The patch
ccb478ac "Add encrypted file support" removes two
result = KEXEC_LOAD_SIGNATURE_FAILURE;
statements from after the `if (verify_file_signature)` lines for the
kernel and cmdline signatures. This appears to have been a mistake that
snuck through testing, and would allow incorrect signatures to pass
validation.
Also fix up some confusing indenting in the decryption section.
Reported-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
local_image_signature,
authorized_signatures_handle,
"/etc/gpg"))
local_image_signature,
authorized_signatures_handle,
"/etc/gpg"))
+ result = KEXEC_LOAD_SIGNATURE_FAILURE;
if (verify_file_signature(cmdline_template,
local_cmdline_signature,
authorized_signatures_handle,
"/etc/gpg"))
if (verify_file_signature(cmdline_template,
local_cmdline_signature,
authorized_signatures_handle,
"/etc/gpg"))
+ result = KEXEC_LOAD_SIGNATURE_FAILURE;
if (boot_task->local_initrd_signature)
if (verify_file_signature(initrd_filename,
if (boot_task->local_initrd_signature)
if (verify_file_signature(initrd_filename,
"/etc/gpg"))
result = KEXEC_LOAD_SIGNATURE_FAILURE;
if (boot_task->local_initrd)
"/etc/gpg"))
result = KEXEC_LOAD_SIGNATURE_FAILURE;
if (boot_task->local_initrd)
- if (decrypt_file(initrd_filename,
+ if (decrypt_file(initrd_filename,
authorized_signatures_handle,
"/etc/gpg"))
result = KEXEC_LOAD_DECRYPTION_FALURE;
authorized_signatures_handle,
"/etc/gpg"))
result = KEXEC_LOAD_DECRYPTION_FALURE;
free(auth_sig_line);
return ret;
free(auth_sig_line);
return ret;
-}
\ No newline at end of file
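Review bot: The restored `result = KEXEC_LOAD_SIGNATURE_FAILURE;` lines for the kernel and cmdline checks are again unbraced bodies under a multi-line `if (verify_file_signature(...))`, which is the shape that let the earlier removal go unnoticed. As the old side reads here, once the assignment was gone the next `if` became the body of the previous one, so the file still compiled and a failure was recorded only if every later check in the chain also failed. Bracing each check, `if (verify_file_signature(...)) { result = KEXEC_LOAD_SIGNATURE_FAILURE; }`, would make a dropped assignment show up as an empty block instead of silently re-parenting the following statement. Since the commit message says the mistake got through testing, a test that supplies a bad kernel or cmdline signature and expects `KEXEC_LOAD_SIGNATURE_FAILURE` would be worth adding with this fix. The enclosing function starts and ends outside the visible hunks, so any outer guard on these checks is not visible here.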