I'm working on Secure Boot support and noticed the dbxDefault variable
isn't being created: during boot I get the messages:
SecureBootFetchData: Invalid key format: 0
Content for dbxDefault not found
I'm using ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc to add the data
to my firmware.
The problem appears to be this: at https://uefi.org/revocationlistfile
it says:
"These files are used to update the Secure Boot Forbidden Signature
Database, dbx. It contains the raw bytes passed in *Data to
SetVariable()... an EFI_VARIABLE_AUTHENTICATION_2 concatenated with the
new variable value. Example usage: SetVariable( "dbx",
EFI_IMAGE_SECURITY_DATABASE_GUID, NV+BS+RT+AT+AppendWrite,
dbxUpdateDotBin_sizeInBytes, *dbxUpdateDotBin_bytes). dbxupdate.bin
already contains a Microsoft KEK signature (encoded as specified by the
UEFI spec)."
But SecureBootFetchData calls RsaGetPublicKeyFromX509, which won't work
because the data is in the wrong format?
Looking at the files in the release from
https://github.com/microsoft/secureboot_objects it looks like they're
also in the format suitable for calling SetVariable, not for parsing as
X509.
Has anyone else come across this and knows of a solution?
--
Rebecca Cran
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#120848): https://edk2.groups.io/g/devel/message/120848
Mute This Topic: https://groups.io/mt/109800343/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
