* Why does EDK2 disable time checks on certificates?
@ 2018-02-05 21:51 Bryan Rosario
2018-02-06 0:55 ` Long, Qin
0 siblings, 1 reply; 5+ messages in thread
From: Bryan Rosario @ 2018-02-05 21:51 UTC (permalink / raw)
To: edk2-devel
See here ("Currently certificate time expiration checking is ignored."):
https://github.com/tianocore/tianocore.github.io/wiki/How-to-Enable-Security
.
Is this behavior part of the UEFI specification or is it EDK2-only? And
what's the reasoning for it?
Thanks,
Bryan
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Why does EDK2 disable time checks on certificates?
2018-02-05 21:51 Why does EDK2 disable time checks on certificates? Bryan Rosario
@ 2018-02-06 0:55 ` Long, Qin
2018-02-06 1:45 ` Zhang, Chao B
0 siblings, 1 reply; 5+ messages in thread
From: Long, Qin @ 2018-02-06 0:55 UTC (permalink / raw)
To: Bryan Rosario, edk2-devel@lists.01.org
It's EDK2-only.
The current pre-boot environment have no trusted timer synchronization service. And it's very likely the system time is not the real-time (esp under dev environment). So the certificate time expiration checking was bypassed to avoid any boot break.
Against the corresponding certificate revocation case, the UEFI introduced the DBX database (forbidden list) to address this.
Best Regards & Thanks,
LONG, Qin
-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Bryan Rosario
Sent: Tuesday, February 6, 2018 5:52 AM
To: edk2-devel@lists.01.org
Subject: [edk2] Why does EDK2 disable time checks on certificates?
See here ("Currently certificate time expiration checking is ignored."):
https://github.com/tianocore/tianocore.github.io/wiki/How-to-Enable-Security
.
Is this behavior part of the UEFI specification or is it EDK2-only? And what's the reasoning for it?
Thanks,
Bryan
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Why does EDK2 disable time checks on certificates?
2018-02-06 0:55 ` Long, Qin
@ 2018-02-06 1:45 ` Zhang, Chao B
2018-02-06 2:16 ` Bryan Rosario
0 siblings, 1 reply; 5+ messages in thread
From: Zhang, Chao B @ 2018-02-06 1:45 UTC (permalink / raw)
To: Long, Qin, Bryan Rosario, edk2-devel@lists.01.org
Bryan:
You can reference EFI_CERT_X509_SHA256, EFI_CERT_X509_SHA384, EFI_CERT_X509_SHA512 data structure definition in UEFI spec.
Now they are only supported in DBX. Revocation time here is defined by user instead of directly from Validity of X059 Certificate in order to address the issue mentioned below.
-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Long, Qin
Sent: Tuesday, February 6, 2018 8:55 AM
To: Bryan Rosario <bcr@google.com>; edk2-devel@lists.01.org
Subject: Re: [edk2] Why does EDK2 disable time checks on certificates?
It's EDK2-only.
The current pre-boot environment have no trusted timer synchronization service. And it's very likely the system time is not the real-time (esp under dev environment). So the certificate time expiration checking was bypassed to avoid any boot break.
Against the corresponding certificate revocation case, the UEFI introduced the DBX database (forbidden list) to address this.
Best Regards & Thanks,
LONG, Qin
-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Bryan Rosario
Sent: Tuesday, February 6, 2018 5:52 AM
To: edk2-devel@lists.01.org
Subject: [edk2] Why does EDK2 disable time checks on certificates?
See here ("Currently certificate time expiration checking is ignored."):
https://github.com/tianocore/tianocore.github.io/wiki/How-to-Enable-Security
.
Is this behavior part of the UEFI specification or is it EDK2-only? And what's the reasoning for it?
Thanks,
Bryan
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Why does EDK2 disable time checks on certificates?
2018-02-06 1:45 ` Zhang, Chao B
@ 2018-02-06 2:16 ` Bryan Rosario
2018-02-06 2:50 ` Long, Qin
0 siblings, 1 reply; 5+ messages in thread
From: Bryan Rosario @ 2018-02-06 2:16 UTC (permalink / raw)
To: Zhang, Chao B
Cc: Long, Qin, edk2-devel@lists.01.org, Alain Gefflaut,
Andrew Thornton
Thanks for the info.
Another question: if I enable time checks in my local copy of EDK2 (or if
there is another UEFI implementation with time checks enabled), do
operating systems generally update their certificates periodically to avoid
them expiring?
In particular, I'm wondering about bootloaders that are signed for secure
boot. I've seen expiration times on the attached certificates and I'm
wondering if the bootloader will be periodically updated, or if operating
systems will just expect that the firmware doesn't actually enforce the
expiration time.
On Mon, Feb 5, 2018 at 5:45 PM, Zhang, Chao B <chao.b.zhang@intel.com>
wrote:
> Bryan:
> You can reference EFI_CERT_X509_SHA256, EFI_CERT_X509_SHA384,
> EFI_CERT_X509_SHA512 data structure definition in UEFI spec.
