From: "Gary Lin" <glin@suse.com>
To: devel@edk2.groups.io, w.sheng@intel.com
Cc: Jiewen Yao <jiewen.yao@intel.com>,
Jian J Wang <jian.j.wang@intel.com>, Min Xu <min.m.xu@intel.com>,
Zeyi Chen <zeyi.chen@intel.com>,
Fiona Wang <fiona.wang@intel.com>
Subject: Re: [edk2-devel] [PATCH v3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
Date: Thu, 6 Jul 2023 15:28:44 +0800 [thread overview]
Message-ID: <20230706072844.5h6gry4hmu5r7bla@GaryLaptop> (raw)
In-Reply-To: <20230706063654.1576-1-w.sheng@intel.com>
On Thu, Jul 06, 2023 at 02:36:54PM +0800, Sheng Wei via groups.io wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413
>
The title, "Support RSA 512 and RSA 384", looks very strange. I assume
it should be "Support SHA 512 and SHA 384"?
Gary Lin
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Zeyi Chen <zeyi.chen@intel.com>
> Cc: Fiona Wang <fiona.wang@intel.com>
> Signed-off-by: Sheng Wei <w.sheng@intel.com>
> ---
> CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +-
> MdePkg/Include/Guid/ImageAuthentication.h | 26 +++
> MdePkg/MdePkg.dec | 2 +
> .../Library/AuthVariableLib/AuthService.c | 220 +++++++++++++++---
> .../AuthVariableLib/AuthServiceInternal.h | 4 +-
> .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++--
> .../DxeImageVerificationLib.c | 73 +++---
> .../SecureBootConfigDxe.inf | 16 ++
> .../SecureBootConfigImpl.c | 108 +++++++--
> .../SecureBootConfigImpl.h | 2 +
> .../SecureBootConfigStrings.uni | 6 +
> 11 files changed, 410 insertions(+), 92 deletions(-)
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
> index 027dbb6842..944bcf8d38 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
> @@ -591,7 +591,8 @@ ImageTimestampVerify (
> // Register & Initialize necessary digest algorithms for PKCS#7 Handling.
> //
> if ((EVP_add_digest (EVP_md5 ()) == 0) || (EVP_add_digest (EVP_sha1 ()) == 0) ||
> - (EVP_add_digest (EVP_sha256 ()) == 0) || ((EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0))
> + (EVP_add_digest (EVP_sha256 ()) == 0) || (EVP_add_digest (EVP_sha384 ()) == 0) ||
> + (EVP_add_digest (EVP_sha512 ()) == 0) || ((EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0))
> {
> return FALSE;
> }
> diff --git a/MdePkg/Include/Guid/ImageAuthentication.h b/MdePkg/Include/Guid/ImageAuthentication.h
> index fe83596571..c8ea2c14fb 100644
> --- a/MdePkg/Include/Guid/ImageAuthentication.h
> +++ b/MdePkg/Include/Guid/ImageAuthentication.h
> @@ -144,6 +144,30 @@ typedef struct {
> 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \
> }
>
> +///
> +/// This identifies a signature containing an RSA-3072 key. The key (only the modulus
> +/// since the public key exponent is known to be 0x10001) shall be stored in big-endian
> +/// order.
> +/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size
> +/// of SignatureOwner component) + 384 bytes.
> +///
> +#define EFI_CERT_RSA3072_GUID \
> + { \
> + 0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 } \
> + }
> +
> +///
> +/// This identifies a signature containing an RSA-4096 key. The key (only the modulus
> +/// since the public key exponent is known to be 0x10001) shall be stored in big-endian
> +/// order.
> +/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size
> +/// of SignatureOwner component) + 512 bytes.
> +///
> +#define EFI_CERT_RSA4096_GUID \
> + { \
> + 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c } \
> + }
> +
> ///
> /// This identifies a signature containing a RSA-2048 signature of a SHA-256 hash. The
> /// SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of
> @@ -330,6 +354,8 @@ typedef struct {
> extern EFI_GUID gEfiImageSecurityDatabaseGuid;
> extern EFI_GUID gEfiCertSha256Guid;
> extern EFI_GUID gEfiCertRsa2048Guid;
> +extern EFI_GUID gEfiCertRsa3072Guid;
> +extern EFI_GUID gEfiCertRsa4096Guid;
> extern EFI_GUID gEfiCertRsa2048Sha256Guid;
> extern EFI_GUID gEfiCertSha1Guid;
> extern EFI_GUID gEfiCertRsa2048Sha1Guid;
> diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
> index d6c4179b2a..c88e88fa6b 100644
> --- a/MdePkg/MdePkg.dec
> +++ b/MdePkg/MdePkg.dec
> @@ -571,6 +571,8 @@
> gEfiImageSecurityDatabaseGuid = { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f }}
> gEfiCertSha256Guid = { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }}
> gEfiCertRsa2048Guid = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6 }}
> + gEfiCertRsa3072Guid = { 0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }}
> + gEfiCertRsa4096Guid = { 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c }}
> gEfiCertRsa2048Sha256Guid = { 0xe2b36190, 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }}
> gEfiCertSha1Guid = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd }}
> gEfiCertRsa2048Sha1Guid = { 0x67f8444f, 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }}
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> index d81c581d78..4c268a85cd 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> @@ -29,12 +29,125 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> #include <Protocol/VariablePolicy.h>
> #include <Library/VariablePolicyLib.h>
>
> +#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE
> +
> +/**
> + Retrieves the size, in bytes, of the context buffer required for hash operations.
