ChuanN-sudo/u-boot
1
0
Fork 0
forked from OERV-BSP/u-boot
Code Pull Requests Activity

efi_loader: improve error handling in try_load_entry()

Browse Source 
The image is not unloaded if a security violation occurs.

If efi_set_load_options() fails, we do not free the memory allocated for
the optional data. We do not unload the image.

* Unload the image if a security violation occurs.
* Free load_options if efi_set_load_options() fails.
* Unload the image if efi_set_load_options() fails.

Fixes: 53f6a5aa86 ("efi_loader: Replace config option for initrd loading")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
This commit is contained in:
Heinrich Schuchardt
2024-04-22 10:41:00 +02:00
parent 84aab11d35
commit 566f067349
4 changed files with 72 additions and 73 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
test/py/tests/test_efi_secboot/test_signed.py
View File

@@ -62,13 +62,13 @@ class TestEfiSignedImage(object):
'efidebug boot order 1',
'efidebug test bootmgr'])
assert('\'HELLO1\' failed' in ''.join(output))
assert('efi_start_image() returned: 26' in ''.join(output))
assert('efi_bootmgr_load() returned: 26' in ''.join(output))
output = u_boot_console.run_command_list([
'efidebug boot add -b 2 HELLO2 host 0:1 /helloworld.efi -s ""',
'efidebug boot order 2',
'efidebug test bootmgr'])
assert '\'HELLO2\' failed' in ''.join(output)
assert 'efi_start_image() returned: 26' in ''.join(output)
assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
with u_boot_console.log.section('Test Case 2b'):
# Test Case 2b, authenticated by db
@@ -80,7 +80,7 @@ class TestEfiSignedImage(object):
'efidebug boot order 2',
'efidebug test bootmgr'])
assert '\'HELLO2\' failed' in ''.join(output)
assert 'efi_start_image() returned: 26' in ''.join(output)
assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
output = u_boot_console.run_command_list([
'efidebug boot order 1',
'bootefi bootmgr'])
@@ -108,7 +108,7 @@ class TestEfiSignedImage(object):
'efidebug boot order 1',
'efidebug test bootmgr'])
assert '\'HELLO\' failed' in ''.join(output)
assert 'efi_start_image() returned: 26' in ''.join(output)
assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
with u_boot_console.log.section('Test Case 3b'):
# Test Case 3b, rejected by dbx even if db allows
@@ -120,7 +120,7 @@ class TestEfiSignedImage(object):
'efidebug boot order 1',
'efidebug test bootmgr'])
assert '\'HELLO\' failed' in ''.join(output)
assert 'efi_start_image() returned: 26' in ''.join(output)
assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
def test_efi_signed_image_auth4(self, u_boot_console, efi_boot_env):
"""
@@ -146,7 +146,7 @@ class TestEfiSignedImage(object):
'efidebug boot order 1',
'efidebug test bootmgr'])
assert '\'HELLO\' failed' in ''.join(output)
assert 'efi_start_image() returned: 26' in ''.join(output)
assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
def test_efi_signed_image_auth5(self, u_boot_console, efi_boot_env):
"""
@@ -196,7 +196,7 @@ class TestEfiSignedImage(object):
'efidebug boot order 1',
'efidebug test bootmgr'])
assert '\'HELLO\' failed' in ''.join(output)
assert 'efi_start_image() returned: 26' in ''.join(output)
assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
with u_boot_console.log.section('Test Case 5d'):
# Test Case 5d, rejected if both of signatures are revoked
@@ -208,7 +208,7 @@ class TestEfiSignedImage(object):
'efidebug boot order 1',
'efidebug test bootmgr'])
assert '\'HELLO\' failed' in ''.join(output)
assert 'efi_start_image() returned: 26' in ''.join(output)
assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
# Try rejection in reverse order.
u_boot_console.restart_uboot()
@@ -233,7 +233,7 @@ class TestEfiSignedImage(object):
'efidebug boot order 1',
'efidebug test bootmgr'])
assert '\'HELLO\' failed' in ''.join(output)
assert 'efi_start_image() returned: 26' in ''.join(output)
assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env):
"""
@@ -268,7 +268,7 @@ class TestEfiSignedImage(object):
'efidebug boot order 1',
'efidebug test bootmgr'])
assert '\'HELLO\' failed' in ''.join(output)
assert 'efi_start_image() returned: 26' in ''.join(output)
assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
with u_boot_console.log.section('Test Case 6c'):
# Test Case 6c, rejected by image's digest in dbx
@@ -282,7 +282,7 @@ class TestEfiSignedImage(object):
'efidebug boot order 1',
'efidebug test bootmgr'])
assert '\'HELLO\' failed' in ''.join(output)
assert 'efi_start_image() returned: 26' in ''.join(output)
assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
def test_efi_signed_image_auth7(self, u_boot_console, efi_boot_env):
"""
@@ -310,7 +310,7 @@ class TestEfiSignedImage(object):
'efidebug boot order 1',
'efidebug test bootmgr'])
assert '\'HELLO\' failed' in ''.join(output)
assert 'efi_start_image() returned: 26' in ''.join(output)
assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
# sha512 of an x509 cert in dbx
u_boot_console.restart_uboot()
@@ -333,7 +333,7 @@ class TestEfiSignedImage(object):
'efidebug boot order 1',
'efidebug test bootmgr'])
assert '\'HELLO\' failed' in ''.join(output)
assert 'efi_start_image() returned: 26' in ''.join(output)
assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
def test_efi_signed_image_auth8(self, u_boot_console, efi_boot_env):
"""
@@ -368,4 +368,4 @@ class TestEfiSignedImage(object):
'efidebug test bootmgr'])
assert(not 'hELLO, world!' in ''.join(output))
assert('\'HELLO1\' failed' in ''.join(output))
assert('efi_start_image() returned: 26' in ''.join(output))
assert('efi_bootmgr_load() returned: 26' in ''.join(output))