[PATCH v4 03/16] efi_loader: add signature verification functions

AKASHI Takahiro takahiro.akashi at linaro.org
Tue Jan 21 07:00:09 CET 2020


On Fri, Jan 17, 2020 at 06:37:39AM +0100, Heinrich Schuchardt wrote:
> On 1/17/20 3:20 AM, AKASHI Takahiro wrote:
> >On Wed, Jan 15, 2020 at 01:13:36AM +0100, Heinrich Schuchardt wrote:
> >>On 1/15/20 12:43 AM, Heinrich Schuchardt wrote:
> >>>On 12/18/19 1:44 AM, AKASHI Takahiro wrote:
> >(snip)
> >>>>diff --git a/lib/efi_loader/efi_signature.c
> >>>>b/lib/efi_loader/efi_signature.c
> >>>>new file mode 100644
> >>>>index 000000000000..823d3311e010
> >>>>--- /dev/null
> >>>>+++ b/lib/efi_loader/efi_signature.c
> >>>>@@ -0,0 +1,584 @@
> >>>>+// SPDX-License-Identifier: GPL-2.0+
> >>>>+/*
> >>>>+ * Copyright (c) 2018 Patrick Wildt <patrick at blueri.se>
> >>>>+ * Copyright (c) 2019 Linaro Limited, Author: AKASHI Takahiro
> >>>>+ */
> >>>>+
> >>>>+#include <common.h>
> >>>>+#include <charset.h>
> >>>>+#include <efi_loader.h>
> >>>>+#include <image.h>
> >>>>+#include <hexdump.h>
> >>>>+#include <malloc.h>
> >>>>+#include <pe.h>
> >>>>+#include <linux/compat.h>
> >>>>+#include <linux/oid_registry.h>
> >>>>+#include <u-boot/rsa.h>
> >>>>+#include <u-boot/sha256.h>
> >>>>+/*
> >>>>+ * avoid duplicated inclusion:
> >>>>+ * #include "../lib/crypto/x509_parser.h"
> >>>>+ */
> >>>>+#include "../lib/crypto/pkcs7_parser.h"
> >>>>+
> >>>>+const efi_guid_t efi_guid_image_security_database =
> >>>>+        EFI_IMAGE_SECURITY_DATABASE_GUID;
> >>>>+const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID;
> >>>>+const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID;
> >>>>+const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID;
> >>>>+const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID;
> >>>>+
> >>>>+#ifdef CONFIG_EFI_SECURE_BOOT
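Review bot: the `#ifdef CONFIG_EFI_SECURE_BOOT` opened at the end of this hunk guards the remainder of a 584-line file (per the `@@ -0,0 +1,584 @@` header), with only the GUID definitions left outside it; since the matching `#endif` lies far away and outside this excerpt, write it as `#endif /* CONFIG_EFI_SECURE_BOOT */` and state in the commit message that the GUIDs are deliberately unconditional because other files reference them, so the placement of the guard is not mistaken for an oversight. Separately, the comment `avoid duplicated inclusion:` above `#include "../lib/crypto/pkcs7_parser.h"` should say which header already pulls in x509_parser.h, and including an internal lib/crypto header by relative path rather than through a header under include/ deserves a one-line justification at the include site.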
> >>
> >>This is the #ifdef to move to the Makefile. In the previous mail I got
> >>into the wrong line.
> >
> >No.
> >As you can see, those guids may also be referred to by other files
> >(see efi_variable.c and cmd/nvedit_efi.c)
> >even in !EFI_SECURE_BOOT case, and I think that this file is best fit
> >for them.
> 
> I cannot find any of these guids in any other C file after applying all
> patches from

???
Did you look for efi_guid_image_security_database in efi_variable.c
and cmd/nvedit_efi.c?

-Takahiro Akashi


> https://patchwork.ozlabs.org/project/uboot/list/?series=&submitter=61166&state=&q=&archive=&delegate=
> 
> git grep -n efi_guid_sha256
> include/efi_loader.h:185:extern const efi_guid_t efi_guid_sha256;
> lib/efi_loader/efi_signature.c:26:const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID;
> lib/efi_loader/efi_signature.c:252:             if (guidcmp(&siglist->sig_type, &efi_guid_sha256)) {
> 
> lib/efi_loader/efi_signature.c:27:const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID;
> 
> git grep -n efi_guid_cert_x509
> include/efi_loader.h:186:extern const efi_guid_t efi_guid_cert_x509;
> include/efi_loader.h:187:extern const efi_guid_t efi_guid_cert_x509_sha256;
> lib/efi_loader/efi_signature.c:28:const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID;
> lib/efi_loader/efi_signature.c:29:const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID;
> lib/efi_loader/efi_signature.c:283:     if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509)) {
> lib/efi_loader/efi_signature.c:406:     if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509_sha256)) {
> 
> include/efi_loader.h:187:extern const efi_guid_t efi_guid_cert_x509_sha256;
> lib/efi_loader/efi_signature.c:29:const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID;
> lib/efi_loader/efi_signature.c:406:     if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509_sha256)) {
> 
> Best regards
> 
> Heinrich
