[Skiboot] [PATCH 2/2] secvar/backend: add EFI_CERT_RSA2048_GUID

Nick Child nnac123 at gmail.com
Sat May 8 03:11:02 AEST 2021


After going down a bit of a rabbit hole looking for the significance of
`EFI_CERT_RSA2048_GUID` in secvarctl (a package which depends on skiboot),
I have come to the conclusion that the uuid is not directly imperative to
any secvarctl or skiboot processes. This GUID is only contained in an ESL
if it contains an RSA key, which is invalid since, for secvar purposes, we
only accept ESLs which contain X509s (or hashes if the ESL is for the dbx
secvar). That being said, it is useful for things like error messages (or
logs in skiboot's case) because we tell the user "your ESL is invalid
because it contains an RSA key, go put this thing in an x509" or something
like that. Its origins are from tianocore and I likely added it to
secvarctl since it appeared relevant when I was just starting my project.
Sorry for rambling, but what I am getting at is: as of now,
`EFI_CERT_RSA2048_GUID` is useful solely for telling the user what data we
do not accept. This GUID may have been useful in the past and it may become
useful in the future, but for now it is not directly useful to any secvar
update process. That being said, I see no harm in adding it to skiboot. Of
course the decision is the maintainers' to make; I just hope this gives some
useful context.

-Nick Child
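Added example (not skiboot or secvarctl code) showing the acceptance rule described above as a check over an EFI_SIGNATURE_LIST header: X509 lists pass, hash lists pass only for dbx, and an RSA2048 list is named specifically in the message rather than reported as an unknown type. The X509 and SHA256 GUID byte values are the EDK2 encodings (first three fields little-endian, as in edk2.h); the function and enum names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

typedef struct { uint8_t b[16]; } uuid_t;

/* EDK2 GUID encodings, same byte layout as the definitions in edk2.h */
static const uuid_t EFI_CERT_X509_GUID    = {{ 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 }};
static const uuid_t EFI_CERT_SHA256_GUID  = {{ 0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }};
static const uuid_t EFI_CERT_RSA2048_GUID = {{ 0xe8, 0x66, 0x57, 0x3c, 0x9c, 0x26, 0x34, 0x4e, 0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6 }};

enum esl_verdict { ESL_OK = 0, ESL_TOO_SHORT, ESL_BAD_SIZE, ESL_RSA_KEY, ESL_HASH_NOT_DBX, ESL_UNKNOWN_TYPE };

/* EFI_SIGNATURE_LIST header: SignatureType[16], then SignatureListSize,
 * SignatureHeaderSize and SignatureSize as little-endian u32 */
#define ESL_HDR_LEN 28

static uint32_t le32(const uint8_t *p)
{
	return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int uuid_eq(const uint8_t *p, const uuid_t *u) { return memcmp(p, u->b, 16) == 0; }

/* Classify an ESL by its SignatureType; *msg receives the text a log line would carry. */
enum esl_verdict check_esl(const uint8_t *esl, size_t len, int is_dbx, const char **msg)
{
	if (len < ESL_HDR_LEN) { *msg = "ESL shorter than its header"; return ESL_TOO_SHORT; }
	uint32_t list_size = le32(esl + 16);
	if (list_size < ESL_HDR_LEN || list_size > len) { *msg = "SignatureListSize inconsistent with buffer"; return ESL_BAD_SIZE; }
	if (uuid_eq(esl, &EFI_CERT_X509_GUID)) { *msg = "ok: X509 certificate list"; return ESL_OK; }
	if (uuid_eq(esl, &EFI_CERT_SHA256_GUID)) {
		if (is_dbx) { *msg = "ok: SHA256 hash list for dbx"; return ESL_OK; }
		*msg = "hash lists are only accepted for dbx"; return ESL_HASH_NOT_DBX;
	}
	if (uuid_eq(esl, &EFI_CERT_RSA2048_GUID)) { *msg = "ESL contains a raw RSA2048 key; wrap it in an X509 certificate"; return ESL_RSA_KEY; }
	*msg = "unrecognised SignatureType GUID"; return ESL_UNKNOWN_TYPE;
}

/* Constructed input for demonstration: a bare ESL header of the given type
 * with SignatureListSize set to list_size, presented as a buffer of len bytes. */
enum esl_verdict classify_constructed(const uuid_t *type, uint32_t list_size, size_t len, int is_dbx, const char **msg)
{
	uint8_t buf[ESL_HDR_LEN] = { 0 };
	memcpy(buf, type->b, 16);
	buf[16] = list_size & 0xff; buf[17] = (list_size >> 8) & 0xff;
	buf[18] = (list_size >> 16) & 0xff; buf[19] = (list_size >> 24) & 0xff;
	return check_esl(buf, len < ESL_HDR_LEN ? len : ESL_HDR_LEN, is_dbx, msg);
}
```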

On Tue, May 4, 2021 at 11:56 PM Daniel Axtens <dja at axtens.net> wrote:

> This isn't currently used in skiboot but may be used by external
> users of skiboot's secvar code.
>
> Signed-off-by: Daniel Axtens <dja at axtens.net>
> ---
>  libstb/secvar/backend/edk2.h | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/libstb/secvar/backend/edk2.h b/libstb/secvar/backend/edk2.h
> index 85e117861dff..ef6d7c79e7ff 100644
> --- a/libstb/secvar/backend/edk2.h
> +++ b/libstb/secvar/backend/edk2.h
> @@ -83,6 +83,8 @@ static const uuid_t EFI_CERT_SHA384_GUID = {{ 0x07,
> 0x53, 0x3e, 0xff, 0xd0, 0x9f
>
>  static const uuid_t EFI_CERT_SHA512_GUID = {{ 0xae, 0x0f, 0x3e, 0x09,
> 0xc4, 0xa6, 0x50, 0x4f, 0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a }};
>
> +static const uuid_t EFI_CERT_RSA2048_GUID = {{ 0xe8, 0x66, 0x57, 0x3c,
> 0x9c, 0x26, 0x34, 0x4e, 0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6 }};
> +
>  #define EFI_VARIABLE_NON_VOLATILE                              0x00000001
>  #define EFI_VARIABLE_BOOTSERVICE_ACCESS
> 0x00000002
>  #define EFI_VARIABLE_RUNTIME_ACCESS                            0x00000004
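Review bot: the new definition has no in-tree consumer, so a one-line comment beside it saying it is exported for external secvar users and that the backend does not accept RSA2048 lists (only X509, or hashes for dbx) would stop the next reader from hunting for a use. The byte order follows the same mixed-endian encoding as the adjacent EFI_CERT_SHA512_GUID line, decoding to 3c5766e8-269c-4e34-aa14-ed776e85b3b6, so the value itself looks right.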
> --
> 2.27.0
>