public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Wadhawan, Divneil R" <divneil.r.wadhawan@intel.com>
To: devel@edk2.groups.io
Cc: Jiewen Yao <jiewen.yao@intel.com>,
	Jian J Wang <jian.j.wang@intel.com>, Min Xu <min.m.xu@intel.com>,
	Michael D Kinney <michael.d.kinney@intel.com>
Subject: [Patch 2/2] SecurityPkg: Add support for SHA-384/SHA-512 digest algos
Date: Thu, 10 Dec 2020 00:02:43 +0530	[thread overview]
Message-ID: <20201209183243.30504-3-divneil.r.wadhawan@intel.com> (raw)
In-Reply-To: <20201209183243.30504-1-divneil.r.wadhawan@intel.com>

o Existing implementation of Authenticated Variables only
  support SHA-256 digest algorithms in signing scheme.

o This has been extended to support SHA-384 and SHA-512 algorithms

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com>
---
 SecurityPkg/Library/AuthVariableLib/AuthService.c |  8 +++--
 AuthVariableDigestUpdate.md                       | 41 +++++++++++++++++++++++
 2 files changed, 47 insertions(+), 2 deletions(-)
 create mode 100644 AuthVariableDigestUpdate.md

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 4fb609504d..8f024c42a8 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -35,6 +35,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };
 
 CONST UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
+CONST UINT8 mSha384OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 };
+CONST UINT8 mSha512OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 };
 
 //
 // Requirement for different signature type which have been defined in UEFI spec.
@@ -1901,7 +1903,7 @@ VerifyTimeBasedPayload (
 
   //
   // SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the
-  // signature. Only a digest algorithm of SHA-256 is accepted.
+  // signature. Digest algorithm of SHA-256, SHA-384, SHA-512 are accepted.
   //
   //    According to PKCS#7 Definition:
   //        SignedData ::= SEQUENCE {
@@ -1916,7 +1918,9 @@ VerifyTimeBasedPayload (
   if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
     if (SigDataSize >= (13 + sizeof (mSha256OidValue))) {
       if (((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) ||
-           (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)) {
+           ((CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0) &&
+            (CompareMem (SigData + 13, &mSha384OidValue, sizeof (mSha384OidValue)) != 0) &&
+            (CompareMem (SigData + 13, &mSha512OidValue, sizeof (mSha512OidValue)) != 0))) {
           return EFI_SECURITY_VIOLATION;
         }
     }
diff --git a/AuthVariableDigestUpdate.md b/AuthVariableDigestUpdate.md
new file mode 100644
index 0000000000..10992845a4
--- /dev/null
+++ b/AuthVariableDigestUpdate.md
@@ -0,0 +1,41 @@
+# Title: Digest Algorithm flexibility in Authenticated Variable signatures
+
+# Status: Draft
+
+# Document: UEFI Specification Version 2.8
+
+# License
+
+SPDX-License-Identifier: CC-BY-4.0
+
+# Submitter: [TianoCore Community](https://www.tianocore.org)
+
+# Summary of the change
+EFI_VARIABLE_AUTHENTICATION_2 specifies the SignedData.digestAlgorithms to be always
+SHA256. The implication is that the signing algorithm can use RSA keys greater than
+2048 bits, but the digest algorithm remains SHA256. The proposed change is to allow
+digest algorithm to be greater than SHA256.
+
+# Benefits of the change
+This brings agility to the signing mechanism of Authenticated variables by allowing
+it to sign a larger digest.
+
+# Impact of the change
+There is no impact on the existing Authenticated variables.
+
+# Detailed description of the change [normative updates]
+
+<b>Bold text</b> indicates the proposed change
+
+8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2 descriptor
+When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is set, then the Data buffer shall begin with an instance of a complete (and serialized) ...
+
+Construct a DER-encoded PKCS #7 version 1.5 SignedData (see [RFC2315]) with the signed content as follows:
+
+a. SignedData.version shall be set to 1
+
+b. SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the signature. <b>Only a digest algorithm greater than or equal to SHA-256 is accepted.</b>
+
+
+# Special Instructions
+NA
-- 
2.16.2.windows.1


  parent reply	other threads:[~2020-12-09 18:33 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-12-09 18:32 [Patch 0/2] Extending the signing algorithms for Authenticated Variables Wadhawan, Divneil R
2020-12-09 18:32 ` [Patch 1/2] MdeModulePkg: Add unit test " Wadhawan, Divneil R
2020-12-09 20:18   ` [EXTERNAL] [edk2-devel] " Bret Barkelew
2020-12-10  7:56     ` Wadhawan, Divneil R
2020-12-09 18:32 ` Wadhawan, Divneil R [this message]
2020-12-09 20:21   ` [EXTERNAL] [edk2-devel] [Patch 2/2] SecurityPkg: Add support for SHA-384/SHA-512 digest algos Bret Barkelew
2020-12-09 21:46     ` Michael D Kinney
2020-12-09 22:28       ` Yao, Jiewen
2020-12-09 18:49 ` [edk2-devel] [Patch 0/2] Extending the signing algorithms for Authenticated Variables Michael D Kinney

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201209183243.30504-3-divneil.r.wadhawan@intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox