Hi,
I'm now working on implementing UEFI secure boot on U-boot, in particular, adding "dbt" (timestamp-based revocation) support as described in UEFI specification, section 32.5.1 paragraph#7.
# To be honest, the description is quite hard for me to understand.
# I've got what it means only after reading corresponding EDK2 code.
My question is: Is there any signing tool on linux, with which we can directly "timestamp" a PE image with RFC3161-compliant timestamp?
I know that "signtool" in Microsoft's Windows SDK has this feature, but I wonder what tool major distros use for this purpose. (They also need to use windows for creating their own distributions?)
I don't think it is very difficult to add the feature to existing tools like "sbsign," but it would be nice to use "proven" tools for testing.
Thanks,
-Takahiro Akashi
Hi AKASHI,
I believe we (the RH distros) use pesign tool for this [1] but pjones would know all the intricate details of that.
Peter
On Tue, 2 Jul 2019 at 08:32, Peter Robinson pbrobinson@gmail.com wrote:
I believe we (the RH distros) use pesign tool for this [1] but pjones would know all the intricate details of that.
Thanks Peter. Should we want to contribute say "file_fit" to sign FIT image, does this sound reasonable?
[1] https://github.com/rhboot/pesign
On Tue, Jul 2, 2019 at 8:43 AM Francois Ozog francois.ozog@linaro.org wrote:
Thanks Peter. Should we want to contribute say "file_fit" to sign FIT image, does this sound reasonable?
pjones would be the best person to answer to that as he's the maintainer but it sounds fine to me.
Peter
On Tue, Jul 02, 2019 at 08:43:26AM +0100, Francois Ozog wrote:
Thanks Peter. Should we want to contribute say "file_fit" to sign FIT image, does this sound reasonable?
I *dare* want to ask you what you mean by signing FIT image. U-Boot's mkimage tool has a signing feature in a sense, so it would be best to expand its functionality to avoid any confusion.
-Takahiro Akashi
On Wed, 3 Jul 2019 at 02:00, AKASHI Takahiro takahiro.akashi@linaro.org wrote:
I *dare* want to ask you what you mean by signing FIT image. U-Boot's mkimage tool has a signing feature in a sense, so it would be best to expand its functionality to avoid any confusion.
The exact details of signing are specified in different specs.
My view is that in a "signing realm", (say UEFI signing) one should use a consistent set of tools to sign and verify signing. When U-Boot is used in the context of UEFI SecureBoot, we should use a single UEFI signing tool regardless of the nature of the file (PE, FIT, ...). We could use different tools to sign different file types, but if UEFI signing policy changes, you have to change a number of tools, which does not look good to me.
-- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog@linaro.org | Skype: ffozog
On Wed, Jul 03, 2019 at 09:56:58AM +0200, Francois Ozog wrote:
The exact details of signing are specified in different specs.
My view is that in a "signing realm", (say UEFI signing) one should use a consistent set of tools to sign and verify signing.
Even today, distros/vendors use different tools, not many but a few though.
When U-Boot is used in the context of UEFI SecureBoot, we should use a single UEFI signing tool regardless of the nature of the file (PE, FIT, ...). We could use different tools to sign different file types, but if UEFI signing policy changes, you have to change a number of tools, which does not look good to me.
Can you give me an example of "UEFI signing policy" or point to any reference/document? What's important is a well-defined format/rule, not a tool, isn't it? Conformance is a totally different issue.
-Takahiro Akashi
On Wed, 3 Jul 2019 at 10:12, AKASHI Takahiro takahiro.akashi@linaro.org wrote:
Even today, distros/vendors use different tools, not many but a few though.
Each distro can have its signing tool for modules, shared libs or executables. This is good as it fits a "distro signing realm". What shall be in signature, how it is effectively signed can be specific to each realm.
Can you give me an example of "UEFI signing policy" or point to any reference/document?
Isn't section 30 of UEFI spec (2.6) describing a "policy"? UEFI realm GUIDs and stuff like that. Shall this section add a mandatory attribute for next version of signature, signing tools will have to be updated.
What's important is a well-defined format/rule, not a tool, isn't it?
Conformance is a totally different issue.
I hate plugfests. (I spent a big chunk of my life when multiple "conformant" SS7 implementations were not interoperable). Bottom line, I actually do not really care if there is a single tool. I just say that for the next evolution of UEFI signing, we'll depend on multiple tools conformant updates, which may depend on a plugfest.
-- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog@linaro.org | Skype: ffozog
Hi Peter,
On Tue, Jul 02, 2019 at 08:32:02AM +0100, Peter Robinson wrote:
I believe we (the RH distros) use pesign tool for this [1] but pjones would know all the intricate details of that.
Thank you for the reference, but I don't think that it is what I'm looking for.
As far as I know by looking at EDK2's CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c, RFC3161-compliant timestamp is expected to be stored in unauthenticatedAttribute of PKCS7's SignerInfo.
On the other hand, "pesign" tool defines struct SpcSignerInfo with "unsignedAttrs," which I believe is an alias name of unauthenticatedAttribute, but never sets any meaningful data in it.
I hope Peter(pjones) will confirm this.
Thanks,
-Takahiro Akashi
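The check discussed in the message above, as an added example that is not part of the original thread and is not EDK2 or pesign code: a minimal DER walk that reports whether a PKCS#7 SignerInfo carries an attribute of type 1.3.6.1.4.1.311.3.3.1 (the Authenticode RFC 3161 timestamp countersignature OID) in its `[1]` unauthenticatedAttributes field. The function names are hypothetical, the SignerInfo bytes are constructed placeholders, and extracting the SignerInfo from a real PE certificate table is assumed to have been done already.

```python
# DER content bytes of OID 1.3.6.1.4.1.311.3.3.1 (szOID_RFC3161_counterSign).
RFC3161_OID = bytes.fromhex("2b060104018237030301")

def tlv(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def children(buf):
    """Yield (tag, content) for each single-byte-tag TLV in buf."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated TLV header")
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                       # long form: next k bytes hold length
            k = n & 0x7F
            if k == 0:
                raise ValueError("indefinite length is not DER")
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated TLV body")
        yield tag, buf[i:i + n]
        i += n

def has_rfc3161_timestamp(signer_info):
    """True if the [1] unauthenticatedAttributes set holds the timestamp OID."""
    (tag, body), = children(signer_info)   # exactly one outer TLV expected
    if tag != 0x30:
        raise ValueError("SignerInfo must be a SEQUENCE")
    for tag, field in children(body):
        if tag == 0xA1:                    # [1] IMPLICIT SET OF Attribute
            for atag, attr in children(field):
                parts = list(children(attr))
                if atag == 0x30 and parts and parts[0] == (0x06, RFC3161_OID):
                    return True
    return False

def sample_signer_info(unauth_attrs=None):
    """Constructed toy SignerInfo; every field value is a placeholder."""
    body = tlv(0x02, b"\x01") + tlv(0x30, b"") * 3 + tlv(0x04, bytes(256))
    if unauth_attrs is not None:
        body += tlv(0xA1, unauth_attrs)
    return tlv(0x30, body)

TOKEN_ATTR = tlv(0x30, tlv(0x06, RFC3161_OID) + tlv(0x31, tlv(0x30, b"")))  # constructed
```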