Cross Reference: /u-boot/lib/efi_loader/efi

History log of /u-boot/lib/efi_loader/efi_signature.c
Revision	Date	Author	Comments (<<< Hide modified files) (Show modified files >>>)
# c38cb227	14-Dec-2023	Tom Rini <trini@konsulko.com>	efi_loader: Remove <common.h> We largely do not need <common.h> in these files, so drop it. The only exception here is that efi_freestanding.c needs <linux/types.h> and had been getting that via <common.h>. Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Tom Rini <trini@konsulko.com> /u-boot/lib/efi_loader/efi_signature.c
# b3301406	04-Jul-2022	AKASHI Takahiro <takahiro.akashi@linaro.org>	efi_loader: signature: export efi_hash_regions() This function is used to calculate a message digest as part of authentication process in a later patch. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# b436cc6a	06-May-2022	Ilias Apalodimas <ilias.apalodimas@linaro.org>	efi_loader: add sha384/512 on certificate revocation Currently we don't support sha384/512 for the X.509 certificate in dbx. Moreover if we come across such a hash we skip the check and approve the image, although the image might needs to be rejected. Rework the code a bit and fix it by adding an array of structs with the supported GUIDs, len and literal used in the U-Boot crypto APIs instead of hardcoding the GUID types. It's worth noting here that efi_hash_regions() can now be reused from efi_signature_lookup_digest() and add sha348/512 support there as well Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# bdcc0a95	14-Feb-2022	Ilias Apalodimas <ilias.apalodimas@linaro.org>	efi_loader: fix uefi secure boot with intermediate certs The general rule of accepting or rejecting an image is 1. Is the sha256 of the image in dbx 2. Is the image signed with a certificate that's found in db and not in dbx 3. The image carries a cert which is signed by a cert in db (and not in dbx) and the image can be verified against the former 4. Is the sha256 of the image in db For example SHIM is signed by "CN=Microsoft Windows UEFI Driver Publisher", which is issued by "CN=Microsoft Corporation UEFI CA 2011", which in it's turn is issued by "CN=Microsoft Corporation Third Party Marketplace Root". The latter is a self-signed CA certificate and with our current implementation allows shim to execute if we insert it in db. However it's the CA cert in the middle of the chain which usually ends up in the system's db. pkcs7_verify_one() might or might not return the root certificate for a given chain. But when verifying executables in UEFI, the trust anchor can be in the middle of the chain, as long as that certificate is present in db. Currently we only allow this check on self-signed certificates, so let's remove that check and allow all certs to try a match an entry in db. Open questions: - Does this break any aspect of variable authentication since efi_signature_verify() is used on those as well? Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# 5ee900c1	28-Jan-2022	Ilias Apalodimas <ilias.apalodimas@linaro.org>	efi_loader: hash the image once before checking against db/dbx We don't have to recalculate the image hash every time we check against a new db/dbx entry. So let's add a flag forcing it to run once since we only support sha256 hashes Suggested-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> /u-boot/lib/efi_loader/efi_signature.c
# 4b634313	28-Jan-2022	Ilias Apalodimas <ilias.apalodimas@linaro.org>	efi_loader: correctly handle mixed hashes and signatures in db A mix of signatures and hashes in db doesn't always work as intended. Currently if the digest algorithm is not explicitly set to sha256 we stop walking the security database and reject the image. That's problematic in case we find and try to check a signature before inspecting the sha256 hash. If the image is unsigned we will reject it even if the digest matches. Since we no longer reject the image on unknown algorithms add an explicit check and reject the image if any other hash algorithm apart from sha256 is detected on dbx. Suggested-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> /u-boot/lib/efi_loader/efi_signature.c
# ce00a740	16-Jan-2022	Heinrich Schuchardt <xypron.glpk@gmx.de>	efi_loader: use %pUs for printing GUIDs For printing GUIDs with macro EFI_ENTRY use %pUs instead of %pUl to provide readable debug output. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> /u-boot/lib/efi_loader/efi_signature.c
# 02fef8b1	09-Sep-2021	Heinrich Schuchardt <xypron.glpk@gmx.de>	efi_loader: simplify efi_sigstore_parse_sigdb() Simplify efi_sigstore_parse_sigdb() by using existing functions. