On Tue, Feb 25, 2020 at 07:40:01AM +0100, Heinrich Schuchardt wrote: > On 2/25/20 6:25 AM, AKASHI Takahiro wrote: > > On Mon, Feb 24, 2020 at 07:29:17PM +0100, Heinrich Schuchardt wrote: > > > On 1/28/20 9:25 AM, AKASHI Takahiro wrote: > > > > With this commit, image validation can be enforced, as UEFI > > > > specification > > > > section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled. > > > > > > > > Currently we support > > > > * authentication based on db and dbx, > > > > so dbx-validated image will always be rejected. > > > > * following signature types: > > > > EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images) > > > > EFI_CERT_X509_GUID (x509 certificate for signed images) > > > > Timestamp-based certificate revocation is not supported here. > > > > > > > > Internally, authentication data is stored in one of certificates tables > > > > of PE image (See efi_image_parse()) and will be verified by > > > > efi_image_authenticate() before loading a given image. > > > > > > > > It seems that UEFI specification defines the verification process > > > > in a bit ambiguous way. I tried to implement it as closely to as > > > > EDK2 does. > > > > > > > > Signed-off-by: AKASHI Takahiro <takahiro.aka...@linaro.org> > > > > > > According to git bisect this patch breaks the test > > > test/py/tests/test_efi_fit.py. > > > > This error only occurs on "compressed" FIT images. While I'm not sure > > whether it is directly related to efi support in bootm or not, I've > > fixed it any way. > > Hello Takahiro, > > where can I find the fix?
Only in my local repository. Since I'm running Travis CI now, I will post a new version once the test is completed AND if you have no more comments on my v5. Thanks, -Takahiro Akashi > Best regards > > Heinrich > > > > > Thanks, > > -Takahiro Akashi > > > > > > > Best regards > > > > > > Heinrich >