[PATCH 2/2 v2] efi_loader: Ignore sha1 on signature verification
Ilias Apalodimas
ilias.apalodimas at linaro.org
Wed Jan 19 12:54:42 CET 2022
Since SHA1 has know collisions disable it on EFI verification for
variables and executables
Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
---
lib/efi_loader/efi_signature.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
index 6e3ee3c0c004..1903adc89ed0 100644
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@@ -476,6 +476,11 @@ bool efi_signature_verify(struct efi_image_regions *regs,
if (ret < 0 || !signer)
goto out;
+ if (!strcmp(signer->sig->hash_algo, "sha1")) {
+ pr_err("SHA1 support is disabled for EFI\n");
+ goto out;
+ }
+
if (sinfo->blacklisted)
goto out;
--
2.30.2
More information about the U-Boot
mailing list