> Now they are only supported in DBX. Revocation time here is defined by
> user instead of directly from Validity of X059 Certificate in order to
> address the issue mentioned below.
>
>
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Long, Qin
> Sent: Tuesday, February 6, 2018 8:55 AM
> To: Bryan Rosario <bcr@google.com>; edk2-devel@lists.01.org
> Subject: Re: [edk2] Why does EDK2 disable time checks on certificates?
>
> It's EDK2-only.
> The current pre-boot environment have no trusted timer synchronization
> service. And it's very likely the system time is not the real-time (esp
> under dev environment). So the certificate time expiration checking was
> bypassed to avoid any boot break.
>
> Against the corresponding certificate revocation case, the UEFI introduced
> the DBX database (forbidden list) to address this.
>
>
> Best Regards & Thanks,
> LONG, Qin
>
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Bryan Rosario
> Sent: Tuesday, February 6, 2018 5:52 AM
> To: edk2-devel@lists.01.org
> Subject: [edk2] Why does EDK2 disable time checks on certificates?
>
> See here ("Currently certificate time expiration checking is ignored."):
> https://github.com/tianocore/tianocore.github.io/wiki/How-
> to-Enable-Security
> .
>
> Is this behavior part of the UEFI specification or is it EDK2-only? And
> what's the reasoning for it?
>
> Thanks,
> Bryan
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Why does EDK2 disable time checks on certificates?
2018-02-06 2:16 ` Bryan Rosario
@ 2018-02-06 2:50 ` Long, Qin
0 siblings, 0 replies; 5+ messages in thread
From: Long, Qin @ 2018-02-06 2:50 UTC (permalink / raw)
To: Bryan Rosario, Zhang, Chao B; +Cc: edk2-devel@lists.01.org, Alain Gefflaut
The OS can update the certificates by correct SetVariable() call with authenticated payload (following UEFI secure boot / authenticated variable definitions. Refer to the section 8.2 "Variable Services" and chapter 31 "Secure Boot and Driver Signing" for more details).
I am not sure if current OS will enforce any periodical update. Currently, UEFI is just distributing the revocation list file to address possible security risks (http://www.uefi.org/revocationlistfile).
Best Regards & Thanks,
LONG, Qin
-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Bryan Rosario
Sent: Tuesday, February 6, 2018 10:17 AM
To: Zhang, Chao B <chao.b.zhang@intel.com>
Cc: edk2-devel@lists.01.org; Alain Gefflaut <alaingef@google.com>; Long, Qin <qin.long@intel.com>
Subject: Re: [edk2] Why does EDK2 disable time checks on certificates?
Thanks for the info.
Another question: if I enable time checks in my local copy of EDK2 (or if there is another UEFI implementation with time checks enabled), do operating systems generally update their certificates periodically to avoid them expiring?
In particular, I'm wondering about bootloaders that are signed for secure boot. I've seen expiration times on the attached certificates and I'm wondering if the bootloader will be periodically updated, or if operating systems will just expect that the firmware doesn't actually enforce the expiration time.
On Mon, Feb 5, 2018 at 5:45 PM, Zhang, Chao B <chao.b.zhang@intel.com>
wrote:
> Bryan:
> You can reference EFI_CERT_X509_SHA256, EFI_CERT_X509_SHA384,
> EFI_CERT_X509_SHA512 data structure definition in UEFI spec.
> Now they are only supported in DBX. Revocation time here is defined
> by user instead of directly from Validity of X059 Certificate in order
> to address the issue mentioned below.
>
>
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Long, Qin
> Sent: Tuesday, February 6, 2018 8:55 AM
> To: Bryan Rosario <bcr@google.com>; edk2-devel@lists.01.org
> Subject: Re: [edk2] Why does EDK2 disable time checks on certificates?
>
> It's EDK2-only.
> The current pre-boot environment have no trusted timer synchronization
> service. And it's very likely the system time is not the real-time
> (esp under dev environment). So the certificate time expiration
> checking was bypassed to avoid any boot break.
>
> Against the corresponding certificate revocation case, the UEFI
> introduced the DBX database (forbidden list) to address this.
>
>
> Best Regards & Thanks,
> LONG, Qin
>
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Bryan Rosario
> Sent: Tuesday, February 6, 2018 5:52 AM
> To: edk2-devel@lists.01.org
> Subject: [edk2] Why does EDK2 disable time checks on certificates?
>
> See here ("Currently certificate time expiration checking is ignored."):
> https://github.com/tianocore/tianocore.github.io/wiki/How-
> to-Enable-Security
> .
>
> Is this behavior part of the UEFI specification or is it EDK2-only?
> And what's the reasoning for it?
>
> Thanks,
> Bryan
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
>
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-02-06 2:44 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-02-05 21:51 Why does EDK2 disable time checks on certificates? Bryan Rosario
2018-02-06 0:55 ` Long, Qin
2018-02-06 1:45 ` Zhang, Chao B
2018-02-06 2:16 ` Bryan Rosario
2018-02-06 2:50 ` Long, Qin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox