On 24-04-08, Ahmad Fatoum wrote:
> Hello Marco,
>
> On 08.04.24 09:36, Marco Felsch wrote:
> > The only allowed value for bootm_verify_mode is BOOTM_VERIFY_SIGNATURE
> > if CONFIG_BOOTM_FORCE_SIGNED_IMAGES is enabled. This is set via the
> > bootm_init() initcall. All further attempts to modify this variable
> > should be prevented.
> >
> > Signed-off-by: Marco Felsch <m.felsch@xxxxxxxxxxxxxx>
> > ---
> > common/bootm.c | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/common/bootm.c b/common/bootm.c
> > index a59fa35008a9..e6703b19b3ba 100644
> > --- a/common/bootm.c
> > +++ b/common/bootm.c
> > @@ -75,6 +75,11 @@ enum bootm_verify bootm_get_verify_mode(void)
> >
> > void bootm_set_verify_mode(enum bootm_verify mode)
> > {
> > + if (IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES)) {
> > + pr_err("BOOTM_FORCE_SIGNED_IMAGES enabled, prevent modifying bootm_verify_mode\n");
> > + return;
> > + }
>
> We bootm_set_verify_mode(BOOTM_VERIFY_SIGNATURE) shouldn't result
> in a warning message.
I was considering this as well.. I will add it, thanks.
> With this addressed:
>
> Reviewed-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx>
>
> > +
> > bootm_verify_mode = mode;
> > }
> >
>
> --
> Pengutronix e.K. | |
> Steuerwalder Str. 21 | http://www.pengutronix.de/ |
> 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
> Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
>
>
