File 0011-verify-ibm-secure-boot-property.patch of Package qemu

From 78f3c73e44cd909225d23df0190b8031a66d9fc0 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 28 Sep 2020 16:45:01 +1000
Subject: [PATCH 11/12] verify /ibm,secure-boot property

Only enforce if it is set

Signed-off-by: Daniel Axtens <dja@axtens.net>
---
 lib/libcrypto/appended_sig.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/roms/SLOF/lib/libcrypto/appended_sig.c b/roms/SLOF/lib/libcrypto/appended_sig.c
index cb58bdc..8a76457 100644
--- a/roms/SLOF/lib/libcrypto/appended_sig.c
+++ b/roms/SLOF/lib/libcrypto/appended_sig.c
@@ -6,6 +6,7 @@
 #include <stdlib.h>
 #include <mbedtls/pkcs7.h>
 #include "certificate.h"
+#include "../../slof/paflof.h"
 
 static char appsig_magic[] = "~Module signature appended~\n";
 
@@ -26,6 +27,15 @@ int verify_appended_signature(void *blob, size_t len) {
 	int rc = 0;
 	struct module_signature *modsig;
 
+	// only verify if in secure-boot mode.
+	// todo - oh so much, especially error handling
+	forth_eval("s\" /\" find-device s\" ibm,secure-boot\" get-node get-property");
+	if (forth_pop() == -1)
+		return 1;
+	forth_pop();
+	if (*(int32_t *)forth_pop() < 2)
+		return 1;
+
 	// go to start of magic
 	ptr = blob + (len - sizeof(appsig_magic) + 1); // appsig_magic contains null-term
 
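Review bot: The property length returned by `get-property` is thrown away by the bare `forth_pop();`, so `*(int32_t *)forth_pop() < 2` reads four bytes from `ibm,secure-boot` without knowing the property is that long, and the signed compare treats any value with the top bit set as below 2. Either case can end in `return 1`, which leaves the function before the signature is examined, so a malformed property turns enforcement off instead of on. Keeping the length and comparing unsigned fails closed: `size_t plen = forth_pop();`, `uint32_t *mode = (uint32_t *)forth_pop();`, `if (plen >= sizeof(*mode) && *mode < 2) return 1;`. The hunk does not show what `return 1` means to callers, or whether `forth_eval` can leave the stack unbalanced when `find-device` fails, so both are worth confirming alongside the existing todo. The body of `verify_appended_signature` starts and ends outside the hunk.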
-- 
2.33.1
