The sbsign tools appear to assume that WIN_CERTIFICATE.dwLength is the
length of the signature. It's not, it's the length of the signature
plus the length of the WIN_CERTIFICATE header. UEFI Version 2.3.1,
Errata A explicitly states this in section 27.2.5 (Code Definitions).
I found this because I've been playing around with the tianocore secure
boot UEFI images and I couldn't get efi binaries signed with your tools
to verify. When you apply the fix, I've got the binaries to verify (at
least with X509 KEK signatures).
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Rather than requiring an explicit image_pecoff_parse, do it
unconditionally in image_load. We don't have any instances where we need
to do this separately.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Change image_write_signed to image_write, and conditionally write the
signature if one is present.
This will allow us to write unsigned images when detaching a sig from an
image.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Fix a few warnings:
idc.c: In function ‘IDC_get’:
idc.c:248:12: warning: ‘idclen’ may be used uninitialised in this function [-Wuninitialized]
image.c: In function ‘image_load’:
image.c:37:15: warning: unused variable ‘bytes_read’ [-Wunused-variable]
Plus, a bunch of strict-aliasing warnings:
image.c:101:2: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
[ similar warnings trimmed ]
when compiling image.c. Since struct external_PEI_DOS_hdr uses char[]
types for all members, we need to use accessors here.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Add an option (--detached) to sbsign, which creates a detached
signature, rather than embedding it in the PE/COFF signature table.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
GPLv3; the sources include parts of binutils, include parts of ccan,
and have been partially based of osslsigntool.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
