From 7926dfb579cb17efc62ede2ce6d5c0a6f7e2f855 Mon Sep 17 00:00:00 2001
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
Date: Wed, 8 Jul 2020 14:01:57 +0900
Subject: efi_loader: image_loader: add digest-based verification for signed
 image

In case that a type of certificate in "db" or "dbx" is
EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains
a public key for RSA decryption, but a digest of image to be loaded.
If the value matches to a value calculated from a given binary image, it is
granted for loading.

With this patch, common digest check code, which used to be used for
unsigned image verification, will be extracted from
efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and
extra step for digest check will be added to efi_image_authenticate().

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 include/efi_loader.h | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'include')

diff --git a/include/efi_loader.h b/include/efi_loader.h
index 2f9fb112b34..ceabbaadd0f 100644
--- a/include/efi_loader.h
+++ b/include/efi_loader.h
@@ -765,6 +765,8 @@ struct efi_signature_store {
 struct x509_certificate;
 struct pkcs7_message;
 
+bool efi_signature_lookup_digest(struct efi_image_regions *regs,
+				 struct efi_signature_store *db);
 bool efi_signature_verify_one(struct efi_image_regions *regs,
 			      struct pkcs7_message *msg,
 			      struct efi_signature_store *db);
-- 
cgit v1.2.3