u-boot/lib
Ilias Apalodimas 54cebe8a3a efi_loader: fix dual signed image certification
The EFI spec allows for images to carry multiple signatures. Currently
we don't adhere to the verification process for such images.

The spec says:
"Multiple signatures are allowed to exist in the binary's certificate
table (as per PE/COFF Section "Attribute Certificate Table"). Only one
hash or signature is required to be present in db in order to pass
validation, so long as neither the SHA-256 hash of the binary nor any
present signature is reflected in dbx."

With our current implementation signing the image with two certificates
and inserting both of them in db and one of them dbx doesn't always reject
the image.  The rejection depends on the order that the image was signed
and the order the certificates are read (and checked) in db.

While at it move the sha256 hash verification outside the signature
checking loop, since it only needs to run once per image and get simplify
the logic for authenticating an unsigned imahe using sha256 hashes.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2022-02-11 20:07:55 +01:00
..
acpi acpi: Move MCFG implementation to common lib 2022-02-09 12:30:13 -07:00
aes tools: avoid OpenSSL deprecation warnings 2021-12-26 06:57:20 +01:00
at91 SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
blake2 lib: add BLAKE2 hash support 2022-01-18 08:31:02 -05:00
bzip2 common: Drop log.h from common header 2020-05-18 21:19:18 -04:00
crypt Kconfig: Drop duplicate 'select SHA512' instances 2021-09-09 11:11:33 -04:00
crypto lib/crypto: Enable more algorithms in cert verification 2022-01-19 16:16:33 +01:00
dhry global: Convert simple_strtoul() with decimal to dectoul() 2021-08-02 13:32:14 -04:00
ecdsa image: Return destination node for add_verify_data() method 2022-01-26 08:50:44 -07:00
efi doc: replace @return by Return: 2022-01-19 18:11:34 +01:00
efi_driver efi: Rename UCLASS_EFI and IF_TYPE_EFI 2021-12-09 11:43:25 -08:00
efi_loader efi_loader: fix dual signed image certification 2022-02-11 20:07:55 +01:00
efi_selftest efi_selftest: merge FDT and RISC-V tests 2022-02-05 20:20:01 +01:00
libavb common: Drop log.h from common header 2020-05-18 21:19:18 -04:00
libfdt fdt_region: move fdt_region.c to common/ from lib/libfdt/ 2020-04-26 14:23:55 -06:00
lzma treewide: Use 16-bit Unicode strings 2022-02-03 15:53:28 -05:00
lzo SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
optee fdtdec: Support reserved-memory flags 2021-10-13 14:18:30 -07:00
rsa rsa: adds rsa3072 algorithm 2022-01-28 17:58:41 -05:00
tizen SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
zlib common: Drop asm/global_data.h from common header 2021-02-02 15:33:42 -05:00
zstd doc: replace @return by Return: 2022-01-19 18:11:34 +01:00
.gitignore lib: ignore oid_registry_data.c file 2020-01-22 17:47:57 -05:00
abuf.c Add support for an owned buffer 2021-10-08 15:53:26 -04:00
addr_map.c lib: addr_map: Move address_map[] type to the header file 2021-03-05 10:25:43 +05:30
aes.c lib: aes: build failure with DEBUG=1 2021-01-16 19:17:11 -05:00
asm-offsets.c arm64: Add missing GD_FLG_SKIP_RELOC handling 2021-11-18 18:20:19 -05:00
asn1_decoder.c common: Drop log.h from common header 2020-05-18 21:19:18 -04:00
bch.c common: Drop log.h from common header 2020-05-18 21:19:18 -04:00
binman.c doc: replace @return by Return: 2022-01-19 18:11:34 +01:00
bitrev.c lib: bitrev: Sync with Linux kernel v4.17 2018-09-18 00:01:18 -06:00
charset.c lib/charset: UTF-8 stream conversion 2021-03-07 17:37:13 +01:00
circbuf.c common: Drop log.h from common header 2020-05-18 21:19:18 -04:00
crc7.c lib: add crc7 from Linux 2011-01-18 23:38:08 +01:00
crc8.c common: Drop linux/crc8.h 2019-12-02 18:23:07 -05:00
crc16.c Roll CRC16-CCITT into the hash infrastructure 2018-12-08 20:18:44 -05:00
crc32.c crc32: Add crc32 implementation using __builtin_aarch64_crc32b 2021-09-23 14:15:32 -04:00
crc32c.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
ctype.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
date.c lib: remove superfluous #ifdefs from date.c 2021-07-12 20:30:48 +02:00
display_options.c version: Move version_string[] from version.h to version_string.h 2021-09-17 12:10:44 -04:00
div64.c common: Drop linux/bitops.h from common header 2020-05-18 21:19:23 -04:00
elf.c lib: elf: Move the generic elf loading/validating functions to lib 2020-03-03 13:08:14 +05:30
