Daniel Axtens 4b8fc11877 sbvarsign: do not include PKCS#7 attributes
The UEFI spec (8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2
descriptor) includes the following information about constructing
the PKCS#7 message for the authentication descriptor under
point 4(g):

    SignedData.signerInfos shall be constructed as:
    ...
     - SignerInfo.authenticatedAttributes shall not be present.

sbvarsign does not currently honour this, and generates a PKCS#7
message containing authenticated attributes. This is a snippet from
OpenSSL's printout of a message I reconstructed from an auth file:

         signedAttrs:
            object: contentType (1.2.840.113549.1.9.3)
            set:
              OBJECT:pkcs7-data (1.2.840.113549.1.7.1)

            object: signingTime (1.2.840.113549.1.9.5)
            set:
              UTCTIME:Mar  2 11:20:21 2021 GMT

            object: messageDigest (1.2.840.113549.1.9.4)
            set:
              OCTET STRING:
                0000 - 99 58 87 86 82 82 b6 4b-c4 6a e4 e5 6b   .X.....K.j..k
                000d - 51 39 ac c3 b8 21 24 30-0c 28 e6 e3 aa   Q9...!$0.(...
                001a - 5c 33 c1 80 3f d1                        \3..?.

Tell OpenSSL to stop adding attributes.

This also brings sbvarsign into line with sign-efi-sig-list.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2022-02-21 07:45:56 -05:00
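
A check for the condition described in the commit message above, as an added example (not sbsigntools code): it extracts the PKCS#7 blob from an EFI_VARIABLE_AUTHENTICATION_2 auth file and reports, per SignerInfo, whether signedAttrs is present. The function names are hypothetical and the sample input is constructed (placeholder bodies, an all-zero CertType GUID, no real signature); accepting SignedData both with and without a ContentInfo wrapper is an assumption.

```python
import struct

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    """Elements directly inside the value bytes [start, end)."""
    out = []
    while start < end:
        tag, s, e = read_tlv(buf, start)
        out.append((tag, s, e))
        start = e
    return out

def pkcs7_from_auth(auth):
    """CertData after the 16-byte EFI_TIME and 24-byte WIN_CERTIFICATE_UEFI_GUID header."""
    (dw_length,) = struct.unpack_from("<I", auth, 16)  # dwLength counts the header too
    return auth[40:16 + dw_length]

def signed_attrs_present(pkcs7):
    """One bool per SignerInfo: True if its 4th field is signedAttrs ([0], 0xA0)."""
    _, s, e = read_tlv(pkcs7, 0)
    fields = children(pkcs7, s, e)
    if fields[0][0] == 0x06:  # ContentInfo wrapper: OID, then [0] SignedData
        _, s, e = read_tlv(pkcs7, fields[1][1])
        fields = children(pkcs7, s, e)
    _, s, e = fields[-1]  # signerInfos is the last SignedData field
    return [children(pkcs7, a, b)[3][0] == 0xA0 for _, a, b in children(pkcs7, s, e)]

# --- constructed sample input (placeholder bodies, not a real signature) ---
def der(tag, body=b""):
    n, k = len(body), (len(body).bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + size + body

def sample_auth(with_attrs):
    alg = der(0x30, der(0x06, bytes.fromhex("608648016503040201")))  # sha256
    attrs = der(0xA0, der(0x30)) if with_attrs else b""
    signer = der(0x30, der(0x02, b"\x01") + der(0x30) + alg + attrs + alg + der(0x04, bytes(256)))
    data = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010701")))  # pkcs7-data
    p7 = der(0x30, der(0x02, b"\x01") + der(0x31, alg) + data + der(0x31, signer))
    return bytes(16) + struct.pack("<IHH", 24 + len(p7), 0x0200, 0x0EF1) + bytes(16) + p7
```

Any `True` in the result for a real auth file means the descriptor carries authenticated attributes, which is the condition the quoted spec text forbids.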
docs docs: add man page for sbkeysync 2020-06-06 17:22:39 -07:00
lib autoconfiscate 2012-05-28 22:35:48 +08:00
src sbvarsign: do not include PKCS#7 attributes 2022-02-21 07:45:56 -05:00
tests Tests: Add intermediate certificate tests to the sign-verify cases 2020-06-05 18:34:55 -07:00
.gitmodules Move ccan submodule 2012-05-24 15:17:18 +08:00
autogen.sh Update the PE checksum field using the somewhat-underdocumented 2016-01-27 11:38:00 -08:00
configure.ac Version 0.9.4 2020-06-11 16:32:13 -07:00
COPYING license: Add OpenSSL exception to GPLv3 terms 2012-06-28 15:06:31 +08:00
LICENSE.GPLv3 license: Add OpenSSL exception to GPLv3 terms 2012-06-28 15:06:31 +08:00
Makefile.am Move sources to src/ subdirectory 2012-08-13 15:10:21 +08:00
NEWS sbkeysync: change default efivarfs mountpoint to /sys/.../efivars/ 2012-10-08 12:07:43 +08:00
README README: update git location and add mailing list information 2020-01-09 09:29:39 -08:00

sbsigntool - Signing utility for UEFI secure boot

  Copyright (C) 2102 Jeremy Kerr <jeremy.kerr@canonical.com>

  Copying and distribution of this file, with or without modification,
  are permitted in any medium without royalty provided the copyright
  notice and this notice are preserved.

See file ./INSTALL for building and installation instructions.

Original development was done at:
  git://kernel.ubuntu.com/jk/sbsigntool.git

The current maintained fork resides at:

  https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/

And a very low volume mailing list for bugs and patches is set up at

 sbsigntools@groups.io

Thanks to groups.io policies, non-members can post to this list, but
non-member postings are moderated until released (so they won't show
up immediately).  The list archives are available:

 https://groups.io/g/sbsigntools/topics

sbsigntool is free software.  See the file COPYING for copying conditions.