> +
> + If this interface is not supported, then return zero.
> +
> + @return The size, in bytes, of the context buffer required for hash operations.
> + @retval 0 This interface is not supported.
> +
> +**/
> +typedef
> +UINTN
> +(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE)(
> + VOID
> + );
> +
> +/**
> + Initializes user-supplied memory pointed by Sha1Context as hash context for
> + subsequent use.
> +
> + If HashContext is NULL, then return FALSE.
> + If this interface is not supported, then return FALSE.
> +
> + @param[out] HashContext Pointer to Hashcontext being initialized.
> +
> + @retval TRUE Hash context initialization succeeded.
> + @retval FALSE Hash context initialization failed.
> + @retval FALSE This interface is not supported.
> +
> +**/
> +typedef
> +BOOLEAN
> +(EFIAPI *EFI_HASH_INIT)(
> + OUT VOID *HashContext
> + );
> +
> +/**
> + Digests the input data and updates Hash context.
> +
> + This function performs Hash digest on a data buffer of the specified size.
> + It can be called multiple times to compute the digest of long or discontinuous data streams.
> + Hash context should be already correctly initialized by HashInit(), and should not be finalized
> + by HashFinal(). Behavior with invalid context is undefined.
> +
> + If HashContext is NULL, then return FALSE.
> + If this interface is not supported, then return FALSE.
> +
> + @param[in, out] HashContext Pointer to the Hash context.
> + @param[in] Data Pointer to the buffer containing the data to be hashed.
> + @param[in] DataSize Size of Data buffer in bytes.
> +
> + @retval TRUE SHA-1 data digest succeeded.
> + @retval FALSE SHA-1 data digest failed.
> + @retval FALSE This interface is not supported.
> +
> +**/
> +typedef
> +BOOLEAN
> +(EFIAPI *EFI_HASH_UPDATE)(
> + IN OUT VOID *HashContext,
> + IN CONST VOID *Data,
> + IN UINTN DataSize
> + );
> +
> +/**
> + Completes computation of the Hash digest value.
> +
> + This function completes hash computation and retrieves the digest value into
> + the specified memory. After this function has been called, the Hash context cannot
> + be used again.
> + Hash context should be already correctly initialized by HashInit(), and should not be
> + finalized by HashFinal(). Behavior with invalid Hash context is undefined.
> +
> + If HashContext is NULL, then return FALSE.
> + If HashValue is NULL, then return FALSE.
> + If this interface is not supported, then return FALSE.
> +
> + @param[in, out] HashContext Pointer to the Hash context.
> + @param[out] HashValue Pointer to a buffer that receives the Hash digest
> + value.
> +
> + @retval TRUE Hash digest computation succeeded.
> + @retval FALSE Hash digest computation failed.
> + @retval FALSE This interface is not supported.
> +
> +**/
> +typedef
> +BOOLEAN
> +(EFIAPI *EFI_HASH_FINAL)(
> + IN OUT VOID *HashContext,
> + OUT UINT8 *HashValue
> + );
> +
> +typedef struct {
> + UINT32 HashSize;
> + EFI_HASH_GET_CONTEXT_SIZE GetContextSize;
> + EFI_HASH_INIT Init;
> + EFI_HASH_UPDATE Update;
> + EFI_HASH_FINAL Final;
> + VOID **HashShaCtx;
> + UINT8 *OidValue;
> + UINTN OidLength;
> +} EFI_HASH_INFO;
> +
> //
> // Public Exponent of RSA Key.
> //
> CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };
>
> -CONST UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
> +UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
> +UINT8 mSha384OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 };
> +UINT8 mSha512OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 };
> +
> +EFI_HASH_INFO mHashInfo[] = {
> + {SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final, &mHashSha256Ctx, mSha256OidValue, 9},
> + {SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final, &mHashSha384Ctx, mSha384OidValue, 9},
> + {SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final, &mHashSha512Ctx, mSha512OidValue, 9},
> +};
>
> //
> // Requirement for different signature type which have been defined in UEFI spec.
> @@ -44,6 +157,8 @@ EFI_SIGNATURE_ITEM mSupportSigItem[] = {
> // {SigType, SigHeaderSize, SigDataSize }
> { EFI_CERT_SHA256_GUID, 0, 32 },
> { EFI_CERT_RSA2048_GUID, 0, 256 },
> + { EFI_CERT_RSA3072_GUID, 0, 384 },
> + { EFI_CERT_RSA4096_GUID, 0, 512 },
> { EFI_CERT_RSA2048_SHA256_GUID, 0, 256 },
> { EFI_CERT_SHA1_GUID, 0, 20 },
> { EFI_CERT_RSA2048_SHA1_GUID, 0, 256 },
> @@ -1090,26 +1205,28 @@ AuthServiceInternalCompareTimeStamp (
> }
>
> /**
> - Calculate SHA256 digest of SignerCert CommonName + ToplevelCert tbsCertificate
> + Calculate SHA digest of SignerCert CommonName + ToplevelCert tbsCertificate
> SignerCert and ToplevelCert are inside the signer certificate chain.
