| author | Chris Coulson <chris.coulson@canonical.com> | 2022-02-28 21:29:16 +0000 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2022-04-05 13:37:03 -0400 |
| commit | a2da05fcb8972628bec08e4adfc13abbafc319ad (patch) | |
| tree | 7d2fbe3ee4e2cbf184510ad88d797e7998c73736 /include | |
| parent | 448f096e5c3a139535f162dfbfe8c08c434ac742 (diff) | |
| download | efi-boot-shim-a2da05fcb8972628bec08e4adfc13abbafc319ad.tar.gz efi-boot-shim-a2da05fcb8972628bec08e4adfc13abbafc319ad.zip | |
shim: implement SBAT verification for the shim_lock protocol
This implements SBAT verification via the shim_lock protocol
by moving verification inside the existing verify_buffer()
function that is shared by both shim_verify() and handle_image().
The .sbat section is optional for code verified via the shim_lock
protocol, unlike for code that is verified and executed directly
by shim. For executables that don't have a .sbat section,
verification is skipped when using the protocol.
A vendor can enforce SBAT verification for code verified via the
shim_lock protocol by revoking all pre-SBAT binaries via a dbx
update or by using vendor_dbx and then only signing binaries that
have a .sbat section from that point.
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Diffstat (limited to 'include')
| -rw-r--r-- | include/pe.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/include/pe.h b/include/pe.h index 43727f5e..b86e1b3a 100644 --- a/include/pe.h +++ b/include/pe.h @@ -15,7 +15,7 @@ read_header(void *data, unsigned int datasize, PE_COFF_LOADER_IMAGE_CONTEXT *context); EFI_STATUS -handle_sbat(char *SBATBase, size_t SBATSize); +verify_sbat_section(char *SBATBase, size_t SBATSize); EFI_STATUS handle_image (void *data, unsigned int datasize, |
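Review bot: The renamed prototype `verify_sbat_section(char *SBATBase, size_t SBATSize)` in include/pe.h carries no comment describing the contract the commit message introduces, namely that the function checks a .sbat section the caller has already located, and that the caller (shim_verify() via the shim_lock protocol versus handle_image() for directly executed code) decides whether a missing section is fatal. A short comment above the declaration stating that contract, and that callers must not treat the function's success as proof that a .sbat section was present, would keep the optional-versus-mandatory distinction visible at the header rather than only in the commit history. Since this view is limited to 'include', the corresponding call-site changes elsewhere in the tree are not shown here, so confirm no reference to the old `handle_sbat` name remains.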
