[Skiboot] [PATCH 2/2] secvar/backend: add EFI_CERT_RSA2048_GUID

Vasant Hegde hegdevasant at linux.vnet.ibm.com
Thu May 13 23:53:50 AEST 2021

On 5/10/21 12:25 PM, Daniel Axtens wrote:
> Hi Nick,
>> After going down a bit of a rabbit hole looking for the significance of
>> `EFI_CERT_RSA2048_GUID` in secvarctl (a package which depends on skiboot),
>> I have come to the conclusion that the UUID is not directly imperative to
>> any secvarctl or skiboot processes. This GUID is only contained in an ESL
>> if it contains an RSA key, which is invalid since, for secvar purposes, we
>> only accept ESLs which contain X509s (or hashes if the ESL is for the dbx
>> secvar). That being said, it is useful for things like error messages (or
>> logs in skiboot's case) because we tell the user "your ESL is invalid
>> because it contains an RSA key, go put this thing in an x509" or something
>> like that. Its origins are from tianocore and I likely added it to
>> secvarctl since it appeared relevant when I was just starting my project.
>> Sorry for rambling, but what I am getting at is: as of now,
>> `EFI_CERT_RSA2048_GUID` is useful solely for telling the user what data we
>> do not accept. This GUID may have been useful in the past and it may become
>> useful in the future, but for now it is not directly useful to any secvar
>> update process. That being said, I see no harm in adding it to skiboot. Of
>> course the decision is the maintainers' to make, I just hope this gives some
>> useful context.
>> -Nick Child
> Thanks for the background!
> I would say that given that the definition won't end up in skiboot
> binaries unless it's referenced in skiboot code, and that it is used to
> make error messages more helpful in secvarctl, it's worth having. But
> I'm OK either way.

Thanks Daniel and Nick for the patch and the detailed background explanation.
I decided to merge this series. Merged to master as of c44b8891ca.
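Nick's point above (the RSA2048 GUID is never accepted by secvar, it only lets the tooling name what was rejected) can be made concrete. The block below is an added example written for this page in C; it is not code from skiboot or secvarctl. It parses the 28-byte EFI_SIGNATURE_LIST header, bounds the three size fields before trusting them, accepts an X.509 list for any variable and a SHA-256 hash list only for dbx, and turns EFI_CERT_RSA2048_GUID into a specific message instead of a generic "unknown type" rejection. The GUID byte values are the ones defined in the UEFI specification; `check_esl`, `build_esl` and the verdict enum are names chosen for this example, and the ESL contents built in `main` are constructed test data, not real certificates.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes) followed by
 * SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32, little-endian). */
#define ESL_HDR_SIZE 28u
#define GUID_SIZE    16u

/* Signature-type GUIDs from the UEFI specification, in on-disk byte order
 * (Data1..Data3 little-endian, Data4 bytes as written). */
static const uint8_t EFI_CERT_X509_GUID[GUID_SIZE] = {
    0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
    0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 };
static const uint8_t EFI_CERT_SHA256_GUID[GUID_SIZE] = {
    0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
    0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 };
static const uint8_t EFI_CERT_RSA2048_GUID[GUID_SIZE] = {
    0xe8, 0x66, 0x57, 0x3c, 0x9c, 0x26, 0x34, 0x4e,
    0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6 };

enum esl_verdict {
    ESL_OK = 0,
    ESL_ERR_TRUNCATED,     /* buffer shorter than the header */
    ESL_ERR_BAD_SIZE,      /* size fields do not tile the list */
    ESL_ERR_RSA_KEY,       /* EFI_CERT_RSA2048_GUID: raw key, not a certificate */
    ESL_ERR_HASH_NOT_DBX,  /* hash list offered for a variable other than dbx */
    ESL_ERR_UNKNOWN_TYPE,
};

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff;         p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Hypothetical ESL gate (not skiboot's secvar code): returns a verdict and
 * sets *reason to a message suitable for a log line. */
enum esl_verdict check_esl(const uint8_t *buf, size_t len, bool is_dbx,
                           const char **reason)
{
    if (len < ESL_HDR_SIZE) {
        *reason = "ESL shorter than its 28-byte header";
        return ESL_ERR_TRUNCATED;
    }
    uint32_t list_size = get_le32(buf + 16);
    uint32_t hdr_size  = get_le32(buf + 20);
    uint32_t sig_size  = get_le32(buf + 24);

    /* Size fields come from the update author: bound each one before use. */
    if (list_size < ESL_HDR_SIZE || list_size > len) {
        *reason = "SignatureListSize inconsistent with buffer length";
        return ESL_ERR_BAD_SIZE;
    }
    /* Each EFI_SIGNATURE_DATA carries a 16-byte SignatureOwner before its payload,
     * and the entries must exactly fill what follows the optional header. */
    if (sig_size <= GUID_SIZE ||
        (uint64_t)hdr_size + sig_size > list_size - ESL_HDR_SIZE ||
        (list_size - ESL_HDR_SIZE - hdr_size) % sig_size != 0) {
        *reason = "SignatureHeaderSize/SignatureSize do not tile the list";
        return ESL_ERR_BAD_SIZE;
    }

    if (memcmp(buf, EFI_CERT_X509_GUID, GUID_SIZE) == 0) {
        *reason = "X.509 certificate list";
        return ESL_OK;
    }
    if (memcmp(buf, EFI_CERT_SHA256_GUID, GUID_SIZE) == 0) {
        if (!is_dbx) {
            *reason = "SHA-256 hash list is only accepted for dbx";
            return ESL_ERR_HASH_NOT_DBX;
        }
        *reason = "SHA-256 hash list for dbx";
        return ESL_OK;
    }
    /* Knowing the RSA2048 GUID changes nothing about verification; it only
     * lets the rejection say what was actually supplied. */
    if (memcmp(buf, EFI_CERT_RSA2048_GUID, GUID_SIZE) == 0) {
        *reason = "ESL carries a raw RSA-2048 public key; "
                  "wrap the key in an X.509 certificate instead";
        return ESL_ERR_RSA_KEY;
    }
    *reason = "unrecognised SignatureType GUID";
    return ESL_ERR_UNKNOWN_TYPE;
}

/* Build a constructed one-entry ESL (zero SignatureOwner, no SignatureHeader). */
size_t build_esl(uint8_t *out, size_t cap, const uint8_t *type,
                 const uint8_t *data, uint32_t data_len)
{
    uint32_t sig_size = GUID_SIZE + data_len;
    uint32_t total = ESL_HDR_SIZE + sig_size;
    if (total > cap) return 0;
    memcpy(out, type, GUID_SIZE);
    put_le32(out + 16, total);
    put_le32(out + 20, 0);
    put_le32(out + 24, sig_size);
    memset(out + ESL_HDR_SIZE, 0, GUID_SIZE);
    memcpy(out + ESL_HDR_SIZE + GUID_SIZE, data, data_len);
    return total;
}

int main(void)
{
    uint8_t esl[128];
    const uint8_t dummy[4] = { 0x30, 0x82, 0x01, 0x00 }; /* constructed stand-in */
    const char *why;
    size_t n = build_esl(esl, sizeof esl, EFI_CERT_RSA2048_GUID, dummy, sizeof dummy);
    enum esl_verdict v = check_esl(esl, n, false, &why);
    printf("verdict %d: %s\n", v, why);
    return v == ESL_ERR_RSA_KEY ? 0 : 1;
}
```

The size checks run before the GUID comparison on purpose: a list whose SignatureType is acceptable but whose SignatureSize does not divide the remaining bytes is still malformed, and rejecting it first keeps later walkers of the entries from reading past the buffer.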
