From 0929924b610c8365202e04e3482ecda88e895a1a Mon Sep 17 00:00:00 2001
From: "Simon J. Gerraty" <sjg@FreeBSD.org>
Date: Fri, 21 Aug 2020 00:27:06 +0000
Subject: [PATCH] veloader: insist on verifying .4th .lua etc

When files are read from .rc or .4th, verify_file is asked to
guess the severity (VE_TRY,VE_WANT,VE_MUST)

Reviewed by:	stevek
MFC after:	1 week
Sponsored by:	Juniper Networks
---
 lib/libsecureboot/verify_file.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/libsecureboot/verify_file.c b/lib/libsecureboot/verify_file.c
index ca7c59abeffc..9773b02e5a1d 100644
--- a/lib/libsecureboot/verify_file.c
+++ b/lib/libsecureboot/verify_file.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2017-2018, Juniper Networks, Inc.
+ * Copyright (c) 2017-2020, Juniper Networks, Inc.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -255,6 +255,10 @@ severity_guess(const char *filename)
 		    strcmp(cp, ".cookie") == 0 ||
 			strcmp(cp, ".hints") == 0)
 			return (VE_TRY);
+		if (strcmp(cp, ".4th") == 0 ||
+		    strcmp(cp, ".lua") == 0 ||
+		    strcmp(cp, ".rc") == 0)
+			return (VE_MUST);
 	}
 	return (VE_WANT);
 }