On Thu, Mar 07, 2013 at 09:17:13AM +0000, Fu, Siyuan wrote:
> Hi, Lin
> 
> R14141 is the only patch for multiple signature support. R14165 fixes a bug 
> when computing the signature count of an EFI_SIGNATURE_LIST in db/dbx. Please 
> notice that the image verification policy is also updated as below in R14141.
> 
>   The image verification policy is:
>     If the image is signed,
>       At least one valid signature or at least one hash value of the image must match a record
>       in the security database "db", and no valid signature nor any hash value of the image may
>       be reflected in the security database "dbx".
>     Otherwise, the image is not signed,
>       The SHA256 hash value of the image must match a record in the security database "db", and
>       not be reflected in the security database "dbx".
> 
I found it's related to the signing tool. The image signed by Microsoft
passed the verification. The images signed with pesign, which used to work
without R14141, fail now.

Gary Lin

> 
> Best Regards,
> Fu, Siyuan
> 
> -----Original Message-----
> From: Gary Ching-Pang Lin [mailto:g...@suse.com] 
> Sent: Thursday, March 07, 2013 4:10 PM
> To: edk2-devel@lists.sourceforge.net
> Subject: [edk2] OVMF multiple signatures verification
> 
> Hi,
> 
> As mentioned in the recent commits (14141, 14165), the multiple signatures 
> support is integrated into edk2 mainline. However, my test showed those two 
> commits broke the image verification. Even the image with only one signature 
> was rejected and I got "Security Violation" when executing the image with 
> shell. Did I miss any patch besides 14141 and 14165 to support the multiple 
> signatures?
> 
> Thanks,
> 
> Gary Lin
> 
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/edk2-devel
> 
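The verification policy quoted in this thread, written out as a decision function. This is an added example, not part of the original messages and not edk2 code. The types, field names and sample cases are constructed, and it assumes signature validation and the db/dbx lookups have already been done and that "signed" means at least one signature is attached.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model (assumption): checks and db/dbx lookups are precomputed. */
typedef struct { bool valid, in_db, in_dbx; } sig_t;        /* one signature  */
typedef struct { bool is_sha256, in_db, in_dbx; } digest_t; /* one image hash */

/* Returns true when the image may run under the policy quoted above. */
bool image_allowed(const sig_t *sigs, size_t nsigs,
                   const digest_t *dg, size_t ndg)
{
    bool allow = false, deny = false;
    for (size_t i = 0; i < nsigs; i++) {
        if (!sigs[i].valid) continue;      /* only valid signatures count */
        allow = allow || sigs[i].in_db;
        deny  = deny  || sigs[i].in_dbx;
    }
    for (size_t i = 0; i < ndg; i++) {
        /* an unsigned image is judged on its SHA256 hash only */
        if (nsigs == 0 && !dg[i].is_sha256) continue;
        allow = allow || dg[i].in_db;
        deny  = deny  || dg[i].in_dbx;
    }
    return allow && !deny;                 /* any dbx match overrides db */
}

/* Constructed cases. */
bool case_single_valid_signature(void) {
    sig_t s[] = { { true, true, false } };
    return image_allowed(s, 1, NULL, 0);
}
bool case_second_signature_in_dbx(void) {  /* dual-signed, one signer revoked */
    sig_t s[] = { { true, true, false }, { true, false, true } };
    return image_allowed(s, 2, NULL, 0);
}
bool case_invalid_signature_hash_in_db(void) {
    sig_t s[] = { { false, true, false } };
    digest_t d[] = { { true, true, false } };
    return image_allowed(s, 1, d, 1);
}
bool case_unsigned_non_sha256_hash(void) {
    digest_t d[] = { { false, true, false } };
    return image_allowed(NULL, 0, d, 1);
}
int main(void) {
    printf("%d %d %d %d\n", case_single_valid_signature(), case_second_signature_in_dbx(),
           case_invalid_signature_hash_in_db(), case_unsigned_non_sha256_hash());
    return 0;
}
```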
