From mboxrd@z Thu Jan 1 00:00:00 1970
From: AKASHI Takahiro
Date: Tue, 25 Feb 2020 15:57:39 +0900
Subject: [PATCH v5 07/16] efi_loader: image_loader: support image authentication
In-Reply-To: <603df695-18b4-8b14-63f8-760d5d59ffcf@gmx.de>
References: <20200128082532.15943-1-takahiro.akashi@linaro.org>
 <20200128082532.15943-8-takahiro.akashi@linaro.org>
 <20200225052535.GF9257@linaro.org>
 <603df695-18b4-8b14-63f8-760d5d59ffcf@gmx.de>
Message-ID: <20200225065738.GG9257@linaro.org>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

On Tue, Feb 25, 2020 at 07:40:01AM +0100, Heinrich Schuchardt wrote:
> On 2/25/20 6:25 AM, AKASHI Takahiro wrote:
> > On Mon, Feb 24, 2020 at 07:29:17PM +0100, Heinrich Schuchardt wrote:
> > > On 1/28/20 9:25 AM, AKASHI Takahiro wrote:
> > > > With this commit, image validation can be enforced, as UEFI specification
> > > > section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled.
> > > >
> > > > Currently we support
> > > > * authentication based on db and dbx,
> > > >   so a dbx-validated image will always be rejected.
> > > > * the following signature types:
> > > >   EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
> > > >   EFI_CERT_X509_GUID (x509 certificate for signed images)
> > > > Timestamp-based certificate revocation is not supported here.
> > > >
> > > > Internally, authentication data is stored in one of the certificate tables
> > > > of the PE image (see efi_image_parse()) and will be verified by
> > > > efi_image_authenticate() before loading a given image.
> > > >
> > > > It seems that the UEFI specification defines the verification process
> > > > in a bit ambiguous way. I tried to implement it as closely as
> > > > EDK2 does.
> > > >
> > > > Signed-off-by: AKASHI Takahiro
> > >
> > > According to git bisect this patch breaks the test
> > > test/py/tests/test_efi_fit.py.
> >
> > This error only occurs on "compressed" FIT images. While I'm not sure
> > whether it is directly related to efi support in bootm or not, I've
> > fixed it anyway.
>
> Hello Takahiro,
>
> where can I find the fix?

Only in my local repository.
Since I'm running Travis CI now, I will post a new version once the test
is completed AND if you have no more comments on my v5.

Thanks,
-Takahiro Akashi

> Best regards
>
> Heinrich
>
> >
> > Thanks,
> > -Takahiro Akashi
> >
> > >
> > > Best regards
> > >
> > > Heinrich
>