From: Ilias Apalodimas
To: xypron.glpk@gmx.de, takahiro.akashi@linaro.org
Cc: Ilias Apalodimas, Alexander Graf, u-boot@lists.denx.de
Subject: [PATCH 2/2 v2] efi_loader: Ignore sha1 on signature verification
Date: Wed, 19 Jan 2022 13:54:42 +0200
Message-Id: <20220119115443.373264-2-ilias.apalodimas@linaro.org>
In-Reply-To: <20220119115443.373264-1-ilias.apalodimas@linaro.org>
References: <20220119115443.373264-1-ilias.apalodimas@linaro.org>

Since SHA1 has known collisions, disable it on EFI verification for variables and executables

Signed-off-by: Ilias Apalodimas

--- lib/efi_loader/efi_signature.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 6e3ee3c0c004..1903adc89ed0 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -476,6 +476,11 @@ bool efi_signature_verify(struct efi_image_regions *regs, if (ret < 0 || !signer) goto out; + if (!strcmp(signer->sig->hash_algo, "sha1")) { + pr_err("SHA1 support is disabled for EFI\n"); + goto out; + } + if (sinfo->blacklisted) goto out; -- 2.30.2
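
Review bot: the added `strcmp(signer->sig->hash_algo, "sha1")` in the `@@ -476,6 +476,11 @@` hunk dereferences `signer->sig` and `signer->sig->hash_algo`, while the test just above it only establishes that `signer` itself is non-NULL (`if (ret < 0 || !signer)`). If either field can be unset for a certificate that reaches this point, this is a NULL dereference in the verification path. Suggest checking both before the comparison and failing closed, that is, taking `goto out` when `signer->sig` or `hash_algo` is missing, not skipping the SHA1 test. Two smaller points: the check looks only at the signer's `hash_algo`, and `sinfo` is in scope here (see `sinfo->blacklisted` right after), so it is worth confirming whether the digest recorded on the signed info needs the same rejection for the commit message's "variables and executables" to hold; and the `pr_err()` text does not say which signature was rejected, which makes a failed boot harder to diagnose from the log.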