@@ -81,6 +81,7 @@ shim_lock_init (grub_file_t io, enum grub_file_type type,
/* Fall through. */
case GRUB_FILE_TYPE_ACPI_TABLE:
+ case GRUB_FILE_TYPE_DEVICE_TREE:
*flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
return GRUB_ERR_NONE;
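Review bot: The new `case GRUB_FILE_TYPE_DEVICE_TREE:` label joins the deferred-authentication group with no comment explaining why; the only rationale is the commit message's "I suppose their threat level is the same". A device tree is consumed by the OS as a trusted hardware description, so the choice to return `GRUB_VERIFY_FLAGS_DEFER_AUTH` rather than verify here should be recorded at the label, e.g. `/* Device trees describe hardware like ACPI tables: defer authentication to another verifier. */`. It would also help to state what happens to a deferred file when no other verifier is registered, which this hunk does not show. The switch and the rest of shim_lock_init lie outside the hunk.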
@@ -123,7 +123,7 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
return GRUB_ERR_NONE;
}
- dtb = grub_file_open (argv[0]);
+ dtb = grub_file_open (argv[0], GRUB_FILE_TYPE_DEVICE_TREE);
if (!dtb)
goto out;
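Review bot: Only this one `grub_file_open` call is tagged with `GRUB_FILE_TYPE_DEVICE_TREE`, and the diffstat lists a single loader file, so any other command that reads a device tree blob would keep whatever type it passes today. Since the type is presumably what verifiers key their policy on, every device-tree load path should carry the same tag; that is worth checking before merge. A short comment above the call, such as `/* Typed open so verifiers can apply device-tree policy. */`, would make the intent explicit. The `out:` label and the rest of grub_cmd_devicetree are outside the hunk, so how a refused open is reported to the user cannot be confirmed from here.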
@@ -93,6 +93,8 @@ enum grub_file_type
GRUB_FILE_TYPE_FILE_ID,
/* File holding ACPI table. */
GRUB_FILE_TYPE_ACPI_TABLE,
+ /* File holding Device Tree. */
+ GRUB_FILE_TYPE_DEVICE_TREE,
/* File we intend show to user. */
GRUB_FILE_TYPE_CAT,
GRUB_FILE_TYPE_HEXCAT,
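Review bot: Every verifier that switches on `enum grub_file_type` needs an explicit case for `GRUB_FILE_TYPE_DEVICE_TREE`, and this commit classifies it only in shim_lock; how other verifiers treat an unlisted type is not visible here and should be confirmed. The constant is also inserted mid-enum, which renumbers `GRUB_FILE_TYPE_CAT` and everything after it. That is harmless when all users are rebuilt together, but worth checking for anything built separately. The comment could be more precise about what the file is, e.g. `/* Flattened device tree blob handed to the OS. */`. The enum continues outside the hunk.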
We now have signature check logic in grub which allows us to treat files differently depending on their file type. Mark a loaded device tree as such and treat it like an overlaid ACPI table. Both describe hardware, so I suppose their threat level is the same. Signed-off-by: Alexander Graf <agraf@suse.de> --- grub-core/commands/efi/shim_lock.c | 1 + grub-core/loader/efi/fdt.c | 2 +- include/grub/file.h | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) -- 2.12.3 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel