Re: [PATCH v2 2/5] load_env support for whitelisting which variables are read from an env file, even if check_signatures=enforce

grub-devel.gnu.org archive mirror
 help / color / mirror / Atom feed

From: Andrey Borzenkov <arvidjaar@gmail.com>
To: grub-devel@gnu.org
Subject: Re: [PATCH v2 2/5] load_env support for whitelisting which variables are read from an env file, even if check_signatures=enforce
Date: Fri, 6 Sep 2013 23:48:45 +0400	[thread overview]
Message-ID: <20130906234845.4eb45795@opensuse.site> (raw)
In-Reply-To: <1378484333-13577-3-git-send-email-jonmccune@google.com>

В Fri,  6 Sep 2013 09:18:50 -0700
Jon McCune <jonmccune@google.com> пишет:

> This works by adding an open_envblk_file_untrusted() method that bypasses
> signature checking, but only if the invocation of load_env includes a
> whitelist of one or more environment variables that are to be read from the
> file.

What is the use case? load_env is called exactly once at the beginning
of configfile processing. At this point file still has valid signature
assuming grub-editenv (or some other tool) computed one. When do you
need to load environment more than once?

next prev parent reply	other threads:[~2013-09-06 19:49 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-09-06 16:18 [PATCH v2 0/5] Enable savedefault, etc with check_signatures=enforce Jon McCune
2013-09-06 16:18 ` [PATCH v2 1/5] style: indent --no-tabs --gnu-style grub-core/commands/loadenv.c Jon McCune
2013-09-06 16:18 ` [PATCH v2 2/5] load_env support for whitelisting which variables are read from an env file, even if check_signatures=enforce Jon McCune
2013-09-06 19:48   ` Andrey Borzenkov [this message]
2013-09-06 21:10     ` Jonathan McCune
2013-09-07  9:33       ` Andrey Borzenkov
2013-09-09 15:34         ` Jonathan McCune
2013-09-19 10:12           ` Andrey Borzenkov
2013-09-19 18:18             ` Jonathan McCune
2013-09-19  7:18         ` Vladimir 'φ-coder/phcoder' Serbinenko
2013-09-19 10:06           ` Andrey Borzenkov
2013-09-06 16:18 ` [PATCH v2 3/5] save_env should work, " Jon McCune
2013-09-06 16:18 ` [PATCH v2 4/5] Add -k, --pubkey=FILE support to grub-install command Jon McCune
2013-09-06 19:40   ` Andrey Borzenkov
2013-09-06 21:10     ` Jonathan McCune
2013-09-06 16:18 ` [PATCH v2 5/5] Additional security-relevant documentation Jon McCune

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130906234845.4eb45795@opensuse.site \
    --to=arvidjaar@gmail.com \
    --cc=grub-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).