Implement the CodeSign EKU check to fulfill the requirements of NIAP OS_PP. - efi-boot-shim.git - (mirror of https://github.com/vyos/efi-boot-shim.git)

diff options

author	Gary Lin <glin@suse.com>	2024-06-05 15:31:04 +0800
committer	Peter Jones <pjones@redhat.com>	2025-02-05 09:18:45 -0500
commit	15c1a9a310645ceb958587fe000d5f60ed3bc4bd (patch)
tree	f56a86c3c8b0af45f6f982dd0d00b67186f41646 /lib/execute.c
parent	e886fb35ad02c3d1aadb974aec7ded3451ea557f (diff)
download	efi-boot-shim-15c1a9a310645ceb958587fe000d5f60ed3bc4bd.tar.gz efi-boot-shim-15c1a9a310645ceb958587fe000d5f60ed3bc4bd.zip

Implement the CodeSign EKU check to fulfill the requirements of NIAP OS_PP.

Also modify the ModSign EKU check to use VerifyEKUsInPkcs7Signature() to check the signer certificate instead of the certificate directly from the key database. This commit supersedes the PR#232 and PR#661 (Apply the EKU checks) so that author's original codes can be quite independent of other modification. To answer the question in PR#232, author also changed the conditional statement to EFI_Status != EFI_SUCCESS right after VerifyEKUsInPkcs7Signature() in Cryptlib/Pk/CryptPkcs7Verify.c Signed-off-by: Dennis Tseng <dennis.tseng@suse.com> Signed-off-by: Gary Lin <glin@suse.com>

Diffstat (limited to 'lib/execute.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: