From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from EUR04-VI1-obe.outbound.protection.outlook.com (EUR04-VI1-obe.outbound.protection.outlook.com [40.107.8.80]) by mx.groups.io with SMTP id smtpd.web11.16439.1688628540407607545 for ; Thu, 06 Jul 2023 00:29:01 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@suse.com header.s=selector1 header.b=qiaSfm33; spf=none, err=SPF record not found (domain: suse.com, ip: 40.107.8.80, mailfrom: glin@suse.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=lLdxMqoc75IDEPxp715GcYgo8oYNbMbQozXlkuODsmsL+CwhgLCBhkv/E0WDiPh7pFJgHG1TyAUnWqn2ocJs79wPS4qz3Y2lOJ2v3fiP/BRiPcRkuP/CVxtakgcuC/D2SXwhDsssx7FJhQqIcSiWb3FEpAPE/svebh/zTydVzG9hUsfxDLJ8pAfaRipbd5c1/aitylBvb2eKEJ9oNmz6kXEH9BBJOWnu7xI621kzZ1asSt0c7ET1Ronlp6dorvNaBVYEj6qydGCaJAG7QymwG6qZqm2E9VGGSrtomi++nBiw4m1nEp1Bhqp0UcQYAZ7PwlsMiwpGR/7ZrGK6g9qaZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=T8Fdwu40K8U6W4bp6kuAgJGA00irAZ/Lz8nppPYutj4=; b=HhfGcyJGp3hC8VQReVuC6emLHvdd8lPwSkNHv9fDFtiMcOEJdGhjS49tBrrq9MDteUFngEl/Hnasr1P0B4lNRcRXtrAfwHfCRpxNNHX7yi5yBOv6vNMHzSNidIP+mumZncZ1o/1+Fo1wvOQK0jMcCJYwpc6D7oiUHS7uDtqbaPz8hk4GKj8XhpN1XuopxHEvFNsa14ZGn7Zvuy/di3Fi49KwH3tFXl05Z4tit0z1CFlVqnjPGTybMOKlBeRvFJdyVJEB4IzpCnh8XOvlyEzYTycMgifFEL9OXIEnC8RlXIbm4MtpvDRe+OT1di4opmx0oPI/8SxXGgRJfVAVUK5jrg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=T8Fdwu40K8U6W4bp6kuAgJGA00irAZ/Lz8nppPYutj4=; b=qiaSfm33cLo0UIvkmZi5KwuTfPjPbVSgeqL/TwlYHlZlIYchTmRGV2hdJRM+g5N0JKJBsjx+SEVtk6pFpikp5I0EXWclhCRA9gPbyo/UIRbBNBZl/faPuXXYoL3DBB9H4FnXrfWb7+5dp4zILtnkvu72TLJmgC7DQNiTCgYuiCvqLAHGEO6Bg/inLXYotEu1vGSUVotklpYF2qNtyRP7zI3O4lOMjAVKVz7jZdH6ArCPTgfkgkox0qDUmscST+vBAY09/NSlgcWg2pGuW/fe0FISc1o/DARzvl+N9BL9L4tY1N/+JuliZ1JPR+E10zGGAK6BJBiw9l2PAs/RhpdenA== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com; Received: from DBBPR04MB6140.eurprd04.prod.outlook.com (2603:10a6:10:c7::18) by VI1PR04MB9977.eurprd04.prod.outlook.com (2603:10a6:800:1d9::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6544.24; Thu, 6 Jul 2023 07:28:56 +0000 Received: from DBBPR04MB6140.eurprd04.prod.outlook.com ([fe80::164f:862a:b00c:fc7c]) by DBBPR04MB6140.eurprd04.prod.outlook.com ([fe80::164f:862a:b00c:fc7c%4]) with mapi id 15.20.6565.016; Thu, 6 Jul 2023 07:28:56 +0000 Date: Thu, 6 Jul 2023 15:28:44 +0800 From: "Gary Lin" To: devel@edk2.groups.io, w.sheng@intel.com Cc: Jiewen Yao , Jian J Wang , Min Xu , Zeyi Chen , Fiona Wang Subject: Re: [edk2-devel] [PATCH v3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 Message-ID: <20230706072844.5h6gry4hmu5r7bla@GaryLaptop> References: <20230706063654.1576-1-w.sheng@intel.com> In-Reply-To: <20230706063654.1576-1-w.sheng@intel.com> X-ClientProxiedBy: TYCP286CA0002.JPNP286.PROD.OUTLOOK.COM (2603:1096:400:26c::6) To DBBPR04MB6140.eurprd04.prod.outlook.com (2603:10a6:10:c7::18) Return-Path: GLin@suse.com MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DBBPR04MB6140:EE_|VI1PR04MB9977:EE_ X-MS-Office365-Filtering-Correlation-Id: 5ed65290-451c-4f52-ddcb-08db7df2a812 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: /7xgy2nbdIrDe60hU0UQYohexAYHFJwrdQily+ij+65WKErwQ3ZwJs89D+GZ0RwpHP05z1PjwZocumJTg6wZOUasdEtaXCxWE7iFkOiuNZt7uLyopbdQ3YzRl/za5M9nPjKXNLa9qF1pkzBmTZUxy+j90ftev98Vld+Hjzooy9PV7S9v74L2jx38QlB0rzkQ+Z3h1Qop9oKoSOwjjEpCjKIP9U7QJlj7gPIfj94HoLCtTu6O5uMWrkEQRjRmEHZcuqi0K6cpK/tcq6Do/Q8JIBTM2kExX2tyTCFvC8gfD+ZP7XOCDbH38DxprD7qbLZmMiCGvmGAynNz3IZcKX8qp//pWdk1VypI9vU0FtNMM3Yi2X7APLb5/4zvH2Cx+NpR5NRxbd0IZEl7zKSPdfNUwBmgI6m5gxyPvlIMwm45GRMgS8dTlWH+Y1hg5pIr8GhtINVPCWwfew/ff5EDzB1Vei67y9HR2TRDqCAvfRE7TshswKhQap/vb40CYM5DEyF8B8H+yuqeTWfepWUfdeWl8STQOGfDMXhK+piFNKbmVWyONHsCwRPSHAVWiw+zTaYrTBkNhKxDoyDBv80QT63mIdUP7sjUNFCN7qF7jmB7UZE= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DBBPR04MB6140.eurprd04.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230028)(7916004)(136003)(396003)(366004)(346002)(39860400002)(376002)(451199021)(316002)(66946007)(4326008)(66476007)(478600001)(66556008)(2906002)(8676002)(8936002)(66899021)(5660300002)(15650500001)(83380400001)(41300700001)(30864003)(86362001)(9686003)(966005)(19627235002)(54906003)(6512007)(6666004)(33716001)(6486002)(38100700002)(186003)(26005)(1076003)(6506007)(579004)(44824005);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?b/TPccY3sGIgxa9/XOm7o78xZdCbzEiaY8c2PhC+KqSCLs6bygHOFfuOAuBX?= =?us-ascii?Q?F5yZ+3lquZdzTrdFI5Qlo2AqYXc/Werv5xKWKa7ipOKWMn9DMyPVIIqhL5YL?= =?us-ascii?Q?1A6JAoyR7/Wij2UL5FfPnzMHPI1IOSJEISc1sIJQWTpz9PchMXw8TdfIjZrc?= =?us-ascii?Q?mt6s+m9M3mRiUgi34ufj3wbWL8pddIP0XWuxkvDgdXGekn9+b2agwc04ECSy?= =?us-ascii?Q?86019sJ1GNGnB2fGR/AoD5B5EA07Fo731dHfW+d/ndFKoAtg7YcjfernLw4E?= =?us-ascii?Q?xAbZJ0OcuJffkd6puMLHarQcnGCg48t4WnT1lxaVPcDFcH1TNG5KpiQmUpgS?= =?us-ascii?Q?6fXr8k3OITD1YCjhOU89TDVZm9aiET9GrOiAi1codvalPRK0iY7xqr6pHpjJ?= =?us-ascii?Q?4vhOd5N4pKVgDaNoj3R7RAVRBFRi0ie8aVQymvQbRCc/gIP7XHSS87YmtrFX?= =?us-ascii?Q?EpLe0e5v4GMM6Ev9KBSjCam20Ehst+PmW8W7VqyVVdDC6yt6OkWtfM4kihyJ?= =?us-ascii?Q?XoFjgjh/ZISXJc/pUJyPnPkhb0dv7ChcNgmYL8oCc1UYDV9WW0B1xcOtI70P?= =?us-ascii?Q?Gy1aAgAxyV6kETCrtFFzku9T7O2Hkx0omJAMHv/pocE4Qd0uKpYDun5f6SoV?= =?us-ascii?Q?B/ACkJg0UC3MmkndHrWoSrO/55hg5aQcpfWAkg3HPHo+N5iKstEzxGw6pXMo?= =?us-ascii?Q?786mX4cfJESKpnic3ZKS550rdejBk+BJPvdelJU1qMRw1x5Rvb7jBMHWJ9gY?= =?us-ascii?Q?oLmVitD6PmC9rXXCzJDRcL8fdK4i0/anCRX9MwGYr2itvWlZLgXikjgU0GG4?= =?us-ascii?Q?qlalgDRuejXQFWeNw5O3Xwd89y9BoBw/zlPEJFbDuVpO3qA2ubTnU9oRCybn?= =?us-ascii?Q?qxDSMoAj1BaSNq98Z9+wOCSp3NJ35G1T/Txpyczstt1+pxDblseLfyjwF1KE?= =?us-ascii?Q?UQ4CHOs2CQTJ0JNYbdSWSfpy+ZM1TijHoRDTpaGJxCTS7cexlpVX8rBQuSVe?= =?us-ascii?Q?0XavI/5c1z2jnekLc6gBgHCJP5HtkFwagFuQXI44xLqnteRLSMSDBEasgzqc?= =?us-ascii?Q?Yv+H1l7FnjmZ2Aewa6uwJ9CG4+UOtIG2XFTgIKF631mQ8t60ciZsfUV/lWPh?= =?us-ascii?Q?Wgk5NsX8sQrnlawOQI8xdfMHRDKZwjpX0Ob/OKM58cImFQ5Mn9lJaQdKH1hR?= =?us-ascii?Q?BdFZx5Z9LrZja+ctlIbVR6NxcwolM6wyPaP25EmueS5+YXH0NJiRocHs2I/f?= =?us-ascii?Q?pkXz3xxTNy/gUJ+RO525pOL75sXzmMmS3/Dr9RAtkA7qFeXLdCmVJ2eTlfIL?= =?us-ascii?Q?qhOrpIRxoVgdy3Xun4xMoteGjIW/9XqD969xpeSxVNLncrPed1MMl5qgff3j?= =?us-ascii?Q?JnfOcG9WrCZ3nOG7Y4bNB1wTG7cQi19+0HihneaQR1UBx0dGLd0rItbyg7Ap?= =?us-ascii?Q?lxsoA1x9dxGvyqEbXl+IkyuFMNU8DAYpZ1afXXe3NlLA7H1q357iIKyQUy9m?= =?us-ascii?Q?iFKuBbFcsWReGQLHEL42mSsrEDHYwdBKUg64+Jx5iPoP19CkLDU3I/QZLSlE?= =?us-ascii?Q?r5BgaPySkLkBuaLPX5z9X1zvmw/tg0JL7D0/jvn2?= X-OriginatorOrg: suse.com X-MS-Exchange-CrossTenant-Network-Message-Id: 5ed65290-451c-4f52-ddcb-08db7df2a812 X-MS-Exchange-CrossTenant-AuthSource: DBBPR04MB6140.eurprd04.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Jul 2023 07:28:56.2419 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: f7a17af6-1c5c-4a36-aa8b-f5be247aa4ba X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 9b2dDmzaNVC/xQ98qQtKfG5Xu8GbJDOfhyJw+0riaGyxlWhp6rrGpqi3xBS6+D9y X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR04MB9977 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Jul 06, 2023 at 02:36:54PM +0800, Sheng Wei via groups.io wrote: > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413 > The title, "Support RSA 512 and RSA 384", looks very strange. I assume it should be "Support SHA 512 and SHA 384"? Gary Lin > Cc: Jiewen Yao > Cc: Jian J Wang > Cc: Min Xu > Cc: Zeyi Chen > Cc: Fiona Wang > Signed-off-by: Sheng Wei > --- > CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- > MdePkg/Include/Guid/ImageAuthentication.h | 26 +++ > MdePkg/MdePkg.dec | 2 + > .../Library/AuthVariableLib/AuthService.c | 220 +++++++++++++++--- > .../AuthVariableLib/AuthServiceInternal.h | 4 +- > .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++-- > .../DxeImageVerificationLib.c | 73 +++--- > .../SecureBootConfigDxe.inf | 16 ++ > .../SecureBootConfigImpl.c | 108 +++++++-- > .../SecureBootConfigImpl.h | 2 + > .../SecureBootConfigStrings.uni | 6 + > 11 files changed, 410 insertions(+), 92 deletions(-) > > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > index 027dbb6842..944bcf8d38 100644 > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > @@ -591,7 +591,8 @@ ImageTimestampVerify ( > // Register & Initialize necessary digest algorithms for PKCS#7 Handling. > // > if ((EVP_add_digest (EVP_md5 ()) == 0) || (EVP_add_digest (EVP_sha1 ()) == 0) || > - (EVP_add_digest (EVP_sha256 ()) == 0) || ((EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0)) > + (EVP_add_digest (EVP_sha256 ()) == 0) || (EVP_add_digest (EVP_sha384 ()) == 0) || > + (EVP_add_digest (EVP_sha512 ()) == 0) || ((EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0)) > { > return FALSE; > } > diff --git a/MdePkg/Include/Guid/ImageAuthentication.h b/MdePkg/Include/Guid/ImageAuthentication.h > index fe83596571..c8ea2c14fb 100644 > --- a/MdePkg/Include/Guid/ImageAuthentication.h > +++ b/MdePkg/Include/Guid/ImageAuthentication.h > @@ -144,6 +144,30 @@ typedef struct { > 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \ > } > > +/// > +/// This identifies a signature containing an RSA-3072 key. The key (only the modulus > +/// since the public key exponent is known to be 0x10001) shall be stored in big-endian > +/// order. > +/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size > +/// of SignatureOwner component) + 384 bytes. > +/// > +#define EFI_CERT_RSA3072_GUID \ > + { \ > + 0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 } \ > + } > + > +/// > +/// This identifies a signature containing an RSA-4096 key. The key (only the modulus > +/// since the public key exponent is known to