From 73a13fb7e3264d8d9be7c7aa713016ce810ebe71 Mon Sep 17 00:00:00 2001 From: James Bottomley Date: Wed, 9 Jan 2019 15:52:34 -0800 Subject: [PATCH] sbvarsign: use SignedData instead of PKCS7 for authenticated updates The EFI standard is ambiguous about which one to use for variable updates (it is definite about using PKCS7 for signed binaries). Until recently, the reference platform, tianocore, accepted both. However after patch commit c035e37335ae43229d7e68de74a65f2c01ebc0af Author: Zhang Lubo Date: Thu Jan 5 14:58:05 2017 +0800 SecurityPkg: enhance secure boot Config Dxe & Time Based AuthVariable. The acceptance of PKCS7 got broken. This breakage seems to be propagating to the UEFI ecosystem, so update the variable signing tools to emit the SignedData type (which all previous EFI implementations accepted). Signed-off-by: James Bottomley --- src/sbvarsign.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/sbvarsign.c b/src/sbvarsign.c index 7dcbe51..ebf625c 100644 --- a/src/sbvarsign.c +++ b/src/sbvarsign.c @@ -269,7 +269,7 @@ static int add_auth_descriptor(struct varsign_context *ctx) return -1; } - len = i2d_PKCS7(p7, NULL); + len = i2d_PKCS7_SIGNED(p7->d.sign, NULL); /* set up our auth descriptor */ @@ -281,7 +281,7 @@ static int add_auth_descriptor(struct varsign_context *ctx) auth->AuthInfo.Hdr.wCertificateType = 0x0EF1; auth->AuthInfo.CertType = cert_pkcs7_guid; tmp = auth->AuthInfo.CertData; - i2d_PKCS7(p7, &tmp); + i2d_PKCS7_SIGNED(p7->d.sign, &tmp); ctx->auth_descriptor = auth; ctx->auth_descriptor_len = sizeof(*auth) + len;