authorIlias Apalodimas <ilias.apalodimas@linaro.org>2022-05-06 15:36:00 +0300
committerHeinrich Schuchardt <heinrich.schuchardt@canonical.com>2022-05-07 23:17:26 +0200
commitb436cc6a57cae017343a549f4b701e748d7e6448 (patch)
treeb109ed047f6936b107e135b04c0e937cd912013a /include
parent3ae6cf5400ee004c309f73f358c1043cf6d8eecc (diff)
efi_loader: add sha384/512 on certificate revocation
Currently we don't support sha384/512 for the X.509 certificate in dbx. Moreover, if we come across such a hash we skip the check and approve the image, although the image might need to be rejected. Rework the code a bit and fix it by adding an array of structs with the supported GUIDs, len and literal used in the U-Boot crypto APIs instead of hardcoding the GUID types. It's worth noting here that efi_hash_regions() can now be reused from efi_signature_lookup_digest(), which adds sha384/512 support there as well. Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Diffstat (limited to 'include')
-rw-r--r--include/efi_api.h6
-rw-r--r--include/efi_loader.h6
2 files changed, 12 insertions, 0 deletions
diff --git a/include/efi_api.h b/include/efi_api.h
index c7f7873..83c0108 100644
--- a/include/efi_api.h
+++ b/include/efi_api.h
@@ -1873,6 +1873,12 @@ struct efi_system_resource_table {
#define EFI_CERT_X509_SHA256_GUID \
EFI_GUID(0x3bd2a492, 0x96c0, 0x4079, 0xb4, 0x20, \
0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed)
+#define EFI_CERT_X509_SHA384_GUID \
+ EFI_GUID(0x7076876e, 0x80c2, 0x4ee6, \
+ 0xaa, 0xd2, 0x28, 0xb3, 0x49, 0xa6, 0x86, 0x5b)
+#define EFI_CERT_X509_SHA512_GUID \
+ EFI_GUID(0x446dbf63, 0x2502, 0x4cda, \
+ 0xbc, 0xfa, 0x24, 0x65, 0xd2, 0xb0, 0xfe, 0x9d)
#define EFI_CERT_TYPE_PKCS7_GUID \
EFI_GUID(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, \
0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7)
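Review bot: The two added macros break the EFI_GUID() argument list after the third argument, while the neighbouring EFI_CERT_X509_SHA256_GUID and EFI_CERT_TYPE_PKCS7_GUID definitions carry the first two byte arguments on the same line; keeping one layout makes the 11-argument lists easier to compare by eye. The values appear to match the UEFI specification's EFI_CERT_X509_SHA384_GUID and EFI_CERT_X509_SHA512_GUID, but a transposed byte here would silently leave dbx entries of that type unrecognised, so a one-line comment naming the spec table they are taken from, e.g. `/* signature database types, see UEFI spec "Signature Database" */`, would help reviewers verify them against the source.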
diff --git a/include/efi_loader.h b/include/efi_loader.h
index effb433..733ee03 100644
--- a/include/efi_loader.h
+++ b/include/efi_loader.h
@@ -300,6 +300,8 @@ extern const efi_guid_t efi_guid_image_security_database;
extern const efi_guid_t efi_guid_sha256;
extern const efi_guid_t efi_guid_cert_x509;
extern const efi_guid_t efi_guid_cert_x509_sha256;
+extern const efi_guid_t efi_guid_cert_x509_sha384;
+extern const efi_guid_t efi_guid_cert_x509_sha512;
extern const efi_guid_t efi_guid_cert_type_pkcs7;
/* GUID of RNG protocol */
@@ -677,6 +679,10 @@ efi_status_t efi_file_size(struct efi_file_handle *fh, efi_uintn_t *size);
/* get a device path from a Boot#### option */
struct efi_device_path *efi_get_dp_from_boot(const efi_guid_t guid);
+/* get len, string (used in u-boot crypto from a guid */
+const char *guid_to_sha_str(const efi_guid_t *guid);
+int algo_to_len(const char *algo);
+
/**
* efi_size_in_pages() - convert size in bytes to size in pages
*
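Review bot: The comment above the two new prototypes, `/* get len, string (used in u-boot crypto from a guid */`, has an unbalanced parenthesis and does not follow the kernel-doc `/** ... */` form that efi_size_in_pages() uses right below it, so the header never says what guid_to_sha_str() and algo_to_len() return when the GUID or algorithm name is not one of the supported entries. That value matters: the description says an unrecognised hash previously led to the image being approved, so a caller doing the dbx check needs to know which sentinel (presumably NULL and 0 or a negative length; the implementation is not in this diff) it must treat as reject rather than skip. I would replace the comment with two kernel-doc blocks giving the parameter, the mapping to the U-Boot crypto algorithm string and digest length, and the result for unsupported input. Both names also lack the efi_ prefix used by the surrounding exported declarations, which is worth aligning while the API is new.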