We now have signature check logic in grub which allows us to treat
files differently depending on their file type.
Treat a loaded device tree like an overlayed ACPI table.
Both describe hardware, so I suppose their threat level is the same.
Signed-off-by: Alexander Graf <ag...@suse.de>
Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>
---
v3 -> v4:
- Rebase onto current git master
---
grub-core/commands/efi/shim_lock.c | 1 +
include/grub/file.h | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/grub-core/commands/efi/shim_lock.c
b/grub-core/commands/efi/shim_lock.c
index 01246b0fc..83568cb2b 100644
--- a/grub-core/commands/efi/shim_lock.c
+++ b/grub-core/commands/efi/shim_lock.c
@@ -81,6 +81,7 @@ shim_lock_init (grub_file_t io, enum grub_file_type type,
/* Fall through. */
case GRUB_FILE_TYPE_ACPI_TABLE:
+ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
*flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
return GRUB_ERR_NONE;
diff --git a/include/grub/file.h b/include/grub/file.h
index cbbd29465..31567483c 100644
--- a/include/grub/file.h
+++ b/include/grub/file.h
@@ -74,8 +74,6 @@ enum grub_file_type
GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE,
- GRUB_FILE_TYPE_DEVICE_TREE_IMAGE,
-
/* File holding signature. */
GRUB_FILE_TYPE_SIGNATURE,
/* File holding public key to verify signature once. */
@@ -100,6 +98,8 @@ enum grub_file_type
GRUB_FILE_TYPE_FILE_ID,
/* File holding ACPI table. */
GRUB_FILE_TYPE_ACPI_TABLE,
+ /* File holding Device Tree. */
+ GRUB_FILE_TYPE_DEVICE_TREE_IMAGE,
/* File we intend show to user. */
GRUB_FILE_TYPE_CAT,
GRUB_FILE_TYPE_HEXCAT,
--
2.12.3
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
