On 08/12/2025 22.32, Zhuoying Cai wrote:
From: Collin Walling <[email protected]>DIAG 508 subcode 1 performs signature-verification on signed components. A signed component may be a Linux kernel image, or any other signed binary. **Verification of initrd is not supported.** The instruction call expects two item-pairs: an address of a device component, an address of the analogous signature file (in PKCS#7 DER format), and their respective lengths. All of this data should be encapsulated within a Diag508SigVerifBlock. The DIAG handler will read from the provided addresses to retrieve the necessary data, parse the signature file, then perform the signature-verification. Because there is no way to correlate a specific certificate to a component, each certificate in the store is tried until either verification succeeds, or all certs have been exhausted. A return code of 1 indicates success, and the index and length of the corresponding certificate will be set in the Diag508SigVerifBlock. The following values indicate failure: 0x0102: no certificates are available in the store 0x0202: component data is invalid 0x0302: PKCS#7 format signature is invalid 0x0402: signature-verification failed 0x0502: length of Diag508SigVerifBlock is invalid Signed-off-by: Collin Walling <[email protected]> Signed-off-by: Zhuoying Cai <[email protected]> ---
Reviewed-by: Thomas Huth <[email protected]>
