Intel Extensible Firmware Interface User Manual

Protocols

— Network Support

Version 1.10

12/01/02

15-97

This identifies the section that carries the integrity data for the Boot Object. The string
“

memory:BootObject

” must appear exactly as shown. Note that the Boot Object cannot be

found directly from this manifest. A caller verifying the Boot Object integrity must load the Boot
Object into memory and specify its memory location explicitly to this verification function through
the

DataObject

parameter.

Digest-Algorithms: SHA-1

This enumerates the digest algorithms for which integrity data is included for the data object. For
systems with DSA signing, SHA-1 hash, and 1024-bit key length, the digest algorithm must be
“

SHA-1

.” For systems with RSA signing, MD5 hash, and 512-bit key length, the digest algorithm

must be “

MD5

.” Multiple algorithms can be specified as a whitespace-separated list. For every

digest algorithm

XXX

listed, there must also be a corresponding

XXX-Digest

line.

SHA-1-Digest: (base-64 representation of a SHA-1 digest of the boot object)

Gives the corresponding digest value for the data object. The value is base-64 encoded.

//**********************************************************
// Signer’s Information File Example
//**********************************************************

The signer’s information file must include a section whose name matches the reserved data object
section name of the section in the Manifest file. This section in the signer’s information file carries
the integrity data for the corresponding section in the manifest file. An example signer’s
information file is shown below.

Signature-Version: 2.0
SignerInformationPersistentId: (base-64 representation of a
unique GUID)
SignerInformationName: BIS_VerifiableObjectSignerInfoName

Name: memory:BootObject
Digest-Algorithms: SHA-1
SHA-1-Digest: (base-64 representation of a SHA-1 digest of the
corresponding manifest section)

A line-by-line description of this signer’s information file is as follows.

Signature-Version: 2.0

This is a standard header line that all signed manifests have. It must appear exactly as shown.

SignerInformationPersistentId: (base-64 representation of a unique GUID)

The left-hand string must appear exactly as shown. The right-hand string must be a unique GUID
for every signer’s information file created. The Win32 function UuidCreate() can be used for this
on Win32 systems. The GUID is a binary value that must be base-64 encoded. Base-64 is a simple
encoding scheme for representing binary values that uses only printing characters. Base-64
encoding is described in [BASE-64].

SignerInformationName: BIS_VerifiableObjectSignerInfoName