[PATCH 2/2 v2] efi_loader: Ignore sha1 on signature verification

Ilias Apalodimas ilias.apalodimas at linaro.org
Wed Jan 19 12:54:42 CET 2022


Since SHA1 has known collisions, disable it on EFI verification for
variables and executables

Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
---
 lib/efi_loader/efi_signature.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
index 6e3ee3c0c004..1903adc89ed0 100644
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@@ -476,6 +476,11 @@ bool efi_signature_verify(struct efi_image_regions *regs,
 		if (ret < 0 || !signer)
 			goto out;
 
+		if (!strcmp(signer->sig->hash_algo, "sha1")) {
+			pr_err("SHA1 support is disabled for EFI\n");
+			goto out;
+		}
+
 		if (sinfo->blacklisted)
 			goto out;
 
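Review bot: the new check at `if (!strcmp(signer->sig->hash_algo, "sha1"))` tests the hash algorithm of the signer certificate's own signature (`signer->sig`), while the loop body here is verifying `sinfo`, the signed-info whose digest covers the variable or image payload; if the intent in the commit message is to refuse SHA1 for variable and executable verification, `sinfo->sig->hash_algo` is the field to test (keeping the certificate-side check as well if SHA1-signed chain certificates should also be refused). Two smaller points: the check is placed after the `ret < 0 || !signer` test, so it only rejects after the call that produced `ret` and `signer` has already done its work rather than short-circuiting it, and `strcmp` will dereference NULL if `hash_algo` is ever unset for an unrecognised algorithm, so a `!signer->sig->hash_algo ||` guard ahead of the `strcmp` would be safer. The `pr_err` text could also say which algorithm field was rejected so the failure is diagnosable from the log.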
-- 
2.30.2