>
> + @param[in] HashAlgId Hash algorithm index
> @param[in] SignerCert A pointer to SignerCert data.
> @param[in] SignerCertSize Length of SignerCert data.
> @param[in] TopLevelCert A pointer to TopLevelCert data.
> @param[in] TopLevelCertSize Length of TopLevelCert data.
> - @param[out] Sha256Digest Sha256 digest calculated.
> + @param[out] ShaDigest Sha digest calculated.
>
> @return EFI_ABORTED Digest process failed.
> - @return EFI_SUCCESS SHA256 Digest is successfully calculated.
> + @return EFI_SUCCESS SHA Digest is successfully calculated.
>
> **/
> EFI_STATUS
> -CalculatePrivAuthVarSignChainSHA256Digest (
> +CalculatePrivAuthVarSignChainSHADigest (
> + IN UINT8 HashAlgId,
> IN UINT8 *SignerCert,
> IN UINTN SignerCertSize,
> IN UINT8 *TopLevelCert,
> IN UINTN TopLevelCertSize,
> - OUT UINT8 *Sha256Digest
> + OUT UINT8 *ShaDigest
> )
> {
> UINT8 *TbsCert;
> @@ -1119,6 +1236,11 @@ CalculatePrivAuthVarSignChainSHA256Digest (
> BOOLEAN CryptoStatus;
> EFI_STATUS Status;
>
> + if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
> + DEBUG ((DEBUG_INFO, "%a Unsupported Hash Algorithm %d\n", __func__, HashAlgId));
> + return EFI_ABORTED;
> + }
> +
> CertCommonNameSize = sizeof (CertCommonName);
>
> //
> @@ -1141,8 +1263,8 @@ CalculatePrivAuthVarSignChainSHA256Digest (
> //
> // Digest SignerCert CN + TopLevelCert tbsCertificate
> //
> - ZeroMem (Sha256Digest, SHA256_DIGEST_SIZE);
> - CryptoStatus = Sha256Init (mHashCtx);
> + ZeroMem (ShaDigest, mHashInfo[HashAlgId].HashSize);
> + CryptoStatus = mHashInfo[HashAlgId].Init (*(mHashInfo[HashAlgId].HashShaCtx));
> if (!CryptoStatus) {
> return EFI_ABORTED;
> }
> @@ -1150,8 +1272,8 @@ CalculatePrivAuthVarSignChainSHA256Digest (
> //
> // '\0' is forced in CertCommonName. No overflow issue
> //
> - CryptoStatus = Sha256Update (
> - mHashCtx,
> + CryptoStatus = mHashInfo[HashAlgId].Update (
> + *(mHashInfo[HashAlgId].HashShaCtx),
> CertCommonName,
> AsciiStrLen (CertCommonName)
> );
> @@ -1159,12 +1281,12 @@ CalculatePrivAuthVarSignChainSHA256Digest (
> return EFI_ABORTED;
> }
>
> - CryptoStatus = Sha256Update (mHashCtx, TbsCert, TbsCertSize);
> + CryptoStatus = mHashInfo[HashAlgId].Update (*(mHashInfo[HashAlgId].HashShaCtx), TbsCert, TbsCertSize);
> if (!CryptoStatus) {
> return EFI_ABORTED;
> }
>
> - CryptoStatus = Sha256Final (mHashCtx, Sha256Digest);
> + CryptoStatus = mHashInfo[HashAlgId].Final (*(mHashInfo[HashAlgId].HashShaCtx), ShaDigest);
> if (!CryptoStatus) {
> return EFI_ABORTED;
> }
> @@ -1516,9 +1638,10 @@ DeleteCertsFromDb (
> /**
> Insert signer's certificates for common authenticated variable with VariableName
> and VendorGuid in AUTH_CERT_DB_DATA to "certdb" or "certdbv" according to
> - time based authenticated variable attributes. CertData is the SHA256 digest of
> + time based authenticated variable attributes. CertData is the SHA digest of
> SignerCert CommonName + TopLevelCert tbsCertificate.
>
> + @param[in] HashAlgId Hash algorithm index.
> @param[in] VariableName Name of authenticated Variable.
> @param[in] VendorGuid Vendor GUID of authenticated Variable.
> @param[in] Attributes Attributes of authenticated variable.
> @@ -1536,6 +1659,7 @@ DeleteCertsFromDb (
> **/
> EFI_STATUS
> InsertCertsToDb (
> + IN UINT8 HashAlgId,
> IN CHAR16 *VariableName,
> IN EFI_GUID *VendorGuid,
> IN UINT32 Attributes,
> @@ -1556,12 +1680,16 @@ InsertCertsToDb (
> UINT32 CertDataSize;
> AUTH_CERT_DB_DATA *Ptr;
> CHAR16 *DbName;
> - UINT8 Sha256Digest[SHA256_DIGEST_SIZE];
> + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX];
>
> if ((VariableName == NULL) || (VendorGuid == NULL) || (SignerCert == NULL) || (TopLevelCert == NULL)) {
> return EFI_INVALID_PARAMETER;
> }
>
> + if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) {
> //
> // Get variable "certdb".
> @@ -1618,20 +1746,22 @@ InsertCertsToDb (
> // Construct new data content of variable "certdb" or "certdbv".
