Heinrich, On Sat, May 30, 2020 at 09:09:30AM +0200, Heinrich Schuchardt wrote: > On 5/29/20 8:41 AM, AKASHI Takahiro wrote: > > In case that a type of certificate in "db" or "dbx" is > > EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains > > a public key for RSA decryption, but a digest of image to be loaded. > > If the value matches to a value calculated from a given binary image, it is > > granted for loading. > > > > With this patch, common digest check code, which used to be used for > > unsigned image verification, will be extracted from > > efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and > > extra step for digest check will be added to efi_image_authenticate(). > > Could you, please, add comments in the code describing this process flow.
All the necessary code is contained in efi_signature_lookup_digest(), but I'll add some comments in efi_image_authenticate(). Thanks, -Takahiro Akashi > Best regards > > Heinrich