Since SHA1 has know collisions disable it on EFI verification for variables and executables
Signed-off-by: Ilias Apalodimas <[email protected]> --- lib/efi_loader/efi_signature.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 6e3ee3c0c004..1903adc89ed0 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -476,6 +476,11 @@ bool efi_signature_verify(struct efi_image_regions *regs, if (ret < 0 || !signer) goto out; + if (!strcmp(signer->sig->hash_algo, "sha1")) { + pr_err("SHA1 support is disabled for EFI\n"); + goto out; + } + if (sinfo->blacklisted) goto out; -- 2.30.2
