From mboxrd@z Thu Jan 1 00:00:00 1970
From: AKASHI Takahiro
Date: Tue, 2 Jun 2020 14:31:47 +0900
Subject: [PATCH 07/13] efi_loader: image_loader: add digest-based verification for signed image
In-Reply-To: <08624fa8-f408-df6c-01e7-d0f4caabfd88@gmx.de>
References: <20200529064130.28332-1-takahiro.akashi@linaro.org> <20200529064130.28332-8-takahiro.akashi@linaro.org> <08624fa8-f408-df6c-01e7-d0f4caabfd88@gmx.de>
Message-ID: <20200602053147.GD20446@laputa>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Heinrich,

On Sat, May 30, 2020 at 09:09:30AM +0200, Heinrich Schuchardt wrote:
> On 5/29/20 8:41 AM, AKASHI Takahiro wrote:
> > In case that a type of certificate in "db" or "dbx" is
> > EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains
> > a public key for RSA decryption, but a digest of image to be loaded.
> > If the value matches to a value calculated from a given binary image, it is
> > granted for loading.
> >
> > With this patch, common digest check code, which used to be used for
> > unsigned image verification, will be extracted from
> > efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and
> > extra step for digest check will be added to efi_image_authenticate().
>
> Could you, please, add comments in the code describing this process flow.

All the necessary code is contained in efi_signature_lookup_digest(),
but I'll add some comments in efi_image_authenticate().

Thanks,
-Takahiro Akashi

> Best regards
>
> Heinrich
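
The digest lookup that the quoted commit message describes, as an added example that is not part of the patch or of U-Boot: it scans a "db"/"dbx"-style buffer of EFI_SIGNATURE_LIST entries for a digest already computed from the image. The names lookup_digest() and build_sample(), the placeholder type GUID, and the sample buffer are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* EFI_SIGNATURE_LIST: 16-byte type GUID, then ListSize, HeaderSize, SignatureSize (LE UINT32) */
#define SIGLIST_HDR 28u
#define OWNER_LEN   16u   /* SignatureOwner GUID in front of each entry's data */

static uint32_t rd32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Hypothetical helper, not U-Boot's efi_signature_lookup_digest().
 * Returns 1 if a list of `type` holds `digest`, 0 if not, -1 if the buffer is
 * malformed, so a corrupt dbx is never mistaken for "digest not listed". */
int lookup_digest(const uint8_t *db, size_t len, const uint8_t type[16],
                  const uint8_t *digest, size_t dlen)
{
    size_t off = 0;
    while (len - off >= SIGLIST_HDR) {
        const uint8_t *l = db + off;
        uint32_t list_sz = rd32(l + 16), hdr_sz = rd32(l + 20), sig_sz = rd32(l + 24);
        /* Every size field is checked against the bytes actually present. */
        if (list_sz < SIGLIST_HDR || list_sz > len - off ||
            hdr_sz > list_sz - SIGLIST_HDR || sig_sz <= OWNER_LEN)
            return -1;
        if (!memcmp(l, type, 16) && sig_sz - OWNER_LEN == dlen)
            for (size_t pos = SIGLIST_HDR + hdr_sz; list_sz - pos >= sig_sz; pos += sig_sz)
                if (!memcmp(l + pos + OWNER_LEN, digest, dlen))
                    return 1;
        off += list_sz;
    }
    return off == len ? 0 : -1;   /* leftover bytes too short for a list header */
}

/* Constructed sample: placeholder type GUID (0xA5 bytes), digests all-0x11 and all-0x22 */
size_t build_sample(uint8_t buf[124])
{
    static const uint8_t sizes[12] = { 124, 0, 0, 0,  0, 0, 0, 0,  48, 0, 0, 0 };
    memset(buf, 0, 124);              /* zeroed owner GUIDs */
    memset(buf, 0xA5, 16);            /* SignatureType */
    memcpy(buf + 16, sizes, 12);      /* ListSize=124, HeaderSize=0, SignatureSize=48 */
    memset(buf + 44, 0x11, 32);       /* entry 1 digest */
    memset(buf + 92, 0x22, 32);       /* entry 2 digest */
    return 124;
}

int main(void)
{
    uint8_t db[124], type[16], digest[32];
    size_t n = build_sample(db);
    memset(type, 0xA5, 16);
    memset(digest, 0x22, 32);
    return lookup_digest(db, n, type, digest, 32) == 1 ? 0 : 1;   /* exit 0: listed */
}
```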