Commit
boot: skip loading DTBs in type 1 when secure boot is enabled
The kernel loads the DTB from EFI before ExitBootServices(): https://github.com/torvalds/linux/blob/v6.5/drivers/firmware/efi/libstub/fdt.c#L245

DTBs can map and assign arbitrary memory ranges. The kernel refuses to load one from the dtb= kernel command line parameter when secure boot is enabled, as it's not safe. Let's do the same for type 1 entries, as they are unverified.

This only affects arm64 and riscv64; firmware does not support DTB on x86.

(cherry picked from commit 4b4d612)