Hi Stuart,

On Tue, 6 Dec 2022 at 19:58, Stuart Yoder <stuart.yo...@arm.com> wrote:
>
> All,
>
> I saw the meeting notes on the wiki:
>
> > Ilias: PKCS7, ACS, authenticated UEFI variables. U-Boot will not
> > support all types of certificate, probably will break SIE ACS.
> > Need a test using an unsupported certificate in dbx, try to boot,
> > should be rejected by bootloader
> >
> > Heinrich: edk2 will support all types. At least make sure we support
> > the secure certificate types (e.g. not sha1)
> > Action: Ilias to run SIE ACS on Synquacer, Vincent to follow up with
> > Stuart
>
> Currently the certificates used in the SIE ACS are all X.509, RSA2048,
> SHA256.
>
> That is also what is reflected in the SCT public spec for the new
> secure boot tests:
> https://github.com/stuyod01/edk2-test/blob/secure-boot/uefi-sct/Doc/UEFI-SCT-Case-Spec/SCT_Secure_Boot.md

Ok thanks. As I said I'll try to run it on hardware and share the results.

>
> What certificate types will u-boot not support?

EFI_CERT_RSA2048_GUID, EFI_CERT_RSA2048_SHA256_GUID, EFI_CERT_SHA1_GUID,
EFI_CERT_RSA2048_SHA_GUID, EFI_CERT_SHA224_GUID, EFI_CERT_SHA384_GUID,
EFI_CERT_SHA512_GUID, are currently unsupported. Keep in mind that if
U-Boot finds any of those types in DBX, it will unconditionally reject
images.

Thanks
/Ilias

>
> Thanks,
> Stuart
>
>
> On 12/6/22 7:07 AM, Vincent Stehlé wrote:
> > Thank you for attending the call yesterday,
> >
> > The notes are now on the wiki[1] (feel free to amend if you find any
> > mistake or if anything is missing).
> >
> > Best regards,
> >
> > Vincent Stehlé
> > System Architect - Arm
> >
> > [1]: https://github.com/ARM-software/ebbr/wiki/EBBR-Notes-2022.12.05

_______________________________________________
boot-architecture mailing list -- boot-architecture@lists.linaro.org
To unsubscribe send an email to boot-architecture-le...@lists.linaro.org
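
A pre-flight check for the dbx behaviour described in the message above, as an added example (not code from this thread or from U-Boot): it walks the EFI_SIGNATURE_LIST entries of a dbx payload and reports any list whose SignatureType is one of the types listed as unsupported. It assumes the input is the raw signature-list data (no efivarfs attribute prefix, no authentication header); the GUID values come from the UEFI specification, and `make_esl` and `SAMPLE_DBX` are constructed for illustration.

```python
import struct
import uuid

# GUID values per UEFI spec; names are the types the message lists as
# unsupported ("RSA2048_SHA" is assumed to mean EFI_CERT_RSA2048_SHA1_GUID).
UNSUPPORTED = {
    uuid.UUID("3c5766e8-269c-4e34-aa14-ed776e85b3b6"): "EFI_CERT_RSA2048_GUID",
    uuid.UUID("e2b36190-879b-4a3d-ad8d-f2e7bba32784"): "EFI_CERT_RSA2048_SHA256_GUID",
    uuid.UUID("826ca512-cf10-4ac9-b187-be01496631bd"): "EFI_CERT_SHA1_GUID",
    uuid.UUID("67f8444f-8743-48f1-a328-1eaab8736080"): "EFI_CERT_RSA2048_SHA1_GUID",
    uuid.UUID("0b6e5233-a65c-44c9-9407-d9ab83bfc8bd"): "EFI_CERT_SHA224_GUID",
    uuid.UUID("ff3e5307-9fd0-48c9-85f1-8ad56c701e01"): "EFI_CERT_SHA384_GUID",
    uuid.UUID("093e0fae-a6c4-4f50-9f1b-d41e2b89c19a"): "EFI_CERT_SHA512_GUID",
}
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


def walk_esl(blob):
    """Yield (type GUID, entry count) for each EFI_SIGNATURE_LIST in blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = HDR.unpack_from(blob, off)
        body = list_size - HDR.size - hdr_size  # bytes holding EFI_SIGNATURE_DATA
        if off + list_size > len(blob) or body < 0 or sig_size <= 16 or body % sig_size:
            raise ValueError(f"malformed list at offset {off}")
        yield uuid.UUID(bytes_le=raw_type), body // sig_size
        off += list_size


def unsupported_in_dbx(blob):
    """Return (list index, type name, entry count) for each flagged list."""
    return [(i, UNSUPPORTED[t], n)
            for i, (t, n) in enumerate(walk_esl(blob)) if t in UNSUPPORTED]


def make_esl(sig_type, hashes):
    """Build one signature list (used only for the constructed sample)."""
    owner = uuid.UUID(int=0).bytes_le  # placeholder SignatureOwner
    sig_size = 16 + len(hashes[0])
    body = b"".join(owner + h for h in hashes)
    return HDR.pack(sig_type.bytes_le, HDR.size + len(body), 0, sig_size) + body


# Constructed sample: one SHA-256 list (2 entries), one SHA-384 list (1 entry).
SAMPLE_DBX = (make_esl(EFI_CERT_SHA256_GUID, [b"\x11" * 32, b"\x22" * 32])
              + make_esl(uuid.UUID("ff3e5307-9fd0-48c9-85f1-8ad56c701e01"), [b"\x33" * 48]))
```

A non-empty result from `unsupported_in_dbx` on a platform's dbx means that, per the message above, U-Boot would reject every image regardless of its own signature.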