On 05/21/13 12:48, Gary Ching-Pang Lin wrote: > On Tue, May 21, 2013 at 10:52:27AM +0200, Laszlo Ersek wrote: >> On 05/16/13 08:04, Gary Ching-Pang Lin wrote: >>> On Wed, May 15, 2013 at 03:22:53PM +0200, Laszlo Ersek wrote: >> >>>> [...] I failed to secure boot Fedora 19 >>>> <http://www.linux-kvm.org/page/OVMF#Confirmation_of_secure_boot_in_Fedora_18>, >>>> which I guess might still relate to this thread (also started by you): >>>> <http://thread.gmane.org/gmane.comp.bios.tianocore.devel/2329>. >> >>> I think so. The git head OVMF (after applying your patch) works well with >>> the >>> lastest SLE 11 SP3 boot loader. >> >> Actually it also works with Fedora 19 (unreleased for the time being) if >> >> (a) the "shim" utility is signed with "pesign-0.104-1.fc19" >> <https://koji.fedoraproject.org/koji/buildinfo?buildID=419603>, and >> >> (b) the following key enrollment scheme is used: >> >> RedHatTestCA -> PK >> <nothing> -> KEK >> RedHatTestCA -> DB >> >> rather than the older / original >> >> RedHatTestCA -> PK >> RedHatTestCertificate -> KEK >> RedHatTestCertificate -> DB >> >> The enrollment change in (b) is required because of the verification >> policy change in SVN r14141 >> <https://github.com/tianocore/edk2/commit/6de4c35f#L0L1014>. >> >> It proved quite a challenge for me to track (b) down >> <https://bugzilla.redhat.com/show_bug.cgi?id=963361>, but ultimately new >> pesign does work! >> > The old pesign only inserted the signer certificate, so the signer certificate > can be enrolled in db and used to verify images. > > However, the newer pesign (I forgot the commit number) also inserted the root > CA, > so the root CA has to be in db, so the firmware can start the verification > from > the root CA.
Ah! Very enlightening! I actually dumped the chain prepared by "new pesign" with "sbverify", see the second half of <https://bugzilla.redhat.com/show_bug.cgi?id=963361#c6>, and was scratching my head because of the CA entries. Thanks! Laszlo ------------------------------------------------------------------------------ Try New Relic Now & We'll Send You this Cool Shirt New Relic is the only SaaS-based application performance monitoring service that delivers powerful full stack analytics. Optimize and monitor your browser, app, & servers with just a few lines of code. Try New Relic and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may _______________________________________________ edk2-devel mailing list edk2-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/edk2-devel
