On Wed, 2019-12-04 at 14:33 +0000, Paul Moore (pmoore2) wrote:
>
> Can you elaborate a bit more on what you mean by "the root of
> certificate"? Alternatively, could you upload the kernel and signing
> certificate somewhere I could grab so I can play with it?
>

Maybe I used the wrong words. I am talking about the pkcs1_search_signer
function and the following lines:

    if (!asn1_blob_cmp(&entry->cert.serial, serial) &&
        !asn1_blob_cmp(&entry->cert.ca->subject, subject))

If I change them to

    if (!asn1_blob_cmp(&entry->cert.serial, serial) &&
        !asn1_blob_cmp(&entry->cert.subject, subject))

it will find my certificate. Could you please explain to me why you are
using the serial from the root of the entry and the subject from a
sub-element? Is it connected with the certificate chain? What if there is
just the simplest possible certificate that is not signed by anybody?

I have uploaded the certificate and key that I have generated here:
https://cloud.hawrylko.pl/s/ivHd7HZpuLIjQ88
There is also a signed bzImage that I am using.

On Thu, 2019-12-05 at 17:20 +0000, Paul Moore (pmoore2) wrote:
>
> A question for discussion: if the VLP is loaded from its own nvindex,
> and there is also a VLP present inside the LCP, which VLP do we want to
> use? I'm assuming it is the VLP we loaded directly, and not from inside
> the LCP, but thought it was worth checking.
>

In "stock" TBOOT, a VLP loaded from its own index has higher priority over
one embedded in the LCP, so I agree with you that here it should work like
that.

Thanks,
Lukasz

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
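
An added illustration, not code from tboot or from this thread: in PKCS#7/CMS signed data a signer is identified by the issuer's name plus the certificate's serial number, so a lookup that follows that convention compares the entry's own serial with the subject of the entry's CA. The types, `find_signer`, `issuer_name` and the sample store below are hypothetical, and both that the lookup discussed above follows this convention and the NULL-`ca` fallback for a self-signed certificate are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the types in the thread, not tboot's own. */
struct blob { const unsigned char *data; size_t len; };
struct cert {
    struct blob serial;    /* serial number assigned by the issuer */
    struct blob subject;   /* name of the certificate's owner */
    const struct cert *ca; /* issuing certificate, NULL if not linked */
};
#define B(s) { (const unsigned char *)(s), sizeof(s) - 1 }

/* Constructed sample store; real names and serials are DER-encoded. */
const struct cert certs[3] = {
    { B("\x01"), B("CN=Root"),       &certs[0] }, /* self-signed, linked */
    { B("\x02"), B("CN=Leaf"),       &certs[0] }, /* issued by Root */
    { B("\x03"), B("CN=Standalone"), NULL },      /* self-signed, unlinked */
};

/* Returns 0 when both blobs hold the same bytes. */
static int blob_cmp(const struct blob *a, const struct blob *b)
{
    return a->len != b->len || memcmp(a->data, b->data, a->len) != 0;
}

/* Assumption: a self-signed certificate is its own issuer, so an unlinked
 * (NULL) ca falls back to the certificate's own subject. */
static const struct blob *issuer_name(const struct cert *c)
{
    return c->ca ? &c->ca->subject : &c->subject;
}

/* Find the certificate identified by an issuer name and serial number. */
const struct cert *find_signer(const struct cert *list, size_t n,
                               const char *issuer, const char *serial)
{
    struct blob want_issuer = { (const unsigned char *)issuer, strlen(issuer) };
    struct blob want_serial = { (const unsigned char *)serial, strlen(serial) };
    for (size_t i = 0; i < n; i++)
        if (!blob_cmp(&list[i].serial, &want_serial) &&
            !blob_cmp(issuer_name(&list[i]), &want_issuer))
            return &list[i];
    return NULL;
}

int main(void)
{
    return find_signer(certs, 3, "CN=Root", "\x02") == &certs[1] ? 0 : 1;
}
```

The leaf is found under its issuer's name and not under its own subject, while a self-signed certificate matches under its own name whether or not its `ca` pointer is set.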