Pull request for UEFI sub-system for efi-2020-10-rc3 (2)

This series includes bug fixes for: * UEFI secure boot - images with multiple signatures * UEFI secure boot - support for intermediate certificates * corrections for UEFI unit tests * missing loadaddr on MAIX board -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAl82zyEACgkQxIHbvCwF GsR8GQ/9FzCCfmhu2VhVI1cUKIT2B/FhAXbADAAhmBFk1SezhnKrsWUFFUbHeD+v c0+QKBldIARxpD40M68FNP7QVA35iaU2+Z5jBQ7r5ZUuTuZkxeFavtHRXlSCL02R rmdsKTtwPTRgve3IxEFJcxc4jpvAhNH+QLveK+PA+gUGjd2UoYWoGknJ4n8oe2rG uDX4em8Sy1LXrkJLCf5Ae8+M3FBOtsBAFif1tX5cWnH5kP3DbL9A5A5JHxlVJEQi SBC8NuJW+At89VlckEGpREt8itFMicdbLT/dSKDU3kh+l/h6zTbd9fGmoKLKXDdw O/qwC2kwsKg/jrfZwYOTzUIpRt3jhe+CwrEajVJY12jIQzAW4kvj2mo9AeBEydHO umFfbExGH8zwZgynrhhbjHdNxcGBahUGLoKLCkJI51I7EwCMCrN5rtUpUzxVybTE VJKyTqlyUSIZGU4AsQT3KflLGRGU/HNS2ariQWjEbKWcCC03Q7dXH1RQMUxTlqL3 Owhqv/NI07WIvQZD3oWPkn3Z8tiQMzF370qO2gb/AwM7U0P3ggkcUxAs7mCIj5x6 81PP65di4+zRzCyU1IHCILem7LHxGR6drGatbHspGBYAJrPduyM2cYAa0eXUOCvX Hz1GURhlVGwBdBAwaZ+g13/NtisrkRBQQYZO8jiEBqhnWoc3514= =0ZD1 -----END PGP SIGNATURE----- Merge tag 'efi-2020-10-rc3-2' of https://gitlab.denx.de/u-boot/custodians/u-boot-efi Pull request for UEFI sub-system for efi-2020-10-rc3 (2) This series includes bug fixes for: * UEFI secure boot - images with multiple signatures * UEFI secure boot - support for intermediate certificates * corrections for UEFI unit tests * missing loadaddr on MAIX board
2025-04-30 16:35:37 +00:00 · 2020-08-15 09:01:01 -04:00 · 2020-08-15 09:01:01 -04:00 · 789bfb5266
commit 789bfb5266
parent c0192950df a4bda5ebab
12 changed files with 556 additions and 315 deletions
--- a/cmd/efidebug.c
+++ b/cmd/efidebug.c
@ -1126,7 +1126,7 @@ static int do_efi_test_bootmgr(struct cmd_tbl *cmdtp, int flag,
 	efi_uintn_t exit_data_size = 0;
 	u16 *exit_data = NULL;
 	efi_status_t ret;
-	void *load_options;
+	void *load_options = NULL;
 	ret = efi_bootmgr_load(&image, &load_options);
 	printf("efi_bootmgr_load() returned: %ld\n", ret & ~EFI_ERROR_MASK);
--- a/include/configs/sipeed-maix.h
+++ b/include/configs/sipeed-maix.h
@ -21,4 +21,13 @@
 /* For early init */
 #define K210_SYSCTL_BASE 0x50440000
 #ifndef CONFIG_EXTRA_ENV_SETTINGS
 #define CONFIG_EXTRA_ENV_SETTINGS \
 	"loadaddr=0x80060000\0" \
 	"fdt_addr_r=0x80028000\0" \
 	"scriptaddr=0x80020000\0" \
 	"kernel_addr_r=0x80060000\0" \
 	"fdtfile=kendryte/" CONFIG_DEFAULT_DEVICE_TREE ".dtb\0"
 #endif
 #endif /* CONFIGS_SIPEED_MAIX_H */
--- a/include/efi_loader.h
+++ b/include/efi_loader.h
@ -773,13 +773,16 @@ struct pkcs7_message;
 bool efi_signature_lookup_digest(struct efi_image_regions *regs,
 				 struct efi_signature_store *db);
-bool efi_signature_verify_one(struct efi_image_regions *regs,
+bool efi_signature_verify(struct efi_image_regions *regs,
-			      struct pkcs7_message *msg,
+			  struct pkcs7_message *msg,
-			      struct efi_signature_store *db);
+			  struct efi_signature_store *db,
-bool efi_signature_verify_with_sigdb(struct efi_image_regions *regs,
+			  struct efi_signature_store *dbx);
-				     struct pkcs7_message *msg,
+static inline bool efi_signature_verify_one(struct efi_image_regions *regs,
-				     struct efi_signature_store *db,
+					    struct pkcs7_message *msg,
-				     struct efi_signature_store *dbx);
+					    struct efi_signature_store *db)
 {
 	return efi_signature_verify(regs, msg, db, NULL);
 }
 bool efi_signature_check_signers(struct pkcs7_message *msg,
 				 struct efi_signature_store *dbx);
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@ -205,6 +205,7 @@ config EFI_SECURE_BOOT
 	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
 	select X509_CERTIFICATE_PARSER
 	select PKCS7_MESSAGE_PARSER
 	select PKCS7_VERIFY
 	default n
 	help
 	  Select this option to enable EFI secure boot support.
--- a/lib/efi_loader/efi_image_loader.c
+++ b/lib/efi_loader/efi_image_loader.c
@ -546,6 +546,11 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
 		goto err;
 	}
 	if (efi_signature_lookup_digest(regs, dbx)) {
 		EFI_PRINT("Image's digest was found in \"dbx\"\n");
 		goto err;
 	}
 	/*
 	 * go through WIN_CERTIFICATE list
 	 * NOTE:
@ -553,10 +558,9 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
 	 * in PE header, or as pkcs7 SignerInfo's in SignedData.
 	 * So the verification policy here is:
 	 *   - Success if, at least, one of signatures is verified
-	 *   - unless
+	 *   - unless signature is rejected explicitly with its digest.
 	 *       any of signatures is rejected explicitly, or
 	 *       none of digest algorithms are supported
 	 */
 	for (wincert = wincerts, wincerts_end = (u8 *)wincerts + wincerts_len;
 	     (u8 *)wincert < wincerts_end;
 	     wincert = (WIN_CERTIFICATE *)
@ -627,32 +631,29 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
 		/* try black-list first */
 		if (efi_signature_verify_one(regs, msg, dbx)) {
 			EFI_PRINT("Signature was rejected by \"dbx\"\n");
-			goto err;
+			continue;
 		}
 		if (!efi_signature_check_signers(msg, dbx)) {
 			EFI_PRINT("Signer(s) in \"dbx\"\n");
-			goto err;
+			continue;
 		}
 		if (efi_signature_lookup_digest(regs, dbx)) {
 			EFI_PRINT("Image's digest was found in \"dbx\"\n");
 			goto err;
 		}
 		/* try white-list */
-		if (efi_signature_verify_with_sigdb(regs, msg, db, dbx))
+		if (efi_signature_verify(regs, msg, db, dbx)) {
-			continue;
+			ret = true;
 			break;
 		}
 		debug("Signature was not verified by \"db\"\n");
-		if (efi_signature_lookup_digest(regs, db))
+		if (efi_signature_lookup_digest(regs, db)) {
-			continue;
+			ret = true;
 			break;
 		}
 		debug("Image's digest was not found in \"db\" or \"dbx\"\n");
 		goto err;
 	}
 	ret = true;
 err:
 	efi_sigstore_free(db);
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@ -10,7 +10,9 @@
 #include <image.h>
 #include <hexdump.h>
 #include <malloc.h>
 #include <crypto/pkcs7.h>
 #include <crypto/pkcs7_parser.h>
 #include <crypto/public_key.h>
 #include <linux/compat.h>
 #include <linux/oid_registry.h>
 #include <u-boot/rsa.h>
@ -60,143 +62,6 @@ static bool efi_hash_regions(struct image_region *regs, int count,
 	return true;
 }
 /**
 * efi_hash_msg_content - calculate a hash value of contentInfo
 * @msg:	Signature
 * @hash:	Pointer to a pointer to buffer holding a hash value
 * @size:	Size of buffer to be returned
 *
 * Calculate a sha256 value of contentInfo in @msg and return a value in @hash.
 *
 * Return:	true on success, false on error
 */
 static bool efi_hash_msg_content(struct pkcs7_message *msg, void **hash,
 				 size_t *size)
 {
 	struct image_region regtmp;
 	regtmp.data = msg->data;
 	regtmp.size = msg->data_len;
 	return efi_hash_regions(&regtmp, 1, hash, size);
 }
 /**
 * efi_signature_verify - verify a signature with a certificate
 * @regs:		List of regions to be authenticated
 * @signed_info:	Pointer to PKCS7's signed_info
 * @cert:		x509 certificate
 *
 * Signature pointed to by @signed_info against image pointed to by @regs
 * is verified by a certificate pointed to by @cert.
 * @signed_info holds a signature, including a message digest which is to be
 * compared with a hash value calculated from @regs.
 *
 * Return:	true if signature is verified, false if not
 */
 static bool efi_signature_verify(struct efi_image_regions *regs,
 				 struct pkcs7_message *msg,
 				 struct pkcs7_signed_info *ps_info,
 				 struct x509_certificate *cert)
 {
 	struct image_sign_info info;
 	struct image_region regtmp[2];
 	void *hash;
 	size_t size;
 	char c;
 	bool verified;
 	EFI_PRINT("%s: Enter, %p, %p, %p(issuer: %s, subject: %s)\n", __func__,
 		  regs, ps_info, cert, cert->issuer, cert->subject);
 	verified = false;
 	memset(&info, '\0', sizeof(info));
 	info.padding = image_get_padding_algo("pkcs-1.5");
 	/*
 	 * Note: image_get_[checksum|crypto]_algo takes an string
 	 * argument like "<checksum>,<crypto>"
 	 * TODO: support other hash algorithms
 	 */
 	if (!strcmp(ps_info->sig->hash_algo, "sha1")) {
 		info.checksum = image_get_checksum_algo("sha1,rsa2048");
 		info.name = "sha1,rsa2048";
 	} else if (!strcmp(ps_info->sig->hash_algo, "sha256")) {
 		info.checksum = image_get_checksum_algo("sha256,rsa2048");
 		info.name = "sha256,rsa2048";
 	} else {
 		EFI_PRINT("unknown msg digest algo: %s\n",
 			  ps_info->sig->hash_algo);
 		goto out;
 	}
 	info.crypto = image_get_crypto_algo(info.name);
 	info.key = cert->pub->key;
 	info.keylen = cert->pub->keylen;
 	/* verify signature */
 	EFI_PRINT("%s: crypto: %s, signature len:%x\n", __func__,
 		  info.name, ps_info->sig->s_size);
 	if (ps_info->aa_set & (1UL << sinfo_has_message_digest)) {
 		EFI_PRINT("%s: RSA verify authentication attribute\n",
 			  __func__);
 		/*
 		 * NOTE: This path will be executed only for
 		 * PE image authentication
 		 */
 		/* check if hash matches digest first */
 		EFI_PRINT("checking msg digest first, len:0x%x\n",
 			  ps_info->msgdigest_len);
 #ifdef DEBUG
 		EFI_PRINT("hash in database:\n");
 		print_hex_dump("    ", DUMP_PREFIX_OFFSET, 16, 1,
 			       ps_info->msgdigest, ps_info->msgdigest_len,
 			       false);
 #endif
 		/* against contentInfo first */
 		hash = NULL;