> //
> NameSize = (UINT32)StrLen (VariableName);
> - CertDataSize = sizeof (Sha256Digest);
> + CertDataSize = mHashInfo[HashAlgId].HashSize;
> CertNodeSize = sizeof (AUTH_CERT_DB_DATA) + (UINT32)CertDataSize + NameSize * sizeof (CHAR16);
> NewCertDbSize = (UINT32)DataSize + CertNodeSize;
> if (NewCertDbSize > mMaxCertDbSize) {
> return EFI_OUT_OF_RESOURCES;
> }
>
> - Status = CalculatePrivAuthVarSignChainSHA256Digest (
> + Status = CalculatePrivAuthVarSignChainSHADigest (
> + HashAlgId,
> SignerCert,
> SignerCertSize,
> TopLevelCert,
> TopLevelCertSize,
> - Sha256Digest
> + ShaDigest
> );
> +
> if (EFI_ERROR (Status)) {
> return Status;
> }
> @@ -1663,7 +1793,7 @@ InsertCertsToDb (
>
> CopyMem (
> (UINT8 *)Ptr + sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof (CHAR16),
> - Sha256Digest,
> + ShaDigest,
> CertDataSize
> );
>
> @@ -1790,6 +1920,36 @@ CleanCertsFromDb (
> return Status;
> }
>
> +/**
> + Find hash algorithm index
> +
> + @param[in] SigData Pointer to the PKCS#7 message
> + @param[in] SigDataSize Length of the PKCS#7 message
> +
> + @retval UINT8 Hash Algorithm Index
> +**/
> +UINT8
> +FindHashAlgorithmIndex (
> + IN UINT8 *SigData,
> + IN UINT32 SigDataSize
> +)
> +{
> + UINT8 i;
> +
> + for (i = 0; i < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO)); i++) {
> + if ( ( (SigDataSize >= (13 + mHashInfo[i].OidLength))
> + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE)
> + && (CompareMem (SigData + 13, mHashInfo[i].OidValue, mHashInfo[i].OidLength) == 0)))
> + || (( (SigDataSize >= (32 + mHashInfo[i].OidLength)))
> + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE)
> + && (CompareMem (SigData + 32, mHashInfo[i].OidValue, mHashInfo[i].OidLength) == 0))))
> + {
> + break;
> + }
> + }
> + return i;
> +}
> +
> /**
> Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
>
> @@ -1857,8 +2017,9 @@ VerifyTimeBasedPayload (
> UINTN CertStackSize;
> UINT8 *CertsInCertDb;
> UINT32 CertsSizeinDb;
> - UINT8 Sha256Digest[SHA256_DIGEST_SIZE];
> + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX];
> EFI_CERT_DATA *CertDataPtr;
> + UINT8 HashAlgId;
>
> //
> // 1. TopLevelCert is the top-level issuer certificate in signature Signer Cert Chain
> @@ -1928,7 +2089,7 @@ VerifyTimeBasedPayload (
>
> //
> // SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the
> - // signature. Only a digest algorithm of SHA-256 is accepted.
> + // signature. Only a digest algorithm of SHA-256, SHA-384 or SHA-512 is accepted.
> //
> // According to PKCS#7 Definition (https://www.rfc-editor.org/rfc/rfc2315):
> // SignedData ::= SEQUENCE {
> @@ -1972,14 +2133,9 @@ VerifyTimeBasedPayload (
> //
> // Example generated with: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Manual_process
> //
> + HashAlgId = FindHashAlgorithmIndex (SigData, SigDataSize);
> if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
> - if ( ( (SigDataSize >= (13 + sizeof (mSha256OidValue)))
> - && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
> - || (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)))
> - && ( (SigDataSize >= (32 + sizeof (mSha256OidValue)))
> - && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
> - || (CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha256OidValue)) != 0))))
> - {
> + if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
> return EFI_SECURITY_VIOLATION;
> }
> }
> @@ -2170,19 +2326,20 @@ VerifyTimeBasedPayload (
> goto Exit;
> }
>
> - if (CertsSizeinDb == SHA256_DIGEST_SIZE) {
> + if ((HashAlgId < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) && (CertsSizeinDb == mHashInfo[HashAlgId].HashSize)) {
> //
> // Check hash of signer cert CommonName + Top-level issuer tbsCertificate against data in CertDb
> //
> CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
> - Status = CalculatePrivAuthVarSignChainSHA256Digest (
> + Status = CalculatePrivAuthVarSignChainSHADigest (
> + HashAlgId,
> CertDataPtr->CertDataBuffer,
> ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)),
> TopLevelCert,
> TopLevelCertSize,
> - Sha256Digest
> + ShaDigest
> );
> - if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, CertsInCertDb, CertsSizeinDb) != 0)) {
> + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb, CertsSizeinDb) != 0)) {
> goto Exit;
> }
> } else {
> @@ -2215,6 +2372,7 @@ VerifyTimeBasedPayload (
> //
> CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
> Status = InsertCertsToDb (
> + HashAlgId,
> VariableName,
> VendorGuid,
> Attributes,
