Handle binaries with multiple signatures. - efi-boot-shim.git - (mirror of https://github.com/vyos/efi-boot-shim.git)

diff options

author	Peter Jones <pjones@redhat.com>	2020-07-23 16:32:05 -0400
committer	Peter Jones <pjones@redhat.com>	2020-07-23 22:22:04 -0400
commit	76c0447e204c7e4ce918c4887ce8aae0e0816271 (patch)
tree	7ec8d58f329a135af79439b4fc804276218f3c54 /lib
parent	dd3a5d71252a1f94e37f1a4c8841d253630b305a (diff)
download	efi-boot-shim-76c0447e204c7e4ce918c4887ce8aae0e0816271.tar.gz efi-boot-shim-76c0447e204c7e4ce918c4887ce8aae0e0816271.zip

Handle binaries with multiple signatures.

This adds support for multiple signatures. It first tries validating the binary by hash, first against our dbx lists, then against our db lists. If it isn't allowed or rejected at that step, it continues to the normal routine of checking all the signatures. At this point it does *not* reject a binary just because a signature is by a cert on a dbx list, though that will override any db list that certificate is listed on. If at any point any assertion about the binary or signature list being well-formed fails, the binary is immediately rejected, though we do allow skipping over signatures which have an unsupported sig->Hdr.wCertificateType. Signed-off-by: Peter Jones <pjones@redhat.com> Upstream: pr#210

Diffstat (limited to 'lib')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: