public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* [PATCH v3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
@ 2023-07-06  6:36 Sheng Wei
  2023-07-06  7:28 ` [edk2-devel] " Gary Lin
  0 siblings, 1 reply; 2+ messages in thread
From: Sheng Wei @ 2023-07-06  6:36 UTC (permalink / raw)
  To: devel; +Cc: Jiewen Yao, Jian J Wang, Min Xu, Zeyi Chen, Fiona Wang

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Zeyi Chen <zeyi.chen@intel.com>
Cc: Fiona Wang <fiona.wang@intel.com>
Signed-off-by: Sheng Wei <w.sheng@intel.com>
---
 CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
 MdePkg/Include/Guid/ImageAuthentication.h     |  26 +++
 MdePkg/MdePkg.dec                             |   2 +
 .../Library/AuthVariableLib/AuthService.c     | 220 +++++++++++++++---
 .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
 .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
 .../DxeImageVerificationLib.c                 |  73 +++---
 .../SecureBootConfigDxe.inf                   |  16 ++
 .../SecureBootConfigImpl.c                    | 108 +++++++--
 .../SecureBootConfigImpl.h                    |   2 +
 .../SecureBootConfigStrings.uni               |   6 +
 11 files changed, 410 insertions(+), 92 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
index 027dbb6842..944bcf8d38 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
@@ -591,7 +591,8 @@ ImageTimestampVerify (
   // Register & Initialize necessary digest algorithms for PKCS#7 Handling.
   //
   if ((EVP_add_digest (EVP_md5 ()) == 0) || (EVP_add_digest (EVP_sha1 ()) == 0) ||
-      (EVP_add_digest (EVP_sha256 ()) == 0) || ((EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0))
+      (EVP_add_digest (EVP_sha256 ()) == 0) || (EVP_add_digest (EVP_sha384 ()) == 0) ||
+      (EVP_add_digest (EVP_sha512 ()) == 0) || ((EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0))
   {
     return FALSE;
   }
diff --git a/MdePkg/Include/Guid/ImageAuthentication.h b/MdePkg/Include/Guid/ImageAuthentication.h
index fe83596571..c8ea2c14fb 100644
--- a/MdePkg/Include/Guid/ImageAuthentication.h
+++ b/MdePkg/Include/Guid/ImageAuthentication.h
@@ -144,6 +144,30 @@ typedef struct {
     0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \
   }
 
+///
+/// This identifies a signature containing an RSA-3072 key. The key (only the modulus
+/// since the public key exponent is known to be 0x10001) shall be stored in big-endian
+/// order.
+/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size
+/// of SignatureOwner component) + 384 bytes.
+///
+#define EFI_CERT_RSA3072_GUID \
+  { \
+    0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 } \
+  }
+
+///
+/// This identifies a signature containing an RSA-4096 key. The key (only the modulus
+/// since the public key exponent is known to be 0x10001) shall be stored in big-endian
+/// order.
+/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size
+/// of SignatureOwner component) + 512 bytes.
+///
+#define EFI_CERT_RSA4096_GUID \
+  { \
+    0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c } \
+  }
+
 ///
 /// This identifies a signature containing a RSA-2048 signature of a SHA-256 hash.  The
 /// SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of
@@ -330,6 +354,8 @@ typedef struct {
 extern EFI_GUID  gEfiImageSecurityDatabaseGuid;
 extern EFI_GUID  gEfiCertSha256Guid;
 extern EFI_GUID  gEfiCertRsa2048Guid;
+extern EFI_GUID  gEfiCertRsa3072Guid;
+extern EFI_GUID  gEfiCertRsa4096Guid;
 extern EFI_GUID  gEfiCertRsa2048Sha256Guid;
 extern EFI_GUID  gEfiCertSha1Guid;
 extern EFI_GUID  gEfiCertRsa2048Sha1Guid;
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index d6c4179b2a..c88e88fa6b 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -571,6 +571,8 @@
   gEfiImageSecurityDatabaseGuid  = { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3, 0xbc, 0xda, 0xd0,  0xe, 0x67, 0x65, 0x6f }}
   gEfiCertSha256Guid             = { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }}
   gEfiCertRsa2048Guid            = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6 }}
+  gEfiCertRsa3072Guid            = { 0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }}
+  gEfiCertRsa4096Guid            = { 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c }}
   gEfiCertRsa2048Sha256Guid      = { 0xe2b36190, 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }}
   gEfiCertSha1Guid               = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe,  0x1, 0x49, 0x66, 0x31, 0xbd }}
   gEfiCertRsa2048Sha1Guid        = { 0x67f8444f, 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }}
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index d81c581d78..4c268a85cd 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -29,12 +29,125 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Protocol/VariablePolicy.h>
 #include <Library/VariablePolicyLib.h>
 
+#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE
+
+/**
+  Retrieves the size, in bytes, of the context buffer required for hash operations.
+
+  If this interface is not supported, then return zero.
+
+  @return  The size, in bytes, of the context buffer required for hash operations.
+  @retval  0   This interface is not supported.
+
+**/
+typedef
+UINTN
+(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE)(
+  VOID
+  );
+
+/**
+  Initializes user-supplied memory pointed by Sha1Context as hash context for
+  subsequent use.
+
+  If HashContext is NULL, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[out]  HashContext  Pointer to Hashcontext being initialized.
+
+  @retval TRUE   Hash context initialization succeeded.
+  @retval FALSE  Hash context initialization failed.
+  @retval FALSE  This interface is not supported.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EFI_HASH_INIT)(
+  OUT  VOID  *HashContext
+  );
+
+/**
+  Digests the input data and updates Hash context.
+
+  This function performs Hash digest on a data buffer of the specified size.
+  It can be called multiple times to compute the digest of long or discontinuous data streams.
+  Hash context should be already correctly initialized by HashInit(), and should not be finalized
+  by HashFinal(). Behavior with invalid context is undefined.
+
+  If HashContext is NULL, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[in, out]  HashContext  Pointer to the Hash context.
+  @param[in]       Data         Pointer to the buffer containing the data to be hashed.
+  @param[in]       DataSize     Size of Data buffer in bytes.
+
+  @retval TRUE   SHA-1 data digest succeeded.
+  @retval FALSE  SHA-1 data digest failed.
+  @retval FALSE  This interface is not supported.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EFI_HASH_UPDATE)(
+  IN OUT  VOID        *HashContext,
+  IN      CONST VOID  *Data,
+  IN      UINTN       DataSize
+  );
+
+/**
+  Completes computation of the Hash digest value.
+
+  This function completes hash computation and retrieves the digest value into
+  the specified memory. After this function has been called, the Hash context cannot
+  be used again.
+  Hash context should be already correctly initialized by HashInit(), and should not be
+  finalized by HashFinal(). Behavior with invalid Hash context is undefined.
+
+  If HashContext is NULL, then return FALSE.
+  If HashValue is NULL, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[in, out]  HashContext  Pointer to the Hash context.
+  @param[out]      HashValue    Pointer to a buffer that receives the Hash digest
+                                value.
+
+  @retval TRUE   Hash digest computation succeeded.
+  @retval FALSE  Hash digest computation failed.
+  @retval FALSE  This interface is not supported.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EFI_HASH_FINAL)(
+  IN OUT  VOID   *HashContext,
+  OUT     UINT8  *HashValue
+  );
+
+typedef struct {
+  UINT32                       HashSize;
+  EFI_HASH_GET_CONTEXT_SIZE    GetContextSize;
+  EFI_HASH_INIT                Init;
+  EFI_HASH_UPDATE              Update;
+  EFI_HASH_FINAL               Final;
+  VOID                         **HashShaCtx;
+  UINT8                        *OidValue;
+  UINTN                        OidLength;
+} EFI_HASH_INFO;
+
 //
 // Public Exponent of RSA Key.
 //
 CONST UINT8  mRsaE[] = { 0x01, 0x00, 0x01 };
 
-CONST UINT8  mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
+UINT8  mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
+UINT8  mSha384OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 };
+UINT8  mSha512OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 };
+
+EFI_HASH_INFO  mHashInfo[] = {
+  {SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final, &mHashSha256Ctx, mSha256OidValue, 9},
+  {SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final, &mHashSha384Ctx, mSha384OidValue, 9},
+  {SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final, &mHashSha512Ctx, mSha512OidValue, 9},
+};
 
 //
 // Requirement for different signature type which have been defined in UEFI spec.
@@ -44,6 +157,8 @@ EFI_SIGNATURE_ITEM  mSupportSigItem[] = {
   // {SigType,                       SigHeaderSize,   SigDataSize  }
   { EFI_CERT_SHA256_GUID,         0, 32            },
   { EFI_CERT_RSA2048_GUID,        0, 256           },
+  { EFI_CERT_RSA3072_GUID,        0, 384           },
+  { EFI_CERT_RSA4096_GUID,        0, 512           },
   { EFI_CERT_RSA2048_SHA256_GUID, 0, 256           },
   { EFI_CERT_SHA1_GUID,           0, 20            },
   { EFI_CERT_RSA2048_SHA1_GUID,   0, 256           },
@@ -1090,26 +1205,28 @@ AuthServiceInternalCompareTimeStamp (
 }
 
 /**
-  Calculate SHA256 digest of SignerCert CommonName + ToplevelCert tbsCertificate
+  Calculate SHA digest of SignerCert CommonName + ToplevelCert tbsCertificate
   SignerCert and ToplevelCert are inside the signer certificate chain.
 
+  @param[in]  HashAlgId           Hash algorithm index
   @param[in]  SignerCert          A pointer to SignerCert data.
   @param[in]  SignerCertSize      Length of SignerCert data.
   @param[in]  TopLevelCert        A pointer to TopLevelCert data.
   @param[in]  TopLevelCertSize    Length of TopLevelCert data.
-  @param[out] Sha256Digest       Sha256 digest calculated.
+  @param[out] ShaDigest           Sha digest calculated.
 
   @return EFI_ABORTED          Digest process failed.
-  @return EFI_SUCCESS          SHA256 Digest is successfully calculated.
+  @return EFI_SUCCESS          SHA Digest is successfully calculated.
 
