[PATCH] efi_loader: correctly handle mixed hashes and signatures in db
Ilias Apalodimas
ilias.apalodimas at linaro.org
Thu Jan 27 23:36:10 CET 2022
A mix of signatures and hashes in db doesn't always work as intended.
Currently if the digest algorithm is not supported we stop walking the
security database and reject the image.
That's problematic in case we find and try to check a signature before
inspecting the sha256 hash. If the image is unsigned we will reject it
even if the digest matches
Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
---
lib/efi_loader/efi_signature.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
index 3243e2c60de0..8fa82f8cea4c 100644
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@@ -176,7 +176,7 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs,
if (guidcmp(&siglist->sig_type, &efi_guid_sha256)) {
EFI_PRINT("Digest algorithm is not supported: %pUs\n",
&siglist->sig_type);
- break;
+ continue;
}
if (!efi_hash_regions(regs->reg, regs->num, &hash, &size)) {
--
2.32.0
More information about the U-Boot
mailing list