[PATCH 07/13] efi_loader: image_loader: add digest-based verification for signed image

Heinrich Schuchardt xypron.glpk at gmx.de
Sat May 30 09:09:30 CEST 2020


On 5/29/20 8:41 AM, AKASHI Takahiro wrote:
> In case that a type of certificate in "db" or "dbx" is
> EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains
> a public key for RSA decryption, but a digest of image to be loaded.
> If the value matches a value calculated from a given binary image, it is
> granted for loading.
>
> With this patch, common digest check code, which used to be used for
> unsigned image verification, will be extracted from
> efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and
> extra step for digest check will be added to efi_image_authenticate().

Could you please add comments in the code describing this process flow?

Best regards

Heinrich
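
The digest check described in the quoted commit message, as an added sketch that is not code from the patch or from U-Boot: all type, function and variable names are hypothetical, the image digest is assumed to be already computed, and checking "dbx" before "db" is assumed from the usual UEFI secure boot rule rather than taken from this message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHA256_LEN 32

/* Hypothetical entry kinds standing in for the signature-type GUIDs. */
enum sig_type { SIG_X509_CERT, SIG_SHA256_DIGEST };
struct sig_entry { enum sig_type type; const uint8_t *data; size_t len; };

/* Return 1 if a digest-type entry in the list equals the image digest. */
int lookup_digest(const struct sig_entry *list, size_t n, const uint8_t *digest)
{
	for (size_t i = 0; i < n; i++) {
		/* A certificate entry carries a public key, not a digest. */
		if (list[i].type != SIG_SHA256_DIGEST)
			continue;
		/* An entry of the wrong size can never match. */
		if (list[i].len != SHA256_LEN)
			continue;
		if (!memcmp(list[i].data, digest, SHA256_LEN))
			return 1;
	}
	return 0;
}

/* Digest step: a dbx match rejects, otherwise a db match grants loading. */
int digest_allows_image(const struct sig_entry *db, size_t n_db,
			const struct sig_entry *dbx, size_t n_dbx,
			const uint8_t *digest)
{
	if (lookup_digest(dbx, n_dbx, digest))
		return 0;
	return lookup_digest(db, n_db, digest);
}

/* Constructed sample data, not real image digests. */
static const uint8_t img_a[SHA256_LEN] = { 0xaa, 0x01 };
static const uint8_t img_b[SHA256_LEN] = { 0xbb, 0x02 };
static const uint8_t img_c[SHA256_LEN] = { 0xcc, 0x03 };
static const struct sig_entry sample_db[] = {
	{ SIG_X509_CERT, img_c, SHA256_LEN },	/* wrong type: ignored */
	{ SIG_SHA256_DIGEST, img_a, SHA256_LEN },
	{ SIG_SHA256_DIGEST, img_b, SHA256_LEN },
};
static const struct sig_entry sample_dbx[] = {
	{ SIG_SHA256_DIGEST, img_b, SHA256_LEN },
};

int main(void) { return !digest_allows_image(sample_db, 3, sample_dbx, 1, img_a); }
```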

