Date: Tue, 29 Sep 2020 16:43:28 +0800
From: "Gary Lin"
To: devel@edk2.groups.io
Subject: Any plan to enforce the x509 EKU check?
Message-ID: <20200929084328.GR8874@GaryWorkstation>
Hi,

My colleagues recently raised a question to me: does UEFI enforce the x509v3 extended key usage check, such as CodeSigning, for Secure Boot? (Some certification such as NIAP OS PP requires the OS to verify EKUs of x509 certs, and they wonder if UEFI requires similar checks.)

I did a quick check and found that the EKU check functions were already implemented (*). What's interesting is that VerifyEKUsInPkcs7Signature() has no real user. The function has been introduced for a while, so I wonder if there is any plan to enforce the EKU check.
Or, is it just an API for the firmware vendor to customize their firmware rather than a general check for all platforms in the future?

Thanks,

Gary Lin

(*) https://bugzilla.tianocore.org/show_bug.cgi?id=1402
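The check the message asks about, whether a signer's certificate actually carries the required extended key usage, is, at its core, a membership test over the OIDs listed in the extKeyUsage extension. The following C program is an added example written for this page; it is not edk2 code and not the body of VerifyEKUsInPkcs7Signature(). It works on the DER value of the extension alone (a SEQUENCE OF OBJECT IDENTIFIER), not on a whole PKCS#7 signature, so the caller is assumed to have already validated the signature and certificate chain and extracted that extension from the signer certificate. The sample bytes are constructed for the example, and the function names (der_read_tlv, oid_to_string, eku_check) are the example's own. The require_all switch plays the same role as the all-or-any flag the edk2 API exposes: a policy such as "must have codeSigning" uses all, while "any of these vendor EKUs" uses any.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (not taken from any real certificate): the DER value of an
 * extKeyUsage extension, i.e. SEQUENCE OF OBJECT IDENTIFIER, listing
 * id-kp-codeSigning (1.3.6.1.5.5.7.3.3) and id-kp-serverAuth (1.3.6.1.5.5.7.3.1). */
static const uint8_t SAMPLE_EKU[] = {
    0x30, 0x14,                                                  /* SEQUENCE, 20 bytes     */
    0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03,  /* OID 1.3.6.1.5.5.7.3.3 */
    0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,  /* OID 1.3.6.1.5.5.7.3.1 */
};

#define TAG_OID      0x06
#define TAG_SEQUENCE 0x30
#define MAX_REQUIRED 16

/* Read one DER TLV starting at *pos. On success stores tag, value pointer and
 * value length, advances *pos past the element and returns 1; returns 0 when the
 * element is truncated or carries an unsupported length encoding. */
static int der_read_tlv(const uint8_t *buf, size_t len, size_t *pos,
                        uint8_t *tag, const uint8_t **val, size_t *vlen)
{
    size_t p = *pos;
    if (len < 2 || p > len - 2) return 0;
    *tag = buf[p++];
    size_t l = buf[p++];
    if (l & 0x80) {                            /* long form: 0x8N, then N length octets */
        size_t n = l & 0x7F;
        if (n == 0 || n > sizeof(size_t) || n > len - p) return 0;
        l = 0;
        for (size_t i = 0; i < n; i++) l = (l << 8) | buf[p++];
    }
    if (l > len - p) return 0;                 /* value would run past the buffer */
    *val = buf + p;
    *vlen = l;
    *pos = p + l;
    return 1;
}

/* Decode OID content octets to dotted-decimal text. Returns 0 on a malformed
 * encoding (empty, unterminated base-128 arc, overflow) or a too-small buffer. */
static int oid_to_string(const uint8_t *v, size_t vlen, char *out, size_t outlen)
{
    if (vlen == 0 || outlen == 0) return 0;
    size_t used = 0;
    uint32_t arc = 0;
    int first = 1, pending = 0;
    for (size_t i = 0; i < vlen; i++) {
        if (arc > (UINT32_MAX >> 7)) return 0;          /* arc would overflow */
        arc = (arc << 7) | (v[i] & 0x7F);
        pending = (v[i] & 0x80) != 0;
        if (pending) continue;                          /* more base-128 digits follow */
        int n;
        if (first) {
            /* The first sub-identifier packs two arcs as 40*a + b (a is 0, 1 or 2). */
            uint32_t a = arc < 80 ? arc / 40 : 2;
            n = snprintf(out + used, outlen - used, "%u.%u", (unsigned)a, (unsigned)(arc - 40 * a));
            first = 0;
        } else {
            n = snprintf(out + used, outlen - used, ".%u", (unsigned)arc);
        }
        if (n < 0 || (size_t)n >= outlen - used) return 0;
        used += (size_t)n;
        arc = 0;
    }
    return !pending;
}

/* Check an extKeyUsage value against a list of required OIDs (dotted text).
 * With require_all set, every listed OID must be present; otherwise one is
 * enough. Returns 1 when the policy is satisfied and 0 on failure or on any
 * parse error, so a malformed extension never passes. */
static int eku_check(const uint8_t *der, size_t len,
                     const char *const *required, size_t nreq, int require_all)
{
    uint8_t tag;
    const uint8_t *seq, *v;
    size_t seqlen, vlen, pos = 0, matched = 0;
    int found[MAX_REQUIRED] = {0};
    char oid[64];

    if (nreq == 0 || nreq > MAX_REQUIRED) return 0;
    if (!der_read_tlv(der, len, &pos, &tag, &seq, &seqlen) || tag != TAG_SEQUENCE || pos != len)
        return 0;                              /* not a single SEQUENCE covering the input */
    pos = 0;
    while (pos < seqlen) {
        if (!der_read_tlv(seq, seqlen, &pos, &tag, &v, &vlen) || tag != TAG_OID) return 0;
        if (!oid_to_string(v, vlen, oid, sizeof oid)) return 0;
        for (size_t i = 0; i < nreq; i++)
            if (strcmp(oid, required[i]) == 0) found[i] = 1;
    }
    for (size_t i = 0; i < nreq; i++) matched += (size_t)found[i];
    return require_all ? matched == nreq : matched > 0;
}

int main(void)
{
    const char *code_signing[] = { "1.3.6.1.5.5.7.3.3" };
    const char *cs_and_ts[]    = { "1.3.6.1.5.5.7.3.3", "1.3.6.1.5.5.7.3.8" };
    printf("codeSigning required (all): %d\n",
           eku_check(SAMPLE_EKU, sizeof SAMPLE_EKU, code_signing, 1, 1));
    printf("codeSigning+timeStamping (all): %d\n",
           eku_check(SAMPLE_EKU, sizeof SAMPLE_EKU, cs_and_ts, 2, 1));
    printf("codeSigning+timeStamping (any): %d\n",
           eku_check(SAMPLE_EKU, sizeof SAMPLE_EKU, cs_and_ts, 2, 0));
    return 0;
}
```

Two design points matter for the Secure Boot case. First, every parse failure (truncated TLV, non-OID element, trailing bytes after the SEQUENCE) returns 0, so a certificate with a damaged extension is rejected rather than silently treated as "no constraint". Second, the EKU test only restricts what an already-trusted signer may be used for; it adds nothing unless the signature and chain back to db have been verified first, which is why an unused VerifyEKUsInPkcs7Signature() leaves the image-verification path exactly as permissive as before.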