[PATCH 07/13] go: only use it if boot signature is not required

Jean-Christophe PLAGNIOL-VILLARD plagnioj at jcrosoft.com
Mon Mar 27 04:50:44 PDT 2017


> On 26 Mar 2017, at 4:23 PM, Michael Olbrich <m.olbrich at pengutronix.de> wrote:
> 
> On Sun, Mar 26, 2017 at 04:44:58AM +0200, Jean-Christophe PLAGNIOL-VILLARD wrote:
>> Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj at jcrosoft.com>
> 
> Does this really help? If someone has access to the barebox shell, then
> there are many ways to overwrite the secure boot check.

No, having shell support does not mean being allowed to bypass secure boot
As you think user interaction vs script

And do not forget the boot sequence can be changed by the OS (user)

So we may end up trying to boot other images or boot sequences that use go

Best Regards,
J.


> Michael
> 
>> ---
>> commands/go.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>> 
>> diff --git a/commands/go.c b/commands/go.c
>> index fb319b320..e0385a977 100644
>> --- a/commands/go.c
>> +++ b/commands/go.c
>> @@ -26,6 +26,7 @@
>> #include <fcntl.h>
>> #include <linux/ctype.h>
>> #include <errno.h>
>> +#include <boot_verify.h>
>> 
>> static int do_go(int argc, char *argv[])
>> {
>> @@ -37,6 +38,9 @@ static int do_go(int argc, char *argv[])
>> 	if (argc < 2)
>> 		return COMMAND_ERROR_USAGE;
>> 
>> +	if (boot_get_verify_mode() < BOOT_VERIFY_AVAILABLE)
>> +		return -ESECVIOLATION;
>> +
>> 	if (!isdigit(*argv[1])) {
>> 		fd = open(argv[1], O_RDONLY);
>> 		if (fd < 0) {
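
Review bot: the new check at the top of do_go() returns -ESECVIOLATION
without printing anything, so a user or a boot script only sees go fail
and cannot tell that the verify mode is the reason; consider printing a
short message before the return. The test
"boot_get_verify_mode() < BOOT_VERIFY_AVAILABLE" also depends on the
ordering of the verify mode values, which this patch does not show, so
a one-line comment naming the modes that are rejected would make the
intent checkable against the subject line ("only use it if boot
signature is not required"). The patch carries only a Signed-off-by; a
commit message body stating why go has to be refused in these modes
would answer the question raised in review.
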
>> -- 
>> 2.11.0
>> 
>> 
>> _______________________________________________
>> barebox mailing list
>> barebox at lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/barebox
>> 
> 
> -- 
> Pengutronix e.K.                           |                             |
> Industrial Linux Solutions                 | http://www.pengutronix.de/  |
> Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
> 