From bf7e97bd1cc19f38c754b40f2bb3dad53c9bf3d8 Mon Sep 17 00:00:00 2001
From: James Bottomley
Date: Mon, 25 Jun 2012 12:26:08 +0000
Subject: [PATCH] image: fix incorrect assumption about signature header

The sbsign tools appear to assume that WIN_CERTIFICATE.dwLength is the length of the signature. It's not, it's the length of the signature plus the length of the WIN_CERTIFICATE header. UEFI Version 2.3.1, Errata A explicitly states this in section 27.2.5 (Code Definitions). I found this because I've been playing around with the tianocore secure boot UEFI images and I couldn't get efi binaries signed with your tools to verify. When you apply the fix, I've got the binaries to verify (at least with X509 KEK signatures).

Signed-off-by: James Bottomley
Signed-off-by: Jeremy Kerr
---
 image.c | 3 ++-
 sbverify.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/image.c b/image.c
index 64c31ad..ccbb535 100644
--- a/image.c
+++ b/image.c
@@ -359,7 +359,8 @@ int image_write(struct image *image, const char *filename)
 
 	/* optionally update the image to contain signature data */
 	if (is_signed) {
-		cert_table_header.size = image->sigsize;
+		cert_table_header.size = image->sigsize +
+			sizeof(cert_table_header);
 		cert_table_header.revision = 0x0200; /* = revision 2 */
 		cert_table_header.type = 0x0002; /* PKCS signedData */
 
diff --git a/sbverify.c b/sbverify.c
index edf7d8c..00c8684 100644
--- a/sbverify.c
+++ b/sbverify.c
@@ -120,7 +120,7 @@ static int load_image_signature_data(struct image *image,
 	header = image->buf + image->data_dir_sigtable->addr;
 
 	*buf = (void *)(header + 1);
-	*len = header->size;
+	*len = header->size - sizeof(*header);
 
 	return 0;
 }
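Review bot: The new `cert_table_header.size` assignment in image_write carries no comment explaining why the header size is folded into the signature length, and the reason lives only in the commit message; the next reader will be tempted to "fix" it back. Put the contract next to the code, e.g. `/* dwLength covers the WIN_CERTIFICATE header as well as the signature (UEFI 2.3.1A, 27.2.5) */` above the assignment. The sum is computed in `size_t` because of `sizeof` and then stored into the header field, which is presumably a fixed-width on-disk type, so the store silently narrows; if `image->sigsize` is not already bounded to that width elsewhere, a range check before the assignment would make the narrowing explicit. image_write begins before this hunk, so I cannot see where `cert_table_header` and `image->sigsize` are declared or validated.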
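Review bot: The new `*len` line in load_image_signature_data trusts `header->size`, which is read straight from the image at `image->data_dir_sigtable->addr`; a value smaller than `sizeof(*header)` makes the unsigned subtraction wrap to a huge length, and whatever consumes `*buf`/`*len` next would read far past the buffer. Reject that before subtracting, `if (header->size < sizeof(*header)) return -1;` (substitute the error value this function uses elsewhere; its start is outside the hunk, so I can only see the `return 0;` success path). The same check site is the natural place to confirm `header->size` does not run past the end of the signature table or the image buffer, assuming those bounds are available on `image`, which this hunk does not show.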