24 Feb
2020
24 Feb
'20
7:29 p.m.
On 1/28/20 9:25 AM, AKASHI Takahiro wrote:
With this commit, image validation can be enforced, as UEFI specification section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled.
Currently we support
- authentication based on db and dbx, so dbx-validated image will always be rejected.
- following signature types: EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images) EFI_CERT_X509_GUID (x509 certificate for signed images)
Timestamp-based certificate revocation is not supported here.
Internally, authentication data is stored in one of certificates tables of PE image (See efi_image_parse()) and will be verified by efi_image_authenticate() before loading a given image.
It seems that UEFI specification defines the verification process in a bit ambiguous way. I tried to implement it as closely to as EDK2 does.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
According to git bisect this patch breaks the test test/py/tests/test_efi_fit.py.
Best regards
Heinrich