From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH v4 6/7] efi_loader: signature: rework for intermediate certificates support
Date: Mon, 20 Jul 2020 15:17:45 +0900 [thread overview]
Message-ID: <20200720061745.GB31092@laputa> (raw)
In-Reply-To: <ebe3e442-8766-8775-0ae6-4a3021d7076b@gmx.de>
Heinrich,
On Fri, Jul 17, 2020 at 12:23:08PM +0200, Heinrich Schuchardt wrote:
> On 17.07.20 09:16, AKASHI Takahiro wrote:
> > In this commit, efi_signature_verify(with_sigdb) will be re-implemented
> > using pcks7_verify_one() in order to support certificates chain, where
> > the signer's certificate will be signed by an intermediate CA (certificate
> > authority) and the latter's certificate will also be signed by another CA
> > and so on.
> >
> > What we need to do here is to search for certificates in a signature,
> > build up a chain of certificates and verify one by one. pkcs7_verify_one()
> > handles most of these steps except the last one.
> >
> > pkcs7_verify_one() returns, if succeeded, the last certificate to verify,
> > which can be either a self-signed one or one that should be signed by one
> > of certificates in "db". Re-worked efi_signature_verify() will take care
> > of this step.
> >
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > ---
>
> With patches 1-6 applied to origin/master (fee68b98fe3890):
> make tests:
>
> test/py/tests/test_efi_secboot/test_authvar.py FFFFF
> test/py/tests/test_efi_secboot/test_signed.py .F..FF
> test/py/tests/test_efi_secboot/test_unsigned.py ...
Even after rebasing the code to fee68b98fe3890,
I have never seen any failures in those cases.
(I use pytest directly instead of 'make tests' though.)
-Takahiro Akashi
> Patches 1-5 pass the test.
>
> Best regards
>
> Heinrich
next prev parent reply other threads:[~2020-07-20 6:17 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-17 7:16 [PATCH v4 0/7] efi_loader: secure boot: support intermediate certificates in signature AKASHI Takahiro
2020-07-17 7:16 ` [PATCH v4 1/7] lib: crypto: add public_key_verify_signature() AKASHI Takahiro
2020-07-19 8:20 ` Heinrich Schuchardt
2020-07-20 2:51 ` AKASHI Takahiro
2020-07-17 7:16 ` [PATCH v4 2/7] lib: crypto: enable x509_check_for_self_signed() AKASHI Takahiro
2020-07-17 7:16 ` [PATCH v4 3/7] lib: crypto: import pkcs7_verify.c from linux AKASHI Takahiro
2020-07-19 8:29 ` Heinrich Schuchardt
2020-07-17 7:16 ` [PATCH v4 4/7] lib: crypto: add pkcs7_digest() AKASHI Takahiro
2020-07-17 7:16 ` [PATCH v4 5/7] lib: crypto: export and enhance pkcs7_verify_one() AKASHI Takahiro
2020-07-17 7:16 ` [PATCH v4 6/7] efi_loader: signature: rework for intermediate certificates support AKASHI Takahiro
2020-07-17 10:23 ` Heinrich Schuchardt
2020-07-20 6:17 ` AKASHI Takahiro [this message]
2020-07-17 7:16 ` [PATCH v4 7/7] test/py: efi_secboot: add test for intermediate certificates AKASHI Takahiro
2020-07-17 10:29 ` Heinrich Schuchardt
2020-07-20 5:52 ` AKASHI Takahiro
2020-07-20 6:29 ` Heinrich Schuchardt
2020-07-20 7:03 ` AKASHI Takahiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200720061745.GB31092@laputa \
--to=takahiro.akashi@linaro.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox