image: fix signature calculation when there's junk at the end of the efi binary

The current gnu efi generation tools insist on leaving junk at the end
of the binary.  According to the authenticode spec, we have to include
this in the hash otherwise signature verification fails, so add the end
junk to the calculation of the hash.

I've verified that with this fix (and another one to get objcopy to
align the sections correctly) we can now sign gnu tools generated efi
code with tianocore r13466

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
James Bottomley 2012-06-27 08:33:26 +00:00 committed by Jeremy Kerr
parent 1614a6e0f1
commit d7cfae59da

25
image.c

@ -304,15 +304,28 @@ int image_find_regions(struct image *image)
fprintf(stderr, "gaps in the section table may result in " fprintf(stderr, "gaps in the section table may result in "
"different checksums\n"); "different checksums\n");
if (bytes + image->cert_table_size != image->size) {
fprintf(stderr, "warning: data remaining[%zd vs %zd]: gaps "
"between PE/COFF sections?\n",
bytes, image->size);
}
qsort(image->checksum_regions, image->n_checksum_regions, qsort(image->checksum_regions, image->n_checksum_regions,
sizeof(struct region), cmp_regions); sizeof(struct region), cmp_regions);
if (bytes + image->cert_table_size != image->size) {
int n = image->n_checksum_regions++;
struct region *r;
image->checksum_regions = talloc_realloc(image,
image->checksum_regions,
struct region,
image->n_checksum_regions);
r = &image->checksum_regions[n];
r->name = "endjunk";
r->data = image->buf + bytes;
r->size = image->size - bytes - image->cert_table_size;
fprintf(stderr, "warning: data remaining[%zd vs %zd]: gaps "
"between PE/COFF sections?\n",
bytes + image->cert_table_size, image->size);
}
return 0; return 0;
} }
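Review bot: The new end-junk block is entered on `bytes + image->cert_table_size != image->size`, so it also runs when the sum is larger than the file; `r->size = image->size - bytes - image->cert_table_size` then wraps or goes negative (the `%zd` arguments suggest size-like types, but the declarations are not visible here) and the region describes memory past `image->buf`. Because these values are derived from the headers of the image being signed or verified, the region should only be appended under `if (bytes + image->cert_table_size < image->size)`, and the greater-than case should be rejected as a malformed image before anything is hashed. The result of `talloc_realloc` is also stored and indexed without a check; add `if (!image->checksum_regions) return -1;` before `r = &image->checksum_regions[n];`, assuming -1 is this function's error return. image_find_regions starts above the hunk, so how `bytes` is accumulated cannot be confirmed from here.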