[PATCH v5 07/16] efi_loader: image_loader: support image authentication
takahiro.akashi at linaro.org
Tue Feb 25 06:25:36 CET 2020
On Mon, Feb 24, 2020 at 07:29:17PM +0100, Heinrich Schuchardt wrote:
> On 1/28/20 9:25 AM, AKASHI Takahiro wrote:
> > With this commit, image validation can be enforced, as UEFI specification
> > section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled.
> > Currently we support
> > * authentication based on db and dbx,
> >   so dbx-validated image will always be rejected.
> > * following signature types:
> >     EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
> >     EFI_CERT_X509_GUID (x509 certificate for signed images)
> > Timestamp-based certificate revocation is not supported here.
> > Internally, authentication data is stored in one of the certificate tables
> > of the PE image (see efi_image_parse()) and will be verified by
> > efi_image_authenticate() before loading a given image.
> > It seems that the UEFI specification defines the verification process
> > in a bit ambiguous way. I tried to implement it as closely as
> > possible to what EDK2 does.
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> According to git bisect this patch breaks the test
This error only occurs on "compressed" FIT images. While I'm not sure
whether it is directly related to efi support in bootm or not, I've
fixed it anyway.
> Best regards