Get rid of unused patches.
Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
parent
b20ba9cc96
commit
2d3b876a4b
@ -1,146 +0,0 @@
|
|||||||
From be73f6bd4f064015c9f12323e2fb2f51b8cdb631 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Tue, 22 Oct 2013 13:36:54 -0400
|
|
||||||
Subject: [PATCH 2/5] Don't reject all binaries without a certificate database.
|
|
||||||
|
|
||||||
If a binary isn't signed, but its hash is enrolled in db, it won't have
|
|
||||||
a certificate database. So in those cases, don't check it against
|
|
||||||
certificate databases in db/dbx/etc, but we don't need to reject it
|
|
||||||
outright.
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
shim.c | 70 +++++++++++++++++++++++++++++++++++-------------------------------
|
|
||||||
1 file changed, 37 insertions(+), 33 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/shim.c b/shim.c
|
|
||||||
index 58136db..3d1febb 100644
|
|
||||||
--- a/shim.c
|
|
||||||
+++ b/shim.c
|
|
||||||
@@ -371,8 +371,8 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
|
|
||||||
SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID) ==
|
|
||||||
DATA_FOUND)
|
|
||||||
return EFI_ACCESS_DENIED;
|
|
||||||
- if (check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
|
|
||||||
- sha256hash) == DATA_FOUND)
|
|
||||||
+ if (cert && check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
|
|
||||||
+ sha256hash) == DATA_FOUND)
|
|
||||||
return EFI_ACCESS_DENIED;
|
|
||||||
|
|
||||||
if (check_db_hash(L"dbx", secure_var, sha256hash, SHA256_DIGEST_SIZE,
|
|
||||||
@@ -381,7 +381,8 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
|
|
||||||
if (check_db_hash(L"dbx", secure_var, sha1hash, SHA1_DIGEST_SIZE,
|
|
||||||
EFI_CERT_SHA1_GUID) == DATA_FOUND)
|
|
||||||
return EFI_ACCESS_DENIED;
|
|
||||||
- if (check_db_cert(L"dbx", secure_var, cert, sha256hash) == DATA_FOUND)
|
|
||||||
+ if (cert && check_db_cert(L"dbx", secure_var, cert, sha256hash) ==
|
|
||||||
+ DATA_FOUND)
|
|
||||||
return EFI_ACCESS_DENIED;
|
|
||||||
|
|
||||||
return EFI_SUCCESS;
|
|
||||||
@@ -414,7 +415,8 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
|
|
||||||
update_verification_method(VERIFIED_BY_HASH);
|
|
||||||
return EFI_SUCCESS;
|
|
||||||
}
|
|
||||||
- if (check_db_cert(L"db", secure_var, cert, sha256hash) == DATA_FOUND) {
|
|
||||||
+ if (cert && check_db_cert(L"db", secure_var, cert, sha256hash)
|
|
||||||
+ == DATA_FOUND) {
|
|
||||||
verification_method = VERIFIED_BY_CERT;
|
|
||||||
update_verification_method(VERIFIED_BY_CERT);
|
|
||||||
return EFI_SUCCESS;
|
|
||||||
@@ -427,7 +429,8 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
|
|
||||||
update_verification_method(VERIFIED_BY_HASH);
|
|
||||||
return EFI_SUCCESS;
|
|
||||||
}
|
|
||||||
- if (check_db_cert(L"MokList", shim_var, cert, sha256hash) == DATA_FOUND) {
|
|
||||||
+ if (cert && check_db_cert(L"MokList", shim_var, cert, sha256hash) ==
|
|
||||||
+ DATA_FOUND) {
|
|
||||||
verification_method = VERIFIED_BY_CERT;
|
|
||||||
update_verification_method(VERIFIED_BY_CERT);
|
|
||||||
return EFI_SUCCESS;
|
|
||||||
@@ -712,25 +715,24 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
|
|
||||||
UINT8 sha256hash[SHA256_DIGEST_SIZE];
|
|
||||||
UINT8 sha1hash[SHA1_DIGEST_SIZE];
|
|
||||||
EFI_STATUS status = EFI_ACCESS_DENIED;
|
|
||||||
- WIN_CERTIFICATE_EFI_PKCS *cert;
