diff options
| author | Eric Snowberg <eric.snowberg@oracle.com> | 2022-02-01 15:49:51 -0500 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2022-05-17 18:30:52 -0400 |
| commit | 35d7378d29b9ad6f664df20efc4121e210859e65 (patch) | |
| tree | 40fe172a4f6049fcc14f495405e42876cd4aed96 /Cryptlib/Cipher | |
| parent | acfd48f45b9047fc07b0a184feb91ae31aa41a21 (diff) | |
| download | efi-boot-shim-35d7378d29b9ad6f664df20efc4121e210859e65.tar.gz efi-boot-shim-35d7378d29b9ad6f664df20efc4121e210859e65.zip | |
Load additional certs from a signed binary
Heavily inspired by Matthew Garrett's patch "Allow additional certificates
to be loaded from a signed binary".
Add support for loading a binary, verifying its signature, and then
scanning it for embedded certificates. This is intended to make it
possible to decouple shim builds from vendor signatures. In order to
add new signatures to shim, an EFI Signature List should be generated
and then added to the .db section of a well-formed EFI binary. This
binary should then be signed with a key that shim already trusts (either
a built-in key, one present in the platform firmware or
one present in MOK) and placed in the same directory as shim with a
filename starting "shim_certificate" (eg, "shim_certificate_oracle").
Shim will read multiple files and incorporate the signatures from all of
them. Note that each section *must* be an EFI Signature List, not a raw
certificate.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Diffstat (limited to 'Cryptlib/Cipher')
0 files changed, 0 insertions, 0 deletions