diff options
author | AKASHI Takahiro <takahiro.akashi@linaro.org> | 2020-08-14 14:39:23 +0900 |
---|---|---|
committer | Heinrich Schuchardt <xypron.glpk@gmx.de> | 2020-08-14 12:28:25 +0200 |
commit | 52956e535e65c852b1f95d2ca5044cb7c4fc6bbe (patch) | |
tree | 2e7e3317e17608b7c7c4c003fa15477b52d5b7b4 /test/py/pytest.ini | |
parent | f68a6d583578799ec2011476ebd1e10590c6eb3c (diff) |
efi_loader: signature: correct a behavior against multiple signatures
Under the current implementation, all the signatures, if any, in
a signed image must be verified before loading it.
Meanwhile, UEFI specification v2.8b section 32.5.3.3 says,
Multiple signatures are allowed to exist in the binary’s certificate
table (as per PE/COFF Section “Attribute Certificate Table”). Only
one hash or signature is required to be present in db in order to pass
validation, so long as neither the SHA-256 hash of the binary nor any
present signature is reflected in dbx.
This patch makes the semantics of signature verification compliant with
the specification mentioned above.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Diffstat (limited to 'test/py/pytest.ini')
0 files changed, 0 insertions, 0 deletions