
On Tue, Feb 25, 2020 at 07:40:01AM +0100, Heinrich Schuchardt wrote:
On 2/25/20 6:25 AM, AKASHI Takahiro wrote:
On Mon, Feb 24, 2020 at 07:29:17PM +0100, Heinrich Schuchardt wrote:
On 1/28/20 9:25 AM, AKASHI Takahiro wrote:
With this commit, image validation can be enforced, as UEFI specification section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled.
Currently we support
- authentication based on db and dbx, so a dbx-validated image will always be rejected.
- the following signature types:
    EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
    EFI_CERT_X509_GUID (x509 certificate for signed images)
Timestamp-based certificate revocation is not supported here.
Internally, authentication data is stored in one of the certificate tables of the PE image (see efi_image_parse()) and will be verified by efi_image_authenticate() before loading a given image.
It seems that the UEFI specification defines the verification process in a somewhat ambiguous way. I tried to implement it as closely as possible to what EDK2 does.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
According to git bisect this patch breaks the test test/py/tests/test_efi_fit.py.
This error only occurs on "compressed" FIT images. While I'm not sure whether it is directly related to EFI support in bootm or not, I've fixed it anyway.
Hello Takahiro,
where can I find the fix?
Only in my local repository. Since I'm running Travis CI now, I will post a new version once the test is completed AND if you have no more comments on my v5.
Thanks, -Takahiro Akashi
Best regards
Heinrich
Thanks, -Takahiro Akashi
Best regards
Heinrich
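
The db/dbx policy from the commit message quoted in this thread, as an added example that is not part of the patch or of U-Boot: a small C model of the accept/reject decision in which dbx takes precedence over db. The names `sig_entry`, `list_has` and `image_allowed` are hypothetical, certificates are reduced to constructed 32-byte identifiers, and the signature over the image is assumed to have been verified already.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for EFI_CERT_SHA256_GUID / EFI_CERT_X509_GUID entries. */
enum sig_type { SIG_SHA256, SIG_X509 };

struct sig_entry {
	enum sig_type type;
	unsigned char id[32]; /* image digest, or a constructed certificate id */
};

/* Return true if the list holds an entry of this type with this id. */
static bool list_has(const struct sig_entry *list, size_t n,
		     enum sig_type type, const unsigned char *id)
{
	for (size_t i = 0; i < n; i++)
		if (list[i].type == type && !memcmp(list[i].id, id, 32))
			return true;
	return false;
}

/*
 * Model of the db/dbx decision. signer is NULL for an unsigned image;
 * otherwise it identifies a certificate whose signature over the image is
 * assumed to have been verified already (no PKCS#7 handling here).
 */
bool image_allowed(const unsigned char *digest, const unsigned char *signer,
		   const struct sig_entry *db, size_t ndb,
		   const struct sig_entry *dbx, size_t ndbx)
{
	/* dbx wins: a revoked digest or signer rejects the image outright. */
	if (list_has(dbx, ndbx, SIG_SHA256, digest))
		return false;
	if (signer && list_has(dbx, ndbx, SIG_X509, signer))
		return false;
	/* Signed image: the signer's certificate must be in db. */
	if (signer && list_has(db, ndb, SIG_X509, signer))
		return true;
	/* Unsigned image, or signer not trusted: fall back to a digest in db. */
	return list_has(db, ndb, SIG_SHA256, digest);
}
```

Timestamp-based revocation, which the commit message says is not supported, is not modelled here either.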