|
|
||||||
+ WIN_CERTIFICATE_EFI_PKCS *cert = NULL;
|
|
||||||
unsigned int size = datasize;
|
|
||||||
|
|
||||||
- if (context->SecDir->Size == 0) {
|
|
||||||
- Print(L"Empty security header\n");
|
|
||||||
- return EFI_INVALID_PARAMETER;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- cert = ImageAddress (data, size, context->SecDir->VirtualAddress);
|
|
||||||
+ if (context->SecDir->Size != 0) {
|
|
||||||
+ cert = ImageAddress (data, size,
|
|
||||||
+ context->SecDir->VirtualAddress);
|
|
||||||
|
|
||||||
- if (!cert) {
|
|
||||||
- Print(L"Certificate located outside the image\n");
|
|
||||||
- return EFI_INVALID_PARAMETER;
|
|
||||||
- }
|
|
||||||
+ if (!cert) {
|
|
||||||
+ Print(L"Certificate located outside the image\n");
|
|
||||||
+ return EFI_INVALID_PARAMETER;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- if (cert->Hdr.wCertificateType != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
|
|
||||||
- Print(L"Unsupported certificate type %x\n",
|
|
||||||
- cert->Hdr.wCertificateType);
|
|
||||||
- return EFI_UNSUPPORTED;
|
|
||||||
+ if (cert->Hdr.wCertificateType !=
|
|
||||||
+ WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
|
|
||||||
+ Print(L"Unsupported certificate type %x\n",
|
|
||||||
+ cert->Hdr.wCertificateType);
|
|
||||||
+ return EFI_UNSUPPORTED;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
status = generate_hash(data, datasize, context, sha256hash, sha1hash);
|
|
||||||
@@ -761,27 +763,29 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
|
|
||||||
if (status == EFI_SUCCESS)
|
|
||||||
return status;
|
|
||||||
|
|
||||||
- /*
|
|
||||||
- * Check against the shim build key
|
|
||||||
- */
|
|
||||||
- if (AuthenticodeVerify(cert->CertData,
|
|
||||||
+ if (cert) {
|
|
||||||
+ /*
|
|
||||||
+ * Check against the shim build key
|
|
||||||
+ */
|
|
||||||
+ if (AuthenticodeVerify(cert->CertData,
|
|
||||||
context->SecDir->Size - sizeof(cert->Hdr),
|
|
||||||
shim_cert, sizeof(shim_cert), sha256hash,
|
|
||||||
SHA256_DIGEST_SIZE)) {
|
|
||||||
- status = EFI_SUCCESS;
|
|
||||||
- return status;
|
|
||||||
- }
|
|
||||||
+ status = EFI_SUCCESS;
|
|
||||||
+ return status;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
|
|
||||||
- /*
|
|
||||||
- * And finally, check against shim's built-in key
|
|
||||||
- */
|
|
||||||
- if (AuthenticodeVerify(cert->CertData,
|
|
||||||
+ /*
|
|
||||||
+ * And finally, check against shim's built-in key
|
|
||||||
+ */
|
|
||||||
+ if (AuthenticodeVerify(cert->CertData,
|
|
||||||
context->SecDir->Size - sizeof(cert->Hdr),
|
|
||||||
vendor_cert, vendor_cert_size, sha256hash,
|
|
||||||
SHA256_DIGEST_SIZE)) {
|
|
||||||
- status = EFI_SUCCESS;
|
|
||||||
- return status;
|
|
||||||
+ status = EFI_SUCCESS;
|
|
||||||
+ return status;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
status = EFI_ACCESS_DENIED;
|
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
@ -1,30 +0,0 @@
|
|||||||
From 83b3a7cf6d4d4e91579864cfc75dadf2b7304da9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Mon, 28 Oct 2013 10:41:03 -0400
|
|
||||||
Subject: [PATCH 4/5] We should be checking both mok and the system's SB
|
|
||||||
settings
|
|
||||||
|
|
||||||
When we call hook_system_services(), we're currently only checking mok's
|
|
||||||
setting. We should use secure_mode() instead so it'll check both.
