On 03/07/13 11:07, Gary Ching-Pang Lin wrote:
> On Thu, Mar 07, 2013 at 09:17:13AM +0000, Fu, Siyuan wrote:
>> Hi, Lin
>>
>> R14141 is the only patch for multiple signature support. R14165
>> fixes a bug when computing the signature count of an
>> EFI_SIGNATURE_LIST in db/dbx. Please notice that the image
>> verification policy is also updated as below in R14141.
>>
>> The image verification policy is: If the image is signed, at least
>> one valid signature or at least one hash value of the image must
>> match a record in the security database "db", and no valid
>> signature nor any hash value of the image may be reflected in the
>> security database "dbx". Otherwise, the image is not signed, the
>> SHA256 hash value of the image must match a record in the security
>> database "db", and not be reflected in the security database
>> "dbx".
>>
> I found it's related to the signing tool. The image signed by
> Microsoft passed the verification. The images signed with pesign
> which used to work without R14141 failed now.

Following up on this for the list's sake (Gary knows already because he
contributed to fixing the problem), this should work again in pesign-0.104.

Laszlo

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-devel
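
The image verification policy quoted in this thread for R14141, modelled as a decision function over an image that may carry several signatures. This is an added example, not edk2 or pesign code: `sig_t`, `image_t` and `image_allowed` are hypothetical names, and the model assumes signature validation and the db/dbx lookups have already been reduced to booleans.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of one signature on an image (not an edk2 type). */
typedef struct {
    bool valid;   /* signature verifies against the image */
    bool in_db;   /* matches a record in db */
    bool in_dbx;  /* matches a record in dbx */
} sig_t;

/* Hypothetical model of an image; nsigs == 0 means "not signed". */
typedef struct {
    const sig_t *sigs;
    size_t nsigs;
    bool hash_in_db;   /* some hash value of the image is recorded in db */
    bool hash_in_dbx;  /* some hash value of the image is recorded in dbx */
} image_t;

/* Returns true when the quoted policy allows the image to load. */
bool image_allowed(const image_t *img)
{
    bool matched_db = img->hash_in_db;

    if (img->hash_in_dbx)
        return false;                 /* a dbx hash hit denies in both cases */
    for (size_t i = 0; i < img->nsigs; i++) {
        if (!img->sigs[i].valid)
            continue;                 /* only valid signatures are considered */
        if (img->sigs[i].in_dbx)
            return false;             /* one revoked signature is enough to deny */
        if (img->sigs[i].in_db)
            matched_db = true;        /* one db match is enough to allow */
    }
    return matched_db;
}

int main(void)
{
    /* Constructed sample: two valid signatures, one trusted, one revoked. */
    const sig_t sigs[] = { { true, true, false }, { true, false, true } };
    const image_t dual = { sigs, 2, false, false };
    const image_t first_only = { sigs, 1, false, false };

    printf("both signatures: %s\n", image_allowed(&dual) ? "allow" : "deny");
    printf("first signature only: %s\n", image_allowed(&first_only) ? "allow" : "deny");
    return 0;
}
```

The dual-signed case is the one to watch when testing signing tools against this policy: adding a second signature can turn an allowed image into a denied one if that signature is reflected in dbx.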