[PATCH 1/2 v4] efi_loader: add sha384/512 on certificate revocation

Ilias Apalodimas ilias.apalodimas at linaro.org
Sat May 7 09:11:41 CEST 2022


Hi Heinrich,

[...]

> >                       /*
> > @@ -500,7 +528,9 @@ bool efi_signature_verify(struct efi_image_regions *regs,
> >                */
> >               if (!msg->data &&
> >                   !efi_hash_regions(regs->reg, regs->num,
> > -                                   (void **)&sinfo->sig->digest, NULL)) {
> > +                                   (void **)&sinfo->sig->digest,
> > +                                   guid_to_sha_str(&efi_guid_sha256),
>
> The UEFI spec knows certificate types like EFI_CERT_X509_SHA512_GUID.
> Why do we assume SHA256 here?

This part is only used for variable authentication. This was using
sha256 only before the patch, but isn't that the only thing the spec
mandates for authenticated variables?

>
> Best regards
>
> Heinrich
>
> > +                                   NULL)) {
> >                       EFI_PRINT("Digesting an image failed\n");
> >                       goto out;
> >               }
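Review bot: the digest algorithm at the efi_hash_regions() call in efi_signature_verify() is fixed to SHA256 through guid_to_sha_str(&efi_guid_sha256), and nothing in the hunk says why, which reads oddly in a patch whose subject adds sha384/512. If this path is meant to stay SHA256-only, say so in the comment block that sits just above the `if (!msg->data &&` test, so the constant is not mistaken for an oversight. If it is not, the algorithm name should be derived from the signature held in sinfo->sig instead of a constant GUID.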
>

