From: "David F." <df7729@gmail.com>
Date: Tue, 1 May 2018 14:13:09 -0700
To: edk2 developers list <edk2-devel@lists.01.org>
Subject: Set "db" variable in secure boot setup mode still requires generating PKCS#7?
List-Id: EDK II Development

Hi,

Had a fairly simple task of wanting to install the latest MS .crt files for KEK, and their two files for the "db" (the Windows CA and UEFI CA) in a system placed in setup/custom mode. However, even though it seemed to take the KEK, it never took the "db"; it always had a problem on a DH77KC mobo (the dumped data headers looked as expected).

Now when I constructed it, I thought I could leave out any PKCS#7 data (set the expected CertType, but in the Hdr dwLength only included CertType and not any CertData), but looking at the algo in UEFI Spec 2.6 page 245, it looks like we'd always have to generate the hash, sign it, and create all the PKCS stuff even in setup mode? That would surely unnecessarily bloat any apps that really only need to update things in setup mode, wouldn't it?

So to confirm, that is a requirement even in setup mode? If so, why?

TIA!!
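The message turns on the exact byte layout of the EFI_VARIABLE_AUTHENTICATION_2 descriptor that precedes a "db" write: an EFI_TIME timestamp, a WIN_CERTIFICATE header, the EFI_CERT_TYPE_PKCS7_GUID CertType, and then the PKCS#7 CertData (or, in the construction described above, nothing). The following script is an added example, not code from the original post or from EDK II; it builds that descriptor either with empty CertData or with a caller-supplied PKCS#7 blob, appends an EFI_SIGNATURE_LIST holding one X.509 certificate, and parses the result back so that a dumped header can be checked field by field against the spec layout. The certificate bytes and the nil SignatureOwner GUID are constructed placeholders, not a real CA. It does not settle whether a particular firmware accepts an empty CertData in setup mode; it only makes the structure being sent unambiguous.

```python
"""EFI_VARIABLE_AUTHENTICATION_2 + EFI_SIGNATURE_LIST builder/parser.
Added example; not from the original post or EDK II. Struct layouts and
GUIDs follow the UEFI specification; sample inputs are placeholders."""
import struct
import uuid

# UEFI specification GUIDs; .bytes_le yields the EFI_GUID on-disk byte order
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
PLACEHOLDER_OWNER_GUID = uuid.UUID(int=0)  # constructed SignatureOwner, not a real vendor GUID

WIN_CERT_TYPE_EFI_GUID = 0x0EF1  # wCertificateType for WIN_CERTIFICATE_UEFI_GUID
WIN_CERT_REVISION = 0x0200       # wRevision

# EFI_TIME (16 bytes): Year u16; Month, Day, Hour, Minute, Second, Pad1 u8;
# Nanosecond u32; TimeZone i16; Daylight u8; Pad2 u8
EFI_TIME_FMT = "<HBBBBBBIhBB"
# WIN_CERTIFICATE (8 bytes): dwLength u32, wRevision u16, wCertificateType u16
WIN_CERT_FMT = "<IHH"
# EFI_SIGNATURE_LIST fixed part (28 bytes): SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize
ESL_FMT = "<16sIII"

GUID_LEN = 16
WIN_CERT_LEN = struct.calcsize(WIN_CERT_FMT)
EFI_TIME_LEN = struct.calcsize(EFI_TIME_FMT)


def efi_time(year, month, day, hour=0, minute=0, second=0):
    """Pack an EFI_TIME with Pad1, Nanosecond, TimeZone, Daylight and Pad2
    zeroed, as a time-based authenticated write requires."""
    return struct.pack(EFI_TIME_FMT, year, month, day, hour, minute, second,
                       0, 0, 0, 0, 0)


def auth2_descriptor(timestamp, cert_data=b""):
    """EFI_VARIABLE_AUTHENTICATION_2 = TimeStamp + WIN_CERTIFICATE_UEFI_GUID.
    cert_data is the DER PKCS#7 SignedData; leaving it empty gives exactly the
    'dwLength covers Hdr + CertType only' layout discussed in the message."""
    dw_length = WIN_CERT_LEN + GUID_LEN + len(cert_data)
    hdr = struct.pack(WIN_CERT_FMT, dw_length, WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return timestamp + hdr + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + cert_data


def signature_list_x509(cert_der, owner):
    """One EFI_SIGNATURE_LIST of type EFI_CERT_X509_GUID holding a single
    EFI_SIGNATURE_DATA (SignatureOwner GUID followed by the DER certificate)."""
    sig_data = owner.bytes_le + cert_der
    list_size = struct.calcsize(ESL_FMT) + len(sig_data)  # X.509 lists carry no SignatureHeader
    return struct.pack(ESL_FMT, EFI_CERT_X509_GUID.bytes_le, list_size, 0, len(sig_data)) + sig_data


def db_payload(cert_der, owner, timestamp, cert_data=b""):
    """Complete SetVariable Data for db: descriptor followed by the ESL."""
    return auth2_descriptor(timestamp, cert_data) + signature_list_x509(cert_der, owner)


def parse_auth2(blob):
    """Split a payload into its descriptor fields and the variable data that
    follows, rejecting headers that violate the fixed layout."""
    if len(blob) < EFI_TIME_LEN + WIN_CERT_LEN + GUID_LEN:
        raise ValueError("shorter than EFI_VARIABLE_AUTHENTICATION_2")
    ts = struct.unpack(EFI_TIME_FMT, blob[:EFI_TIME_LEN])
    if any(ts[i] for i in (6, 7, 8, 9, 10)):  # Pad1, Nanosecond, TimeZone, Daylight, Pad2
        raise ValueError("reserved EFI_TIME fields must be zero")
    off = EFI_TIME_LEN
    dw_length, revision, cert_kind = struct.unpack_from(WIN_CERT_FMT, blob, off)
    if cert_kind != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("wCertificateType is not WIN_CERT_TYPE_EFI_GUID")
    cert_type = uuid.UUID(bytes_le=blob[off + WIN_CERT_LEN:off + WIN_CERT_LEN + GUID_LEN])
    if cert_type != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("CertType is not EFI_CERT_TYPE_PKCS7_GUID")
    if dw_length < WIN_CERT_LEN + GUID_LEN or off + dw_length > len(blob):
        raise ValueError("dwLength inconsistent with payload size")
    return {
        "year": ts[0],
        "dw_length": dw_length,
        "revision": revision,
        "cert_data": blob[off + WIN_CERT_LEN + GUID_LEN:off + dw_length],
        "variable_data": blob[off + dw_length:],
    }


def is_well_formed(blob):
    """True when parse_auth2 accepts the descriptor layout."""
    try:
        parse_auth2(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    fake_cert = b"\x30\x03\x02\x01\x01"  # constructed 5-byte DER stub, not a certificate
    blob = db_payload(fake_cert, PLACEHOLDER_OWNER_GUID, efi_time(2018, 5, 1))
    info = parse_auth2(blob)
    print("dwLength =", info["dw_length"], "CertData bytes =", len(info["cert_data"]))
    print("ESL bytes =", len(info["variable_data"]), "total payload bytes =", len(blob))
```

For a real enrollment, replace `fake_cert` with the DER bytes of the CA's .crt file and, where a signature is required, pass the DER-encoded PKCS#7 SignedData as `cert_data`; with empty CertData the descriptor is 40 bytes and dwLength is 24. When the write goes through Linux efivarfs rather than a UEFI application, the 4-byte attribute word (NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS | TIME_BASED_AUTHENTICATED_WRITE_ACCESS, 0x27) is prepended to this payload.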