diff options
| author | AKASHI Takahiro <takahiro.akashi@linaro.org> | 2020-07-21 13:35:22 +0300 |
|---|---|---|
| committer | Heinrich Schuchardt <xypron.glpk@gmx.de> | 2020-08-13 23:37:36 +0300 |
| commit | 1115edd8462b047f83fcca4abcf89b68f2d87041 (patch) | |
| tree | 724a209c24bfe0ec2c6ce63341d0a699f6fa8c37 /lib/efi_loader/Kconfig | |
| parent | 0658bb29b026a6af434b9e0cdeced5d25bdd206f (diff) | |
| download | u-boot-1115edd8462b047f83fcca4abcf89b68f2d87041.tar.xz | |
efi_loader: signature: rework for intermediate certificates support
In this commit, efi_signature_verify(with_sigdb) will be re-implemented
using pcks7_verify_one() in order to support certificates chain, where
the signer's certificate will be signed by an intermediate CA (certificate
authority) and the latter's certificate will also be signed by another CA
and so on.
What we need to do here is to search for certificates in a signature,
build up a chain of certificates and verify one by one. pkcs7_verify_one()
handles most of these steps except the last one.
pkcs7_verify_one() returns, if succeeded, the last certificate to verify,
which can be either a self-signed one or one that should be signed by one
of certificates in "db". Re-worked efi_signature_verify() will take care
of this step.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Diffstat (limited to 'lib/efi_loader/Kconfig')
| -rw-r--r-- | lib/efi_loader/Kconfig | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 6017ffe9a6..bad1a29ba8 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -205,6 +205,7 @@ config EFI_SECURE_BOOT select ASYMMETRIC_PUBLIC_KEY_SUBTYPE select X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER + select PKCS7_VERIFY default n help Select this option to enable EFI secure boot support. |