git.baikalelectronics.ru Git - uboot.git/commit
efi_loader: image_loader: add digest-based verification for signed image
author AKASHI Takahiro <takahiro.akashi@linaro.org>
Wed, 8 Jul 2020 05:01:57 +0000 (14:01 +0900)
committer Heinrich Schuchardt <xypron.glpk@gmx.de>
Sat, 11 Jul 2020 21:14:15 +0000 (23:14 +0200)
commit bdff53a9af1eeb3e1b65e3e9cf6e8d0c7b159f48
tree 40646528a94b6ab0eb5b6c46e241893b5b72ef10
parent 3aaf68374d4b7e240a0aec2f4af9af4223d7f1aa
efi_loader: image_loader: add digest-based verification for signed image

In case the type of a certificate in "db" or "dbx" is
EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains
a public key for RSA decryption, but a digest of the image to be loaded.
If the value matches a value calculated from a given binary image, it is
granted for loading.

With this patch, the common digest check code, which used to be used for
unsigned image verification, will be extracted from
efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and
an extra step for the digest check will be added to efi_image_authenticate().

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
include/efi_loader.h
lib/efi_loader/efi_image_loader.c
lib/efi_loader/efi_signature.c
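
The digest lookup described in the commit message, as a stand-alone example added here (it is not U-Boot's efi_signature_lookup_digest() and not code from this commit): it walks an EFI_SIGNATURE_LIST database with bounds checks and compares a precomputed image digest against each entry of a given signature type. The function names, the 0xAA placeholder type GUID, the constructed sample data, and the choice to consult dbx first and deny when a database is malformed are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LIST_HDR 28u /* SignatureType GUID (16 bytes) + three little-endian uint32 sizes */
#define OWNER    16u /* every entry starts with a SignatureOwner GUID */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* 1: digest listed under `type`; 0: not listed; -1: malformed database. */
int siglist_has_digest(const uint8_t *db, size_t len, const uint8_t *type,
                       const uint8_t *digest, size_t dlen)
{
    for (size_t off = 0; off < len; ) {
        const uint8_t *l = db + off;
        if (len - off < LIST_HDR)
            return -1;
        uint32_t list_sz = rd32(l + 16), hdr_sz = rd32(l + 20), sig_sz = rd32(l + 24);
        if (list_sz < LIST_HDR || list_sz > len - off ||
            hdr_sz > list_sz - LIST_HDR || sig_sz <= OWNER)
            return -1;
        if (!memcmp(l, type, 16) && sig_sz - OWNER == dlen)
            for (size_t pos = LIST_HDR + hdr_sz; list_sz - pos >= sig_sz; pos += sig_sz)
                if (!memcmp(l + pos + OWNER, digest, dlen))
                    return 1;
        off += list_sz;
    }
    return 0;
}

/* Assumed policy: dbx is checked first and fails closed; only a clean db match allows loading. */
int image_digest_allowed(const uint8_t *db, size_t db_len, const uint8_t *dbx, size_t dbx_len,
                         const uint8_t *type, const uint8_t *digest, size_t dlen)
{
    if (siglist_has_digest(dbx, dbx_len, type, digest, dlen) != 0)
        return 0;
    return siglist_has_digest(db, db_len, type, digest, dlen) == 1;
}

/* Constructed data: one list each, placeholder type GUID (0xAA bytes), one 32-byte digest. */
int demo(uint8_t in_db, uint8_t in_dbx, uint8_t img, size_t dbx_cut)
{
    uint8_t type[16], digest[32], db[76] = {0}, dbx[76];
    memset(type, 0xAA, 16);
    memset(digest, img, 32);
    memcpy(db, type, 16);
    db[16] = 76; /* SignatureListSize = 28 + 16 + 32 */
    db[24] = 48; /* SignatureSize = owner GUID + digest; SignatureHeaderSize stays 0 */
    memcpy(dbx, db, 76);
    memset(db + 44, in_db, 32);
    memset(dbx + 44, in_dbx, 32);
    return image_digest_allowed(db, 76, dbx, 76 - dbx_cut, type, digest, 32);
}
```

`demo()` takes the fill byte of the db digest, the dbx digest and the image digest, plus a number of bytes to cut from dbx; a truncated dbx makes the lookup return -1 and the image is refused.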