X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=SecurityPkg%2FPkcs7Verify%2FPkcs7VerifyDxe%2FPkcs7VerifyDxe.c;h=ac83e6d5c249264ebee6da09909852fe5d41170c;hb=6ded19558a2b21bcce544afcfa17fb59a8b4760a;hp=0da549a6bd57a09071c1c2d1fc4819e566bc50ab;hpb=4bbf39632c840e32996e8d43137f23fb43282859;p=mirror_edk2.git diff --git a/SecurityPkg/Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c b/SecurityPkg/Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c index 0da549a6bd..ac83e6d5c2 100644 --- a/SecurityPkg/Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c +++ b/SecurityPkg/Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c @@ -1321,6 +1321,14 @@ _Exit: verifies the signature of the content is valid and signing certificate was not revoked and is contained within a list of trusted signers. + Note: because this function uses hashes and the specification contains a variety of + hash choices, you should be aware that the check against the RevokedDb list + will improperly succeed if the signature is revoked using a different hash + algorithm. For this reason, you should either cycle through all UEFI supported + hashes to see if one is forbidden, or rely on a single hash choice only if the + UEFI signature authority only signs and revokes with a single hash (at time + of writing, this hash choice is SHA256). + @param[in] This Pointer to EFI_PKCS7_VERIFY_PROTOCOL instance. @param[in] Signature Points to buffer containing ASN.1 DER-encoded PKCS detached signature.
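Review bot: In the Note added to the function header, "the check against the RevokedDb list will improperly succeed" is ambiguous. A reader cannot tell whether it is the revocation lookup that matches or the overall verification that passes. If the intended meaning is that the function can report success even though RevokedDb contains a revocation recorded with a different hash algorithm, say so in those terms, and name the return status the caller will see. The advice to "cycle through all UEFI supported hashes" gives the caller neither the list of algorithms nor a pointer to where the specification defines it, so a reference would help. "at time of writing, this hash choice is SHA256" will go stale unless a specification version or date is given next to it. The hunk only documents the gap and leaves the mitigation to every caller, so the comment should also say whether the function is expected to stay this way.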