From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga18.intel.com (mga18.intel.com [134.134.136.126]) by mx.groups.io with SMTP id smtpd.web11.5226.1684992201628739504 for ; Wed, 24 May 2023 22:23:22 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=KDk9y0gG; spf=pass (domain: intel.com, ip: 134.134.136.126, mailfrom: w.sheng@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1684992201; x=1716528201; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=sxh3Dg6ZA+G7628CDfk7uKiOs49MpOos54Sti3LZVIM=; b=KDk9y0gGDLqn4eTQHdSq99bIV68RPT6b9Gu8/dU/XCZ8FXkaxddwLSHk /wf4CdJpC1DGonHNynYUG0q865HulH0Z8QtxnqY57f49zDAexFichdEu0 xhKXODlvEzbWwZMI3//N60bJ30BJ+XkuV5oIgto2XNB8z7hYhQN9ay3y5 FqacyPgyW6TL532EeP5QZS4irOWp159krSnnlbFaUiIDKfOSdRss24GRL FY99wU44xGSfWothbT+neokRdiUJpueheNcj9YjozewJBJewZC5KeBl06 QJr+qP2Zbe6r+cGt7/1ML5a9CtwJWRVvJ8mIUzSI+5S+E1HIBzv16NqCi w==; X-IronPort-AV: E=McAfee;i="6600,9927,10720"; a="338361396" X-IronPort-AV: E=Sophos;i="6.00,190,1681196400"; d="scan'208";a="338361396" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 May 2023 22:23:21 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10720"; a="737574163" X-IronPort-AV: E=Sophos;i="6.00,190,1681196400"; d="scan'208";a="737574163" Received: from shwdesssddpdwei.ccr.corp.intel.com ([10.239.157.28]) by orsmga001.jf.intel.com with ESMTP; 24 May 2023 22:23:18 -0700 
From: "Sheng Wei" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Min Xu , Zeyi Chen , Fiona Wang Subject: [PATCH] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 Date: Thu, 25 May 2023 13:23:16 +0800 Message-Id: <20230525052316.512-1-w.sheng@intel.com> X-Mailer: git-send-email 2.26.2.windows.1 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3413 Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Cc: Zeyi Chen Cc: Fiona Wang Signed-off-by: Sheng Wei --- CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- MdePkg/Include/Guid/ImageAuthentication.h | 26 ++ MdePkg/MdePkg.dec | 2 + .../Library/AuthVariableLib/AuthService.c | 272 ++++++++++++++++-- .../Library/AuthVariableLib/AuthVariableLib.c | 4 +- .../DxeImageVerificationLib.c | 35 ++- .../DxeImageVerificationLib.inf | 1 + SecurityPkg/SecurityPkg.dec | 7 + .../SecureBootConfigDxe.inf | 19 ++ .../SecureBootConfigImpl.c | 122 +++++++- .../SecureBootConfigImpl.h | 2 + .../SecureBootConfigStrings.uni | 6 + 12 files changed, 463 insertions(+), 36 deletions(-) diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Librar= y/BaseCryptLib/Pk/CryptTs.c index 027dbb6842..944bcf8d38 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c @@ -591,7 +591,8 @@ ImageTimestampVerify ( // Register & Initialize necessary digest algorithms for PKCS#7 Handling= .=0D //=0D if ((EVP_add_digest (EVP_md5 ()) =3D=3D 0) || (EVP_add_digest (EVP_sha1 = ()) =3D=3D 0) ||=0D - (EVP_add_digest (EVP_sha256 ()) =3D=3D 0) || ((EVP_add_digest_alias = (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) =3D=3D 0))=0D + (EVP_add_digest (EVP_sha256 ()) =3D=3D 0) || (EVP_add_digest (EVP_sh= a384 ()) =3D=3D 0) ||=0D + (EVP_add_digest (EVP_sha512 ()) =3D=3D 0) || ((EVP_add_digest_alias = (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) =3D=3D 0))=0D {=0D return FALSE;=0D }=0D 
diff --git a/MdePkg/Include/Guid/ImageAuthentication.h b/MdePkg/Include/Gui= d/ImageAuthentication.h index fe83596571..c8ea2c14fb 100644 --- a/MdePkg/Include/Guid/ImageAuthentication.h +++ b/MdePkg/Include/Guid/ImageAuthentication.h @@ -144,6 +144,30 @@ typedef struct { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3,= 0xb6} \=0D }=0D =0D +///=0D +/// This identifies a signature containing an RSA-3072 key. The key (only = the modulus=0D +/// since the public key exponent is known to be 0x10001) shall be stored = in big-endian=0D +/// order.=0D +/// The SignatureHeader size shall always be 0. The SignatureSize shall al= ways be 16 (size=0D +/// of SignatureOwner component) + 384 bytes.=0D +///=0D +#define EFI_CERT_RSA3072_GUID \=0D + { \=0D + 0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee,= 0x92 } \=0D + }=0D +=0D +///=0D +/// This identifies a signature containing an RSA-4096 key. The key (only = the modulus=0D +/// since the public key exponent is known to be 0x10001) shall be stored = in big-endian=0D +/// order.=0D +/// The SignatureHeader size shall always be 0. The SignatureSize shall al= ways be 16 (size=0D +/// of SignatureOwner component) + 512 bytes.=0D +///=0D +#define EFI_CERT_RSA4096_GUID \=0D + { \=0D + 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98,= 0x2c } \=0D + }=0D +=0D ///=0D /// This identifies a signature containing a RSA-2048 signature of a SHA-2= 56 hash. The=0D /// SignatureHeader size shall always be 0. The SignatureSize shall always= be 16 (size of=0D @@ -330,6 +354,8 @@ typedef struct { extern EFI_GUID gEfiImageSecurityDatabaseGuid;=0D extern EFI_GUID gEfiCertSha256Guid;=0D extern EFI_GUID gEfiCertRsa2048Guid;=0D +extern EFI_GUID gEfiCertRsa3072Guid;=0D +extern EFI_GUID gEfiCertRsa4096Guid;=0D extern EFI_GUID gEfiCertRsa2048Sha256Guid;=0D extern EFI_GUID gEfiCertSha1Guid;=0D extern EFI_GUID gEfiCertRsa2048Sha1Guid;=0D 
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index 80b6559053..782f6d184d 100644 --- a/MdePkg/MdePkg.dec +++ b/MdePkg/MdePkg.dec @@ -562,6 +562,8 @@ gEfiImageSecurityDatabaseGuid =3D { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3, = 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f }}=0D gEfiCertSha256Guid =3D { 0xc1c41626, 0x504c, 0x4092, {0xac, = 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }}=0D gEfiCertRsa2048Guid =3D { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, = 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6 }}=0D + gEfiCertRsa3072Guid =3D { 0xedd320c2, 0xb057, 0x4b8e, {0xad, = 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }}=0D + gEfiCertRsa4096Guid =3D { 0xb23e89a6, 0x8c8b, 0x4412, {0x85, = 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c }}=0D gEfiCertRsa2048Sha256Guid =3D { 0xe2b36190, 0x879b, 0x4a3d, {0xad, = 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }}=0D gEfiCertSha1Guid =3D { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, = 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd }}=0D gEfiCertRsa2048Sha1Guid =3D { 0x67f8444f, 0x8743, 0x48f1, {0xa3, = 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }}=0D diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPk= g/Library/AuthVariableLib/AuthService.c index 452ed491ea..288e44a359 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -29,12 +29,16 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include =0D #include =0D =0D +#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE=0D +=0D //=0D // Public Exponent of RSA Key.=0D //=0D CONST UINT8 mRsaE[] =3D { 0x01, 0x00, 0x01 };=0D =0D CONST UINT8 mSha256OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0= x04, 0x02, 0x01 };=0D +CONST UINT8 mSha384OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0= x04, 0x02, 0x02 };=0D +CONST UINT8 mSha512OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0= x04, 0x02, 0x03 };=0D =0D //=0D // Requirement for different signature type which have been defined in UEF= I spec.=0D 
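Review bot: The two new OID tables mSha384OidValue and mSha512OidValue in the @@ -29 hunk of AuthService.c carry no comment saying which OID each byte string encodes, although the `mRsaE` definition just above them does get one. These bytes are what VerifyTimeBasedPayload later compares against the PKCS#7 digestAlgorithms field, so a reader currently has to decode DER by hand to check them; add `// DER encoding of id-sha384 (2.16.840.1.101.3.4.2.2)` and `// DER encoding of id-sha512 (2.16.840.1.101.3.4.2.3)` above the respective lines (the existing SHA-256 table is 2.16.840.1.101.3.4.2.1 and would benefit from the same). The new `SHA_DIGEST_SIZE_MAX` define should likewise state in a one-line comment that it sizes the shared ShaDigest buffers for the largest supported digest.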
@@ -44,6 +48,8 @@ EFI_SIGNATURE_ITEM mSupportSigItem[] =3D { // {SigType, SigHeaderSize, SigDataSize }=0D { EFI_CERT_SHA256_GUID, 0, 32 },=0D { EFI_CERT_RSA2048_GUID, 0, 256 },=0D + { EFI_CERT_RSA3072_GUID, 0, 384 },=0D + { EFI_CERT_RSA4096_GUID, 0, 512 },=0D { EFI_CERT_RSA2048_SHA256_GUID, 0, 256 },=0D { EFI_CERT_SHA1_GUID, 0, 20 },=0D { EFI_CERT_RSA2048_SHA1_GUID, 0, 256 },=0D 
@@ -1172,6 +1178,172 @@ CalculatePrivAuthVarSignChainSHA256Digest ( return EFI_SUCCESS;=0D }=0D =0D +/**=0D + Calculate SHA38 digest of SignerCert CommonName + ToplevelCert tbsCertif= icate=0D + SignerCert and ToplevelCert are inside the signer certificate chain.=0D +=0D + @param[in] SignerCert A pointer to SignerCert data.=0D + @param[in] SignerCertSize Length of SignerCert data.=0D + @param[in] TopLevelCert A pointer to TopLevelCert data.=0D + @param[in] TopLevelCertSize Length of TopLevelCert data.=0D + @param[out] Sha384Digest Sha384 digest calculated.=0D +=0D + @return EFI_ABORTED Digest process failed.=0D + @return EFI_SUCCESS SHA384 Digest is successfully calculated.=0D +=0D +**/=0D +EFI_STATUS=0D +CalculatePrivAuthVarSignChainSHA384Digest (=0D + IN UINT8 *SignerCert,=0D + IN UINTN SignerCertSize,=0D + IN UINT8 *TopLevelCert,=0D + IN UINTN TopLevelCertSize,=0D + OUT UINT8 *Sha384Digest=0D + )=0D +{=0D + UINT8 *TbsCert;=0D + UINTN TbsCertSize;=0D + CHAR8 CertCommonName[128];=0D + UINTN CertCommonNameSize;=0D + BOOLEAN CryptoStatus;=0D + EFI_STATUS Status;=0D +=0D + CertCommonNameSize =3D sizeof (CertCommonName);=0D +=0D + //=0D + // Get SignerCert CommonName=0D + //=0D + Status =3D X509GetCommonName (SignerCert, SignerCertSize, CertCommonName= , &CertCommonNameSize);=0D + if (EFI_ERROR (Status)) {=0D + DEBUG ((DEBUG_INFO, "%a Get SignerCert CommonName failed with status %= x\n", __FUNCTION__, Status));=0D + return EFI_ABORTED;=0D + }=0D +=0D + //=0D + // Get TopLevelCert tbsCertificate=0D + //=0D + if (!X509GetTBSCert (TopLevelCert, TopLevelCertSize, &TbsCert, &TbsCertS= ize)) {=0D + DEBUG ((DEBUG_INFO, "%a Get Top-level Cert tbsCertificate failed!\n", = __FUNCTION__));=0D + return EFI_ABORTED;=0D + }=0D +=0D + //=0D + // Digest SignerCert CN + TopLevelCert tbsCertificate=0D + //=0D + ZeroMem (Sha384Digest, SHA384_DIGEST_SIZE);=0D + CryptoStatus =3D Sha384Init (mHashCtx);=0D + if (!CryptoStatus) {=0D + return EFI_ABORTED;=0D + }=0D +=0D + //=0D + // '\0' is 
forced in CertCommonName. No overflow issue=0D + //=0D + CryptoStatus =3D Sha384Update (=0D + mHashCtx,=0D + CertCommonName,=0D + AsciiStrLen (CertCommonName)=0D + );=0D + if (!CryptoStatus) {=0D + return EFI_ABORTED;=0D + }=0D +=0D + CryptoStatus =3D Sha384Update (mHashCtx, TbsCert, TbsCertSize);=0D + if (!CryptoStatus) {=0D + return EFI_ABORTED;=0D + }=0D +=0D + CryptoStatus =3D Sha384Final (mHashCtx, Sha384Digest);=0D + if (!CryptoStatus) {=0D + return EFI_ABORTED;=0D + }=0D +=0D + return EFI_SUCCESS;=0D +}=0D +=0D +/**=0D + Calculate SHA512 digest of SignerCert CommonName + ToplevelCert tbsCerti= ficate=0D + SignerCert and ToplevelCert are inside the signer certificate chain.=0D +=0D + @param[in] SignerCert A pointer to SignerCert data.=0D + @param[in] SignerCertSize Length of SignerCert data.=0D + @param[in] TopLevelCert A pointer to TopLevelCert data.=0D + @param[in] TopLevelCertSize Length of TopLevelCert data.=0D + @param[out] Sha512Digest Sha512 digest calculated.=0D +=0D + @return EFI_ABORTED Digest process failed.=0D + @return EFI_SUCCESS SHA512 Digest is successfully calculated.=0D +=0D +**/=0D +EFI_STATUS=0D +CalculatePrivAuthVarSignChainSHA512Digest (=0D + IN UINT8 *SignerCert,=0D + IN UINTN SignerCertSize,=0D + IN UINT8 *TopLevelCert,=0D + IN UINTN TopLevelCertSize,=0D + OUT UINT8 *Sha512Digest=0D + )=0D +{=0D + UINT8 *TbsCert;=0D + UINTN TbsCertSize;=0D + CHAR8 CertCommonName[128];=0D + UINTN CertCommonNameSize;=0D + BOOLEAN CryptoStatus;=0D + EFI_STATUS Status;=0D +=0D + CertCommonNameSize =3D sizeof (CertCommonName);=0D +=0D + //=0D + // Get SignerCert CommonName=0D + //=0D + Status =3D X509GetCommonName (SignerCert, SignerCertSize, CertCommonName= , &CertCommonNameSize);=0D + if (EFI_ERROR (Status)) {=0D + DEBUG ((DEBUG_INFO, "%a Get SignerCert CommonName failed with status %= x\n", __FUNCTION__, Status));=0D + return EFI_ABORTED;=0D + }=0D +=0D + //=0D + // Get TopLevelCert tbsCertificate=0D + //=0D + if (!X509GetTBSCert (TopLevelCert, 
TopLevelCertSize, &TbsCert, &TbsCertS= ize)) {=0D + DEBUG ((DEBUG_INFO, "%a Get Top-level Cert tbsCertificate failed!\n", = __FUNCTION__));=0D + return EFI_ABORTED;=0D + }=0D +=0D + //=0D + // Digest SignerCert CN + TopLevelCert tbsCertificate=0D + //=0D + ZeroMem (Sha512Digest, SHA512_DIGEST_SIZE);=0D + CryptoStatus =3D Sha512Init (mHashCtx);=0D + if (!CryptoStatus) {=0D + return EFI_ABORTED;=0D + }=0D +=0D + //=0D + // '\0' is forced in CertCommonName. No overflow issue=0D + //=0D + CryptoStatus =3D Sha512Update (=0D + mHashCtx,=0D + CertCommonName,=0D + AsciiStrLen (CertCommonName)=0D + );=0D + if (!CryptoStatus) {=0D + return EFI_ABORTED;=0D + }=0D +=0D + CryptoStatus =3D Sha512Update (mHashCtx, TbsCert, TbsCertSize);=0D + if (!CryptoStatus) {=0D + return EFI_ABORTED;=0D + }=0D +=0D + CryptoStatus =3D Sha512Final (mHashCtx, Sha512Digest);=0D + if (!CryptoStatus) {=0D + return EFI_ABORTED;=0D + }=0D +=0D + return EFI_SUCCESS;=0D +}=0D +=0D /**=0D Find matching signer's certificates for common authenticated variable=0D by corresponding VariableName and VendorGuid from "certdb" or "certdbv".= =0D @@ -1526,6 +1698,7 @@ DeleteCertsFromDb ( @param[in] SignerCertSize Length of signer certificate.=0D @param[in] TopLevelCert Top-level certificate data.=0D @param[in] TopLevelCertSize Length of top-level certificate.=0D + @param[in] DigestSize Digest Size.=0D =0D @retval EFI_INVALID_PARAMETER Any input parameter is invalid.=0D @retval EFI_ACCESS_DENIED An AUTH_CERT_DB_DATA entry with same Vari= ableName=0D @@ -1542,7 +1715,8 @@ InsertCertsToDb ( IN UINT8 *SignerCert,=0D IN UINTN SignerCertSize,=0D IN UINT8 *TopLevelCert,=0D - IN UINTN TopLevelCertSize=0D + IN UINTN TopLevelCertSize,=0D + IN UINT32 DigestSize=0D )=0D {=0D EFI_STATUS Status;=0D 
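Review bot: CalculatePrivAuthVarSignChainSHA384Digest and CalculatePrivAuthVarSignChainSHA512Digest are copies of the existing SHA256 variant with only the Sha*Init/Update/Final calls and the digest size swapped, which triples the code that has to be kept in sync, and the dispatch in InsertCertsToDb at @@ -1618 and the three branches in VerifyTimeBasedPayload at @@ -2180 grow the same way. One function taking the digest size and selecting the hash primitives from it would collapse the copies and give every caller a single `Status = CalculatePrivAuthVarSignChainDigest (..., CertsSizeinDb, ShaDigest)` call; a sketch follows, with the two X509 lookups left as in the SHA256 variant. The doc comment of the SHA384 variant also reads `Calculate SHA38 digest`, which should be `SHA384`.
```c
EFI_STATUS
CalculatePrivAuthVarSignChainDigest (
  IN  UINT8   *SignerCert,
  IN  UINTN   SignerCertSize,
  IN  UINT8   *TopLevelCert,
  IN  UINTN   TopLevelCertSize,
  IN  UINT32  DigestSize,
  OUT UINT8   *Digest
  )
{
  UINT8       *TbsCert;
  UINTN       TbsCertSize;
  CHAR8       CertCommonName[128];
  UINTN       CertCommonNameSize;
  BOOLEAN     CryptoStatus;
  EFI_STATUS  Status;

  // ... unchanged: X509GetCommonName / X509GetTBSCert lookups from the SHA256 variant ...

  //
  // Digest SignerCert CN + TopLevelCert tbsCertificate with the primitive
  // matching DigestSize; the chain short-circuits on the first failed step.
  //
  ZeroMem (Digest, DigestSize);
  switch (DigestSize) {
    case SHA256_DIGEST_SIZE:
      CryptoStatus = Sha256Init (mHashCtx) &&
                     Sha256Update (mHashCtx, CertCommonName, AsciiStrLen (CertCommonName)) &&
                     Sha256Update (mHashCtx, TbsCert, TbsCertSize) &&
                     Sha256Final (mHashCtx, Digest);
      break;
    case SHA384_DIGEST_SIZE:
      CryptoStatus = Sha384Init (mHashCtx) &&
                     Sha384Update (mHashCtx, CertCommonName, AsciiStrLen (CertCommonName)) &&
                     Sha384Update (mHashCtx, TbsCert, TbsCertSize) &&
                     Sha384Final (mHashCtx, Digest);
      break;
    case SHA512_DIGEST_SIZE:
      CryptoStatus = Sha512Init (mHashCtx) &&
                     Sha512Update (mHashCtx, CertCommonName, AsciiStrLen (CertCommonName)) &&
                     Sha512Update (mHashCtx, TbsCert, TbsCertSize) &&
                     Sha512Final (mHashCtx, Digest);
      break;
    default:
      return EFI_UNSUPPORTED;
  }

  return CryptoStatus ? EFI_SUCCESS : EFI_ABORTED;
}
```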
@@ -1556,7 +1730,7 @@ InsertCertsToDb ( UINT32 CertDataSize;=0D AUTH_CERT_DB_DATA *Ptr;=0D CHAR16 *DbName;=0D - UINT8 Sha256Digest[SHA256_DIGEST_SIZE];=0D + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX];=0D =0D if ((VariableName =3D=3D NULL) || (VendorGuid =3D=3D NULL) || (SignerCer= t =3D=3D NULL) || (TopLevelCert =3D=3D NULL)) {=0D return EFI_INVALID_PARAMETER;=0D @@ -1618,20 +1792,41 @@ InsertCertsToDb ( // Construct new data content of variable "certdb" or "certdbv".=0D //=0D NameSize =3D (UINT32)StrLen (VariableName);=0D - CertDataSize =3D sizeof (Sha256Digest);=0D + CertDataSize =3D DigestSize;=0D CertNodeSize =3D sizeof (AUTH_CERT_DB_DATA) + (UINT32)CertDataSize + Na= meSize * sizeof (CHAR16);=0D NewCertDbSize =3D (UINT32)DataSize + CertNodeSize;=0D if (NewCertDbSize > mMaxCertDbSize) {=0D return EFI_OUT_OF_RESOURCES;=0D }=0D =0D - Status =3D CalculatePrivAuthVarSignChainSHA256Digest (=0D - SignerCert,=0D - SignerCertSize,=0D - TopLevelCert,=0D - TopLevelCertSize,=0D - Sha256Digest=0D - );=0D + if (DigestSize =3D=3D SHA256_DIGEST_SIZE) {=0D + Status =3D CalculatePrivAuthVarSignChainSHA256Digest (=0D + SignerCert,=0D + SignerCertSize,=0D + TopLevelCert,=0D + TopLevelCertSize,=0D + ShaDigest=0D + );=0D + } else if (DigestSize =3D=3D SHA384_DIGEST_SIZE) {=0D + Status =3D CalculatePrivAuthVarSignChainSHA384Digest (=0D + SignerCert,=0D + SignerCertSize,=0D + TopLevelCert,=0D + TopLevelCertSize,=0D + ShaDigest=0D + );=0D + } else if (DigestSize =3D=3D SHA512_DIGEST_SIZE) {=0D + Status =3D CalculatePrivAuthVarSignChainSHA512Digest (=0D + SignerCert,=0D + SignerCertSize,=0D + TopLevelCert,=0D + TopLevelCertSize,=0D + ShaDigest=0D + );=0D + } else {=0D + return EFI_UNSUPPORTED;=0D + }=0D +=0D if (EFI_ERROR (Status)) {=0D return Status;=0D }=0D @@ -1663,7 +1858,7 @@ InsertCertsToDb ( =0D CopyMem (=0D (UINT8 *)Ptr + sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof (CHAR16= ),=0D - Sha256Digest,=0D + ShaDigest,=0D CertDataSize=0D );=0D =0D 
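Review bot: InsertCertsToDb now returns EFI_UNSUPPORTED from the new `else` arm of the DigestSize dispatch in the @@ -1618 hunk, but the function's @retval list (extended only with `@param[in] DigestSize` at @@ -1526) does not mention it, and the value is rejected only after CertNodeSize and NewCertDbSize have been computed from it and the `mMaxCertDbSize` check has run. Validate DigestSize alongside the NULL-pointer checks at the top of the function — `if ((DigestSize != SHA256_DIGEST_SIZE) && (DigestSize != SHA384_DIGEST_SIZE) && (DigestSize != SHA512_DIGEST_SIZE)) { return EFI_INVALID_PARAMETER; }` — which keeps the documented `EFI_INVALID_PARAMETER` contract accurate and makes the dispatch's `else` a can't-happen branch. If EFI_UNSUPPORTED is the preferred code, add `@retval EFI_UNSUPPORTED DigestSize is not a supported SHA-2 digest length.` to the header instead. InsertCertsToDb starts and ends outside these hunks.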
@@ -1857,7 +2052,7 @@ VerifyTimeBasedPayload ( UINTN CertStackSize;=0D UINT8 *CertsInCertDb;=0D UINT32 CertsSizeinDb;=0D - UINT8 Sha256Digest[SHA256_DIGEST_SIZE];=0D + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX];=0D EFI_CERT_DATA *CertDataPtr;=0D =0D //=0D @@ -1928,7 +2123,7 @@ VerifyTimeBasedPayload ( =0D //=0D // SignedData.digestAlgorithms shall contain the digest algorithm used w= hen preparing the=0D - // signature. Only a digest algorithm of SHA-256 is accepted.=0D + // signature. Only a digest algorithm of SHA-256, SHA-384 or SHA-512 is = accepted.=0D //=0D // According to PKCS#7 Definition (https://www.rfc-editor.org/rfc/rfc= 2315):=0D // SignedData ::=3D SEQUENCE {=0D 
@@ -1978,7 +2173,19 @@ VerifyTimeBasedPayload ( || (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha2= 56OidValue)) !=3D 0)))=0D && ( (SigDataSize >=3D (32 + sizeof (mSha256OidValue)))=0D && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE)= =0D - || (CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha2= 56OidValue)) !=3D 0))))=0D + || (CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha2= 56OidValue)) !=3D 0)))=0D + && ( (SigDataSize >=3D (13 + sizeof (mSha384OidValue)))=0D + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE)= =0D + || (CompareMem (SigData + 13, &mSha384OidValue, sizeof (mSha3= 84OidValue)) !=3D 0)))=0D + && ( (SigDataSize >=3D (32 + sizeof (mSha384OidValue)))=0D + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE)= =0D + || (CompareMem (SigData + 32, &mSha384OidValue, sizeof (mSha3= 84OidValue)) !=3D 0)))=0D + && ( (SigDataSize >=3D (13 + sizeof (mSha512OidValue)))=0D + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE)= =0D + || (CompareMem (SigData + 13, &mSha512OidValue, sizeof (mSha5= 12OidValue)) !=3D 0)))=0D + && ( (SigDataSize >=3D (32 + sizeof (mSha512OidValue)))=0D + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE)= =0D + || (CompareMem (SigData + 32, &mSha512OidValue, sizeof (mSha5= 12OidValue)) !=3D 0))))=0D {=0D return EFI_SECURITY_VIOLATION;=0D }=0D 
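Review bot: The rejection test in the @@ -1978 hunk has grown to six conjuncts over eighteen lines, each a copy of the SHA-256 pattern with another OID table, so the intent (reject unless one of the three OIDs is present at offset 13 or 32) is hard to verify by reading. The copies also inherit the existing shape `(SigDataSize >= offset + OidSize) && mismatch`, under which a SigData too short for an offset makes that conjunct false and the whole `if` is skipped instead of rejecting — pre-existing, but now triplicated. A small static helper that reports whether a given OID is actually found at either offset keeps the check readable and, as sketched below, closes that gap; because it tightens behaviour for short SigData, the author should confirm nothing relies on the old leniency (Pkcs7Verify further down presumably rejects such data anyway). VerifyTimeBasedPayload starts and ends outside this hunk.
```c
/**
  Report whether Oid is the digest algorithm OID at offset 13 or 32 of
  SigData, the two SignedData layouts this check understands.
**/
STATIC
BOOLEAN
SigDataHasDigestOid (
  IN CONST UINT8  *SigData,
  IN UINTN        SigDataSize,
  IN CONST UINT8  *Oid,
  IN UINTN        OidSize
  )
{
  if ((SigDataSize >= (13 + OidSize)) &&
      ((*(SigData + 1) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE) &&
      (CompareMem (SigData + 13, Oid, OidSize) == 0))
  {
    return TRUE;
  }

  if ((SigDataSize >= (32 + OidSize)) &&
      ((*(SigData + 20) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE) &&
      (CompareMem (SigData + 32, Oid, OidSize) == 0))
  {
    return TRUE;
  }

  return FALSE;
}

  // ... in VerifyTimeBasedPayload, replacing the six-conjunct condition ...
  if (!SigDataHasDigestOid (SigData, SigDataSize, mSha256OidValue, sizeof (mSha256OidValue)) &&
      !SigDataHasDigestOid (SigData, SigDataSize, mSha384OidValue, sizeof (mSha384OidValue)) &&
      !SigDataHasDigestOid (SigData, SigDataSize, mSha512OidValue, sizeof (mSha512OidValue)))
  {
    return EFI_SECURITY_VIOLATION;
  }
```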
@@ -2180,9 +2387,39 @@ VerifyTimeBasedPayload ( ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertData= Length)),=0D TopLevelCert,=0D TopLevelCertSize,=0D - Sha256Digest=0D + ShaDigest=0D + );=0D + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb, C= ertsSizeinDb) !=3D 0)) {=0D + goto Exit;=0D + }=0D + } else if (CertsSizeinDb =3D=3D SHA384_DIGEST_SIZE) {=0D + //=0D + // Check hash of signer cert CommonName + Top-level issuer tbsCert= ificate against data in CertDb=0D + //=0D + CertDataPtr =3D (EFI_CERT_DATA *)(SignerCerts + 1);=0D + Status =3D CalculatePrivAuthVarSignChainSHA384Digest (=0D + CertDataPtr->CertDataBuffer,=0D + ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertData= Length)),=0D + TopLevelCert,=0D + TopLevelCertSize,=0D + ShaDigest=0D + );=0D + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb, C= ertsSizeinDb) !=3D 0)) {=0D + goto Exit;=0D + }=0D + } else if (CertsSizeinDb =3D=3D SHA512_DIGEST_SIZE) {=0D + //=0D + // Check hash of signer cert CommonName + Top-level issuer tbsCert= ificate against data in CertDb=0D + //=0D + CertDataPtr =3D (EFI_CERT_DATA *)(SignerCerts + 1);=0D + Status =3D CalculatePrivAuthVarSignChainSHA512Digest (=0D + CertDataPtr->CertDataBuffer,=0D + ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertData= Length)),=0D + TopLevelCert,=0D + TopLevelCertSize,=0D + ShaDigest=0D );=0D - if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, CertsInCertDb= , CertsSizeinDb) !=3D 0)) {=0D + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb, C= ertsSizeinDb) !=3D 0)) {=0D goto Exit;=0D }=0D } else {=0D @@ -2221,7 +2458,8 @@ VerifyTimeBasedPayload ( CertDataPtr->CertDataBuffer,=0D ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLe= ngth)),=0D TopLevelCert,=0D - TopLevelCertSize=0D + TopLevelCertSize,=0D + CertsSizeinDb=0D );=0D if (EFI_ERROR (Status)) {=0D VerifyStatus =3D FALSE;=0D 
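Review bot: The InsertCertsToDb call in the @@ -2221 hunk passes CertsSizeinDb as the new DigestSize argument, yet this path is the not-found case (the branches at @@ -2180 are the ones that compare against an entry that was found), so CertsSizeinDb does not hold a digest length read from certdb here. Unless the function sets it to a supported size elsewhere (outside this hunk), InsertCertsToDb's dispatch returns EFI_UNSUPPORTED and VerifyStatus becomes FALSE, which would refuse the first write of every private authenticated variable — please confirm against the full function. The digest length recorded on first insert is a policy choice rather than a lookup result: pass a constant such as `SHA256_DIGEST_SIZE` (compatible with existing certdb contents) or a value derived from the platform's configured default, and add a comment stating which one was chosen and why. VerifyTimeBasedPayload starts and ends outside this hunk.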
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/Securi= tyPkg/Library/AuthVariableLib/AuthVariableLib.c index dc61ae840c..552c0e99be 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c @@ -26,7 +26,7 @@ UINT32 mMaxCertDbSize; UINT32 mPlatformMode;=0D UINT8 mVendorKeyState;=0D =0D -EFI_GUID mSignatureSupport[] =3D { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GU= ID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID };=0D +EFI_GUID mSignatureSupport[] =3D { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GU= ID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID, EFI_CERT_RSA2048_GUID, EFI_= CERT_RSA3072_GUID, EFI_CERT_RSA4096_GUID, EFI_CERT_X509_GUID };=0D =0D //=0D // Hash context pointer=0D @@ -135,7 +135,7 @@ AuthVariableLibInitialize ( //=0D // Initialize hash context.=0D //=0D - CtxSize =3D Sha256GetContextSize ();=0D + CtxSize =3D Sha512GetContextSize ();=0D mHashCtx =3D AllocateRuntimePool (CtxSize);=0D if (mHashCtx =3D=3D NULL) {=0D return EFI_OUT_OF_RESOURCES;=0D diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 66e2f5eaa3..f642aad64d 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
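Review bot: `CtxSize = Sha512GetContextSize ();` in the @@ -135 hunk sizes the single mHashCtx that the SHA-256, SHA-384 and SHA-512 digest helpers all share, relying on the SHA-512 context being the largest of the three without saying so; a BaseCryptLib implementation where that does not hold would turn this into a heap overflow inside Sha256Init or Sha384Init. Make the assumption explicit in code rather than in the reader's head: `CtxSize = MAX (Sha256GetContextSize (), MAX (Sha384GetContextSize (), Sha512GetContextSize ()));` with the comment `// mHashCtx is shared by every SHA-2 digest helper; size it for the largest context.` AuthVariableLibInitialize starts and ends outside this hunk.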
@@ -1606,6 +1606,35 @@ Done: return VerifyStatus;=0D }=0D =0D +/**=0D + Get Hash Alg by PcdSecureBootDefaultHashAlg=0D +=0D + @retval UINT32 Hash Alg=0D + **/=0D +UINT32=0D +GetDefaultHashAlg (=0D + VOID=0D + )=0D +{=0D + UINT32 HashAlg;=0D +=0D + switch (PcdGet8 (PcdSecureBootDefaultHashAlg)) {=0D + case 1:=0D + DEBUG ((DEBUG_INFO, "%a use SHA384", __func__));=0D + HashAlg =3D HASHALG_SHA384;=0D + break;=0D + case 2:=0D + DEBUG ((DEBUG_INFO, "%a use SHA512", __func__));=0D + HashAlg =3D HASHALG_SHA512;=0D + break;=0D + default:=0D + DEBUG ((DEBUG_INFO, "%a use SHA256", __func__));=0D + HashAlg =3D HASHALG_SHA256;=0D + break;=0D + }=0D + return HashAlg;=0D +}=0D +=0D /**=0D Provide verification service for signed images, which include both signa= ture validation=0D and platform policy control. For signature types, both UEFI WIN_CERTIFIC= ATE_UEFI_GUID and=0D @@ -1620,7 +1649,7 @@ Done: in the security database "db", and no valid signature nor any hash v= alue of the image may=0D be reflected in the security database "dbx".=0D Otherwise, the image is not signed,=0D - The SHA256 hash value of the image must match a record in the securi= ty database "db", and=0D + The hash value of the image must match a record in the security data= base "db", and=0D not be reflected in the security data base "dbx".=0D =0D Caution: This function may receive untrusted input.=0D 
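Review bot: The DEBUG strings in the new GetDefaultHashAlg (`"%a use SHA384"` and its two siblings) have no trailing `\n`, so the next debug message is appended to the same log line; add `\n` to all three. The function is also duplicated verbatim in SecureBootConfigImpl.c at @@ -2222, and both copies use `__func__` while the new AuthService.c code in this patch uses `__FUNCTION__` — pick one spelling, and consider keeping the PCD-to-HASHALG mapping in one shared place so the two consumers cannot drift. The doc comment should say what is returned and how the PCD maps to it, e.g. `@retval HASHALG_SHA256, HASHALG_SHA384 or HASHALG_SHA512 for PcdSecureBootDefaultHashAlg values 0, 1 and 2; any other value falls back to HASHALG_SHA256.`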
@@ -1832,10 +1861,10 @@ DxeImageVerificationHandler ( //=0D if ((SecDataDir =3D=3D NULL) || (SecDataDir->Size =3D=3D 0)) {=0D //=0D - // This image is not signed. The SHA256 hash value of the image must m= atch a record in the security database "db",=0D + // This image is not signed. The hash value of the image must match a = record in the security database "db",=0D // and not be reflected in the security data base "dbx".=0D //=0D - if (!HashPeImage (HASHALG_SHA256)) {=0D + if (!HashPeImage (GetDefaultHashAlg ())) {=0D DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this im= age using %s.\n", mHashTypeStr));=0D goto Failed;=0D }=0D diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.inf b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= nLib.inf index 1e1a639857..f1ef9236c2 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.i= nf +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.i= nf @@ -93,3 +93,4 @@ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy = ## SOMETIMES_CONSUMES=0D gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy = ## SOMETIMES_CONSUMES=0D gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy = ## SOMETIMES_CONSUMES=0D + gEfiSecurityPkgTokenSpaceGuid.PcdSecureBootDefaultHashAlg = ## CONSUMES=0D diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 0382090f4e..4adc2a72ab 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec 
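Review bot: Hashing an unsigned image only with `GetDefaultHashAlg ()` changes which dbx entries can revoke it: the database lookup that follows this hunk appears to match on mCertType and mImageDigestSize, so once a platform sets PcdSecureBootDefaultHashAlg to SHA-384 or SHA-512, an existing EFI_CERT_SHA256 entry in dbx for that image is never consulted and the revocation is silently lost (and conversely for SHA-384 entries on a SHA-256 platform). Revocation should not depend on the platform's preferred enrolment algorithm — consider checking dbx with every supported hash type, or at least always alongside SHA-256, and using the PCD only for the db match and for enrolment. If the single-algorithm behaviour is intended, document it next to the PCD in SecurityPkg.dec so integrators know that switching the value invalidates prior dbx hash entries. DxeImageVerificationHandler starts and ends outside this hunk.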
@@ -521,6 +521,13 @@ # @Prompt Skip Hdd Password prompt.=0D gEfiSecurityPkgTokenSpaceGuid.PcdSkipHddPasswordPrompt|FALSE|BOOLEAN|0x0= 0010021=0D =0D + ## Indicates default hash algorithm in Secure Boot=0D + # 0 - Use SHA256=0D + # 1 - Use SHA384=0D + # 2 - Use SHA512=0D + # @Prompt Secure Boot default hash algorithm=0D + gEfiSecurityPkgTokenSpaceGuid.PcdSecureBootDefaultHashAlg|0|UINT8|0x0001= 0040=0D +=0D [PcdsDynamic, PcdsDynamicEx]=0D =0D ## This PCD indicates Hash mask for TPM 2.0. Bit definition strictly fol= lows TCG Algorithm Registry.

=0D diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Sec= ureBootConfigDxe.inf index 1671d5be7c..4b0012d033 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf @@ -70,6 +70,14 @@ ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type o= f the signature.=0D gEfiCertRsa2048Guid=0D =0D + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type o= f the signature.=0D + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type o= f the signature.=0D + gEfiCertRsa3072Guid=0D +=0D + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type o= f the signature.=0D + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type o= f the signature.=0D + gEfiCertRsa4096Guid=0D +=0D ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type o= f the signature.=0D ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type o= f the signature.=0D gEfiCertX509Guid=0D @@ -82,6 +90,14 @@ ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type o= f the signature.=0D gEfiCertSha256Guid=0D =0D + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type o= f the signature.=0D + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type o= f the signature.=0D + gEfiCertSha384Guid=0D +=0D + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type o= f the signature.=0D + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type o= f the signature.=0D + gEfiCertSha512Guid=0D +=0D ## SOMETIMES_CONSUMES ## Variable:L"db"=0D ## SOMETIMES_PRODUCES ## Variable:L"db"=0D ## SOMETIMES_CONSUMES ## Variable:L"dbx"=0D 
@@ -107,6 +123,9 @@ gEfiCertX509Sha384Guid ## SOMETIMES_PRODUCES ## = GUID # Unique ID for the type of the certificate.=0D gEfiCertX509Sha512Guid ## SOMETIMES_PRODUCES ## = GUID # Unique ID for the type of the certificate.=0D =0D +[Pcd]=0D + gEfiSecurityPkgTokenSpaceGuid.PcdSecureBootDefaultHashAlg = ## CONSUMES=0D +=0D [Protocols]=0D gEfiHiiConfigAccessProtocolGuid ## PRODUCES=0D gEfiDevicePathProtocolGuid ## PRODUCES=0D diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index 4299a6b5e5..0ba029a394 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c @@ -560,7 +560,7 @@ ON_EXIT: =0D **/=0D EFI_STATUS=0D -EnrollRsa2048ToKek (=0D +EnrollRsaToKek (=0D IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private=0D )=0D {=0D @@ -603,8 +603,13 @@ EnrollRsa2048ToKek ( =0D ASSERT (KeyBlob !=3D NULL);=0D KeyInfo =3D (CPL_KEY_INFO *)KeyBlob;=0D - if (KeyInfo->KeyLengthInBits / 8 !=3D WIN_CERT_UEFI_RSA2048_SIZE) {=0D - DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is supporte= d.\n"));=0D + switch (KeyInfo->KeyLengthInBits / 8) {=0D + case WIN_CERT_UEFI_RSA2048_SIZE:=0D + case WIN_CERT_UEFI_RSA3072_SIZE:=0D + case WIN_CERT_UEFI_RSA4096_SIZE:=0D + break;=0D + default :=0D + DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048, RSA3072 an= d RSA4096 are supported.\n"));=0D Status =3D EFI_UNSUPPORTED;=0D goto ON_EXIT;=0D }=0D @@ -632,7 +637,7 @@ EnrollRsa2048ToKek ( //=0D KekSigListSize =3D sizeof (EFI_SIGNATURE_LIST)=0D + sizeof (EFI_SIGNATURE_DATA) - 1=0D - + WIN_CERT_UEFI_RSA2048_SIZE;=0D + + KeyLenInBytes;=0D =0D KekSigList =3D (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSize);= =0D if (KekSigList =3D=3D NULL) {=0D 
@@ -642,17 +647,32 @@ EnrollRsa2048ToKek ( =0D KekSigList->SignatureListSize =3D sizeof (EFI_SIGNATURE_LIST)=0D + sizeof (EFI_SIGNATURE_DATA) - 1=0D - + WIN_CERT_UEFI_RSA2048_SIZE;=0D + + (UINT32) KeyLenInBytes;=0D KekSigList->SignatureHeaderSize =3D 0;=0D - KekSigList->SignatureSize =3D sizeof (EFI_SIGNATURE_DATA) - 1 + WI= N_CERT_UEFI_RSA2048_SIZE;=0D - CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);=0D + KekSigList->SignatureSize =3D sizeof (EFI_SIGNATURE_DATA) - 1 + (U= INT32) KeyLenInBytes;=0D + switch (KeyLenInBytes) {=0D + case WIN_CERT_UEFI_RSA2048_SIZE:=0D + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);=0D + break;=0D + case WIN_CERT_UEFI_RSA3072_SIZE:=0D + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid);=0D + break;=0D + case WIN_CERT_UEFI_RSA4096_SIZE:=0D + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid);=0D + break;=0D + break;=0D + default :=0D + DEBUG ((DEBUG_ERROR, "Unsupported key length.\n"));=0D + Status =3D EFI_UNSUPPORTED;=0D + goto ON_EXIT;=0D + }=0D =0D KEKSigData =3D (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof (EFI_= SIGNATURE_LIST));=0D CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID);=0D CopyMem (=0D KEKSigData->SignatureData,=0D KeyBlob + sizeof (CPL_KEY_INFO),=0D - WIN_CERT_UEFI_RSA2048_SIZE=0D + KeyLenInBytes=0D );=0D =0D //=0D @@ -890,7 +910,7 @@ EnrollKeyExchangeKey ( if (IsDerEncodeCertificate (FilePostFix)) {=0D return EnrollX509ToKek (Private);=0D } else if (CompareMem (FilePostFix, L".pbk", 4) =3D=3D 0) {=0D - return EnrollRsa2048ToKek (Private);=0D + return EnrollRsaToKek (Private);=0D } else {=0D //=0D // File type is wrong, simply close it=0D @@ -1847,7 +1867,7 @@ HashPeImage ( SectionHeader =3D NULL;=0D Status =3D FALSE;=0D =0D - if (HashAlg !=3D HASHALG_SHA256) {=0D + if ((HashAlg >=3D HASHALG_MAX)) {=0D return FALSE;=0D }=0D =0D 
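Review bot: The RSA4096 case of the second `switch (KeyLenInBytes)` in the @@ -642 hunk has two consecutive `break;` statements; the second is unreachable and should be deleted. That switch also re-validates a value the first switch at @@ -603 already accepted (KeyLenInBytes appears to be derived from the same `KeyInfo->KeyLengthInBits / 8`, outside these hunks), so its `default :` arm with the `Unsupported key length.` error is dead unless the two checks drift apart; either drop the first check and keep this one, or turn this `default` into an `ASSERT`. Style nits on the same lines: edk2 writes `default:` without the space and casts as `(UINT32)KeyLenInBytes` without the space. EnrollRsaToKek starts and ends outside this hunk.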
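Review bot: `if ((HashAlg >= HASHALG_MAX))` in the @@ -1847 hunk carries a redundant pair of parentheses, and with the `switch (HashAlg)` added at @@ -1856 returning FALSE from `default:`, every value this guard rejects is rejected again one block later. Keep a single check — the switch is the more precise one — or, if the guard is kept for the `mHash[HashAlg]` index that follows, write it as `if (HashAlg >= HASHALG_MAX) {`. HashPeImage starts and ends outside this hunk.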
@@ -1856,8 +1876,25 @@ HashPeImage ( //=0D ZeroMem (mImageDigest, MAX_DIGEST_SIZE);=0D =0D - mImageDigestSize =3D SHA256_DIGEST_SIZE;=0D - mCertType =3D gEfiCertSha256Guid;=0D + switch (HashAlg) {=0D + case HASHALG_SHA256:=0D + mImageDigestSize =3D SHA256_DIGEST_SIZE;=0D + mCertType =3D gEfiCertSha256Guid;=0D + break;=0D +=0D + case HASHALG_SHA384:=0D + mImageDigestSize =3D SHA384_DIGEST_SIZE;=0D + mCertType =3D gEfiCertSha384Guid;=0D + break;=0D +=0D + case HASHALG_SHA512:=0D + mImageDigestSize =3D SHA512_DIGEST_SIZE;=0D + mCertType =3D gEfiCertSha512Guid;=0D + break;=0D +=0D + default:=0D + return FALSE;=0D + }=0D =0D CtxSize =3D mHash[HashAlg].GetContextSize ();=0D =0D @@ -2222,6 +2259,35 @@ ON_EXIT: return Status;=0D }=0D =0D +/**=0D + Get Hash Alg by PcdSecureBootDefaultHashAlg=0D +=0D + @retval UINT32 Hash Alg=0D + **/=0D +UINT32=0D +GetDefaultHashAlg (=0D + VOID=0D + )=0D +{=0D + UINT32 HashAlg;=0D +=0D + switch (PcdGet8 (PcdSecureBootDefaultHashAlg)) {=0D + case 1:=0D + DEBUG ((DEBUG_INFO, "%a use SHA384", __func__));=0D + HashAlg =3D HASHALG_SHA384;=0D + break;=0D + case 2:=0D + DEBUG ((DEBUG_INFO, "%a use SHA512", __func__));=0D + HashAlg =3D HASHALG_SHA512;=0D + break;=0D + default:=0D + DEBUG ((DEBUG_INFO, "%a use SHA256", __func__));=0D + HashAlg =3D HASHALG_SHA256;=0D + break;=0D + }=0D + return HashAlg;=0D +}=0D +=0D /**=0D Enroll a new signature of executable into Signature Database.=0D =0D @@ -2289,7 +2355,7 @@ EnrollImageSignatureToSigDB ( }=0D =0D if (mSecDataDir->SizeOfCert =3D=3D 0) {=0D - if (!HashPeImage (HASHALG_SHA256)) {=0D + if (!HashPeImage (GetDefaultHashAlg ())) {=0D Status =3D EFI_SECURITY_VIOLATION;=0D goto ON_EXIT;=0D }=0D 
@@ -2589,6 +2655,10 @@ UpdateDeletePage ( while ((ItemDataSize > 0) && (ItemDataSize >=3D CertList->SignatureListS= ize)) {=0D if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)) {=0D Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID);=0D + } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid= )) {=0D + Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA3072_SHA384_GUID);=0D + } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid= )) {=0D + Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA4096_SHA512_GUID);=0D } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) = {=0D Help =3D STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID);=0D } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid)) = {=0D @@ -2750,6 +2820,8 @@ DeleteKeyExchangeKey ( GuidIndex =3D 0;=0D while ((KekDataSize > 0) && (KekDataSize >=3D CertList->SignatureListSiz= e)) {=0D if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||=0D + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) ||=0D + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) ||=0D CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid))=0D {=0D CopyMem (Data + Offset, CertList, (sizeof (EFI_SIGNATURE_LIST) + Cer= tList->SignatureHeaderSize));=0D @@ -2952,6 +3024,8 @@ DeleteSignature ( GuidIndex =3D 0;=0D while ((ItemDataSize > 0) && (ItemDataSize >=3D CertList->SignatureListS= ize)) {=0D if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||=0D + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) ||=0D + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) ||=0D CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) ||=0D CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) ||=0D CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid) ||=0D 
@@ -3758,12 +3832,20 @@ LoadSignatureList ( while ((RemainingSize > 0) && (RemainingSize >=3D ListWalker->SignatureL= istSize)) {=0D if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa2048Guid)) {= =0D ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256);=0D + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa3072Gu= id)) {=0D + ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384);=0D + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa4096Gu= id)) {=0D + ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512);=0D } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Guid)= ) {=0D ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509);=0D } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha1Guid)= ) {=0D ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA1);=0D } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha256Gui= d)) {=0D ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA256);=0D + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha384Gui= d)) {=0D + ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA384);=0D + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha512Gui= d)) {=0D + ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA512);=0D } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha25= 6Guid)) {=0D ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);=0D } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha38= 4Guid)) {=0D 
@@ -4001,6 +4083,14 @@ FormatHelpInfo ( ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256);=0D DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID);=0D IsCert =3D TRUE;=0D + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa3072Guid)= ) {=0D + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384);=0D + DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID);=0D + IsCert =3D TRUE;=0D + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa4096Guid)= ) {=0D + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512);=0D + DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID);=0D + IsCert =3D TRUE;=0D } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Guid)) {= =0D ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_X509);=0D DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID);=0D @@ -4011,6 +4101,12 @@ FormatHelpInfo ( } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha256Guid))= {=0D ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA256);=0D DataSize =3D 32;=0D + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha384Guid))= {=0D + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA384);=0D + DataSize =3D 48;=0D + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha512Guid))= {=0D + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA512);=0D + DataSize =3D 64;=0D } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Sha256Gu= id)) {=0D ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);=0D DataSize =3D 32;=0D diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.h index 37c66f1b95..ae50d929a7 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.h +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.h 
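Review bot: In the second FormatHelpInfo hunk the digest lengths are hard-coded as `DataSize = 48;` and `DataSize = 64;`, although SHA384_DIGEST_SIZE and SHA512_DIGEST_SIZE are already in use elsewhere in this patch; write `DataSize = SHA384_DIGEST_SIZE;` and `DataSize = SHA512_DIGEST_SIZE;` so the length shown to the user cannot drift from the size the hashing code actually produces (the pre-existing `DataSize = 32;` for SHA256 would benefit from the same treatment). As with the existing SHA arms, DataSize is a fixed constant rather than derived from `ListEntry->SignatureSize - sizeof (EFI_GUID)` as the RSA arms do; if the code below (outside the hunk) reads DataSize bytes out of the entry, a malformed signature list with a short SignatureSize would be over-read, so a check that the two agree is worth confirming there. FormatHelpInfo begins and ends outside these hunks.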
@@ -82,6 +82,8 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; #define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE=0D =0D #define WIN_CERT_UEFI_RSA2048_SIZE 256=0D +#define WIN_CERT_UEFI_RSA3072_SIZE 384=0D +#define WIN_CERT_UEFI_RSA4096_SIZE 512=0D =0D //=0D // Support hash types=0D diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe= /SecureBootConfigStrings.uni index 0d01701de7..1b48acc800 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni @@ -113,6 +113,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP #language en-US "Read = the public key of KEK from file"=0D #string STR_FILE_EXPLORER_TITLE #language en-US "File Ex= plorer"=0D #string STR_CERT_TYPE_RSA2048_SHA256_GUID #language en-US "RSA2048= _SHA256_GUID"=0D +#string STR_CERT_TYPE_RSA3072_SHA384_GUID #language en-US "RSA3072= _SHA384_GUID"=0D +#string STR_CERT_TYPE_RSA4096_SHA512_GUID #language en-US "RSA4096= _SHA512_GUID"=0D #string STR_CERT_TYPE_PCKS7_GUID #language en-US "PKCS7_G= UID"=0D #string STR_CERT_TYPE_SHA1_GUID #language en-US "SHA1_GU= ID"=0D #string STR_CERT_TYPE_SHA256_GUID #language en-US "SHA256_= GUID"=0D 
@@ -121,9 +123,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #string STR_CERT_TYPE_X509_SHA512_GUID #language en-US "X509_SH= A512_GUID"=0D =0D #string STR_LIST_TYPE_RSA2048_SHA256 #language en-US "RSA2048= _SHA256"=0D +#string STR_LIST_TYPE_RSA3072_SHA384 #language en-US "RSA3072= _SHA384"=0D +#string STR_LIST_TYPE_RSA4096_SHA512 #language en-US "RSA4096= _SHA512"=0D #string STR_LIST_TYPE_X509 #language en-US "X509"=0D #string STR_LIST_TYPE_SHA1 #language en-US "SHA1"=0D #string STR_LIST_TYPE_SHA256 #language en-US "SHA256"= =0D +#string STR_LIST_TYPE_SHA384 #language en-US "SHA384"= =0D +#string STR_LIST_TYPE_SHA512 #language en-US "SHA512"= =0D #string STR_LIST_TYPE_X509_SHA256 #language en-US "X509_SH= A256"=0D #string STR_LIST_TYPE_X509_SHA384 #language en-US "X509_SH= A384"=0D #string STR_LIST_TYPE_X509_SHA512 #language en-US "X509_SH= A512"=0D --=20 2.26.2.windows.1