
Commit 5fec863

author
Teddy Reed
committed
Invert EFI SB verify return codes
grub_linuxefi_secure_validate should return success iff shim_lock exists and verification succeeds. The linuxefi command should not free the kernel buffer twice.
1 parent 7e08046 commit 5fec863


2 files changed

+5
-7
lines changed


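--- a/grub-core/loader/efi/linux.c
+++ b/grub-core/loader/efi/linux.c
@@ -41,13 +41,12 @@ grub_linuxefi_secure_validate (void *data, grub_uint32_t size)
 
 shim_lock = grub_efi_locate_protocol(&guid, NULL);
 
-if (!shim_lock)
-return 1;
+if (!shim_lock || shim_lock->verify(data, size) != GRUB_EFI_SUCCESS) {
+/* The SHIM_LOCK protocol is missing or verification failed. */
+return 0;
+}
 
-if (shim_lock->verify(data, size) == GRUB_EFI_SUCCESS)
-return 1;
-
-return 0;
+return 1;
 }
 
 typedef void (*handover_func) (void *, grub_efi_system_table_t *, void *);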
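Review bot: The merged condition in grub_linuxefi_secure_validate returns 0 for two different causes, a missing shim lock protocol and a rejected image, and the caller in grub-core/loader/i386/efi/linux.c reports both as "%s has invalid signature". On a machine booted without shim (or, presumably, with Secure Boot off; no such check is visible in this hunk) the operator would be told the kernel signature is bad when nothing was verified at all. Consider testing the missing-protocol case separately so it logs its own reason while keeping the fail-closed result, e.g. `if (!shim_lock) { grub_dprintf ("linuxefi", "shim lock protocol not found\n"); return 0; }`. The 1 = verified / 0 = rejected contract also deserves a header comment such as `/* Returns 1 only if the shim lock protocol is present and its verify() accepts the image; 0 otherwise. */`; the function begins above the hunk, so that comment would sit outside the lines shown.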

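--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -187,7 +187,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 if (! grub_linuxefi_secure_validate (kernel, filelen))
 {
 grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"), argv[0]);
-grub_free (kernel);
 goto fail;
 }
 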