public inbox for devel@edk2.groups.io
From: "Jan Bobek" <jbobek@nvidia.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>
Cc: "devel@edk2.groups.io" <devel@edk2.groups.io>,
	Jeff Brasen <jbrasen@nvidia.com>,
	Girish Mahadevan <gmahadevan@nvidia.com>,
	"Wang, Jian J" <jian.j.wang@intel.com>,
	"Xu, Min M" <min.m.xu@intel.com>
Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/AuthVariableLib: Check SHA-256 OID with ContentInfo present
Date: Mon, 16 Jan 2023 17:40:05 -0700
Message-ID: <87edruxaca.fsf@nvidia.com>
In-Reply-To: <MW4PR11MB58720D13307752457ECD05328CC69@MW4PR11MB5872.namprd11.prod.outlook.com>

> I linked email with Bugzilla. Either email or Bugzilla is OK for the
> discussion.

Sounds good.

> Personally, I don't understand one thing.
> If EDKII causes such a failure, how does archlinux validate the correctness of the tool and document in [3]?
>
> Or are they using a different UEFI implementation?

My understanding is that Archlinux assumes a standard-compliant UEFI
implementation. A Linux distribution doesn't typically provide a UEFI
implementation; it's up to your platform vendor (e.g. laptop
manufacturer) to provide one. If the vendor wanted to use EDK2 as a
basis for their (typically proprietary) UEFI implementation, they would
need to address this issue one way or the other on their own.

-Jan

>> -----Original Message-----
>> From: Jan Bobek <jbobek@nvidia.com>
>> Sent: Tuesday, January 17, 2023 6:30 AM
>> To: Yao, Jiewen <jiewen.yao@intel.com>
>> Cc: devel@edk2.groups.io; Jeff Brasen <jbrasen@nvidia.com>; Girish
>> Mahadevan <gmahadevan@nvidia.com>; Wang, Jian J
>> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>
>> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/AuthVariableLib: Check
>> SHA-256 OID with ContentInfo present
>>
>> > Hi
>> > That is a good catch!
>> > My apologies for missing it before.
>> >
>> > 1) Please file a bugzilla (https://bugzilla.tianocore.org/) to record the issue
>> > and associate it with the patch.
>>
>> Filed bug 4305 [1]. Sorry for the delay, I didn't get my bugzilla
>> credentials until late last week.
>>
>> > 2) Would you please share with us how you discovered the issue?
>> > For example, any real use case to include ContentInfo? If yes, please share
>> > a URL.
>> > Or is this just a purely spec compliance fix?
>> >
>> > 3) Please describe how you validate the fix.
>> > If possible, would you please share your test case?
>>
>> I believe both of these are answered / included in the bug description.
>>
>> > 4) Since the new code handles the case where the ContentInfo structure is present, I believe
>> > we also need to check if the ContentInfo structure is valid.
>> > For example:
>> > ============
>> > c SignedData.contentInfo.contentType shall be set to id-data
>> > d SignedData.contentInfo.content shall be absent
>> > ============
>> > What do you think?
>>
>> I think you're talking about the ContentInfo structure that's part of
>> the SignedData structure, but the real problem is with ContentInfo
>> structure that _wraps_ the SignedData structure. More info in the bug
>> description.
>>
>> Also, is it customary to continue the discussion here on edk2-devel or
>> in the bug comments on bugzilla?
>>
>> -Jan
>>
>> References:
>> 1. https://bugzilla.tianocore.org/show_bug.cgi?id=4305

