*1) Code First Process*

UEFI spec release is published at 
https://github.com/UEFI/UEFI-Specification-Release.

People can fork and create their own repo and create PR for their own repo (NOT 
for UEFI spec release repo).

Backlog ( https://github.com/orgs/tianocore/projects/10/views/1 ) was updated 
and had associated UEFI spec PR there.

*2) Old issue refresh*

https://github.com/tianocore/edk2/issues/12561

It has no PR yet. Wait for Doug's back.

*3) Discussion for image verification*

https://github.com/microsoft/mu_basecore/pull/1809

-- First

Jiewen created a table to summarize the image verification rule ( 
https://github.com/microsoft/mu_basecore/pull/1809#issuecomment-4715281246 )

Two clarifications:
A) Clarify certificate chain trust anchor semantics for db/dbx validation.

James and Peter confirmed that revocation should start from the trust anchor, 
not the full cert chain.

B) Clarify digital signature verification in addition to db/dbx checks.

Sean will review the table as well.

Jiewen mentioned that we need create test cases to cover all those scenario.

*AR: Jiewen* to review the multiple signature code first spec PR and prototype 
PR to ensure these are covered.

-- Second

Sean raised question on Pkcs7VerifyDxe driver update.
Jiewen suggested to create some common and testable code for both 
ImageVerificationLib and Pkcs7VerifyDxe driver. ( 
https://github.com/microsoft/mu_basecore/pull/1809#issuecomment-4716235311 )

The goal is to share code, because the verification logic becomes very 
complicated.

We agree the direction to shared code and will do some prototype work. ( *AR: 
Jiewen/Sean* )

*4) Open: Verification Status reporting.*

Question: Since we added multiple signature support, image verification becomes 
more complicated. Is there any error reporting mechanism to let end user know 
what the failure is?

Current UEFI spec defined Image Execution Information Table ( 
https://uefi.org/specs/UEFI/2.11/32_Secure_Boot_and_Driver_Signing.html#image-execution-information-table
 ).

It only reports final image state, but not intermediate state for multiple 
signature use case.

This table was added with Audit mode and presented different information based 
on Audit mode ON/OFF.

Currently, NO OS loader or application is consuming this table.

Another concern: No sure how to see this information if an OS application is 
rejected. Do we need OEM to implement setup UI to show the info?

Summary:
This table seems not used, and seems not useful now. Can we deprecate or remove 
it?
If we really really want something, this table might NOT be enough (e.g. 
multiple signature verification state is missing). Also we need a way to 
present this info to end user (maybe setup UI).

*AR: Sean* to submit Code First proposal for Image Execution Information Table 
deprecation or removal.
We can think through and discuss again next week.

Thank you
Yao, Jiewen


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#121998): https://edk2.groups.io/g/devel/message/121998
Mute This Topic: https://groups.io/mt/119861094/21656
Group Owner: [email protected]
Unsubscribe: https://edk2.groups.io/g/devel/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-


Reply via email to