From patchwork Wed Jan 19 11:54:42 2022
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 533270
From: Ilias Apalodimas
To: xypron.glpk@gmx.de, takahiro.akashi@linaro.org
Cc: Ilias Apalodimas, Alexander Graf, u-boot@lists.denx.de
Subject: [PATCH 2/2 v2] efi_loader: Ignore sha1 on signature verification
Date: Wed, 19 Jan 2022 13:54:42 +0200
Message-Id: <20220119115443.373264-2-ilias.apalodimas@linaro.org>
In-Reply-To: <20220119115443.373264-1-ilias.apalodimas@linaro.org>
References: <20220119115443.373264-1-ilias.apalodimas@linaro.org>

Since SHA1 has known collisions, disable it on EFI verification for variables and executables

Signed-off-by: Ilias Apalodimas

--- lib/efi_loader/efi_signature.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 6e3ee3c0c004..1903adc89ed0 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -476,6 +476,11 @@ bool efi_signature_verify(struct efi_image_regions *regs, if (ret < 0 || !signer) goto out; + if (!strcmp(signer->sig->hash_algo, "sha1")) { + pr_err("SHA1 support is disabled for EFI\n"); + goto out; + } + if (sinfo->blacklisted) goto out;
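
Review bot: The new strcmp() in efi_signature_verify() dereferences signer->sig and signer->sig->hash_algo, but the check directly above it ("if (ret < 0 || !signer)") only covers ret and signer. If either field can be unset on this path, test both before the comparison and treat a missing algorithm as a rejection too, so the function fails closed instead of faulting. The comparison also looks only at the hash algorithm recorded on signer; sinfo is in scope two lines later, and since the commit message says SHA1 is disabled for both variables and executables, please confirm that a SHA1 digest carried by sinfo itself cannot reach the success path. Finally, matching the single string "sha1" is a denylist: an allowlist of accepted hash_algo values would be easier to audit, and the pr_err() text could name which certificate or signature was refused so the rejection is diagnosable from the log.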