| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Jan 2017 15:27:23 +0000
From: David Howells <dhowells@...hat.com>
To: Matt Fleming <matt@...eblueprint.co.uk>
Cc: dhowells@...hat.com, ard.biesheuvel@...aro.org,
linux-efi@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org
Subject: Re: [PATCH 5/8] efi: Get the secure boot status [ver #6]
Matt Fleming <matt@...eblueprint.co.uk> wrote:
> > + movb $0, BP_secure_boot(%rsi)
> > #ifdef CONFIG_EFI_STUB
> > /*
> > * The entry point for the PE/COFF executable is efi_pe_entry, so
>
> Is clearing ::secure_boot really necessary? Any code path that goes
> via efi_main() will set it correctly and all other code paths should
> get it cleared in sanitize_boot_params(), no?
No.
The boot_params->secure_boot parameter exists whether or not efi_main() is
traversed (ie. if EFI isn't enabled or CONFIG_EFI_STUB=n) and, if not cleared,
is of uncertain value.
Further, sanitize_boot_params() has to be modified by this patch so as not to
clobber the secure_boot flag.
> What's the distinction between the unset and unknown enums?
unset -> The flag was cleared by head.S and efi_get_secureboot() was never
called.
unknown -> efi_get_secureboot() tried and failed to access the EFI variables
that should give the state.
David
Powered by blists - more mailing lists