[crypto] Support extracting certificates from EFI signature list images

Add support for the EFI signature list image format (as produced by tools such as efisecdb). The parsing code does not require any EFI boot services functions and so may be enabled even in non-EFI builds. We default to enabling it only for EFI builds. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-23 04:29:01 +03:00 · 2025-03-11 11:58:28 +00:00
parent 26a8fed710
commit 5f3ecbde5a
8 changed files with 449 additions and 0 deletions
--- a/src/include/ipxe/efi/efi_siglist.h
+++ b/src/include/ipxe/efi/efi_siglist.h
@@ -0,0 +1,22 @@
+#ifndef _IPXE_EFI_SIGLIST_H
+#define _IPXE_EFI_SIGLIST_H
+
+/** @file
+ *
+ * PEM-encoded ASN.1 data
+ *
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+#include <stdint.h>
+#include <ipxe/uaccess.h>
+#include <ipxe/asn1.h>
+#include <ipxe/image.h>
+
+extern int efisig_asn1 ( userptr_t data, size_t len, size_t offset,
+			 struct asn1_cursor **cursor );
+
+extern struct image_type efisig_image_type __image_type ( PROBE_NORMAL );
+
+#endif /* _IPXE_EFI_SIGLIST_H */
--- a/src/include/ipxe/errfile.h
+++ b/src/include/ipxe/errfile.h
@@ -323,6 +323,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define ERRFILE_archive		      ( ERRFILE_IMAGE | 0x000a0000 )
 #define ERRFILE_zlib		      ( ERRFILE_IMAGE | 0x000b0000 )
 #define ERRFILE_gzip		      ( ERRFILE_IMAGE | 0x000c0000 )
+#define ERRFILE_efi_siglist	      ( ERRFILE_IMAGE | 0x000d0000 )

 #define ERRFILE_asn1		      ( ERRFILE_OTHER | 0x00000000 )
 #define ERRFILE_chap		      ( ERRFILE_OTHER | 0x00010000 )