efi_loader: hash the image once before checking against db/dbx
authorIlias Apalodimas <ilias.apalodimas@linaro.org>
Fri, 28 Jan 2022 22:20:32 +0000 (00:20 +0200)
committerHeinrich Schuchardt <heinrich.schuchardt@canonical.com>
Sat, 29 Jan 2022 09:23:40 +0000 (10:23 +0100)
We don't have to recalculate the image hash every time we check against a
new db/dbx entry.  So let's add a flag forcing it to run only once, since we
only support sha256 hashes.

Suggested-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
lib/efi_loader/efi_signature.c

index eb6886cdccd45c3304129e6e719f94f292486edb..1bd1fdc95fce7a8974ea6c3e4246cecbad1c4b83 100644 (file)
@@ -192,6 +192,7 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs,
        void *hash = NULL;
        size_t size = 0;
        bool found = false;
+       bool hash_done = false;
 
        EFI_PRINT("%s: Enter, %p, %p\n", __func__, regs, db);
 
@@ -214,10 +215,12 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs,
                if (guidcmp(&siglist->sig_type, &efi_guid_sha256))
                        continue;
 
-               if (!efi_hash_regions(regs->reg, regs->num, &hash, &size)) {
+               if (!hash_done &&
+                   !efi_hash_regions(regs->reg, regs->num, &hash, &size)) {
                        EFI_PRINT("Digesting an image failed\n");
                        break;
                }
+               hash_done = true;
 
                for (sig_data = siglist->sig_data_list; sig_data;
                     sig_data = sig_data->next) {
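Review bot: The `hash_done` flag is only correct because the `guidcmp(&siglist->sig_type, &efi_guid_sha256)` filter just above lets nothing but SHA-256 lists reach the digest call, and nothing at the flag says so. A comment above the `if (!hash_done && ...)` such as `/* digest is SHA-256 only, so one pass serves every list; revisit if other hash types are accepted */` would keep a later algorithm addition from silently comparing against a stale digest. Separately, when `efi_hash_regions()` fails the loop breaks with `found` still false, which for a dbx lookup presumably reads as "not revoked". The callers are outside this hunk, so it is worth confirming that they treat a digest failure as a rejection rather than a miss. The function body starts and ends outside the hunk.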