Date:      Thu, 27 Nov 2025 02:18:51 +0000
From:      Ka Ho Ng <khng@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 52c0749723bd - main - libsecureboot: do further checks on files without manifests
Message-ID:  <6927b50b.2c780.4b67f7f9@gitrepo.freebsd.org>

The branch main has been updated by khng:

URL: https://cgit.FreeBSD.org/src/commit/?id=52c0749723bd80017fb0c0487440762a783ad323

commit 52c0749723bd80017fb0c0487440762a783ad323
Author:     Ka Ho Ng <khng@FreeBSD.org>
AuthorDate: 2025-11-27 02:17:14 +0000
Commit:     Ka Ho Ng <khng@FreeBSD.org>
CommitDate: 2025-11-27 02:18:23 +0000

    libsecureboot: do further checks on files without manifests
    
    verify_prep can return VE_FINGERPRINT_NONE. Consider such a scenario so
    the VE_GUESS heuristics work with files that likely will not have
    fingerprints in the manifest file.
    
    Obtained from:  Hewlett Packard Enterprise
    Reviewed by:    sjg
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D53940
---
 lib/libsecureboot/verify_file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/libsecureboot/verify_file.c b/lib/libsecureboot/verify_file.c
index 753204a33b6a..ee263dafe774 100644
--- a/lib/libsecureboot/verify_file.c
+++ b/lib/libsecureboot/verify_file.c
@@ -539,7 +539,7 @@ verify_file(int fd, const char *filename, off_t off, int severity,
 		return (0);
 
 	if (rc != VE_FINGERPRINT_WRONG && loaded_manifests) {
-		if (rc != VE_NOT_CHECKED)
+		if (rc != VE_NOT_CHECKED && rc != VE_FINGERPRINT_NONE)
 			return (rc);
 
 		if (severity <= VE_GUESS)
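
Review bot: The relaxed test at `if (rc != VE_NOT_CHECKED && rc != VE_FINGERPRINT_NONE)` carries no comment explaining why a file with no fingerprint in a loaded manifest is now handled like an unchecked one, and in a verification path that rationale should sit next to the code. Before this change VE_FINGERPRINT_NONE was returned to the caller whenever loaded_manifests was set; it now falls through to the `severity <= VE_GUESS` branch, whose body is not visible in this hunk. Suggest a short comment above the test saying that verify_prep can return VE_FINGERPRINT_NONE and that such files are deferred to the severity heuristics, and please confirm that the code after that branch still returns a failure for VE_FINGERPRINT_NONE when the heuristics do not accept the file, so the change cannot turn a missing fingerprint into a silent pass.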