 **/
 EFI_STATUS
-CalculatePrivAuthVarSignChainSHA256Digest (
+CalculatePrivAuthVarSignChainSHADigest (
+  IN     UINT8  HashAlgId,
   IN     UINT8  *SignerCert,
   IN     UINTN  SignerCertSize,
   IN     UINT8  *TopLevelCert,
   IN     UINTN  TopLevelCertSize,
-  OUT    UINT8  *Sha256Digest
+  OUT    UINT8  *ShaDigest
   )
 {
   UINT8       *TbsCert;
@@ -1119,6 +1236,11 @@ CalculatePrivAuthVarSignChainSHA256Digest (
   BOOLEAN     CryptoStatus;
   EFI_STATUS  Status;
 
+  if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
+    DEBUG ((DEBUG_INFO, "%a Unsupported Hash Algorithm %d\n", __func__, HashAlgId));
+    return EFI_ABORTED;
+  }
+
   CertCommonNameSize = sizeof (CertCommonName);
 
   //
@@ -1141,8 +1263,8 @@ CalculatePrivAuthVarSignChainSHA256Digest (
   //
   // Digest SignerCert CN + TopLevelCert tbsCertificate
   //
-  ZeroMem (Sha256Digest, SHA256_DIGEST_SIZE);
-  CryptoStatus = Sha256Init (mHashCtx);
+  ZeroMem (ShaDigest, mHashInfo[HashAlgId].HashSize);
+  CryptoStatus = mHashInfo[HashAlgId].Init (*(mHashInfo[HashAlgId].HashShaCtx));
   if (!CryptoStatus) {
     return EFI_ABORTED;
   }
@@ -1150,8 +1272,8 @@ CalculatePrivAuthVarSignChainSHA256Digest (
   //
   // '\0' is forced in CertCommonName. No overflow issue
   //
-  CryptoStatus = Sha256Update (
-                   mHashCtx,
+  CryptoStatus = mHashInfo[HashAlgId].Update (
+                   *(mHashInfo[HashAlgId].HashShaCtx),
                    CertCommonName,
                    AsciiStrLen (CertCommonName)
                    );
@@ -1159,12 +1281,12 @@ CalculatePrivAuthVarSignChainSHA256Digest (
     return EFI_ABORTED;
   }
 
-  CryptoStatus = Sha256Update (mHashCtx, TbsCert, TbsCertSize);
+  CryptoStatus = mHashInfo[HashAlgId].Update (*(mHashInfo[HashAlgId].HashShaCtx), TbsCert, TbsCertSize);
   if (!CryptoStatus) {
     return EFI_ABORTED;
   }
 
-  CryptoStatus = Sha256Final (mHashCtx, Sha256Digest);
+  CryptoStatus = mHashInfo[HashAlgId].Final (*(mHashInfo[HashAlgId].HashShaCtx), ShaDigest);
   if (!CryptoStatus) {
     return EFI_ABORTED;
   }
@@ -1516,9 +1638,10 @@ DeleteCertsFromDb (
 /**
   Insert signer's certificates for common authenticated variable with VariableName
   and VendorGuid in AUTH_CERT_DB_DATA to "certdb" or "certdbv" according to
-  time based authenticated variable attributes. CertData is the SHA256 digest of
+  time based authenticated variable attributes. CertData is the SHA digest of
   SignerCert CommonName + TopLevelCert tbsCertificate.
 
+  @param[in]  HashAlgId         Hash algorithm index.
   @param[in]  VariableName      Name of authenticated Variable.
   @param[in]  VendorGuid        Vendor GUID of authenticated Variable.
   @param[in]  Attributes        Attributes of authenticated variable.
@@ -1536,6 +1659,7 @@ DeleteCertsFromDb (
 **/
 EFI_STATUS
 InsertCertsToDb (
+  IN     UINT8     HashAlgId,
   IN     CHAR16    *VariableName,
   IN     EFI_GUID  *VendorGuid,
   IN     UINT32    Attributes,
@@ -1556,12 +1680,16 @@ InsertCertsToDb (
   UINT32             CertDataSize;
   AUTH_CERT_DB_DATA  *Ptr;
   CHAR16             *DbName;
-  UINT8              Sha256Digest[SHA256_DIGEST_SIZE];
+  UINT8              ShaDigest[SHA_DIGEST_SIZE_MAX];
 
   if ((VariableName == NULL) || (VendorGuid == NULL) || (SignerCert == NULL) || (TopLevelCert == NULL)) {
     return EFI_INVALID_PARAMETER;
   }
 
+  if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
+    return EFI_INVALID_PARAMETER;
+  }
+
   if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) {
     //
     // Get variable "certdb".
@@ -1618,20 +1746,22 @@ InsertCertsToDb (
   // Construct new data content of variable "certdb" or "certdbv".
   //
   NameSize      = (UINT32)StrLen (VariableName);
-  CertDataSize  = sizeof (Sha256Digest);
+  CertDataSize  = mHashInfo[HashAlgId].HashSize;
   CertNodeSize  = sizeof (AUTH_CERT_DB_DATA) + (UINT32)CertDataSize + NameSize * sizeof (CHAR16);
   NewCertDbSize = (UINT32)DataSize + CertNodeSize;
   if (NewCertDbSize > mMaxCertDbSize) {
     return EFI_OUT_OF_RESOURCES;
   }
 
-  Status = CalculatePrivAuthVarSignChainSHA256Digest (
+  Status = CalculatePrivAuthVarSignChainSHADigest (
+             HashAlgId,
              SignerCert,
              SignerCertSize,
              TopLevelCert,
              TopLevelCertSize,
-             Sha256Digest
+             ShaDigest
              );
+
   if (EFI_ERROR (Status)) {
     return Status;
   }
@@ -1663,7 +1793,7 @@ InsertCertsToDb (
 
   CopyMem (
     (UINT8 *)Ptr +  sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof (CHAR16),
-    Sha256Digest,
+    ShaDigest,
     CertDataSize
     );
 
@@ -1790,6 +1920,36 @@ CleanCertsFromDb (
   return Status;
 }
 
+/**
+  Find hash algorithm index
+
+  @param[in]  SigData      Pointer to the PKCS#7 message
+  @param[in]  SigDataSize  Length of the PKCS#7 message
+
+  @retval UINT8        Hash Algorithm Index
+**/
+UINT8
+FindHashAlgorithmIndex (
+  IN     UINT8         *SigData,
+  IN     UINT32        SigDataSize
+)
+{
+  UINT8 i;
+
+  for (i = 0; i < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO)); i++) {
+    if (  (  (SigDataSize >= (13 + mHashInfo[i].OidLength))
+          && (  ((*(SigData + 1) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE)
+            && (CompareMem (SigData + 13, mHashInfo[i].OidValue, mHashInfo[i].OidLength) == 0)))
+      || ((  (SigDataSize >= (32 +  mHashInfo[i].OidLength)))
+        && (  ((*(SigData + 20) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE)
+          && (CompareMem (SigData + 32, mHashInfo[i].OidValue, mHashInfo[i].OidLength) == 0))))
+    {
+      break;
+    }
+  }
+  return i;
+}
+
 /**
   Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
 
@@ -1857,8 +2017,9 @@ VerifyTimeBasedPayload (
   UINTN                          CertStackSize;
   UINT8                          *CertsInCertDb;
   UINT32                         CertsSizeinDb;
-  UINT8                          Sha256Digest[SHA256_DIGEST_SIZE];
+  UINT8                          ShaDigest[SHA_DIGEST_SIZE_MAX];
   EFI_CERT_DATA                  *CertDataPtr;
+  UINT8                          HashAlgId;
 
   //
   // 1. TopLevelCert is the top-level issuer certificate in signature Signer Cert Chain
@@ -1928,7 +2089,7 @@ VerifyTimeBasedPayload (
 
   //
   // SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the
-  // signature. Only a digest algorithm of SHA-256 is accepted.
+  // signature. Only a digest algorithm of SHA-256, SHA-384 or SHA-512 is accepted.
   //
   //    According to PKCS#7 Definition (https://www.rfc-editor.org/rfc/rfc2315):
   //        SignedData ::= SEQUENCE {
@@ -1972,14 +2133,9 @@ VerifyTimeBasedPayload (
   //
   // Example generated with: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Manual_process
   //
+  HashAlgId = FindHashAlgorithmIndex (SigData, SigDataSize);
   if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
-    if (  (  (SigDataSize >= (13 + sizeof (mSha256OidValue)))
-          && (  ((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
-             || (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)))
-       && (  (SigDataSize >= (32 + sizeof (mSha256OidValue)))
-          && (  ((*(SigData + 20) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
-             || (CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha256OidValue)) != 0))))
-    {
+    if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
       return EFI_SECURITY_VIOLATION;
     }
   }
@@ -2170,19 +2326,20 @@ VerifyTimeBasedPayload (
         goto Exit;
       }
 
-      if (CertsSizeinDb == SHA256_DIGEST_SIZE) {
+      if ((HashAlgId < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) && (CertsSizeinDb == mHashInfo[HashAlgId].HashSize)) {
         //
         // Check hash of signer cert CommonName + Top-level issuer tbsCertificate against data in CertDb
         //
         CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
-        Status      = CalculatePrivAuthVarSignChainSHA256Digest (
+        Status      = CalculatePrivAuthVarSignChainSHADigest (
+                        HashAlgId,
                         CertDataPtr->CertDataBuffer,
                         ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)),
                         TopLevelCert,
                         TopLevelCertSize,
-                        Sha256Digest
+                        ShaDigest
                         );
-        if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, CertsInCertDb, CertsSizeinDb) != 0)) {
+        if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb, CertsSizeinDb) != 0)) {
           goto Exit;
         }
       } else {
@@ -2215,6 +2372,7 @@ VerifyTimeBasedPayload (
       //
       CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
       Status      = InsertCertsToDb (
+                      HashAlgId,
                       VariableName,
                       VendorGuid,
                       Attributes,
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
index b202e613bc..f7bf771d55 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
+++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
@@ -92,7 +92,9 @@ extern UINT32  mMaxCertDbSize;
 extern UINT32  mPlatformMode;
 extern UINT8   mVendorKeyState;
 
-extern VOID  *mHashCtx;
+extern VOID  *mHashSha256Ctx;
+extern VOID  *mHashSha384Ctx;
+extern VOID  *mHashSha512Ctx;
 
 extern AUTH_VAR_LIB_CONTEXT_IN  *mAuthVarLibContextIn;
 
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index dc61ae840c..19e0004699 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -26,12 +26,14 @@ UINT32  mMaxCertDbSize;
 UINT32  mPlatformMode;
 UINT8   mVendorKeyState;
 
-EFI_GUID  mSignatureSupport[] = { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID };
+EFI_GUID  mSignatureSupport[] = { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_RSA3072_GUID, EFI_CERT_RSA4096_GUID, EFI_CERT_X509_GUID };
 
 //
 // Hash context pointer
 //
-VOID  *mHashCtx = NULL;
+VOID  *mHashSha256Ctx = NULL;
+VOID  *mHashSha384Ctx = NULL;
+VOID  *mHashSha512Ctx = NULL;
 
 VARIABLE_ENTRY_PROPERTY  mAuthVarEntry[] = {
   {
@@ -91,7 +93,7 @@ VARIABLE_ENTRY_PROPERTY  mAuthVarEntry[] = {
   },
 };
 
-VOID  **mAuthVarAddressPointer[9];
+VOID  **mAuthVarAddressPointer[11];
 
 AUTH_VAR_LIB_CONTEXT_IN  *mAuthVarLibContextIn = NULL;
 
