efi_loader: don't load signature database from file

The UEFI specification requires that the signature database may only be stored in tamper-resistant storage. So these variable may not be read from an unsigned file. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
author: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 2021-08-25 20:13:24 +0300
committer: Heinrich Schuchardt <xypron.glpk@gmx.de> 2021-09-04 13:03:57 +0300
commit: 9ef82e29478c76f17b536f8f289fd0406067ab01 (patch)
tree: 50276c339c16fc0dddce721de81515e980c4a89b /include/efi_variable.h
parent: f3a343d7339acf1d531e438e15fef3c7975cfdcf (diff)
download: u-boot-9ef82e29478c76f17b536f8f289fd0406067ab01.tar.xz
1 files changed, 4 insertions, 1 deletions
diff --git a/include/efi_variable.h b/include/efi_variable.h
index 4623a64142..2d97655e1f 100644
--- a/include/efi_variable.h
+++ b/include/efi_variable.h
@@ -161,10 +161,13 @@ efi_status_t __maybe_unused efi_var_collect(struct efi_var_file **bufp, loff_t *
 /**
  * efi_var_restore() - restore EFI variables from buffer
  *
+ * Only if @safe is set secure boot related variables will be restored.
+ *
  * @buf:	buffer
+ * @safe:	restoring from tamper-resistant storage
  * Return:	status code
  */
-efi_status_t efi_var_restore(struct efi_var_file *buf);
+efi_status_t efi_var_restore(struct efi_var_file *buf, bool safe);
 
 /**
  * efi_var_from_file() - read variables from file
author	Heinrich Schuchardt <heinrich.schuchardt@canonical.com>	2021-08-25 20:13:24 +0300
committer	Heinrich Schuchardt <xypron.glpk@gmx.de>	2021-09-04 13:03:57 +0300
commit	9ef82e29478c76f17b536f8f289fd0406067ab01 (patch)
tree	50276c339c16fc0dddce721de81515e980c4a89b /include/efi_variable.h
parent	f3a343d7339acf1d531e438e15fef3c7975cfdcf (diff)
download	u-boot-9ef82e29478c76f17b536f8f289fd0406067ab01.tar.xz