 		if ((msg->data && efi_hash_msg_content(msg, &hash, &size)) ||
 				/* for signed image */
 		    efi_hash_regions(regs->reg, regs->num, &hash, &size)) {
 				/* for authenticated variable */
 			if (ps_info->msgdigest_len != size ||
 			    memcmp(hash, ps_info->msgdigest, size)) {
 				EFI_PRINT("Digest doesn't match\n");
 				free(hash);
 				goto out;
 			}
 			free(hash);
 		} else {
 			EFI_PRINT("Digesting image failed\n");
 			goto out;
 		}
 		/* against digest */
 		c = 0x31;
 		regtmp[0].data = &c;
 		regtmp[0].size = 1;
 		regtmp[1].data = ps_info->authattrs;
 		regtmp[1].size = ps_info->authattrs_len;
 		if (!rsa_verify(&info, regtmp, 2,
 				ps_info->sig->s, ps_info->sig->s_size))
 			verified = true;
 	} else {
 		EFI_PRINT("%s: RSA verify content data\n", __func__);
 		/* against all data */
 		if (!rsa_verify(&info, regs->reg, regs->num,
 				ps_info->sig->s, ps_info->sig->s_size))
 			verified = true;
 	}
 out:
 	EFI_PRINT("%s: Exit, verified: %d\n", __func__, verified);
 	return verified;
 }
 /**
 * efi_signature_lookup_digest - search for an image's digest in sigdb
 * @regs:	List of regions to be authenticated
@ -260,61 +125,129 @@ out:
 }
 /**
- * efi_signature_verify_with_list - verify a signature with signature list
+ * efi_lookup_certificate - find a certificate within db
- * @regs:		List of regions to be authenticated
+ * @msg:	Signature
- * @msg:		Signature
+ * @db:		Signature database
 * @signed_info:	Pointer to PKCS7's signed_info
 * @siglist:		Signature list for certificates
 * @valid_cert:		x509 certificate that verifies this signature
 *
- * Signature pointed to by @signed_info against image pointed to by @regs
+ * Search signature database pointed to by @db and find a certificate
- * is verified by signature list pointed to by @siglist.
+ * pointed to by @cert.
 * Signature database is a simple concatenation of one or more
 * signature list(s).
 *
- * Return:	true if signature is verified, false if not
+ * Return:	true if found, false otherwise.
 */
-static
+static bool efi_lookup_certificate(struct x509_certificate *cert,
-bool efi_signature_verify_with_list(struct efi_image_regions *regs,
+				   struct efi_signature_store *db)
 				    struct pkcs7_message *msg,
 				    struct pkcs7_signed_info *signed_info,
 				    struct efi_signature_store *siglist,
 				    struct x509_certificate **valid_cert)
 {
-	struct x509_certificate *cert;
+	struct efi_signature_store *siglist;
 	struct efi_sig_data *sig_data;
-	bool verified = false;
+	struct image_region reg[1];
 	void *hash = NULL, *hash_tmp = NULL;
 	size_t size = 0;
 	bool found = false;
-	EFI_PRINT("%s: Enter, %p, %p, %p, %p\n", __func__,
+	EFI_PRINT("%s: Enter, %p, %p\n", __func__, cert, db);
 		  regs, signed_info, siglist, valid_cert);
-	if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509)) {
+	if (!cert || !db || !db->sig_data_list)
 		EFI_PRINT("Signature type is not supported: %pUl\n",
 			  &siglist->sig_type);
 		goto out;
 	/*
 	 * TODO: identify a certificate using sha256 digest
 	 * Is there any better way?
 	 */
 	/* calculate hash of TBSCertificate */
 	reg[0].data = cert->tbs;
 	reg[0].size = cert->tbs_size;
 	if (!efi_hash_regions(reg, 1, &hash, &size))
 		goto out;
 	EFI_PRINT("%s: searching for %s\n", __func__, cert->subject);
 	for (siglist = db; siglist; siglist = siglist->next) {
 		/* only with x509 certificate */
 		if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509))
 			continue;
 		for (sig_data = siglist->sig_data_list; sig_data;
 		     sig_data = sig_data->next) {
 			struct x509_certificate *cert_tmp;
 			cert_tmp = x509_cert_parse(sig_data->data,
 						   sig_data->size);
 			if (IS_ERR_OR_NULL(cert_tmp))
 				continue;
 			EFI_PRINT("%s: against %s\n", __func__,
 				  cert_tmp->subject);
 			reg[0].data = cert_tmp->tbs;
 			reg[0].size = cert_tmp->tbs_size;
 			if (!efi_hash_regions(reg, 1, &hash_tmp, NULL))
 				goto out;
 			x509_free_certificate(cert_tmp);
 			if (!memcmp(hash, hash_tmp, size)) {
 				found = true;
 				goto out;
 			}
 		}
 	}
 out:
 	free(hash);
 	free(hash_tmp);
-	/* go through the list */
+	EFI_PRINT("%s: Exit, found: %d\n", __func__, found);
-	for (sig_data = siglist->sig_data_list; sig_data;
+	return found;
-	     sig_data = sig_data->next) {
+}
 		/* TODO: support owner check based on policy */
-		cert = x509_cert_parse(sig_data->data, sig_data->size);
+/**
-		if (IS_ERR(cert)) {
+ * efi_verify_certificate - verify certificate's signature with database
-			EFI_PRINT("Parsing x509 certificate failed\n");
+ * @signer:	Certificate
-			goto out;
+ * @db:		Signature database
 * @root:	Certificate to verify @signer
 *
 * Determine if certificate pointed to by @signer may be verified
 * by one of certificates in signature database pointed to by @db.
 *
 * Return:	true if certificate is verified, false otherwise.