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
shim.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/shim.c b/shim.c
|
|
||||||
index 537177d..9d0d884 100644
|
|
||||||
--- a/shim.c
|
|
||||||
+++ b/shim.c
|
|
||||||
@@ -1718,7 +1718,7 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
|
|
||||||
/*
|
|
||||||
* Tell the user that we're in insecure mode if necessary
|
|
||||||
*/
|
|
||||||
- if (insecure_mode) {
|
|
||||||
+ if (!secure_mode()) {
|
|
||||||
Print(L"Booting in insecure mode\n");
|
|
||||||
uefi_call_wrapper(BS->Stall, 1, 2000000);
|
|
||||||
} else {
|
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
@ -1,54 +0,0 @@
|
|||||||
From 556c445ea19fc257fe35ac1a67477e7352ba3fcd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Wed, 30 Oct 2013 16:36:01 -0400
|
|
||||||
Subject: [PATCH 5/5] Don't free GetVariable() return data without checking the
|
|
||||||
status code.
|
|
||||||
|
|
||||||
This breaks every machine from before Secure Boot was a thing.
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
shim.c | 15 ++++++++++++---
|
|
||||||
1 file changed, 12 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/shim.c b/shim.c
|
|
||||||
index 9d0d884..0081342 100644
|
|
||||||
--- a/shim.c
|
|
||||||
+++ b/shim.c
|
|
||||||
@@ -456,21 +456,30 @@ static BOOLEAN secure_mode (void)
|
|
||||||
return FALSE;
|
|
||||||
|
|
||||||
status = get_variable(L"SecureBoot", &Data, &len, global_var);
|
|
||||||
+ if (status != EFI_SUCCESS) {
|
|
||||||
+ if (verbose)
|
|
||||||
+ console_notify(L"Secure boot not enabled\n");
|
|
||||||
+ return FALSE;
|
|
||||||
+ }
|
|
||||||
sb = *Data;
|
|
||||||
FreePool(Data);
|
|
||||||
|
|
||||||
- /* FIXME - more paranoia here? */
|
|
||||||
- if (status != EFI_SUCCESS || sb != 1) {
|
|
||||||
+ if (sb != 1) {
|
|
||||||
if (verbose)
|
|
||||||
console_notify(L"Secure boot not enabled\n");
|
|
||||||
return FALSE;
|
|
||||||
}
|
|
||||||
|
|
||||||
status = get_variable(L"SetupMode", &Data, &len, global_var);
|
|
||||||
+ if (status == EFI_SUCCESS) {
|
|
||||||
+ if (verbose)
|
|
||||||
+ console_notify(L"Platform is in setup mode\n");
|
|
||||||
+ return FALSE;
|
|
||||||
+ }
|
|
||||||
setupmode = *Data;
|
|
||||||
FreePool(Data);
|
|
||||||
|
|
||||||
- if (status == EFI_SUCCESS && setupmode == 1) {
|
|
||||||
+ if (setupmode == 1) {
|
|
||||||
if (verbose)
|
|
||||||
console_notify(L"Platform is in setup mode\n");
|
|
||||||
return FALSE;
|
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
File diff suppressed because one or more lines are too long
@ -1,63 +0,0 @@
|
|||||||
From d3a9d4e8404e0f402fb371066f0e405ed3cecc29 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
|
||||||
Date: Tue, 14 Aug 2012 06:50:00 -0400
|
|
||||||
Subject: [PATCH] Use the file size, not the image size field, for
|
|
||||||
verification.
