[PATCH v4 6/7] efi_loader: signature: rework for intermediate certificates support

AKASHI Takahiro takahiro.akashi at linaro.org
Mon Jul 20 08:17:45 CEST 2020


Heinrich,

On Fri, Jul 17, 2020 at 12:23:08PM +0200, Heinrich Schuchardt wrote:
> On 17.07.20 09:16, AKASHI Takahiro wrote:
> > In this commit, efi_signature_verify(with_sigdb) will be re-implemented
> > using pcks7_verify_one() in order to support certificates chain, where
> > the signer's certificate will be signed by an intermediate CA (certificate
> > authority) and the latter's certificate will also be signed by another CA
> > and so on.
> >
> > What we need to do here is to search for certificates in a signature,
> > build up a chain of certificates and verify one by one. pkcs7_verify_one()
> > handles most of these steps except the last one.
> >
> > pkcs7_verify_one() returns, if succeeded, the last certificate to verify,
> > which can be either a self-signed one or one that should be signed by one
> > of certificates in "db". Re-worked efi_signature_verify() will take care
> > of this step.
> >
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> > ---
> 
> With patches 1-6 applied to origin/master (fee68b98fe3890):
> make tests:
> 
> test/py/tests/test_efi_secboot/test_authvar.py FFFFF
> test/py/tests/test_efi_secboot/test_signed.py .F..FF
> test/py/tests/test_efi_secboot/test_unsigned.py ...

Even after rebasing the code to fee68b98fe3890,
I have never seen any failures in those cases.
(I use pytest directly instead of 'make tests' though.)

-Takahiro Akashi

> Patches 1-5 pass the test.
> 
> Best regards
> 
> Heinrich


More information about the U-Boot mailing list