On 03/22/18 03:02, Wu, Jiaxin wrote: > On 03/21/18 14:39, Laszlo Ersek wrote: >> (1) Do you agree EFI_CERT_X509_GUID is the right setting for >> "EFI_SIGNATURE_LIST.SignatureType" (even though the edk2 code >> currently ignores it)? >> >> This would also imply that we set >> "EFI_SIGNATURE_LIST.SignatureHeaderSize" to zero, according to the >> UEFI spec. >> > > Yes, exactly, EFI_CERT_X509_GUID is the correct SignatureType for the > CACertificate. SignatureHeaderSize should be set to zero. We do miss > the check in HttpDxe driver, I'm fine to add back the SignatureType > check in TlsConfigCertificate(). So, can you report the Bugzilla for > this fixing? Thanks.
I've filed <https://bugzilla.tianocore.org/show_bug.cgi?id=909> and assigned it to myself (for a v1 patch at least). >> (2) Do you foresee any such restrictions for the >> "EFI_SIGNATURE_DATA.SignatureOwner" field in >> EFI_TLS_CA_CERTIFICATE_VARIABLE? Or is it safe if we generate a GUID >> for the tool with "uuidgen"? >> > > I don't think it's necessary to restrict/stand the GUID in the field > of SignatureOwner for the CA certification (at least for now) since > it's only used to identify the different venders (i.e, Microsoft) so > as to avoid the following content check. In the UEFI part, we also > didn't check the SignatureOwner for the any security consideration. > So, I think it's safe to generate a GUID using the tool at present. Sounds great, thanks! Laszlo _______________________________________________ edk2-devel mailing list [email protected] https://lists.01.org/mailman/listinfo/edk2-devel
