From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <chao.b.zhang@intel.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=134.134.136.31; helo=mga06.intel.com;
 envelope-from=chao.b.zhang@intel.com; receiver=edk2-devel@lists.01.org 
Received: from mga06.intel.com (mga06.intel.com [134.134.136.31])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 341BF21F0DA61
 for <edk2-devel@lists.01.org>; Mon,  5 Feb 2018 17:40:04 -0800 (PST)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga008.jf.intel.com ([10.7.209.65])
 by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 05 Feb 2018 17:45:46 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.46,467,1511856000"; d="scan'208";a="15721316"
Received: from fmsmsx105.amr.corp.intel.com ([10.18.124.203])
 by orsmga008.jf.intel.com with ESMTP; 05 Feb 2018 17:45:45 -0800
Received: from fmsmsx114.amr.corp.intel.com (10.18.116.8) by
 FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS)
 id 14.3.319.2; Mon, 5 Feb 2018 17:45:45 -0800
Received: from shsmsx103.ccr.corp.intel.com (10.239.4.69) by
 FMSMSX114.amr.corp.intel.com (10.18.116.8) with Microsoft SMTP Server (TLS)
 id 14.3.319.2; Mon, 5 Feb 2018 17:45:45 -0800
Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.124]) by
 SHSMSX103.ccr.corp.intel.com ([169.254.4.116]) with mapi id 14.03.0319.002;
 Tue, 6 Feb 2018 09:45:43 +0800
From: "Zhang, Chao B" <chao.b.zhang@intel.com>
To: "Long, Qin" <qin.long@intel.com>, Bryan Rosario <bcr@google.com>,
 "edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Thread-Topic: [edk2] Why does EDK2 disable time checks on certificates?
Thread-Index: AQHTnsuR7U5vrxtUfU2g9XtU3qgDhqOWBpaAgACNqyA=
Date: Tue, 6 Feb 2018 01:45:42 +0000
Message-ID: <FF72C7E4248F3C4E9BDF19D4918E90F2496560C9@shsmsx102.ccr.corp.intel.com>
References: <CAAz1XL+TyRLK-T0wGzpMre6Z8tosE9ztPo=n8J6LX5sxk21mqQ@mail.gmail.com>
 <BF2CCE9263284D428840004653A28B6E540668B7@SHSMSX103.ccr.corp.intel.com>
In-Reply-To: <BF2CCE9263284D428840004653A28B6E540668B7@SHSMSX103.ccr.corp.intel.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ctpclassification: CTP_NT
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiM2ZiMGY2NmEtNWVlMi00Yzg3LWE4NTMtYjg4ZjZkNzE1ZGRmIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjIuNS4xOCIsIlRydXN0ZWRMYWJlbEhhc2giOiJSSTdqTlprR0RTSGp5NURzQmxkblwvWnJQK0NtRWl6Q1REdXh5ZzJTODZOdW5jSngxWk0xMHRxaGZYSlFadzBLRCJ9
dlp-product: dlpe-windows
dlp-version: 11.0.0.116
dlp-reaction: no-action
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Subject: Re: Why does EDK2 disable time checks on certificates?
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2018 01:40:05 -0000
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Bryan:   =20
       You can reference EFI_CERT_X509_SHA256,  EFI_CERT_X509_SHA384, EFI_C=
ERT_X509_SHA512 data structure definition in UEFI spec.
  Now they are only supported in DBX.  Revocation time here is defined by u=
ser instead of directly from Validity of X059 Certificate in order to addre=
ss the issue mentioned below.
       =20

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Long=
, Qin
Sent: Tuesday, February 6, 2018 8:55 AM
To: Bryan Rosario <bcr@google.com>; edk2-devel@lists.01.org
Subject: Re: [edk2] Why does EDK2 disable time checks on certificates?

It's EDK2-only.=20
The current pre-boot environment have no trusted timer synchronization serv=
ice. And it's very likely the system time is not the real-time (esp under d=
ev environment). So the certificate time expiration checking was bypassed t=
o avoid any boot break.=20

Against the corresponding certificate revocation case, the UEFI introduced =
the DBX database (forbidden list) to address this.=20


Best Regards & Thanks,
LONG, Qin

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Brya=
n Rosario
Sent: Tuesday, February 6, 2018 5:52 AM
To: edk2-devel@lists.01.org
Subject: [edk2] Why does EDK2 disable time checks on certificates?

See here ("Currently certificate time expiration checking is ignored."):
https://github.com/tianocore/tianocore.github.io/wiki/How-to-Enable-Securit=
y
.

Is this behavior part of the UEFI specification or is it EDK2-only? And wha=
t's the reasoning for it?

Thanks,
Bryan
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel