]> git.ipfire.org Git - thirdparty/systemd.git/commit
projects / thirdparty / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e078490) | patch
boot: skip loading DTBs in type 1 when secure boot is enabled
authorLuca Boccassi <bluca@debian.org>
Sat, 16 Sep 2023 23:23:37 +0000 (00:23 +0100)
committerLuca Boccassi <luca.boccassi@gmail.com>
Tue, 19 Sep 2023 22:21:57 +0000 (23:21 +0100)
commit4b4d612d860a4acbbc22bc64a32637c0eb792cee
tree1bcb60b08f08b1d341fc21d3e46d9b70884d59e0tree | snapshot
parente0784901757efbbad89be7e8b8d0755af14d155acommit | diff
boot: skip loading DTBs in type 1 when secure boot is enabled

The kernel loads the DTB from EFI before ExitBootServices():

https://github.com/torvalds/linux/blob/v6.5/drivers/firmware/efi/libstub/fdt.c#L245

DTBs can map and assign arbitrary memory ranges. The kernel refuses
to load one from the dtb= kernel command line parameter when secure
boot is enabled, as it's not safe. Let's do the same for type 1
entries, as they are unverified.

This only affects arm64 and riscv64, firmwares do not support DTB
on x86.
src/boot/efi/boot.c diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.