From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.136; helo=mga12.intel.com; envelope-from=qin.long@intel.com; receiver=edk2-devel@lists.01.org Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id B781E21F0DA4B for ; Mon, 5 Feb 2018 18:44:22 -0800 (PST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 05 Feb 2018 18:50:04 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.46,467,1511856000"; d="scan'208";a="25133684" Received: from fmsmsx103.amr.corp.intel.com ([10.18.124.201]) by FMSMGA003.fm.intel.com with ESMTP; 05 Feb 2018 18:50:04 -0800 Received: from fmsmsx113.amr.corp.intel.com (10.18.116.7) by FMSMSX103.amr.corp.intel.com (10.18.124.201) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 5 Feb 2018 18:50:04 -0800 Received: from shsmsx151.ccr.corp.intel.com (10.239.6.50) by FMSMSX113.amr.corp.intel.com (10.18.116.7) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 5 Feb 2018 18:50:03 -0800 Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.116]) by SHSMSX151.ccr.corp.intel.com ([169.254.3.116]) with mapi id 14.03.0319.002; Tue, 6 Feb 2018 10:50:02 +0800 From: "Long, Qin" To: Bryan Rosario , "Zhang, Chao B" CC: "edk2-devel@lists.01.org" , Alain Gefflaut Thread-Topic: [edk2] Why does EDK2 disable time checks on certificates? Thread-Index: AQHTnsuRGlQiO6F320q/HhDKr+C+B6OWiLyA//+L9QCAAAi4AIAAigBA Date: Tue, 6 Feb 2018 02:50:02 +0000 Message-ID: References: In-Reply-To: Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: Why does EDK2 disable time checks on certificates? X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Feb 2018 02:44:23 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable The OS can update the certificates by correct SetVariable() call with authe= nticated payload (following UEFI secure boot / authenticated variable defin= itions. Refer to the section 8.2 "Variable Services" and chapter 31 "Secur= e Boot and Driver Signing" for more details).=20 I am not sure if current OS will enforce any periodical update. Currently, = UEFI is just distributing the revocation list file to address possible secu= rity risks (http://www.uefi.org/revocationlistfile).=20 Best Regards & Thanks, LONG, Qin -----Original Message----- From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Brya= n Rosario Sent: Tuesday, February 6, 2018 10:17 AM To: Zhang, Chao B Cc: edk2-devel@lists.01.org; Alain Gefflaut ; Long, Qi= n Subject: Re: [edk2] Why does EDK2 disable time checks on certificates? Thanks for the info. Another question: if I enable time checks in my local copy of EDK2 (or if t= here is another UEFI implementation with time checks enabled), do operating= systems generally update their certificates periodically to avoid them exp= iring? In particular, I'm wondering about bootloaders that are signed for secure b= oot. I've seen expiration times on the attached certificates and I'm wonder= ing if the bootloader will be periodically updated, or if operating systems= will just expect that the firmware doesn't actually enforce the expiration= time. On Mon, Feb 5, 2018 at 5:45 PM, Zhang, Chao B wrote: > Bryan: > You can reference EFI_CERT_X509_SHA256, EFI_CERT_X509_SHA384, > EFI_CERT_X509_SHA512 data structure definition in UEFI spec. > Now they are only supported in DBX. Revocation time here is defined=20 > by user instead of directly from Validity of X059 Certificate in order=20 > to address the issue mentioned below. > > > -----Original Message----- > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of=20 > Long, Qin > Sent: Tuesday, February 6, 2018 8:55 AM > To: Bryan Rosario ; edk2-devel@lists.01.org > Subject: Re: [edk2] Why does EDK2 disable time checks on certificates? > > It's EDK2-only. > The current pre-boot environment have no trusted timer synchronization=20 > service. And it's very likely the system time is not the real-time=20 > (esp under dev environment). So the certificate time expiration=20 > checking was bypassed to avoid any boot break. > > Against the corresponding certificate revocation case, the UEFI=20 > introduced the DBX database (forbidden list) to address this. > > > Best Regards & Thanks, > LONG, Qin > > -----Original Message----- > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of=20 > Bryan Rosario > Sent: Tuesday, February 6, 2018 5:52 AM > To: edk2-devel@lists.01.org > Subject: [edk2] Why does EDK2 disable time checks on certificates? > > See here ("Currently certificate time expiration checking is ignored."): > https://github.com/tianocore/tianocore.github.io/wiki/How- > to-Enable-Security > . > > Is this behavior part of the UEFI specification or is it EDK2-only?=20 > And what's the reasoning for it? > > Thanks, > Bryan > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel > _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel