File 0011-verify-ibm-secure-boot-property.patch of Package qemu
From 78f3c73e44cd909225d23df0190b8031a66d9fc0 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 28 Sep 2020 16:45:01 +1000
Subject: [PATCH 11/12] verify /ibm,secure-boot property
Only enforce if it is set
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
lib/libcrypto/appended_sig.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/roms/SLOF/lib/libcrypto/appended_sig.c b/roms/SLOF/lib/libcrypto/appended_sig.c
index cb58bdc..8a76457 100644
--- a/roms/SLOF/lib/libcrypto/appended_sig.c
+++ b/roms/SLOF/lib/libcrypto/appended_sig.c
@@ -6,6 +6,7 @@
#include <stdlib.h>
#include <mbedtls/pkcs7.h>
#include "certificate.h"
+#include "../../slof/paflof.h"
static char appsig_magic[] = "~Module signature appended~\n";
@@ -26,6 +27,15 @@ int verify_appended_signature(void *blob, size_t len) {
int rc = 0;
struct module_signature *modsig;
+ // only verify if in secure-boot mode.
+ // todo - oh so much, especially error handling
+ forth_eval("s\" /\" find-device s\" ibm,secure-boot\" get-node get-property");
+ if (forth_pop() == -1)
+ return 1;
+ forth_pop();
+ if (*(int32_t *)forth_pop() < 2)
+ return 1;
+
// go to start of magic
ptr = blob + (len - sizeof(appsig_magic) + 1); // appsig_magic contains null-term
--
2.33.1