Hi,
I hope everybody is doing well.
We will have an EBBR call[1] today at 15h UTC/BST.
Also, there will be no call on Dec 19. If practicable for everyone, the meeting after the one today shall be next year on Jan 2 2023 (let's confirm during the call today).
On the agenda[2] today:
- Preparing for version 2.1.0 - Issues[3] scrub - Continue the discussion on Minimum Viable Product (MVP) - Confirm Jan 2 meeting
Feel free to add to the agenda, directly on the wiki page or by e-mail. We can use this pad[4] for the meeting notes.
Best regards,
Vincent Stehlé System Architect - Arm
[1]: https://armltd.zoom.us/j/92081365511?pwd=SFZpRitXUEp3Zy9GM0h3UUZ1b1pnUT09 [2]: https://github.com/ARM-software/ebbr/wiki/EBBR-Meetings [3]: https://github.com/ARM-software/ebbr/issues [4]: https://mensuel.framapad.org/p/ebbr-notes-20221205-9xzm?lang=en
Thank you for attending the call yesterday,
The notes are now on the wiki[1] (feel free to amend if you find any mistake or if anything is missing).
Best regards,
Vincent Stehlé System Architect - Arm
[1]: https://github.com/ARM-software/ebbr/wiki/EBBR-Notes-2022.12.05
All,
I saw the meeting notes on the wiki:
Ilias: PKCS7, ACS, authenticated UEFI variables. U-Boot will not support all types of certificate, probably will break SIE ACS. Need a test using an unsupported certificate in dbx, try to boot, should be rejected by bootloader
Heinrich: edk2 will support all types. At least make sure we support the secure certificate types (e.g. not sha1) Action: Ilias to run SIE ACS on Synquacer, Vincent to follow up with Stuart
Currently the certificates used in the SIE ACS are all X.509, RSA2048, SHA256.
That is also what is reflected in the SCT public spec for the new secure boot tests: https://github.com/stuyod01/edk2-test/blob/secure-boot/uefi-sct/Doc/UEFI-SCT...
What certificate types will u-boot not support?
Thanks, Stuart
On 12/6/22 7:07 AM, Vincent Stehlé wrote:
Thank you for attending the call yesterday,
The notes are now on the wiki[1] (feel free to amend if you find any mistake or if anything is missing).
Best regards,
Vincent Stehlé System Architect - Arm
boot-architecture mailing list -- boot-architecture@lists.linaro.org To unsubscribe send an email to boot-architecture-leave@lists.linaro.org
Hi Stuart,
On Tue, 6 Dec 2022 at 19:58, Stuart Yoder stuart.yoder@arm.com wrote:
All,
I saw the meeting notes on the wiki:
Ilias: PKCS7, ACS, authenticated UEFI variables. U-Boot will not support all types of certificate, probably will break SIE ACS. Need a test using an unsupported certificate in dbx, try to boot, should be rejected by bootloader
Heinrich: edk2 will support all types. At least make sure we support the secure certificate types (e.g. not sha1) Action: Ilias to run SIE ACS on Synquacer, Vincent to follow up with Stuart
Currently the certificates used in the SIE ACS are all X.509, RSA2048, SHA256.
That is also what is reflected in the SCT public spec for the new secure boot tests: https://github.com/stuyod01/edk2-test/blob/secure-boot/uefi-sct/Doc/UEFI-SCT...
Ok thanks. As I said I'll try to run it on hardware and share the results
What certificate types will u-boot not support?
EFI_CERT_RSA2048_GUID, EFI_CERT_RSA2048_SHA256_GUID, EFI_CERT_SHA1_GUID, EFI_CERT_RSA2048_SHA_GUID, EFI_CERT_SHA224_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID,
are currently unsupported. Keep in mind that if U-Boot finds any of those types in DBX, it will unconditionally reject images.
Thanks /Ilias
Thanks, Stuart
On 12/6/22 7:07 AM, Vincent Stehlé wrote:
Thank you for attending the call yesterday,
The notes are now on the wiki[1] (feel free to amend if you find any mistake or if anything is missing).