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> index b202e613bc..f7bf771d55 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> @@ -92,7 +92,9 @@ extern UINT32 mMaxCertDbSize;
> extern UINT32 mPlatformMode;
> extern UINT8 mVendorKeyState;
>
> -extern VOID *mHashCtx;
> +extern VOID *mHashSha256Ctx;
> +extern VOID *mHashSha384Ctx;
> +extern VOID *mHashSha512Ctx;
>
> extern AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn;
>
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> index dc61ae840c..19e0004699 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> @@ -26,12 +26,14 @@ UINT32 mMaxCertDbSize;
> UINT32 mPlatformMode;
> UINT8 mVendorKeyState;
>
> -EFI_GUID mSignatureSupport[] = { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID };
> +EFI_GUID mSignatureSupport[] = { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_RSA3072_GUID, EFI_CERT_RSA4096_GUID, EFI_CERT_X509_GUID };
>
> //
> // Hash context pointer
> //
> -VOID *mHashCtx = NULL;
> +VOID *mHashSha256Ctx = NULL;
> +VOID *mHashSha384Ctx = NULL;
> +VOID *mHashSha512Ctx = NULL;
>
> VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = {
> {
> @@ -91,7 +93,7 @@ VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = {
> },
> };
>
> -VOID **mAuthVarAddressPointer[9];
> +VOID **mAuthVarAddressPointer[11];
>
> AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn = NULL;
>
> @@ -120,7 +122,6 @@ AuthVariableLibInitialize (
> UINT32 VarAttr;
> UINT8 *Data;
> UINTN DataSize;
> - UINTN CtxSize;
> UINT8 SecureBootMode;
> UINT8 SecureBootEnable;
> UINT8 CustomMode;
> @@ -135,9 +136,18 @@ AuthVariableLibInitialize (
> //
> // Initialize hash context.
> //
> - CtxSize = Sha256GetContextSize ();
> - mHashCtx = AllocateRuntimePool (CtxSize);
> - if (mHashCtx == NULL) {
> + mHashSha256Ctx = AllocateRuntimePool (Sha256GetContextSize ());
> + if (mHashSha256Ctx == NULL) {
> + return EFI_OUT_OF_RESOURCES;
> + }
> +
> + mHashSha384Ctx = AllocateRuntimePool (Sha384GetContextSize ());
> + if (mHashSha384Ctx == NULL) {
> + return EFI_OUT_OF_RESOURCES;
> + }
> +
> + mHashSha512Ctx = AllocateRuntimePool (Sha512GetContextSize ());
> + if (mHashSha512Ctx == NULL) {
> return EFI_OUT_OF_RESOURCES;
> }
>
> @@ -356,14 +366,16 @@ AuthVariableLibInitialize (
> AuthVarLibContextOut->AuthVarEntry = mAuthVarEntry;
> AuthVarLibContextOut->AuthVarEntryCount = ARRAY_SIZE (mAuthVarEntry);
> mAuthVarAddressPointer[0] = (VOID **)&mCertDbStore;
> - mAuthVarAddressPointer[1] = (VOID **)&mHashCtx;
> - mAuthVarAddressPointer[2] = (VOID **)&mAuthVarLibContextIn;
> - mAuthVarAddressPointer[3] = (VOID **)&(mAuthVarLibContextIn->FindVariable),
> - mAuthVarAddressPointer[4] = (VOID **)&(mAuthVarLibContextIn->FindNextVariable),
> - mAuthVarAddressPointer[5] = (VOID **)&(mAuthVarLibContextIn->UpdateVariable),
> - mAuthVarAddressPointer[6] = (VOID **)&(mAuthVarLibContextIn->GetScratchBuffer),
> - mAuthVarAddressPointer[7] = (VOID **)&(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency),
> - mAuthVarAddressPointer[8] = (VOID **)&(mAuthVarLibContextIn->AtRuntime),
> + mAuthVarAddressPointer[1] = (VOID **)&mHashSha256Ctx;
> + mAuthVarAddressPointer[2] = (VOID **)&mHashSha384Ctx;
> + mAuthVarAddressPointer[3] = (VOID **)&mHashSha512Ctx;
> + mAuthVarAddressPointer[4] = (VOID **)&mAuthVarLibContextIn;
> + mAuthVarAddressPointer[5] = (VOID **)&(mAuthVarLibContextIn->FindVariable),
> + mAuthVarAddressPointer[6] = (VOID **)&(mAuthVarLibContextIn->FindNextVariable),
> + mAuthVarAddressPointer[7] = (VOID **)&(mAuthVarLibContextIn->UpdateVariable),
> + mAuthVarAddressPointer[8] = (VOID **)&(mAuthVarLibContextIn->GetScratchBuffer),
> + mAuthVarAddressPointer[9] = (VOID **)&(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency),
> + mAuthVarAddressPointer[10] = (VOID **)&(mAuthVarLibContextIn->AtRuntime),
> AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer;
> AuthVarLibContextOut->AddressPointerCount = ARRAY_SIZE (mAuthVarAddressPointer);
>
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 5d8dbd5468..88b2d3c6c1 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1620,7 +1620,7 @@ Done:
> in the security database "db", and no valid signature nor any hash value of the image may
> be reflected in the security database "dbx".
> Otherwise, the image is not signed,
> - The SHA256 hash value of the image must match a record in the security database "db", and
> + The hash value of the image must match a record in the security database "db", and
> not be reflected in the security data base "dbx".
