Multiple certificate handling improvements #644
Conversation
|
Is there existing usage of these packed certificates? It would seem like the obvious way to do this is multiple EFI_SIGNATURE_LIST entries each with an EFI_CERT_TYPE_X509_GUID entry. If something else is already supporting the packed version, though, I don't have a big problem with it. |
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
rosslagerwall
force-pushed
the
private/rossla/cert
branch
from
fbf536c
to
0885b25
Compare
Nothing that I am aware of. On reflection, that change is unnecessary so I've dropped the commit. The remaining commits fix a leak and allow having multiple EFI_SIGNATURE_LIST entries each with an EFI_CERT_TYPE_X509_GUID entry. Thanks |
rosslagerwall
force-pushed
the
private/rossla/cert
branch
from
0885b25
to
3e05585
Compare
For multiple reasons, it may be useful for different keys to be used to sign different parts of the boot chain (e.g. a different key for GRUB and the Linux kernel). Allow this by loading concatenated EFI_SIGNATURE_LISTs from shim_certificate.efi rather than only the first. At the same time, be a bit more robust by checking for allocation failures and overflows due to invalid data in the binary. Use the smaller of VirtualSize and SizeOfRawData since the latter is rounded up to the section alignment and therefore may contain non-certificate data. Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
A couple of improvements for performing verification with multiple certificates.