*1) Code First Process* UEFI spec release is published at https://github.com/UEFI/UEFI-Specification-Release.
People can fork and create their own repo and create PR for their own repo (NOT for UEFI spec release repo). Backlog ( https://github.com/orgs/tianocore/projects/10/views/1 ) was updated and had associated UEFI spec PR there. *2) Old issue refresh* https://github.com/tianocore/edk2/issues/12561 It has no PR yet. Wait for Doug's back. *3) Discussion for image verification* https://github.com/microsoft/mu_basecore/pull/1809 -- First Jiewen created a table to summarize the image verification rule ( https://github.com/microsoft/mu_basecore/pull/1809#issuecomment-4715281246 ) Two clarifications: A) Clarify certificate chain trust anchor semantics for db/dbx validation. James and Peter confirmed that revocation should start from the trust anchor, not the full cert chain. B) Clarify digital signature verification in addition to db/dbx checks. Sean will review the table as well. Jiewen mentioned that we need create test cases to cover all those scenario. *AR: Jiewen* to review the multiple signature code first spec PR and prototype PR to ensure these are covered. -- Second Sean raised question on Pkcs7VerifyDxe driver update. Jiewen suggested to create some common and testable code for both ImageVerificationLib and Pkcs7VerifyDxe driver. ( https://github.com/microsoft/mu_basecore/pull/1809#issuecomment-4716235311 ) The goal is to share code, because the verification logic becomes very complicated. We agree the direction to shared code and will do some prototype work. ( *AR: Jiewen/Sean* ) *4) Open: Verification Status reporting.* Question: Since we added multiple signature support, image verification becomes more complicated. Is there any error reporting mechanism to let end user know what the failure is? Current UEFI spec defined Image Execution Information Table ( https://uefi.org/specs/UEFI/2.11/32_Secure_Boot_and_Driver_Signing.html#image-execution-information-table ). It only reports final image state, but not intermediate state for multiple signature use case. This table was added with Audit mode and presented different information based on Audit mode ON/OFF. Currently, NO OS loader or application is consuming this table. Another concern: No sure how to see this information if an OS application is rejected. Do we need OEM to implement setup UI to show the info? Summary: This table seems not used, and seems not useful now. Can we deprecate or remove it? If we really really want something, this table might NOT be enough (e.g. multiple signature verification state is missing). Also we need a way to present this info to end user (maybe setup UI). *AR: Sean* to submit Code First proposal for Image Execution Information Table deprecation or removal. We can think through and discuss again next week. Thank you Yao, Jiewen -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#121998): https://edk2.groups.io/g/devel/message/121998 Mute This Topic: https://groups.io/mt/119861094/21656 Group Owner: [email protected] Unsubscribe: https://edk2.groups.io/g/devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
