
19 Jan
2022
19 Jan
'22
12:54 p.m.
Since SHA1 has known collisions, disable it on EFI verification for variables and executables
Signed-off-by: Ilias Apalodimas ilias.apalodimas@linaro.org
---
 lib/efi_loader/efi_signature.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
index 6e3ee3c0c004..1903adc89ed0 100644
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@@ -476,6 +476,11 @@ bool efi_signature_verify(struct efi_image_regions *regs,
 if (ret < 0 || !signer) goto out;
+ if (!strcmp(signer->sig->hash_algo, "sha1")) {
+ pr_err("SHA1 support is disabled for EFI\n");
+ goto out;
+ }
+
 if (sinfo->blacklisted) goto out;
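Review bot: The added check reads `signer->sig->hash_algo`, but the preceding line tests only `signer` for NULL, and the hunk does not show whether that field is the digest of the signed data or the algorithm used to sign the signer's certificate. If `signer` is the certificate handed back by the verification call, a SignerInfo whose own digest is SHA-1 would still pass whenever the certificate was issued with a stronger hash, so the SignerInfo digest (presumably `sinfo->sig->hash_algo`, to be confirmed against the struct) should be rejected as well. I would guard the pointers and cover both sides, e.g. `if (!signer->sig || !signer->sig->hash_algo || !strcmp(signer->sig->hash_algo, "sha1"))` with the same test applied to `sinfo`. The body of efi_signature_verify continues outside the hunk, so what `goto out` returns cannot be confirmed from here.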
--
2.30.2