>
> Caution: This function may receive untrusted input.
> @@ -1690,6 +1690,8 @@ DxeImageVerificationHandler (
> EFI_STATUS VarStatus;
> UINT32 VarAttr;
> BOOLEAN IsFound;
> + UINT8 HashAlg;
> + BOOLEAN IsFoundInDatabase;
>
> SignatureList = NULL;
> SignatureListSize = 0;
> @@ -1699,6 +1701,7 @@ DxeImageVerificationHandler (
> Action = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;
> IsVerified = FALSE;
> IsFound = FALSE;
> + IsFoundInDatabase = FALSE;
>
> //
> // Check the image type and get policy setting.
> @@ -1837,40 +1840,50 @@ DxeImageVerificationHandler (
> //
> if ((SecDataDir == NULL) || (SecDataDir->Size == 0)) {
> //
> - // This image is not signed. The SHA256 hash value of the image must match a record in the security database "db",
> + // This image is not signed. The hash value of the image must match a record in the security database "db",
> // and not be reflected in the security data base "dbx".
> //
> - if (!HashPeImage (HASHALG_SHA256)) {
> - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image using %s.\n", mHashTypeStr));
> - goto Failed;
> - }
> + HashAlg = sizeof (mHash) / sizeof (HASH_TABLE);
> + while (HashAlg > 0) {
> + HashAlg--;
> + if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit == NULL) || (mHash[HashAlg].HashUpdate == NULL) || (mHash[HashAlg].HashFinal == NULL)) {
> + continue;
> + }
> + if (!HashPeImage (HashAlg)) {
> + continue;
> + }
>
> - DbStatus = IsSignatureFoundInDatabase (
> - EFI_IMAGE_SECURITY_DATABASE1,
> - mImageDigest,
> - &mCertType,
> - mImageDigestSize,
> - &IsFound
> - );
> - if (EFI_ERROR (DbStatus) || IsFound) {
> - //
> - // Image Hash is in forbidden database (DBX).
> - //
> - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
> - goto Failed;
> + DbStatus = IsSignatureFoundInDatabase (
> + EFI_IMAGE_SECURITY_DATABASE1,
> + mImageDigest,
> + &mCertType,
> + mImageDigestSize,
> + &IsFound
> + );
> + if (EFI_ERROR (DbStatus) || IsFound) {
> + //
> + // Image Hash is in forbidden database (DBX).
> + //
> + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
> + goto Failed;
> + }
> +
> + DbStatus = IsSignatureFoundInDatabase (
> + EFI_IMAGE_SECURITY_DATABASE,
> + mImageDigest,
> + &mCertType,
> + mImageDigestSize,
> + &IsFound
> + );
> + if (!EFI_ERROR (DbStatus) && IsFound) {
> + //
> + // Image Hash is in allowed database (DB).
> + //
> + IsFoundInDatabase = TRUE;
> + }
> }
>
> - DbStatus = IsSignatureFoundInDatabase (
> - EFI_IMAGE_SECURITY_DATABASE,
> - mImageDigest,
> - &mCertType,
> - mImageDigestSize,
> - &IsFound
> - );
> - if (!EFI_ERROR (DbStatus) && IsFound) {
> - //
> - // Image Hash is in allowed database (DB).
> - //
> + if (IsFoundInDatabase) {
> return EFI_SUCCESS;
> }
>
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> index 1671d5be7c..cb52a16c09 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> @@ -70,6 +70,14 @@
> ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
> gEfiCertRsa2048Guid
>
> + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
> + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
> + gEfiCertRsa3072Guid
> +
> + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
> + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
> + gEfiCertRsa4096Guid
> +
> ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
> ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
> gEfiCertX509Guid
> @@ -82,6 +90,14 @@
> ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
> gEfiCertSha256Guid
>
> + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
> + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
> + gEfiCertSha384Guid
> +
> + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
> + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
> + gEfiCertSha512Guid
> +
> ## SOMETIMES_CONSUMES ## Variable:L"db"
> ## SOMETIMES_PRODUCES ## Variable:L"db"
> ## SOMETIMES_CONSUMES ## Variable:L"dbx"
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> index 0e31502b1b..3de6bf6139 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> @@ -560,7 +560,7 @@ ON_EXIT:
>
> **/
> EFI_STATUS
> -EnrollRsa2048ToKek (
> +EnrollRsaToKek (
> IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private
> )
> {
> @@ -603,8 +603,13 @@ EnrollRsa2048ToKek (
>
> ASSERT (KeyBlob != NULL);
> KeyInfo = (CPL_KEY_INFO *)KeyBlob;
> - if (KeyInfo->KeyLengthInBits / 8 != WIN_CERT_UEFI_RSA2048_SIZE) {
> - DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is supported.\n"));
> + switch (KeyInfo->KeyLengthInBits / 8) {
> + case WIN_CERT_UEFI_RSA2048_SIZE:
> + case WIN_CERT_UEFI_RSA3072_SIZE:
> + case WIN_CERT_UEFI_RSA4096_SIZE:
> + break;
> + default :
> + DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048, RSA3072 and RSA4096 are supported.\n"));
> Status = EFI_UNSUPPORTED;
> goto ON_EXIT;
> }
> @@ -632,7 +637,7 @@ EnrollRsa2048ToKek (
> //
> KekSigListSize = sizeof (EFI_SIGNATURE_LIST)
> + sizeof (EFI_SIGNATURE_DATA) - 1
> - + WIN_CERT_UEFI_RSA2048_SIZE;
> + + KeyLenInBytes;
>
> KekSigList = (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSize);
> if (KekSigList == NULL) {
> @@ -642,17 +647,32 @@ EnrollRsa2048ToKek (
