From: Jan Janssen
Date: Mon, 3 Jan 2022 10:29:49 +0000 (+0100)
Subject: boot: Prevent stub command line editing under secure boot
X-Git-Tag: v251-rc1~592^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7ffc4f4748e559a4c5583df01b70e91e8ca8e54c;p=thirdparty%2Fsystemd.git

boot: Prevent stub command line editing under secure boot
---

diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
index f054ad18b9b..356de0dd672 100644
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@@ -44,6 +44,7 @@ enum loader_type {
 LOADER_UNDEFINED,
 LOADER_EFI,
 LOADER_LINUX,
+ LOADER_STUB,
 };

 typedef struct {
@@ -857,8 +858,18 @@ static BOOLEAN menu_run(
 case KEYPRESS(0, 0, 'e'):
 case KEYPRESS(0, 0, 'E'):
 /* only the options of configured entries can be edited */
- if (!config->editor || config->entries[idx_highlight]->type == LOADER_UNDEFINED)
+ if (!config->editor || !IN_SET(config->entries[idx_highlight]->type,
+ LOADER_EFI, LOADER_LINUX, LOADER_STUB))
 break;
+
+ /* The stub will not accept command line options when secure boot is enabled * unless there is none embedded in the image. Do not try to pretend we * can edit it to only have it be ignored. */
+ if (config->entries[idx_highlight]->type == LOADER_STUB &&
+ secure_boot_enabled() &&
+ config->entries[idx_highlight]->options)
+ break;
+
 /* The edit line may end up on the last line of the screen. And even though we're
 * not telling the firmware to advance the line, it still does in this one case,
 * causing a scroll to happen that screws with our beautiful boot loader output.
@@ -2106,7 +2117,7 @@ static void config_entry_add_linux(
 entry = config_entry_add_loader(
 config,
 device,
- LOADER_LINUX,
+ LOADER_STUB,
 f->FileName,
 /* key= */ 'l',
 good_name,
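Review bot: The new stub check in menu_run dereferences `config->entries[idx_highlight]` three times across the two `if` statements; hoisting it into a local before the first test, so the second reads `if (entry->type == LOADER_STUB && secure_boot_enabled() && entry->options) break;`, keeps the condition on one line and reads as one rule instead of two. The condition also mirrors a policy the stub enforces on its own side (the comment says the stub ignores the options in that case), and the stub's check is not in this diff, so a short marker such as `/* Keep in sync with the stub's secure-boot handling of embedded options */` would tell the next reader that the two must change together. Since config_entry_add_linux now tags its entries LOADER_STUB (third hunk), any other `LOADER_LINUX` comparisons elsewhere in boot.c that are not visible here would no longer match those entries — presumably intended, but worth confirming. menu_run's body starts and ends outside this hunk.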