errno_str.c lib: errno: sync error codes 2019-10-31 07:22:53 -04:00
errno.c sandbox: errno: avoid conflict with libc's errno 2021-05-24 14:21:30 -04:00
fdt-libcrypto.c lib/rsa: Make fdt_add_bignum() available outside of RSA code 2021-04-14 15:06:08 -04:00
fdtdec_common.c common: Drop log.h from common header 2020-05-18 21:19:18 -04:00
fdtdec_test.c fdtdec: Support reserved-memory flags 2021-10-13 14:18:30 -07:00
fdtdec.c doc: replace @return by Return: 2022-01-19 18:11:34 +01:00
getopt.c lib: Add getopt 2020-10-30 10:56:11 -04:00
gunzip.c gzip: Avoid use of u64 2021-10-08 15:53:26 -04:00
gzip.c common: Move gzip functions into a new gzip header 2019-08-11 16:43:41 -04:00
hang.c serial: Rename SERIAL_SUPPORT to SERIAL 2021-09-04 12:26:01 -04:00
hash-checksum.c image: Drop unnecessary #ifdefs from image.h 2021-10-08 15:53:27 -04:00
hashtable.c env: Allow returning errors from hdelete_r() 2020-12-04 16:09:06 -05:00
hexdump.c hexdump: Allow ctrl-c to interrupt output 2021-06-08 11:39:09 -04:00
image-sparse.c lib: sparse: Make CHUNK_TYPE_RAW buffer aligned 2022-01-14 12:26:30 -05:00
Kconfig acpi refactoring to allow non-x86 use 2022-01-27 14:14:47 -05:00
ldiv.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
linux_compat.c common: Drop net.h from common header 2020-05-18 17:33:31 -04:00
linux_string.c Make linux kernel string funcs available to tools 2012-12-13 11:46:07 -07:00
list_sort.c common: Drop log.h from common header 2020-05-18 21:19:18 -04:00
lmb.c lmb: Reserve U-Boot separately if relocation is disabled 2021-11-18 18:20:19 -05:00
lz4_wrapper.c lz4: Use a private header for U-Boot 2021-10-09 13:09:56 -04:00
lz4.c SPDX: Convert a few files that were missed before 2018-05-10 20:38:35 -04:00
Makefile acpi refactoring to allow non-x86 use 2022-01-27 14:14:47 -05:00
md5.c Prepare v2021.10-rc4 2021-09-16 10:29:40 -04:00
membuff.c common: Drop log.h from common header 2020-05-18 21:19:18 -04:00
net_utils.c global: Convert simple_strtoul() with decimal to dectoul() 2021-08-02 13:32:14 -04:00
of_live.c doc: replace @return by Return: 2022-01-19 18:11:34 +01:00
oid_registry.c lib: add oid registry utility 2019-12-06 16:44:20 -05:00
panic.c common: Drop linux/delay.h from common header 2020-05-18 21:19:23 -04:00
physmem.c common: Drop log.h from common header 2020-05-18 21:19:18 -04:00
qsort.c common: Drop log.h from common header 2020-05-18 21:19:18 -04:00
rand.c common: Move random-number functions into their own header 2019-12-02 18:23:07 -05:00
rational.c lib: rational: copy the rational fraction lib routines from Linux 2021-06-11 16:34:52 +05:30
rbtree.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
rc4.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
rtc-lib.c lib: move rtc-lib.c to lib 2021-07-14 16:57:35 -04:00
sha1.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
sha256.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
sha512.c lib: Drop SHA512_ALGO in lieu of SHA512 2021-09-08 16:11:46 -04:00
slre.c common: Drop log.h from common header 2020-05-18 21:19:18 -04:00
smbios-parser.c efi_loader: add SMBIOS table measurement 2021-10-26 17:58:14 +02:00
smbios.c smbios: error handling for invalid addresses 2021-07-24 10:49:51 +02:00
sscanf.c xen: Code style conformity 2020-08-24 14:11:31 -04:00
string.c lib: Add memdup() 2021-10-08 15:53:26 -04:00
strto.c doc: replace @return by Return: 2022-01-19 18:11:34 +01:00
tables_csum.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
time.c Finish conversion of CONFIG_SYS_CLK_FREQ to Kconfig 2021-12-27 16:20:18 -05:00
tiny-printf.c net: Rename SPL_NET_SUPPORT to SPL_NET 2021-09-04 12:48:53 -04:00
tpm_api.c tpm: Add TPM2 support for write_lock 2021-03-02 15:53:37 -05:00
tpm-common.c tpm: Check outgoing command size 2021-07-15 18:42:05 -04:00
tpm-utils.h doc: replace @return by Return: 2022-01-19 18:11:34 +01:00
tpm-v1.c cmd: tpm-v1: fix load_key_by_sha1 compile errors 2021-11-17 13:47:27 +02:00
tpm-v2.c tpm: use more algorithms than sha256 on pcr_read 2021-11-30 09:23:49 +01:00
trace.c treewide: Convert macro and uses of __section(foo) to __section("foo") 2021-05-24 14:21:30 -04:00
uuid.c lib: allow printing RISC-V EFI Boot Protocol GUID 2022-01-29 10:23:40 +01:00
vsprintf.c lib: fix snprintf() for UTF-16 strings 2022-02-05 20:20:01 +01:00
xxhash.c lib: Add xxhash support 2019-05-05 08:48:50 -04:00