Merge tag 'efi-2020-10-rc3-2' of https://gitlab.denx.de/u-boot/custodians/u-boot-efi

Pull request for UEFI sub-system for efi-2020-10-rc3 (2) This series includes bug fixes for: * UEFI secure boot - images with multiple signatures * UEFI secure boot - support for intermediate certificates * corrections for UEFI unit tests * missing loadaddr on MAIX board
author: Tom Rini <trini@konsulko.com> 2020-08-15 09:01:01 -0400
committer: Tom Rini <trini@konsulko.com> 2020-08-15 09:01:01 -0400
commit: 789bfb52668ee609b2043de645e2f94bbd24fd1f (patch)
tree: 168ecaa3ef75f85141d3586b2447c6a8f3a7af32 /lib/efi_loader/efi_image_loader.c
parent: c0192950dfcd82035a928de32c24335f3d2c0f7a (diff)
parent: a4bda5ebab8246004caaca2e17bc865d265bf57a (diff)
1 files changed, 17 insertions, 16 deletions
diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
index fef0bb870c6..eea42cc2043 100644
--- a/lib/efi_loader/efi_image_loader.c
+++ b/lib/efi_loader/efi_image_loader.c
@@ -546,6 +546,11 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
 		goto err;
 	}
 
+	if (efi_signature_lookup_digest(regs, dbx)) {
+		EFI_PRINT("Image's digest was found in \"dbx\"\n");
+		goto err;
+	}
+
 	/*
 	 * go through WIN_CERTIFICATE list
 	 * NOTE:
@@ -553,10 +558,9 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
 	 * in PE header, or as pkcs7 SignerInfo's in SignedData.
 	 * So the verification policy here is:
 	 *   - Success if, at least, one of signatures is verified
-	 *   - unless
-	 *       any of signatures is rejected explicitly, or
-	 *       none of digest algorithms are supported
+	 *   - unless signature is rejected explicitly with its digest.
 	 */
+
 	for (wincert = wincerts, wincerts_end = (u8 *)wincerts + wincerts_len;
 	     (u8 *)wincert < wincerts_end;
 	     wincert = (WIN_CERTIFICATE *)
@@ -627,32 +631,29 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
 		/* try black-list first */
 		if (efi_signature_verify_one(regs, msg, dbx)) {
 			EFI_PRINT("Signature was rejected by \"dbx\"\n");
-			goto err;
+			continue;
 		}
 
 		if (!efi_signature_check_signers(msg, dbx)) {
 			EFI_PRINT("Signer(s) in \"dbx\"\n");
-			goto err;
-		}
-
-		if (efi_signature_lookup_digest(regs, dbx)) {
-			EFI_PRINT("Image's digest was found in \"dbx\"\n");
-			goto err;
+			continue;
 		}
 
 		/* try white-list */
-		if (efi_signature_verify_with_sigdb(regs, msg, db, dbx))
-			continue;
+		if (efi_signature_verify(regs, msg, db, dbx)) {
+			ret = true;
+			break;
+		}
 
 		debug("Signature was not verified by \"db\"\n");
 
-		if (efi_signature_lookup_digest(regs, db))
-			continue;
+		if (efi_signature_lookup_digest(regs, db)) {
+			ret = true;
+			break;
+		}
 
 		debug("Image's digest was not found in \"db\" or \"dbx\"\n");
-		goto err;
 	}
-	ret = true;
 
 err:
 	efi_sigstore_free(db);
author	Tom Rini <trini@konsulko.com>	2020-08-15 09:01:01 -0400
committer	Tom Rini <trini@konsulko.com>	2020-08-15 09:01:01 -0400
commit	789bfb52668ee609b2043de645e2f94bbd24fd1f (patch)
tree	168ecaa3ef75f85141d3586b2447c6a8f3a7af32 /lib/efi_loader/efi_image_loader.c
parent	c0192950dfcd82035a928de32c24335f3d2c0f7a (diff)
parent	a4bda5ebab8246004caaca2e17bc865d265bf57a (diff)