be 0x10001) shall be stored in big-endian > +/// order. > +/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size > +/// of SignatureOwner component) + 512 bytes. > +/// > +#define EFI_CERT_RSA4096_GUID \ > + { \ > + 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c } \ > + } > + > /// > /// This identifies a signature containing a RSA-2048 signature of a SHA-256 hash. The > /// SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of > @@ -330,6 +354,8 @@ typedef struct { > extern EFI_GUID gEfiImageSecurityDatabaseGuid; > extern EFI_GUID gEfiCertSha256Guid; > extern EFI_GUID gEfiCertRsa2048Guid; > +extern EFI_GUID gEfiCertRsa3072Guid; > +extern EFI_GUID gEfiCertRsa4096Guid; > extern EFI_GUID gEfiCertRsa2048Sha256Guid; > extern EFI_GUID gEfiCertSha1Guid; > extern EFI_GUID gEfiCertRsa2048Sha1Guid; > diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec > index d6c4179b2a..c88e88fa6b 100644 > --- a/MdePkg/MdePkg.dec > +++ b/MdePkg/MdePkg.dec > @@ -571,6 +571,8 @@ > gEfiImageSecurityDatabaseGuid = { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f }} > gEfiCertSha256Guid = { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }} > gEfiCertRsa2048Guid = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6 }} > + gEfiCertRsa3072Guid = { 0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }} > + gEfiCertRsa4096Guid = { 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c }} > gEfiCertRsa2048Sha256Guid = { 0xe2b36190, 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }} > gEfiCertSha1Guid = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd }} > gEfiCertRsa2048Sha1Guid = { 0x67f8444f, 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }} > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c > index d81c581d78..4c268a85cd 100644 > --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c > +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c > @@ -29,12 +29,125 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #include > #include > > +#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE > + > +/** > + Retrieves the size, in bytes, of the context buffer required for hash operations. > + > + If this interface is not supported, then return zero. > + > + @return The size, in bytes, of the context buffer required for hash operations. > + @retval 0 This interface is not supported. > + > +**/ > +typedef > +UINTN > +(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE)( > + VOID > + ); > + > +/** > + Initializes user-supplied memory pointed by Sha1Context as hash context for > + subsequent use. > + > + If HashContext is NULL, then return FALSE. > + If this interface is not supported, then return FALSE. > + > + @param[out] HashContext Pointer to Hashcontext being initialized. > + > + @retval TRUE Hash context initialization succeeded. > + @retval FALSE Hash context initialization failed. > + @retval FALSE This interface is not supported. > + > +**/ > +typedef > +BOOLEAN > +(EFIAPI *EFI_HASH_INIT)( > + OUT VOID *HashContext > + ); > + > +/** > + Digests the input data and updates Hash context. > + > + This function performs Hash digest on a data