[PATCH 2/2 v2] efi_loader: Ignore sha1 on signature verification
Ilias Apalodimas
ilias.apalodimas at linaro.org
Wed Jan 19 16:03:36 CET 2022
Heinrich
Replying to myself here but...
On Wed, 19 Jan 2022 at 13:54, Ilias Apalodimas
<ilias.apalodimas at linaro.org> wrote:
>
> Since SHA1 has known collisions, disable it on EFI verification for
> variables and executables
>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> ---
> lib/efi_loader/efi_signature.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
> index 6e3ee3c0c004..1903adc89ed0 100644
> --- a/lib/efi_loader/efi_signature.c
> +++ b/lib/efi_loader/efi_signature.c
> @@ -476,6 +476,11 @@ bool efi_signature_verify(struct efi_image_regions *regs,
> if (ret < 0 || !signer)
> goto out;
>
> + if (!strcmp(signer->sig->hash_algo, "sha1")) {
> + pr_err("SHA1 support is disabled for EFI\n");
> + goto out;
> + }
> +
> if (sinfo->blacklisted)
> goto out;
>
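Review bot: the added `strcmp(signer->sig->hash_algo, "sha1")` dereferences `signer->sig` and `hash_algo`, while the check just above it only covers `!signer`; either confirm both are always populated for a parsed certificate or guard them before the compare. The test looks only at the signer certificate's signature algorithm, so nothing visible in this hunk rejects a SHA1 digest carried in `sinfo` itself; if that case is meant to be covered it needs its own check. The `pr_err` text also does not say that verification was refused or for which signer, and a short comment explaining why the test sits ahead of the `sinfo->blacklisted` check would help the next reader.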
> --
> 2.30.2
>
This patch gets the job done, but rejects the sha1 cert signed images
overall without checking db or dbx. Since I am planning to refactor
the secure boot checking sequence a bit, it would make more sense for
me to fix this in a less hacky way in upcoming patches. You can ofc
pick up 1/2 which is fixing an actual issue.
Cheers
/Ilias