git: 52c0749723bd - main - libsecureboot: do further checks on files without manifests
Date: Thu, 27 Nov 2025 02:18:51 UTC
The branch main has been updated by khng:
URL: https://cgit.FreeBSD.org/src/commit/?id=52c0749723bd80017fb0c0487440762a783ad323
commit 52c0749723bd80017fb0c0487440762a783ad323
Author: Ka Ho Ng <khng@FreeBSD.org>
AuthorDate: 2025-11-27 02:17:14 +0000
Commit: Ka Ho Ng <khng@FreeBSD.org>
CommitDate: 2025-11-27 02:18:23 +0000
libsecureboot: do further checks on files without manifests
verify_prep can return VE_FINGERPRINT_NONE. Consider such a scenario so
the VE_GUESS heuristics work with files that likely will not have
fingerprints in the manifest file.
Obtained from: Hewlett Packard Enterprise
Reviewed by: sjg
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D53940
---
lib/libsecureboot/verify_file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/libsecureboot/verify_file.c b/lib/libsecureboot/verify_file.c
index 753204a33b6a..ee263dafe774 100644
--- a/lib/libsecureboot/verify_file.c
+++ b/lib/libsecureboot/verify_file.c
@@ -539,7 +539,7 @@ verify_file(int fd, const char *filename, off_t off, int severity,
return (0);
if (rc != VE_FINGERPRINT_WRONG && loaded_manifests) {
- if (rc != VE_NOT_CHECKED)
+ if (rc != VE_NOT_CHECKED && rc != VE_FINGERPRINT_NONE)
return (rc);
if (severity <= VE_GUESS)
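Review bot: with `rc != VE_FINGERPRINT_NONE` added to the inner condition, a file that has no fingerprint in a loaded manifest no longer hits `return (rc)` here and instead reaches the `severity <= VE_GUESS` branch, but the hunk does not show what is returned when that heuristic does not apply or does not accept the file. Please confirm that every path after this point still returns a failure for VE_FINGERPRINT_NONE when severity is above VE_GUESS, so the relaxation is limited to the guess case and a missing manifest entry cannot turn into an accepted file. A short comment above the condition noting that verify_prep can return VE_FINGERPRINT_NONE, and why it is treated like VE_NOT_CHECKED, would also help the next reader of this verification path.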