Date: Thu, 19 Sep 2013 14:12:22 +0400
From: Andrey Borzenkov
To: grub-devel@gnu.org
Subject: Re: [PATCH v2 2/5] load_env support for whitelisting which variables are read from an env file, even if check_signatures=enforce
Message-ID: <20130919141222.3c8ad589@opensuse.site>

On Mon, 9 Sep 2013 08:34:10 -0700 Jonathan McCune wrote:

>
> > Now if you could come up with solution that maintains compatibility
> > with existing grub.cfg, that would be valid reason. But right now
> > grub.cfg must be changed anyway at which point just save untrusted
> > variables separately from trusted.
> >
> >
> I don't think my changes break compatibility with anybody's existing
> grub.cfg. Can you be more specific?
>

Currently grub.cfg loads all variables from the environment block. Your
change would require changing it to load only whitelisted variables.
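
The two behaviours contrasted in this reply, as an added example that is not part of the original message or of GRUB's code: a simplified Python model of reading a GRUB environment block (a 1024-byte file that begins with `# GRUB Environment Block` and is padded with `#`) with and without a whitelist. The function names and sample variables are assumptions, and backslash escapes in values are not handled.

```python
# Added example: a simplified model, not GRUB source code.
# All function names and sample variables here are hypothetical.
SIGNATURE = b"# GRUB Environment Block\n"
BLOCK_SIZE = 1024


def make_envblk(pairs):
    """Build a constructed 1024-byte environment block padded with '#'."""
    body = b"".join(f"{k}={v}\n".encode() for k, v in pairs)
    data = SIGNATURE + body
    return data + b"#" * (BLOCK_SIZE - len(data))


def parse_envblk(block):
    """Return every name=value entry in the block as a dict."""
    if not block.startswith(SIGNATURE):
        raise ValueError("missing environment block signature")
    entries = {}
    for line in block[len(SIGNATURE):].split(b"\n"):
        if not line or line.startswith(b"#") or b"=" not in line:
            continue  # padding or comment, not a variable
        name, value = line.split(b"=", 1)
        entries[name.decode()] = value.decode()
    return entries


def load_env(block, whitelist=None):
    """Model of the two behaviours discussed in the thread.

    whitelist=None  -> every variable in the block is loaded.
    whitelist=[...] -> only the named variables are loaded.
    """
    entries = parse_envblk(block)
    if whitelist is None:
        return entries
    allowed = set(whitelist)
    return {k: v for k, v in entries.items() if k in allowed}


# Constructed sample block: two expected variables and one nobody reviewed.
SAMPLE = make_envblk([("saved_entry", "2"), ("next_entry", "1"),
                      ("unreviewed_var", "anything")])

if __name__ == "__main__":
    print("load all  :", load_env(SAMPLE))
    print("whitelist :", load_env(SAMPLE, ["saved_entry", "next_entry"]))
```
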