|
|
||||||
|
|
||||||
---
|
|
||||||
shim.c | 11 ++++++-----
|
|
||||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/shim.c b/shim.c
|
|
||||||
index 2d9044d..6a3c054 100644
|
|
||||||
--- a/shim.c
|
|
||||||
+++ b/shim.c
|
|
||||||
@@ -555,7 +555,7 @@ done:
|
|
||||||
/*
|
|
||||||
* Read the binary header and grab appropriate information from it
|
|
||||||
*/
|
|
||||||
-static EFI_STATUS read_header(void *data,
|
|
||||||
+static EFI_STATUS read_header(void *data, unsigned int datasize,
|
|
||||||
PE_COFF_LOADER_IMAGE_CONTEXT *context)
|
|
||||||
{
|
|
||||||
EFI_IMAGE_DOS_HEADER *DosHdr = data;
|
|
||||||
@@ -590,7 +590,7 @@ static EFI_STATUS read_header(void *data,
|
|
||||||
context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER));
|
|
||||||
context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY];
|
|
||||||
|
|
||||||
- if (context->SecDir->VirtualAddress >= context->ImageSize) {
|
|
||||||
+ if (context->SecDir->VirtualAddress >= datasize) {
|
|
||||||
Print(L"Malformed security header\n");
|
|
||||||
return EFI_INVALID_PARAMETER;
|
|
||||||
}
|
|
||||||
@@ -606,7 +606,8 @@ static EFI_STATUS read_header(void *data,
|
|
||||||
/*
|
|
||||||
* Once the image has been loaded it needs to be validated and relocated
|
|
||||||
*/
|
|
||||||
-static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
|
|
||||||
+static EFI_STATUS handle_grub (void *data, unsigned int datasize,
|
|
||||||
+ EFI_LOADED_IMAGE *li)
|
|
||||||
{
|
|
||||||
EFI_STATUS efi_status;
|
|
||||||
char *buffer;
|
|
||||||
@@ -615,7 +616,7 @@ static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
|
|
||||||
char *base, *end;
|
|
||||||
PE_COFF_LOADER_IMAGE_CONTEXT context;
|
|
||||||
|
|
||||||
- efi_status = read_header(data, &context);
|
|
||||||
+ efi_status = read_header(data, datasize, &context);
|
|
||||||
if (efi_status != EFI_SUCCESS) {
|
|
||||||
Print(L"Failed to read header\n");
|
|
||||||
return efi_status;
|
|
||||||
@@ -843,7 +844,7 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
|
|
||||||
if (!secure_mode())
|
|
||||||
return EFI_SUCCESS;
|
|
||||||
|
|
||||||
- status = read_header(buffer, &context);
|
|
||||||
+ status = read_header(buffer, size, &context);
|
|
||||||
|
|
||||||
if (status != EFI_SUCCESS)
|
|
||||||
return status;
|
|
||||||
--
|
|
||||||
1.7.11.2
|
|
||||||
|
|
@ -1,129 +0,0 @@
|
|||||||
From be817236507a104ec9b0e8be57daab0e2bab40ce Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Mon, 13 Aug 2012 17:06:46 -0400
|
|
||||||
Subject: [PATCH] Allow specification of vendor_cert through a build command
|
|
||||||
line option.
|
|
||||||
|
|
||||||
This allows you to specify the vendor_cert as a file on the command line
|
|
||||||
during build.
|
|
||||||
---
|
|
||||||
Makefile | 16 +++++++++++-----
|
|
||||||
cert.S | 32 ++++++++++++++++++++++++++++++++
|
|
||||||
cert.h | 1 -
|
|
||||||
shim.c | 6 +++---
|
|
||||||
4 files changed, 46 insertions(+), 9 deletions(-)
|
|
||||||
create mode 100644 cert.S
|
|
||||||
delete mode 100644 cert.h
|
|
||||||
|
|
||||||
diff --git a/Makefile b/Makefile
|
|
||||||
index 1e3a020..66b105f 100644
|
|
||||||
--- a/Makefile
|
|
||||||
+++ b/Makefile
|
|
||||||
@@ -14,24 +14,30 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
|
|
||||||
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
|
|
||||||
EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
|
|
||||||
|
|
||||||
-
|
|
||||||
CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
