Implement the CodeSign EKU check to fulfill the requirements of NIAP OS_PP.
Also modify the ModSign EKU check to use VerifyEKUsInPkcs7Signature() to
check the signer certificate instead of the certificate directly from the
key database.
These commits supersede the PR#232 and PR#661 (Apply the EKU checks) and
separate the original author's codes from other commit so that the author's
original codes can be quite independent.
The author also answered the question in PR#232 and changed the conditional
statement to EFI_Status != EFI_SUCCESS right after VerifyEKUsInPkcs7Signature()
in Cryptlib/Pk/CryptPkcs7Verify.c
User can optionally enable codesign EKU check in compiling time.
To enable the codesign check, set ENABLE_CODESIGN_EKU to 1.
To disable the codesign check, set ENABLE_CODESIGN_EKU to 0
or just omit this flag.
For example:
make xxxx ENABLE_CODESIGN_EKU=1 xxxx shim.efi
Implement the CodeSign EKU check to fulfill the requirements of NIAP OS_PP. Also modify the ModSign EKU check to use VerifyEKUsInPkcs7Signature() to check the signer certificate instead of the certificate directly from the key database.
These commits supersede the PR#232 and PR#661 (Apply the EKU checks) and separate the original author's codes from other commit so that the author's original codes can be quite independent.
The author also answered the question in PR#232 and changed the conditional statement to EFI_Status != EFI_SUCCESS right after VerifyEKUsInPkcs7Signature() in Cryptlib/Pk/CryptPkcs7Verify.c
User can optionally enable codesign EKU check in compiling time. To enable the codesign check, set ENABLE_CODESIGN_EKU to 1. To disable the codesign check, set ENABLE_CODESIGN_EKU to 0 or just omit this flag.
For example: make xxxx ENABLE_CODESIGN_EKU=1 xxxx shim.efi