boot: skip loading DTBs in type 1 when secure boot is enabled #328
Commits on Sep 20, 2023
-
boot: skip loading DTBs in type 1 when secure boot is enabled
The kernel loads the DTB from EFI before ExitBootServices(): https://github.com/torvalds/linux/blob/v6.5/drivers/firmware/efi/libstub/fdt.c#L245 DTBs can map and assign arbitrary memory ranges. The kernel refuses to load one from the dtb= kernel command line parameter when secure boot is enabled, as it's not safe. Let's do the same for type 1 entries, as they are unverified. This only affects arm64 and riscv64, firmwares do not support DTB on x86. (cherry picked from commit 4b4d612) (cherry picked from commit c1404ff) (cherry picked from commit 7844c65) (cherry picked from commit f381320) (cherry picked from commit 3c97ff5)
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.