
[xen staging] xen/efi: Do not check kernel signature if it was embedded



commit 623c365951f991e57395e0fb9b0ce1f8847d2583
Author:     Frediano Ziglio <frediano.ziglio@xxxxxxxxx>
AuthorDate: Mon Jun 23 10:50:13 2025 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Mon Jun 23 10:50:13 2025 +0200

    xen/efi: Do not check kernel signature if it was embedded
    
    Using a UKI it's possible to embed the Linux kernel into the xen.efi file.
    In this case the signature for Secure Boot is applied to the
    whole xen.efi, including the kernel.
    So checking for a specific signature for the kernel is not
    needed.
    
    Signed-off-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxx>
    Reviewed-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
---
 xen/common/efi/boot.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
index e39fbc3529..fb3b120982 100644
--- a/xen/common/efi/boot.c
+++ b/xen/common/efi/boot.c
@@ -1291,6 +1291,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE 
ImageHandle,
     bool base_video = false;
     const char *option_str;
     bool use_cfg_file;
+    bool kernel_verified = false;
     int dt_modules_found;
 
     __set_bit(EFI_BOOT, &efi_flags);
@@ -1461,6 +1462,11 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE 
ImageHandle,
             read_file(dir_handle, s2w(&name), &kernel, option_str);
             efi_bs->FreePool(name.w);
         }
+        else
+        {
+            /* Kernel was embedded so Xen signature includes it. */
+            kernel_verified = true;
+        }
 
         if ( !read_section(loaded_image, L"ramdisk", &ramdisk, NULL) )
         {
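Review bot: the else branch that sets `kernel_verified = true;` records trust without saying what it rests on; the comment should state explicitly that an embedded section is covered only by whatever authentication the firmware (or shim) applied to xen.efi as a whole, i.e. it inherits the Xen binary's own trust and nothing more, e.g. `/* Kernel embedded in xen.efi: covered by the image signature the firmware already checked, so no separate verification. */`. Worth a word too that the `ramdisk` section read just below via read_section() gets no equivalent flag; in the visible code only the kernel is ever passed to shim_lock->Verify(), so that is consistent, but a one-line note would spare the next reader the question.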
@@ -1534,6 +1540,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE 
ImageHandle,
      * verify it.
      */
     if ( kernel.ptr &&
+         !kernel_verified &&
          !EFI_ERROR(efi_bs->LocateProtocol(&shim_lock_guid, NULL,
                                            (void **)&shim_lock)) &&
          (status = shim_lock->Verify(kernel.ptr, kernel.size)) != EFI_SUCCESS )
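Review bot: the block comment ending at `* verify it.` still describes unconditional shim verification of the kernel; with `!kernel_verified &&` added to the condition it should mention the new exception, e.g. "... verify it, unless the kernel was embedded in xen.efi and is therefore already covered by Xen's own signature." Placing `!kernel_verified` ahead of the LocateProtocol() call also means `shim_lock` is never looked up (and never assigned) when the kernel is embedded; that is fine for this condition, but if anything later in efi_start() relies on `shim_lock` having been populated it would need checking.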
--
generated by git-patchbot for /home/xen/git/xen.git#staging
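As an added illustration (not Xen's code and not part of this patch), the following C program walks the PE/COFF section table of an on-disk EFI image to locate a named payload section, which is the mechanism that lets a UKI-style xen.efi carry the kernel, and then makes the same decision the patch makes: a kernel found inside the already-verified image needs no separate shim verification, a kernel loaded from a separate file does. Assumptions: the section is named `.kernel` (Xen's `read_section()` looks a name up on the loaded image; the exact naming convention is not shown on this page), the walker uses on-disk offsets (`PointerToRawData`) rather than the in-memory `VirtualAddress` Xen's loader would use, and the sample image is constructed inline with a fake payload string. The function names are this example's own.

```c
/* Added example: PE/COFF section lookup for an EFI image with an embedded
 * kernel. Not Xen code; the ".kernel" name and on-disk offsets are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PE_SIG_OFF   0x3c   /* e_lfanew: offset of the "PE\0\0" signature      */
#define COFF_HDR_LEN 20     /* COFF file header after the 4-byte signature      */
#define SECT_HDR_LEN 40     /* one IMAGE_SECTION_HEADER                         */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for ( int i = 0; i < 4; i++ ) p[i] = (v >> (8 * i)) & 0xff; }

/* Locate section `name` (at most 8 chars, NUL padded) in an on-disk PE image.
 * Every offset taken from the headers is checked against `len`, so a truncated
 * or hostile image yields NULL instead of an out-of-bounds read. */
const uint8_t *pe_find_section(const uint8_t *img, size_t len,
                               const char *name, size_t *size)
{
    if ( len < PE_SIG_OFF + 4 || img[0] != 'M' || img[1] != 'Z' )
        return NULL;
    uint32_t pe_off = rd32(img + PE_SIG_OFF);
    if ( pe_off > len || len - pe_off < 4 + COFF_HDR_LEN ||
         memcmp(img + pe_off, "PE\0\0", 4) != 0 )
        return NULL;
    const uint8_t *coff = img + pe_off + 4;
    uint16_t nsect = rd16(coff + 2);      /* NumberOfSections     */
    uint16_t opt_len = rd16(coff + 16);   /* SizeOfOptionalHeader */
    size_t sect_off = (size_t)pe_off + 4 + COFF_HDR_LEN + opt_len;
    if ( sect_off > len || (len - sect_off) / SECT_HDR_LEN < nsect )
        return NULL;

    char want[8] = { 0 };                 /* section names are 8 bytes, NUL padded */
    size_t n = strlen(name);
    memcpy(want, name, n > 8 ? 8 : n);

    for ( uint16_t i = 0; i < nsect; i++ )
    {
        const uint8_t *s = img + sect_off + (size_t)i * SECT_HDR_LEN;
        if ( memcmp(s, want, 8) != 0 )
            continue;
        uint32_t raw_len = rd32(s + 16);  /* SizeOfRawData    */
        uint32_t raw_off = rd32(s + 20);  /* PointerToRawData */
        if ( raw_off > len || len - raw_off < raw_len )
            return NULL;                  /* header points past the file */
        *size = raw_len;
        return img + raw_off;
    }
    return NULL;
}

/* The decision the patch encodes: only a kernel that is NOT embedded in the
 * (already firmware-verified) image needs its own shim_lock->Verify() call. */
int kernel_needs_shim_verify(const uint8_t *img, size_t len)
{
    size_t sz;
    return pe_find_section(img, len, ".kernel", &sz) == NULL;
}

/* Constructed sample: MZ stub, PE32+ headers, a .text section and optionally a
 * .kernel section holding a fake payload. Returns the image length (0 on error). */
size_t build_sample_image(uint8_t *buf, size_t cap, int with_kernel)
{
    static const char payload[] = "vmlinuz-bytes";      /* fake kernel bytes */
    const uint32_t pe_off = 0x80, opt_len = 0xF0;      /* PE32+ optional header */
    size_t sect_off = pe_off + 4 + COFF_HDR_LEN + opt_len;
    size_t data_off = sect_off + 2 * SECT_HDR_LEN;
    size_t total = data_off + 16 + sizeof(payload);
    if ( cap < total )
        return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + PE_SIG_OFF, pe_off);
    memcpy(buf + pe_off, "PE\0\0", 4);
    wr16(buf + pe_off + 4 + 2, with_kernel ? 2 : 1);
    wr16(buf + pe_off + 4 + 16, (uint16_t)opt_len);
    wr16(buf + pe_off + 4 + COFF_HDR_LEN, 0x20b);       /* PE32+ magic, cosmetic */

    uint8_t *s = buf + sect_off;                        /* .text: 16 zero bytes */
    memcpy(s, ".text", 5);
    wr32(s + 16, 16);
    wr32(s + 20, (uint32_t)data_off);
    if ( with_kernel )
    {
        s += SECT_HDR_LEN;
        memcpy(s, ".kernel", 7);
        wr32(s + 16, (uint32_t)sizeof(payload));
        wr32(s + 20, (uint32_t)(data_off + 16));
        memcpy(buf + data_off + 16, payload, sizeof(payload));
    }
    return total;
}

int main(void)
{
    uint8_t img[1024];
    size_t sz = 0, n = build_sample_image(img, sizeof img, 1);
    const uint8_t *k = pe_find_section(img, n, ".kernel", &sz);
    printf("embedded: %s (%zu bytes), shim verify needed: %d\n",
           k ? (const char *)k : "none", sz, kernel_needs_shim_verify(img, n));
    n = build_sample_image(img, sizeof img, 0);
    printf("not embedded, shim verify needed: %d\n", kernel_needs_shim_verify(img, n));
    return 0;
}
```

What the walker makes concrete is why the commit message's claim holds: the section table and every section's raw data lie inside the region the Authenticode hash of xen.efi covers (only the checksum field and the certificate table are excluded from it), so a kernel stored this way cannot be swapped without breaking the signature the firmware or shim checks on xen.efi itself. The converse caveat also follows: if that signature was never checked (Secure Boot disabled, or no shim present), nothing in the image was, so skipping shim_lock->Verify() for the embedded kernel neither adds to nor subtracts from the trust the platform already placed in Xen.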