sbvarsign: use SignedData instead of PKCS7 for authenticated updates
The EFI standard is ambiguous about which one to use for variable updates (it is definite about using PKCS7 for signed binaries). Until recently, the reference platform, tianocore, accepted both. However after patch commit c035e37335ae43229d7e68de74a65f2c01ebc0af Author: Zhang Lubo <lubo.zhang@intel.com> Date: Thu Jan 5 14:58:05 2017 +0800 SecurityPkg: enhance secure boot Config Dxe & Time Based AuthVariable. The acceptance of PKCS7 got broken. This breakage seems to be propagating to the UEFI ecosystem, so update the variable signing tools to emit the SignedData type (which all previous EFI implementations accepted). Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
This commit is contained in:
parent
704d2c2506
commit
73a13fb7e3
1 changed files with 2 additions and 2 deletions
|
@ -269,7 +269,7 @@ static int add_auth_descriptor(struct varsign_context *ctx)
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
len = i2d_PKCS7(p7, NULL);
|
len = i2d_PKCS7_SIGNED(p7->d.sign, NULL);
|
||||||
|
|
||||||
|
|
||||||
/* set up our auth descriptor */
|
/* set up our auth descriptor */
|
||||||
|
@ -281,7 +281,7 @@ static int add_auth_descriptor(struct varsign_context *ctx)
|
||||||
auth->AuthInfo.Hdr.wCertificateType = 0x0EF1;
|
auth->AuthInfo.Hdr.wCertificateType = 0x0EF1;
|
||||||
auth->AuthInfo.CertType = cert_pkcs7_guid;
|
auth->AuthInfo.CertType = cert_pkcs7_guid;
|
||||||
tmp = auth->AuthInfo.CertData;
|
tmp = auth->AuthInfo.CertData;
|
||||||
i2d_PKCS7(p7, &tmp);
|
i2d_PKCS7_SIGNED(p7->d.sign, &tmp);
|
||||||
|
|
||||||
ctx->auth_descriptor = auth;
|
ctx->auth_descriptor = auth;
|
||||||
ctx->auth_descriptor_len = sizeof(*auth) + len;
|
ctx->auth_descriptor_len = sizeof(*auth) + len;
|
||||||
|
|
Loading…
Reference in a new issue