 */
 static bool efi_verify_certificate(struct x509_certificate *signer,
 				   struct efi_signature_store *db,
 				   struct x509_certificate **root)
 {
 	struct efi_signature_store *siglist;
 	struct efi_sig_data *sig_data;
 	struct x509_certificate *cert;
 	bool verified = false;
 	int ret;
 	EFI_PRINT("%s: Enter, %p, %p\n", __func__, signer, db);
 	if (!signer || !db || !db->sig_data_list)
 		goto out;
 	for (siglist = db; siglist; siglist = siglist->next) {
 		/* only with x509 certificate */
 		if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509))
 			continue;
 		for (sig_data = siglist->sig_data_list; sig_data;
 		     sig_data = sig_data->next) {
 			cert = x509_cert_parse(sig_data->data, sig_data->size);
 			if (IS_ERR_OR_NULL(cert)) {
 				EFI_PRINT("Cannot parse x509 certificate\n");
 				continue;
 			}
 			ret = public_key_verify_signature(cert->pub,
 							  signer->sig);
 			if (!ret) {
 				verified = true;
 				if (root)
 					*root = cert;
 				else
 					x509_free_certificate(cert);
 				goto out;
 			}
 			x509_free_certificate(cert);
 		}
 		verified = efi_signature_verify(regs, msg, signed_info, cert);
 		if (verified) {
 			if (valid_cert)
 				*valid_cert = cert;
 			else
 				x509_free_certificate(cert);
 			break;
 		}
 		x509_free_certificate(cert);
 	}
 out:
@ -335,7 +268,7 @@ out:
 * protocol at this time and any image will be unconditionally revoked
 * when this match occurs.
 *
- * Return:	true if check passed, false otherwise.
+ * Return:	true if check passed (not found), false otherwise.
 */
 static bool efi_signature_check_revocation(struct pkcs7_signed_info *sinfo,
 					   struct x509_certificate *cert,
@ -405,56 +338,8 @@ out:
 	return !revoked;
 }
-/**
+/*
- * efi_signature_verify_one - verify signatures with database
+ * efi_signature_verify - verify signatures with db and dbx
 * @regs:	List of regions to be authenticated
 * @msg:	Signature
 * @db:		Signature database
 *
 * All the signature pointed to by @msg against image pointed to by @regs
 * will be verified by signature database pointed to by @db.
 *
 * Return:	true if verification for one of signatures passed, false
 *		otherwise
 */
 bool efi_signature_verify_one(struct efi_image_regions *regs,
 			      struct pkcs7_message *msg,
 			      struct efi_signature_store *db)
 {
 	struct pkcs7_signed_info *sinfo;
 	struct efi_signature_store *siglist;
 	struct x509_certificate *cert;
 	bool verified = false;
 	EFI_PRINT("%s: Enter, %p, %p, %p\n", __func__, regs, msg, db);
 	if (!db)
 		goto out;
 	if (!db->sig_data_list)
 		goto out;
 	EFI_PRINT("%s: Verify signed image with db\n", __func__);
 	for (sinfo = msg->signed_infos; sinfo; sinfo = sinfo->next) {
 		EFI_PRINT("Signed Info: digest algo: %s, pkey algo: %s\n",
 			  sinfo->sig->hash_algo, sinfo->sig->pkey_algo);
 		for (siglist = db; siglist; siglist = siglist->next)
 			if (efi_signature_verify_with_list(regs, msg, sinfo,
 							   siglist, &cert)) {
 				verified = true;
 				goto out;
 			}
 		EFI_PRINT("Valid certificate not in \"db\"\n");
 	}
 out:
 	EFI_PRINT("%s: Exit, verified: %d\n", __func__, verified);
 	return verified;
 }
 /**
 * efi_signature_verify_with_sigdb - verify signatures with db and dbx
 * @regs:	List of regions to be authenticated
 * @msg:	Signature
 * @db:		Signature database for trusted certificates
@ -465,43 +350,71 @@ out:
 *
 * Return:	true if verification for all signatures passed, false otherwise
 */
-bool efi_signature_verify_with_sigdb(struct efi_image_regions *regs,
+bool efi_signature_verify(struct efi_image_regions *regs,
-				     struct pkcs7_message *msg,
+			  struct pkcs7_message *msg,
-				     struct efi_signature_store *db,
+			  struct efi_signature_store *db,
-				     struct efi_signature_store *dbx)
+			  struct efi_signature_store *dbx)
 {
-	struct pkcs7_signed_info *info;
+	struct pkcs7_signed_info *sinfo;
-	struct efi_signature_store *siglist;
+	struct x509_certificate *signer, *root;
 	struct x509_certificate *cert;
 	bool verified = false;
 	int ret;
 	EFI_PRINT("%s: Enter, %p, %p, %p, %p\n", __func__, regs, msg, db, dbx);
 	if (!regs || !msg || !db || !db->sig_data_list)
 		goto out;
-	for (info = msg->signed_infos; info; info = info->next) {
+	for (sinfo = msg->signed_infos; sinfo; sinfo = sinfo->next) {
 		EFI_PRINT("Signed Info: digest algo: %s, pkey algo: %s\n",
-			  info->sig->hash_algo, info->sig->pkey_algo);
+			  sinfo->sig->hash_algo, sinfo->sig->pkey_algo);
-		for (siglist = db; siglist; siglist = siglist->next) {
+		/*
-			if (efi_signature_verify_with_list(regs, msg, info,
+		 * only for authenticated variable.
-							   siglist, &cert))
+		 *
-				break;
+		 * If this function is called for image,
-		}
+		 * hash calculation will be done in
-		if (!siglist) {
+		 * pkcs7_verify_one().
