diff options
author | James Bottomley <jbottomley@parallels.com> | 2012-06-27 08:33:26 +0000 |
---|---|---|
committer | Jeremy Kerr <jeremy.kerr@canonical.com> | 2012-06-28 14:23:49 +0800 |
commit | d7cfae59da563d49b820c255c690cc1ac5dd472a (patch) | |
tree | 3a17b39b0b31ab5424c65c92cbddb47f5d7f19e1 | |
parent | 1614a6e0f144c07f4566a19edc366763faa1448f (diff) | |
download | sbsigntools-d7cfae59da563d49b820c255c690cc1ac5dd472a.tar.gz |
image: fix signature calculation when there's junk at the end of the efi binary
The current gnu efi generation tools insist on leaving junk at the end
of the binary. According to the authenticode spec, we have to include
this in the hash otherwise signature verification fails, so add the end
junk to the calculation of the hash.
I've verified that with this fix (and another one to get objcopy to
align the sections correctly) we can now sign gnu tools generated efi
code with tianocore r13466
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
-rw-r--r-- | image.c | 21 |
1 files changed, 17 insertions, 4 deletions
@@ -304,15 +304,28 @@ int image_find_regions(struct image *image) fprintf(stderr, "gaps in the section table may result in " "different checksums\n"); + qsort(image->checksum_regions, image->n_checksum_regions, + sizeof(struct region), cmp_regions); + if (bytes + image->cert_table_size != image->size) { + int n = image->n_checksum_regions++; + struct region *r; + + image->checksum_regions = talloc_realloc(image, + image->checksum_regions, + struct region, + image->n_checksum_regions); + r = &image->checksum_regions[n]; + r->name = "endjunk"; + r->data = image->buf + bytes; + r->size = image->size - bytes - image->cert_table_size; + fprintf(stderr, "warning: data remaining[%zd vs %zd]: gaps " "between PE/COFF sections?\n", - bytes, image->size); + bytes + image->cert_table_size, image->size); + } - qsort(image->checksum_regions, image->n_checksum_regions, - sizeof(struct region), cmp_regions); - return 0; } |