@@ -120,7 +122,6 @@ AuthVariableLibInitialize (
   UINT32      VarAttr;
   UINT8       *Data;
   UINTN       DataSize;
-  UINTN       CtxSize;
   UINT8       SecureBootMode;
   UINT8       SecureBootEnable;
   UINT8       CustomMode;
@@ -135,9 +136,18 @@ AuthVariableLibInitialize (
   //
   // Initialize hash context.
   //
-  CtxSize  = Sha256GetContextSize ();
-  mHashCtx = AllocateRuntimePool (CtxSize);
-  if (mHashCtx == NULL) {
+  mHashSha256Ctx = AllocateRuntimePool (Sha256GetContextSize ());
+  if (mHashSha256Ctx == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  mHashSha384Ctx = AllocateRuntimePool (Sha384GetContextSize ());
+  if (mHashSha384Ctx == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  mHashSha512Ctx = AllocateRuntimePool (Sha512GetContextSize ());
+  if (mHashSha512Ctx == NULL) {
     return EFI_OUT_OF_RESOURCES;
   }
 
@@ -356,14 +366,16 @@ AuthVariableLibInitialize (
   AuthVarLibContextOut->AuthVarEntry        = mAuthVarEntry;
   AuthVarLibContextOut->AuthVarEntryCount   = ARRAY_SIZE (mAuthVarEntry);
   mAuthVarAddressPointer[0]                 = (VOID **)&mCertDbStore;
-  mAuthVarAddressPointer[1]                 = (VOID **)&mHashCtx;
-  mAuthVarAddressPointer[2]                 = (VOID **)&mAuthVarLibContextIn;
-  mAuthVarAddressPointer[3]                 = (VOID **)&(mAuthVarLibContextIn->FindVariable),
-  mAuthVarAddressPointer[4]                 = (VOID **)&(mAuthVarLibContextIn->FindNextVariable),
-  mAuthVarAddressPointer[5]                 = (VOID **)&(mAuthVarLibContextIn->UpdateVariable),
-  mAuthVarAddressPointer[6]                 = (VOID **)&(mAuthVarLibContextIn->GetScratchBuffer),
-  mAuthVarAddressPointer[7]                 = (VOID **)&(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency),
-  mAuthVarAddressPointer[8]                 = (VOID **)&(mAuthVarLibContextIn->AtRuntime),
+  mAuthVarAddressPointer[1]                 = (VOID **)&mHashSha256Ctx;
+  mAuthVarAddressPointer[2]                 = (VOID **)&mHashSha384Ctx;
+  mAuthVarAddressPointer[3]                 = (VOID **)&mHashSha512Ctx;
+  mAuthVarAddressPointer[4]                 = (VOID **)&mAuthVarLibContextIn;
+  mAuthVarAddressPointer[5]                 = (VOID **)&(mAuthVarLibContextIn->FindVariable),
+  mAuthVarAddressPointer[6]                 = (VOID **)&(mAuthVarLibContextIn->FindNextVariable),
+  mAuthVarAddressPointer[7]                 = (VOID **)&(mAuthVarLibContextIn->UpdateVariable),
+  mAuthVarAddressPointer[8]                 = (VOID **)&(mAuthVarLibContextIn->GetScratchBuffer),
+  mAuthVarAddressPointer[9]                 = (VOID **)&(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency),
+  mAuthVarAddressPointer[10]                 = (VOID **)&(mAuthVarLibContextIn->AtRuntime),
   AuthVarLibContextOut->AddressPointer      = mAuthVarAddressPointer;
   AuthVarLibContextOut->AddressPointerCount = ARRAY_SIZE (mAuthVarAddressPointer);
 
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 5d8dbd5468..88b2d3c6c1 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1620,7 +1620,7 @@ Done:
       in the security database "db", and no valid signature nor any hash value of the image may
       be reflected in the security database "dbx".
     Otherwise, the image is not signed,
-      The SHA256 hash value of the image must match a record in the security database "db", and
+      The hash value of the image must match a record in the security database "db", and
       not be reflected in the security data base "dbx".
 
   Caution: This function may receive untrusted input.
@@ -1690,6 +1690,8 @@ DxeImageVerificationHandler (
   EFI_STATUS                    VarStatus;
   UINT32                        VarAttr;
   BOOLEAN                       IsFound;
+  UINT8                         HashAlg;
+  BOOLEAN                       IsFoundInDatabase;
 
   SignatureList     = NULL;
   SignatureListSize = 0;
@@ -1699,6 +1701,7 @@ DxeImageVerificationHandler (
   Action            = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;
   IsVerified        = FALSE;
   IsFound           = FALSE;
+  IsFoundInDatabase = FALSE;
 
   //
   // Check the image type and get policy setting.
@@ -1837,40 +1840,50 @@ DxeImageVerificationHandler (
   //
   if ((SecDataDir == NULL) || (SecDataDir->Size == 0)) {
     //
-    // This image is not signed. The SHA256 hash value of the image must match a record in the security database "db",
+    // This image is not signed. The hash value of the image must match a record in the security database "db",
     // and not be reflected in the security data base "dbx".
     //
-    if (!HashPeImage (HASHALG_SHA256)) {
-      DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image using %s.\n", mHashTypeStr));
-      goto Failed;
-    }
+    HashAlg = sizeof (mHash) / sizeof (HASH_TABLE);
+    while (HashAlg > 0) {
+      HashAlg--;
+      if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit == NULL) || (mHash[HashAlg].HashUpdate == NULL) || (mHash[HashAlg].HashFinal == NULL)) {
+        continue;
+      }
+      if (!HashPeImage (HashAlg)) {
+        continue;
+      }
 
-    DbStatus = IsSignatureFoundInDatabase (
-                 EFI_IMAGE_SECURITY_DATABASE1,
-                 mImageDigest,
-                 &mCertType,
-                 mImageDigestSize,
-                 &IsFound
-                 );
-    if (EFI_ERROR (DbStatus) || IsFound) {
-      //
-      // Image Hash is in forbidden database (DBX).
-      //
-      DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
-      goto Failed;
+      DbStatus = IsSignatureFoundInDatabase (
+                   EFI_IMAGE_SECURITY_DATABASE1,
+                   mImageDigest,
+                   &mCertType,
+                   mImageDigestSize,
+                   &IsFound
+                   );
+      if (EFI_ERROR (DbStatus) || IsFound) {
+        //
+        // Image Hash is in forbidden database (DBX).
+        //
+        DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
+        goto Failed;
+      }
+
+      DbStatus = IsSignatureFoundInDatabase (
+                   EFI_IMAGE_SECURITY_DATABASE,
+                   mImageDigest,
+                   &mCertType,
+                   mImageDigestSize,
+                   &IsFound
+                   );
+      if (!EFI_ERROR (DbStatus) && IsFound) {
+        //
+        // Image Hash is in allowed database (DB).
+        //
+        IsFoundInDatabase = TRUE;
+      }
     }
 
-    DbStatus = IsSignatureFoundInDatabase (
-                 EFI_IMAGE_SECURITY_DATABASE,
-                 mImageDigest,
-                 &mCertType,
-                 mImageDigestSize,
-                 &IsFound
-                 );
-    if (!EFI_ERROR (DbStatus) && IsFound) {
-      //
-      // Image Hash is in allowed database (DB).
-      //
+    if (IsFoundInDatabase) {
       return EFI_SUCCESS;
     }
 
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
index 1671d5be7c..cb52a16c09 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
@@ -70,6 +70,14 @@
   ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
   gEfiCertRsa2048Guid
 
+  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the signature.
+  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
+  gEfiCertRsa3072Guid
+
+  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the signature.
+  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
+  gEfiCertRsa4096Guid
+
   ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the signature.
   ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
   gEfiCertX509Guid
@@ -82,6 +90,14 @@
   ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
   gEfiCertSha256Guid
 
+  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the signature.
+  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
+  gEfiCertSha384Guid
+
+  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the signature.
+  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
+  gEfiCertSha512Guid
+
   ## SOMETIMES_CONSUMES      ## Variable:L"db"
   ## SOMETIMES_PRODUCES      ## Variable:L"db"
   ## SOMETIMES_CONSUMES      ## Variable:L"dbx"
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index 0e31502b1b..3de6bf6139 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -560,7 +560,7 @@ ON_EXIT:
 
 **/
 EFI_STATUS
-EnrollRsa2048ToKek (
+EnrollRsaToKek (
   IN SECUREBOOT_CONFIG_PRIVATE_DATA  *Private
   )
 {
@@ -603,8 +603,13 @@ EnrollRsa2048ToKek (
 
   ASSERT (KeyBlob != NULL);
   KeyInfo = (CPL_KEY_INFO *)KeyBlob;
-  if (KeyInfo->KeyLengthInBits / 8 != WIN_CERT_UEFI_RSA2048_SIZE) {
-    DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is supported.\n"));
+  switch (KeyInfo->KeyLengthInBits / 8) {
+  case WIN_CERT_UEFI_RSA2048_SIZE:
+  case WIN_CERT_UEFI_RSA3072_SIZE:
+  case WIN_CERT_UEFI_RSA4096_SIZE:
+    break;
+  default :
+    DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048, RSA3072 and RSA4096 are supported.\n"));
     Status = EFI_UNSUPPORTED;
     goto ON_EXIT;
   }
@@ -632,7 +637,7 @@ EnrollRsa2048ToKek (
   //
   KekSigListSize = sizeof (EFI_SIGNATURE_LIST)
                    + sizeof (EFI_SIGNATURE_DATA) - 1
-                   + WIN_CERT_UEFI_RSA2048_SIZE;
+                   + KeyLenInBytes;
 
   KekSigList = (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSize);
   if (KekSigList == NULL) {
@@ -642,17 +647,32 @@ EnrollRsa2048ToKek (
 
   KekSigList->SignatureListSize = sizeof (EFI_SIGNATURE_LIST)
                                   + sizeof (EFI_SIGNATURE_DATA) - 1
-                                  + WIN_CERT_UEFI_RSA2048_SIZE;
+                                  + (UINT32) KeyLenInBytes;
   KekSigList->SignatureHeaderSize = 0;
-  KekSigList->SignatureSize       = sizeof (EFI_SIGNATURE_DATA) - 1 + WIN_CERT_UEFI_RSA2048_SIZE;
-  CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
+  KekSigList->SignatureSize       = sizeof (EFI_SIGNATURE_DATA) - 1 + (UINT32) KeyLenInBytes;
+  switch (KeyLenInBytes) {
+  case WIN_CERT_UEFI_RSA2048_SIZE:
+    CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
+    break;
+  case WIN_CERT_UEFI_RSA3072_SIZE:
+    CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid);
+    break;
+  case WIN_CERT_UEFI_RSA4096_SIZE:
+    CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid);
+    break;
+    break;
+  default :
+    DEBUG ((DEBUG_ERROR, "Unsupported key length.\n"));
+    Status = EFI_UNSUPPORTED;
+    goto ON_EXIT;
+  }
 
