[Skiboot] [PATCH v2 1/5] secvar/backend: rename verify_signature parameters

Daniel Axtens dja at axtens.net
Mon Jun 21 18:26:37 AEST 2021

verify_signature() currently takes newcert and new_data_len. However,
these variables are used only as parameters to
mbedtls_pkcs7_signed_hash_verify() where they represent a hash value
and the length of the hash value.

verify_signature() is static, and the only caller of the function is
process_update(). process_update() passes in tbhbuffer and tbhbuffersize.
Those are unfortunate names too - because the data that process_update()
passes in is not a to-be-hashed buffer, but a hash. We'll fix that later.

Call the parameters hash and hash_len.

Signed-off-by: Daniel Axtens <dja at axtens.net>
 libstb/secvar/backend/edk2-compat-process.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index 244f23403fe0..8324dc068b8e 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -455,7 +455,7 @@ out:
 /* Verify the PKCS7 signature on the signed data. */
 static int verify_signature(const struct efi_variable_authentication_2 *auth,
-			    const char *newcert, const size_t new_data_size,
+			    const char *hash, const size_t hash_len,
 			    const struct secvar *avar)
 	mbedtls_pkcs7 *pkcs7 = NULL;
@@ -534,7 +534,7 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth,
 		x509_buf = NULL;
-		rc = mbedtls_pkcs7_signed_hash_verify(pkcs7, &x509, newcert, new_data_size);
+		rc = mbedtls_pkcs7_signed_hash_verify(pkcs7, &x509, hash, hash_len);
 		/* If you find a signing certificate, you are done */
 		if (rc == 0) {

More information about the Skiboot mailing list