On 1/29/26 14:19, Zhuoying Cai wrote:
>>> + /*
>>> + * Store indices of cert entry that have already used for signature
>>> + * verification to prevent allocating the same certificate multiple
>>> times.
>>> + * cert_table index (cert_table_idx):
>>> + * index of certificate from qemu cert store used for
>>> verification
>>> + * cert_table value (cert_entry_idx):
>>> + * index of cert entry in cert list that contains the
>>> certificate
>>> + */
>>> + int cert_table[MAX_CERTIFICATES] = { [0 ... MAX_CERTIFICATES - 1] =
>>> -1};
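Review bot: The comment above cert_table never says what the -1 initializer means, so a reader has to infer that -1 marks "no entry in the cert list yet"; state the sentinel in the comment, next to the description of the array value. In the same comment, "have already used" should read "have already been used", and the initializer's closing "-1};" wants a space before the brace to match the opening "{ [0 ...".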
>> If you agree with the suggestion below for verify_signature to adjust
>> the returned index, then the cert_table can be used a bit differently:
>>
>> Make this an array of booleans. Use the index returned by
>> verify_signature. Value true means that the cert has already been added
>> to the IplSignatureCertificateList. False means it has yet to be added
>> to the list.
>>
> If verify_signature adjusted the returned index, I don’t quite see why
> cert_table should become a boolean array. We still need to track the
> certificate index in IplSignatureCertificateList, since that index is
> used later as the IPL-Signature-Certificate Index (SCI) in
> IplDeviceComponentList. That’s what cert_table currently provides.
>
> With a boolean array, that index information would be lost. Am I missing
> something?

Ah, I see. This is to keep track of which cert store index corresponds
to the entry in the IplSignatureCertificateList. I thought it was to
**only** keep track of which cert was already retrieved from the store,
so my suggestion was off. Thanks for clearing that up.

I might've been confused by the comment. What about:

```
/*
 * Keep track of which certificate store indices correspond to the
 * certificate data entries within the IplSignatureCertificateList to
 * prevent allocating space for the same certificate multiple times.
 *
 * The array index corresponds to the certificate's cert-store index.
 *
 * The array value corresponds to the certificate's entry within the
 * IplSignatureCertificateList (with a value of -1 denoting no entry
 * exists for the certificate).
 */
```

It's just a more verbose explanation of what you already have, but the
main point is to correlate where the index value comes from and which
data structure the array assists.

If you take the suggestion to rename the IplSignatureCertificateList
variable from certs to cert_list, then I would also suggest renaming
cert_table to something like cert_list_table so it will read a little
more clearly when viewed next to cert_list.

--
Regards,
Collin
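
The mapping discussed in this thread, as an added example that is not code from the patch or from QEMU: a table indexed by cert-store index whose value is the certificate's entry in the list (the number later reused as the SCI), with -1 meaning no entry yet. The struct, the function names, the NO_ENTRY macro and the value of MAX_CERTIFICATES are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_CERTIFICATES 64 /* assumed value; the real constant is not shown in the thread */
#define NO_ENTRY (-1)       /* hypothetical name for the -1 sentinel */

/* Hypothetical stand-in for the bookkeeping around IplSignatureCertificateList. */
struct cert_list_state {
    int cert_list_table[MAX_CERTIFICATES];    /* cert-store index -> list entry, or NO_ENTRY */
    int store_idx_of_entry[MAX_CERTIFICATES]; /* list entry -> cert-store index */
    int entries;                              /* number of list entries in use */
};

void cert_list_init(struct cert_list_state *s)
{
    for (size_t i = 0; i < MAX_CERTIFICATES; i++) {
        s->cert_list_table[i] = NO_ENTRY;
    }
    s->entries = 0;
}

/*
 * Return the list entry index for a cert-store index, creating the entry
 * only the first time that certificate is seen. An index outside the table
 * is rejected with -1 before it is ever used as a subscript.
 */
int cert_list_get_sci(struct cert_list_state *s, int store_idx)
{
    if (store_idx < 0 || store_idx >= MAX_CERTIFICATES) {
        return -1;
    }
    if (s->cert_list_table[store_idx] == NO_ENTRY) {
        s->store_idx_of_entry[s->entries] = store_idx;
        s->cert_list_table[store_idx] = s->entries++;
    }
    return s->cert_list_table[store_idx];
}

int main(void)
{
    struct cert_list_state s;
    int used[] = { 5, 2, 5 }; /* constructed: store indices of three verified components */

    cert_list_init(&s);
    for (size_t i = 0; i < sizeof(used) / sizeof(used[0]); i++) {
        printf("store index %d -> SCI %d\n", used[i], cert_list_get_sci(&s, used[i]));
    }
    return 0;
}
```
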