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# f6081a8a	13-May-2021	Masahisa Kojima <masahisa.kojima@linaro.org>	efi_loader: expose efi_image_parse() even if UEFI Secure Boot is disabled This is preparation for PE/COFF measurement support. PE/COFF image hash calculation is same in both UEFI Secure Boot image verification and measurement in measured boot. PE/COFF image parsing functions are gathered into efi_image_loader.c, and exposed even if UEFI Secure Boot is not enabled. This commit also adds the EFI_SIGNATURE_SUPPORT option to decide if efi_signature.c shall be compiled. Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> /u-boot/lib/efi_loader/efi_signature.c
# 04be98bd	30-Dec-2020	Sughosh Ganu <sughosh.ganu@linaro.org>	efi: capsule: Add support for uefi capsule authentication Add support for authenticating uefi capsules. Most of the signature verification functionality is shared with the uefi secure boot feature. The root certificate containing the public key used for the signature verification is stored as part of the device tree blob. The root certificate is stored as an efi signature list(esl) file -- this file contains the x509 certificate which is the root certificate. Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# b4f20a5d	30-Dec-2020	Sughosh Ganu <sughosh.ganu@linaro.org>	efi_loader: Re-factor code to build the signature store from efi signature list The efi_sigstore_parse_sigdb function reads the uefi authenticated variable, stored in the signature database format and builds the signature store structure. Factor out the code for building the signature store. This can then be used by the capsule authentication routine to build the signature store even when the signature database is not stored as an uefi authenticated variable Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# 201b8068	30-Dec-2020	Sughosh Ganu <sughosh.ganu@linaro.org>	efi_loader: Make the pkcs7 header parsing function an extern The pkcs7 header parsing functionality is pretty generic, and can be used by other features like capsule authentication. Make the function an extern, also changing it's name to efi_parse_pkcs7_header Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# 52956e53	13-Aug-2020	AKASHI Takahiro <takahiro.akashi@linaro.org>	efi_loader: signature: correct a behavior against multiple signatures Under the current implementation, all the signatures, if any, in a signed image must be verified before loading it. Meanwhile, UEFI specification v2.8b section 32.5.3.3 says, Multiple signatures are allowed to exist in the binary’s certificate table (as per PE/COFF Section “Attribute Certificate Table”). Only one hash or signature is required to be present in db in order to pass validation, so long as neither the SHA-256 hash of the binary nor any present signature is reflected in dbx. This patch makes the semantics of signature verification compliant with the specification mentioned above. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de> /u-boot/lib/efi_loader/efi_signature.c
# 1115edd8	21-Jul-2020	AKASHI Takahiro <takahiro.akashi@linaro.org>	efi_loader: signature: rework for intermediate certificates support In this commit, efi_signature_verify(with_sigdb) will be re-implemented using pcks7_verify_one() in order to support certificates chain, where the signer's certificate will be signed by an intermediate CA (certificate authority) and the latter's certificate will also be signed by another CA and so on. What we need to do here is to search for certificates in a signature, build up a chain of certificates and verify one by one. pkcs7_verify_one() handles most of these steps except the last one. pkcs7_verify_one() returns, if succeeded, the last certificate to verify, which can be either a self-signed one or one that should be signed by one of certificates in "db". Re-worked efi_signature_verify() will take care of this step. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# 7926dfb5	07-Jul-2020	AKASHI Takahiro <takahiro.akashi@linaro.org>	efi_loader: image_loader: add digest-based verification for signed image In case that a type of certificate in "db" or "dbx" is EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains a public key for RSA decryption, but a digest of image to be loaded. If the value matches to a value calculated from a given binary image, it is granted for loading. With this patch, common digest check code, which used to be used for unsigned image verification, will be extracted from efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and extra step for digest check will be added to efi_image_authenticate(). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# 11bafb25	07-Jul-2020	AKASHI Takahiro <takahiro.akashi@linaro.org>	efi_loader: image_loader: verification for all signatures should pass A signed image may have multiple signatures in - each WIN_CERTIFICATE in authenticode, and/or - each SignerInfo in pkcs7 SignedData (of WIN_CERTIFICATE) In the initial implementation of efi_image_authenticate(), the criteria of verification check for multiple signatures case is a bit ambiguous and it may cause inconsistent result. With this patch, we will make sure that verification check in efi_image_authenticate() should pass against all the signatures. The only exception would be - the case where a digest algorithm used in signature is not supported by U-Boot, or - the case where parsing some portion of authenticode has failed In those cases, we don't know how the signature be handled and should just ignore them. Please note that, due to this change, efi_signature_verify_with_sigdb()'s function prototype will be modified, taking "dbx" as well as "db" instead of outputing a "certificate." If "dbx" is null, the behavior would be the exact same as before. The function's name will be changed to efi_signature_verify() once current efi_signature_verify() has gone due to further improvement in intermediate certificates support. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# 1e64d0b5	07-Jul-2020	AKASHI Takahiro <takahiro.akashi@linaro.org>	efi_loader: signature: make efi_hash_regions more generic There are a couple of occurrences of hash calculations in which a new efi_hash_regions will be commonly used. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# 36b2f9da	07-Jul-2020	AKASHI Takahiro <takahiro.akashi@linaro.org>	efi_loader: signature: fix a size check against revocation list Since the size check against an entry in efi_search_siglist() is incorrect, this function will never find out a to-be-matched certificate and its associated revocation time in the signature list. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# 28164c92	01-Jul-2020	Heinrich Schuchardt <xypron.glpk@gmx.de>	efi_loader: fix efi_image_region_add() Use start and end address consistently as half-open interval. Simplify the code. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> /u-boot/lib/efi_loader/efi_signature.c
# 3e9019d4	08-Jun-2020	AKASHI Takahiro <takahiro.akashi@linaro.org>	efi_loader: signature: replace debug to EFI_PRINT Just for style consistency, replace all the uses of debug to EFI_PRINT in efi_signature.c Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> /u-boot/lib/efi_loader/efi_signature.c
# a4292ecc	29-May-2020	AKASHI Takahiro <takahiro.akashi@linaro.org>	efi_loader: signature: move efi_guid_cert_type_pkcs7 to efi_signature.c The global variable, efi_guid_cert_type_pkcs7, will also be used in efi_image_loader.c in a succeeding patch so as to correctly handle a signature type of authenticode in signed image. Meanwhile, it is currently defined in efi_variable.c. Once some secure storage solution for UEFI variables is introduced, efi_variable.c may not always be compiled in. So move the definition to efi_signature.c as a common place. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> /u-boot/lib/efi_loader/efi_signature.c
# 30f92ce9	03-May-2020	Heinrich Schuchardt <xypron.glpk@gmx.de>	efi_loader: correct comments for efi_status_t EFI_STATUS is unsigned (UINTN). Hence it cannot be negative. Correct comments for 'Return:'. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> /u-boot/lib/efi_loader/efi_signature.c
# 964d5326	20-Apr-2020	AKASHI Takahiro <takahiro.akashi@linaro.org>	efi_loader: fix unreachable statement in efi_sigstore_parse_siglist "if (left < esl->signature_size)" is not reachable in a while loop. But it is still valuable in case that a given signature database is somehow corrupted. So fix the while loop condition. Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> /u-boot/lib/efi_loader/efi_signature.c
# e3f5c9cb	20-Apr-2020	AKASHI Takahiro <takahiro.akashi@linaro.org>	lib/crypto, efi_loader: move some headers to include/crypto Pkcs7_parse.h and x509_parser.h are used in UEFI subsystem, in particular, secure boot. So move them to include/crypto to avoid relative paths. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Don't include include x509_parser.h twice. Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> /u-boot/lib/efi_loader/efi_signature.c
# be6296d0	13-Apr-2020	AKASHI Takahiro <takahiro.akashi@linaro.org>	efi_loader: add signature database parser efi_signature_parse_sigdb() is a helper function will be used to parse signature database variable and instantiate a signature store structure in later patches. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# 593e17d6	13-Apr-2020	AKASHI Takahiro <takahiro.akashi@linaro.org>	efi_loader: add signature verification functions In this commit, implemented are a couple of helper functions which will be used to materialize variable authentication as well as image authentication in later patches. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# b3301406	04-Jul-2022	AKASHI Takahiro <takahiro.akashi@linaro.org>	efi_loader: signature: export efi_hash_regions() This function is used to calculate a message digest as part of authentication process in a later patch. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# b436cc6a	06-May-2022	Ilias Apalodimas <ilias.apalodimas@linaro.org>	efi_loader: add sha384/512 on certificate revocation Currently we don't support sha384/512 for the X.509 certificate in dbx. Moreover if we come across such a hash we skip the check and approve the image, although the image might needs to be rejected. Rework the code a bit and fix it by adding an array of structs with the supported GUIDs, len and literal used in the U-Boot crypto APIs instead of hardcoding the GUID types. It's worth noting here that efi_hash_regions() can now be reused from efi_signature_lookup_digest() and add sha348/512 support there as well Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# bdcc0a95	14-Feb-2022	Ilias Apalodimas <ilias.apalodimas@linaro.org>	efi_loader: fix uefi secure boot with intermediate certs The general rule of accepting or rejecting an image is 1. Is the sha256 of the image in dbx 2. Is the image signed with a certificate that's found in db and not in dbx 3. The image carries a cert which is signed by a cert in db (and not in dbx) and the image can be verified against the former 4. Is the sha256 of the image in db For example SHIM is signed by "CN=Microsoft Windows UEFI Driver Publisher", which is issued by "CN=Microsoft Corporation UEFI CA 2011", which in it's turn is issued by "CN=Microsoft Corporation Third Party Marketplace Root". The latter is a self-signed CA certificate and with our current implementation allows shim to execute if we insert it in db. However it's the CA cert in the middle of the chain which usually ends up in the system's db. pkcs7_verify_one() might or might not return the root certificate for a given chain. But when verifying executables in UEFI, the trust anchor can be in the middle of the chain, as long as that certificate is present in db. Currently we only allow this check on self-signed certificates, so let's remove that check and allow all certs to try a match an entry in db. Open questions: - Does this break any aspect of variable authentication since efi_signature_verify() is used on those as well? Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# 5ee900c1	28-Jan-2022	Ilias Apalodimas <ilias.apalodimas@linaro.org>	efi_loader: hash the image once before checking against db/dbx We don't have to recalculate the image hash every time we check against a new db/dbx entry. So let's add a flag forcing it to run once since we only support sha256 hashes Suggested-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> /u-boot/lib/efi_loader/efi_signature.c
# 4b634313	28-Jan-2022	Ilias Apalodimas <ilias.apalodimas@linaro.org>	efi_loader: correctly handle mixed hashes and signatures in db A mix of signatures and hashes in db doesn't always work as intended. Currently if the digest algorithm is not explicitly set to sha256 we stop walking the security database and reject the image. That's problematic in case we find and try to check a signature before inspecting the sha256 hash. If the image is unsigned we will reject it even if the digest matches. Since we no longer reject the image on unknown algorithms add an explicit check and reject the image if any other hash algorithm apart from sha256 is detected on dbx. Suggested-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> /u-boot/lib/efi_loader/efi_signature.c
# ce00a740	16-Jan-2022	Heinrich Schuchardt <xypron.glpk@gmx.de>	efi_loader: use %pUs for printing GUIDs For printing GUIDs with macro EFI_ENTRY use %pUs instead of %pUl to provide readable debug output. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> /u-boot/lib/efi_loader/efi_signature.c
# 02fef8b1	09-Sep-2021	Heinrich Schuchardt <xypron.glpk@gmx.de>	efi_loader: simplify efi_sigstore_parse_sigdb() Simplify efi_sigstore_parse_sigdb() by using existing functions. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# f6081a8a	13-May-2021	Masahisa Kojima <masahisa.kojima@linaro.org>	efi_loader: expose efi_image_parse() even if UEFI Secure Boot is disabled This is preparation for PE/COFF measurement support. PE/COFF image hash calculation is same in both UEFI Secure Boot image verification and measurement in measured boot. PE/COFF image parsing functions are gathered into efi_image_loader.c, and exposed even if UEFI Secure Boot is not enabled. This commit also adds the EFI_SIGNATURE_SUPPORT option to decide if efi_signature.c shall be compiled. Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> /u-boot/lib/efi_loader/efi_signature.c
# 04be98bd	30-Dec-2020	Sughosh Ganu <sughosh.ganu@linaro.org>	efi: capsule: Add support for uefi capsule authentication Add support for authenticating uefi capsules. Most of the signature verification functionality is shared with the uefi secure boot feature. The root certificate containing the public key used for the signature verification is stored as part of the device tree blob. The root certificate is stored as an efi signature list(esl) file -- this file contains the x509 certificate which is the root certificate. Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# b4f20a5d	30-Dec-2020	Sughosh Ganu <sughosh.ganu@linaro.org>	efi_loader: Re-factor code to build the signature store from efi signature list The efi_sigstore_parse_sigdb function reads the uefi authenticated variable, stored in the signature database format and builds the signature store structure. Factor out the code for building the signature store. This can then be used by the capsule authentication routine to build the signature store even when the signature database is not stored as an uefi authenticated variable Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# 201b8068	30-Dec-2020	Sughosh Ganu <sughosh.ganu@linaro.org>	efi_loader: Make the pkcs7 header parsing function an extern The pkcs7 header parsing functionality is pretty generic, and can be used by other features like capsule authentication. Make the function an extern, also changing it's name to efi_parse_pkcs7_header Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# 52956e53	13-Aug-2020	AKASHI Takahiro <takahiro.akashi@linaro.org>	efi_loader: signature: correct a behavior against multiple signatures Under the current implementation, all the signatures, if any, in a signed image must be verified before loading it. Meanwhile, UEFI specification v2.8b section 32.5.3.3 says, Multiple signatures are allowed to exist in the binary’s certificate table (as per PE/COFF Section “Attribute Certificate Table”). Only one hash or signature is required to be present in db in order to pass validation, so long as neither the SHA-256 hash of the binary nor any present signature is reflected in dbx. This patch makes the semantics of signature verification compliant with the specification mentioned above. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de> /u-boot/lib/efi_loader/efi_signature.c
# 1115edd8	21-Jul-2020	AKASHI Takahiro <takahiro.akashi@linaro.org>	efi_loader: signature: rework for intermediate certificates support In this commit, efi_signature_verify(with_sigdb) will be re-implemented using pcks7_verify_one() in order to support certificates chain, where the signer's certificate will be signed by an intermediate CA (certificate authority) and the latter's certificate will also be signed by another CA and so on. What we need to do here is to search for certificates in a signature, build up a chain of certificates and verify one by one. pkcs7_verify_one() handles most of these steps except the last one. pkcs7_verify_one() returns, if succeeded, the last certificate to verify, which can be either a self-signed one or one that should be signed by one of certificates in "db". Re-worked efi_signature_verify() will take care of this step. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> /u-boot/lib/efi_loader/efi_signature.c
# 7926dfb5	07-Jul-2020	AKASHI Takahiro <takahiro.akashi@linaro.org>	efi_loader: image_loader: add digest-based verification for signed image In case that a type of certificate in "db" or "dbx" is EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains a public key for RSA decryption, but a digest of image to be loaded. If the value matches to a value calculated from a given binary image, it is granted for loading. With this patch, common digest check code, which used to be used for unsigned image verification, will be extracted from efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and extra step for digest check will be added to efi_image_authenticate(). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> /u-boot/lib/efi_loader/efi_signature.c