[crypto] Support extracting certificates from EFI signature list images

Add support for the EFI signature list image format (as produced by tools such as efisecdb). The parsing code does not require any EFI boot services functions and so may be enabled even in non-EFI builds. We default to enabling it only for EFI builds. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-21 09:57:23 +03:00 · 2025-03-11 11:58:28 +00:00
parent 26a8fed710
commit 5f3ecbde5a
8 changed files with 449 additions and 0 deletions
--- a/src/config/config_asn1.c
+++ b/src/config/config_asn1.c
@@ -37,3 +37,6 @@ REQUIRE_OBJECT ( der );
 #ifdef IMAGE_PEM
 REQUIRE_OBJECT ( pem );
 #endif
+#ifdef IMAGE_EFISIG
+REQUIRE_OBJECT ( efi_siglist );
+#endif
--- a/src/config/defaults/efi.h
+++ b/src/config/defaults/efi.h
@@ -35,6 +35,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

 #define	IMAGE_EFI		/* EFI image support */
 #define	IMAGE_SCRIPT		/* iPXE script image support */
+#define IMAGE_EFISIG		/* EFI signature list support */

 #define	SANBOOT_PROTO_ISCSI	/* iSCSI protocol */
 #define	SANBOOT_PROTO_AOE	/* AoE protocol */
--- a/src/config/general.h
+++ b/src/config/general.h
@@ -125,6 +125,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define	IMAGE_PNG		/* PNG image support */
 #define	IMAGE_DER		/* DER image support */
 #define	IMAGE_PEM		/* PEM image support */
+//#define	IMAGE_EFISIG		/* EFI signature list image support */
 //#define	IMAGE_ZLIB		/* ZLIB image support */
 //#define	IMAGE_GZIP		/* GZIP image support */
 //#define	IMAGE_UCODE		/* Microcode update image support */