-			EFI_PRINT("Valid certificate not in \"db\"\n");
+		 */
 		if (!msg->data &&
 		    !efi_hash_regions(regs->reg, regs->num,
 				      (void **)&sinfo->sig->digest, NULL)) {
 			EFI_PRINT("Digesting an image failed\n");
 			goto out;
 		}
-		if (!dbx || efi_signature_check_revocation(info, cert, dbx))
+		EFI_PRINT("Verifying certificate chain\n");
 		signer = NULL;
 		ret = pkcs7_verify_one(msg, sinfo, &signer);
 		if (ret == -ENOPKG)
 			continue;
-		EFI_PRINT("Certificate in \"dbx\"\n");
+		if (ret < 0 || !signer)
-		goto out;
+			goto out;
 	}
 	verified = true;
 		if (sinfo->blacklisted)
 			goto out;
 		EFI_PRINT("Verifying last certificate in chain\n");
 		if (signer->self_signed) {
 			if (efi_lookup_certificate(signer, db))
 				if (efi_signature_check_revocation(sinfo,
 								   signer, dbx))
 					break;
 		} else if (efi_verify_certificate(signer, db, &root)) {
 			bool check;
 			check = efi_signature_check_revocation(sinfo, root,
 							       dbx);
 			x509_free_certificate(root);
 			if (check)
 				break;
 		}
 		EFI_PRINT("Certificate chain didn't reach trusted CA\n");
 	}
 	if (sinfo)
 		verified = true;
 out:
 	EFI_PRINT("%s: Exit, verified: %d\n", __func__, verified);
 	return verified;
--- a/lib/efi_loader/efi_variable.c
+++ b/lib/efi_loader/efi_variable.c
@ -37,16 +37,21 @@ static u8 pkcs7_hdr[] = {
 * efi_variable_parse_signature - parse a signature in variable
 * @buf:	Pointer to variable's value
 * @buflen:	Length of @buf
 * @tmpbuf:	Pointer to temporary buffer
 *
 * Parse a signature embedded in variable's value and instantiate
 * a pkcs7_message structure. Since pkcs7_parse_message() accepts only
 * pkcs7's signedData, some header needed be prepended for correctly
 * parsing authentication data, particularly for variable's.
 * A temporary buffer will be allocated if needed, and it should be
 * kept valid during the authentication because some data in the buffer
 * will be referenced by efi_signature_verify().
 *
 * Return:	Pointer to pkcs7_message structure on success, NULL on error
 */
 static struct pkcs7_message *efi_variable_parse_signature(const void *buf,
-							  size_t buflen)
+							  size_t buflen,
 							  u8 **tmpbuf)
 {
 	u8 *ebuf;
 	size_t ebuflen, len;
@ -59,7 +64,9 @@ static struct pkcs7_message *efi_variable_parse_signature(const void *buf,
 	if (buflen > sizeof(pkcs7_hdr) &&
 	    !memcmp(&((u8 *)buf)[4], &pkcs7_hdr[4], 11)) {
 		msg = pkcs7_parse_message(buf, buflen);
-		goto out;
+		if (IS_ERR(msg))
 			return NULL;
 		return msg;
 	}
 	/*
@ -94,12 +101,12 @@ static struct pkcs7_message *efi_variable_parse_signature(const void *buf,
 	msg = pkcs7_parse_message(ebuf, ebuflen);
-	free(ebuf);
+	if (IS_ERR(msg)) {
-
+		free(ebuf);
 out:
 	if (IS_ERR(msg))
 		return NULL;
 	}
 	*tmpbuf = ebuf;
 	return msg;
 }
@ -136,6 +143,7 @@ static efi_status_t efi_variable_authenticate(u16 *variable,
 	struct efi_time timestamp;
 	struct rtc_time tm;
 	u64 new_time;
 	u8 *ebuf;
 	enum efi_auth_var_type var_type;
 	efi_status_t ret;
@ -143,6 +151,7 @@ static efi_status_t efi_variable_authenticate(u16 *variable,
 	truststore = NULL;
 	truststore2 = NULL;
 	regs = NULL;
 	ebuf = NULL;
 	ret = EFI_SECURITY_VIOLATION;
 	if (*data_size < sizeof(struct efi_variable_authentication_2))
@ -204,9 +213,12 @@ static efi_status_t efi_variable_authenticate(u16 *variable,
 	/* variable's signature list */
 	if (auth->auth_info.hdr.dwLength < sizeof(auth->auth_info))
 		goto err;
 	/* ebuf should be kept valid during the authentication */
 	var_sig = efi_variable_parse_signature(auth->auth_info.cert_data,
 					       auth->auth_info.hdr.dwLength
-						   - sizeof(auth->auth_info));
+						   - sizeof(auth->auth_info),
 					       &ebuf);
 	if (!var_sig) {
 		EFI_PRINT("Parsing variable's signature failed\n");
 		goto err;
@ -241,12 +253,11 @@ static efi_status_t efi_variable_authenticate(u16 *variable,
 	}
 	/* verify signature */
-	if (efi_signature_verify_with_sigdb(regs, var_sig, truststore, NULL)) {
+	if (efi_signature_verify(regs, var_sig, truststore, NULL)) {
 		EFI_PRINT("Verified\n");
 	} else {
 		if (truststore2 &&
-		    efi_signature_verify_with_sigdb(regs, var_sig,
+		    efi_signature_verify(regs, var_sig, truststore2, NULL)) {
 						    truststore2, NULL)) {
 			EFI_PRINT("Verified\n");
 		} else {
 			EFI_PRINT("Verifying variable's signature failed\n");
@ -262,6 +273,7 @@ err:
 	efi_sigstore_free(truststore);
 	efi_sigstore_free(truststore2);
 	pkcs7_free_message(var_sig);
 	free(ebuf);
 	free(regs);
 	return ret;
@ -496,10 +508,6 @@ efi_status_t efi_init_variables(void)
 	if (ret != EFI_SUCCESS)
 		return ret;
 	ret = efi_init_secure_state();
 	if (ret != EFI_SUCCESS)
 		return ret;
 	if (IS_ENABLED(CONFIG_EFI_VARIABLES_PRESEED)) {
 		ret = efi_var_restore((struct efi_var_file *)
 				      __efi_var_file_begin);
@ -507,5 +515,9 @@ efi_status_t efi_init_variables(void)
 			log_err("Invalid EFI variable seed\n");
 	}
-	return efi_var_from_file();
+	ret = efi_var_from_file();
 	if (ret != EFI_SUCCESS)
 		return ret;
 	return efi_init_secure_state();
 }
--- a/test/py/tests/test_efi_secboot/conftest.py
+++ b/test/py/tests/test_efi_secboot/conftest.py
@ -25,13 +25,8 @@ def efi_boot_env(request, u_boot_config):
    Return:
        A path to disk image to be used for testing
    """
    global HELLO_PATH
    image_path = u_boot_config.persistent_data_dir
-    image_path = image_path + '/' + EFI_SECBOOT_IMAGE_NAME
+    image_path = image_path + '/test_efi_secboot.img'
    if HELLO_PATH == '':
        HELLO_PATH = u_boot_config.build_dir + '/lib/efi_loader/helloworld.efi'
    try:
        mnt_point = u_boot_config.build_dir + '/mnt_efisecure'
@ -75,9 +70,6 @@ def efi_boot_env(request, u_boot_config):
        check_call('cd %s; %scert-to-efi-sig-list -g %s db1.crt db1.esl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key db db1.esl db1.auth'
                   % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
                   shell=True)
        # db1-update
        check_call('cd %s; %ssign-efi-sig-list -t "2020-04-06" -a -c KEK.crt -k KEK.key db db1.esl db1-update.auth'
                   % (mnt_point, EFITOOLS_PATH), shell=True)
        # dbx (TEST_dbx certificate)
        check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_dbx/ -keyout dbx.key -out dbx.crt -nodes -days 365'
                   % mnt_point, shell=True)
@ -89,7 +81,7 @@ def efi_boot_env(request, u_boot_config):
                   % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
                   shell=True)
        # dbx_hash1 (digest of TEST_db1 certificate)
-        check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
+        check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
                   % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
                   shell=True)
        # dbx_db (with TEST_db certificate)
@ -98,7 +90,8 @@ def efi_boot_env(request, u_boot_config):
                   shell=True)
        # Copy image
-        check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True)
+        check_call('cp %s/lib/efi_loader/helloworld.efi %s' %
                   (u_boot_config.build_dir, mnt_point), shell=True)
        # Sign image
        check_call('cd %s; sbsign --key db.key --cert db.crt helloworld.efi'
@ -128,3 +121,119 @@ def efi_boot_env(request, u_boot_config):
        yield image_path
    finally:
        call('rm -f %s' % image_path, shell=True)
 #
 # Fixture for UEFI secure boot test of intermediate certificates
 #
@pytest.fixture(scope='session')
 def efi_boot_env_intca(request, u_boot_config):
    """Set up a file system to be used in UEFI secure boot test
    of intermediate certificates.
    Args:
        request: Pytest request object.
        u_boot_config: U-boot configuration.
    Return:
        A path to disk image to be used for testing
    """
    image_path = u_boot_config.persistent_data_dir
    image_path = image_path + '/test_efi_secboot_intca.img'
    try:
        mnt_point = u_boot_config.persistent_data_dir + '/mnt_efi_secboot_intca'
        check_call('rm -rf {}'.format(mnt_point), shell=True)
        check_call('mkdir -p {}'.format(mnt_point), shell=True)
        # Create signature database
        # PK
        check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ -keyout PK.key -out PK.crt -nodes -days 365'
                   % mnt_point, shell=True)
        check_call('cd %s; %scert-to-efi-sig-list -g %s PK.crt PK.esl; %ssign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth'
                   % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
                   shell=True)
        # KEK
        check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ -keyout KEK.key -out KEK.crt -nodes -days 365'
                   % mnt_point, shell=True)
        check_call('cd %s; %scert-to-efi-sig-list -g %s KEK.crt KEK.esl; %ssign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth'
                   % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
                   shell=True)
        # We will have three-tier hierarchy of certificates:
        #   TestRoot: Root CA (self-signed)
        #   TestSub: Intermediate CA (signed by Root CA)
        #   TestCert: User certificate (signed by Intermediate CA, and used
        #             for signing an image)
        #
        # NOTE:
        # I consulted the following EDK2 document for certificate options:
        #     BaseTools/Source/Python/Pkcs7Sign/Readme.md
        # Please not use them as they are in product system. They are
        # for test purpose only.
        # TestRoot
        check_call('cp %s/test/py/tests/test_efi_secboot/openssl.cnf %s'
                   % (u_boot_config.source_dir, mnt_point), shell=True)
        check_call('cd %s; export OPENSSL_CONF=./openssl.cnf; openssl genrsa -out TestRoot.key 2048; openssl req -extensions v3_ca -new -x509 -days 365 -key TestRoot.key -out TestRoot.crt -subj "/CN=TEST_root/"; touch index.txt; touch index.txt.attr'
                   % mnt_point, shell=True)
        # TestSub
        check_call('cd %s; touch serial.new; export OPENSSL_CONF=./openssl.cnf; openssl genrsa -out TestSub.key 2048; openssl req -new -key TestSub.key -out TestSub.csr -subj "/CN=TEST_sub/"; openssl ca -in TestSub.csr -out TestSub.crt -extensions v3_int_ca -days 365 -batch -rand_serial -cert TestRoot.crt -keyfile TestRoot.key'
                   % mnt_point, shell=True)
