This is a respin of Takahiro's patch series adding a defined time stamp
for time authenticated variables by calling sign-efi-sig-list with -t in
patches 10 - 12.
The original patch 01 of version 3 has been obsoleted by
lib/crypto: use qualified path for x509_parser.h
https://lists.denx.de/pipermail/u-boot/2020-July/419214.html
v4 (Jul 11th, 2020)
* remove obsolete patch 01/13 of v3
* call sign-efi-sig-list with -t
v3 (Jul 8, 2020)
* rebased to Heinrich's (current) efi-2020-10-rc1
* removed already-merged commits
* include pylint fixes (patch#8, #9 and #10-#13)
* print time64_t in "0x%llx" format (patch#4)
* make a small change on a description about efi_hash_regions() (patch#5)
v2 (Jun 9, 2020)
* on top of v2020.07-rc4
* add patch#1,#2 to remove unnecessary hacks in pytest
* use EFI_PRINT() instead of debug() everywhere (patch#3-#5)
* fix a verification logic so that we should reject an image if, at least,
one of signaures be verified by dbx. New efi_signature_verify_one() has
a main role. (patch#10)
* use "llu" format instead of "llx" to print out the revocation time
(patch#10)
* add some description about verification logic against multiple signatures
(patch#11)
v1 (May 29, 2020)
* initial release
*** BLURB HERE ***
AKASHI Takahiro (12):
efi_loader: image_loader: add a check against certificate type of
authenticode
efi_loader: image_loader: retrieve authenticode only if it exists
efi_loader: signature: fix a size check against revocation list
efi_loader: signature: make efi_hash_regions more generic
efi_loader: image_loader: verification for all signatures should pass
efi_loader: image_loader: add digest-based verification for signed
image
test/py: efi_secboot: apply autopep8
test/py: efi_secboot: more fixes against pylint
test/py: efi_secboot: split "signed image" test case-1 into two cases
test/py: efi_secboot: add a test against certificate revocation
test/py: efi_secboot: add a test for multiple signatures
test/py: efi_secboot: add a test for verifying with digest of signed
image
include/efi_loader.h | 15 +-
lib/efi_loader/efi_image_loader.c | 162 +++++--
lib/efi_loader/efi_signature.c | 435 +++++++++---------
test/py/tests/test_efi_secboot/conftest.py | 104 +++--
test/py/tests/test_efi_secboot/defs.py | 14 +-
.../py/tests/test_efi_secboot/test_authvar.py | 92 ++--
test/py/tests/test_efi_secboot/test_signed.py | 206 +++++++--
.../tests/test_efi_secboot/test_unsigned.py | 66 +--
8 files changed, 677 insertions(+), 417 deletions(-)
--
2.27.0
This is a respin of Takahiro's patch series adding a defined time stamp for time authenticated variables by calling sign-efi-sig-list with -t in patches 10 - 12. The original patch 01 of version 3 has been obsoleted by lib/crypto: use qualified path for x509_parser.h https://lists.denx.de/pipermail/u-boot/2020-July/419214.html v4 (Jul 11th, 2020) * remove obsolete patch 01/13 of v3 * call sign-efi-sig-list with -t v3 (Jul 8, 2020) * rebased to Heinrich's (current) efi-2020-10-rc1 * removed already-merged commits * include pylint fixes (patch#8, #9 and #10-#13) * print time64_t in "0x%llx" format (patch#4) * make a small change on a description about efi_hash_regions() (patch#5) v2 (Jun 9, 2020) * on top of v2020.07-rc4 * add patch#1,#2 to remove unnecessary hacks in pytest * use EFI_PRINT() instead of debug() everywhere (patch#3-#5) * fix a verification logic so that we should reject an image if, at least, one of signaures be verified by dbx. New efi_signature_verify_one() has a main role. (patch#10) * use "llu" format instead of "llx" to print out the revocation time (patch#10) * add some description about verification logic against multiple signatures (patch#11) v1 (May 29, 2020) * initial release *** BLURB HERE *** AKASHI Takahiro (12): efi_loader: image_loader: add a check against certificate type of authenticode efi_loader: image_loader: retrieve authenticode only if it exists efi_loader: signature: fix a size check against revocation list efi_loader: signature: make efi_hash_regions more generic efi_loader: image_loader: verification for all signatures should pass efi_loader: image_loader: add digest-based verification for signed image test/py: efi_secboot: apply autopep8 test/py: efi_secboot: more fixes against pylint test/py: efi_secboot: split "signed image" test case-1 into two cases test/py: efi_secboot: add a test against certificate revocation test/py: efi_secboot: add a test for multiple signatures test/py: efi_secboot: add a test for verifying with digest of signed image include/efi_loader.h | 15 +- lib/efi_loader/efi_image_loader.c | 162 +++++-- lib/efi_loader/efi_signature.c | 435 +++++++++--------- test/py/tests/test_efi_secboot/conftest.py | 104 +++-- test/py/tests/test_efi_secboot/defs.py | 14 +- .../py/tests/test_efi_secboot/test_authvar.py | 92 ++-- test/py/tests/test_efi_secboot/test_signed.py | 206 +++++++-- .../tests/test_efi_secboot/test_unsigned.py | 66 +-- 8 files changed, 677 insertions(+), 417 deletions(-) -- 2.27.0