secdb: change secdb algorithm sort order

There is an issue on some systems when creating EFI security database files, which is that the maximum variable size[0] turns out to be quite small. Because of this, there's a need to separate entries by class and add the most important ones first. This changes our sort order such that (by default) the most important thing comes first, and that is usually any present certificate, followed by any sha256 cert TBS hashes, followed by any individual sha256 hashes. [0] i.e., when you call: BS->QueryVariableInfo(EFI_VARIABLE_BOOTSERVICE_ACCESS, &max_storage_sz, &remaining_sz, &max_var_sz) you often get max_var_sz in the 2-page to 3-page range, which is pretty stingy for a big list of hashes plus a few X.509 certificates. Signed-off-by: Peter Jones <[email protected]>
rhboot · Jan 10, 2022 · 6914376 · 6914376
1 parent d917870
commit 6914376
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 10 deletions.
diff --git a/src/include/efivar/efisec-secdb.h b/src/include/efivar/efisec-secdb.h
@@ -25,15 +25,15 @@ typedef union {
 } efi_secdb_data_t;
 
 typedef enum {
-	SHA256,		// SHA-256 hash
+	X509_CERT,	// a raw x509 cert
 	X509_SHA256,	// SHA-256 hash of the TBSData
-	X509_SHA384,	// SHA-384 hash of the TBSData
+	SHA256,		// SHA-256 hash
 	X509_SHA512,	// SHA-512 hash of the TBSData
-	X509_CERT,	// a raw x509 cert
-	SHA1,		// SHA-1 hash
+	SHA512,		// SHA-512 hash
+	X509_SHA384,	// SHA-384 hash of the TBSData
 	SHA224,		// SHA-224 hash
 	SHA384,		// SHA-384 hash
-	SHA512,		// SHA-512 hash
+	SHA1,		// SHA-1 hash
 	RSA2048,	// RSA-2048 pubkey (m, e=0x10001)
 	RSA2048_SHA1,	// RSA-2048 signature of a SHA-1 hash
 	RSA2048_SHA256,	// RSA-2048 signature of a SHA-256 hash

diff --git a/src/libefisec.abixml b/src/libefisec.abixml
@@ -153,15 +153,15 @@
     <typedef-decl name='efi_secdb_data_t' type-id='type-id-55' filepath='src/include/efivar/efisec-secdb.h' line='25' column='1' id='type-id-54'/>
     <enum-decl name='efi_secdb_type_t' naming-typedef-id='type-id-65' filepath='src/include/efivar/efisec-secdb.h' line='27' column='1' id='type-id-66'>
       <underlying-type type-id='type-id-45'/>
-      <enumerator name='SHA256' value='0'/>
+      <enumerator name='X509_CERT' value='0'/>
       <enumerator name='X509_SHA256' value='1'/>
-      <enumerator name='X509_SHA384' value='2'/>
+      <enumerator name='SHA256' value='2'/>
       <enumerator name='X509_SHA512' value='3'/>
-      <enumerator name='X509_CERT' value='4'/>
-      <enumerator name='SHA1' value='5'/>
+      <enumerator name='SHA512' value='4'/>
+      <enumerator name='X509_SHA384' value='5'/>
       <enumerator name='SHA224' value='6'/>
       <enumerator name='SHA384' value='7'/>
-      <enumerator name='SHA512' value='8'/>
+      <enumerator name='SHA1' value='8'/>
       <enumerator name='RSA2048' value='9'/>
       <enumerator name='RSA2048_SHA1' value='10'/>
       <enumerator name='RSA2048_SHA256' value='11'/>

diff --git a/tests/test.esl.cert.addition.esl.goal b/tests/test.esl.cert.addition.esl.goal