On 2/25/20 6:25 AM, AKASHI Takahiro wrote:
> On Mon, Feb 24, 2020 at 07:29:17PM +0100, Heinrich Schuchardt wrote:
>> On 1/28/20 9:25 AM, AKASHI Takahiro wrote:
>>> With this commit, image validation can be enforced, as UEFI specification
>>> section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled.
>>>
>>> Currently we support
>>> * authentication based on db and dbx,
>>>   so a dbx-validated image will always be rejected.
>>> * the following signature types:
>>>     EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
>>>     EFI_CERT_X509_GUID (x509 certificate for signed images)
>>> Timestamp-based certificate revocation is not supported here.
>>>
>>> Internally, authentication data is stored in one of the certificate tables
>>> of the PE image (see efi_image_parse()) and will be verified by
>>> efi_image_authenticate() before loading a given image.
>>>
>>> It seems that the UEFI specification defines the verification process
>>> in a somewhat ambiguous way. I tried to implement it as closely as
>>> EDK2 does.
>>>
>>> Signed-off-by: AKASHI Takahiro <takahiro.aka...@linaro.org>
>>
>> According to git bisect this patch breaks the test
>> test/py/tests/test_efi_fit.py.
>
> This error only occurs on "compressed" FIT images. While I'm not sure
> whether it is directly related to efi support in bootm or not, I've
> fixed it anyway.

Hello Takahiro,

where can I find the fix?

Best regards

Heinrich

> Thanks,
> -Takahiro Akashi
>
>> Best regards
>>
>> Heinrich