authorJames Bottomley <jbottomley@parallels.com>2012-06-27 08:33:26 +0000
committerJeremy Kerr <jeremy.kerr@canonical.com>2012-06-28 14:23:49 +0800
commitd7cfae59da563d49b820c255c690cc1ac5dd472a (patch)
tree3a17b39b0b31ab5424c65c92cbddb47f5d7f19e1
parent1614a6e0f144c07f4566a19edc366763faa1448f (diff)
downloadsbsigntools-d7cfae59da563d49b820c255c690cc1ac5dd472a.tar.gz
image: fix signature calculation when there's junk at the end of the efi binary
The current gnu efi generation tools insist on leaving junk at the end of the binary. According to the authenticode spec, we have to include this in the hash otherwise signature verification fails, so add the end junk to the calculation of the hash. I've verified that with this fix (and another one to get objcopy to align the sections correctly) we can now sign gnu tools generated efi code with tianocore r13466.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
-rw-r--r--image.c21
1 files changed, 17 insertions, 4 deletions
diff --git a/image.c b/image.c
index ccbb535..a8f335a 100644
--- a/image.c
+++ b/image.c
@@ -304,15 +304,28 @@ int image_find_regions(struct image *image)
fprintf(stderr, "gaps in the section table may result in "
"different checksums\n");
+ qsort(image->checksum_regions, image->n_checksum_regions,
+ sizeof(struct region), cmp_regions);
+
if (bytes + image->cert_table_size != image->size) {
+ int n = image->n_checksum_regions++;
+ struct region *r;
+
+ image->checksum_regions = talloc_realloc(image,
+ image->checksum_regions,
+ struct region,
+ image->n_checksum_regions);
+ r = &image->checksum_regions[n];
+ r->name = "endjunk";
+ r->data = image->buf + bytes;
+ r->size = image->size - bytes - image->cert_table_size;
+
fprintf(stderr, "warning: data remaining[%zd vs %zd]: gaps "
"between PE/COFF sections?\n",
- bytes, image->size);
+ bytes + image->cert_table_size, image->size);
+
}
- qsort(image->checksum_regions, image->n_checksum_regions,
- sizeof(struct region), cmp_regions);
-
return 0;
}
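Review bot: The new `r->size = image->size - bytes - image->cert_table_size;` sits under a `!=` test, so an image where `bytes + image->cert_table_size` is larger than `image->size` also takes this branch. If these fields are unsigned (the `%zd` format suggests size_t-like types, but their declarations are not in the hunk), the subtraction wraps and the "endjunk" region extends far past `image->buf` when it is later hashed. Add the region only under `if (bytes + image->cert_table_size < image->size)` and treat the greater-than case as a malformed image, failing the way the rest of the function reports errors. Separately, the `talloc_realloc()` result is written straight back to `image->checksum_regions` and dereferenced through `r` with no NULL check, after `n_checksum_regions` has already been incremented; assign it to a temporary and bump the count only on success. image_find_regions begins outside the hunk, so its existing error convention is not visible here.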