| author | Mate Kukri <mate.kukri@canonical.com> | 2024-05-24 10:54:12 +0100 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2025-02-11 10:43:37 -0500 |
| commit | 5d172787d5fa7faafcaf5fe62ad36819bb51ba54 (patch) | |
| tree | 8d91538aad9ce26cc40129b77a39e5e2ad31317a /include/netboot.h | |
| parent | 2bff46034aeefe4b266b6d6dd7d6cd771c1bf4de (diff) | |

loader-proto: Mark load_image()'s handle_image() call as "in_protocol"

When verifying an image, if we're "in" a shim protocol call, we require
the binary have an SBAT section. If it's not present we raise an
EFI_SECURITY_VIOLATION error code. Currently loader protocol's
load_image() is not marked as in protocol, so it instead will return
EFI_SUCCESS when verifying the SBAT section.

This patch changes that to be in protocol, so that SBAT will be required
on any images loaded with shim's loader protocol. This will bring SBAT
enforcement in-line with the shim_lock protocol.

Signed-off-by: Mate Kukri <mate.kukri@canonical.com>

Diffstat (limited to 'include/netboot.h')
0 files changed, 0 insertions, 0 deletions
