Hi,
On Wed, 7 Dec 2022 at 19:50, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
Hi Stuart,
On Tue, 6 Dec 2022 at 19:58, Stuart Yoder stuart.yoder@arm.com wrote:
All,
I saw the meeting notes on the wiki:
Ilias: PKCS7, ACS, authenticated UEFI variables. U-Boot will not support all types of certificate, probably will break SIE ACS. Need a test using an unsupported certificate in dbx, try to boot, should be rejected by bootloader
Heinrich: edk2 will support all types. At least make sure we support the secure certificate types (e.g. not sha1) Action: Ilias to run SIE ACS on Synquacer, Vincent to follow up with Stuart
Currently the certificates used in the SIE ACS are all X.509, RSA2048, SHA256.
That is also what is reflected in the SCT public spec for the new secure boot tests: https://github.com/stuyod01/edk2-test/blob/secure-boot/uefi-sct/Doc/UEFI-SCT...
Ok thanks. As I said I'll try to run it on hardware and share the results
What certificate types will u-boot not support?
EFI_CERT_RSA2048_GUID, EFI_CERT_RSA2048_SHA256_GUID, EFI_CERT_SHA1_GUID, EFI_CERT_RSA2048_SHA_GUID, EFI_CERT_SHA224_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID are currently unsupported. Keep in mind that if U-Boot finds any of those types in DBX, it will unconditionally reject images.
I don't know anything about this, but why does U-Boot not support those?
Regards, Simon
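A small checker for the point Ilias raises above, added here as an example (it is not U-Boot, edk2 or SCT code): it walks the EFI_SIGNATURE_LIST chain that makes up a dbx payload, validates the length fields, and reports which signature-type GUIDs the variable carries, so a test author can tell in advance whether a given dbx would trip a bootloader that rejects images when it meets a type it does not understand. The GUID values are the UEFI specification's; the set treated as "unsupported" is copied from the list in this thread and is an assumption about the U-Boot build under test; the dbx blob it runs on is constructed inline.

```python
"""Walk an EFI_SIGNATURE_LIST chain (the dbx/db variable payload) and
report the signature types it contains.  Added example for this thread,
not U-Boot, edk2 or SCT code."""
import struct
import uuid

# Signature-type GUIDs as defined in the UEFI specification
# (ImageAuthentication.h).  Cross-check against your copy of the spec.
SIG_TYPES = {
    "EFI_CERT_SHA256_GUID":         uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"),
    "EFI_CERT_RSA2048_GUID":        uuid.UUID("3c5766e8-269c-4e34-aa14-ed776e85b3b6"),
    "EFI_CERT_RSA2048_SHA256_GUID": uuid.UUID("e2b36190-879b-4a3d-ad8d-f2e7bba32784"),
    "EFI_CERT_SHA1_GUID":           uuid.UUID("826ca512-cf10-4ac9-b187-be01496631bd"),
    "EFI_CERT_RSA2048_SHA1_GUID":   uuid.UUID("67f8444f-8743-48f1-a328-1eaab8736080"),
    "EFI_CERT_X509_GUID":           uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"),
    "EFI_CERT_SHA224_GUID":         uuid.UUID("0b6e5233-a65c-44a9-9490-21d2c7a41f56"),
    "EFI_CERT_SHA384_GUID":         uuid.UUID("ff3e5307-9fd0-48c9-85f1-8ad56c701e01"),
    "EFI_CERT_SHA512_GUID":         uuid.UUID("93c5e3e5-bfae-45e0-a064-0dabc08d7a4d"),
}
GUID_NAMES = {g: n for n, g in SIG_TYPES.items()}

# Assumption: the types Ilias lists in this thread as unsupported by U-Boot.
# The real set depends on the U-Boot version; adjust before relying on it.
UNSUPPORTED_IN_UBOOT = frozenset(SIG_TYPES[n] for n in (
    "EFI_CERT_RSA2048_GUID", "EFI_CERT_RSA2048_SHA256_GUID", "EFI_CERT_SHA1_GUID",
    "EFI_CERT_RSA2048_SHA1_GUID", "EFI_CERT_SHA224_GUID", "EFI_CERT_SHA384_GUID",
    "EFI_CERT_SHA512_GUID"))

# EFI_SIGNATURE_LIST header: SignatureType (GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize; the UINT32s are little-endian.
SIGLIST_HDR = struct.Struct("<16sIII")
OWNER_GUID_LEN = 16  # each EFI_SIGNATURE_DATA starts with SignatureOwner


def parse_signature_lists(blob):
    """Return [(type_guid, [(owner_guid, signature_data), ...]), ...].
    Raises ValueError on inconsistent sizes instead of skipping silently:
    a verifier that tolerates malformed lists is easy to confuse."""
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body_len = list_size - SIGLIST_HDR.size - hdr_size
        if sig_size <= OWNER_GUID_LEN or body_len % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        sigs, pos, end = [], off + SIGLIST_HDR.size + hdr_size, off + list_size
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + OWNER_GUID_LEN])
            sigs.append((owner, blob[pos + OWNER_GUID_LEN:pos + sig_size]))
            pos += sig_size
        lists.append((uuid.UUID(bytes_le=raw_type), sigs))
        off = end
    return lists


def build_signature_list(sig_type, owner, entries):
    """Serialise one EFI_SIGNATURE_LIST (no SignatureHeader) for test data."""
    if len({len(e) for e in entries}) != 1:
        raise ValueError("all entries in one list must share SignatureSize")
    body = b"".join(owner.bytes_le + e for e in entries)
    sig_size = OWNER_GUID_LEN + len(entries[0])
    return SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(body), 0, sig_size) + body


def unsupported_types(blob, unsupported=UNSUPPORTED_IN_UBOOT):
    """Names of the signature types in blob that the loader will not handle."""
    return sorted({GUID_NAMES.get(t, str(t)) for t, _ in parse_signature_lists(blob)
                   if t in unsupported})


def would_reject_all_images(blob):
    """Models the behaviour described in the thread: any unsupported type in
    dbx makes the loader reject every image, whatever else dbx contains."""
    return bool(unsupported_types(blob))


def is_well_formed(blob):
    try:
        parse_signature_lists(blob)
        return True
    except ValueError:
        return False


def constructed_dbx():
    """Constructed sample: one SHA-256 hash list plus one SHA-1 hash list."""
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder owner
    return (build_signature_list(SIG_TYPES["EFI_CERT_SHA256_GUID"], owner,
                                 [b"\xaa" * 32, b"\xbb" * 32]) +
            build_signature_list(SIG_TYPES["EFI_CERT_SHA1_GUID"], owner, [b"\xcc" * 20]))


if __name__ == "__main__":
    dbx = constructed_dbx()
    for sig_type, sigs in parse_signature_lists(dbx):
        print(f"{GUID_NAMES.get(sig_type, sig_type)}: {len(sigs)} entries")
    print("unsupported:", unsupported_types(dbx))
    print("loader would reject all images:", would_reject_all_images(dbx))
```

On a Linux host the raw variable can be read from /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f; drop the leading 4-byte attributes word before passing the rest to parse_signature_lists. The strict size checks are deliberate: a list whose SignatureListSize overruns the buffer, or whose body is not a whole number of SignatureSize entries, should fail closed in a verifier rather than be partially honoured.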