[PATCH v5 07/16] efi_loader: image_loader: support image authentication

Heinrich Schuchardt xypron.glpk at gmx.de
Tue Feb 25 07:40:01 CET 2020

On 2/25/20 6:25 AM, AKASHI Takahiro wrote:
> On Mon, Feb 24, 2020 at 07:29:17PM +0100, Heinrich Schuchardt wrote:
>> On 1/28/20 9:25 AM, AKASHI Takahiro wrote:
>>> With this commit, image validation can be enforced, as UEFI specification
>>> section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled.
>>> Currently we support
>>> * authentication based on db and dbx,
>>>     so dbx-validated image will always be rejected.
>>> * following signature types:
>>>       EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
>>>       EFI_CERT_X509_GUID (x509 certificate for signed images)
>>> Timestamp-based certificate revocation is not supported here.
>>> Internally, authentication data is stored in one of certificates tables
>>> of PE image (See efi_image_parse()) and will be verified by
>>> efi_image_authenticate() before loading a given image.
>>> It seems that UEFI specification defines the verification process
>>> in a bit ambiguous way. I tried to implement it as closely to as
>>> EDK2 does.
>>> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
>> According to git bisect this patch breaks the test
>> test/py/tests/test_efi_fit.py.
> This error only occurs on "compressed" FIT images. While I'm not sure
> whether it is directly related to efi support in bootm or not, I've
> fixed it any way.

Hello Takahiro,

where can I find the fix?

Best regards


> Thanks,
> -Takahiro Akashi
>> Best regards
>> Heinrich

More information about the U-Boot mailing list