On 4/11/22 3:40 AM, Ilias Apalodimas wrote:
Hi Akashi-san,

On Mon, Apr 11, 2022 at 05:31:08PM +0900, AKASHI Takahiro wrote:
On Mon, Apr 11, 2022 at 10:56:22AM +0300, Ilias Apalodimas wrote:
Currently we don't support sha384/512 for the X.509
certificate To-Be-Signed contents.  Moreover if we come across such a
hash we skip the check and approve the image, although the image
might need to be rejected.

Are you sure? You seem to be talking about efi_signature_check_revocation() 
here.
Please be more specific.

Arm has a security ACS testsuite [1].  The whole checking fails exactly on
this bug.

[cut]


[1] https://github.com/ARM-software/arm-systemready/tree/security-extension-acs

Thanks
/Ilias

Note, the above link is from the alpha release.  Please use the EAC
release branch:

https://github.com/ARM-software/arm-systemready/tree/security-interface-extension-acs

Thanks,
Stuart
