On Tue, Jul 02, 2019 at 08:43:26AM +0100, Francois Ozog wrote:
> On Tue, 2 Jul 2019 at 08:32, Peter Robinson <[email protected]> wrote:
> 
> > Hi AKASHI,
> >
> > > I'm now working on implementing UEFI secure boot on U-Boot,
> > > in particular, adding "dbt" (timestamp-based revocation) support
> > > as described in UEFI specification, section 32.5.1 paragraph#7.
> > >
> > > # To be honest, the description is quite hard for me to understand.
> > > # I've got what it means only after reading corresponding EDK2 code.
> > >
> > > My question is: Is there any signing tool on Linux, with which
> > > we can directly "timestamp" a PE image with RFC3161-compliant timestamp?
> >
> > I believe we (the RH distros) use pesign tool for this [1] but pjones
> > would know all the intricate details of that.
> >
> > > I know that "signtool" in Microsoft's Windows SDK has this feature,
> > > but I wonder what tool major distros use for this purpose.
> > > (They also need to use Windows for creating their own distributions?)
> > >
> > > I don't think it is very difficult to add the feature to existing
> > > tools like "sbsign," but it would be nice to use "proven" tools
> > > for testing.
> >
> > Peter
> >
> Thanks Peter.
> Should we want to contribute, say, "file_fit" to sign a FIT image, does this
> sound reasonable?

I *dare* to ask you what you mean by signing a FIT image.
U-Boot's mkimage tool has a signing feature in a sense, so
it would be best to expand its functionality to avoid any confusion.

-Takahiro Akashi

> >
> > [1] https://github.com/rhboot/pesign
> > _______________________________________________
> > boot-architecture mailing list
> > [email protected]
> > https://lists.linaro.org/mailman/listinfo/boot-architecture
> >
> -- 
> François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
> T: +33.67221.6485
> [email protected] | Skype: ffozog