The branch main has been updated by khng: URL: https://cgit.FreeBSD.org/src/commit/?id=52c0749723bd80017fb0c0487440762a783ad323
commit 52c0749723bd80017fb0c0487440762a783ad323 Author: Ka Ho Ng <[email protected]> AuthorDate: 2025-11-27 02:17:14 +0000 Commit: Ka Ho Ng <[email protected]> CommitDate: 2025-11-27 02:18:23 +0000 libsecureboot: do further checks on files without manifests verify_prep can return VE_FINGERPRINT_NONE. Consider such scenario so the VE_GEUSS heuristics works with files that likely will not have fingerprints in the manifest file. Obtained from: Hewlett Packard Enterprise Reviewed by: sjg MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D53940 --- lib/libsecureboot/verify_file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/libsecureboot/verify_file.c b/lib/libsecureboot/verify_file.c index 753204a33b6a..ee263dafe774 100644 --- a/lib/libsecureboot/verify_file.c +++ b/lib/libsecureboot/verify_file.c @@ -539,7 +539,7 @@ verify_file(int fd, const char *filename, off_t off, int severity, return (0); if (rc != VE_FINGERPRINT_WRONG && loaded_manifests) { - if (rc != VE_NOT_CHECKED) + if (rc != VE_NOT_CHECKED && rc != VE_FINGERPRINT_NONE) return (rc); if (severity <= VE_GUESS)
