pe: read_header(): allow skipping SecDir content validation

When we're parsing the PE header of shim itself from the Loaded Image object, the signatures aren't present, but the Certificate Table entry in the Data Directory has not been cleared, so it'll fail verification. We know when we're doing that, so this patch makes that test optional. Signed-off-by: Peter Jones <pjones@redhat.com>
author: Peter Jones <pjones@redhat.com> 2025-02-25 11:44:11 -0500
committer: Peter Jones <pjones@redhat.com> 2025-02-25 19:40:54 -0500
commit: 3bce11831343ba6e67740f23ab3a6c6f09bc0bca (patch)
tree: 53a2fd99cb66cb0cd51e6bcc80d3fa0223e61699 /shim.c
parent: 1baf1efb37e2728104765477b12b70aeef3090af (diff)
download: efi-boot-shim-3bce11831343ba6e67740f23ab3a6c6f09bc0bca.tar.gz
efi-boot-shim-3bce11831343ba6e67740f23ab3a6c6f09bc0bca.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/shim.c b/shim.c
index 6afb35c5..9efbde11 100644
--- a/shim.c
+++ b/shim.c
@@ -961,7 +961,7 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
 
 	in_protocol = 1;
 
-	efi_status = read_header(buffer, size, &context);
+	efi_status = read_header(buffer, size, &context, true);
 	if (EFI_ERROR(efi_status))
 		goto done;
 
@@ -1016,7 +1016,7 @@ static EFI_STATUS shim_read_header(void *data, unsigned int datasize,
 	EFI_STATUS efi_status;
 
 	in_protocol = 1;
-	efi_status = read_header(data, datasize, context);
+	efi_status = read_header(data, datasize, context, true);
 	in_protocol = 0;
 
 	return efi_status;
author	Peter Jones <pjones@redhat.com>	2025-02-25 11:44:11 -0500
committer	Peter Jones <pjones@redhat.com>	2025-02-25 19:40:54 -0500
commit	3bce11831343ba6e67740f23ab3a6c6f09bc0bca (patch)
tree	53a2fd99cb66cb0cd51e6bcc80d3fa0223e61699 /shim.c
parent	1baf1efb37e2728104765477b12b70aeef3090af (diff)
download	efi-boot-shim-3bce11831343ba6e67740f23ab3a6c6f09bc0bca.tar.gz efi-boot-shim-3bce11831343ba6e67740f23ab3a6c6f09bc0bca.zip