Re: [PATCH 07/13] go: only use it if boot signature is not required

> On 26 Mar 2017, at 4:23 PM, Michael Olbrich <m.olbrich@xxxxxxxxxxxxxx> wrote:
> 
> On Sun, Mar 26, 2017 at 04:44:58AM +0200, Jean-Christophe PLAGNIOL-VILLARD wrote:
>> Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@xxxxxxxxxxxx>
> 
> Does this really help? If someone has access to the barebox shell, then
> there are many ways to overwrite the secure boot check.

No, having shell support does not mean being allowed to bypass secure boot
As you think user interaction vs script

And do not forget the boot sequence can be changed by the OS (user)

So we may end up trying to boot other images or boot sequences that use go

Best Regards,
J.


> Michael
> 
>> ---
>> commands/go.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>> 
>> diff --git a/commands/go.c b/commands/go.c
>> index fb319b320..e0385a977 100644
>> --- a/commands/go.c
>> +++ b/commands/go.c
>> @@ -26,6 +26,7 @@
>> #include <fcntl.h>
>> #include <linux/ctype.h>
>> #include <errno.h>
>> +#include <boot_verify.h>
>> 
>> static int do_go(int argc, char *argv[])
>> {
>> @@ -37,6 +38,9 @@ static int do_go(int argc, char *argv[])
>> 	if (argc < 2)
>> 		return COMMAND_ERROR_USAGE;
>> 
>> +	if (boot_get_verify_mode() < BOOT_VERIFY_AVAILABLE)
>> +		return -ESECVIOLATION;
>> +
>> 	if (!isdigit(*argv[1])) {
>> 		fd = open(argv[1], O_RDONLY);
>> 		if (fd < 0) {
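Review bot: the new check in do_go() compares boot_get_verify_mode() against BOOT_VERIFY_AVAILABLE with `<`, so whether it matches the subject line ("only use it if boot signature is not required") rests entirely on the ordering of the verify-mode values declared in boot_verify.h, which this patch does not show. A short comment above the check naming the modes that are rejected, or an explicit comparison against the mode that means a signature is required, would let a reader verify the intent from this file alone. The command also fails with a bare -ESECVIOLATION and no output; a one-line message saying that go is disabled by the current verify mode would make the refusal diagnosable, both at the shell and in boot scripts. The commit message consists only of the Signed-off-by line; it should record the reasoning given in this thread, namely that scripts or a boot sequence changed from the OS may end up invoking go.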
>> -- 
>> 2.11.0
>> 
>> 
>> _______________________________________________
>> barebox mailing list
>> barebox@xxxxxxxxxxxxxxxxxxx
>> http://lists.infradead.org/mailman/listinfo/barebox
>> 
> 
> -- 
> Pengutronix e.K.                           |                             |
> Industrial Linux Solutions                 | http://www.pengutronix.de/  |
> Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
> 