>
> KekSigList->SignatureListSize = sizeof (EFI_SIGNATURE_LIST)
> + sizeof (EFI_SIGNATURE_DATA) - 1
> - + WIN_CERT_UEFI_RSA2048_SIZE;
> + + (UINT32) KeyLenInBytes;
> KekSigList->SignatureHeaderSize = 0;
> - KekSigList->SignatureSize = sizeof (EFI_SIGNATURE_DATA) - 1 + WIN_CERT_UEFI_RSA2048_SIZE;
> - CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
> + KekSigList->SignatureSize = sizeof (EFI_SIGNATURE_DATA) - 1 + (UINT32) KeyLenInBytes;
> + switch (KeyLenInBytes) {
> + case WIN_CERT_UEFI_RSA2048_SIZE:
> + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
> + break;
> + case WIN_CERT_UEFI_RSA3072_SIZE:
> + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid);
> + break;
> + case WIN_CERT_UEFI_RSA4096_SIZE:
> + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid);
> + break;
> + break;
> + default :
> + DEBUG ((DEBUG_ERROR, "Unsupported key length.\n"));
> + Status = EFI_UNSUPPORTED;
> + goto ON_EXIT;
> + }
>
> KEKSigData = (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof (EFI_SIGNATURE_LIST));
> CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID);
> CopyMem (
> KEKSigData->SignatureData,
> KeyBlob + sizeof (CPL_KEY_INFO),
> - WIN_CERT_UEFI_RSA2048_SIZE
> + KeyLenInBytes
> );
>
> //
> @@ -890,7 +910,7 @@ EnrollKeyExchangeKey (
> if (IsDerEncodeCertificate (FilePostFix)) {
> return EnrollX509ToKek (Private);
> } else if (CompareMem (FilePostFix, L".pbk", 4) == 0) {
> - return EnrollRsa2048ToKek (Private);
> + return EnrollRsaToKek (Private);
> } else {
> //
> // File type is wrong, simply close it
> @@ -1847,7 +1867,7 @@ HashPeImage (
> SectionHeader = NULL;
> Status = FALSE;
>
> - if (HashAlg != HASHALG_SHA256) {
> + if ((HashAlg >= HASHALG_MAX)) {
> return FALSE;
> }
>
> @@ -1856,8 +1876,25 @@ HashPeImage (
> //
> ZeroMem (mImageDigest, MAX_DIGEST_SIZE);
>
> - mImageDigestSize = SHA256_DIGEST_SIZE;
> - mCertType = gEfiCertSha256Guid;
> + switch (HashAlg) {
> + case HASHALG_SHA256:
> + mImageDigestSize = SHA256_DIGEST_SIZE;
> + mCertType = gEfiCertSha256Guid;
> + break;
> +
> + case HASHALG_SHA384:
> + mImageDigestSize = SHA384_DIGEST_SIZE;
> + mCertType = gEfiCertSha384Guid;
> + break;
> +
> + case HASHALG_SHA512:
> + mImageDigestSize = SHA512_DIGEST_SIZE;
> + mCertType = gEfiCertSha512Guid;
> + break;
> +
> + default:
> + return FALSE;
> + }
>
> CtxSize = mHash[HashAlg].GetContextSize ();
>
> @@ -2251,6 +2288,7 @@ EnrollImageSignatureToSigDB (
> UINT32 Attr;
> WIN_CERTIFICATE_UEFI_GUID *GuidCertData;
> EFI_TIME Time;
> + UINT32 HashAlg;
>
> Data = NULL;
> GuidCertData = NULL;
> @@ -2289,8 +2327,20 @@ EnrollImageSignatureToSigDB (
> }
>
> if (mSecDataDir->SizeOfCert == 0) {
> - if (!HashPeImage (HASHALG_SHA256)) {
> - Status = EFI_SECURITY_VIOLATION;
> + Status = EFI_SECURITY_VIOLATION;
> + HashAlg = sizeof (mHash) / sizeof (HASH_TABLE);
> + while (HashAlg > 0) {
> + HashAlg--;
> + if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit == NULL) || (mHash[HashAlg].HashUpdate == NULL) || (mHash[HashAlg].HashFinal == NULL)) {
> + continue;
> + }
> + if (HashPeImage (HashAlg)) {
> + Status = EFI_SUCCESS;
> + break;
> + }
> + }
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "Fail to get hash digest: %r", Status));
> goto ON_EXIT;
> }
> } else {
> @@ -2589,6 +2639,10 @@ UpdateDeletePage (
> while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
> if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)) {
> Help = STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID);
> + } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid)) {
> + Help = STRING_TOKEN (STR_CERT_TYPE_RSA3072_SHA384_GUID);
> + } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid)) {
> + Help = STRING_TOKEN (STR_CERT_TYPE_RSA4096_SHA512_GUID);
> } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
> Help = STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID);
> } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid)) {
> @@ -2750,6 +2804,8 @@ DeleteKeyExchangeKey (
> GuidIndex = 0;
> while ((KekDataSize > 0) && (KekDataSize >= CertList->SignatureListSize)) {
> if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
> + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) ||
> + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) ||
> CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid))
> {
> CopyMem (Data + Offset, CertList, (sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize));
> @@ -2952,6 +3008,8 @@ DeleteSignature (
> GuidIndex = 0;
> while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
> if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
> + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) ||
> + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) ||
> CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) ||
> CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) ||
> CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid) ||
> @@ -3758,12 +3816,20 @@ LoadSignatureList (
> while ((RemainingSize > 0) && (RemainingSize >= ListWalker->SignatureListSize)) {
> if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa2048Guid)) {
> ListType = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256);
> + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa3072Guid)) {
> + ListType = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384);
> + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa4096Guid)) {
> + ListType = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512);
> } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Guid)) {
> ListType = STRING_TOKEN (STR_LIST_TYPE_X509);
> } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha1Guid)) {
> ListType = STRING_TOKEN (STR_LIST_TYPE_SHA1);
> } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha256Guid)) {
> ListType = STRING_TOKEN (STR_LIST_TYPE_SHA256);
> + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha384Guid)) {
> + ListType = STRING_TOKEN (STR_LIST_TYPE_SHA384);
> + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha512Guid)) {
> + ListType = STRING_TOKEN (STR_LIST_TYPE_SHA512);
> } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha256Guid)) {
> ListType = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);
> } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha384Guid)) {
> @@ -4001,6 +4067,14 @@ FormatHelpInfo (
> ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256);
> DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID);
> IsCert = TRUE;
> + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa3072Guid)) {
> + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384);
> + DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID);
> + IsCert = TRUE;
> + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa4096Guid)) {
> + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512);
> + DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID);
> + IsCert = TRUE;
> } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Guid)) {
> ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509);
> DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID);
> @@ -4011,6 +4085,12 @@ FormatHelpInfo (
> } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha256Guid)) {
> ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA256);
> DataSize = 32;
> + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha384Guid)) {
> + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA384);
> + DataSize = 48;
> + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha512Guid)) {
> + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA512);
> + DataSize = 64;
> } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Sha256Guid)) {
> ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);
> DataSize = 32;
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
> index 37c66f1b95..ae50d929a7 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
> @@ -82,6 +82,8 @@ extern EFI_IFR_GUID_LABEL *mEndLabel;
> #define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
>
> #define WIN_CERT_UEFI_RSA2048_SIZE 256
> +#define WIN_CERT_UEFI_RSA3072_SIZE 384
> +#define WIN_CERT_UEFI_RSA4096_SIZE 512
>
> //
> // Support hash types
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
> index 0d01701de7..1b48acc800 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
> @@ -113,6 +113,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> #string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP #language en-US "Read the public key of KEK from file"
> #string STR_FILE_EXPLORER_TITLE #language en-US "File Explorer"
> #string STR_CERT_TYPE_RSA2048_SHA256_GUID #language en-US "RSA2048_SHA256_GUID"
> +#string STR_CERT_TYPE_RSA3072_SHA384_GUID #language en-US "RSA3072_SHA384_GUID"
> +#string STR_CERT_TYPE_RSA4096_SHA512_GUID #language en-US "RSA4096_SHA512_GUID"
> #string STR_CERT_TYPE_PCKS7_GUID #language en-US "PKCS7_GUID"
> #string STR_CERT_TYPE_SHA1_GUID #language en-US "SHA1_GUID"
> #string STR_CERT_TYPE_SHA256_GUID #language en-US "SHA256_GUID"
> @@ -121,9 +123,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> #string STR_CERT_TYPE_X509_SHA512_GUID #language en-US "X509_SHA512_GUID"
>
> #string STR_LIST_TYPE_RSA2048_SHA256 #language en-US "RSA2048_SHA256"
> +#string STR_LIST_TYPE_RSA3072_SHA384 #language en-US "RSA3072_SHA384"
> +#string STR_LIST_TYPE_RSA4096_SHA512 #language en-US "RSA4096_SHA512"
> #string STR_LIST_TYPE_X509 #language en-US "X509"
> #string STR_LIST_TYPE_SHA1 #language en-US "SHA1"
> #string STR_LIST_TYPE_SHA256 #language en-US "SHA256"
> +#string STR_LIST_TYPE_SHA384 #language en-US "SHA384"
> +#string STR_LIST_TYPE_SHA512 #language en-US "SHA512"
> #string STR_LIST_TYPE_X509_SHA256 #language en-US "X509_SHA256"
> #string STR_LIST_TYPE_X509_SHA384 #language en-US "X509_SHA384"
> #string STR_LIST_TYPE_X509_SHA512 #language en-US "X509_SHA512"
> --
> 2.26.2.windows.1
>
>
>
>
>
>
prev parent reply other threads:[~2023-07-06 7:29 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-06 6:36 [PATCH v3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 Sheng Wei
2023-07-06 7:28 ` Gary Lin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230706072844.5h6gry4hmu5r7bla@GaryLaptop \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox