This is a follow on discussion / documentation for #157.

As a quick recap!

Microsoft uses a timestamp of `2010-03-06T19:17:21Z` in the `EFI_VARIABLE_AUTHENTICATION_2` for UEFI DBX Payloads.

The format of `EFI_VARIABLE_AUTHENTICATION_2` can be broken down like so:

```
[EFI_TIME][WIN_CERTIFICATE][SIGNATURE][DATA]
    |            |             |        |
    |            |             |        `---- Variable Size
    |            |             `------------- Variable Size
    |            `--------------------------- Fixed Size
    `---------------------------------------- Fixed Size

Where SIGNATURE = Asn.1 `SignedData` object or `ContentInfo` object
And DATA = EFI_SIGNATURE_LIST
```

For more information see:

The edk2 code performing the validation for the authenticated variable can be found in the function: VerifyTimeBasedPayload (..)

In the case of an `APPEND` operation the timestamp is not verified and is checked in the case of a `SET`.

Because the `DBX` may have multiple servicers via the `KEK` the timestamp during an `APPEND` operation is not checked thus enabling multiple servicers.

Some Python tooling to create signed payloads can be found in edk2toollib.

One thing to note is that the attributes are used to create the signature.

```python
# This is the digest being signed that all signers must sign
self.digest_without_payload = (
    name.encode("utf_16_le")
    + guid.bytes_le
    + efi_attributes.encode()
    + self.authenticated_variable.time.encode()
)
```

Since the attributes are in the signature the firmware should disallow any attempt at using an `APPEND` payload as a `SET` payload.

Many OEMs attempt to create security features that would differentiate themselves from their competitors. These security features often take dependencies on consistent behavior that we would be likely to break. Thus we're unlikely to change this date until we start signing with the new certificate.
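The signed buffer and the `APPEND`/`SET` timestamp behaviour described in the post, as an added example that is not part of the original post or of edk2toollib. The helper names, the 76-byte zero payload and the use of SHA-256 to make the difference visible are assumptions; real payloads carry a PKCS#7 signature over this buffer, and the "strictly later" comparison for `SET` is a simplified model of the firmware check.

```python
import hashlib
import struct
import uuid
from datetime import datetime, timezone

# UEFI variable attribute bits (values from the UEFI specification).
NV, BS, RT = 0x01, 0x02, 0x04
TIME_BASED_AUTH = 0x20
APPEND_WRITE = 0x40
SET_ATTRS = NV | BS | RT | TIME_BASED_AUTH   # 0x27
APPEND_ATTRS = SET_ATTRS | APPEND_WRITE      # 0x67

# EFI_IMAGE_SECURITY_DATABASE_GUID, the vendor GUID of db/dbx.
DBX_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")
# The fixed timestamp quoted in the post.
DBX_TIME = datetime(2010, 3, 6, 19, 17, 21, tzinfo=timezone.utc)


def pack_efi_time(t):
    """Serialize a datetime as a 16-byte EFI_TIME (pads, ns, tz, daylight = 0)."""
    return struct.pack("<HBBBBBBIhBB", t.year, t.month, t.day,
                       t.hour, t.minute, t.second, 0, 0, 0, 0, 0)


def to_be_signed(name, guid, attrs, when, data):
    """Buffer the signer covers: name || GUID || attributes || EFI_TIME || data."""
    return (name.encode("utf_16_le") + guid.bytes_le
            + struct.pack("<I", attrs) + pack_efi_time(when) + data)


def digest(attrs, data, when=DBX_TIME):
    """SHA-256 over the to-be-signed buffer for the dbx variable."""
    return hashlib.sha256(to_be_signed("dbx", DBX_GUID, attrs, when, data)).hexdigest()


def timestamp_ok(attrs, new, stored):
    """Simplified model: APPEND skips the time check, SET needs a later time."""
    return bool(attrs & APPEND_WRITE) or new > stored


if __name__ == "__main__":
    payload = bytes(76)  # constructed stand-in for an EFI_SIGNATURE_LIST
    print("APPEND digest:", digest(APPEND_ATTRS, payload))
    print("SET digest:   ", digest(SET_ATTRS, payload))
    print("same-time APPEND accepted:", timestamp_ok(APPEND_ATTRS, DBX_TIME, DBX_TIME))
    print("same-time SET accepted:   ", timestamp_ok(SET_ATTRS, DBX_TIME, DBX_TIME))
```

The two digests differ only because of the attribute word at offset 22 of the buffer, which is why a signature made for an `APPEND` payload does not validate when the same bytes are submitted as a `SET`.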