From mboxrd@z Thu Jan 1 00:00:00 1970 From: Heinrich Schuchardt Date: Fri, 17 Jan 2020 06:37:39 +0100 Subject: [PATCH v4 03/16] efi_loader: add signature verification functions In-Reply-To: <20200117021959.GJ28530@linaro.org> References: <20191218004512.24939-1-takahiro.akashi@linaro.org> <20191218004512.24939-4-takahiro.akashi@linaro.org> <2a71eab4-8acf-b849-b632-163cb4dbdfe8@gmx.de> <20200117021959.GJ28530@linaro.org> Message-ID: List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit To: u-boot@lists.denx.de On 1/17/20 3:20 AM, AKASHI Takahiro wrote: > On Wed, Jan 15, 2020 at 01:13:36AM +0100, Heinrich Schuchardt wrote: >> On 1/15/20 12:43 AM, Heinrich Schuchardt wrote: >>> On 12/18/19 1:44 AM, AKASHI Takahiro wrote: > (snip) >>>> diff --git a/lib/efi_loader/efi_signature.c >>>> b/lib/efi_loader/efi_signature.c >>>> new file mode 100644 >>>> index 000000000000..823d3311e010 >>>> --- /dev/null >>>> +++ b/lib/efi_loader/efi_signature.c 
>>>> @@ -0,0 +1,584 @@ >>>> +// SPDX-License-Identifier: GPL-2.0+ >>>> +/* >>>> + * Copyright (c) 2018 Patrick Wildt >>>> + * Copyright (c) 2019 Linaro Limited, Author: AKASHI Takahiro >>>> + */ >>>> + >>>> +#include >>>> +#include >>>> +#include >>>> +#include >>>> +#include >>>> +#include >>>> +#include >>>> +#include >>>> +#include >>>> +#include >>>> +#include >>>> +/* >>>> + * avoid duplicated inclusion: >>>> + * #include "../lib/crypto/x509_parser.h" >>>> + */ >>>> +#include "../lib/crypto/pkcs7_parser.h" >>>> + >>>> +const efi_guid_t efi_guid_image_security_database = >>>> +        EFI_IMAGE_SECURITY_DATABASE_GUID; >>>> +const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID; >>>> +const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID; >>>> +const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID; >>>> +const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID; >>>> + >>>> +#ifdef CONFIG_EFI_SECURE_BOOT >> >> This is the #ifdef to move to the Makefile. In the previous mail I got >> into the wrong line. > > No. > As you can see, those guids may also be referred to by other files > (see efi_variable.c and cmd/nvedit_efi.c) > even in !EFI_SECURE_BOOT case, and I think that this file is best fit > for them. 
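Review bot: the five `efi_guid_*` definitions are placed above `#ifdef CONFIG_EFI_SECURE_BOOT`, so they are compiled into every build while the remainder of the file is conditional, yet nothing in the hunk documents which other translation unit needs them unconditionally. If the only users are include/efi_loader.h and efi_signature.c itself (which is what the git grep output later in this thread shows), the in-file conditional buys nothing and the object could instead be built only when CONFIG_EFI_SECURE_BOOT is set, via the Makefile, as already suggested in this thread; otherwise a one-line comment above the definitions naming the external users would settle the question for future readers. On the same hunk, the `avoid duplicated inclusion` comment for x509_parser.h should say which header already provides it, since `#include "../lib/crypto/pkcs7_parser.h"` reaches into another subtree by relative path and that dependency deserves to be spelled out.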
I cannot find any of these guids in any other C file after applying all
patches from
https://patchwork.ozlabs.org/project/uboot/list/?series=&submitter=61166&state=&q=&archive=&delegate=

git grep -n efi_guid_sha256
include/efi_loader.h:185:extern const efi_guid_t efi_guid_sha256;
lib/efi_loader/efi_signature.c:26:const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID;
lib/efi_loader/efi_signature.c:252: if (guidcmp(&siglist->sig_type, &efi_guid_sha256)) {
lib/efi_loader/efi_signature.c:27:const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID;

git grep -n efi_guid_cert_x509
include/efi_loader.h:186:extern const efi_guid_t efi_guid_cert_x509;
include/efi_loader.h:187:extern const efi_guid_t efi_guid_cert_x509_sha256;
lib/efi_loader/efi_signature.c:28:const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID;
lib/efi_loader/efi_signature.c:29:const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID;
lib/efi_loader/efi_signature.c:283: if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509)) {
lib/efi_loader/efi_signature.c:406: if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509_sha256)) {
include/efi_loader.h:187:extern const efi_guid_t efi_guid_cert_x509_sha256;
lib/efi_loader/efi_signature.c:29:const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID;
lib/efi_loader/efi_signature.c:406: if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509_sha256)) {

Best regards

Heinrich