Authenticated variable tests: time-based auth variables now only allow SHA256.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Firmware Test Suite | Fix Released | Undecided | Ivan Hu |
Bug Description
Our test failed on the fwts UEFI test uefirtauthvar (Authenticated variable tests):
Test 1 of 12: Create authenticated variable test.
FAILED [HIGH] Failed to create authenticated variable with UEFI runtime service.
Return status: EFI_SECURITY_
This failure disappears after I revert an EDKII change.
---
Revision: c035e37335ae432
Author: Zhang Lubo <email address hidden>
Date: 1/5/2017 2:58:05 PM
Message:
SecurityPkg: enhance secure boot Config Dxe & Time Based AuthVariable.
V3: code clean up
prohibit Image SHA-1 hash option in SecureBootConfi
Timebased Auth Variable driver should ensure AuthAlgorithm
is SHA256 before further verification
---
The EDKII change to the AuthService.c file corresponds to UEFI spec 2.7 ch. 8.2.1: "Only a digest algorithm of SHA-256 is accepted."
So there might be something wrong in the fwts set-auth-variable test.
Changed in fwts:
assignee: nobody → Ivan Hu (ivan.hu)
This bug is due to the auth test data following the typical ASN.1 structure of a PKCS7 signature:

```
ContentInfo {
    contentType = 1.2.840.113549.1.7.2   // (signedData)
    content {
        SignedData {
            version = 1
            ...
        }
    }
}
```

But the UEFI spec defines that only the SignedData is needed as the certificate data.
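The two points this bug turns on (a bare PKCS#7 SignedData rather than a ContentInfo wrapper, and SHA-256 as the only accepted digest algorithm) can be checked directly on the DER bytes of a time-based authenticated variable's AuthInfo.CertData. The following is an added example written for this page, not fwts or EDKII code; the `check_cert_data` function and the sample DER blobs (trimmed to version and digestAlgorithms only) are constructed here for illustration.

```python
# Added example, not fwts or EDKII code; the sample DER below is constructed.
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"   # PKCS#7 signedData content type
OID_SHA256 = "2.16.840.1.101.3.4.2.1"      # id-sha256

def der_read(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the DER TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:  # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def oid_decode(body: bytes) -> str:
    """Decode an OBJECT IDENTIFIER body into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def check_cert_data(cert_data: bytes) -> str:
    """Return 'ok' or the reason the firmware would reject this CertData."""
    tag, body, _ = der_read(cert_data, 0)
    if tag != 0x30:
        return "not a SEQUENCE"
    t0, b0, p = der_read(body, 0)
    if t0 == 0x06 and oid_decode(b0) == OID_SIGNED_DATA:
        return "ContentInfo wrapper present; UEFI expects bare SignedData"
    if t0 != 0x02:  # SignedData begins with INTEGER version
        return "not a SignedData"
    t1, algs, _ = der_read(body, p)  # digestAlgorithms: SET OF AlgorithmIdentifier
    if t1 != 0x31:
        return "digestAlgorithms missing"
    q = 0
    while q < len(algs):
        _, alg, q = der_read(algs, q)   # one AlgorithmIdentifier SEQUENCE
        _, oid, _ = der_read(alg, 0)    # its algorithm OID
        if oid_decode(oid) != OID_SHA256:
            return f"digest algorithm {oid_decode(oid)} is not SHA-256"
    return "ok"

# Constructed samples: SignedData cut down to version + digestAlgorithms.
SHA256_ALG = "300d0609608648016503040201" + "0500"
BARE_SIGNED_DATA = bytes.fromhex("3014" "020101" "310f" + SHA256_ALG)
WRAPPED = bytes.fromhex("3023" "06092a864886f70d010702" "a016") + BARE_SIGNED_DATA
SHA1_SIGNED_DATA = bytes.fromhex("3010" "020101" "310b" "3009" "06052b0e03021a" "0500")
```

Running `check_cert_data` on the three samples shows the bare SHA-256 SignedData passing, the ContentInfo-wrapped form being rejected for its wrapper, and a SHA-1 SignedData being rejected for its digest algorithm.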