On Tue, Jul 02, 2019 at 08:43:26AM +0100, Francois Ozog wrote:
On Tue, 2 Jul 2019 at 08:32, Peter Robinson pbrobinson@gmail.com wrote:
Hi AKASHI,
I'm now working on implementing UEFI secure boot on U-Boot, in particular, adding "dbt" (timestamp-based revocation) support as described in UEFI specification, section 32.5.1 paragraph#7.
# To be honest, the description is quite hard for me to understand.
# I've got what it means only after reading corresponding EDK2 code.
My question is: Is there any signing tool on Linux, with which we can directly "timestamp" a PE image with RFC3161-compliant timestamp?
I believe we (the RH distros) use pesign tool for this [1] but pjones would know all the intricate details of that.
I know that "signtool" in Microsoft's Windows SDK has this feature, but I wonder what tool major distros use for this purpose. (They also need to use Windows for creating their own distributions?)
I don't think it is very difficult to add the feature to existing tools like "sbsign," but it would be nice to use "proven" tools for testing.
Peter
Thanks Peter. Should we want to contribute, say, "file_fit" to sign FIT image, does this sound reasonable?
I *dare* want to ask you what you mean by signing FIT image. U-Boot's mkimage tool has a signing feature in a sense, so it would be best to expand its functionality to avoid any confusion.
-Takahiro Akashi
[1] https://github.com/rhboot/pesign
-- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog@linaro.org | Skype: ffozog