SecurityPkg/Pkcs7Verify: Add the comments to address security problem

[mirror_edk2.git] / SecurityPkg / Pkcs7Verify / Pkcs7VerifyDxe / Pkcs7VerifyDxe.c

diff --git a/SecurityPkg/Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c b/SecurityPkg/Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c
index 0da549a6bd57a09071c1c2d1fc4819e566bc50ab..ac83e6d5c249264ebee6da09909852fe5d41170c 100644 (file)
--- a/SecurityPkg/Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c
+++ b/SecurityPkg/Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c
@@ -1321,6 +1321,14 @@ _Exit:
   verifies the signature of the content is valid and signing certificate was not revoked\r
   and is contained within a list of trusted signers.\r
 \r
+  Note: because this function uses hashes and the specification contains a variety of\r
+        hash choices, you should be aware that the check against the RevokedDb list\r
+        will improperly succeed if the signature is revoked using a different hash\r
+        algorithm.  For this reason, you should either cycle through all UEFI supported\r
+        hashes to see if one is forbidden, or rely on a single hash choice only if the\r
+        UEFI signature authority only signs and revokes with a single hash (at time\r
+        of writing, this hash choice is SHA256).\r
+\r
   @param[in]     This                 Pointer to EFI_PKCS7_VERIFY_PROTOCOL instance.\r
   @param[in]     Signature            Points to buffer containing ASN.1 DER-encoded PKCS\r
                                       detached signature.\r