Re: [PATCH] test/py: efi_secboot: Remove unnecessary cert-to-efi-hash-list option

public inbox for u-boot@lists.denx.de
 help / color / mirror / Atom feed

From: Takahiro Akashi <takahiro.akashi@linaro.org>
To: Masahisa Kojima <masahisa.kojima@linaro.org>
Cc: u-boot@lists.denx.de, Heinrich Schuchardt <xypron.glpk@gmx.de>,
	Ilias Apalodimas <ilias.apalodimas@linaro.org>
Subject: Re: [PATCH] test/py: efi_secboot: Remove unnecessary cert-to-efi-hash-list option
Date: Mon, 3 Oct 2022 16:52:28 +0900	[thread overview]
Message-ID: <20221003075228.GA54319@laputa> (raw)
In-Reply-To: <20221003071215.21883-1-masahisa.kojima@linaro.org>

On Mon, Oct 03, 2022 at 04:12:15PM +0900, Masahisa Kojima wrote:
> 'cert-to-efi-hash-list -t 0' does not work as expected, it produces
> indeterminate timestamp.
> 
>   $ cert-to-efi-hash-list -t 0 -s 256 db.crt dbx_hash.crl
>   TimeOfRevocation is 0-113-0 00:00:255
> 
> If we need the CRL revoked for all the time, just don't specify
> '-t' option.

Correct. Thank you for the fix.
(The tests happen to pass since the year is always 0 (or 1900?).)

-Takahiro Akashi

>   $ cert-to-efi-hash-list -s 256 db.crt dbx_hash.crl
>   TimeOfRevocation is 0-0-0 00:00:00
> 
> Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
> ---
>  test/py/tests/test_efi_secboot/conftest.py | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py
> index db6b8d301f..f2f914f617 100644
> --- a/test/py/tests/test_efi_secboot/conftest.py
> +++ b/test/py/tests/test_efi_secboot/conftest.py
> @@ -77,17 +77,17 @@ def efi_boot_env(request, u_boot_config):
>                     % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
>                     shell=True)
>          # dbx_hash (digest of TEST_db certificate)
> -        check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth'
> +        check_call('cd %s; %scert-to-efi-hash-list -g %s -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth'
>                     % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
>                     shell=True)
> -        check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 384 db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash384.crl dbx_hash384.auth'
> +        check_call('cd %s; %scert-to-efi-hash-list -g %s -s 384 db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash384.crl dbx_hash384.auth'
>                     % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
>                     shell=True)
> -        check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 512 db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash512.crl dbx_hash512.auth'
> +        check_call('cd %s; %scert-to-efi-hash-list -g %s -s 512 db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash512.crl dbx_hash512.auth'
>                     % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
>                     shell=True)
>          # dbx_hash1 (digest of TEST_db1 certificate)
> -        check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
> +        check_call('cd %s; %scert-to-efi-hash-list -g %s -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
>                     % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
>                     shell=True)
>          # dbx_db (with TEST_db certificate)
> -- 
> 2.17.1
>

     prev parent reply	other threads:[~2022-10-03  7:52 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-03  7:12 [PATCH] test/py: efi_secboot: Remove unnecessary cert-to-efi-hash-list option Masahisa Kojima
2022-10-03  7:52 ` Takahiro Akashi [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221003075228.GA54319@laputa \
    --to=takahiro.akashi@linaro.org \
    --cc=ilias.apalodimas@linaro.org \
    --cc=masahisa.kojima@linaro.org \
    --cc=u-boot@lists.denx.de \
    --cc=xypron.glpk@gmx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox