From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <lersek@redhat.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com;
 receiver=edk2-devel@lists.01.org 
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 2342822146740
 for <edk2-devel@lists.01.org>; Wed, 21 Mar 2018 06:32:50 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com
 [10.11.54.4])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id 1B7B3A201C;
 Wed, 21 Mar 2018 13:39:20 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-57.rdu2.redhat.com
 [10.10.121.57])
 by smtp.corp.redhat.com (Postfix) with ESMTP id 4646D200BCA1;
 Wed, 21 Mar 2018 13:39:19 +0000 (UTC)
To: "Fu, Siyuan" <siyuan.fu@intel.com>, "Wu, Jiaxin" <jiaxin.wu@intel.com>
Cc: edk2-devel-01 <edk2-devel@lists.01.org>,
 "Daniel P. Berrange" <berrange@redhat.com>
References: <32764418-f00f-2423-216d-24b3f842a3c7@redhat.com>
 <B1FF2E9001CE9041BD10B825821D5BC58B468F73@SHSMSX103.ccr.corp.intel.com>
From: Laszlo Ersek <lersek@redhat.com>
Message-ID: <74abb2db-a6d0-d88d-7153-0347f5cb64bb@redhat.com>
Date: Wed, 21 Mar 2018 14:39:18 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <B1FF2E9001CE9041BD10B825821D5BC58B468F73@SHSMSX103.ccr.corp.intel.com>
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.11.55.2]); Wed, 21 Mar 2018 13:39:20 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]);
 Wed, 21 Mar 2018 13:39:20 +0000 (UTC) for IP:'10.11.54.4'
 DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com'
 HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:''
Subject: Re: internal structure of EFI_TLS_CA_CERTIFICATE_VARIABLE
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Mar 2018 13:32:51 -0000
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit

On 03/21/18 02:30, Fu, Siyuan wrote:
> The data structure of EFI_TLS_CA_CERTIFICATE_VARIABLE is
> EFI_SIGNATURE_LIST and we have documented this in HTTPs Boot wiki
> page:
> https://github.com/tianocore/tianocore.github.io/wiki/HTTPS-Boot
> 
> You can refer section 31.4.1 "Signature Database" in UEFI 2.7 A for a
> detail description of EFI_SIGNATURE_LIST structure.

Thanks! I have two more questions.

The nested loops that parse the signature list in TlsConfigCertificate()
currently ignore the contents of the following fields:
- EFI_SIGNATURE_LIST.SignatureType,
- EFI_SIGNATURE_DATA.SignatureOwner.

I'd like the generator / extractor tool to populate these fields
correctly right from the start, so that it remain compatible with future
features added to edk2.


So, I suggest that the tool set "EFI_SIGNATURE_LIST.SignatureType" to
EFI_CERT_X509_GUID ("This identifies a signature based on a DER-encoded
X.509 certificate"). Because, this is what the current edk2 code assumes
anyway -- in TlsSetCaCertificate(), we have a comment saying

  //
  // DER-encoded binary X.509 certificate or PEM-encoded X.509
  // certificate. Determine whether certificate is from DER encoding, if
  // so, translate it to X509 structure.
  //

(1) Do you agree EFI_CERT_X509_GUID is the right setting for
"EFI_SIGNATURE_LIST.SignatureType" (even though the edk2 code currently
ignores it)?

This would also imply that we set
"EFI_SIGNATURE_LIST.SignatureHeaderSize" to zero, according to the UEFI
spec.


Furthermore, what would you suggest for
"EFI_SIGNATURE_DATA.SignatureOwner"? According to the spec, it is "An
identifier which identifies the agent which added the signature to the
list", so in theory we could just generate any GUID for the tool with
"uuidgen". However, based on past experience, this may not be good
enough; for example, the Secure Boot Logo Test in the Microsoft HCK
expect the SignatureOwner field (on the Microsoft certificates) to be
constant 77FA9ABD-0359-4D32-BD60-28F4E78F784B. In other words, Microsoft
want the SignatureOwner field to stand for the organization that issued
the certificates (i.e., themselves), not for the agent that enrolled the
certificates.

(2) Do you foresee any such restrictions for the
"EFI_SIGNATURE_DATA.SignatureOwner" field in
EFI_TLS_CA_CERTIFICATE_VARIABLE? Or is it safe if we generate a GUID for
the tool with "uuidgen"?

Thanks!
Laszlo