On Wed, 3 Jul 2019 at 02:00, AKASHI Takahiro takahiro.akashi@linaro.org wrote:
On Tue, Jul 02, 2019 at 08:43:26AM +0100, Francois Ozog wrote:
On Tue, 2 Jul 2019 at 08:32, Peter Robinson pbrobinson@gmail.com wrote:
Hi AKASHI,
I'm now working on implementing UEFI secure boot on U-Boot, in particular, adding "dbt" (timestamp-based revocation) support as described in the UEFI specification, section 32.5.1, paragraph #7.
# To be honest, the description is quite hard for me to understand.
# I've got what it means only after reading the corresponding EDK2 code.
My question is: Is there any signing tool on Linux with which we can directly "timestamp" a PE image with an RFC3161-compliant timestamp?
I believe we (the RH distros) use pesign tool for this [1] but pjones would know all the intricate details of that.
I know that "signtool" in Microsoft's Windows SDK has this feature, but I wonder what tool major distros use for this purpose. (Do they also need to use Windows for creating their own distributions?)
I don't think it is very difficult to add the feature to existing tools like "sbsign," but it would be nice to use "proven" tools for testing.
Peter
Thanks Peter. Should we want to contribute, say, « file_fit » to sign FIT images, does this sound reasonable?
I *dare* want to ask you what you mean by signing FIT image. U-Boot's mkimage tool has a signing feature in a sense, so it would be best to expand its functionality to avoid any confusion.
The exact details of signing are specified in different specs.
My view is that in a "signing realm" (say UEFI signing) one should use a consistent set of tools to sign and to verify signatures. When U-Boot is used in the context of UEFI Secure Boot, we should use a single UEFI signing tool regardless of the nature of the file (PE, FIT, ...). We could use different tools to sign different file types, but if the UEFI signing policy changes, you have to change a number of tools, which does not look good to me.
-Takahiro Akashi
[1] https://github.com/rhboot/pesign
_______________________________________________
boot-architecture mailing list
boot-architecture@lists.linaro.org
https://lists.linaro.org/mailman/listinfo/boot-architecture
--
François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
T: +33.67221.6485 francois.ozog@linaro.org | Skype: ffozog
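The dbt rule Takahiro refers to above (UEFI spec section 32.5.1, paragraph 7), as an added example that is not part of this thread and is not EDK2 or U-Boot code: a simplified Python model of how a dbx entry of type EFI_CERT_X509_SHA256 with a non-zero TimeOfRevocation interacts with an RFC3161 timestamp on the image and with the dbt database. The dataclasses, the certificates-as-byte-strings, the `token_valid` flag and the strict "earlier than" comparison are assumptions standing in for real DER/PKCS#7 parsing; the scenarios in `demo()` are constructed, not taken from any real system.

```python
# Added example (not from this thread, EDK2 or U-Boot): simplified model of
# UEFI timestamp-based revocation, i.e. how a dbx entry of type
# EFI_CERT_X509_SHA256 with a non-zero TimeOfRevocation interacts with an
# RFC3161 timestamp on the image and with the dbt database.
# Assumptions: certificates are opaque byte strings standing in for DER
# TBSCertificate structures, and `token_valid` stands in for the PKCS#7
# verification of the timestamp token; no real ASN.1 is parsed here.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from hashlib import sha256
from typing import Optional


def tbs_hash(tbs_certificate: bytes) -> bytes:
    """EFI_CERT_X509_SHA256 entries carry SHA-256(TBSCertificate), not a hash of the full DER cert."""
    return sha256(tbs_certificate).digest()


@dataclass(frozen=True)
class DbxX509Sha256:
    """One dbx entry: hash of a cert to revoke plus the revocation time.
    None models the all-zero EFI_TIME: the cert is revoked unconditionally."""
    to_be_signed_hash: bytes
    time_of_revocation: Optional[datetime]


@dataclass(frozen=True)
class Rfc3161Timestamp:
    """The timestamp counter-signature on the image's signature (simplified)."""
    signing_time: datetime      # genTime of the TSTInfo
    tsa_tbs_hash: bytes         # hash of the TSA certificate that signed the token
    token_valid: bool           # assumption: outcome of verifying the token's PKCS#7


@dataclass(frozen=True)
class SignedImage:
    signer_chain_tbs: list[bytes]           # image signer's cert chain, leaf first
    timestamp: Optional[Rfc3161Timestamp]


def timestamp_trusted(ts: Optional[Rfc3161Timestamp], dbt: set[bytes]) -> bool:
    """A timestamp counts only if its token verifies and the TSA cert is listed in dbt."""
    return ts is not None and ts.token_valid and ts.tsa_tbs_hash in dbt


def forbidden_by_dbx(image: SignedImage, dbx: list[DbxX509Sha256],
                     dbt: set[bytes]) -> tuple[bool, str]:
    """Return (forbidden, reason). dbt is only consulted after a dbx hit."""
    for entry in dbx:
        for cert in image.signer_chain_tbs:
            if tbs_hash(cert) != entry.to_be_signed_hash:
                continue
            if entry.time_of_revocation is None:
                return True, "cert in dbx with zero TimeOfRevocation"
            if not timestamp_trusted(image.timestamp, dbt):
                return True, "cert in dbx and no timestamp verified against dbt"
            # Model choice: the signing time must be strictly earlier than the
            # revocation time; a timestamp at or after it does not rescue the image.
            if image.timestamp.signing_time >= entry.time_of_revocation:
                return True, "timestamp not earlier than TimeOfRevocation"
            # Signed before revocation by a dbt-trusted TSA: this entry does not forbid it.
    return False, "no dbx match"


def demo() -> dict[str, bool]:
    """Constructed scenarios with fake certs; returns scenario name -> forbidden."""
    signer = b"constructed TBSCertificate: image signer"
    other = b"constructed TBSCertificate: unrelated signer"
    tsa = b"constructed TBSCertificate: trusted TSA"
    rogue_tsa = b"constructed TBSCertificate: unknown TSA"
    revoked_at = datetime(2019, 7, 1, tzinfo=timezone.utc)
    dbt = {tbs_hash(tsa)}
    dbx_timed = [DbxX509Sha256(tbs_hash(signer), revoked_at)]
    dbx_zero = [DbxX509Sha256(tbs_hash(signer), None)]

    def ts(when: datetime, tsa_cert: bytes = tsa, valid: bool = True) -> Rfc3161Timestamp:
        return Rfc3161Timestamp(when, tbs_hash(tsa_cert), valid)

    before = datetime(2019, 6, 1, tzinfo=timezone.utc)
    after = datetime(2019, 8, 1, tzinfo=timezone.utc)
    cases = {
        "not_in_dbx": (SignedImage([other], ts(before)), dbx_timed),
        "zero_revocation_time": (SignedImage([signer], ts(before)), dbx_zero),
        "signed_before_revocation": (SignedImage([signer], ts(before)), dbx_timed),
        "signed_after_revocation": (SignedImage([signer], ts(after)), dbx_timed),
        "untrusted_tsa": (SignedImage([signer], ts(before, rogue_tsa)), dbx_timed),
        "broken_token": (SignedImage([signer], ts(before, valid=False)), dbx_timed),
        "no_timestamp": (SignedImage([signer], None), dbx_timed),
    }
    return {name: forbidden_by_dbx(img, dbx, dbt)[0] for name, (img, dbx) in cases.items()}


if __name__ == "__main__":
    for name, forbidden in demo().items():
        print(f"{name:26s} {'REJECT' if forbidden else 'allow'}")
```

The point the model makes explicit is the one the spec text buries: dbt never grants trust on its own. It is consulted only once a signer certificate has matched a dbx entry, and it then decides whether the RFC3161 counter-signature is believable enough to compare its signing time against that entry's TimeOfRevocation. An image whose timestamp comes from a TSA not in dbt, or whose token does not verify, is treated exactly like an untimestamped image.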