image: fix incorrect assumption about signature header
The sbsign tools appear to assume that WIN_CERTIFICATE.dwLength is the length of the signature. It's not: it's the length of the signature plus the length of the WIN_CERTIFICATE header. UEFI Version 2.3.1, Errata A explicitly states this in section 27.2.5 (Code Definitions). I found this because I've been playing around with the tianocore secure boot UEFI images and I couldn't get efi binaries signed with your tools to verify. With the fix applied, the binaries verify (at least with X509 KEK signatures). Signed-off-by: James Bottomley <JBottomley@Parallels.com> Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
This commit is contained in:
parent
81d7825c98
commit
bf7e97bd1c
2 changed files with 3 additions and 2 deletions
3
image.c
3
image.c
@ -359,7 +359,8 @@ int image_write(struct image *image, const char *filename)
/* optionally update the image to contain signature data */
/* optionally update the image to contain signature data */
if (is_signed) {
if (is_signed) {
cert_table_header.size = image->sigsize;
cert_table_header.size = image->sigsize +
sizeof(cert_table_header);
cert_table_header.revision = 0x0200; /* = revision 2 */
cert_table_header.revision = 0x0200; /* = revision 2 */
cert_table_header.type = 0x0002; /* PKCS signedData */
cert_table_header.type = 0x0002; /* PKCS signedData */
@ -120,7 +120,7 @@ static int load_image_signature_data(struct image *image,
header = image->buf + image->data_dir_sigtable->addr;
header = image->buf + image->data_dir_sigtable->addr;
*buf = (void *)(header + 1);
*buf = (void *)(header + 1);
*len = header->size;
*len = header->size - sizeof(*header);
return 0;
return 0;
}
}
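Review bot: The new `*len = header->size - sizeof(*header);` in load_image_signature_data subtracts from a length read straight out of the image file, and nothing in this hunk rejects a `header->size` smaller than the header itself; if size is unsigned the subtraction wraps to a huge length, and with `*buf` already pointing at `header + 1` a later consumer of `*len` would read past the signature table. A guard before the subtraction, `if (header->size < sizeof(*header)) return -1;` (matching the function's existing 0/non-zero return style as far as the hunk shows it), closes that, and a comment on the line such as `/* dwLength covers the WIN_CERTIFICATE header, so strip it to get the signature length */` would record why the commit's subtraction is there. The function's start, and any check that `header->size` fits inside the data directory entry, lie outside the hunk, so I am inferring that no such check exists; if one does, only the lower-bound check is missing. The mirror-image change in image_write (`image->sigsize + sizeof(cert_table_header)`) is consistent with this one and needs no guard, since sigsize is the tool's own value rather than file input.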