There is a difference in the implicit level of trust granted to images
coming from the same source as iPXE, compared to ones downloaded later
from the network. An attacker who is able to replace the initrd, kernel
command line, or an embedded image may as well replace the iPXE binary
itself.

This commit makes initrd, kernel command line, and images embedded in
the iPXE binary trusted in terms of the IMAGE_TRUSTED flag.

Signed-off-by: Ladi Prosek <lpro...@redhat.com>
---
 src/arch/x86/core/runtime.c | 4 ++++
 src/image/embedded.c        | 1 +
 2 files changed, 5 insertions(+)

diff --git a/src/arch/x86/core/runtime.c b/src/arch/x86/core/runtime.c
index d160fee..3739055 100644
--- a/src/arch/x86/core/runtime.c
+++ b/src/arch/x86/core/runtime.c
@@ -78,6 +78,7 @@ static struct image cmdline_image = {
        .refcnt = REF_INIT ( cmdline_image_free ),
        .name = "<CMDLINE>",
        .type = &script_image_type,
+       .flags = IMAGE_TRUSTED,
 };
 
 /** Colour for debug messages */
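Review bot: The `.flags = IMAGE_TRUSTED,` initializer on `cmdline_image` carries no comment giving the reason, although this image has `.type = &script_image_type` and its content is handed over by whatever started iPXE rather than compiled into the binary. With the flag set, the command-line script presumably no longer needs to pass verification when trusted images are required, so the assumption from the commit message should be recorded where the flag is granted, e.g. `/* Command line is supplied by the loader that started iPXE; trusted on the same basis as the binary */`. The same provenance assumption applies to the `initrd_init` hunk, whose comment says only that the initrd is "trusted by default" without saying why. The `cmdline_image` initializer begins outside this hunk.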
@@ -208,6 +209,9 @@ static int initrd_init ( void ) {
                goto err_set_name;
        }
 
+       /* Initrd is trusted by default */
+       image->flags |= IMAGE_TRUSTED;
+
        /* Allocate and copy initrd content */
        image->data = umalloc ( initrd_len );
        if ( ! image->data ) {
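Review bot: The open-coded `image->flags |= IMAGE_TRUSTED;` in `initrd_init` would be better written through the image trust helper, `image_trust ( image );`, assuming `ipxe/image.h` at this revision provides it. Routing every grant of trust through one named call makes it possible to audit with a single search where unverified content is exempted from signature checking. `initrd_init` starts and ends outside the hunk, so the error paths after this point are not visible here.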
diff --git a/src/image/embedded.c b/src/image/embedded.c
index 376e5d2..6a2ed36 100644
--- a/src/image/embedded.c
+++ b/src/image/embedded.c
@@ -35,6 +35,7 @@ EMBED_ALL
        .name = _name,                                                  \
        .data = ( userptr_t ) ( embedded_image_ ## _index ## _data ),   \
        .len = ( size_t ) embedded_image_ ## _index ## _len,            \
+       .flags = IMAGE_TRUSTED,                                         \
 },
 static struct image embedded_images[] = {
        EMBED_ALL
-- 
2.5.5