|
|
||||||
-Wall -mno-red-zone \
|
|
||||||
$(EFI_INCLUDES)
|
|
||||||
ifeq ($(ARCH),x86_64)
|
|
||||||
CFLAGS += -DEFI_FUNCTION_WRAPPER
|
|
||||||
endif
|
|
||||||
+ifneq ($(origin VENDOR_CERT_FILE), undefined)
|
|
||||||
+ CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
|
|
||||||
+endif
|
|
||||||
+
|
|
||||||
LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
|
|
||||||
|
|
||||||
-TARGET = shim.efi
|
|
||||||
-OBJS = shim.o shim.so
|
|
||||||
-SOURCES = shim.c shim.h signature.h PeImage.h cert.h
|
|
||||||
+TARGET = shim.efi
|
|
||||||
+OBJS = shim.o cert.o
|
|
||||||
+SOURCES = shim.c shim.h signature.h PeImage.h
|
|
||||||
|
|
||||||
all: $(TARGET)
|
|
||||||
|
|
||||||
shim.o: $(SOURCES)
|
|
||||||
|
|
||||||
-shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
|
|
||||||
+cert.o : cert.S
|
|
||||||
+ $(CC) $(CFLAGS) -c -o $@ $<
|
|
||||||
+
|
|
||||||
+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o
|
|
||||||
$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
|
|
||||||
|
|
||||||
Cryptlib/libcryptlib.a:
|
|
||||||
diff --git a/cert.S b/cert.S
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..129bab5
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/cert.S
|
|
||||||
@@ -0,0 +1,32 @@
|
|
||||||
+#if defined(VENDOR_CERT_FILE)
|
|
||||||
+ .globl vendor_cert
|
|
||||||
+ .data
|
|
||||||
+ .align 16
|
|
||||||
+ .type vendor_cert, @object
|
|
||||||
+ .size vendor_cert_size, vendor_cert_size-vendor_cert
|
|
||||||
+vendor_cert:
|
|
||||||
+.incbin VENDOR_CERT_FILE
|
|
||||||
+
|
|
||||||
+ .globl vendor_cert_size
|
|
||||||
+ .data
|
|
||||||
+ .align 16
|
|
||||||
+ .type vendor_cert_size, @object
|
|
||||||
+ .size vendor_cert_size, 4
|
|
||||||
+vendor_cert_size:
|
|
||||||
+ .long vendor_cert_size - vendor_cert
|
|
||||||
+#else
|
|
||||||
+ .globl vendor_cert
|
|
||||||
+ .bss
|
|
||||||
+ .type vendor_cert, @object
|
|
||||||
+ .size vendor_cert, 1
|
|
||||||
+vendor_cert:
|
|
||||||
+ .zero 1
|
|
||||||
+
|
|
||||||
+ .globl vendor_cert_size
|
|
||||||
+ .data
|
|
||||||
+ .align 4
|
|
||||||
+ .type vendor_cert_size, @object
|
|
||||||
+ .size vendor_cert_size, 4
|
|
||||||
+vendor_cert_size:
|
|
||||||
+ .long 1
|
|
||||||
+#endif
|
|
||||||
diff --git a/cert.h b/cert.h
|
|
||||||
deleted file mode 100644
|
|
||||||
index 380bc04..0000000
|
|
||||||
--- a/cert.h
|
|
||||||
+++ /dev/null
|
|
||||||
@@ -1 +0,0 @@
|
|
||||||
-static UINT8 vendor_cert[] = {0x00};
|
|
||||||
diff --git a/shim.c b/shim.c
|
|
||||||
index fc3dafc..2d9044d 100644
|
|
||||||
--- a/shim.c
|
|
||||||
+++ b/shim.c
|
|
||||||
@@ -48,8 +48,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
|
|
||||||
/*
|
|
||||||
* The vendor certificate used for validating the second stage loader
|
|
||||||
*/
|
|
||||||
-
|
|
||||||
-#include "cert.h"
|
|
||||||
+extern UINT8 vendor_cert[];
|
|
||||||
+extern UINT32 vendor_cert_size;
|
|
||||||
|
|
||||||
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
|
|
||||||
|
|
||||||
@@ -535,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
|
|
||||||
|
|
||||||
if (!AuthenticodeVerify(cert->CertData,
|
|
||||||
context->SecDir->Size - sizeof(cert->Hdr),
|
|
||||||
- vendor_cert, sizeof(vendor_cert), hash,
|
|
||||||
+ vendor_cert, vendor_cert_size, hash,
|
|
||||||
SHA256_DIGEST_SIZE)) {
|
|
||||||
Print(L"Invalid signature\n");
|
|
||||||
status = EFI_ACCESS_DENIED;
|
|
||||||
--
|
|
||||||
1.7.11.2
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user