   KEKSigData = (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof (EFI_SIGNATURE_LIST));
   CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID);
   CopyMem (
     KEKSigData->SignatureData,
     KeyBlob + sizeof (CPL_KEY_INFO),
-    WIN_CERT_UEFI_RSA2048_SIZE
+    KeyLenInBytes
     );
 
   //
@@ -890,7 +910,7 @@ EnrollKeyExchangeKey (
   if (IsDerEncodeCertificate (FilePostFix)) {
     return EnrollX509ToKek (Private);
   } else if (CompareMem (FilePostFix, L".pbk", 4) == 0) {
-    return EnrollRsa2048ToKek (Private);
+    return EnrollRsaToKek (Private);
   } else {
     //
     // File type is wrong, simply close it
@@ -1847,7 +1867,7 @@ HashPeImage (
   SectionHeader = NULL;
   Status        = FALSE;
 
-  if (HashAlg != HASHALG_SHA256) {
+  if ((HashAlg >= HASHALG_MAX)) {
     return FALSE;
   }
 
@@ -1856,8 +1876,25 @@ HashPeImage (
   //
   ZeroMem (mImageDigest, MAX_DIGEST_SIZE);
 
-  mImageDigestSize = SHA256_DIGEST_SIZE;
-  mCertType        = gEfiCertSha256Guid;
+   switch (HashAlg) {
+    case HASHALG_SHA256:
+      mImageDigestSize = SHA256_DIGEST_SIZE;
+      mCertType        = gEfiCertSha256Guid;
+      break;
+
+    case HASHALG_SHA384:
+      mImageDigestSize = SHA384_DIGEST_SIZE;
+      mCertType        = gEfiCertSha384Guid;
+      break;
+
+    case HASHALG_SHA512:
+      mImageDigestSize = SHA512_DIGEST_SIZE;
+      mCertType        = gEfiCertSha512Guid;
+      break;
+
+    default:
+      return FALSE;
+  }
 
   CtxSize = mHash[HashAlg].GetContextSize ();
 
@@ -2251,6 +2288,7 @@ EnrollImageSignatureToSigDB (
   UINT32                     Attr;
   WIN_CERTIFICATE_UEFI_GUID  *GuidCertData;
   EFI_TIME                   Time;
+  UINT32                     HashAlg;
 
   Data         = NULL;
   GuidCertData = NULL;
@@ -2289,8 +2327,20 @@ EnrollImageSignatureToSigDB (
   }
 
   if (mSecDataDir->SizeOfCert == 0) {
-    if (!HashPeImage (HASHALG_SHA256)) {
-      Status =  EFI_SECURITY_VIOLATION;
+    Status = EFI_SECURITY_VIOLATION;
+    HashAlg = sizeof (mHash) / sizeof (HASH_TABLE);
+    while (HashAlg > 0) {
+      HashAlg--;
+      if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit == NULL) || (mHash[HashAlg].HashUpdate == NULL) || (mHash[HashAlg].HashFinal == NULL)) {
+        continue;
+      }
+      if (HashPeImage (HashAlg)) {
+        Status = EFI_SUCCESS;
+        break;
+      }
+    }
+    if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_ERROR, "Fail to get hash digest: %r", Status));
       goto ON_EXIT;
     }
   } else {
@@ -2589,6 +2639,10 @@ UpdateDeletePage (
   while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
     if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)) {
       Help = STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID);
+    } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid)) {
+      Help = STRING_TOKEN (STR_CERT_TYPE_RSA3072_SHA384_GUID);
+    } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid)) {
+      Help = STRING_TOKEN (STR_CERT_TYPE_RSA4096_SHA512_GUID);
     } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
       Help = STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID);
     } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid)) {
@@ -2750,6 +2804,8 @@ DeleteKeyExchangeKey (
   GuidIndex      = 0;
   while ((KekDataSize > 0) && (KekDataSize >= CertList->SignatureListSize)) {
     if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
+        CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) ||
+        CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) ||
         CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid))
     {
       CopyMem (Data + Offset, CertList, (sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize));
@@ -2952,6 +3008,8 @@ DeleteSignature (
   GuidIndex    = 0;
   while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
     if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
+        CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) ||
+        CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) ||
         CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) ||
         CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) ||
         CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid) ||
@@ -3758,12 +3816,20 @@ LoadSignatureList (
   while ((RemainingSize > 0) && (RemainingSize >= ListWalker->SignatureListSize)) {
     if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa2048Guid)) {
       ListType = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256);
+    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa3072Guid)) {
+      ListType = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384);
+    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa4096Guid)) {
+      ListType = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512);
     } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Guid)) {
       ListType = STRING_TOKEN (STR_LIST_TYPE_X509);
     } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha1Guid)) {
       ListType = STRING_TOKEN (STR_LIST_TYPE_SHA1);
     } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha256Guid)) {
       ListType = STRING_TOKEN (STR_LIST_TYPE_SHA256);
+    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha384Guid)) {
+      ListType = STRING_TOKEN (STR_LIST_TYPE_SHA384);
+    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha512Guid)) {
+      ListType = STRING_TOKEN (STR_LIST_TYPE_SHA512);
     } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha256Guid)) {
       ListType = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);
     } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha384Guid)) {
@@ -4001,6 +4067,14 @@ FormatHelpInfo (
     ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256);
     DataSize   = ListEntry->SignatureSize - sizeof (EFI_GUID);
     IsCert     = TRUE;
+  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa3072Guid)) {
+    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384);
+    DataSize   = ListEntry->SignatureSize - sizeof (EFI_GUID);
+    IsCert     = TRUE;
+  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa4096Guid)) {
+    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512);
+    DataSize   = ListEntry->SignatureSize - sizeof (EFI_GUID);
+    IsCert     = TRUE;
   } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Guid)) {
     ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509);
     DataSize   = ListEntry->SignatureSize - sizeof (EFI_GUID);
@@ -4011,6 +4085,12 @@ FormatHelpInfo (
   } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha256Guid)) {
     ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA256);
     DataSize   = 32;
+  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha384Guid)) {
+    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA384);
+    DataSize   = 48;
+  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha512Guid)) {
+    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA512);
+    DataSize   = 64;
   } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Sha256Guid)) {
     ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);
     DataSize   = 32;
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
index 37c66f1b95..ae50d929a7 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
@@ -82,6 +82,8 @@ extern  EFI_IFR_GUID_LABEL  *mEndLabel;
 #define MAX_DIGEST_SIZE  SHA512_DIGEST_SIZE
 
 #define WIN_CERT_UEFI_RSA2048_SIZE  256
+#define WIN_CERT_UEFI_RSA3072_SIZE  384
+#define WIN_CERT_UEFI_RSA4096_SIZE  512
 
 //
 // Support hash types
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
index 0d01701de7..1b48acc800 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
@@ -113,6 +113,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP    #language en-US "Read the public key of KEK from file"
 #string STR_FILE_EXPLORER_TITLE                   #language en-US "File Explorer"
 #string STR_CERT_TYPE_RSA2048_SHA256_GUID         #language en-US "RSA2048_SHA256_GUID"
+#string STR_CERT_TYPE_RSA3072_SHA384_GUID         #language en-US "RSA3072_SHA384_GUID"
+#string STR_CERT_TYPE_RSA4096_SHA512_GUID         #language en-US "RSA4096_SHA512_GUID"
 #string STR_CERT_TYPE_PCKS7_GUID                  #language en-US "PKCS7_GUID"
 #string STR_CERT_TYPE_SHA1_GUID                   #language en-US "SHA1_GUID"
 #string STR_CERT_TYPE_SHA256_GUID                 #language en-US "SHA256_GUID"
@@ -121,9 +123,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #string STR_CERT_TYPE_X509_SHA512_GUID            #language en-US "X509_SHA512_GUID"
 
 #string STR_LIST_TYPE_RSA2048_SHA256              #language en-US "RSA2048_SHA256"
+#string STR_LIST_TYPE_RSA3072_SHA384              #language en-US "RSA3072_SHA384"
+#string STR_LIST_TYPE_RSA4096_SHA512              #language en-US "RSA4096_SHA512"
 #string STR_LIST_TYPE_X509                        #language en-US "X509"
 #string STR_LIST_TYPE_SHA1                        #language en-US "SHA1"
 #string STR_LIST_TYPE_SHA256                      #language en-US "SHA256"
+#string STR_LIST_TYPE_SHA384                      #language en-US "SHA384"
+#string STR_LIST_TYPE_SHA512                      #language en-US "SHA512"
 #string STR_LIST_TYPE_X509_SHA256                 #language en-US "X509_SHA256"
 #string STR_LIST_TYPE_X509_SHA384                 #language en-US "X509_SHA384"
 #string STR_LIST_TYPE_X509_SHA512                 #language en-US "X509_SHA512"
-- 
2.26.2.windows.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [edk2-devel] [PATCH v3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
  2023-07-06  6:36 [PATCH v3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 Sheng Wei
@ 2023-07-06  7:28 ` Gary Lin
  0 siblings, 0 replies; 2+ messages in thread
From: Gary Lin @ 2023-07-06  7:28 UTC (permalink / raw)
  To: devel, w.sheng; +Cc: Jiewen Yao, Jian J Wang, Min Xu, Zeyi Chen, Fiona Wang

On Thu, Jul 06, 2023 at 02:36:54PM +0800, Sheng Wei via groups.io wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413
> 
The title, "Support RSA 512 and RSA 384", looks very strange. I assume
it should be "Support SHA 512 and SHA 384"?

Gary Lin

> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Zeyi Chen <zeyi.chen@intel.com>
> Cc: Fiona Wang <fiona.wang@intel.com>
> Signed-off-by: Sheng Wei <w.sheng@intel.com>
> ---
>  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
>  MdePkg/Include/Guid/ImageAuthentication.h     |  26 +++
>  MdePkg/MdePkg.dec                             |   2 +
>  .../Library/AuthVariableLib/AuthService.c     | 220 +++++++++++++++---
>  .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
>  .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
>  .../DxeImageVerificationLib.c                 |  73 +++---
>  .../SecureBootConfigDxe.inf                   |  16 ++
>  .../SecureBootConfigImpl.c                    | 108 +++++++--
>  .../SecureBootConfigImpl.h                    |   2 +
>  .../SecureBootConfigStrings.uni               |   6 +
>  11 files changed, 410 insertions(+), 92 deletions(-)
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
> index 027dbb6842..944bcf8d38 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
> @@ -591,7 +591,8 @@ ImageTimestampVerify (
>    // Register & Initialize necessary digest algorithms for PKCS#7 Handling.
>    //
>    if ((EVP_add_digest (EVP_md5 ()) == 0) || (EVP_add_digest (EVP_sha1 ()) == 0) ||
> -      (EVP_add_digest (EVP_sha256 ()) == 0) || ((EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0))
> +      (EVP_add_digest (EVP_sha256 ()) == 0) || (EVP_add_digest (EVP_sha384 ()) == 0) ||
> +      (EVP_add_digest (EVP_sha512 ()) == 0) || ((EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0))
>    {
>      return FALSE;
>    }
> diff --git a/MdePkg/Include/Guid/ImageAuthentication.h b/MdePkg/Include/Guid/ImageAuthentication.h
> index fe83596571..c8ea2c14fb 100644
> --- a/MdePkg/Include/Guid/ImageAuthentication.h
> +++ b/MdePkg/Include/Guid/ImageAuthentication.h
> @@ -144,6 +144,30 @@ typedef struct {
>      0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \
>    }
>  
> +///
> +/// This identifies a signature containing an RSA-3072 key. The key (only the modulus
> +/// since the public key exponent is known to be 0x10001) shall be stored in big-endian
> +/// order.
> +/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size
> +/// of SignatureOwner component) + 384 bytes.
> +///
> +#define EFI_CERT_RSA3072_GUID \
> +  { \
> +    0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 } \
> +  }
> +
> +///
> +/// This identifies a signature containing an RSA-4096 key. The key (only the modulus
> +/// since the public key exponent is known to be 0x10001) shall be stored in big-endian
> +/// order.
> +/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size
> +/// of SignatureOwner component) + 512 bytes.
> +///
> +#define EFI_CERT_RSA4096_GUID \
> +  { \
> +    0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c } \
> +  }
> +
>  ///
>  /// This identifies a signature containing a RSA-2048 signature of a SHA-256 hash.  The
>  /// SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of
> @@ -330,6 +354,8 @@ typedef struct {
>  extern EFI_GUID  gEfiImageSecurityDatabaseGuid;
>  extern EFI_GUID  gEfiCertSha256Guid;
>  extern EFI_GUID  gEfiCertRsa2048Guid;
> +extern EFI_GUID  gEfiCertRsa3072Guid;
> +extern EFI_GUID  gEfiCertRsa4096Guid;
>  extern EFI_GUID  gEfiCertRsa2048Sha256Guid;
>  extern EFI_GUID  gEfiCertSha1Guid;
>  extern EFI_GUID  gEfiCertRsa2048Sha1Guid;
> diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
> index d6c4179b2a..c88e88fa6b 100644
> --- a/MdePkg/MdePkg.dec
> +++ b/MdePkg/MdePkg.dec
> @@ -571,6 +571,8 @@
>    gEfiImageSecurityDatabaseGuid  = { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3, 0xbc, 0xda, 0xd0,  0xe, 0x67, 0x65, 0x6f }}
>    gEfiCertSha256Guid             = { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }}
>    gEfiCertRsa2048Guid            = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6 }}
> +  gEfiCertRsa3072Guid            = { 0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }}
> +  gEfiCertRsa4096Guid            = { 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c }}
>    gEfiCertRsa2048Sha256Guid      = { 0xe2b36190, 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }}
>    gEfiCertSha1Guid               = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe,  0x1, 0x49, 0x66, 0x31, 0xbd }}
>    gEfiCertRsa2048Sha1Guid        = { 0x67f8444f, 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }}
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> index d81c581d78..4c268a85cd 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> @@ -29,12 +29,125 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  #include <Protocol/VariablePolicy.h>
>  #include <Library/VariablePolicyLib.h>
>  
> +#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE
> +
> +/**
> +  Retrieves the size, in bytes, of the context buffer required for hash operations.
> +
> +  If this interface is not supported, then return zero.
> +
> +  @return  The size, in bytes, of the context buffer required for hash operations.
> +  @retval  0   This interface is not supported.
> +
> +**/
> +typedef
> +UINTN
> +(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE)(
> +  VOID
> +  );
> +
> +/**
> +  Initializes user-supplied memory pointed by Sha1Context as hash context for
> +  subsequent use.
> +
> +  If HashContext is NULL, then return FALSE.
> +  If this interface is not supported, then return FALSE.
> +
> +  @param[out]  HashContext  Pointer to Hashcontext being initialized.
> +
> +  @retval TRUE   Hash context initialization succeeded.
> +  @retval FALSE  Hash context initialization failed.
> +  @retval FALSE  This interface is not supported.
> +
> +**/
> +typedef
> +BOOLEAN
> +(EFIAPI *EFI_HASH_INIT)(
> +  OUT  VOID  *HashContext
> +  );
> +
> +/**
> +  Digests the input data and updates Hash context.
> +
> +  This function performs Hash digest on a data buffer of the specified size.
> +  It can be called multiple times to compute the digest of long or discontinuous data streams.
> +  Hash context should be already correctly initialized by HashInit(), and should not be finalized
> +  by HashFinal(). Behavior with invalid context is undefined.
> +
> +  If HashContext is NULL, then return FALSE.
> +  If this interface is not supported, then return FALSE.
> +
> +  @param[in, out]  HashContext  Pointer to the Hash context.
> +  @param[in]       Data         Pointer to the buffer containing the data to be hashed.
> +  @param[in]       DataSize     Size of Data buffer in bytes.
> +
> +  @retval TRUE   SHA-1 data digest succeeded.
> +  @retval FALSE  SHA-1 data digest failed.
> +  @retval FALSE  This interface is not supported.
> +
> +**/
> +typedef
> +BOOLEAN
> +(EFIAPI *EFI_HASH_UPDATE)(
> +  IN OUT  VOID        *HashContext,
> +  IN      CONST VOID  *Data,
> +  IN      UINTN       DataSize
> +  );
> +
> +/**
> +  Completes computation of the Hash digest value.
> +
> +  This function completes hash computation and retrieves the digest value into
> +  the specified memory. After this function has been called, the Hash context cannot
> +  be used again.
> +  Hash context should be already correctly initialized by HashInit(), and should not be
> +  finalized by HashFinal(). Behavior with invalid Hash context is undefined.
> +
> +  If HashContext is NULL, then return FALSE.
> +  If HashValue is NULL, then return FALSE.
> +  If this interface is not supported, then return FALSE.
> +
> +  @param[in, out]  HashContext  Pointer to the Hash context.
> +  @param[out]      HashValue    Pointer to a buffer that receives the Hash digest
> +                                value.
> +
> +  @retval TRUE   Hash digest computation succeeded.
> +  @retval FALSE  Hash digest computation failed.
> +  @retval FALSE  This interface is not supported.
> +
> +**/
> +typedef
> +BOOLEAN
> +(EFIAPI *EFI_HASH_FINAL)(
> +  IN OUT  VOID   *HashContext,
> +  OUT     UINT8  *HashValue
> +  );
> +
> +typedef struct {
> +  UINT32                       HashSize;
> +  EFI_HASH_GET_CONTEXT_SIZE    GetContextSize;
> +  EFI_HASH_INIT                Init;
> +  EFI_HASH_UPDATE              Update;
> +  EFI_HASH_FINAL               Final;
> +  VOID                         **HashShaCtx;
> +  UINT8                        *OidValue;
> +  UINTN                        OidLength;
> +} EFI_HASH_INFO;
> +
>  //
>  // Public Exponent of RSA Key.
>  //
>  CONST UINT8  mRsaE[] = { 0x01, 0x00, 0x01 };
>  
> -CONST UINT8  mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
> +UINT8  mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
> +UINT8  mSha384OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 };
> +UINT8  mSha512OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 };
> +
> +EFI_HASH_INFO  mHashInfo[] = {
> +  {SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final, &mHashSha256Ctx, mSha256OidValue, 9},
> +  {SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final, &mHashSha384Ctx, mSha384OidValue, 9},
> +  {SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final, &mHashSha512Ctx, mSha512OidValue, 9},
> +};
>  
>  //
>  // Requirement for different signature type which have been defined in UEFI spec.
> @@ -44,6 +157,8 @@ EFI_SIGNATURE_ITEM  mSupportSigItem[] = {
>    // {SigType,                       SigHeaderSize,   SigDataSize  }
>    { EFI_CERT_SHA256_GUID,         0, 32            },
>    { EFI_CERT_RSA2048_GUID,        0, 256           },
> +  { EFI_CERT_RSA3072_GUID,        0, 384           },
> +  { EFI_CERT_RSA4096_GUID,        0, 512           },
>    { EFI_CERT_RSA2048_SHA256_GUID, 0, 256           },
>    { EFI_CERT_SHA1_GUID,           0, 20            },
>    { EFI_CERT_RSA2048_SHA1_GUID,   0, 256           },
> @@ -1090,26 +1205,28 @@ AuthServiceInternalCompareTimeStamp (
>  }
>  
>  /**
> -  Calculate SHA256 digest of SignerCert CommonName + ToplevelCert tbsCertificate
> +  Calculate SHA digest of SignerCert CommonName + ToplevelCert tbsCertificate
>    SignerCert and ToplevelCert are inside the signer certificate chain.
>  
> +  @param[in]  HashAlgId           Hash algorithm index
>    @param[in]  SignerCert          A pointer to SignerCert data.
>    @param[in]  SignerCertSize      Length of SignerCert data.
>    @param[in]  TopLevelCert        A pointer to TopLevelCert data.
>    @param[in]  TopLevelCertSize    Length of TopLevelCert data.
> -  @param[out] Sha256Digest       Sha256 digest calculated.
> +  @param[out] ShaDigest           Sha digest calculated.
>  
>    @return EFI_ABORTED          Digest process failed.
> -  @return EFI_SUCCESS          SHA256 Digest is successfully calculated.
> +  @return EFI_SUCCESS          SHA Digest is successfully calculated.
>  
>  **/
