On Mon, 2018-11-26 at 00:38 +0100, Alexander Graf wrote: > We now have signature check logic in grub which allows us to treat > files differently depending on their file type. > > Treat a loaded device tree like an overlayed ACPI table. > Both describe hardware, so I suppose their threat level is the same. > > Signed-off-by: Alexander Graf <ag...@suse.de>
Reviewed-by: Alistair Francis <alistair.fran...@wdc.com> Alistair
>
> ---
>
> v3 -> v4:
>
> - Rebase onto current git master
> ---
> grub-core/commands/efi/shim_lock.c | 1 +
> include/grub/file.h | 4 ++--
> 2 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/grub-core/commands/efi/shim_lock.c b/grub-
> core/commands/efi/shim_lock.c
> index 01246b0fc..83568cb2b 100644
> --- a/grub-core/commands/efi/shim_lock.c
> +++ b/grub-core/commands/efi/shim_lock.c
> @@ -81,6 +81,7 @@ shim_lock_init (grub_file_t io, enum grub_file_type
> type,
> /* Fall through. */
>
> case GRUB_FILE_TYPE_ACPI_TABLE:
> + case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
> *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
>
> return GRUB_ERR_NONE;
> diff --git a/include/grub/file.h b/include/grub/file.h
> index 9aae46355..8c9bf5e5d 100644
> --- a/include/grub/file.h
> +++ b/include/grub/file.h
> @@ -69,8 +69,6 @@ enum grub_file_type
>
> GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE,
>
> - GRUB_FILE_TYPE_DEVICE_TREE_IMAGE,
> -
> /* File holding signature. */
> GRUB_FILE_TYPE_SIGNATURE,
> /* File holding public key to verify signature once. */
> @@ -95,6 +93,8 @@ enum grub_file_type
> GRUB_FILE_TYPE_FILE_ID,
> /* File holding ACPI table. */
> GRUB_FILE_TYPE_ACPI_TABLE,
> + /* File holding Device Tree. */
> + GRUB_FILE_TYPE_DEVICE_TREE_IMAGE,
> /* File we intend show to user. */
> GRUB_FILE_TYPE_CAT,
> GRUB_FILE_TYPE_HEXCAT,
_______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
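Review bot: The new `case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:` label in the shim_lock.c hunk has no comment, so the reason a device tree gets `GRUB_VERIFY_FLAGS_DEFER_AUTH` lives only in the commit message, and there only as a supposition ("I suppose their threat level is the same"). I would record it above the two labels, e.g. `/* ACPI tables and device trees both describe hardware to the OS; defer their authentication to another authority. */`, and have that comment say what is expected to happen when no other verifier is configured, since the hunk does not show it. A device tree can also carry a /chosen node with kernel boot arguments, so it is worth confirming that equating it with an ACPI table holds for every loader that consumes this file type. The switch in shim_lock_init, including the case that falls through into this one, begins outside the hunk.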