Best regards,
Vincent Stehlé System Architect - Arm
boot-architecture mailing list -- boot-architecture@lists.linaro.org To unsubscribe send an email to boot-architecture-leave@lists.linaro.org
boot-architecture mailing list -- boot-architecture@lists.linaro.org To unsubscribe send an email to boot-architecture-leave@lists.linaro.org
Hi,
On Wed, 7 Dec 2022 at 19:50, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
Hi Stuart,
On Tue, 6 Dec 2022 at 19:58, Stuart Yoder stuart.yoder@arm.com wrote:
All,
I saw the meeting notes on the wiki:
Ilias: PKCS7, ACS, authenticated UEFI variables. U-Boot will not support all types of certificate, probably will break SIE ACS. Need a test using an unsupported certificate in dbx, try to boot, should be rejected by bootloader
Heinrich: edk2 will support all types. At least make sure we support the secure certificate types (e.g. not sha1) Action: Ilias to run SIE ACS on Synquacer, Vincent to follow up with Stuart
Currently the certificates used in the SIE ACS are all X.509, RSA2048, SHA256.
That is also what is reflected in the SCT public spec for the new secure boot tests: https://github.com/stuyod01/edk2-test/blob/secure-boot/uefi-sct/Doc/UEFI-SCT...
Ok thanks. As I said I'll try to run it on hardware and share the results
What certificate types will u-boot not support?
EFI_CERT_RSA2048_GUID, EFI_CERT_RSA2048_SHA256_GUID, EFI_CERT_SHA1_GUID, EFI_CERT_RSA2048_SHA_GUID, EFI_CERT_SHA224_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID,
are currently unsupported. Keep in mind that if U-Boot finds any of those types in DBX, it will unconditionally reject images.
I don't know anything about this, but why does U-Boot not support those?
Regards, Simon
On 12/7/22 12:49 AM, Ilias Apalodimas wrote:
Hi Stuart,
On Tue, 6 Dec 2022 at 19:58, Stuart Yoder stuart.yoder@arm.com wrote:
All,
I saw the meeting notes on the wiki:
Ilias: PKCS7, ACS, authenticated UEFI variables. U-Boot will not support all types of certificate, probably will break SIE ACS. Need a test using an unsupported certificate in dbx, try to boot, should be rejected by bootloader
Heinrich: edk2 will support all types. At least make sure we support the secure certificate types (e.g. not sha1) Action: Ilias to run SIE ACS on Synquacer, Vincent to follow up with Stuart
Currently the certificates used in the SIE ACS are all X.509, RSA2048, SHA256.
That is also what is reflected in the SCT public spec for the new secure boot tests: https://github.com/stuyod01/edk2-test/blob/secure-boot/uefi-sct/Doc/UEFI-SCT...
Ok thanks. As I said I'll try to run it on hardware and share the results
What certificate types will u-boot not support?
EFI_CERT_RSA2048_GUID, EFI_CERT_RSA2048_SHA256_GUID, EFI_CERT_SHA1_GUID, EFI_CERT_RSA2048_SHA_GUID, EFI_CERT_SHA224_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID,
are currently unsupported. Keep in mind that if U-Boot finds any of those types in DBX, it will unconditionally reject images.
Of the various signature types that can be in db and dbx, the SIE ACS tests the following:
-for db siglists -for certificates: EFI_CERT_X509_GUID -for hashes of images: EFI_CERT_SHA256_GUID
-for dbx siglists -for revocations of certificates: EFI_CERT_X509_GUID -for revocations of certificates by hash: EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID -for revocations of images by hash: EFI_CERT_SHA256_GUID
The reason for picking those is that those GUIDs are the only ones supported by the efitools used in generating test signature lists. Updating efitools with additional GUIDs was out of scope of what we were able to do.
So it would be nice if u-boot supported revocations of EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID.
Thanks, Stuart
On Thu, 8 Dec 2022 at 08:12, Stuart Yoder stuart.yoder@arm.com wrote:
On 12/7/22 12:49 AM, Ilias Apalodimas wrote:
Hi Stuart,
On Tue, 6 Dec 2022 at 19:58, Stuart Yoder stuart.yoder@arm.com wrote:
All,
I saw the meeting notes on the wiki:
Ilias: PKCS7, ACS, authenticated UEFI variables. U-Boot will not support all types of certificate, probably will break SIE ACS. Need a test using an unsupported certificate in dbx, try to boot, should be rejected by bootloader
Heinrich: edk2 will support all types. At least make sure we support the secure certificate types (e.g. not sha1) Action: Ilias to run SIE ACS on Synquacer, Vincent to follow up with Stuart
Currently the certificates used in the SIE ACS are all X.509, RSA2048, SHA256.
That is also what is reflected in the SCT public spec for the new secure boot tests: https://github.com/stuyod01/edk2-test/blob/secure-boot/uefi-sct/Doc/UEFI-SCT...
Ok thanks. As I said I'll try to run it on hardware and share the results
What certificate types will u-boot not support?
EFI_CERT_RSA2048_GUID, EFI_CERT_RSA2048_SHA256_GUID, EFI_CERT_SHA1_GUID, EFI_CERT_RSA2048_SHA_GUID, EFI_CERT_SHA224_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID,
are currently unsupported. Keep in mind that if U-Boot finds any of those types in DBX, it will unconditionally reject images.
Of the various signature types that can be in db and dbx, the SIE ACS tests the following:
-for db siglists -for certificates: EFI_CERT_X509_GUID -for hashes of images: EFI_CERT_SHA256_GUID
-for dbx siglists -for revocations of certificates: EFI_CERT_X509_GUID -for revocations of certificates by hash: EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID
It would be as follows according to [0]? EFI_CERT_SHA256_GUID -> EFI_CERT_X509_SHA256_GUID EFI_CERT_SHA384_GUID -> EFI_CERT_X509_SHA384_GUID EFI_CERT_SHA512_GUID -> EFI_CERT_X509_SHA512_GUID
If so, U-Boot supports these dbx siglists for revocation. EFI_CERT_X509_SHA256_GUID EFI_CERT_X509_SHA384_GUID EFI_CERT_X509_SHA512_GUID
[0] https://github.com/stuyod01/edk2-test/blob/secure-boot/uefi-sct/Doc/UEFI-SCT...
Regards, Masahisa Kojima
-for revocations of images by hash: EFI_CERT_SHA256_GUIDThe reason for picking those is that those GUIDs are the only ones supported by the efitools used in generating test signature lists. Updating efitools with additional GUIDs was out of scope of what we were able to do.
So it would be nice if u-boot supported revocations of EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID.
Thanks, Stuart _______________________________________________ boot-architecture mailing list -- boot-architecture@lists.linaro.org To unsubscribe send an email to boot-architecture-leave@lists.linaro.org
On Thu, Dec 08, 2022 at 10:28:43AM +0900, Masahisa Kojima wrote:
On Thu, 8 Dec 2022 at 08:12, Stuart Yoder stuart.yoder@arm.com wrote:
On 12/7/22 12:49 AM, Ilias Apalodimas wrote:
Hi Stuart,
On Tue, 6 Dec 2022 at 19:58, Stuart Yoder stuart.yoder@arm.com wrote:
All,
I saw the meeting notes on the wiki:
Ilias: PKCS7, ACS, authenticated UEFI variables. U-Boot will not support all types of certificate, probably will break SIE ACS. Need a test using an unsupported certificate in dbx, try to boot, should be rejected by bootloader
Heinrich: edk2 will support all types. At least make sure we support the secure certificate types (e.g. not sha1) Action: Ilias to run SIE ACS on Synquacer, Vincent to follow up with Stuart
Currently the certificates used in the SIE ACS are all X.509, RSA2048, SHA256.
That is also what is reflected in the SCT public spec for the new secure boot tests: https://github.com/stuyod01/edk2-test/blob/secure-boot/uefi-sct/Doc/UEFI-SCT...
Ok thanks. As I said I'll try to run it on hardware and share the results
What certificate types will u-boot not support?
EFI_CERT_RSA2048_GUID, EFI_CERT_RSA2048_SHA256_GUID, EFI_CERT_SHA1_GUID, EFI_CERT_RSA2048_SHA_GUID, EFI_CERT_SHA224_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID,
are currently unsupported. Keep in mind that if U-Boot finds any of those types in DBX, it will unconditionally reject images.
Of the various signature types that can be in db and dbx, the SIE ACS tests the following:
-for db siglists -for certificates: EFI_CERT_X509_GUID -for hashes of images: EFI_CERT_SHA256_GUID
-for dbx siglists -for revocations of certificates: EFI_CERT_X509_GUID -for revocations of certificates by hash: EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID
It would be as follows according to [0]? EFI_CERT_SHA256_GUID -> EFI_CERT_X509_SHA256_GUID EFI_CERT_SHA384_GUID -> EFI_CERT_X509_SHA384_GUID EFI_CERT_SHA512_GUID -> EFI_CERT_X509_SHA512_GUID
If so, U-Boot supports these dbx siglists for revocation. EFI_CERT_X509_SHA256_GUID EFI_CERT_X509_SHA384_GUID EFI_CERT_X509_SHA512_GUID
That's right.
FYI, my pytest in U-Boot repository (test_efi_secboot/test_signed.py) covers all the cases:
-for dbx siglists -for revocations of certificates: EFI_CERT_X509_GUID
Test case 6b
-for revocations of certificates by hash: EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID
Test case 4 and case 7
-for revocations of images by hash: EFI_CERT_SHA256_GUID
Test case 6c
-Takahiro Akashi
[0] https://github.com/stuyod01/edk2-test/blob/secure-boot/uefi-sct/Doc/UEFI-SCT...
Regards, Masahisa Kojima
-for revocations of images by hash: EFI_CERT_SHA256_GUIDThe reason for picking those is that those GUIDs are the only ones supported by the efitools used in generating test signature lists. Updating efitools with additional GUIDs was out of scope of what we were able to do.
So it would be nice if u-boot supported revocations of EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID.
Thanks, Stuart _______________________________________________ boot-architecture mailing list -- boot-architecture@lists.linaro.org To unsubscribe send an email to boot-architecture-leave@lists.linaro.org
boot-architecture mailing list -- boot-architecture@lists.linaro.org To unsubscribe send an email to boot-architecture-leave@lists.linaro.org
On 12/7/22 7:28 PM, Masahisa Kojima wrote:
On Thu, 8 Dec 2022 at 08:12, Stuart Yoder stuart.yoder@arm.com wrote:
On 12/7/22 12:49 AM, Ilias Apalodimas wrote:
Hi Stuart,
On Tue, 6 Dec 2022 at 19:58, Stuart Yoder stuart.yoder@arm.com wrote:
All,
I saw the meeting notes on the wiki:
Ilias: PKCS7, ACS, authenticated UEFI variables. U-Boot will not support all types of certificate, probably will break SIE ACS. Need a test using an unsupported certificate in dbx, try to boot, should be rejected by bootloader
Heinrich: edk2 will support all types. At least make sure we support the secure certificate types (e.g. not sha1) Action: Ilias to run SIE ACS on Synquacer, Vincent to follow up with Stuart
Currently the certificates used in the SIE ACS are all X.509, RSA2048, SHA256.
That is also what is reflected in the SCT public spec for the new secure boot tests: https://github.com/stuyod01/edk2-test/blob/secure-boot/uefi-sct/Doc/UEFI-SCT...
Ok thanks. As I said I'll try to run it on hardware and share the results
What certificate types will u-boot not support?
EFI_CERT_RSA2048_GUID, EFI_CERT_RSA2048_SHA256_GUID, EFI_CERT_SHA1_GUID, EFI_CERT_RSA2048_SHA_GUID, EFI_CERT_SHA224_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID,
are currently unsupported. Keep in mind that if U-Boot finds any of those types in DBX, it will unconditionally reject images.
Of the various signature types that can be in db and dbx, the SIE ACS tests the following:
-for db siglists -for certificates: EFI_CERT_X509_GUID -for hashes of images: EFI_CERT_SHA256_GUID
-for dbx siglists -for revocations of certificates: EFI_CERT_X509_GUID -for revocations of certificates by hash: EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID
It would be as follows according to [0]? EFI_CERT_SHA256_GUID -> EFI_CERT_X509_SHA256_GUID EFI_CERT_SHA384_GUID -> EFI_CERT_X509_SHA384_GUID EFI_CERT_SHA512_GUID -> EFI_CERT_X509_SHA512_GUID
Yes, you are right.
If so, U-Boot supports these dbx siglists for revocation. EFI_CERT_X509_SHA256_GUID EFI_CERT_X509_SHA384_GUID EFI_CERT_X509_SHA512_GUID
Ok, good.
Thanks, Stuart
boot-architecture@lists.linaro.org
-
AKASHI Takahiro -
Ilias Apalodimas -
Masahisa Kojima -
Simon Glass -
Stuart Yoder -
Vincent Stehlé