>  EFI_STATUS
> -CalculatePrivAuthVarSignChainSHA256Digest (
> +CalculatePrivAuthVarSignChainSHADigest (
> +  IN     UINT8  HashAlgId,
>    IN     UINT8  *SignerCert,
>    IN     UINTN  SignerCertSize,
>    IN     UINT8  *TopLevelCert,
>    IN     UINTN  TopLevelCertSize,
> -  OUT    UINT8  *Sha256Digest
> +  OUT    UINT8  *ShaDigest
>    )
>  {
>    UINT8       *TbsCert;
> @@ -1119,6 +1236,11 @@ CalculatePrivAuthVarSignChainSHA256Digest (
>    BOOLEAN     CryptoStatus;
>    EFI_STATUS  Status;
>  
> +  if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
> +    DEBUG ((DEBUG_INFO, "%a Unsupported Hash Algorithm %d\n", __func__, HashAlgId));
> +    return EFI_ABORTED;
> +  }
> +
>    CertCommonNameSize = sizeof (CertCommonName);
>  
>    //
> @@ -1141,8 +1263,8 @@ CalculatePrivAuthVarSignChainSHA256Digest (
>    //
>    // Digest SignerCert CN + TopLevelCert tbsCertificate
>    //
> -  ZeroMem (Sha256Digest, SHA256_DIGEST_SIZE);
> -  CryptoStatus = Sha256Init (mHashCtx);
> +  ZeroMem (ShaDigest, mHashInfo[HashAlgId].HashSize);
> +  CryptoStatus = mHashInfo[HashAlgId].Init (*(mHashInfo[HashAlgId].HashShaCtx));
>    if (!CryptoStatus) {
>      return EFI_ABORTED;
>    }
> @@ -1150,8 +1272,8 @@ CalculatePrivAuthVarSignChainSHA256Digest (
>    //
>    // '\0' is forced in CertCommonName. No overflow issue
>    //
> -  CryptoStatus = Sha256Update (
> -                   mHashCtx,
> +  CryptoStatus = mHashInfo[HashAlgId].Update (
> +                   *(mHashInfo[HashAlgId].HashShaCtx),
>                     CertCommonName,
>                     AsciiStrLen (CertCommonName)
>                     );
> @@ -1159,12 +1281,12 @@ CalculatePrivAuthVarSignChainSHA256Digest (
>      return EFI_ABORTED;
>    }
>  
> -  CryptoStatus = Sha256Update (mHashCtx, TbsCert, TbsCertSize);
> +  CryptoStatus = mHashInfo[HashAlgId].Update (*(mHashInfo[HashAlgId].HashShaCtx), TbsCert, TbsCertSize);
>    if (!CryptoStatus) {
>      return EFI_ABORTED;
>    }
>  
> -  CryptoStatus = Sha256Final (mHashCtx, Sha256Digest);
> +  CryptoStatus = mHashInfo[HashAlgId].Final (*(mHashInfo[HashAlgId].HashShaCtx), ShaDigest);
>    if (!CryptoStatus) {
>      return EFI_ABORTED;
>    }
> @@ -1516,9 +1638,10 @@ DeleteCertsFromDb (
>  /**
>    Insert signer's certificates for common authenticated variable with VariableName
>    and VendorGuid in AUTH_CERT_DB_DATA to "certdb" or "certdbv" according to
> -  time based authenticated variable attributes. CertData is the SHA256 digest of
> +  time based authenticated variable attributes. CertData is the SHA digest of
>    SignerCert CommonName + TopLevelCert tbsCertificate.
>  
> +  @param[in]  HashAlgId         Hash algorithm index.
>    @param[in]  VariableName      Name of authenticated Variable.
>    @param[in]  VendorGuid        Vendor GUID of authenticated Variable.
>    @param[in]  Attributes        Attributes of authenticated variable.
> @@ -1536,6 +1659,7 @@ DeleteCertsFromDb (
>  **/
>  EFI_STATUS
>  InsertCertsToDb (
> +  IN     UINT8     HashAlgId,
>    IN     CHAR16    *VariableName,
>    IN     EFI_GUID  *VendorGuid,
>    IN     UINT32    Attributes,
> @@ -1556,12 +1680,16 @@ InsertCertsToDb (
>    UINT32             CertDataSize;
>    AUTH_CERT_DB_DATA  *Ptr;
>    CHAR16             *DbName;
> -  UINT8              Sha256Digest[SHA256_DIGEST_SIZE];
> +  UINT8              ShaDigest[SHA_DIGEST_SIZE_MAX];
>  
>    if ((VariableName == NULL) || (VendorGuid == NULL) || (SignerCert == NULL) || (TopLevelCert == NULL)) {
>      return EFI_INVALID_PARAMETER;
>    }
>  
> +  if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
> +    return EFI_INVALID_PARAMETER;
> +  }
> +
>    if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) {
>      //
>      // Get variable "certdb".
> @@ -1618,20 +1746,22 @@ InsertCertsToDb (
>    // Construct new data content of variable "certdb" or "certdbv".
>    //
>    NameSize      = (UINT32)StrLen (VariableName);
> -  CertDataSize  = sizeof (Sha256Digest);
> +  CertDataSize  = mHashInfo[HashAlgId].HashSize;
>    CertNodeSize  = sizeof (AUTH_CERT_DB_DATA) + (UINT32)CertDataSize + NameSize * sizeof (CHAR16);
>    NewCertDbSize = (UINT32)DataSize + CertNodeSize;
>    if (NewCertDbSize > mMaxCertDbSize) {
>      return EFI_OUT_OF_RESOURCES;
>    }
>  
> -  Status = CalculatePrivAuthVarSignChainSHA256Digest (
> +  Status = CalculatePrivAuthVarSignChainSHADigest (
> +             HashAlgId,
>               SignerCert,
>               SignerCertSize,
>               TopLevelCert,
>               TopLevelCertSize,
> -             Sha256Digest
> +             ShaDigest
>               );
> +
>    if (EFI_ERROR (Status)) {
>      return Status;
>    }
> @@ -1663,7 +1793,7 @@ InsertCertsToDb (
>  
>    CopyMem (
>      (UINT8 *)Ptr +  sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof (CHAR16),
> -    Sha256Digest,
> +    ShaDigest,
>      CertDataSize
>      );
>  
> @@ -1790,6 +1920,36 @@ CleanCertsFromDb (
>    return Status;
>  }
>  
> +/**
> +  Find hash algorithm index
> +
> +  @param[in]  SigData      Pointer to the PKCS#7 message
> +  @param[in]  SigDataSize  Length of the PKCS#7 message
> +
> +  @retval UINT8        Hash Algorithm Index
> +**/
> +UINT8
> +FindHashAlgorithmIndex (
> +  IN     UINT8         *SigData,
> +  IN     UINT32        SigDataSize
> +)
> +{
> +  UINT8 i;
> +
> +  for (i = 0; i < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO)); i++) {
> +    if (  (  (SigDataSize >= (13 + mHashInfo[i].OidLength))
> +          && (  ((*(SigData + 1) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE)
> +            && (CompareMem (SigData + 13, mHashInfo[i].OidValue, mHashInfo[i].OidLength) == 0)))
> +      || ((  (SigDataSize >= (32 +  mHashInfo[i].OidLength)))
> +        && (  ((*(SigData + 20) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE)
> +          && (CompareMem (SigData + 32, mHashInfo[i].OidValue, mHashInfo[i].OidLength) == 0))))
> +    {
> +      break;
> +    }
> +  }
> +  return i;
> +}
> +
>  /**
>    Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
>  
> @@ -1857,8 +2017,9 @@ VerifyTimeBasedPayload (
>    UINTN                          CertStackSize;
>    UINT8                          *CertsInCertDb;
>    UINT32                         CertsSizeinDb;
> -  UINT8                          Sha256Digest[SHA256_DIGEST_SIZE];
> +  UINT8                          ShaDigest[SHA_DIGEST_SIZE_MAX];
>    EFI_CERT_DATA                  *CertDataPtr;
> +  UINT8                          HashAlgId;
>  
>    //
>    // 1. TopLevelCert is the top-level issuer certificate in signature Signer Cert Chain
> @@ -1928,7 +2089,7 @@ VerifyTimeBasedPayload (
>  
>    //
>    // SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the
> -  // signature. Only a digest algorithm of SHA-256 is accepted.
> +  // signature. Only a digest algorithm of SHA-256, SHA-384 or SHA-512 is accepted.
>    //
>    //    According to PKCS#7 Definition (https://www.rfc-editor.org/rfc/rfc2315):
>    //        SignedData ::= SEQUENCE {
> @@ -1972,14 +2133,9 @@ VerifyTimeBasedPayload (
>    //
>    // Example generated with: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Manual_process
>    //
> +  HashAlgId = FindHashAlgorithmIndex (SigData, SigDataSize);
>    if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
> -    if (  (  (SigDataSize >= (13 + sizeof (mSha256OidValue)))
> -          && (  ((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
> -             || (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)))
> -       && (  (SigDataSize >= (32 + sizeof (mSha256OidValue)))
> -          && (  ((*(SigData + 20) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
> -             || (CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha256OidValue)) != 0))))
> -    {
> +    if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
>        return EFI_SECURITY_VIOLATION;
>      }
>    }
> @@ -2170,19 +2326,20 @@ VerifyTimeBasedPayload (
>          goto Exit;
>        }
>  
> -      if (CertsSizeinDb == SHA256_DIGEST_SIZE) {
> +      if ((HashAlgId < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) && (CertsSizeinDb == mHashInfo[HashAlgId].HashSize)) {
>          //
>          // Check hash of signer cert CommonName + Top-level issuer tbsCertificate against data in CertDb
>          //
>          CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
> -        Status      = CalculatePrivAuthVarSignChainSHA256Digest (
> +        Status      = CalculatePrivAuthVarSignChainSHADigest (
> +                        HashAlgId,
>                          CertDataPtr->CertDataBuffer,
>                          ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)),
>                          TopLevelCert,
>                          TopLevelCertSize,
> -                        Sha256Digest
> +                        ShaDigest
>                          );
> -        if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, CertsInCertDb, CertsSizeinDb) != 0)) {
> +        if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb, CertsSizeinDb) != 0)) {
>            goto Exit;
>          }
>        } else {
> @@ -2215,6 +2372,7 @@ VerifyTimeBasedPayload (
>        //
>        CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
>        Status      = InsertCertsToDb (
> +                      HashAlgId,
>                        VariableName,
>                        VendorGuid,
>                        Attributes,
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> index b202e613bc..f7bf771d55 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> @@ -92,7 +92,9 @@ extern UINT32  mMaxCertDbSize;
>  extern UINT32  mPlatformMode;
>  extern UINT8   mVendorKeyState;
>  
> -extern VOID  *mHashCtx;
> +extern VOID  *mHashSha256Ctx;
> +extern VOID  *mHashSha384Ctx;
> +extern VOID  *mHashSha512Ctx;
>  
>  extern AUTH_VAR_LIB_CONTEXT_IN  *mAuthVarLibContextIn;
>  
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> index dc61ae840c..19e0004699 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> @@ -26,12 +26,14 @@ UINT32  mMaxCertDbSize;
>  UINT32  mPlatformMode;
>  UINT8   mVendorKeyState;
>  
> -EFI_GUID  mSignatureSupport[] = { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID };
> +EFI_GUID  mSignatureSupport[] = { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_RSA3072_GUID, EFI_CERT_RSA4096_GUID, EFI_CERT_X509_GUID };
>  
>  //
>  // Hash context pointer
>  //
> -VOID  *mHashCtx = NULL;
> +VOID  *mHashSha256Ctx = NULL;
> +VOID  *mHashSha384Ctx = NULL;
> +VOID  *mHashSha512Ctx = NULL;
>  
>  VARIABLE_ENTRY_PROPERTY  mAuthVarEntry[] = {
>    {
> @@ -91,7 +93,7 @@ VARIABLE_ENTRY_PROPERTY  mAuthVarEntry[] = {
