From 54152379d1fad5709e369fcd40099f06f8be0480 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Rochoy?=
Date: Mon, 4 Dec 2023 10:57:43 +0100
Subject: [PATCH] libsecureboot: be more verbose about validation failures
---
 lib/libbearssl/Makefile.inc | 1 +
 lib/libbearssl/Makefile.libsa.inc | 3 +++
 lib/libsecureboot/vets.c | 12 +++++++++---
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/lib/libbearssl/Makefile.inc b/lib/libbearssl/Makefile.inc
index 764984de90671c..453630d038cda6 100644
--- a/lib/libbearssl/Makefile.inc
+++ b/lib/libbearssl/Makefile.inc
@@ -1,6 +1,7 @@
 BEARSSL?= ${SRCTOP}/contrib/bearssl
 BEARSSL_SRC= ${BEARSSL}/src
+BEARSSL_TOOLS= ${BEARSSL}/tools
 CFLAGS+= -I${BEARSSL}/inc
 CFLAGS+= ${NO_WDEPRECATED_NON_PROTOTYPE}
diff --git a/lib/libbearssl/Makefile.libsa.inc b/lib/libbearssl/Makefile.libsa.inc
index c31d3f85975a64..c171e141f0db06 100644
--- a/lib/libbearssl/Makefile.libsa.inc
+++ b/lib/libbearssl/Makefile.libsa.inc
@@ -83,3 +83,6 @@ SRCS+= \
 x509/x509_decoder.c \
 x509/x509_minimal.c \
+# We want find_error_name().
+SRCS+= \
+ ${BEARSSL_TOOLS}/errors.c \
diff --git a/lib/libsecureboot/vets.c b/lib/libsecureboot/vets.c
index 4a2aba43319148..38080d3aafbf3f 100644
--- a/lib/libsecureboot/vets.c
+++ b/lib/libsecureboot/vets.c
@@ -568,9 +568,15 @@ verify_signer_xcs(br_x509_certificate *xcs,
 ve_error_set("Validation failed, certificate not valid as of %s",
 gdate(date, sizeof(date), ve_utc));
 break;
- default:
- ve_error_set("Validation failed, err = %d", err);
- break;
+ default: {
+ const char *err_desc = NULL;
+ const char *err_name = find_error_name(err, &err_desc);
+
+ if (err_name == NULL)
+ ve_error_set("Validation failed, err = %d", err);
+ else
+ ve_error_set("Validation failed, %s (%s)", err_desc, err_name);
+ break; }
 }
 } else {
 tpk = mc.vtable->get_pkey(&mc.vtable, &usages);
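Review bot: The added comment `# We want find_error_name().` names the symbol but not its consumer, while the new `SRCS+=` entry compiles a file from BearSSL's `tools/` tree (judging by the `BEARSSL_TOOLS` path) into the standalone libsa build. I would spell that out, e.g. `# tools/errors.c provides find_error_name(), used by libsecureboot (vets.c) to name X.509 validation errors.` Because this links the error name and description strings into the loader, it is also worth confirming that size-constrained boot targets still fit. The `SRCS+=` list this hunk appends to begins outside the hunk.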
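Review bot: `find_error_name()` is called in the new `default:` branch, but nothing in this patch adds a declaration for it: the vets.c changes are confined to this hunk and the diffstat touches no header. Unless a header that vets.c already includes declares it, the call relies on an implicit declaration, which returns `int` and can truncate the returned pointer on 64-bit targets; a prototype such as `const char *find_error_name(int err, const char **comment);` should be visible here. The named message also drops the numeric code, so I would keep it for log correlation: `ve_error_set("Validation failed, %s (%s, err = %d)", err_desc, err_name, err);`. verify_signer_xcs starts and ends outside the hunk.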