Hi,

On Wed, 7 Dec 2022 at 19:50, Ilias Apalodimas <ilias.apalodi...@linaro.org> wrote:
>
> Hi Stuart,
>
> On Tue, 6 Dec 2022 at 19:58, Stuart Yoder <stuart.yo...@arm.com> wrote:
> >
> > All,
> >
> > I saw the meeting notes on the wiki:
> >
> > > Ilias: PKCS7, ACS, authenticated UEFI variables. U-Boot will not
> > > support all types of certificate, probably will break SIE ACS.
> > > Need a test using an unsupported certificate in dbx, try to boot,
> > > should be rejected by bootloader
> > >
> > > Heinrich: edk2 will support all types. At least make sure we support
> > > the secure certificate types (e.g. not sha1)
> > > Action: Ilias to run SIE ACS on Synquacer, Vincent to follow up with
> > > Stuart
> >
> > Currently the certificates used in the SIE ACS are all X.509, RSA2048,
> > SHA256.
> >
> > That is also what is reflected in the SCT public spec for the new
> > secure boot tests:
> > https://github.com/stuyod01/edk2-test/blob/secure-boot/uefi-sct/Doc/UEFI-SCT-Case-Spec/SCT_Secure_Boot.md
>
> Ok thanks. As I said I'll try to run it on hardware and share the results
>
> >
> > What certificate types will u-boot not support?
>
> EFI_CERT_RSA2048_GUID,
> EFI_CERT_RSA2048_SHA256_GUID,
> EFI_CERT_SHA1_GUID,
> EFI_CERT_RSA2048_SHA_GUID,
> EFI_CERT_SHA224_GUID,
> EFI_CERT_SHA384_GUID,
> EFI_CERT_SHA512_GUID,
>
> are currently unsupported. Keep in mind that if U-Boot finds any of
> those types in DBX, it will unconditionally reject images.

I don't know anything about this, but why does U-Boot not support those?

Regards,
Simon
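An added example, not part of the thread and not U-Boot code: a pre-deployment check that walks a dbx payload as a sequence of `EFI_SIGNATURE_LIST` structures and reports lists whose type is one the message above names as unsupported, since such an entry would make U-Boot reject every image. It assumes the input is the raw variable data (no efivarfs attribute prefix, no authentication descriptor); the GUID values are taken from the UEFI specification, the table covers six of the listed names, and `audit_dbx`, `make_list` and the sample blob are hypothetical names and constructed data.

```python
import struct
import uuid

# Signature-type GUIDs (UEFI specification) for six of the types the message
# lists as currently unsupported by U-Boot.
# Assumption: the blob is raw dbx data, i.e. back-to-back EFI_SIGNATURE_LISTs.
UNSUPPORTED = {
    uuid.UUID("3c5766e8-269c-4e34-aa14-ed776e85b3b6"): "EFI_CERT_RSA2048_GUID",
    uuid.UUID("e2b36190-879b-4a3d-ad8d-f2e7bba32784"): "EFI_CERT_RSA2048_SHA256_GUID",
    uuid.UUID("826ca512-cf10-4ac9-b187-be01496631bd"): "EFI_CERT_SHA1_GUID",
    uuid.UUID("0b6e5233-a65c-44c9-9407-d9ab83bfc8bd"): "EFI_CERT_SHA224_GUID",
    uuid.UUID("ff3e5307-9fd0-48c9-85f1-8ad56c701e01"): "EFI_CERT_SHA384_GUID",
    uuid.UUID("093e0fae-a6c4-4f50-9f1b-d41e2b89c19a"): "EFI_CERT_SHA512_GUID",
}
HEADER = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


def audit_dbx(blob):
    """Return [(offset, type_name, entry_count)] for unsupported lists in a dbx payload."""
    findings, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        guid, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        body = list_size - HEADER.size - hdr_size  # bytes occupied by EFI_SIGNATURE_DATA
        if list_size > len(blob) - off or body < 0 or sig_size < 16 or body % sig_size:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        name = UNSUPPORTED.get(uuid.UUID(bytes_le=guid))  # EFI GUIDs are mixed-endian
        if name:
            findings.append((off, name, body // sig_size))
        off += list_size
    return findings


def make_list(type_guid, payloads):
    """Build one EFI_SIGNATURE_LIST (constructed test data, zero owner GUID)."""
    sigs = b"".join(bytes(16) + p for p in payloads)
    size = 16 + len(payloads[0])
    return HEADER.pack(type_guid.bytes_le, HEADER.size + len(sigs), 0, size) + sigs


# Constructed sample: one SHA-256 list (not in the table) followed by one SHA-384 list.
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SHA384 = uuid.UUID("ff3e5307-9fd0-48c9-85f1-8ad56c701e01")
SAMPLE = make_list(SHA256, [bytes(32)] * 2) + make_list(SHA384, [bytes(48)])

if __name__ == "__main__":
    for off, name, count in audit_dbx(SAMPLE):
        print(f"offset {off}: {name} x{count} -> images would be rejected per the thread")
```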