From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH 07/13] efi_loader: image_loader: add digest-based verification for signed image
Date: Tue, 2 Jun 2020 14:31:47 +0900
Message-ID: <20200602053147.GD20446@laputa>
In-Reply-To: <08624fa8-f408-df6c-01e7-d0f4caabfd88@gmx.de>

Heinrich,

On Sat, May 30, 2020 at 09:09:30AM +0200, Heinrich Schuchardt wrote:
> On 5/29/20 8:41 AM, AKASHI Takahiro wrote:
> > In case that a type of certificate in "db" or "dbx" is
> > EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains
> > a public key for RSA decryption, but a digest of image to be loaded.
> > If the value matches to a value calculated from a given binary image, it is
> > granted for loading.
> >
> > With this patch, common digest check code, which used to be used for
> > unsigned image verification, will be extracted from
> > efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and
> > extra step for digest check will be added to efi_image_authenticate().
>
> Could you, please, add comments in the code describing this process flow.

All the necessary code is contained in efi_signature_lookup_digest(),
but I'll add some comments in efi_image_authenticate().

Thanks,
-Takahiro Akashi

> Best regards
>
> Heinrich
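
The digest check described in the quoted commit message, sketched as an added example; this is not code from the patch or from U-Boot. The function names `sigdb_has_digest` and `image_digest_allowed` are hypothetical, the signature type GUID is supplied by the caller, the database layout is the UEFI specification's EFI_SIGNATURE_LIST, and the rule that a "dbx" match denies loading is taken from that specification rather than from this thread.

```c
#include <stdint.h>
#include <string.h>

#define GUID_LEN 16
#define ESL_HDR  28	/* SignatureType GUID + three UINT32 size fields */

/* Read a little-endian UINT32, as the UEFI structures store it. */
static uint32_t rd32(const uint8_t *p)
{
	return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Walk a database of concatenated EFI_SIGNATURE_LISTs. Returns 1 if a list
 * of type `type` holds `digest`, 0 if not, -1 if the database is malformed.
 */
int sigdb_has_digest(const uint8_t *db, size_t db_len, const uint8_t *type,
		     const uint8_t *digest, size_t dlen)
{
	while (db_len > 0) {
		if (db_len < ESL_HDR)
			return -1;
		uint32_t list = rd32(db + 16), hdr = rd32(db + 20), sig = rd32(db + 24);
		/* Every size field is untrusted: bound it before using it. */
		if (list < ESL_HDR || list > db_len || hdr > list - ESL_HDR || sig <= GUID_LEN)
			return -1;
		size_t body = list - ESL_HDR - hdr;
		if (body % sig)
			return -1;
		if (!memcmp(db, type, GUID_LEN) && sig == GUID_LEN + dlen) {
			const uint8_t *e = db + ESL_HDR + hdr;
			/* Each entry is SignatureOwner GUID followed by the digest. */
			for (size_t i = 0; i < body / sig; i++, e += sig)
				if (!memcmp(e + GUID_LEN, digest, dlen))
					return 1;
		}
		db += list;
		db_len -= list;
	}
	return 0;
}

/* dbx wins over db; a parse error in either database denies loading. */
int image_digest_allowed(const uint8_t *db, size_t db_len,
			 const uint8_t *dbx, size_t dbx_len,
			 const uint8_t *type, const uint8_t *digest, size_t dlen)
{
	if (sigdb_has_digest(dbx, dbx_len, type, digest, dlen) != 0)
		return 0;
	return sigdb_has_digest(db, db_len, type, digest, dlen) == 1;
}
```

The digest passed in must be the one computed over the image's hashed regions; computing it is outside this example.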