        # TestCert
        check_call('cd %s; touch serial.new; export OPENSSL_CONF=./openssl.cnf; openssl genrsa -out TestCert.key 2048; openssl req -new -key TestCert.key -out TestCert.csr -subj "/CN=TEST_cert/"; openssl ca -in TestCert.csr -out TestCert.crt -extensions usr_cert -days 365 -batch -rand_serial -cert TestSub.crt -keyfile TestSub.key'
                   % mnt_point, shell=True)
        # db
        #  for TestCert
        check_call('cd %s; %scert-to-efi-sig-list -g %s TestCert.crt TestCert.esl; %ssign-efi-sig-list -c KEK.crt -k KEK.key db TestCert.esl db_a.auth'
                   % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
                   shell=True)
        #  for TestSub
        check_call('cd %s; %scert-to-efi-sig-list -g %s TestSub.crt TestSub.esl; %ssign-efi-sig-list -t "2020-07-16" -c KEK.crt -k KEK.key db TestSub.esl db_b.auth'
                   % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
                   shell=True)
        #  for TestRoot
        check_call('cd %s; %scert-to-efi-sig-list -g %s TestRoot.crt TestRoot.esl; %ssign-efi-sig-list -t "2020-07-17" -c KEK.crt -k KEK.key db TestRoot.esl db_c.auth'
                   % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
                   shell=True)
        ## dbx (hash of certificate with revocation time)
        #  for TestCert
        check_call('cd %s; %scert-to-efi-hash-list -g %s -t "2020-07-20" -s 256 TestCert.crt TestCert.crl; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx TestCert.crl dbx_a.auth'
                   % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
                   shell=True)
        #  for TestSub
        check_call('cd %s; %scert-to-efi-hash-list -g %s -t "2020-07-21" -s 256 TestSub.crt TestSub.crl; %ssign-efi-sig-list -t "2020-07-18" -c KEK.crt -k KEK.key dbx TestSub.crl dbx_b.auth'
                   % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
                   shell=True)
        #  for TestRoot
        check_call('cd %s; %scert-to-efi-hash-list -g %s -t "2020-07-22" -s 256 TestRoot.crt TestRoot.crl; %ssign-efi-sig-list -t "2020-07-19" -c KEK.crt -k KEK.key dbx TestRoot.crl dbx_c.auth'
                   % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
                   shell=True)
        # Sign image
        # additional intermediate certificates may be included
        # in SignedData
        check_call('cp %s/lib/efi_loader/helloworld.efi %s' %
                   (u_boot_config.build_dir, mnt_point), shell=True)
        # signed by TestCert
        check_call('cd %s; %ssbsign --key TestCert.key --cert TestCert.crt --out helloworld.efi.signed_a helloworld.efi'
                   % (mnt_point, SBSIGN_PATH), shell=True)
        # signed by TestCert with TestSub in signature
        check_call('cd %s; %ssbsign --key TestCert.key --cert TestCert.crt --addcert TestSub.crt --out helloworld.efi.signed_ab helloworld.efi'
                   % (mnt_point, SBSIGN_PATH), shell=True)
        # signed by TestCert with TestSub and TestRoot in signature
        check_call('cd %s; cat TestSub.crt TestRoot.crt > TestSubRoot.crt; %ssbsign --key TestCert.key --cert TestCert.crt --addcert TestSubRoot.crt --out helloworld.efi.signed_abc helloworld.efi'
                   % (mnt_point, SBSIGN_PATH), shell=True)
        check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat {} {}'.format(mnt_point, image_path), shell=True)
        check_call('rm -rf {}'.format(mnt_point), shell=True)
    except CalledProcessError as e:
        pytest.skip('Setup failed: %s' % e.cmd)
        return
    else:
        yield image_path
    finally:
        call('rm -f %s' % image_path, shell=True)
--- a/test/py/tests/test_efi_secboot/defs.py
+++ b/test/py/tests/test_efi_secboot/defs.py
@ -1,14 +1,14 @@
 # SPDX-License-Identifier:      GPL-2.0+
 # Disk image name
 EFI_SECBOOT_IMAGE_NAME = 'test_efi_secboot.img'
 # Owner guid
 GUID = '11111111-2222-3333-4444-123456789abc'
 # v1.5.1 or earlier of efitools has a bug in sha256 calculation, and
 # you need build a newer version on your own.
 # The path must terminate with '/'.
 EFITOOLS_PATH = ''
-# Hello World application for sandbox
+# "--addcert" option of sbsign must be available, otherwise
-HELLO_PATH = ''
+# you need build a newer version on your own.
 # The path must terminate with '/'.
 SBSIGN_PATH = ''
--- a/test/py/tests/test_efi_secboot/openssl.cnf
+++ b/test/py/tests/test_efi_secboot/openssl.cnf
@ -0,0 +1,48 @@
 [ ca ]
 default_ca = CA_default
 [ CA_default ]
 new_certs_dir = .
 database = ./index.txt
 serial = ./serial
 default_md = sha256
 policy = policy_min
 [ req ]
 distinguished_name = def_distinguished_name
 [def_distinguished_name]
 # Extensions
 #   -addext " ... = ..."
 #
 [ v3_ca ]
   # Extensions for a typical Root CA.
   basicConstraints = critical,CA:TRUE
   keyUsage = critical, digitalSignature, cRLSign, keyCertSign
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid:always,issuer
 [ v3_int_ca ]
   # Extensions for a typical intermediate CA.
   basicConstraints = critical, CA:TRUE
   keyUsage = critical, digitalSignature, cRLSign, keyCertSign
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid:always,issuer
 [ usr_cert ]
