From: Laszlo Ersek <lersek@redhat.com>
To: "David F." <df7729@gmail.com>
Cc: edk2 developers list <edk2-devel@lists.01.org>
Subject: Re: Set "db" variable in secure boot setup mode still requires generating PKCS#7?
Date: Wed, 2 May 2018 12:21:23 +0200 [thread overview]
Message-ID: <c611fa4c-97fd-42f9-242f-5c71137af2a9@redhat.com> (raw)
In-Reply-To: <CAGRSmLsfL7REVS9EtJD7FwNbHp-ZvP2-jOB3SWw-rX9axxf08w@mail.gmail.com>
On 05/01/18 23:13, David F. wrote:
> Hi,
>
> Had a fairly simple task of wanting to install the latest MS .crt
> files for KEK, and their two files for the "db" (the Windows CA and
> UEFI CA) in a system placed in setup/custom mode. However, even
> though it seemed to take the KEK, it never took the "db", always had a
> problem on a DH77KC mobo (dumped data headers looked as expected). Now
> when I constructed it, I thought I could leave out any PKCS#7 data
> (set the expected CertType but in the Hdr dwLength only included
> CertType and not any CertData),
Right, I've stumbled upon that too. According to the UEFI spec, dwLength
should include CertData too, but edk2 does *not* accept that. This can
be seen e.g. in
"SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c",
function CreateTimeBasedPayload():
> //
> // In Setup mode or Custom mode, the variable does not need to be signed but the
> // parameters to the SetVariable() call still need to be prepared as authenticated
> // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
> // data in it.
> //
> ...
> DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
Back to your email:
On 05/01/18 23:13, David F. wrote:
> but looking at the algo in UEFI Spec 2.6 page 245, it looks like we'd
> always have to generate the hash, sign it, create all the PKCS stuff
> even in setup mode? That would surely unnecessarily bloat any apps
> that really only need to update things in setup mode wouldn't it? So
> to confirm, that is a requirement even in setup mode? If so, why?
It's not a requirement; see the code comment I quoted above.
Thanks,
Laszlo
next prev parent reply other threads:[~2018-05-02 10:21 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-01 21:13 Set "db" variable in secure boot setup mode still requires generating PKCS#7? David F.
2018-05-01 21:25 ` Bill Paul
2018-05-02 2:23 ` David F.
2018-05-02 10:21 ` Laszlo Ersek [this message]
2018-05-02 16:26 ` David F.
2018-05-03 3:09 ` Long, Qin
2018-05-20 19:54 ` David F.
2018-05-21 1:46 ` Zhang, Chao B
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c611fa4c-97fd-42f9-242f-5c71137af2a9@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox