author | Brett Grandbois <brett.grandbois@opengear.com> | 2018-05-16 13:23:49 +1000 |
---|---|---|
committer | Samuel Mendoza-Jonas <sam@mendozajonas.com> | 2018-05-23 11:09:38 +1000 |
commit | 1214247667d138e2fa1748f4f270e5fc80010377 (patch) | |
tree | d3f499e91f2cf4e919682e308e51c33509391aa5 /discover/boot.c | |
parent | 80c9b417ea3e450c00aac0e93072b85a2c96a484 (diff) | |
discover/boot: abort kexec on any error from validation
gpg_validate_boot_files() can return error codes for a variety of
reasons but kexec_load only aborts for signature or decryption failure.
In any other failure case like unable to open LOCKDOWN_FILE or do the
secure copy the validation is bypassed by an early return but kexec_load
does not abort.
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Diffstat (limited to 'discover/boot.c')
-rw-r--r-- | discover/boot.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/discover/boot.c b/discover/boot.c index 0da40e3..09e42f2 100644 --- a/discover/boot.c +++ b/discover/boot.c @@ -76,13 +76,13 @@ static int kexec_load(struct boot_task *boot_task) if (result == KEXEC_LOAD_DECRYPTION_FALURE) { pb_log("%s: Aborting kexec due to" " decryption failure\n", __func__); - goto abort_kexec; } if (result == KEXEC_LOAD_SIGNATURE_FAILURE) { pb_log("%s: Aborting kexec due to signature" " verification failure\n", __func__); - goto abort_kexec; } + + goto abort_kexec; } const char* local_initrd = (boot_task->local_initrd_override) ? |
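Review bot: With the unconditional `goto abort_kexec;` now at the end of the block, any result other than KEXEC_LOAD_DECRYPTION_FALURE or KEXEC_LOAD_SIGNATURE_FAILURE aborts the kexec without a log line, so the failure cases the commit message names (unable to open LOCKDOWN_FILE, secure copy failing) leave no record of why boot stopped. Consider a fallback `pb_log()` that prints the numeric result just before the goto, and making the two checks an `if`/`else if`/`else` chain so exactly one message is emitted per failure. The condition guarding the enclosing block is outside the visible context, so it is worth confirming that it is true only for a non-zero return from gpg_validate_boot_files(); otherwise the new goto would also abort a successful validation.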