> On 26 Mar 2017, at 4:23 PM, Michael Olbrich <m.olbrich@xxxxxxxxxxxxxx> wrote:
>
> On Sun, Mar 26, 2017 at 04:44:58AM +0200, Jean-Christophe PLAGNIOL-VILLARD wrote:
>> Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@xxxxxxxxxxxx>
>
> Does this really help? If someone has access to the barebox shell, then
> there are many ways to overwrite the secure boot check.

No have shell support does not mean being allowed to bypass secure boot

As you think user interaction vs script

And do not forget the boot sequence can be changed by the OS (user)

So we may end up trying to boot other images or boot sequence that use go

Best Regards,
J.

> Michael
>
>> --- >> commands/go.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/commands/go.c b/commands/go.c >> index fb319b320..e0385a977 100644 >> --- a/commands/go.c >> +++ b/commands/go.c >> @@ -26,6 +26,7 @@ >> #include <fcntl.h> >> #include <linux/ctype.h> >> #include <errno.h> >> +#include <boot_verify.h> >> >> static int do_go(int argc, char *argv[]) >> {
>> @@ -37,6 +38,9 @@ static int do_go(int argc, char *argv[]) >> if (argc < 2) >> return COMMAND_ERROR_USAGE; >> >> + if (boot_get_verify_mode() < BOOT_VERIFY_AVAILABLE) >> + return -ESECVIOLATION; >> + >> if (!isdigit(*argv[1])) { >> fd = open(argv[1], O_RDONLY); >> if (fd < 0) { >> -- >> 2.11.0
>>
>>
>> _______________________________________________
>> barebox mailing list
>> barebox@xxxxxxxxxxxxxxxxxxx
>> http://lists.infradead.org/mailman/listinfo/barebox
>>
>
> --
> Pengutronix e.K.                           |                             |
> Industrial Linux Solutions                 | http://www.pengutronix.de/  |
> Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
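Review bot: In the second hunk of commands/go.c, the new check `if (boot_get_verify_mode() < BOOT_VERIFY_AVAILABLE)` depends on the numeric ordering of the verify modes, and neither the code nor the commit message (which carries only a Signed-off-by) says which modes are meant to refuse `go`. A one-line comment above the check and a sentence of rationale in the commit message would answer the question raised in the reply about what this protects against. The refusal is also silent: `return -ESECVIOLATION;` gives a script or boot sequence no printed reason, so consider printing a message before returning, and confirm that ESECVIOLATION and boot_verify.h are introduced earlier in the series, since this patch does not define them.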