Heinrich
Replying to myself here but...
On Wed, 19 Jan 2022 at 13:54, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
Since SHA1 has know collisions disable it on EFI verification for variables and executables
Signed-off-by: Ilias Apalodimas ilias.apalodimas@linaro.org
lib/efi_loader/efi_signature.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 6e3ee3c0c004..1903adc89ed0 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -476,6 +476,11 @@ bool efi_signature_verify(struct efi_image_regions *regs, if (ret < 0 || !signer) goto out;
if (!strcmp(signer->sig->hash_algo, "sha1")) {pr_err("SHA1 support is disabled for EFI\n");goto out;}if (sinfo->blacklisted) goto out;-- 2.30.2
This patch gets the job done, but rejects the sha1 cert signed images overall without checking db or dbx. Since I am planning to refactor the secure boot checking sequence a bit, it would make more sense for me to fix this in a less hacky way in upcoming patches. You can ofc pickup 1/2 whic is fixing an actual issue.
Cheers /Ilias