Hi Peter,

On Tue, Jul 02, 2019 at 08:32:02AM +0100, Peter Robinson wrote:
> Hi AKASHI,
> 
> > I'm now working on implementing UEFI secure boot on U-boot,
> > in particular, adding "dbt" (timestamp-based revocation) support
> > as described in UEFI specification, section 32.5.1 paragraph#7.
> >
> > # To be honest, the description is quite hard for me to understand.
> > # I've got what it means only after reading corresponding EDK2 code.
> >
> > My question is: Is there any signing tool on linux, with which
> > we can directly "timestamp" a PE image with RFC3161-compliant timestamp?
> 
> I believe we (the RH distros) use pesign tool for this [1] but pjones
> would know all the intricate details of that.

Thank you for the reference, but I don't think that it is what
I'm looking for.

As far as I know by looking at EDK2's
    CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
RFC3161-compliant timestamp is expected to be stored in
unauthenticatedAttribute of PKCS7's SignerInfo.

On the other hand, "pesign" tool defines struct SpcSignerInfo
with "unsignedAttrs," which I believe is an alias name of
unauthenticatedAttribute, but never sets any meaningful
data in it.

I hope Peter(pjones) will confirm this.

Thanks,
-Takahiro Akashi

> > I know that "signtool" in Microsoft's Windows SDK has this feature,
> > but I wonder what tool major distros use for this purpose.
> > (They also need to use windows for creating their own distributions?)
> >
> > I don't think it is very difficult to add the feature to existing
> > tools like "sbsign," but it would be nice to use "proven" tools
> > for testing.
> 
> Peter
> 
> [1] https://github.com/rhboot/pesign
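As an added example (not code from this thread, EDK2 or pesign): a stand-alone Python check of where the thread says an RFC 3161 timestamp is expected to live, the [1] unsignedAttrs of a PKCS#7 SignerInfo. The OID table, the pre-encoded OIDs and the constructed SignerInfo samples are my own assumptions; the sample carries a stub TST and a fake signature, so it demonstrates the structure only.

```python
TS_OIDS = {"1.3.6.1.4.1.311.3.3.1": "szOID_RFC3161_counterSign (Authenticode)",
           "1.2.840.113549.1.9.16.2.14": "id-aa-timeStampToken (RFC 3161 / CMS)"}

def der_read(buf, off=0):                           # one TLV at buf[off:] -> (tag, value, next_off)
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                               # long form: low bits = number of length octets
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(value):                            # (tag, value) of each element in a constructed value
    off = 0
    while off < len(value):
        tag, val, off = der_read(value, off)
        yield tag, val

def oid_decode(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                               # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def find_timestamp_attr(signer_info_der):
    """Return the timestamp OID found in the [1] unsignedAttrs of a SignerInfo, or None."""
    _tag, body, _ = der_read(signer_info_der)      # SignerInfo ::= SEQUENCE { ... }
    for ctag, attrs in der_children(body):
        if ctag == 0xA1:                            # [1] IMPLICIT SET OF Attribute
            for _, attr in der_children(attrs):     # Attribute ::= SEQUENCE { type OID, values SET }
                oid = oid_decode(der_read(attr)[1])
                if oid in TS_OIDS:
                    return oid
    return None

def der(tag, content):                              # minimal DER encoder (lengths < 65536)
    n = len(content)
    hdr = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + hdr + content

OID_SHA256 = bytes.fromhex("0609608648016503040201")         # 2.16.840.1.101.3.4.2.1 (pre-encoded)
OID_RSA = bytes.fromhex("06092a864886f70d010101")            # 1.2.840.113549.1.1.1
OID_MS_TS = bytes.fromhex("060a2b060104018237030301")        # 1.3.6.1.4.1.311.3.3.1
def sample_signer_info(with_timestamp):
    """Constructed SignerInfo: stub sid, fake signature, optional unsignedAttrs with a stub TST."""
    fields = (der(0x02, b"\x01") + der(0x30, b"") + der(0x30, OID_SHA256)
              + der(0x30, OID_RSA) + der(0x04, b"\xde\xad\xbe\xef"))
    if with_timestamp:                              # a real value would be the TSA's TimeStampToken
        fields += der(0xA1, der(0x30, OID_MS_TS + der(0x31, der(0x30, b""))))
    return der(0x30, fields)
```

A SignerInfo without the [1] element, which is what the mail describes pesign producing, yields None; one with the attribute reports the OID so a verifier can then validate the token itself.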
_______________________________________________
boot-architecture mailing list
https://lists.linaro.org/mailman/listinfo/boot-architecture