image: fix signature calculation when there's junk at the end of the efi binary
The current gnu efi generation tools insist on leaving junk at the end of the binary. According to the authenticode spec, we have to include this in the hash otherwise signature verification fails, so add the end junk to the calculation of the hash. I've verified that with this fix (and another one to get objcopy to align the sections correctly) we can now sign gnu tools generated efi code with tianocore r13466 Signed-off-by: James Bottomley <JBottomley@Parallels.com> Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
parent
1614a6e0f1
commit
d7cfae59da
1 changed files with 19 additions and 6 deletions
25
image.c
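--- a/image.c
+++ b/image.c
@@ -304,15 +304,28 @@ int image_find_regions(struct image *image)
 fprintf(stderr, "gaps in the section table may result in "
 "different checksums\n");
 
-if (bytes + image->cert_table_size != image->size) {
-fprintf(stderr, "warning: data remaining[%zd vs %zd]: gaps "
-"between PE/COFF sections?\n",
-bytes, image->size);
-}
-
 qsort(image->checksum_regions, image->n_checksum_regions,
 sizeof(struct region), cmp_regions);
 
+if (bytes + image->cert_table_size != image->size) {
+int n = image->n_checksum_regions++;
+struct region *r;
+
+image->checksum_regions = talloc_realloc(image,
+image->checksum_regions,
+struct region,
+image->n_checksum_regions);
+r = &image->checksum_regions[n];
+r->name = "endjunk";
+r->data = image->buf + bytes;
+r->size = image->size - bytes - image->cert_table_size;
+
+fprintf(stderr, "warning: data remaining[%zd vs %zd]: gaps "
+"between PE/COFF sections?\n",
+bytes + image->cert_table_size, image->size);
+
+}
+
 return 0;
 }
 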
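Review bot: The new `endjunk` block is entered on `bytes + image->cert_table_size != image->size`, which is also true when the parsed sections plus the certificate table exceed the file size; in that case `r->size = image->size - bytes - image->cert_table_size` goes negative (or wraps, if these fields are unsigned as the `%zd` formats suggest) and `r->data` may point past the end of `image->buf`. Because this region is appended to the list that feeds the hash, an image the tool did not build could presumably drive the checksum code into an out-of-bounds read, so the larger-than-file case should be rejected before the region is added, e.g. `if (bytes + image->cert_table_size > image->size) return -1;` (the function's error convention is not visible here; its body starts above the hunk). The result of `talloc_realloc` is also used unchecked, after `n_checksum_regions` has already been incremented. Adding `if (!image->checksum_regions) return -1;` before `r = &image->checksum_regions[n];` would keep a failed allocation from being dereferenced.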