[PATCH v2 7/8] efi_loader: signature: rework for intermediate certificates support

Heinrich Schuchardt xypron.glpk at gmx.de
Tue Jul 7 12:33:56 CEST 2020


On 16.06.20 07:26, AKASHI Takahiro wrote:
> In this commit, efi_signature_verify(with_sigdb) will be re-implemented
> using pcks7_verify_one() in order to support certificates chain, where
> the signer's certificate will be signed by an intermediate CA (certificate
> authority) and the latter's certificate will also be signed by another CA
> and so on.
>
> What we need to do here is to search for certificates in a signature,
> build up a chain of certificates and verify one by one. pkcs7_verify_one()
> handles most of these steps except the last one.
>
> pkcs7_verify_one() returns, if succeeded, the last certificate to verify,
> which can be either a self-signed one or one that should be signed by one
> of certificates in "db". Re-worked efi_signature_verify() will take care
> of this step.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>

Sounds reasonable.

Acked-by: Heinrich Schuchardt <xypron.glpk at gmx.de>


More information about the U-Boot mailing list