git.dujemihanovic.xyz Git - u-boot.git/commit

efi_loader: Fix EFI_VARIABLE_APPEND_WRITE hash check

According to UEFI v2.10 spec section 8.2.6, if a caller invokes the
SetVariables() service, it will produce a digest from hash(VariableName,
VendorGuid, Attributes, TimeStamp, DataNew_variable_content), then the
firmware that implements the SetVariable() service will compare the
digest with the result of applying the signer’s public key to the
signature. For EFI variable append write, efitools sign-efi-sig-list has
an option "-a" to add EFI_VARIABLE_APPEND_WRITE attr, and u-boot will
drop this attribute in efi_set_variable_int(). So if a caller uses
"sign-efi-sig-list -a" to create the authenticated variable, this append
write will fail in the u-boot due to "hash check failed".

This patch resumes writing the EFI_VARIABLE_APPEND_WRITE attr to ensure
that the hash check is correct. And also update the "test_efi_secboot"
test case to compliance with the change.

Signed-off-by: Weizhao Ouyang <o451686892@gmail.com>

author	Weizhao Ouyang <o451686892@gmail.com>
	Wed, 8 May 2024 11:13:12 +0000 (19:13 +0800)
committer	Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
	Mon, 10 Jun 2024 13:01:44 +0000 (15:01 +0200)
commit	3b7d26eb2b88bf2be5a4a32ece1fca61b57e7721
tree	eb4d8f4544d16becbf61b4076503b47f3548fd1c	tree \| snapshot
parent	1ebd659cf020843fd8e8ef90d85a66941cbab6ec	commit \| diff

lib/efi_loader/efi_variable.c		diff \| blob \| history
test/py/tests/test_efi_secboot/conftest.py		diff \| blob \| history
test/py/tests/test_efi_secboot/test_authvar.py		diff \| blob \| history
test/py/tests/test_efi_secboot/test_signed.py		diff \| blob \| history