From d7cfae59da563d49b820c255c690cc1ac5dd472a Mon Sep 17 00:00:00 2001
From: James Bottomley
Date: Wed, 27 Jun 2012 08:33:26 +0000
Subject: [PATCH] image: fix signature calculation when there's junk at the end of the efi binary
The current gnu efi generation tools insist on leaving junk at the end of the binary. According to the authenticode spec, we have to include this in the hash otherwise signature verification fails, so add the end junk to the calculation of the hash. I've verified that with this fix (and another one to get objcopy to align the sections correctly) we can now sign gnu tools generated efi code with tianocore r13466
Signed-off-by: James Bottomley
Signed-off-by: Jeremy Kerr
---
 image.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/image.c b/image.c
index ccbb535..a8f335a 100644
--- a/image.c
+++ b/image.c
@@ -304,15 +304,28 @@ int image_find_regions(struct image *image)
 fprintf(stderr, "gaps in the section table may result in " "different checksums\n");
- if (bytes + image->cert_table_size != image->size) {
- fprintf(stderr, "warning: data remaining[%zd vs %zd]: gaps "
- "between PE/COFF sections?\n",
- bytes, image->size);
- }
-
 qsort(image->checksum_regions, image->n_checksum_regions, sizeof(struct region), cmp_regions);
+ if (bytes + image->cert_table_size != image->size) {
+ int n = image->n_checksum_regions++;
+ struct region *r;
+
+ image->checksum_regions = talloc_realloc(image,
+ image->checksum_regions,
+ struct region,
+ image->n_checksum_regions);
+ r = &image->checksum_regions[n];
+ r->name = "endjunk";
+ r->data = image->buf + bytes;
+ r->size = image->size - bytes - image->cert_table_size;
+
+ fprintf(stderr, "warning: data remaining[%zd vs %zd]: gaps "
+ "between PE/COFF sections?\n",
+ bytes + image->cert_table_size, image->size);
+
+ }
+
 return 0;
 }
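Review bot: The new `if (bytes + image->cert_table_size != image->size)` block also runs when the sections plus the certificate table add up to more than the file, so `r->size = image->size - bytes - image->cert_table_size` goes negative (or wraps, if these fields are unsigned as the `%zd` arguments suggest) and `r->data` may point past `image->buf`. On an image with inconsistent headers, whatever later hashes the checksum regions would presumably read outside the buffer, so only the `<` case should be treated as trailing data and the `>` case rejected. The `talloc_realloc()` result is also stored and indexed without a NULL check, after `n_checksum_regions` has already been incremented. The sketch below assumes `image_find_regions` may report failure with `-1`; that cannot be confirmed here because the function starts outside the hunk.

```c
	if (bytes + image->cert_table_size > image->size) {
		fprintf(stderr, "error: sections and certificate table "
				"exceed the image size\n");
		return -1;
	}

	if (bytes + image->cert_table_size < image->size) {
		int n = image->n_checksum_regions;
		struct region *regions;
		struct region *r;

		regions = talloc_realloc(image, image->checksum_regions,
					 struct region, n + 1);
		if (!regions)
			return -1;
		image->checksum_regions = regions;
		image->n_checksum_regions = n + 1;
		r = &image->checksum_regions[n];
		/* … unchanged: r->name, r->data, r->size, warning fprintf … */
	}
```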