Zammis Clark wrote:
> > It doesn't help that Microsoft does not embed the name of the party
> who submitted an UEFI driver for signing in the signature itself.
>
> Microsoft does do this; it's in an authenticated attribute with OID
> 1.3.6.1.4.1.311.2.1.12, aka "SPC_SP_OPUS_INFO_OBJID", it's documented as
> part of Office document file formats (VBA signing):
> https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-oshared/9…
With a name like this (a cryptic abbreviation "SPC_SP_OPUS_INFO_OBJID" that
does not make it obvious that this is the submitter) and documentation in
such a weird place (only one of the many items that can be signed by
Microsoft), is it any wonder that, as you write:
> The same thing is done for Windows drivers that they sign; Windows
> understands this attribute (binaries from specific parties can be
> blocked by the CiPolicy/SiPolicy which is Microsoft's current
> Windows-specific revocation list du jour), but UEFI firmware does not
> (yet).
only Windows understands this attribute?
Kevin Kofler