Re: internal structure of EFI_TLS_CA_CERTIFICATE_VARIABLE

["Wu, Jiaxin" <jiaxin.wu@intel.com>]

Hi Laszlo,

Insert my comments as below: 

> The nested loops that parse the signature list in TlsConfigCertificate()
> currently ignore the contents of the following fields:
> - EFI_SIGNATURE_LIST.SignatureType,
> - EFI_SIGNATURE_DATA.SignatureOwner.
> 
> I'd like the generator / extractor tool to populate these fields
> correctly right from the start, so that it remain compatible with future
> features added to edk2.
> 
> 
> So, I suggest that the tool set "EFI_SIGNATURE_LIST.SignatureType" to
> EFI_CERT_X509_GUID ("This identifies a signature based on a DER-encoded
> X.509 certificate"). Because, this is what the current edk2 code assumes
> anyway -- in TlsSetCaCertificate(), we have a comment saying
> 
>   //
>   // DER-encoded binary X.509 certificate or PEM-encoded X.509
>   // certificate. Determine whether certificate is from DER encoding, if
>   // so, translate it to X509 structure.
>   //
> 
> (1) Do you agree EFI_CERT_X509_GUID is the right setting for
> "EFI_SIGNATURE_LIST.SignatureType" (even though the edk2 code currently
> ignores it)?
> 
> This would also imply that we set
> "EFI_SIGNATURE_LIST.SignatureHeaderSize" to zero, according to the UEFI
> spec.
> 

Yes, exactly, EFI_CERT_X509_GUID is the correct SignatureType for the CACertificate. SignatureHeaderSize should be set to zero. We do miss the check in HttpDxe driver, I'm fine to add back the  SignatureType check in TlsConfigCertificate(). So, can you report the Bugzilla for this fixing? Thanks.


> 
> Furthermore, what would you suggest for
> "EFI_SIGNATURE_DATA.SignatureOwner"? According to the spec, it is "An
> identifier which identifies the agent which added the signature to the
> list", so in theory we could just generate any GUID for the tool with
> "uuidgen". However, based on past experience, this may not be good
> enough; for example, the Secure Boot Logo Test in the Microsoft HCK
> expect the SignatureOwner field (on the Microsoft certificates) to be
> constant 77FA9ABD-0359-4D32-BD60-28F4E78F784B. In other words,
> Microsoft
> want the SignatureOwner field to stand for the organization that issued
> the certificates (i.e., themselves), not for the agent that enrolled the
> certificates.
> 
> (2) Do you foresee any such restrictions for the
> "EFI_SIGNATURE_DATA.SignatureOwner" field in
> EFI_TLS_CA_CERTIFICATE_VARIABLE? Or is it safe if we generate a GUID for
> the tool with "uuidgen"?
> 

I don't think it's necessary to restrict/stand the GUID in the field of SignatureOwner for the CA certification (at least for now) since it's only used to identify the different venders (i.e, Microsoft) so as to avoid the following content check. In the UEFI part, we also didn't check the SignatureOwner for the any security consideration. So, I think it's safe to generate a GUID using the tool at present.

Thanks,
Jiaxin