authorIlias Apalodimas <ilias.apalodimas@linaro.org>2022-01-29 00:20:31 +0200
committerHeinrich Schuchardt <heinrich.schuchardt@canonical.com>2022-01-29 10:23:40 +0100
commit4b634313232ed4a17bbf66d228764fef639e1f65 (patch)
tree5af800e3a6ab14d5029ccdd9ef36add5df512441 /include
parent8d4c4265327263191a3b9d42bb3e5321a1b61f20 (diff)
efi_loader: correctly handle mixed hashes and signatures in db
A mix of signatures and hashes in db doesn't always work as intended. Currently if the digest algorithm is not explicitly set to sha256 we stop walking the security database and reject the image. That's problematic in case we find and try to check a signature before inspecting the sha256 hash. If the image is unsigned we will reject it even if the digest matches. Since we no longer reject the image on unknown algorithms add an explicit check and reject the image if any other hash algorithm apart from sha256 is detected on dbx. Suggested-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Diffstat (limited to 'include')
-rw-r--r--include/efi_api.h12
-rw-r--r--include/efi_loader.h3
2 files changed, 14 insertions, 1 deletions
diff --git a/include/efi_api.h b/include/efi_api.h
index f123d05..982c200 100644
--- a/include/efi_api.h
+++ b/include/efi_api.h
@@ -1849,9 +1849,21 @@ struct efi_system_resource_table {
#define LAST_ATTEMPT_STATUS_ERROR_UNSUCCESSFUL_VENDOR_RANGE_MAX 0x00004000
/* Certificate types in signature database */
+#define EFI_CERT_SHA1_GUID \
+ EFI_GUID(0x826ca512, 0xcf10, 0x4ac9, 0xb1, 0x87, \
+ 0xbe, 0x01, 0x49, 0x66, 0x31, 0xbd)
+#define EFI_CERT_SHA224_GUID \
+ EFI_GUID(0xb6e5233, 0xa65c, 0x44c9, 0x94, 0x07, \
+ 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd)
#define EFI_CERT_SHA256_GUID \
EFI_GUID(0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, \
0x41, 0xf9, 0x36, 0x93, 0x43, 0x28)
+#define EFI_CERT_SHA384_GUID \
+ EFI_GUID(0xff3e5307, 0x9fd0, 0x48c9, 0x85, 0xf1, \
+ 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x01)
+#define EFI_CERT_SHA512_GUID \
+ EFI_GUID(0x93e0fae, 0xa6c4, 0x4f50, 0x9f, 0x1b, \
+ 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a)
#define EFI_CERT_RSA2048_GUID \
EFI_GUID(0x3c5766e8, 0x269c, 0x4e34, 0xaa, 0x14, \
0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6)
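Review bot: The four new GUIDs sit under the generic comment `/* Certificate types in signature database */`, which reads as if SHA1, SHA224, SHA384 and SHA512 digests were supported alongside SHA256. Going by the commit message, they appear to be defined only so that such entries can be recognised and the image rejected when they turn up in dbx. A comment above them such as `/* Only EFI_CERT_SHA256_GUID digests are matched; the other hash GUIDs exist to detect unsupported dbx entries */` would stop a reader from assuming a SHA384 entry in db is honoured. Separately, `0xb6e5233` and `0x93e0fae` are seven-digit literals; writing them as `0x0b6e5233` and `0x093e0fae` makes it obvious that no digit was dropped from the 32-bit field.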
diff --git a/include/efi_loader.h b/include/efi_loader.h
index 1fa75b4..4e50f2d 100644
--- a/include/efi_loader.h
+++ b/include/efi_loader.h
@@ -912,7 +912,8 @@ struct x509_certificate;
struct pkcs7_message;
bool efi_signature_lookup_digest(struct efi_image_regions *regs,
- struct efi_signature_store *db);
+ struct efi_signature_store *db,
+ bool dbx);
bool efi_signature_verify(struct efi_image_regions *regs,
struct pkcs7_message *msg,
struct efi_signature_store *db,
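Review bot: The new `bool dbx` argument of efi_signature_lookup_digest() is undocumented at the prototype, and a bare `true` or `false` at a call site does not say which database is being searched. A match means opposite things for the two stores (authorised in db, revoked in dbx), and per the commit message a non-sha256 hash type found in dbx now leads to rejection. I would add a kernel-doc line here or at the definition, for example `@dbx: true if @db is the forbidden signature database (dbx); entries with an unsupported hash type then cause the image to be rejected`. The definition is not part of this diff (it is limited to include/), so the exact return value for an unsupported algorithm should be confirmed there before the wording is fixed. The efi_signature_verify() prototype continues past the end of the hunk.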