image: fix incorrect assumption about signature header

The sbsign tools appear to assume that WIN_CERTIFICATE.dwLength is the
length of the signature.  It's not, it's the length of the signature
plus the length of the WIN_CERTIFICATE header.  UEFI Version 2.3.1,
Errata A explicitly states this in section 27.2.5 (Code Definitions).

I found this because I've been playing around with the tianocore secure
boot UEFI images and I couldn't get EFI binaries signed with your tools
to verify.  When you apply the fix, I've got the binaries to verify (at
least with X509 KEK signatures).

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
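The layout the message describes, as an added C example that is not part of sbsigntools: a WIN_CERTIFICATE entry is an 8-byte header whose dwLength counts the header itself plus the PKCS#7 blob that follows. The writer below computes dwLength the way this commit does (payload plus header), and the parser subtracts the header back out only after checking that dwLength is at least the header size and no larger than the table it sits in, so a crafted or truncated image cannot wrap the subtraction on an unsigned field. The struct, function names and the constructed 20-byte and 5-byte stand-ins for a PKCS#7 blob are assumptions made for the example; the revision and type constants are the ones used in the hunks.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* WIN_CERTIFICATE header as it appears in the PE/COFF attribute certificate
 * table (UEFI 2.3.1 Errata A, section 27.2.5). dwLength covers the whole
 * entry: these 8 bytes plus the certificate data that follows. */
struct win_certificate {
    uint32_t dwLength;
    uint16_t wRevision;
    uint16_t wCertificateType;
};

#define WIN_CERT_REVISION_2_0          0x0200  /* revision 2, as in the hunk */
#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002  /* PKCS signedData */

/* Hypothetical reader: returns 0 and points *sig/*sig_len at the PKCS#7 blob,
 * or -1 if the entry is inconsistent with the table_len bytes it lives in. */
int parse_win_certificate(const uint8_t *table, size_t table_len,
                          const uint8_t **sig, size_t *sig_len)
{
    struct win_certificate hdr;

    if (table_len < sizeof(hdr))
        return -1;
    memcpy(&hdr, table, sizeof(hdr));   /* avoid an unaligned load */

    /* dwLength includes the header: a value below sizeof(hdr) would make the
     * subtraction below wrap on an unsigned type, so reject it up front. */
    if (hdr.dwLength < sizeof(hdr) || hdr.dwLength > table_len)
        return -1;
    if (hdr.wRevision != WIN_CERT_REVISION_2_0 ||
        hdr.wCertificateType != WIN_CERT_TYPE_PKCS_SIGNED_DATA)
        return -1;

    *sig = table + sizeof(hdr);
    *sig_len = hdr.dwLength - sizeof(hdr);
    return 0;
}

/* Hypothetical writer: dwLength = header + payload, as the fixed image_write
 * does. Returns the number of bytes written, 0 if the buffer is too small. */
size_t write_win_certificate(uint8_t *out, size_t out_len,
                             const uint8_t *sig, size_t sig_len)
{
    struct win_certificate hdr;
    size_t total = sizeof(hdr) + sig_len;

    if (total < sig_len || total > out_len || total > UINT32_MAX)
        return 0;
    hdr.dwLength = (uint32_t)total;
    hdr.wRevision = WIN_CERT_REVISION_2_0;
    hdr.wCertificateType = WIN_CERT_TYPE_PKCS_SIGNED_DATA;
    memcpy(out, &hdr, sizeof(hdr));
    memcpy(out + sizeof(hdr), sig, sig_len);
    return total;
}

/* Round trip on a constructed 5-byte stand-in for a PKCS#7 blob. */
int roundtrip_ok(void)
{
    static const uint8_t fake_sig[5] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
    uint8_t buf[64];
    const uint8_t *sig; size_t sig_len;
    size_t n = write_win_certificate(buf, sizeof(buf), fake_sig, sizeof(fake_sig));
    if (n != sizeof(struct win_certificate) + sizeof(fake_sig)) return 0;
    if (parse_win_certificate(buf, n, &sig, &sig_len) != 0) return 0;
    return sig_len == sizeof(fake_sig) && memcmp(sig, fake_sig, sig_len) == 0;
}

/* What the pre-fix writer produced: dwLength = payload length only (20 here).
 * A spec-following reader then hands the verifier 8 bytes too few (12),
 * which is the "won't verify" symptom the commit message reports. */
int old_writer_payload_len(size_t *seen_len)
{
    uint8_t buf[64];
    struct win_certificate hdr = { 20, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA };
    const uint8_t *sig; size_t sig_len;
    memcpy(buf, &hdr, sizeof(hdr));
    memset(buf + sizeof(hdr), 0xAA, 20);            /* constructed payload */
    if (parse_win_certificate(buf, sizeof(hdr) + 20, &sig, &sig_len) != 0)
        return -1;
    *seen_len = sig_len;
    return 0;
}

/* An entry claiming dwLength smaller than its own header must be rejected,
 * not turned into a huge length by unsigned wraparound. */
int short_dwlength_rejected(void)
{
    uint8_t buf[16] = { 0 };
    struct win_certificate hdr = { 4, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA };
    const uint8_t *sig; size_t sig_len;
    memcpy(buf, &hdr, sizeof(hdr));
    return parse_win_certificate(buf, sizeof(buf), &sig, &sig_len) == -1;
}
```

The two bounds checks in parse_win_certificate are the part worth carrying into any real reader: the lower bound stops the subtraction from wrapping, and the upper bound keeps the returned pointer and length inside the certificate table actually present in the file.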
James Bottomley 2012-06-25 12:26:08 +00:00 committed by Jeremy Kerr
parent 81d7825c98
commit bf7e97bd1c
2 changed files with 3 additions and 2 deletions


@ -359,7 +359,8 @@ int image_write(struct image *image, const char *filename)
/* optionally update the image to contain signature data */ /* optionally update the image to contain signature data */
if (is_signed) { if (is_signed) {
cert_table_header.size = image->sigsize; cert_table_header.size = image->sigsize +
sizeof(cert_table_header);
cert_table_header.revision = 0x0200; /* = revision 2 */ cert_table_header.revision = 0x0200; /* = revision 2 */
cert_table_header.type = 0x0002; /* PKCS signedData */ cert_table_header.type = 0x0002; /* PKCS signedData */
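Review bot: the header size is now baked into the writer here (`sizeof(cert_table_header)`) and separately into the reader as `sizeof(*header)`; at `cert_table_header.size = image->sigsize + sizeof(cert_table_header);` a one-line comment citing UEFI 2.3.1 Errata A, section 27.2.5 (dwLength includes the header) would stop the next reader from "fixing" it back to the bare signature length, which is exactly the assumption this commit corrects. Please also confirm that whatever sets the certificate data directory size and the total output length in image_write was already counting the header, since only the dwLength field changes in this hunk.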


@ -120,7 +120,7 @@ static int load_image_signature_data(struct image *image,
header = image->buf + image->data_dir_sigtable->addr; header = image->buf + image->data_dir_sigtable->addr;
*buf = (void *)(header + 1); *buf = (void *)(header + 1);
*len = header->size; *len = header->size - sizeof(*header);
return 0; return 0;
} }
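Review bot: `*len = header->size - sizeof(*header);` has no check that `header->size >= sizeof(*header)`, nor that `header->size` fits within the bytes remaining from `image->data_dir_sigtable->addr`; if `size` is unsigned, as dwLength is in the spec, a crafted or truncated image with a small `size` wraps to a huge length and the caller reads past `image->buf`. Suggest returning an error before the subtraction when `header->size < sizeof(*header)` or when `header->size` exceeds the certificate table length, so the new subtraction can never produce a length larger than the table it came from.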