bf7e97bd1c
The sbsign tools appear to assume that WIN_CERTIFICATE.dwLength is the length of the signature. It's not, it's the length of the signature plus the length of the WIN_CERTIFICATE header. UEFI Version 2.3.1, Errata A explicitly states this in section 27.2.5 (Code Definitions). I found this because I've been playing around with the tianocore secure boot UEFI images and I couldn't get efi binaries signed with your tools to verify. When you apply the fix, I've got the binaries to verify (at least with X509 KEK signatures). Signed-off-by: James Bottomley <JBottomley@Parallels.com> Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com> |
||
|---|---|---|
| coff | ||
| docs | ||
| lib | ||
| tests | ||
| .gitmodules | ||
| autogen.sh | ||
| configure.ac | ||
| COPYING | ||
| gen-keyfiles.c | ||
| idc.c | ||
| idc.h | ||
| image.c | ||
| image.h | ||
| libcoff.h | ||
| Makefile.am | ||
| NEWS | ||
| README | ||
| sbattach.c | ||
| sbsign.c | ||
| sbverify.c | ||
| verify.c | ||
sbsigntool - Signing utility for UEFI secure boot Copyright (C) 2102 Jeremy Kerr <jeremy.kerr@canonical.com> Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. See file ./INSTALL for building and installation instructions. Main git repository: git://kernel.ubuntu.com/jk/sbsigntool.git sbsigntool is free software. See the file COPYING for copying conditions.