-
Notifications
You must be signed in to change notification settings - Fork 293
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
shim: skip verification for multiple signatures once one of them is matched #700
base: main
Are you sure you want to change the base?
Conversation
If an image signed by multiple keys matches any one of vendor certificates, the image will be considered valid and should stop checking the next signature. This PR immediately stops do-while() next signature checking. in verify_buffer_authenticode() when key matches. Signed-off-by: Dennis Tseng <[email protected]>
@dennis-tseng99 - I think this change may not be correct: "If at any point any assertion about the |
@mikebeaton, Thanks for your comment. Hope not to misunderstand your meaning.
EDIT: if the format check for sig-list is necessary, then we should skip verify_one_signature() once one of signatures is correctly verified to avoid the high cpu consumption. @mikebeaton To enhance data integrity, I do not remove the format check for rest signatures to avoid mal-format. TPM measurement is cpu heavier than malformed checking. Verifying one valid signature and measuring its corresponding vendor cert’s TPM should be enough to ensure security and integrity, reducing extra overhead. |
In the PR, verification would stop if it gets SUCCESS. Before the PR verification would fail after a success, if the binary was found to be malformed after the success. And I think the commit message I quoted means that that is the intended behaviour. I'm not a maintainer. So if you don't agree with my reading, of course wait for the maintainers to comment! EDIT: To put it another way, I think the requirements are, binary must be signed by at least one sig, and entire sig list must be valid. The second requirement is not checked with this PR, but should be, if I've understood the code and comment correctly. |
If a single signature is correctly verified for an image with multiple signatures, then the verify_one_signature() should be skipped to avoid cpu-consumption. In the mean time, it is wise to at least check the format of the remaining signatures to reduce the risk of corrupted or malformed signatures.
Hi! I still think this is unfortunately probably wrong. If modifying code like this then (I humbly suggest!) it is important to check whether the code being skipped has any side effects that might be wanted. In this case, the calls to |
If a single signature is correctly verified for an image with multiple signatures, then the verify_one_signature() should be skipped to avoid cpu-consumption. In the mean time, it is wise to at least check the format of the remaining signatures to reduce the risk of corrupted or malformed signatures.