Re: internal structure of EFI_TLS_CA_CERTIFICATE_VARIABLE

[Laszlo Ersek <lersek@redhat.com>]

On 03/22/18 03:02, Wu, Jiaxin wrote:
> On 03/21/18 14:39, Laszlo Ersek wrote:
>> (1) Do you agree EFI_CERT_X509_GUID is the right setting for
>> "EFI_SIGNATURE_LIST.SignatureType" (even though the edk2 code
>> currently ignores it)?
>>
>> This would also imply that we set
>> "EFI_SIGNATURE_LIST.SignatureHeaderSize" to zero, according to the
>> UEFI spec.
>>
> 
> Yes, exactly, EFI_CERT_X509_GUID is the correct SignatureType for the
> CACertificate. SignatureHeaderSize should be set to zero. We do miss
> the check in HttpDxe driver, I'm fine to add back the  SignatureType
> check in TlsConfigCertificate(). So, can you report the Bugzilla for
> this fixing? Thanks.

I've filed <https://bugzilla.tianocore.org/show_bug.cgi?id=909> and
assigned it to myself (for a v1 patch at least).

>> (2) Do you foresee any such restrictions for the
>> "EFI_SIGNATURE_DATA.SignatureOwner" field in
>> EFI_TLS_CA_CERTIFICATE_VARIABLE? Or is it safe if we generate a GUID
>> for the tool with "uuidgen"?
>>
> 
> I don't think it's necessary to restrict/stand the GUID in the field
> of SignatureOwner for the CA certification (at least for now) since
> it's only used to identify the different venders (i.e, Microsoft) so
> as to avoid the following content check. In the UEFI part, we also
> didn't check the SignatureOwner for the any security consideration.
> So, I think it's safe to generate a GUID using the tool at present.

Sounds great, thanks!

Laszlo