The secure boot framework does not support RSA-PSS.


The secure boot framework finally invokes PKCS7_verify() of OpenSSL. It has been verified that PKCS7_verify() does not support verifying the contents of an RSA-PSS signature. The CMS_verify() interface supports RSA-PSS verification. I would like to ask if the EDK2 Secure Boot Framework has any plans to support RSA-PSS.

BUG 3314 seems to introduce an interface for RSA-PSS(RsaPssVerify). However, this interface is not applicable to secure boot frameworks. It's just an underlying interface.