diff options
author | AKASHI Takahiro | 2020-04-14 11:51:44 +0900 |
---|---|---|
committer | Heinrich Schuchardt | 2020-04-16 08:12:46 +0200 |
commit | 4540dabdcacaea50bf874115f28adc103966d25a (patch) | |
tree | e597a3d1c790760d4d5893da98c39b6fe2e494b7 /include/ioports.h | |
parent | 8353516f4a7e31ee655050033b65218c9733c65a (diff) |
efi_loader: image_loader: support image authentication
With this commit, image validation can be enforced, as UEFI specification
section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled.
Currently we support
* authentication based on db and dbx,
so dbx-validated image will always be rejected.
* following signature types:
EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
EFI_CERT_X509_GUID (x509 certificate for signed images)
Timestamp-based certificate revocation is not supported here.
Internally, authentication data is stored in one of certificates tables
of PE image (See efi_image_parse()) and will be verified by
efi_image_authenticate() before loading a given image.
It seems that UEFI specification defines the verification process
in a bit ambiguous way. I tried to implement it as closely to as
EDK2 does.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Diffstat (limited to 'include/ioports.h')
0 files changed, 0 insertions, 0 deletions