author James Bottomley <James.Bottomley@HansenPartnership.com> 2019-01-05 22:46:39 -0800
committer James Bottomley <James.Bottomley@HansenPartnership.com> 2019-01-05 22:46:39 -0800
commit e57bafc268511ad54598627b663a7ae86bd856f5 (patch)
tree 395e21c046d37c50dbfdabce4d93224ad10138bd
parent 7c4991f1b7eea98f2b5137f274a2f23af63ac174 (diff)
download efitools-e57bafc268511ad54598627b663a7ae86bd856f5.tar.gz
use SignedData instead of PKCS7 for variable updates

The EFI standard is ambiguous about which one to use for variable updates (it is definite about using PKCS7 for signed binaries). Until recently, the reference platform, tianocore, accepted both. However after patch

commit c035e37335ae43229d7e68de74a65f2c01ebc0af
Author: Zhang Lubo <lubo.zhang@intel.com>
Date: Thu Jan 5 14:58:05 2017 +0800

    SecurityPkg: enhance secure boot Config Dxe & Time Based AuthVariable.

The acceptance of PKCS7 got broken. This breakage seems to be propagating to the UEFI ecosystem, so update the variable signing tools to emit the SignedData type.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- lib/openssl_sign.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/openssl_sign.c b/lib/openssl_sign.c
index a187040..714ce1a 100644
--- a/lib/openssl_sign.c
+++ b/lib/openssl_sign.c
@@ -24,7 +24,7 @@ sign_efi_var_ssl(char *payload, int payload_size, EVP_PKEY *pkey, X509 *cert,
PKCS7_final(p7, bio_data, PKCS7_BINARY|PKCS7_DETACHED|PKCS7_NOATTR);
*sig = NULL;
- *sigsize = i2d_PKCS7(p7, sig);
+ *sigsize = i2d_PKCS7_SIGNED(p7->d.sign, sig);
PKCS7_free(p7);
ERR_print_errors_fp(stdout);
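Review bot: The added line `*sigsize = i2d_PKCS7_SIGNED(p7->d.sign, sig);` dereferences p7->d.sign and stores the encoder's result with no check, and the PKCS7_final() call directly above it also discards its return value. OpenSSL i2d functions return a negative value on failure, so a failed encode would put an error value in *sigsize and may leave *sig NULL, with ERR_print_errors_fp(stdout) as the only signal. Suggest checking the PKCS7_final() result before touching p7->d.sign, testing the i2d return before handing it to the caller, and adding a one-line comment here that the output is the bare SignedData structure rather than the ContentInfo-wrapped PKCS7, since that reason currently lives only in the commit message.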