On Tue, Jul 2, 2019 at 8:43 AM Francois Ozog francois.ozog@linaro.org wrote:
On Tue, Jul 2, 2019 at 08:32, Peter Robinson pbrobinson@gmail.com wrote:
Hi AKASHI,
I'm now working on implementing UEFI secure boot on U-Boot, in particular, adding "dbt" (timestamp-based revocation) support as described in UEFI specification, section 32.5.1 paragraph#7.
# To be honest, the description is quite hard for me to understand.
# I've got what it means only after reading corresponding EDK2 code.
My question is: Is there any signing tool on Linux, with which we can directly "timestamp" a PE image with RFC3161-compliant timestamp?
I believe we (the RH distros) use pesign tool for this [1] but pjones would know all the intricate details of that.
I know that "signtool" in Microsoft's Windows SDK has this feature, but I wonder what tool major distros use for this purpose. (They also need to use Windows for creating their own distributions?)
I don't think it is very difficult to add the feature to existing tools like "sbsign," but it would be nice to use "proven" tools for testing.
Peter
Thanks Peter. Should we want to contribute say "file_fit" to sign FIT image, does this sound reasonable?
pjones would be the best person to answer that as he's the maintainer but it sounds fine to me.
Peter