Hi Heinrich,

[...]

> >                       /*
> > @@ -500,7 +528,9 @@ bool efi_signature_verify(struct efi_image_regions 
> > *regs,
> >                */
> >               if (!msg->data &&
> >                   !efi_hash_regions(regs->reg, regs->num,
> > -                                   (void **)&sinfo->sig->digest, NULL)) {
> > +                                   (void **)&sinfo->sig->digest,
> > +                                   guid_to_sha_str(&efi_guid_sha256),
>
> The UEFI spec knows certificate types like EFI_CERT_X509_SHA512_GUID.
> Why do we assume SHA256 here?

This part is only used for variable authentication. This was using
sha256 only before the patch, but isn't that the only thing the spec
mandates for authenticated variables?

>
> Best regards
>
> Heinrich
>
> > +                                   NULL)) {
> >                       EFI_PRINT("Digesting an image failed\n");
> >                       goto out;
> >               }
>
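
Review bot: The digest algorithm in the `!msg->data` branch is fixed to `guid_to_sha_str(&efi_guid_sha256)`, and nothing at the call site says why SHA256 is the only acceptable choice here. If this path is reached only for variable authentication, as the reply states, a short comment above the efi_hash_regions() call saying so would keep a later reader from assuming it also covers image digests with other hash types. Alternatively, pass the algorithm in from the caller so a signature using a different digest is not silently hashed with SHA256 and then rejected as a mismatch. The final size argument stays NULL, which matches the call before the change.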
