mirror of
https://github.com/u-boot/u-boot.git
synced 2025-04-24 06:24:17 +00:00
3b7d26eb2b
According to UEFI v2.10 spec section 8.2.6, if a caller invokes the SetVariables() service, it will produce a digest from hash(VariableName, VendorGuid, Attributes, TimeStamp, DataNew_variable_content), then the firmware that implements the SetVariable() service will compare the digest with the result of applying the signer’s public key to the signature. For EFI variable append write, efitools sign-efi-sig-list has an option "-a" to add EFI_VARIABLE_APPEND_WRITE attr, and u-boot will drop this attribute in efi_set_variable_int(). So if a caller uses "sign-efi-sig-list -a" to create the authenticated variable, this append write will fail in the u-boot due to "hash check failed". This patch resumes writing the EFI_VARIABLE_APPEND_WRITE attr to ensure that the hash check is correct. And also update the "test_efi_secboot" test case to compliance with the change. Signed-off-by: Weizhao Ouyang <o451686892@gmail.com> |
||
|---|---|---|
| .. | ||
| conftest.py | ||
| defs.py | ||
| forge_image.sh | ||
| openssl.cnf | ||
| test_authvar.py | ||
| test_signed.py | ||
| test_signed_intca.py | ||
| test_unsigned.py | ||