From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.93; helo=mga11.intel.com; envelope-from=qin.long@intel.com; receiver=edk2-devel@lists.01.org Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id DD72A21F0DA44 for ; Mon, 5 Feb 2018 16:49:49 -0800 (PST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 05 Feb 2018 16:55:31 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.46,467,1511856000"; d="scan'208";a="28366983" Received: from fmsmsx108.amr.corp.intel.com ([10.18.124.206]) by fmsmga001.fm.intel.com with ESMTP; 05 Feb 2018 16:55:16 -0800 Received: from fmsmsx151.amr.corp.intel.com (10.18.125.4) by FMSMSX108.amr.corp.intel.com (10.18.124.206) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 5 Feb 2018 16:55:15 -0800 Received: from shsmsx104.ccr.corp.intel.com (10.239.4.70) by FMSMSX151.amr.corp.intel.com (10.18.125.4) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 5 Feb 2018 16:55:15 -0800 Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.116]) by SHSMSX104.ccr.corp.intel.com ([169.254.5.125]) with mapi id 14.03.0319.002; Tue, 6 Feb 2018 08:55:14 +0800 From: "Long, Qin" To: Bryan Rosario , "edk2-devel@lists.01.org" Thread-Topic: [edk2] Why does EDK2 disable time checks on certificates? Thread-Index: AQHTnsuRGlQiO6F320q/HhDKr+C+B6OWiLyA Date: Tue, 6 Feb 2018 00:55:13 +0000 Message-ID: References: In-Reply-To: Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: Why does EDK2 disable time checks on certificates? X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Feb 2018 00:49:50 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable It's EDK2-only.=20 The current pre-boot environment have no trusted timer synchronization serv= ice. And it's very likely the system time is not the real-time (esp under d= ev environment). So the certificate time expiration checking was bypassed t= o avoid any boot break.=20 Against the corresponding certificate revocation case, the UEFI introduced = the DBX database (forbidden list) to address this.=20 Best Regards & Thanks, LONG, Qin -----Original Message----- From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Brya= n Rosario Sent: Tuesday, February 6, 2018 5:52 AM To: edk2-devel@lists.01.org Subject: [edk2] Why does EDK2 disable time checks on certificates? See here ("Currently certificate time expiration checking is ignored."): https://github.com/tianocore/tianocore.github.io/wiki/How-to-Enable-Securit= y . Is this behavior part of the UEFI specification or is it EDK2-only? And wha= t's the reasoning for it? Thanks, Bryan _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel