From: Laszlo Ersek
To: "David F."
Cc: edk2 developers list
Date: Wed, 2 May 2018 12:21:23 +0200
Subject: Re: Set "db" variable in secure boot setup mode still requires generating PKCS#7?

On 05/01/18 23:13, David F.
wrote:
> Hi,
>
> Had a fairly simple task of wanting to install the latest MS .crt
> files for KEK, and their two files for the "db" (the Windows CA and
> UEFI CA) in a system placed in setup/custom mode. However, even
> though it seemed to take the KEK, it never took the "db", always had a
> problem on a DH77KC mobo (dumped data headers looked as expected). Now
> when I constructed it, I thought I could leave out any PKCS#7 data
> (set the expected CertType but in the Hdr dwLength only included
> CertType and not any CertData),

Right, I've stumbled upon that too. According to the UEFI spec, dwLength
should include CertData too, but edk2 does *not* accept that. This can be
seen e.g. in
"SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c",
function CreateTimeBasedPayload():

>   //
>   // In Setup mode or Custom mode, the variable does not need to be signed but the
>   // parameters to the SetVariable() call still need to be prepared as authenticated
>   // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
>   // data in it.
>   //
> ...
>   DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);

Back to your email:

On 05/01/18 23:13, David F. wrote:
> but looking at the algo in UEFI Spec 2.6 page 245, it looks like we'd
> always have to generate the hash, sign it, create all the PKCS stuff
> even in setup mode? That would surely unnecessarily bloat any apps
> that really only need to update things in setup mode wouldn't it? So
> to confirm, that is a requirement even in setup mode? If so, why?

It's not a requirement; see the code comment I quoted above.

Thanks,
Laszlo
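The point of the reply above is that, in Setup/Custom mode, the buffer handed to SetVariable() for "db" or "KEK" is just the EFI_VARIABLE_AUTHENTICATION_2 descriptor with an empty CertData (dwLength equal to OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData), i.e. 24) followed by the EFI_SIGNATURE_LIST. The following C program is an added example that builds such a buffer and parses it back with a bounds check on dwLength; it is not code from the thread or from edk2. The UEFI structures are re-declared from the spec so it compiles with a host compiler, the function names build_setup_mode_payload, locate_payload and the demo_* helpers are my own, and the certificate bytes and owner GUID in the demo are constructed filler, not real DER.

```c
/*
 * Added example (not edk2 code, not from the thread): build the buffer passed
 * to SetVariable() for "db" or "KEK" while the platform is in Setup/Custom
 * mode.  The descriptor is an EFI_VARIABLE_AUTHENTICATION_2 whose
 * WIN_CERTIFICATE_UEFI_GUID has an empty CertData, so dwLength is
 * OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData) == 24.  The UEFI structures
 * are re-declared here from the spec so the file compiles with a host
 * compiler; the certificate bytes and owner GUID in the demo are constructed
 * filler, not real DER.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#pragma pack(push, 1)
typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } EFI_GUID;
typedef struct {                       /* 16 bytes */
  uint16_t Year; uint8_t Month, Day, Hour, Minute, Second, Pad1;
  uint32_t Nanosecond; int16_t TimeZone; uint8_t Daylight, Pad2;
} EFI_TIME;
typedef struct { uint32_t dwLength; uint16_t wRevision, wCertificateType; } WIN_CERTIFICATE;
typedef struct { WIN_CERTIFICATE Hdr; EFI_GUID CertType; uint8_t CertData[1]; } WIN_CERTIFICATE_UEFI_GUID;
typedef struct { EFI_TIME TimeStamp; WIN_CERTIFICATE_UEFI_GUID AuthInfo; } EFI_VARIABLE_AUTHENTICATION_2;
typedef struct { EFI_GUID SignatureType; uint32_t SignatureListSize, SignatureHeaderSize, SignatureSize; } EFI_SIGNATURE_LIST;
#pragma pack(pop)

#define WIN_CERT_TYPE_EFI_GUID 0x0EF1
static const EFI_GUID EFI_CERT_TYPE_PKCS7_GUID =
  { 0x4aafd29d, 0x68df, 0x49ee, { 0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7 } };
static const EFI_GUID EFI_CERT_X509_GUID =
  { 0xa5c059a1, 0x94e4, 0x4aa7, { 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 } };

/* Descriptor size with empty CertData: EFI_TIME(16) + Hdr(8) + CertType(16) = 40. */
#define AUTHINFO2_EMPTY_SIZE \
  (offsetof(EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData))

/* Write descriptor + one X.509 EFI_SIGNATURE_LIST into out; returns bytes written, 0 if out is too small. */
size_t build_setup_mode_payload(const uint8_t *cert, uint32_t cert_len, const EFI_GUID *owner,
                                const EFI_TIME *when, uint8_t *out, size_t out_cap)
{
  size_t sig_size  = sizeof(EFI_GUID) + cert_len;          /* EFI_SIGNATURE_DATA: owner + cert */
  size_t list_size = sizeof(EFI_SIGNATURE_LIST) + sig_size;
  size_t total     = AUTHINFO2_EMPTY_SIZE + list_size;
  if (total > out_cap) return 0;
  memset(out, 0, total);

  EFI_VARIABLE_AUTHENTICATION_2 *desc = (EFI_VARIABLE_AUTHENTICATION_2 *)out;
  desc->TimeStamp = *when;
  /* The spec requires these EFI_TIME fields to be zero in the descriptor. */
  desc->TimeStamp.Pad1 = 0; desc->TimeStamp.Nanosecond = 0; desc->TimeStamp.TimeZone = 0;
  desc->TimeStamp.Daylight = 0; desc->TimeStamp.Pad2 = 0;
  desc->AuthInfo.Hdr.dwLength         = offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData); /* no PKCS#7 */
  desc->AuthInfo.Hdr.wRevision        = 0x0200;
  desc->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
  desc->AuthInfo.CertType             = EFI_CERT_TYPE_PKCS7_GUID;

  EFI_SIGNATURE_LIST *list = (EFI_SIGNATURE_LIST *)(out + AUTHINFO2_EMPTY_SIZE);
  list->SignatureType       = EFI_CERT_X509_GUID;
  list->SignatureListSize   = (uint32_t)list_size;
  list->SignatureHeaderSize = 0;
  list->SignatureSize       = (uint32_t)sig_size;
  uint8_t *sig = (uint8_t *)(list + 1);
  memcpy(sig, owner, sizeof(EFI_GUID));                     /* SignatureOwner */
  memcpy(sig + sizeof(EFI_GUID), cert, cert_len);           /* SignatureData  */
  return total;
}

/* Consumer side: find the EFI_SIGNATURE_LIST behind the descriptor.  Returns its
 * offset, or 0 if the descriptor is malformed.  dwLength is bounds-checked against
 * the buffer so a forged length cannot make the caller read past the end. */
size_t locate_payload(const uint8_t *buf, size_t len)
{
  WIN_CERTIFICATE hdr; EFI_GUID ct;
  const size_t ai = offsetof(EFI_VARIABLE_AUTHENTICATION_2, AuthInfo);
  if (len < AUTHINFO2_EMPTY_SIZE) return 0;
  memcpy(&hdr, buf + ai, sizeof hdr);
  memcpy(&ct, buf + ai + offsetof(WIN_CERTIFICATE_UEFI_GUID, CertType), sizeof ct);
  if (hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) return 0;
  if (memcmp(&ct, &EFI_CERT_TYPE_PKCS7_GUID, sizeof ct) != 0) return 0;
  if (hdr.dwLength < offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData)) return 0; /* shorter than Hdr+CertType */
  if (hdr.dwLength > len - ai) return 0;                                      /* CertData overruns buffer */
  return ai + hdr.dwLength;                /* 40 when CertData is empty */
}

/* Worked run on constructed inputs; returns the total payload length (92 here). */
size_t demo_payload_len(void)
{
  static const uint8_t  fake_cert[8] = { 0x30, 0x82, 0x01, 0x02, 0xde, 0xad, 0xbe, 0xef }; /* filler, not DER */
  static const EFI_GUID owner = { 0x12345678, 0x1234, 0x1234, { 0, 1, 2, 3, 4, 5, 6, 7 } }; /* constructed */
  EFI_TIME when = { 2018, 5, 2, 12, 21, 23, 0, 0, 0, 0, 0 };
  uint8_t buf[256];
  size_t n = build_setup_mode_payload(fake_cert, sizeof fake_cert, &owner, &when, buf, sizeof buf);
  if (n == 0 || locate_payload(buf, n) != AUTHINFO2_EMPTY_SIZE) return 0;
  return n;
}

/* A descriptor whose dwLength promises more CertData than the buffer holds must be rejected. */
int demo_oversized_dwlength_rejected(void)
{
  uint8_t buf[AUTHINFO2_EMPTY_SIZE] = { 0 };
  EFI_VARIABLE_AUTHENTICATION_2 *d = (EFI_VARIABLE_AUTHENTICATION_2 *)buf;
  d->AuthInfo.Hdr.dwLength = 0x1000;
  d->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
  d->AuthInfo.CertType = EFI_CERT_TYPE_PKCS7_GUID;
  return locate_payload(buf, sizeof buf) == 0;
}

int main(void)
{
  printf("setup-mode payload: %zu bytes, malformed dwLength rejected: %d\n",
         demo_payload_len(), demo_oversized_dwlength_rejected());
  return 0;
}
```

The buffer produced by build_setup_mode_payload is what one passes as Data to SetVariable() with attributes NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS | TIME_BASED_AUTHENTICATED_WRITE_ACCESS (0x27). Once the platform leaves Setup/Custom mode this shortcut stops working: the same descriptor then has to carry a real PKCS#7 SignedData in CertData, with dwLength covering it, which is the path David was reading about in the spec.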