Description
Code First Item Overview
The UEFI spec supports several time-based revocation mechanisms, all of which operate relative to times in structures. Nowhere does it mention the use of X.509 certificate not before and not after dates. Since the system clock in UEFI is not secure (and could be set to an arbitrary value either accidentally or on purpose), it may not be relied on to enforce absolute certificate expiry; thus the spec should state explicitly that the validity of any UEFI certificate should not be compared against system time.
The proposal is to add an additional paragraph to 32.6.1 UEFI Image Validation - Overview.
[Proposal]
If a firmware supports the EFI_CERT_X509_SHA*_GUID signature types it should not compare the certificate validity period against system date and time. This is because the system date and time are insecure and may not be correctly set on some systems, so doing validity comparisons could result in spurious and hard to diagnose image validation failures. The upshot is that any X509 certificate should always be treated as unexpired, but it may still be revoked using a time-based revocation.
What specification(s) are directly related?
UEFI
Anything else?
No response
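The policy proposed above, sketched as an added example (not code from the UEFI specification or EDK II): the signer's validity period is never compared against any clock, while a time-based revocation entry is still enforced. All type and function names are hypothetical; the sketch assumes the signing time comes from a timestamp countersignature that was already verified, and that a time-revoked signer without such a signing time is rejected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified types for illustration only. */
typedef struct { uint16_t year; uint8_t month, day, hour, minute, second; } cert_time;

typedef struct {
    cert_time not_before, not_after; /* X.509 validity: parsed, deliberately never checked */
    uint8_t   tbs_hash[32];          /* SHA-256 of the to-be-signed certificate */
} signer_cert;

typedef struct {                     /* models an EFI_CERT_X509_SHA256 revocation entry */
    uint8_t   tbs_hash[32];
    cert_time time_of_revocation;    /* all zero: always revoked */
} revocation_entry;

/* Pack a time into one integer so that ordering matches chronological order. */
static uint64_t time_key(const cert_time *t) {
    uint64_t k = t->year;
    k = k * 100 + t->month;  k = k * 100 + t->day;
    k = k * 100 + t->hour;   k = k * 100 + t->minute;
    return k * 100 + t->second;
}

/* signing_time: taken from an already-verified timestamp signature, or NULL if
 * the image carries none. No system clock is read anywhere in this function. */
bool signer_is_acceptable(const signer_cert *cert, const revocation_entry *dbx,
                          size_t count, const cert_time *signing_time) {
    for (size_t i = 0; i < count; i++) {
        if (memcmp(cert->tbs_hash, dbx[i].tbs_hash, sizeof cert->tbs_hash) != 0)
            continue;                              /* entry is for another certificate */
        uint64_t revoked_at = time_key(&dbx[i].time_of_revocation);
        if (revoked_at == 0) return false;         /* revoked for all time */
        if (signing_time == NULL) return false;    /* assumption: no trusted time, reject */
        if (time_key(signing_time) > revoked_at) return false; /* signed after revocation */
    }
    return true; /* not_before / not_after were never consulted: treated as unexpired */
}

int main(void) {
    /* Constructed sample: a certificate whose not_after lies far in the past. */
    signer_cert old = { {2000, 1, 1, 0, 0, 0}, {2001, 1, 1, 0, 0, 0}, {0xAA} };
    return signer_is_acceptable(&old, NULL, 0, NULL) ? 0 : 1;
}
```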