   # Extensions for user end certificates.
   basicConstraints = CA:FALSE
   keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
   extendedKeyUsage = clientAuth, emailProtection
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid,issuer
 [ policy_min ]
   countryName		= optional
   stateOrProvinceName	= optional
   localityName		= optional
   organizationName	= optional
   organizationalUnitName = optional
   commonName		= supplied
   emailAddress		= optional
--- a/test/py/tests/test_efi_secboot/test_signed.py
+++ b/test/py/tests/test_efi_secboot/test_signed.py
@ -157,7 +157,8 @@ class TestEfiSignedImage(object):
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env
        with u_boot_console.log.section('Test Case 5a'):
-            # Test Case 5a, rejected if any of signatures is not verified
+            # Test Case 5a, authenticated even if only one of signatures
            # is verified
            output = u_boot_console.run_command_list([
                'host bind 0 %s' % disk_img,
                'fatload host 0:1 4000000 db.auth',
@ -171,8 +172,7 @@ class TestEfiSignedImage(object):
                'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""',
                'efidebug boot next 1',
                'efidebug test bootmgr'])
-            assert '\'HELLO\' failed' in ''.join(output)
+            assert 'Hello, world!' in ''.join(output)
            assert 'efi_start_image() returned: 26' in ''.join(output)
        with u_boot_console.log.section('Test Case 5b'):
            # Test Case 5b, authenticated if both signatures are verified
@ -181,19 +181,29 @@ class TestEfiSignedImage(object):
                'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db'])
            assert 'Failed to set EFI variable' not in ''.join(output)
            output = u_boot_console.run_command_list([
                'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""',
                'efidebug boot next 1',
-                'bootefi bootmgr'])
+                'efidebug test bootmgr'])
            assert 'Hello, world!' in ''.join(output)
        with u_boot_console.log.section('Test Case 5c'):
-            # Test Case 5c, rejected if any of signatures is revoked
+            # Test Case 5c, not rejected if one of signatures (digest of
            # certificate) is revoked
            output = u_boot_console.run_command_list([
-                'fatload host 0:1 4000000 dbx_hash1.auth',
+                'fatload host 0:1 4000000 dbx_hash.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
            assert 'Failed to set EFI variable' not in ''.join(output)
            output = u_boot_console.run_command_list([
-                'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""',
+                'efidebug boot next 1',
                'efidebug test bootmgr'])
            assert 'Hello, world!' in ''.join(output)
        with u_boot_console.log.section('Test Case 5d'):
            # Test Case 5d, rejected if both of signatures are revoked
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 dbx_hash1.auth',
                'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize dbx'])
            assert 'Failed to set EFI variable' not in ''.join(output)
            output = u_boot_console.run_command_list([
                'efidebug boot next 1',
                'efidebug test bootmgr'])
            assert '\'HELLO\' failed' in ''.join(output)
--- a/test/py/tests/test_efi_secboot/test_signed_intca.py
+++ b/test/py/tests/test_efi_secboot/test_signed_intca.py
@ -0,0 +1,135 @@
 # SPDX-License-Identifier:      GPL-2.0+
 # Copyright (c) 2020, Linaro Limited
 # Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
 #
 # U-Boot UEFI: Image Authentication Test (signature with certificates chain)
 """
 This test verifies image authentication for a signed image which is signed
 by user certificate and contains additional intermediate certificates in its
 signature.
 """
 import pytest
@pytest.mark.boardspec('sandbox')
@pytest.mark.buildconfigspec('efi_secure_boot')
@pytest.mark.buildconfigspec('cmd_efidebug')
@pytest.mark.buildconfigspec('cmd_fat')
@pytest.mark.buildconfigspec('cmd_nvedit_efi')
@pytest.mark.slow
 class TestEfiSignedImageIntca(object):
    def test_efi_signed_image_intca1(self, u_boot_console, efi_boot_env_intca):
        """
        Test Case 1 - authenticated by root CA in db
        """
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env_intca
        with u_boot_console.log.section('Test Case 1a'):
            # Test Case 1a, with no Int CA and not authenticated by root CA
            output = u_boot_console.run_command_list([
                'host bind 0 %s' % disk_img,
                'fatload host 0:1 4000000 db_c.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
            assert 'Failed to set EFI variable' not in ''.join(output)
            output = u_boot_console.run_command_list([
                'efidebug boot add 1 HELLO_a host 0:1 /helloworld.efi.signed_a ""',
                'efidebug boot next 1',
                'efidebug test bootmgr'])
            assert '\'HELLO_a\' failed' in ''.join(output)
            assert 'efi_start_image() returned: 26' in ''.join(output)
        with u_boot_console.log.section('Test Case 1b'):
            # Test Case 1b, signed and authenticated by root CA
            output = u_boot_console.run_command_list([
                'efidebug boot add 2 HELLO_ab host 0:1 /helloworld.efi.signed_ab ""',
                'efidebug boot next 2',
                'bootefi bootmgr'])
            assert 'Hello, world!' in ''.join(output)
    def test_efi_signed_image_intca2(self, u_boot_console, efi_boot_env_intca):
        """
        Test Case 2 - authenticated by root CA in db
        """
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env_intca
        with u_boot_console.log.section('Test Case 2a'):
            # Test Case 2a, unsigned and not authenticated by root CA
            output = u_boot_console.run_command_list([
                'host bind 0 %s' % disk_img,
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
            assert 'Failed to set EFI variable' not in ''.join(output)
            output = u_boot_console.run_command_list([
                'efidebug boot add 1 HELLO_abc host 0:1 /helloworld.efi.signed_abc ""',
                'efidebug boot next 1',
                'efidebug test bootmgr'])
            assert '\'HELLO_abc\' failed' in ''.join(output)
            assert 'efi_start_image() returned: 26' in ''.join(output)
        with u_boot_console.log.section('Test Case 2b'):
            # Test Case 2b, signed and authenticated by root CA
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 db_b.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
                'efidebug boot next 1',
                'efidebug test bootmgr'])
            assert '\'HELLO_abc\' failed' in ''.join(output)
            assert 'efi_start_image() returned: 26' in ''.join(output)
        with u_boot_console.log.section('Test Case 2c'):
            # Test Case 2c, signed and authenticated by root CA
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 db_c.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
                'efidebug boot next 1',
                'efidebug test bootmgr'])
            assert 'Hello, world!' in ''.join(output)
    def test_efi_signed_image_intca3(self, u_boot_console, efi_boot_env_intca):
        """
        Test Case 3 - revoked by dbx
        """
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env_intca
        with u_boot_console.log.section('Test Case 3a'):
            # Test Case 3a, revoked by int CA in dbx
            output = u_boot_console.run_command_list([
                'host bind 0 %s' % disk_img,
                'fatload host 0:1 4000000 dbx_b.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
                'fatload host 0:1 4000000 db_c.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
            assert 'Failed to set EFI variable' not in ''.join(output)
            output = u_boot_console.run_command_list([
                'efidebug boot add 1 HELLO_abc host 0:1 /helloworld.efi.signed_abc ""',
                'efidebug boot next 1',
                'efidebug test bootmgr'])
            assert 'Hello, world!' in ''.join(output)
            # Or,
            # assert '\'HELLO_abc\' failed' in ''.join(output)
            # assert 'efi_start_image() returned: 26' in ''.join(output)
        with u_boot_console.log.section('Test Case 3b'):
            # Test Case 3b, revoked by root CA in dbx
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 dbx_c.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
                'efidebug boot next 1',
                'efidebug test bootmgr'])
            assert '\'HELLO_abc\' failed' in ''.join(output)
            assert 'efi_start_image() returned: 26' in ''.join(output)