[RFC PATCH] efi_loader: add sha384/512 on certificate revocation
Stuart Yoder
stuart.yoder at arm.com
Mon May 2 23:51:55 CEST 2022
On 4/11/22 3:40 AM, Ilias Apalodimas wrote:
> Hi Akashi-san,
>
>> On Mon, Apr 11, 2022 at 05:31:08PM +0900, AKASHI Takahiro wrote:
>> On Mon, Apr 11, 2022 at 10:56:22AM +0300, Ilias Apalodimas wrote:
>>> Currently we don't support sha384/512 for the X.509
>>> certificate To-Be-Signed contents. Moreover if we come across such a
>>> hash we skip the check and approve the image, although the image
>>> might need to be rejected.
>>
>> Are you sure? You seem to be talking about efi_signature_check_revocation() here.
>> Please be more specific.
>
> Arm has a security ACS testsuite [1]. The whole checking fails exactly on
> this bug.
[cut]
>
> [1] https://github.com/ARM-software/arm-systemready/tree/security-extension-acs
>
> Thanks
> /Ilias
Note, the above link is from the alpha release. Please use the EAC
release branch:
https://github.com/ARM-software/arm-systemready/tree/security-interface-extension-acs
Thanks,
Stuart