[PATCH] discover/boot: abort kexec on any error from validation
Samuel Mendoza-Jonas
sam at mendozajonas.com
Wed May 23 11:30:06 AEST 2018
On Wed, 2018-05-16 at 13:23 +1000, Brett Grandbois wrote:
> gpg_validate_boot_files() can return error codes for a variety of
> reasons but kexec_load only aborts for signature or decryption failure.
> In any other failure case like unable to open LOCKDOWN_FILE or do the
> secure copy the validation is bypassed by an early return but kexec_load
> does not abort.
>
> Signed-off-by: Brett Grandbois <brett.grandbois at opengear.com>
Thanks, merged as 1214247
> ---
> discover/boot.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/discover/boot.c b/discover/boot.c
> index 0da40e3..09e42f2 100644
> --- a/discover/boot.c
> +++ b/discover/boot.c
> @@ -76,13 +76,13 @@ static int kexec_load(struct boot_task *boot_task)
> if (result == KEXEC_LOAD_DECRYPTION_FALURE) {
> pb_log("%s: Aborting kexec due to"
> " decryption failure\n", __func__);
> - goto abort_kexec;
> }
> if (result == KEXEC_LOAD_SIGNATURE_FAILURE) {
> pb_log("%s: Aborting kexec due to signature"
> " verification failure\n", __func__);
> - goto abort_kexec;
> }
> +
> + goto abort_kexec;
> }
>
> const char* local_initrd = (boot_task->local_initrd_override) ?
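Review bot: No log line is emitted on the new fall-through path to `goto abort_kexec`. When `result` is neither KEXEC_LOAD_DECRYPTION_FALURE nor KEXEC_LOAD_SIGNATURE_FAILURE, the boot is aborted silently, so the cases the commit message names (unable to open LOCKDOWN_FILE, the secure copy failing) leave nothing in the log to say why validation stopped the kexec. Consider a fallback message just before the goto that prints the numeric result, in the same style as the two existing ones, for example `pb_log("%s: Aborting kexec due to validation error %d\n", __func__, result);`, guarded so it does not duplicate the two specific messages. The condition that opens the enclosing block is outside this hunk, so it is also worth confirming that it is entered for every non-zero return from gpg_validate_boot_files(), since the abort now depends entirely on it.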