On Wed, 2019-12-04 at 14:33 +0000, Paul Moore (pmoore2) wrote:
> 
> Can you elaborate a bit more on what you mean by "the root of
> certificate"?  Alternatively, could you upload the kernel and signing
> certificate somewhere I could grab so I can play with it?
> 

Maybe I used the wrong words; I am talking about the pkcs1_search_signer
function and the following lines:

  if (!asn1_blob_cmp(&entry->cert.serial, serial) &&
      !asn1_blob_cmp(&entry->cert.ca->subject, subject))

If I change them to

  if (!asn1_blob_cmp(&entry->cert.serial, serial) &&
      !asn1_blob_cmp(&entry->cert.subject, subject))

it will find my certificate. Could you please explain to me why you are
using the serial from the root of the entry and the subject from the
sub-element? Is it connected with the certificate chain? What if there is
just the simplest possible certificate that is not signed by anybody?

I have uploaded the certificate and key that I have generated here:
https://cloud.hawrylko.pl/s/ivHd7HZpuLIjQ88 There is also a signed
bzImage there that I am using.

On Thu, 2019-12-05 at 17:20 +0000, Paul Moore (pmoore2) wrote:
> 
> A question for discussion: if the VLP is loaded from its own nvindex,
> and there is also a VLP present inside the LCP, which VLP do we want to
> use?  I'm assuming it is the VLP we loaded directly, and not from inside
> the LCP, but thought it was worth checking.
>  

In "stock" TBOOT, the VLP loaded from its own index has higher priority
over the one embedded in the LCP, so I agree with you that it should
work like that here.

Thanks,
Lukasz
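The serial-plus-issuer-subject comparison in the quoted pkcs1_search_signer lines is the shape of a PKCS#7 SignerInfo lookup, which names the signing certificate by IssuerAndSerialNumber (RFC 2315 section 9.2), i.e. the issuer's name and the serial rather than the signer's own subject. The Python model below is an added illustration and not tboot code; its certificate names and serials are constructed. It shows why the two comparisons coincide for a self-signed certificate (issuer equals subject), diverge once a CA has issued the certificate, and why a serial alone cannot identify a certificate across issuers.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Identity fields of an X.509 certificate (constructed model)."""
    subject: str  # name of the key holder
    issuer: str   # name of the CA that signed it; equals subject when self-signed
    serial: int   # unique only within one issuer, not globally


@dataclass(frozen=True)
class SignerId:
    """PKCS#7 IssuerAndSerialNumber: names the signer's cert by issuer + serial."""
    issuer: str
    serial: int


def find_signer(certs: List[Cert], sid: SignerId) -> Optional[Cert]:
    """Match on the issuer's name and the serial, as IssuerAndSerialNumber intends."""
    hits = [c for c in certs if c.issuer == sid.issuer and c.serial == sid.serial]
    return hits[0] if len(hits) == 1 else None


def find_by_own_subject(certs: List[Cert], sid: SignerId) -> Optional[Cert]:
    """The other comparison from the thread: serial plus the cert's own subject."""
    hits = [c for c in certs if c.subject == sid.issuer and c.serial == sid.serial]
    return hits[0] if len(hits) == 1 else None


def build_chain(certs: List[Cert], leaf: Cert) -> Optional[List[Cert]]:
    """Follow issuer names up to a self-signed root; None if a link is missing."""
    chain, cur = [leaf], leaf
    while cur.issuer != cur.subject:
        parents = [c for c in certs if c.subject == cur.issuer]
        if not parents or parents[0] in chain:
            return None  # missing issuer, or a cycle in the store
        cur = parents[0]
        chain.append(cur)
    return chain


# Constructed sample store: a self-signed root, a kernel-signing cert it issued,
# and a cert with the same subject and serial issued by a CA not in the store.
ROOT = Cert(subject="CN=Test Root", issuer="CN=Test Root", serial=1)
KERNEL = Cert(subject="CN=Kernel Signer", issuer="CN=Test Root", serial=2)
STRANGER = Cert(subject="CN=Kernel Signer", issuer="CN=Other CA", serial=2)
CERTS = [ROOT, KERNEL, STRANGER]
```

For the self-signed ROOT both lookups return the same certificate, while for KERNEL only the issuer-based lookup succeeds and the serial 2 is disambiguated from STRANGER by the issuer name.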



_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel