE_IMAGE,
 /* File we intend show to user. */
 GRUB_FILE_TYPE_CAT,
 GRUB_FILE_TYPE_HEXCAT,
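Review bot: The reason for putting `case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:` on the `GRUB_VERIFY_FLAGS_DEFER_AUTH` branch is recorded only in the commit message ("I suppose their threat level is the same"), not next to the labels in shim_lock_init. Because this switch sets the verification policy per file type, I would add a comment above the two labels such as `/* ACPI tables and device trees both describe hardware to the OS; defer their authentication to another verifier. */`. The flag name suggests the file is accepted only when some other verifier authenticates it; if that is the intended outcome for device trees, the commit message should say so outright rather than "I suppose". The switch starts and ends outside the hunk, so the fall-through from the preceding cases cannot be checked from these lines.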
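Review bot: Moving `GRUB_FILE_TYPE_DEVICE_TREE_IMAGE` changes its numeric value and shifts every enumerator between the two positions down by one, and the commit message does not mention the move. It is removed after `GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE` in the -69,8 hunk and re-added after `GRUB_FILE_TYPE_ACPI_TABLE` in the -95,6 hunk. Nothing in the visible lines depends on the numeric order, but it is worth confirming that no range comparison or stored value relies on the old numbering, and stating in the message that the move is only for grouping with the ACPI entry. The enum body continues outside both hunks.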
We now have signature check logic in grub which allows us to treat files differently depending on their file type. Treat a loaded device tree like an overlayed ACPI table. Both describe hardware, so I suppose their threat level is the same. Signed-off-by: Alexander Graf <agraf@suse.de> --- v3 -> v4: - Rebase onto current git master --- grub-core/commands/efi/shim_lock.c | 1 + include/grub/file.h | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) -- 2.12.3 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel