efi_loader: image_loader: add digest-based verification for signed image
authorAKASHI Takahiro <takahiro.akashi@linaro.org>
Wed, 8 Jul 2020 05:01:57 +0000 (14:01 +0900)
committerHeinrich Schuchardt <xypron.glpk@gmx.de>
Sat, 11 Jul 2020 21:14:15 +0000 (23:14 +0200)
commit7926dfb579cb17efc62ede2ce6d5c0a6f7e2f855
tree40646528a94b6ab0eb5b6c46e241893b5b72ef10
parent11bafb259648dea054e07dc5c8003eb8c736f36c
efi_loader: image_loader: add digest-based verification for signed image

In case that a type of certificate in "db" or "dbx" is
EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains
a public key for RSA decryption, but a digest of image to be loaded.
If the value matches to a value calculated from a given binary image, it is
granted for loading.

With this patch, common digest check code, which used to be used for
unsigned image verification, will be extracted from
efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and
extra step for digest check will be added to efi_image_authenticate().

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
include/efi_loader.h
lib/efi_loader/efi_image_loader.c
lib/efi_loader/efi_signature.c