Heinrich Replying to myself here but...
On Wed, 19 Jan 2022 at 13:54, Ilias Apalodimas <[email protected]> wrote: > > Since SHA1 has know collisions disable it on EFI verification for > variables and executables > > Signed-off-by: Ilias Apalodimas <[email protected]> > --- > lib/efi_loader/efi_signature.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c > index 6e3ee3c0c004..1903adc89ed0 100644 > --- a/lib/efi_loader/efi_signature.c > +++ b/lib/efi_loader/efi_signature.c > @@ -476,6 +476,11 @@ bool efi_signature_verify(struct efi_image_regions *regs, > if (ret < 0 || !signer) > goto out; > > + if (!strcmp(signer->sig->hash_algo, "sha1")) { > + pr_err("SHA1 support is disabled for EFI\n"); > + goto out; > + } > + > if (sinfo->blacklisted) > goto out; > > -- > 2.30.2 > This patch gets the job done, but rejects the sha1 cert signed images overall without checking db or dbx. Since I am planning to refactor the secure boot checking sequence a bit, it would make more sense for me to fix this in a less hacky way in upcoming patches. You can ofc pickup 1/2 whic is fixing an actual issue. Cheers /Ilias
