summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBrett Grandbois <brett.grandbois@opengear.com>2018-05-16 13:23:49 +1000
committerSamuel Mendoza-Jonas <sam@mendozajonas.com>2018-05-23 11:09:38 +1000
commit1214247667d138e2fa1748f4f270e5fc80010377 (patch)
treed3f499e91f2cf4e919682e308e51c33509391aa5
parent80c9b417ea3e450c00aac0e93072b85a2c96a484 (diff)
downloadtalos-petitboot-1214247667d138e2fa1748f4f270e5fc80010377.zip
talos-petitboot-1214247667d138e2fa1748f4f270e5fc80010377.tar.gz
discover/boot: abort kexec on any error from validation
gpg_validate_boot_files() can return error codes for a variety of reasons but kexec_load only aborts for signature or decryption failure. In any other failure case like unable to open LOCKDOWN_FILE or do the secure copy the validation is bypassed by an early return but kexec_load does not abort. Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
-rw-r--r--discover/boot.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/discover/boot.c b/discover/boot.c
index 0da40e3..09e42f2 100644
--- a/discover/boot.c
+++ b/discover/boot.c
@@ -76,13 +76,13 @@ static int kexec_load(struct boot_task *boot_task)
if (result == KEXEC_LOAD_DECRYPTION_FALURE) {
pb_log("%s: Aborting kexec due to"
" decryption failure\n", __func__);
- goto abort_kexec;
}
if (result == KEXEC_LOAD_SIGNATURE_FAILURE) {
pb_log("%s: Aborting kexec due to signature"
" verification failure\n", __func__);
- goto abort_kexec;
}
+
+ goto abort_kexec;
}
const char* local_initrd = (boot_task->local_initrd_override) ?
OpenPOWER on IntegriCloud