mail archive of the barebox mailing list
 help / color / mirror / Atom feed
From: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
To: Michael Olbrich <m.olbrich@pengutronix.de>
Cc: barebox@lists.infradead.org
Subject: Re: [PATCH 07/13] go: only use it if boot signature is not required
Date: Mon, 27 Mar 2017 19:50:44 +0800	[thread overview]
Message-ID: <A092B5A1-489D-4A2C-AA73-B2F5F4FBCC18@jcrosoft.com> (raw)
In-Reply-To: <20170326082322.bgy7gkj3duid4wjb@pengutronix.de>


> On 26 Mar 2017, at 4:23 PM, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> 
> On Sun, Mar 26, 2017 at 04:44:58AM +0200, Jean-Christophe PLAGNIOL-VILLARD wrote:
>> Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
> 
> Does this realy help? If someone has access to the barebox shell, then
> there are many ways to overwrite the secure boot check.

No have shell support does not mean been allow to by pass secure boot
As you think user interaction vs script

And do not forget the boot sequence can be change by the OS (user)

So we may endup to try to boot other images or boot sequence that use go

Best Regards,
J.


> Michael
> 
>> ---
>> commands/go.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>> 
>> diff --git a/commands/go.c b/commands/go.c
>> index fb319b320..e0385a977 100644
>> --- a/commands/go.c
>> +++ b/commands/go.c
>> @@ -26,6 +26,7 @@
>> #include <fcntl.h>
>> #include <linux/ctype.h>
>> #include <errno.h>
>> +#include <boot_verify.h>
>> 
>> static int do_go(int argc, char *argv[])
>> {
>> @@ -37,6 +38,9 @@ static int do_go(int argc, char *argv[])
>> 	if (argc < 2)
>> 		return COMMAND_ERROR_USAGE;
>> 
>> +	if (boot_get_verify_mode() < BOOT_VERIFY_AVAILABLE)
>> +		return -ESECVIOLATION;
>> +
>> 	if (!isdigit(*argv[1])) {
>> 		fd = open(argv[1], O_RDONLY);
>> 		if (fd < 0) {
>> -- 
>> 2.11.0
>> 
>> 
>> _______________________________________________
>> barebox mailing list
>> barebox@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/barebox
>> 
> 
> -- 
> Pengutronix e.K.                           |                             |
> Industrial Linux Solutions                 | http://www.pengutronix.de/  |
> Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
> 
> _______________________________________________
> barebox mailing list
> barebox@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/barebox


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

  reply	other threads:[~2017-03-27 13:13 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-25  8:31 [PATCH 00/13] add efi secure boot support Jean-Christophe PLAGNIOL-VILLARD
2017-03-26  2:44 ` [PATCH 01/13] bootm: move open to image_handler Jean-Christophe PLAGNIOL-VILLARD
2017-03-26  2:44   ` [PATCH 02/13] boot_verify: use a new error ESECVIOLATION Jean-Christophe PLAGNIOL-VILLARD
2017-03-26  7:59     ` Michael Olbrich
2017-03-26  2:44   ` [PATCH 03/13] bootm: make security generic Jean-Christophe PLAGNIOL-VILLARD
2017-03-26  2:44   ` [PATCH 04/13] boot: invert the secure boot forcing support Jean-Christophe PLAGNIOL-VILLARD
2017-03-26  2:44   ` [PATCH 05/13] move boot verify to generic code Jean-Christophe PLAGNIOL-VILLARD
2017-03-26  2:44   ` [PATCH 06/13] boot_verify: make it modifiable at start time Jean-Christophe PLAGNIOL-VILLARD
2017-03-26  8:16     ` Michael Olbrich
2017-03-26  2:44   ` [PATCH 07/13] go: only use it if boot signature is not required Jean-Christophe PLAGNIOL-VILLARD
2017-03-26  8:23     ` Michael Olbrich
2017-03-27 11:50       ` Jean-Christophe PLAGNIOL-VILLARD [this message]
2017-03-26  2:44   ` [PATCH 08/13] boot_verify: allow to force unsigned image to boot Jean-Christophe PLAGNIOL-VILLARD
2017-03-26  8:25     ` Michael Olbrich
2017-03-26  2:45   ` [PATCH 09/13] boot_verify: add password request support Jean-Christophe PLAGNIOL-VILLARD
2017-03-27  6:11     ` Sascha Hauer
2017-03-26  2:45   ` [PATCH 10/13] efi: add more security related guid for the efivars Jean-Christophe PLAGNIOL-VILLARD
2017-03-26  2:45   ` [PATCH 11/13] efi: fix lds for secure boot support Jean-Christophe PLAGNIOL-VILLARD
2017-03-26  8:30     ` Michael Olbrich
2017-03-26  2:45   ` [PATCH 12/13] efi: fix secure and setup mode report Jean-Christophe PLAGNIOL-VILLARD
2017-03-26  2:45   ` [PATCH 13/13] efi: enable sercure boot support Jean-Christophe PLAGNIOL-VILLARD
2017-03-26  7:57   ` [PATCH 01/13] bootm: move open to image_handler Michael Olbrich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=A092B5A1-489D-4A2C-AA73-B2F5F4FBCC18@jcrosoft.com \
    --to=plagnioj@jcrosoft.com \
    --cc=barebox@lists.infradead.org \
    --cc=m.olbrich@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox