[PATCH 2/2 v2] efi_loader: hash the image once before checking against db/dbx

28 Jan 2022

We don't have to recalculate the image hash every time we check against a
new db/dbx entry.  So let's add a flag forcing it to run once since we only
support sha256 hashes
Suggested-by: Heinrich Schuchardt heinrich.schuchardt@canonical.com
Signed-off-by: Ilias Apalodimas ilias.apalodimas@linaro.org
---
 lib/efi_loader/efi_signature.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
index eb6886cdccd4..1bd1fdc95fce 100644
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@@ -192,6 +192,7 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs,
    void *hash = NULL;
    size_t size = 0;
    bool found = false;
+	bool hash_done = false;
EFI_PRINT("%s: Enter, %p, %p\n", __func__, regs, db);
@@ -214,10 +215,12 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs,
    	if (guidcmp(&siglist->sig_type, &efi_guid_sha256))
    		continue;
-		if (!efi_hash_regions(regs->reg, regs->num, &hash, &size)) {
+		if (!hash_done &&
+		    !efi_hash_regions(regs->reg, regs->num, &hash, &size)) {
    		EFI_PRINT("Digesting an image failed\n");
    		break;
    	}
+		hash_done = true;
for (sig_data = siglist->sig_data_list; sig_data;
    	     sig_data = sig_data->next) {
-- 
2.32.0


    