[PATCH v4 6/7] efi_loader: signature: rework for intermediate certificates support
Heinrich Schuchardt
xypron.glpk at gmx.de
Fri Jul 17 12:23:08 CEST 2020
On 17.07.20 09:16, AKASHI Takahiro wrote:
> In this commit, efi_signature_verify(with_sigdb) will be re-implemented
> using pcks7_verify_one() in order to support certificates chain, where
> the signer's certificate will be signed by an intermediate CA (certificate
> authority) and the latter's certificate will also be signed by another CA
> and so on.
>
> What we need to do here is to search for certificates in a signature,
> build up a chain of certificates and verify one by one. pkcs7_verify_one()
> handles most of these steps except the last one.
>
> pkcs7_verify_one() returns, if succeeded, the last certificate to verify,
> which can be either a self-signed one or one that should be signed by one
> of certificates in "db". Re-worked efi_signature_verify() will take care
> of this step.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> ---
With patches 1-6 applied to origin/master (fee68b98fe3890):
make tests:
test/py/tests/test_efi_secboot/test_authvar.py FFFFF
test/py/tests/test_efi_secboot/test_signed.py .F..FF
test/py/tests/test_efi_secboot/test_unsigned.py ...
Patches 1-5 pass the test.
Best regards
Heinrich
More information about the U-Boot
mailing list