On Wed, 3 Jul 2019 at 10:12, AKASHI Takahiro <[email protected]>
wrote:

> On Wed, Jul 03, 2019 at 09:56:58AM +0200, Francois Ozog wrote:
> > On Wed, 3 Jul 2019 at 02:00, AKASHI Takahiro <[email protected]> wrote:
> >
> > > On Tue, Jul 02, 2019 at 08:43:26AM +0100, Francois Ozog wrote:
> > > > On Tue, 2 Jul 2019 at 08:32, Peter Robinson <[email protected]> wrote:
> > > >
> > > > > Hi AKASHI,
> > > > >
> > > > > > I'm now working on implementing UEFI secure boot on U-boot,
> > > > > > in particular, adding "dbt" (timestamp-based revocation) support
> > > > > > as described in UEFI specification, section 32.5.1 paragraph#7.
> > > > > >
> > > > > > # To be honest, the description is quite hard for me to understand.
> > > > > > # I've got what it means only after reading corresponding EDK2 code.
> > > > > >
> > > > > > My question is: Is there any signing tool on linux, with which
> > > > > > we can directly "timestamp" a PE image with RFC3161-compliant timestamp?
> > > > >
> > > > > I believe we (the RH distros) use pesign tool for this [1] but pjones
> > > > > would know all the intricate details of that.
> > > > >
> > > > > > I know that "signtool" in Microsoft's Windows SDK has this feature,
> > > > > > but I wonder what tool major distros use for this purpose.
> > > > > > (They also need to use Windows for creating their own distributions?)
> > > > > >
> > > > > > I don't think it is very difficult to add the feature to existing
> > > > > > tools like "sbsign," but it would be nice to use "proven" tools
> > > > > > for testing.
> > > > >
> > > > > Peter
> > > > >
> > > > Thanks Peter.
> > > > Should we want to contribute say « file_fit » to sign FIT image, does this
> > > > sound reasonable?
> > >
> > > I *dare* want to ask you what you mean by signing FIT image.
> > > U-Boot's mkimage tool has a signing feature in a sense, so
> > > it would be best to expand its functionality to avoid any confusion.
> > >
> > > The exact details of signing are specified in different specs.
> > My view is that in a "signing realm", (say UEFI signing) one should use a
> > consistent set of tools to sign and verify signing.
>
> Even today, distros/vendors use different tools, not many but a few though.

Each distro can have its signing tool for modules, shared libs or
executables. This is good as it fits a "distro signing realm".
What shall be in signature, how it is effectively signed can be specific to
each realm.

> > When U-Boot is used in the context of UEFI SecureBoot, we should use a single
> > UEFI signing tool regardless of the nature of the file (PE, FIT, ...)
> > We could use different tools to sign different file types, but if UEFI
> > signing policy changes, you have to change a number of tools which does not
> > look good to me.
>
> Can you give me an example of "UEFI signing policy" or point to
> any reference/document?
>
Isn't section 30 of UEFI spec (2.6) describing a "policy"? UEFI realm
GUIDs and stuff like that.
Shall this section add a mandatory attribute for next version of signature,
signing tools will have to be updated.

> What's important is a well-defined format/rule, not a tool, isn't it?
> Conformance is a totally different issue.
>
I hate plugfests. (I spent a big chunk of my life when multiple
"conformant" SS7 implementations were not interoperable).
Bottom line, I actually do not really care if there is a single tool.
I just say that for the next evolution of UEFI signing, we'll depend on
multiple tools conformant updates, which may depend on a plugfest.


> -Takahiro Akashi
>
> >
> > -Takahiro Akashi
> > >
> > > > >
> > > > > [1] https://github.com/rhboot/pesign


-- 
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
[email protected] | Skype: ffozog
_______________________________________________
boot-architecture mailing list
[email protected]
https://lists.linaro.org/mailman/listinfo/boot-architecture
