On Thu, 8 Dec 2022 at 08:12, Stuart Yoder <stuart.yo...@arm.com> wrote: > > > > On 12/7/22 12:49 AM, Ilias Apalodimas wrote: > > Hi Stuart, > > > > On Tue, 6 Dec 2022 at 19:58, Stuart Yoder <stuart.yo...@arm.com> wrote: > >> > >> All, > >> > >> I saw the meeting notes on the wiki: > >> > >> > Ilias: PKCS7, ACS, authenticated UEFI variables. U-Boot will not > >> > support all types of certificate, probably will break SIE ACS. > >> > Need a test using an unsupported certificate in dbx, try to boot, > >> > should be rejected by bootloader > >> > > >> > Heinrich: edk2 will support all types. At least make sure we support > >> > the secure certificate types (e.g. not sha1) > >> > Action: Ilias to run SIE ACS on Synquacer, Vincent to follow up with > >> > Stuart > >> > >> Currently the certificates used in the SIE ACS are all X.509, RSA2048, > >> SHA256. > >> > >> That is also what is reflected in the SCT public spec for the new > >> secure boot tests: > >> https://github.com/stuyod01/edk2-test/blob/secure-boot/uefi-sct/Doc/UEFI-SCT-Case-Spec/SCT_Secure_Boot.md > > > > Ok thanks. As I said I'll try to run it on hardware and share the results > > > >> > >> What certificate types will u-boot not support? > > > > EFI_CERT_RSA2048_GUID, > > EFI_CERT_RSA2048_SHA256_GUID, > > EFI_CERT_SHA1_GUID, > > EFI_CERT_RSA2048_SHA_GUID, > > EFI_CERT_SHA224_GUID, > > EFI_CERT_SHA384_GUID, > > EFI_CERT_SHA512_GUID, > > > > are currently unsupported. Keep in mind that if U-Boot finds any of > > those types in DBX, it will unconditionally reject images. > > Of the various signature types that can be in db and dbx, the SIE > ACS tests the following: > > -for db siglists > -for certificates: EFI_CERT_X509_GUID > -for hashes of images: EFI_CERT_SHA256_GUID > > -for dbx siglists > -for revocations of certificates: EFI_CERT_X509_GUID > -for revocations of certificates by hash: EFI_CERT_SHA256_GUID, > EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID
It would be as follows according to [0]? EFI_CERT_SHA256_GUID -> EFI_CERT_X509_SHA256_GUID EFI_CERT_SHA384_GUID -> EFI_CERT_X509_SHA384_GUID EFI_CERT_SHA512_GUID -> EFI_CERT_X509_SHA512_GUID If so, U-Boot supports these dbx siglists for revocation. EFI_CERT_X509_SHA256_GUID EFI_CERT_X509_SHA384_GUID EFI_CERT_X509_SHA512_GUID [0] https://github.com/stuyod01/edk2-test/blob/secure-boot/uefi-sct/Doc/UEFI-SCT-Case-Spec/SCT_Secure_Boot.md Regards, Masahisa Kojima > -for revocations of images by hash: EFI_CERT_SHA256_GUID > > The reason for picking those is that those GUIDs are the only ones > supported by the efitools used in generating test signature lists. > Updating efitools with additional GUIDs was out of scope of what > we were able to do. > > So it would be nice if u-boot supported revocations of > EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID. > > Thanks, > Stuart > _______________________________________________ > boot-architecture mailing list -- boot-architecture@lists.linaro.org > To unsubscribe send an email to boot-architecture-le...@lists.linaro.org _______________________________________________ boot-architecture mailing list -- boot-architecture@lists.linaro.org To unsubscribe send an email to boot-architecture-le...@lists.linaro.org
