On Thu, Dec 08, 2022 at 10:28:43AM +0900, Masahisa Kojima wrote:
> On Thu, 8 Dec 2022 at 08:12, Stuart Yoder <stuart.yo...@arm.com> wrote:
> >
> > On 12/7/22 12:49 AM, Ilias Apalodimas wrote:
> > > Hi Stuart,
> > >
> > > On Tue, 6 Dec 2022 at 19:58, Stuart Yoder <stuart.yo...@arm.com> wrote:
> > >>
> > >> All,
> > >>
> > >> I saw the meeting notes on the wiki:
> > >>
> > >> > Ilias: PKCS7, ACS, authenticated UEFI variables. U-Boot will not
> > >> > support all types of certificate, probably will break SIE ACS.
> > >> > Need a test using an unsupported certificate in dbx, try to boot,
> > >> > should be rejected by bootloader
> > >> >
> > >> > Heinrich: edk2 will support all types. At least make sure we support
> > >> > the secure certificate types (e.g. not sha1)
> > >> > Action: Ilias to run SIE ACS on Synquacer, Vincent to follow up with
> > >> > Stuart
> > >>
> > >> Currently the certificates used in the SIE ACS are all X.509, RSA2048,
> > >> SHA256.
> > >>
> > >> That is also what is reflected in the SCT public spec for the new
> > >> secure boot tests:
> > >> https://github.com/stuyod01/edk2-test/blob/secure-boot/uefi-sct/Doc/UEFI-SCT-Case-Spec/SCT_Secure_Boot.md
> > >
> > > Ok thanks. As I said I'll try to run it on hardware and share the results
> > >
> > >>
> > >> What certificate types will u-boot not support?
> > >
> > > EFI_CERT_RSA2048_GUID,
> > > EFI_CERT_RSA2048_SHA256_GUID,
> > > EFI_CERT_SHA1_GUID,
> > > EFI_CERT_RSA2048_SHA_GUID,
> > > EFI_CERT_SHA224_GUID,
> > > EFI_CERT_SHA384_GUID,
> > > EFI_CERT_SHA512_GUID,
> > >
> > > are currently unsupported. Keep in mind that if U-Boot finds any of
> > > those types in DBX, it will unconditionally reject images.
> >
> > Of the various signature types that can be in db and dbx, the SIE
> > ACS tests the following:
> >
> > -for db siglists
> >    -for certificates: EFI_CERT_X509_GUID
> >    -for hashes of images: EFI_CERT_SHA256_GUID
> >
> > -for dbx siglists
> >    -for revocations of certificates: EFI_CERT_X509_GUID
> >    -for revocations of certificates by hash: EFI_CERT_SHA256_GUID,
> >     EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID
>
> It would be as follows according to [0]?
> EFI_CERT_SHA256_GUID -> EFI_CERT_X509_SHA256_GUID
> EFI_CERT_SHA384_GUID -> EFI_CERT_X509_SHA384_GUID
> EFI_CERT_SHA512_GUID -> EFI_CERT_X509_SHA512_GUID
>
> If so, U-Boot supports these dbx siglists for revocation.
> EFI_CERT_X509_SHA256_GUID
> EFI_CERT_X509_SHA384_GUID
> EFI_CERT_X509_SHA512_GUID

That's right.
FYI, my pytest in U-Boot repository (test_efi_secboot/test_signed.py)
covers all the cases:

> > -for dbx siglists
> >    -for revocations of certificates: EFI_CERT_X509_GUID

Test case 6b

> >    -for revocations of certificates by hash: EFI_CERT_SHA256_GUID,
> >     EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID

Test case 4 and case 7

> >    -for revocations of images by hash: EFI_CERT_SHA256_GUID

Test case 6c

-Takahiro Akashi

>
> [0]
> https://github.com/stuyod01/edk2-test/blob/secure-boot/uefi-sct/Doc/UEFI-SCT-Case-Spec/SCT_Secure_Boot.md
>
> Regards,
> Masahisa Kojima
>
> >    -for revocations of images by hash: EFI_CERT_SHA256_GUID
> >
> > The reason for picking those is that those GUIDs are the only ones
> > supported by the efitools used in generating test signature lists.
> > Updating efitools with additional GUIDs was out of scope of what
> > we were able to do.
> >
> > So it would be nice if u-boot supported revocations of
> > EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID.
> >
> > Thanks,
> > Stuart
_______________________________________________
boot-architecture mailing list -- boot-architecture@lists.linaro.org
To unsubscribe send an email to boot-architecture-le...@lists.linaro.org
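
Added example, not part of the thread and not U-Boot's code: a Python sketch that walks the EFI_SIGNATURE_LIST entries of a dbx blob and models the fail-closed behaviour described above, where any unsupported signature type in dbx means every image is rejected. The supported set follows what the thread reports; GUID values are from the UEFI specification; treating a malformed list as a rejection, the function names and the all-zero sample data are assumptions of this example.

```python
import struct
import uuid

# Types the thread reports U-Boot handling in db/dbx (GUID values from the UEFI spec).
SUPPORTED = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "EFI_CERT_X509_GUID",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "EFI_CERT_SHA256_GUID",
    uuid.UUID("3bd2a492-96c0-4079-b420-fcf98ef103ed"): "EFI_CERT_X509_SHA256_GUID",
    uuid.UUID("7076876e-80c2-4ee6-aad2-28b349a6865b"): "EFI_CERT_X509_SHA384_GUID",
    uuid.UUID("446dbf63-2502-4cda-bcfa-2465d2b0fe9d"): "EFI_CERT_X509_SHA512_GUID",
}
SHA384 = uuid.UUID("ff3e5307-9fd0-48c9-85f1-8ad56c701e01")  # EFI_CERT_SHA384_GUID
HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


def parse_siglists(blob):
    """Yield (type_guid, entry_count) per EFI_SIGNATURE_LIST; raise on bad sizes."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = HDR.unpack_from(blob, off)
        body = list_size - HDR.size - hdr_size
        if list_size > len(blob) - off or body < 0 or sig_size < 16 or body % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        yield uuid.UUID(bytes_le=raw_type), body // sig_size
        off += list_size


def dbx_verdict(blob):
    """Fail closed: a malformed (assumption) or unsupported list rejects every image."""
    try:
        lists = list(parse_siglists(blob))
    except ValueError as exc:
        return "reject-all", [str(exc)]
    unknown = [str(g) for g, _ in lists if g not in SUPPORTED]
    if unknown:
        return "reject-all", unknown
    return "evaluate", [SUPPORTED[g] for g, _ in lists]


def make_siglist(type_guid, payloads):
    """Build a constructed test list; the owner GUID is all zeros (sample value)."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(bytes(16) + p for p in payloads)
    return HDR.pack(type_guid.bytes_le, HDR.size + len(body), 0, sig_size) + body
```

Run against a dbx dump before enrolling it to see whether a single unsupported list would turn the variable into a blanket rejection.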