
[Xen-devel] [PATCH 1/2] common/efi: bail if dom0 fails the shim verification step



From: Tamas K Lengyel <lengyelt@xxxxxxxxxxxx>

If the shim protocol is located it is expected that the dom0 kernel image
will also pass the shim verification.

Signed-off-by: Tamas K Lengyel <lengyelt@xxxxxxxxxxxx>
Cc: Jan Beulich <jbeulich@xxxxxxxx>
---
 xen/common/efi/boot.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
index 01d33004e0..a3a439b838 100644
--- a/xen/common/efi/boot.c
+++ b/xen/common/efi/boot.c
@@ -1226,9 +1226,13 @@ efi_start(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE 
*SystemTable)
         efi_bs->FreePool(name.w);
 
         if ( !EFI_ERROR(efi_bs->LocateProtocol(&shim_lock_guid, NULL,
-                        (void **)&shim_lock)) &&
-             (status = shim_lock->Verify(kernel.ptr, kernel.size)) != 
EFI_SUCCESS )
-            PrintErrMesg(L"Dom0 kernel image could not be verified", status);
+                        (void **)&shim_lock)))
+        {
+            if  ( shim_lock->Verify(kernel.ptr, kernel.size) != EFI_SUCCESS )
+                blexit(L"Dom0 kernel image could not be verified by the 
shim.");
+
+            PrintStr(L"Dom0 kernel image was verified by the shim.\r\n");
+        }
 
         name.s = get_value(&cfg, section.s, "ramdisk");
         if ( name.s )
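
Review bot: The EFI status returned by shim_lock->Verify() is discarded in the new `if  ( shim_lock->Verify(kernel.ptr, kernel.size) != EFI_SUCCESS )` line, so the failure path can no longer report why verification failed, whereas the removed PrintErrMesg() call was passed `status`. Consider keeping the `status = shim_lock->Verify(...)` assignment and including the status in the failure report before exiting, so a rejected image can be told apart from other Verify() errors when diagnosing a failed secure boot. Style: there is a doubled space after `if` on that same line. Also note that when LocateProtocol() fails the block is skipped without any output, so the boot log gives no indication that the dom0 kernel was not verified; a short message on that path would make the unverified case visible.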
-- 
2.11.0


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 

