Message-ID: <20161122203058.GA1844@wunner.de>
Date:   Tue, 22 Nov 2016 21:30:58 +0100
From:   Lukas Wunner <lukas@...ner.de>
To:     David Howells <dhowells@...hat.com>
Cc:     Matthew Garrett <matthew.garrett@...ula.com>,
        linux-efi@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-security-module@...r.kernel.org, keyrings@...r.kernel.org
Subject: Re: [PATCH 4/6] efi: Get the secure boot status

On Tue, Nov 22, 2016 at 02:47:27PM +0000, David Howells wrote:
> Lukas Wunner <lukas@...ner.de> wrote:
> > The "out_efi_err" portion differs from the previous version of this
> > patch.  Setting a __u8 to a negative value, is this really what you
> > want?
> 
> Eh?  efi_get_secureboot() returns an int as before.  The out_efi_err:
> portions are exactly the same:

By "the previous version of this patch" I was referring to your
submission of Nov 16, not the existing code in the kernel.
Your patch didn't contain the out_efi_err portion.

You're assigning a negative value to boot_params->secure_boot
(which is declared __u8).

In the next patch you're just checking if the value isn't 0
and you're considering secure boot to be enabled even though
GetVariable failed.  Hence my question above, is this what
you want?  Likely not, perhaps this is what you really want:

	boot_params->secure_boot = (efi_get_secureboot() == 1);

Best regards,

Lukas
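
The truncation discussed in this message, shown as an added example that is not part of the original email or of the kernel patch. The struct, the helper names and the failure value -1 are constructed for illustration; only the __u8 field, the non-zero check and the `== 1` comparison come from the message.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the query result: 1 = enabled, 0 = disabled,
 * negative = reading the variable failed. The value -1 is an assumption. */
enum sb_query { SB_QUERY_FAILED = -1, SB_DISABLED = 0, SB_ENABLED = 1 };

/* Hypothetical struct mirroring the __u8 secure_boot field. */
struct demo_boot_params { uint8_t secure_boot; };

/* Pattern questioned in the message: store the int result directly. */
static uint8_t store_raw(struct demo_boot_params *bp, int query_result)
{
    bp->secure_boot = (uint8_t)query_result;    /* -1 wraps to 255 */
    return bp->secure_boot;
}

/* Form suggested in the message: only an explicit 1 sets the flag. */
static uint8_t store_checked(struct demo_boot_params *bp, int query_result)
{
    bp->secure_boot = (query_result == 1);
    return bp->secure_boot;
}

/* The consumer only tests for non-zero, as described for the next patch. */
static int consumer_sees_enabled(const struct demo_boot_params *bp)
{
    return bp->secure_boot != 0;
}

int main(void)
{
    const int results[] = { SB_QUERY_FAILED, SB_DISABLED, SB_ENABLED };

    for (unsigned i = 0; i < sizeof(results) / sizeof(results[0]); i++) {
        struct demo_boot_params raw, checked;

        store_raw(&raw, results[i]);
        store_checked(&checked, results[i]);
        printf("query=%2d  raw=%3u enabled=%d  checked=%u enabled=%d\n",
               results[i],
               (unsigned)raw.secure_boot, consumer_sees_enabled(&raw),
               (unsigned)checked.secure_boot, consumer_sees_enabled(&checked));
    }
    return 0;
}
```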