>    },
>  };
>  
> -VOID  **mAuthVarAddressPointer[9];
> +VOID  **mAuthVarAddressPointer[11];
>  
>  AUTH_VAR_LIB_CONTEXT_IN  *mAuthVarLibContextIn = NULL;
>  
> @@ -120,7 +122,6 @@ AuthVariableLibInitialize (
>    UINT32      VarAttr;
>    UINT8       *Data;
>    UINTN       DataSize;
> -  UINTN       CtxSize;
>    UINT8       SecureBootMode;
>    UINT8       SecureBootEnable;
>    UINT8       CustomMode;
> @@ -135,9 +136,18 @@ AuthVariableLibInitialize (
>    //
>    // Initialize hash context.
>    //
> -  CtxSize  = Sha256GetContextSize ();
> -  mHashCtx = AllocateRuntimePool (CtxSize);
> -  if (mHashCtx == NULL) {
> +  mHashSha256Ctx = AllocateRuntimePool (Sha256GetContextSize ());
> +  if (mHashSha256Ctx == NULL) {
> +    return EFI_OUT_OF_RESOURCES;
> +  }
> +
> +  mHashSha384Ctx = AllocateRuntimePool (Sha384GetContextSize ());
> +  if (mHashSha384Ctx == NULL) {
> +    return EFI_OUT_OF_RESOURCES;
> +  }
> +
> +  mHashSha512Ctx = AllocateRuntimePool (Sha512GetContextSize ());
> +  if (mHashSha512Ctx == NULL) {
>      return EFI_OUT_OF_RESOURCES;
>    }
>  
> @@ -356,14 +366,16 @@ AuthVariableLibInitialize (
>    AuthVarLibContextOut->AuthVarEntry        = mAuthVarEntry;
>    AuthVarLibContextOut->AuthVarEntryCount   = ARRAY_SIZE (mAuthVarEntry);
>    mAuthVarAddressPointer[0]                 = (VOID **)&mCertDbStore;
> -  mAuthVarAddressPointer[1]                 = (VOID **)&mHashCtx;
> -  mAuthVarAddressPointer[2]                 = (VOID **)&mAuthVarLibContextIn;
> -  mAuthVarAddressPointer[3]                 = (VOID **)&(mAuthVarLibContextIn->FindVariable),
> -  mAuthVarAddressPointer[4]                 = (VOID **)&(mAuthVarLibContextIn->FindNextVariable),
> -  mAuthVarAddressPointer[5]                 = (VOID **)&(mAuthVarLibContextIn->UpdateVariable),
> -  mAuthVarAddressPointer[6]                 = (VOID **)&(mAuthVarLibContextIn->GetScratchBuffer),
> -  mAuthVarAddressPointer[7]                 = (VOID **)&(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency),
> -  mAuthVarAddressPointer[8]                 = (VOID **)&(mAuthVarLibContextIn->AtRuntime),
> +  mAuthVarAddressPointer[1]                 = (VOID **)&mHashSha256Ctx;
> +  mAuthVarAddressPointer[2]                 = (VOID **)&mHashSha384Ctx;
> +  mAuthVarAddressPointer[3]                 = (VOID **)&mHashSha512Ctx;
> +  mAuthVarAddressPointer[4]                 = (VOID **)&mAuthVarLibContextIn;
> +  mAuthVarAddressPointer[5]                 = (VOID **)&(mAuthVarLibContextIn->FindVariable),
> +  mAuthVarAddressPointer[6]                 = (VOID **)&(mAuthVarLibContextIn->FindNextVariable),
> +  mAuthVarAddressPointer[7]                 = (VOID **)&(mAuthVarLibContextIn->UpdateVariable),
> +  mAuthVarAddressPointer[8]                 = (VOID **)&(mAuthVarLibContextIn->GetScratchBuffer),
> +  mAuthVarAddressPointer[9]                 = (VOID **)&(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency),
> +  mAuthVarAddressPointer[10]                 = (VOID **)&(mAuthVarLibContextIn->AtRuntime),
>    AuthVarLibContextOut->AddressPointer      = mAuthVarAddressPointer;
>    AuthVarLibContextOut->AddressPointerCount = ARRAY_SIZE (mAuthVarAddressPointer);
>  
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 5d8dbd5468..88b2d3c6c1 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1620,7 +1620,7 @@ Done:
>        in the security database "db", and no valid signature nor any hash value of the image may
>        be reflected in the security database "dbx".
>      Otherwise, the image is not signed,
> -      The SHA256 hash value of the image must match a record in the security database "db", and
> +      The hash value of the image must match a record in the security database "db", and
>        not be reflected in the security data base "dbx".
>  
>    Caution: This function may receive untrusted input.
> @@ -1690,6 +1690,8 @@ DxeImageVerificationHandler (
>    EFI_STATUS                    VarStatus;
>    UINT32                        VarAttr;
>    BOOLEAN                       IsFound;
> +  UINT8                         HashAlg;
> +  BOOLEAN                       IsFoundInDatabase;
>  
>    SignatureList     = NULL;
>    SignatureListSize = 0;
> @@ -1699,6 +1701,7 @@ DxeImageVerificationHandler (
>    Action            = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;
>    IsVerified        = FALSE;
>    IsFound           = FALSE;
> +  IsFoundInDatabase = FALSE;
>  
>    //
>    // Check the image type and get policy setting.
> @@ -1837,40 +1840,50 @@ DxeImageVerificationHandler (
>    //
>    if ((SecDataDir == NULL) || (SecDataDir->Size == 0)) {
>      //
> -    // This image is not signed. The SHA256 hash value of the image must match a record in the security database "db",
> +    // This image is not signed. The hash value of the image must match a record in the security database "db",
>      // and not be reflected in the security data base "dbx".
>      //
> -    if (!HashPeImage (HASHALG_SHA256)) {
> -      DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image using %s.\n", mHashTypeStr));
> -      goto Failed;
> -    }
> +    HashAlg = sizeof (mHash) / sizeof (HASH_TABLE);
> +    while (HashAlg > 0) {
> +      HashAlg--;
> +      if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit == NULL) || (mHash[HashAlg].HashUpdate == NULL) || (mHash[HashAlg].HashFinal == NULL)) {
> +        continue;
> +      }
> +      if (!HashPeImage (HashAlg)) {
> +        continue;
> +      }
>  
> -    DbStatus = IsSignatureFoundInDatabase (
> -                 EFI_IMAGE_SECURITY_DATABASE1,
> -                 mImageDigest,
> -                 &mCertType,
> -                 mImageDigestSize,
> -                 &IsFound
> -                 );
> -    if (EFI_ERROR (DbStatus) || IsFound) {
> -      //
> -      // Image Hash is in forbidden database (DBX).
> -      //
> -      DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
> -      goto Failed;
> +      DbStatus = IsSignatureFoundInDatabase (
> +                   EFI_IMAGE_SECURITY_DATABASE1,
> +                   mImageDigest,
> +                   &mCertType,
> +                   mImageDigestSize,
> +                   &IsFound
> +                   );
> +      if (EFI_ERROR (DbStatus) || IsFound) {
> +        //
> +        // Image Hash is in forbidden database (DBX).
> +        //
> +        DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
> +        goto Failed;
> +      }
> +
> +      DbStatus = IsSignatureFoundInDatabase (
> +                   EFI_IMAGE_SECURITY_DATABASE,
> +                   mImageDigest,
> +                   &mCertType,
> +                   mImageDigestSize,
> +                   &IsFound
> +                   );
> +      if (!EFI_ERROR (DbStatus) && IsFound) {
> +        //
> +        // Image Hash is in allowed database (DB).
> +        //
> +        IsFoundInDatabase = TRUE;
> +      }
>      }
>  
> -    DbStatus = IsSignatureFoundInDatabase (
> -                 EFI_IMAGE_SECURITY_DATABASE,
> -                 mImageDigest,
> -                 &mCertType,
> -                 mImageDigestSize,
> -                 &IsFound
> -                 );
> -    if (!EFI_ERROR (DbStatus) && IsFound) {
> -      //
> -      // Image Hash is in allowed database (DB).
> -      //
> +    if (IsFoundInDatabase) {
>        return EFI_SUCCESS;
>      }
>  
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> index 1671d5be7c..cb52a16c09 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> @@ -70,6 +70,14 @@
>    ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
>    gEfiCertRsa2048Guid
>  
> +  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the signature.
> +  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
> +  gEfiCertRsa3072Guid
> +
> +  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the signature.
> +  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
> +  gEfiCertRsa4096Guid
> +
>    ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the signature.
>    ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
>    gEfiCertX509Guid
> @@ -82,6 +90,14 @@
>    ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
>    gEfiCertSha256Guid
>  
> +  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the signature.
> +  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
> +  gEfiCertSha384Guid
> +
> +  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the signature.
> +  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
> +  gEfiCertSha512Guid
> +
>    ## SOMETIMES_CONSUMES      ## Variable:L"db"
>    ## SOMETIMES_PRODUCES      ## Variable:L"db"
>    ## SOMETIMES_CONSUMES      ## Variable:L"dbx"
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> index 0e31502b1b..3de6bf6139 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> @@ -560,7 +560,7 @@ ON_EXIT:
>  
>  **/
>  EFI_STATUS
> -EnrollRsa2048ToKek (
> +EnrollRsaToKek (
>    IN SECUREBOOT_CONFIG_PRIVATE_DATA  *Private
>    )
>  {
> @@ -603,8 +603,13 @@ EnrollRsa2048ToKek (
>  
>    ASSERT (KeyBlob != NULL);
>    KeyInfo = (CPL_KEY_INFO *)KeyBlob;
> -  if (KeyInfo->KeyLengthInBits / 8 != WIN_CERT_UEFI_RSA2048_SIZE) {
> -    DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is supported.\n"));
> +  switch (KeyInfo->KeyLengthInBits / 8) {
> +  case WIN_CERT_UEFI_RSA2048_SIZE:
> +  case WIN_CERT_UEFI_RSA3072_SIZE:
> +  case WIN_CERT_UEFI_RSA4096_SIZE:
> +    break;
> +  default :
> +    DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048, RSA3072 and RSA4096 are supported.\n"));
>      Status = EFI_UNSUPPORTED;
>      goto ON_EXIT;
>    }
> @@ -632,7 +637,7 @@ EnrollRsa2048ToKek (
>    //
>    KekSigListSize = sizeof (EFI_SIGNATURE_LIST)
>                     + sizeof (EFI_SIGNATURE_DATA) - 1
> -                   + WIN_CERT_UEFI_RSA2048_SIZE;
> +                   + KeyLenInBytes;
>  
>    KekSigList = (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSize);
>    if (KekSigList == NULL) {
> @@ -642,17 +647,32 @@ EnrollRsa2048ToKek (
>  
>    KekSigList->SignatureListSize = sizeof (EFI_SIGNATURE_LIST)
>                                    + sizeof (EFI_SIGNATURE_DATA) - 1
> -                                  + WIN_CERT_UEFI_RSA2048_SIZE;
> +                                  + (UINT32) KeyLenInBytes;
>    KekSigList->SignatureHeaderSize = 0;
> -  KekSigList->SignatureSize       = sizeof (EFI_SIGNATURE_DATA) - 1 + WIN_CERT_UEFI_RSA2048_SIZE;
> -  CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
> +  KekSigList->SignatureSize       = sizeof (EFI_SIGNATURE_DATA) - 1 + (UINT32) KeyLenInBytes;
> +  switch (KeyLenInBytes) {
> +  case WIN_CERT_UEFI_RSA2048_SIZE:
> +    CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
