Bug#927888: Need to disable the devicetree command in Secure Boot mode

Colin Watson Sat, 04 May 2019 14:48:17 -0700

On Fri, May 03, 2019 at 10:42:34PM +0100, Steve McIntyre wrote:
> diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
> index c9aee74ef..735c56e45 100644
> --- a/grub-core/loader/efi/fdt.c
> +++ b/grub-core/loader/efi/fdt.c
> @@ -123,6 +123,14 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ 
> ((unused)),
>        return GRUB_ERR_NONE;
>      }
>  
> +#ifdef GRUB_MACHINE_EFI
> +  if (grub_efi_secure_boot ())
> +    {
> +      return grub_error (GRUB_ERR_ACCESS_DENIED,
> +               "Secure Boot forbids loading devicetree from %s", argv[0]);
> +    }
> +#endif
> +
>    dtb = grub_file_open (argv[0]);
>    if (!dtb)
>      goto out;


Thanks.  I've applied this and the rest of the patch as-is, but I'm
pretty sure that the #ifdef in this file is rather unnecessary - unlike
grub-core/loader/arm/linux.c, grub-core/loader/efi/fdt.c should only be
compiled if GRUB_MACHINE_EFI is defined.

-- 
Colin Watson                                       [cjwat...@debian.org]

Bug#927888: Need to disable the devicetree command in Secure Boot mode

Reply via email to