author | Simon J. Gerraty <sjg@FreeBSD.org> | 2020-03-25 19:12:19 +0000 |
---|---|---|
committer | Simon J. Gerraty <sjg@FreeBSD.org> | 2020-03-25 19:12:19 +0000 |
commit | 53f151f90603580d0c0a8fa1840ba1262958a7c1 (patch) | |
tree | 78969ebac620eb68b5a22beb561b91e35c99db70 /lib/libsecureboot/vectx.c | |
parent | 7c63520c42754642acce60c7be5fc9676e3e3266 (diff) | |
download | src-53f151f90603580d0c0a8fa1840ba1262958a7c1.tar.gz src-53f151f90603580d0c0a8fa1840ba1262958a7c1.zip |
Diffstat (limited to 'lib/libsecureboot/vectx.c')
-rw-r--r-- | lib/libsecureboot/vectx.c | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/lib/libsecureboot/vectx.c b/lib/libsecureboot/vectx.c
index 908e24fb554c..433df00f244c 100644
--- a/lib/libsecureboot/vectx.c
+++ b/lib/libsecureboot/vectx.c
@@ -104,8 +104,8 @@ vectx_open(int fd, const char *path, off_t off, struct stat *stp,
 rc = verify_prep(fd, path, off, stp, __func__);
 DEBUG_PRINTF(2,
- ("vectx_open: caller=%s,name='%s',prep_rc=%d\n",
- caller,path, rc));
+ ("vectx_open: caller=%s,fd=%d,name='%s',prep_rc=%d\n",
+ caller, fd, path, rc));
 switch (rc) {
 case VE_FINGERPRINT_NONE:
@@ -316,6 +316,9 @@ vectx_lseek(struct vectx *ctx, off_t off, int whence)
 * We have finished reading file, compare the hash with what
 * we wanted.
 *
+ * Be sure to call this before closing the file, since we may
+ * need to seek to the end to ensure hashing is complete.
+ *
 * @param[in] pctx
 * pointer to ctx
 *
@@ -337,20 +340,25 @@ vectx_close(struct vectx *ctx, int severity, const char *caller)
 */
 ve_pcr_updating_set((severity == VE_MUST));
 #endif
+ /* make sure we have hashed it all */
+ vectx_lseek(ctx, 0, SEEK_END);
 rc = ve_check_hash(&ctx->vec_ctx, ctx->vec_md,
 ctx->vec_path, ctx->vec_want, ctx->vec_hashsz);
 }
 DEBUG_PRINTF(2,
 ("vectx_close: caller=%s,name='%s',rc=%d,severity=%d\n",
 caller,ctx->vec_path, rc, severity));
- if (severity > VE_WANT || rc == VE_FINGERPRINT_WRONG)
- printf("%serified %s\n", (rc <= 0) ? "Unv" : "V",
- ctx->vec_path);
+ if (rc == VE_FINGERPRINT_WRONG) {
+ printf("Unverified: %s\n", ve_error_get());
 #if !defined(UNIT_TEST) && !defined(DEBUG_VECTX)
- /* we are generally called with VE_MUST */
- if (severity > VE_WANT && rc == VE_FINGERPRINT_WRONG)
- panic("cannot continue");
+ /* we are generally called with VE_MUST */
+ if (severity > VE_WANT)
+ panic("cannot continue");
 #endif
+ } else if (severity > VE_WANT) {
+ printf("%serified %s\n", (rc <= 0) ? "Unv" : "V",
+ ctx->vec_path);
+ }
 free(ctx);
 return ((rc < 0) ? rc : 0);
 }
|
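Review bot: The return value of the new `vectx_lseek(ctx, 0, SEEK_END);` call in vectx_close is discarded, so if catching up the hash fails the code still proceeds to ve_check_hash with whatever digest state was left and reports the result as an ordinary fingerprint mismatch. If vectx_lseek signals failure with a negative return (its body is outside this hunk, so that is an assumption to confirm), I would fail explicitly there, e.g. `if (vectx_lseek(ctx, 0, SEEK_END) < 0) rc = VE_FINGERPRINT_WRONG; else rc = ve_check_hash(...);`, which keeps the fail-closed behaviour while giving the log an accurate reason. Separately, the new `printf("Unverified: %s\n", ve_error_get());` no longer names ctx->vec_path unless ve_error_get() embeds it, which is worth checking since the old message always printed the file that failed. The block that the hunk's first `}` closes opens before the hunk, so the condition guarding the hash check is not visible here.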