Hi, Lin

R14141 is the only patch for multiple signature support. R14165 fixes a bug 
when computing the signature count of an EFI_SIGNATURE_LIST in db/dbx. Please 
notice that the image verification policy is also updated as below in R14141.

  The image verification policy is:
    If the image is signed,
      At least one valid signature or at least one hash value of the image must match a record
      in the security database "db", and no valid signature nor any hash value of the image may
      be reflected in the security database "dbx".
    Otherwise, the image is not signed,
      The SHA256 hash value of the image must match a record in the security database "db", and
      not be reflected in the security data base "dbx".


Best Regards,
Fu, Siyuan

-----Original Message-----
From: Gary Ching-Pang Lin [mailto:[email protected]] 
Sent: Thursday, March 07, 2013 4:10 PM
To: [email protected]
Subject: [edk2] OVMF multiple signatures verification

Hi,

As mentioned in the recent commits (14141, 14165), the multiple signatures 
support is integrated into edk2 mainline. However, my test showed those two 
commits broke the image verification. Even the image with only one signature 
was rejected and I got "Security Violation" when executing the image with 
shell. Did I miss any patch besides 14141 and 14165 to support the multiple 
signatures?

Thanks,

Gary Lin

------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the 
endpoint security space. For insight on selecting the right partner to tackle 
endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-devel
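
The verification policy quoted in the reply above, written out as a decision model in C. This is an added example, not edk2 code and not part of either e-mail; the types, function names and numeric record IDs are constructed for illustration.

```c
/* Added example, not edk2 code: a decision model of the policy quoted above.
 * All names are hypothetical; record IDs are constructed stand-ins for
 * certificate and digest entries in db/dbx. */
#include <stdbool.h>
#include <stddef.h>

typedef struct { const int *ids; size_t n; } Records;
typedef struct {
  bool is_signed;
  Records valid_sigs;  /* signers of the signatures that verified correctly */
  Records hashes;      /* image digests (for an unsigned image: SHA256 only) */
} Image;

static bool any_match(const Records *set, const Records *items) {
  for (size_t i = 0; i < items->n; i++)
    for (size_t j = 0; j < set->n; j++)
      if (items->ids[i] == set->ids[j]) return true;
  return false;
}

/* true = image may run, false = "Security Violation" */
bool image_allowed(const Image *img, const Records *db, const Records *dbx) {
  /* dbx veto: one forbidden signature or hash denies the image,
   * regardless of how many other signatures match db. */
  if (any_match(dbx, &img->hashes)) return false;
  if (img->is_signed && any_match(dbx, &img->valid_sigs)) return false;
  if (any_match(db, &img->hashes)) return true;
  return img->is_signed && any_match(db, &img->valid_sigs);
}

/* Constructed data: 1xx = signer certificates, 2xx = image digests. */
static const int DB_IDS[] = {101, 102, 201}, DBX_IDS[] = {103, 202};
static const Records DB = {DB_IDS, 3}, DBX = {DBX_IDS, 2};
static const int S_OK[] = {101}, S_MIX[] = {101, 103}, S_UNK[] = {199};
static const int H_DB[] = {201}, H_DBX[] = {202}, H_UNK[] = {299};

const Image ONE_SIG      = {true,  {S_OK, 1},  {H_UNK, 1}}; /* signer in db       */
const Image DUAL_REVOKED = {true,  {S_MIX, 2}, {H_UNK, 1}}; /* 2nd signer in dbx  */
const Image HASH_ONLY    = {true,  {S_UNK, 1}, {H_DB, 1}};  /* only hash in db    */
const Image HASH_DBX     = {true,  {S_OK, 1},  {H_DBX, 1}}; /* hash in dbx        */
const Image UNSIGNED_OK  = {false, {NULL, 0},  {H_DB, 1}};  /* SHA256 in db       */
const Image UNSIGNED_UNK = {false, {NULL, 0},  {H_UNK, 1}}; /* SHA256 unknown     */

int main(void) {
  bool ok = image_allowed(&ONE_SIG, &DB, &DBX) && !image_allowed(&DUAL_REVOKED, &DB, &DBX);
  return ok ? 0 : 1;
}
```

The `DUAL_REVOKED` case is the one that changes with multiple signatures: a second valid signature whose signer is in "dbx" denies an image that the first signature alone would have allowed.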
