author | AKASHI Takahiro <takahiro.akashi@linaro.org> | 2020-07-08 14:01:57 +0900 |
---|---|---|
committer | Heinrich Schuchardt <xypron.glpk@gmx.de> | 2020-07-11 23:14:15 +0200 |
commit | 7926dfb579cb17efc62ede2ce6d5c0a6f7e2f855 (patch) | |
tree | 40646528a94b6ab0eb5b6c46e241893b5b72ef10 /include/efi_loader.h | |
parent | 11bafb259648dea054e07dc5c8003eb8c736f36c (diff) | |
download | u-boot-7926dfb579cb17efc62ede2ce6d5c0a6f7e2f855.tar.gz |
efi_loader: image_loader: add digest-based verification for signed image
In case the type of a certificate in "db" or "dbx" is
EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains
a public key for RSA decryption, but a digest of the image to be loaded.
If the value matches a value calculated from a given binary image, it is
granted for loading.
With this patch, the common digest check code, which used to be used for
unsigned image verification, will be extracted from
efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and
an extra step for the digest check will be added to efi_image_authenticate().
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Diffstat (limited to 'include/efi_loader.h')
-rw-r--r-- | include/efi_loader.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/include/efi_loader.h b/include/efi_loader.h index 2f9fb112b3..ceabbaadd0 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -765,6 +765,8 @@ struct efi_signature_store { struct x509_certificate; struct pkcs7_message; +bool efi_signature_lookup_digest(struct efi_image_regions *regs, + struct efi_signature_store *db); bool efi_signature_verify_one(struct efi_image_regions *regs, struct pkcs7_message *msg, struct efi_signature_store *db); |
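Review bot: The new efi_signature_lookup_digest() prototype in include/efi_loader.h has no comment saying what a true return means, and the commit message says the lookup is used against both "db" and "dbx", where a match has opposite consequences (allow versus reject). Please document the return value next to the declaration and note that the second parameter, named db, may also be the dbx store. A bool also cannot separate "no matching digest" from "lookup could not be performed" (for example a hash calculation failure); for a dbx lookup a false caused by an error would read as "not revoked", so it is worth stating in the comment how callers should treat that case, or returning a status code with the match result as an out parameter.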