From: Ilias Apalodimas Date: Fri, 28 Jan 2022 22:20:32 +0000 (+0200) Subject: efi_loader: hash the image once before checking against db/dbx X-Git-Tag: v2025.01-rc5-pxa1908~1559^2 X-Git-Url: http://git.dujemihanovic.xyz/%7B%7B%20%24style.RelPermalink%20%7D%7D?a=commitdiff_plain;h=5ee900c14ff57b8c9201d7d42f018b33df3ea42a;p=u-boot.git efi_loader: hash the image once before checking against db/dbx We don't have to recalculate the image hash every time we check against a new db/dbx entry. So let's add a flag forcing it to run once since we only support sha256 hashes Suggested-by: Heinrich Schuchardt Signed-off-by: Ilias Apalodimas Reviewed-by: Heinrich Schuchardt --- diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index eb6886cdcc..1bd1fdc95f 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -192,6 +192,7 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs, void *hash = NULL; size_t size = 0; bool found = false; + bool hash_done = false; EFI_PRINT("%s: Enter, %p, %p\n", __func__, regs, db); @@ -214,10 +215,12 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs, if (guidcmp(&siglist->sig_type, &efi_guid_sha256)) continue; - if (!efi_hash_regions(regs->reg, regs->num, &hash, &size)) { + if (!hash_done && + !efi_hash_regions(regs->reg, regs->num, &hash, &size)) { EFI_PRINT("Digesting an image failed\n"); break; } + hash_done = true; for (sig_data = siglist->sig_data_list; sig_data; sig_data = sig_data->next) {
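Review bot: the `hash_done` flag declared in the @@ -192 hunk duplicates state that `hash` already carries, since `hash` is initialised to NULL two lines above it. If efi_hash_regions() leaves `hash` NULL on failure (its body is not visible in this diff), testing `!hash` in the loop condition would do the same job without a second variable to keep in sync.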
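Review bot: in the @@ -214 hunk, reusing the digest across signature lists is only correct because the `guidcmp(&siglist->sig_type, &efi_guid_sha256)` check just above skips every non-SHA-256 list, and that dependency is stated in the commit message but nowhere in the code. A short comment beside `hash_done = true;` should say that the cached digest has to become per-algorithm if other hash types are ever accepted for db/dbx matching. It is also worth confirming that nothing later in the loop body, outside the lines shown, frees or resets `hash` per iteration, because the buffer is now read again on the next pass instead of being recomputed.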