Authenticated variable tests, now time based auth variable only allow SHA256.
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Firmware Test Suite |
Fix Released
|
Undecided
|
Ivan Hu | ||
Bug Description
We test failed on fwts UEFI test, uefirtauthvar: Authenticated variable tests
Test 1 of 12: Create authenticated variable test.
FAILED [HIGH] Failed to create authenticated variable with UEFI runtime service.
Return status: EFI_SECURITY_
This fail disappear after I revert an EDKII change.
---
Revision: c035e37335ae432
Author: Zhang Lubo <email address hidden>
Date: 1/5/2017 2:58:05 PM
Message:
SecurityPkg: enhance secure boot Config Dxe & Time Based AuthVariable.
V3: code clean up
prohibit Image SHA-1 hash option in SecureBootConfi
Timebased Auth Variable driver should ensure AuthAlgorithm
is SHA256 before further verification
---
The EDKII change of AuthService.c file is corresponding to UEFI spec 2.7 CH. 8.2.1 """Only a digest algorithm of SHA-256 is accepted."""
So, there might be something wrong in fwts set auth variable test.
| Derek Lin (dereklin) wrote | #1 |
| Changed in fwts: | |
| assignee: | nobody → Ivan Hu (ivan.hu) |
| Ivan Hu (ivan.hu) wrote | #2 |
| Changed in fwts: | |
| status: | New → In Progress |
| Ivan Hu (ivan.hu) wrote | #3 |
| Changed in fwts: | |
| status: | In Progress → Fix Released |
| Derek Lin (dereklin) wrote | #4 |
This bug is due to the auth test data is follow the typical ASN.1 structure of PKCS7 Signature
ContentInfo {
contentType = 1.2.840.
content {
SignedData {
version = 1
...
}
}
}
But in the UEFI spec defined only needs the SignedData as the certificate data.