mirror of
https://github.com/AsahiLinux/u-boot
synced 2024-11-16 01:38:22 +00:00
4540dabdca
With this commit, image validation can be enforced, as UEFI specification
section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled.
Currently we support
* authentication based on db and dbx,
so dbx-validated image will always be rejected.
* following signature types:
EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
EFI_CERT_X509_GUID (x509 certificate for signed images)
Timestamp-based certificate revocation is not supported here.
Internally, authentication data is stored in one of certificates tables
of PE image (See efi_image_parse()) and will be verified by
efi_image_authenticate() before loading a given image.
It seems that UEFI specification defines the verification process
in a bit ambiguous way. I tried to implement it as closely to as
EDK2 does.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
||
|---|---|---|
| .. | ||
| .gitignore | ||
| efi_acpi.c | ||
| efi_bootmgr.c | ||
| efi_boottime.c | ||
| efi_console.c | ||
| efi_device_path.c | ||
| efi_device_path_to_text.c | ||
| efi_device_path_utilities.c | ||
| efi_disk.c | ||
| efi_file.c | ||
| efi_freestanding.c | ||
| efi_gop.c | ||
| efi_hii.c | ||
| efi_hii_config.c | ||
| efi_image_loader.c | ||
| efi_load_initrd.c | ||
| efi_memory.c | ||
| efi_net.c | ||
| efi_rng.c | ||
| efi_root_node.c | ||
| efi_runtime.c | ||
| efi_setup.c | ||
| efi_signature.c | ||
| efi_smbios.c | ||
| efi_unicode_collation.c | ||
| efi_variable.c | ||
| efi_watchdog.c | ||
| helloworld.c | ||
| Kconfig | ||
| Makefile | ||