Permalink
Browse files

Invert EFI SB verify return codes

grub_linuxefi_secure_validate should return success iff shim_lock exists and verification succeeds.
The linuxefi command should not free the kernel buffer twice.
  • Loading branch information...
1 parent 7e08046 commit 5fec86351d793cb2eef4dc5abddb22d193348be3 @theopolis committed Oct 15, 2015
Showing with 5 additions and 7 deletions.
  1. +5 −6 grub-core/loader/efi/linux.c
  2. +0 −1 grub-core/loader/i386/efi/linux.c
@@ -41,13 +41,12 @@ grub_linuxefi_secure_validate (void *data, grub_uint32_t size)
shim_lock = grub_efi_locate_protocol(&guid, NULL);
- if (!shim_lock)
- return 1;
+ if (!shim_lock || shim_lock->verify(data, size) != GRUB_EFI_SUCCESS) {
+ /* The SHIM_LOCK protocol is missing or verification failed. */
+ return 0;
+ }
- if (shim_lock->verify(data, size) == GRUB_EFI_SUCCESS)
- return 1;
-
- return 0;
+ return 1;
}
typedef void (*handover_func) (void *, grub_efi_system_table_t *, void *);
@@ -187,7 +187,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
if (! grub_linuxefi_secure_validate (kernel, filelen))
{
grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"), argv[0]);
- grub_free (kernel);
goto fail;
}

0 comments on commit 5fec863

Please sign in to comment.