
[2/2,v2] efi_loader: Ignore sha1 on signature verification

Message ID 20220119115443.373264-2-ilias.apalodimas@linaro.org
State New
Series [1/2,v2] lib/crypto: Enable more algorithms in cert verification

Commit Message

Ilias Apalodimas Jan. 19, 2022, 11:54 a.m. UTC
Since SHA1 has known collisions disable it on EFI verification for
variables and executables

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
 lib/efi_loader/efi_signature.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Ilias Apalodimas Jan. 19, 2022, 3:03 p.m. UTC | #1
Heinrich

Replying to myself here but...

On Wed, 19 Jan 2022 at 13:54, Ilias Apalodimas
<ilias.apalodimas@linaro.org> wrote:
>
> Since SHA1 has known collisions disable it on EFI verification for
> variables and executables
>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
>  lib/efi_loader/efi_signature.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
> index 6e3ee3c0c004..1903adc89ed0 100644
> --- a/lib/efi_loader/efi_signature.c
> +++ b/lib/efi_loader/efi_signature.c
> @@ -476,6 +476,11 @@ bool efi_signature_verify(struct efi_image_regions *regs,
>                 if (ret < 0 || !signer)
>                         goto out;
>
> +               if (!strcmp(signer->sig->hash_algo, "sha1")) {
> +                       pr_err("SHA1 support is disabled for EFI\n");
> +                       goto out;
> +               }
> +
>                 if (sinfo->blacklisted)
>                         goto out;
>
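Review bot: `signer->sig->hash_algo` is dereferenced in the new `strcmp()` with no NULL check; the guard just above, `if (ret < 0 || !signer)`, only establishes that `signer` itself is non-NULL. If `signer->sig` or its `hash_algo` can be unset for a certificate that reaches this point, the comparison faults during verification instead of failing closed. Consider testing both pointers before the compare and treating a missing algorithm as a rejection, so the outcome is still `goto out`.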
> --
> 2.30.2
>

This patch gets the job done, but rejects the sha1 cert signed images
overall without checking db or dbx. Since I am planning to refactor
the secure boot checking sequence a bit, it would make more sense for
me to fix this in a less hacky way in upcoming patches. You can ofc
pick up 1/2 which is fixing an actual issue.

Cheers
/Ilias

Patch

diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
index 6e3ee3c0c004..1903adc89ed0 100644
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@@ -476,6 +476,11 @@  bool efi_signature_verify(struct efi_image_regions *regs,
 		if (ret < 0 || !signer)
 			goto out;
 
+		if (!strcmp(signer->sig->hash_algo, "sha1")) {
+			pr_err("SHA1 support is disabled for EFI\n");
+			goto out;
+		}
+
 		if (sinfo->blacklisted)
 			goto out;
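Review bot: The literal "sha1" compare in the added block is undocumented policy: nothing at the call site says why this one algorithm is refused, and the `pr_err()` text does not identify which signer or which object (image or variable) was rejected. A short comment citing the collision concern from the commit message, plus a message that names what was refused, would make a failed verification diagnosable from the log. The new `goto out` also runs before the `sinfo->blacklisted` test, so a SHA1 signer is logged as "SHA1 support is disabled" even when it would have been rejected as blacklisted anyway; state in the comment whether that ordering is intended.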