[PATCH 07/13] go: only use it if boot signature is not required

Michael Olbrich m.olbrich at pengutronix.de
Sun Mar 26 01:23:22 PDT 2017


On Sun, Mar 26, 2017 at 04:44:58AM +0200, Jean-Christophe PLAGNIOL-VILLARD wrote:
> Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj at jcrosoft.com>

Does this realy help? If someone has access to the barebox shell, then
there are many ways to overwrite the secure boot check.

Michael

> ---
>  commands/go.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/commands/go.c b/commands/go.c
> index fb319b320..e0385a977 100644
> --- a/commands/go.c
> +++ b/commands/go.c
> @@ -26,6 +26,7 @@
>  #include <fcntl.h>
>  #include <linux/ctype.h>
>  #include <errno.h>
> +#include <boot_verify.h>
>  
>  static int do_go(int argc, char *argv[])
>  {
> @@ -37,6 +38,9 @@ static int do_go(int argc, char *argv[])
>  	if (argc < 2)
>  		return COMMAND_ERROR_USAGE;
>  
> +	if (boot_get_verify_mode() < BOOT_VERIFY_AVAILABLE)
> +		return -ESECVIOLATION;
> +
>  	if (!isdigit(*argv[1])) {
>  		fd = open(argv[1], O_RDONLY);
>  		if (fd < 0) {
> -- 
> 2.11.0
> 
> 
> _______________________________________________
> barebox mailing list
> barebox at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/barebox
> 

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



More information about the barebox mailing list