[PATCH v5 07/16] efi_loader: image_loader: support image authentication

Heinrich Schuchardt xypron.glpk at gmx.de
Mon Feb 24 19:29:17 CET 2020


On 1/28/20 9:25 AM, AKASHI Takahiro wrote:
> With this commit, image validation can be enforced, as UEFI specification
> section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled.
>
> Currently we support
> * authentication based on db and dbx,
>    so dbx-validated image will always be rejected.
> * following signature types:
>      EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
>      EFI_CERT_X509_GUID (x509 certificate for signed images)
> Timestamp-based certificate revocation is not supported here.
>
> Internally, authentication data is stored in one of the certificate tables
> of a PE image (see efi_image_parse()) and will be verified by
> efi_image_authenticate() before loading a given image.
>
> It seems that the UEFI specification defines the verification process
> in a somewhat ambiguous way. I tried to implement it as closely as
> EDK2 does.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>

According to git bisect this patch breaks the test
test/py/tests/test_efi_fit.py.

Best regards

Heinrich

