From: "Nhi Pham via groups.io" <nhi=os.amperecomputing.com@groups.io>
To: devel@edk2.groups.io, jiewen.yao@intel.com, "Hou, Wenxing" <wenxing.hou@intel.com>
Cc: Tam Chi Nguyen <tamnguyenchi@os.amperecomputing.com>, "Li, Yi1" <yi1.li@intel.com>
Subject: Re: [edk2-devel] [PATCH 1/1] CryptoPkg: Add new API to get PKCS7 Signature
Date: Mon, 19 Feb 2024 10:31:01 +0700 [thread overview]
Message-ID: <e1fcf190-ac27-40d9-b7b6-4c79c5ac0e61@os.amperecomputing.com> (raw)
In-Reply-To: <MW4PR11MB587249205C50829C60EF384E8C432@MW4PR11MB5872.namprd11.prod.outlook.com>
On 2/1/2024 9:09 AM, Yao, Jiewen via groups.io wrote:
> Hi Nhi
> Would you please:
> 1) File an issue in Bugzilla - https://bugzilla.tianocore.org/
> 2) Share with us the usage of this new API.
>
> We are trying to understand why it is needed.
Hi Jiewen,
Sorry for the late response. I've just been back from vacation. Happy Lunar
New Year!
Let me try to explain the demand. This new API is consumed by Ampere
Altra EDK2 [1] for enrolling platform UEFI boot/update keys managed by a
secure storage service in the secure world. That is the Ampere Trusted
Firmware Secure Boot/Update Design [2], which provides platform firmware
owners a way to generate the pair of keys, sign their UEFI firmware, and
enroll their public key under the UEFI Secure Variable Format.
Any update (modify/append/delete) must be authenticated in the secure
world. Hence, we have to extract the key and pass the signature to the
secure storage service.
I wonder whether it would be possible to have this API in CryptLib
before opening the Bugzilla ticket?
[1]
https://github.com/AmpereComputing/edk2-platforms/blob/ampere/Silicon/Ampere/AmpereAltraPkg/Library/SecVarLib/SecVarLib.c#L613
[2] https://blog.cloudflare.com/armed-to-boot
Thanks,
Nhi
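As an added illustration of the data this discussion is about (not code from the patch, from CryptoPkg, or from Ampere's SecVarLib): the routine below locates the DER-encoded PKCS#7 blob inside a time-based authenticated variable payload (EFI_VARIABLE_AUTHENTICATION_2), validating the WIN_CERTIFICATE header before trusting its length. The layout constants are from the UEFI specification; the sample buffer and its placeholder CertData bytes are constructed.

```c
/* Locate the PKCS#7 SignedData inside an EFI_VARIABLE_AUTHENTICATION_2 payload.
 * Layout (UEFI spec): EFI_TIME TimeStamp (16 bytes), then WIN_CERTIFICATE_UEFI_GUID:
 *   UINT32 dwLength; UINT16 wRevision; UINT16 wCertificateType;   (8 bytes)
 *   EFI_GUID CertType;                                            (16 bytes)
 *   UINT8 CertData[];  <- the DER-encoded PKCS#7 signature        */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EFI_TIME_SIZE          16u
#define WIN_CERT_HDR_SIZE      8u
#define WIN_CERT_UEFI_GUID_HDR (WIN_CERT_HDR_SIZE + 16u)   /* 24 bytes */
#define WIN_CERT_TYPE_EFI_GUID 0x0EF1u

/* EFI_CERT_TYPE_PKCS7_GUID {4aafd29d-68df-49ee-8aa9-347d375665a7}, in wire byte order */
static const uint8_t kPkcs7CertTypeGuid[16] = {
  0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49,
  0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7 };

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Sets *sig to the start of CertData and returns its length, or returns 0 when the
 * header is malformed: wrong certificate type, wrong GUID, or dwLength not fitting the buffer. */
size_t ExtractPkcs7Signature(const uint8_t *var, size_t var_len, const uint8_t **sig)
{
  if (var == NULL || sig == NULL || var_len < EFI_TIME_SIZE + WIN_CERT_UEFI_GUID_HDR) return 0;
  const uint8_t *cert = var + EFI_TIME_SIZE;
  uint32_t dw_length = rd32(cert);
  if (rd16(cert + 6) != WIN_CERT_TYPE_EFI_GUID) return 0;
  if (memcmp(cert + WIN_CERT_HDR_SIZE, kPkcs7CertTypeGuid, 16) != 0) return 0;
  /* dwLength covers the whole WIN_CERTIFICATE_UEFI_GUID, header plus CertData */
  if (dw_length < WIN_CERT_UEFI_GUID_HDR || dw_length > var_len - EFI_TIME_SIZE) return 0;
  *sig = cert + WIN_CERT_UEFI_GUID_HDR;
  return dw_length - WIN_CERT_UEFI_GUID_HDR;
}

/* Constructed sample: zeroed EFI_TIME, header with dwLength = 28 and wRevision 0x0200,
 * four placeholder DER bytes as CertData, then two bytes of new variable content. */
static const uint8_t kSampleAuthVar[46] = {
  0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,                 /* EFI_TIME */
  0x1c,0x00,0x00,0x00, 0x00,0x02, 0xf1,0x0e,          /* dwLength, wRevision, wCertificateType */
  0x9d,0xd2,0xaf,0x4a,0xdf,0x68,0xee,0x49, 0x8a,0xa9,0x34,0x7d,0x37,0x56,0x65,0xa7,
  0x30,0x82,0x01,0x00,                                 /* placeholder PKCS#7 bytes */
  0xAA,0xBB };                                         /* variable data */

long SampleSignatureOffset(void) { const uint8_t *s = NULL; return ExtractPkcs7Signature(kSampleAuthVar, sizeof kSampleAuthVar, &s) ? (long)(s - kSampleAuthVar) : -1L; }
size_t SampleSignatureLen(void) { const uint8_t *s = NULL; return ExtractPkcs7Signature(kSampleAuthVar, sizeof kSampleAuthVar, &s); }
/* Truncated inputs (shorter than the headers, or shorter than dwLength claims) must be rejected */
int TruncatedSampleRejected(void) { const uint8_t *s = NULL; return ExtractPkcs7Signature(kSampleAuthVar, 39, &s) == 0 && ExtractPkcs7Signature(kSampleAuthVar, 43, &s) == 0; }
```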
Thread overview:
2024-01-30 5:44 [edk2-devel] [PATCH 1/1] CryptoPkg: Add new API to get PKCS7 Signature Nhi Pham via groups.io
2024-01-30 9:46 ` Wenxing Hou
2024-01-30 9:48 ` Nhi Pham via groups.io
2024-02-01 2:09 ` Yao, Jiewen
2024-02-19 3:31 ` Nhi Pham via groups.io [this message]