review.tizen.org Git - platform/kernel/u-boot.git/commit

author	AKASHI Takahiro <takahiro.akashi@linaro.org>
	Tue, 21 Jul 2020 10:35:22 +0000 (19:35 +0900)
committer	Heinrich Schuchardt <xypron.glpk@gmx.de>
	Thu, 13 Aug 2020 20:37:36 +0000 (22:37 +0200)
commit	1115edd8462b047f83fcca4abcf89b68f2d87041
tree	724a209c24bfe0ec2c6ce63341d0a699f6fa8c37	tree \| snapshot
parent	0658bb29b026a6af434b9e0cdeced5d25bdd206f	commit \| diff

efi_loader: signature: rework for intermediate certificates support

In this commit, efi_signature_verify(with_sigdb) will be re-implemented
using pcks7_verify_one() in order to support certificates chain, where
the signer's certificate will be signed by an intermediate CA (certificate
authority) and the latter's certificate will also be signed by another CA
and so on.

What we need to do here is to search for certificates in a signature,
build up a chain of certificates and verify one by one. pkcs7_verify_one()
handles most of these steps except the last one.

pkcs7_verify_one() returns, if succeeded, the last certificate to verify,
which can be either a self-signed one or one that should be signed by one
of certificates in "db". Re-worked efi_signature_verify() will take care
of this step.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

include/efi_loader.h		diff \| blob \| history
lib/efi_loader/Kconfig		diff \| blob \| history
lib/efi_loader/efi_image_loader.c		diff \| blob \| history
lib/efi_loader/efi_signature.c		diff \| blob \| history
lib/efi_loader/efi_variable.c		diff \| blob \| history