From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 70AC122551BBB for ; Thu, 22 Mar 2018 02:13:53 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 82E8A406E8A4; Thu, 22 Mar 2018 09:20:24 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-114.rdu2.redhat.com [10.10.120.114]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9DC107C31; Thu, 22 Mar 2018 09:20:23 +0000 (UTC) To: "Wu, Jiaxin" , "Fu, Siyuan" Cc: edk2-devel-01 , "Daniel P. Berrange" References: <32764418-f00f-2423-216d-24b3f842a3c7@redhat.com> <74abb2db-a6d0-d88d-7153-0347f5cb64bb@redhat.com> <895558F6EA4E3B41AC93A00D163B72741639CF62@SHSMSX103.ccr.corp.intel.com> From: Laszlo Ersek Message-ID: Date: Thu, 22 Mar 2018 10:20:22 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <895558F6EA4E3B41AC93A00D163B72741639CF62@SHSMSX103.ccr.corp.intel.com> X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Thu, 22 Mar 2018 09:20:24 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Thu, 22 Mar 2018 09:20:24 +0000 (UTC) for IP:'10.11.54.5' DOMAIN:'int-mx05.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:'' Subject: Re: internal structure of EFI_TLS_CA_CERTIFICATE_VARIABLE X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Mar 2018 09:13:54 -0000 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 03/22/18 03:02, Wu, Jiaxin wrote: > On 03/21/18 14:39, Laszlo Ersek wrote: >> (1) Do you agree EFI_CERT_X509_GUID is the right setting for >> "EFI_SIGNATURE_LIST.SignatureType" (even though the edk2 code >> currently ignores it)? >> >> This would also imply that we set >> "EFI_SIGNATURE_LIST.SignatureHeaderSize" to zero, according to the >> UEFI spec. >> > > Yes, exactly, EFI_CERT_X509_GUID is the correct SignatureType for the > CACertificate. SignatureHeaderSize should be set to zero. We do miss > the check in HttpDxe driver, I'm fine to add back the SignatureType > check in TlsConfigCertificate(). So, can you report the Bugzilla for > this fixing? Thanks. I've filed and assigned it to myself (for a v1 patch at least). >> (2) Do you foresee any such restrictions for the >> "EFI_SIGNATURE_DATA.SignatureOwner" field in >> EFI_TLS_CA_CERTIFICATE_VARIABLE? Or is it safe if we generate a GUID >> for the tool with "uuidgen"? >> > > I don't think it's necessary to restrict/stand the GUID in the field > of SignatureOwner for the CA certification (at least for now) since > it's only used to identify the different venders (i.e, Microsoft) so > as to avoid the following content check. In the UEFI part, we also > didn't check the SignatureOwner for the any security consideration. > So, I think it's safe to generate a GUID using the tool at present. Sounds great, thanks! Laszlo