> +    break;
> +  case WIN_CERT_UEFI_RSA3072_SIZE:
> +    CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid);
> +    break;
> +  case WIN_CERT_UEFI_RSA4096_SIZE:
> +    CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid);
> +    break;
> +    break;
> +  default :
> +    DEBUG ((DEBUG_ERROR, "Unsupported key length.\n"));
> +    Status = EFI_UNSUPPORTED;
> +    goto ON_EXIT;
> +  }
>  
>    KEKSigData = (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof (EFI_SIGNATURE_LIST));
>    CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID);
>    CopyMem (
>      KEKSigData->SignatureData,
>      KeyBlob + sizeof (CPL_KEY_INFO),
> -    WIN_CERT_UEFI_RSA2048_SIZE
> +    KeyLenInBytes
>      );
>  
>    //
> @@ -890,7 +910,7 @@ EnrollKeyExchangeKey (
>    if (IsDerEncodeCertificate (FilePostFix)) {
>      return EnrollX509ToKek (Private);
>    } else if (CompareMem (FilePostFix, L".pbk", 4) == 0) {
> -    return EnrollRsa2048ToKek (Private);
> +    return EnrollRsaToKek (Private);
>    } else {
>      //
>      // File type is wrong, simply close it
> @@ -1847,7 +1867,7 @@ HashPeImage (
>    SectionHeader = NULL;
>    Status        = FALSE;
>  
> -  if (HashAlg != HASHALG_SHA256) {
> +  if ((HashAlg >= HASHALG_MAX)) {
>      return FALSE;
>    }
>  
> @@ -1856,8 +1876,25 @@ HashPeImage (
>    //
>    ZeroMem (mImageDigest, MAX_DIGEST_SIZE);
>  
> -  mImageDigestSize = SHA256_DIGEST_SIZE;
> -  mCertType        = gEfiCertSha256Guid;
> +   switch (HashAlg) {
> +    case HASHALG_SHA256:
> +      mImageDigestSize = SHA256_DIGEST_SIZE;
> +      mCertType        = gEfiCertSha256Guid;
> +      break;
> +
> +    case HASHALG_SHA384:
> +      mImageDigestSize = SHA384_DIGEST_SIZE;
> +      mCertType        = gEfiCertSha384Guid;
> +      break;
> +
> +    case HASHALG_SHA512:
> +      mImageDigestSize = SHA512_DIGEST_SIZE;
> +      mCertType        = gEfiCertSha512Guid;
> +      break;
> +
> +    default:
> +      return FALSE;
> +  }
>  
>    CtxSize = mHash[HashAlg].GetContextSize ();
>  
> @@ -2251,6 +2288,7 @@ EnrollImageSignatureToSigDB (
>    UINT32                     Attr;
>    WIN_CERTIFICATE_UEFI_GUID  *GuidCertData;
>    EFI_TIME                   Time;
> +  UINT32                     HashAlg;
>  
>    Data         = NULL;
>    GuidCertData = NULL;
> @@ -2289,8 +2327,20 @@ EnrollImageSignatureToSigDB (
>    }
>  
>    if (mSecDataDir->SizeOfCert == 0) {
> -    if (!HashPeImage (HASHALG_SHA256)) {
> -      Status =  EFI_SECURITY_VIOLATION;
> +    Status = EFI_SECURITY_VIOLATION;
> +    HashAlg = sizeof (mHash) / sizeof (HASH_TABLE);
> +    while (HashAlg > 0) {
> +      HashAlg--;
> +      if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit == NULL) || (mHash[HashAlg].HashUpdate == NULL) || (mHash[HashAlg].HashFinal == NULL)) {
> +        continue;
> +      }
> +      if (HashPeImage (HashAlg)) {
> +        Status = EFI_SUCCESS;
> +        break;
> +      }
> +    }
> +    if (EFI_ERROR (Status)) {
> +      DEBUG ((DEBUG_ERROR, "Fail to get hash digest: %r", Status));
>        goto ON_EXIT;
>      }
>    } else {
> @@ -2589,6 +2639,10 @@ UpdateDeletePage (
>    while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
>      if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)) {
>        Help = STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID);
> +    } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid)) {
> +      Help = STRING_TOKEN (STR_CERT_TYPE_RSA3072_SHA384_GUID);
> +    } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid)) {
> +      Help = STRING_TOKEN (STR_CERT_TYPE_RSA4096_SHA512_GUID);
>      } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
>        Help = STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID);
>      } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid)) {
> @@ -2750,6 +2804,8 @@ DeleteKeyExchangeKey (
>    GuidIndex      = 0;
>    while ((KekDataSize > 0) && (KekDataSize >= CertList->SignatureListSize)) {
>      if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
> +        CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) ||
> +        CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) ||
>          CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid))
>      {
>        CopyMem (Data + Offset, CertList, (sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize));
> @@ -2952,6 +3008,8 @@ DeleteSignature (
>    GuidIndex    = 0;
>    while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
>      if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
> +        CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) ||
> +        CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) ||
>          CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) ||
>          CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) ||
>          CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid) ||
> @@ -3758,12 +3816,20 @@ LoadSignatureList (
>    while ((RemainingSize > 0) && (RemainingSize >= ListWalker->SignatureListSize)) {
>      if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa2048Guid)) {
>        ListType = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256);
> +    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa3072Guid)) {
> +      ListType = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384);
> +    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa4096Guid)) {
> +      ListType = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512);
>      } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Guid)) {
>        ListType = STRING_TOKEN (STR_LIST_TYPE_X509);
>      } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha1Guid)) {
>        ListType = STRING_TOKEN (STR_LIST_TYPE_SHA1);
>      } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha256Guid)) {
>        ListType = STRING_TOKEN (STR_LIST_TYPE_SHA256);
> +    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha384Guid)) {
> +      ListType = STRING_TOKEN (STR_LIST_TYPE_SHA384);
> +    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha512Guid)) {
> +      ListType = STRING_TOKEN (STR_LIST_TYPE_SHA512);
>      } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha256Guid)) {
>        ListType = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);
>      } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha384Guid)) {
> @@ -4001,6 +4067,14 @@ FormatHelpInfo (
>      ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256);
>      DataSize   = ListEntry->SignatureSize - sizeof (EFI_GUID);
>      IsCert     = TRUE;
> +  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa3072Guid)) {
> +    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384);
> +    DataSize   = ListEntry->SignatureSize - sizeof (EFI_GUID);
> +    IsCert     = TRUE;
> +  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa4096Guid)) {
> +    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512);
> +    DataSize   = ListEntry->SignatureSize - sizeof (EFI_GUID);
> +    IsCert     = TRUE;
>    } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Guid)) {
>      ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509);
>      DataSize   = ListEntry->SignatureSize - sizeof (EFI_GUID);
> @@ -4011,6 +4085,12 @@ FormatHelpInfo (
>    } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha256Guid)) {
>      ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA256);
>      DataSize   = 32;
> +  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha384Guid)) {
> +    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA384);
> +    DataSize   = 48;
> +  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha512Guid)) {
> +    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA512);
> +    DataSize   = 64;
>    } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Sha256Guid)) {
>      ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);
>      DataSize   = 32;
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
> index 37c66f1b95..ae50d929a7 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
> @@ -82,6 +82,8 @@ extern  EFI_IFR_GUID_LABEL  *mEndLabel;
>  #define MAX_DIGEST_SIZE  SHA512_DIGEST_SIZE
>  
>  #define WIN_CERT_UEFI_RSA2048_SIZE  256
> +#define WIN_CERT_UEFI_RSA3072_SIZE  384
> +#define WIN_CERT_UEFI_RSA4096_SIZE  512
>  
>  //
>  // Support hash types
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
> index 0d01701de7..1b48acc800 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
> @@ -113,6 +113,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  #string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP    #language en-US "Read the public key of KEK from file"
>  #string STR_FILE_EXPLORER_TITLE                   #language en-US "File Explorer"
>  #string STR_CERT_TYPE_RSA2048_SHA256_GUID         #language en-US "RSA2048_SHA256_GUID"
> +#string STR_CERT_TYPE_RSA3072_SHA384_GUID         #language en-US "RSA3072_SHA384_GUID"
> +#string STR_CERT_TYPE_RSA4096_SHA512_GUID         #language en-US "RSA4096_SHA512_GUID"
>  #string STR_CERT_TYPE_PCKS7_GUID                  #language en-US "PKCS7_GUID"
>  #string STR_CERT_TYPE_SHA1_GUID                   #language en-US "SHA1_GUID"
>  #string STR_CERT_TYPE_SHA256_GUID                 #language en-US "SHA256_GUID"
> @@ -121,9 +123,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  #string STR_CERT_TYPE_X509_SHA512_GUID            #language en-US "X509_SHA512_GUID"
>  
>  #string STR_LIST_TYPE_RSA2048_SHA256              #language en-US "RSA2048_SHA256"
> +#string STR_LIST_TYPE_RSA3072_SHA384              #language en-US "RSA3072_SHA384"
> +#string STR_LIST_TYPE_RSA4096_SHA512              #language en-US "RSA4096_SHA512"
>  #string STR_LIST_TYPE_X509                        #language en-US "X509"
>  #string STR_LIST_TYPE_SHA1                        #language en-US "SHA1"
>  #string STR_LIST_TYPE_SHA256                      #language en-US "SHA256"
> +#string STR_LIST_TYPE_SHA384                      #language en-US "SHA384"
> +#string STR_LIST_TYPE_SHA512                      #language en-US "SHA512"
>  #string STR_LIST_TYPE_X509_SHA256                 #language en-US "X509_SHA256"
>  #string STR_LIST_TYPE_X509_SHA384                 #language en-US "X509_SHA384"
>  #string STR_LIST_TYPE_X509_SHA512                 #language en-US "X509_SHA512"
> -- 
> 2.26.2.windows.1
> 
> 
> 
> 
> 
> 

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2023-07-06  7:29 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-07-06  6:36 [PATCH v3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 Sheng Wei
2023-07-06  7:28 ` [edk2-devel] " Gary Lin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox