sbvarsign: use SignedData instead of PKCS7 for authenticated updates

The EFI standard is ambiguous about which one to use for variable
updates (it is definite about using PKCS7 for signed binaries).  Until
recently, the reference platform, tianocore, accepted both.  However
after patch

commit c035e37335ae43229d7e68de74a65f2c01ebc0af
Author: Zhang Lubo <lubo.zhang@intel.com>
Date:   Thu Jan 5 14:58:05 2017 +0800

    SecurityPkg: enhance secure boot Config Dxe & Time Based AuthVariable.

The acceptance of PKCS7 got broken.  This breakage seems to be
propagating to the UEFI ecosystem, so update the variable signing
tools to emit the SignedData type (which all previous EFI
implementations accepted).

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
This commit is contained in:
James Bottomley 2019-01-09 15:52:34 -08:00
parent 704d2c2506
commit 73a13fb7e3

View file

@ -269,7 +269,7 @@ static int add_auth_descriptor(struct varsign_context *ctx)
return -1; return -1;
} }
len = i2d_PKCS7(p7, NULL); len = i2d_PKCS7_SIGNED(p7->d.sign, NULL);
/* set up our auth descriptor */ /* set up our auth descriptor */
@ -281,7 +281,7 @@ static int add_auth_descriptor(struct varsign_context *ctx)
auth->AuthInfo.Hdr.wCertificateType = 0x0EF1; auth->AuthInfo.Hdr.wCertificateType = 0x0EF1;
auth->AuthInfo.CertType = cert_pkcs7_guid; auth->AuthInfo.CertType = cert_pkcs7_guid;
tmp = auth->AuthInfo.CertData; tmp = auth->AuthInfo.CertData;
i2d_PKCS7(p7, &tmp); i2d_PKCS7_SIGNED(p7->d.sign, &tmp);
ctx->auth_descriptor = auth; ctx->auth_descriptor = auth;
ctx->auth_descriptor_len = sizeof(*auth) + len; ctx->auth_descriptor_len = sizeof(*auth) + len;