buffer of the specified size. > + It can be called multiple times to compute the digest of long or discontinuous data streams. > + Hash context should be already correctly initialized by HashInit(), and should not be finalized > + by HashFinal(). Behavior with invalid context is undefined. > + > + If HashContext is NULL, then return FALSE. > + If this interface is not supported, then return FALSE. > + > + @param[in, out] HashContext Pointer to the Hash context. > + @param[in] Data Pointer to the buffer containing the data to be hashed. > + @param[in] DataSize Size of Data buffer in bytes. > + > + @retval TRUE SHA-1 data digest succeeded. > + @retval FALSE SHA-1 data digest failed. > + @retval FALSE This interface is not supported. > + > +**/ > +typedef > +BOOLEAN > +(EFIAPI *EFI_HASH_UPDATE)( > + IN OUT VOID *HashContext, > + IN CONST VOID *Data, > + IN UINTN DataSize > + ); > + > +/** > + Completes computation of the Hash digest value. > + > + This function completes hash computation and retrieves the digest value into > + the specified memory. After this function has been called, the Hash context cannot > + be used again. > + Hash context should be already correctly initialized by HashInit(), and should not be > + finalized by HashFinal(). Behavior with invalid Hash context is undefined. > + > + If HashContext is NULL, then return FALSE. > + If HashValue is NULL, then return FALSE. > + If this interface is not supported, then return FALSE. > + > + @param[in, out] HashContext Pointer to the Hash context. > + @param[out] HashValue Pointer to a buffer that receives the Hash digest > + value. > + > + @retval TRUE Hash digest computation succeeded. > + @retval FALSE Hash digest computation failed. > + @retval FALSE This interface is not supported. > + > +**/ > +typedef > +BOOLEAN > +(EFIAPI *EFI_HASH_FINAL)( > + IN OUT VOID *HashContext, > + OUT UINT8 *HashValue > + ); > + > +typedef struct { > + UINT32 HashSize; > + EFI_HASH_GET_CONTEXT_SIZE GetContextSize; > + EFI_HASH_INIT Init; > + EFI_HASH_UPDATE Update; > + EFI_HASH_FINAL Final; > + VOID **HashShaCtx; > + UINT8 *OidValue; > + UINTN OidLength; > +} EFI_HASH_INFO; > + > // > // Public Exponent of RSA Key. > // > CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 }; > > -CONST UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 }; > +UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 }; > +UINT8 mSha384OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 }; > +UINT8 mSha512OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 }; > + > +EFI_HASH_INFO mHashInfo[] = { > + {SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final, &mHashSha256Ctx, mSha256OidValue, 9}, > + {SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final, &mHashSha384Ctx, mSha384OidValue, 9}, > + {SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final, &mHashSha512Ctx, mSha512OidValue, 9}, > +}; > > // > // Requirement for different signature type which have been defined in UEFI spec. > @@ -44,6 +157,8 @@ EFI_SIGNATURE_ITEM mSupportSigItem[] = { > // {SigType, SigHeaderSize, SigDataSize } > { EFI_CERT_SHA256_GUID, 0, 32 }, > { EFI_CERT_RSA2048_GUID, 0, 256 }, > + { EFI_CERT_RSA3072_GUID, 0, 384 }, > + { EFI_CERT_RSA4096_GUID, 0, 512 }, > { EFI_CERT_RSA2048_SHA256_GUID, 0, 256 }, > { EFI_CERT_SHA1_GUID, 0, 20 }, > { EFI_CERT_RSA2048_SHA1_GUID, 0, 256 }, > @@ -1090,26 +1205,28 @@ AuthServiceInternalCompareTimeStamp ( > } > > /** > - Calculate SHA256 digest of SignerCert CommonName + ToplevelCert tbsCertificate > + Calculate SHA digest of SignerCert CommonName + ToplevelCert tbsCertificate > SignerCert and ToplevelCert are inside the signer certificate chain. > > + @param[in] HashAlgId Hash algorithm index > @param[in] SignerCert A pointer to SignerCert data. > @param[in] SignerCertSize Length of SignerCert data. > @param[in] TopLevelCert A pointer to TopLevelCert data. > @param[in] TopLevelCertSize Length of TopLevelCert data. > - @param[out] Sha256Digest Sha256 digest calculated. > + @param[out] ShaDigest Sha digest calculated. > > @return EFI_ABORTED Digest process failed. > - @return EFI_SUCCESS SHA256 Digest is successfully calculated. > + @return EFI_SUCCESS SHA Digest is successfully calculated. > > **/ > EFI_STATUS > -CalculatePrivAuthVarSignChainSHA256Digest ( > +CalculatePrivAuthVarSignChainSHADigest ( > + IN UINT8 HashAlgId, > IN UINT8 *SignerCert, > IN UINTN SignerCertSize, > IN UINT8 *TopLevelCert, > IN UINTN TopLevelCertSize, > - OUT UINT8 *Sha256Digest > + OUT UINT8 *ShaDigest > ) > { > UINT8 *TbsCert; > @@ -1119,6 +1236,11 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > BOOLEAN CryptoStatus; > EFI_STATUS Status; > > + if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { > + DEBUG ((DEBUG_INFO, "%a Unsupported Hash Algorithm %d\n", __func__, HashAlgId)); > + return EFI_ABORTED; > + } > + > CertCommonNameSize = sizeof (CertCommonName); > > // > @@ -1141,8 +1263,8 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > // > // Digest SignerCert CN + TopLevelCert tbsCertificate > // > - ZeroMem (Sha256Digest, SHA256_DIGEST_SIZE); > - CryptoStatus = Sha256Init (mHashCtx); > + ZeroMem (ShaDigest, mHashInfo[HashAlgId].HashSize); > + CryptoStatus = mHashInfo[HashAlgId].Init (*(mHashInfo[HashAlgId].HashShaCtx)); > if (!CryptoStatus) { > return EFI_ABORTED; > } > @@ -1150,8 +1272,8 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > // > // '\0' is forced in CertCommonName. No overflow issue > // > - CryptoStatus = Sha256Update ( > - mHashCtx, > + CryptoStatus = mHashInfo[HashAlgId].Update ( > + *(mHashInfo[HashAlgId].HashShaCtx), > CertCommonName, > AsciiStrLen (CertCommonName) > ); > @@ -1159,12 +1281,12 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > return EFI_ABORTED; > } > > - CryptoStatus = Sha256Update (mHashCtx, TbsCert, TbsCertSize); > + CryptoStatus = mHashInfo[HashAlgId].Update (*(mHashInfo[HashAlgId].HashShaCtx), TbsCert, TbsCertSize); > if (!CryptoStatus) { > return EFI_ABORTED; > } > > - CryptoStatus = Sha256Final (mHashCtx, Sha256Digest); > + CryptoStatus = mHashInfo[HashAlgId].Final (*(mHashInfo[HashAlgId].HashShaCtx), ShaDigest); > if (!CryptoStatus) { > return EFI_ABORTED; > } > @@ -1516,9 +1638,10 @@ DeleteCertsFromDb ( > /** > Insert signer's certificates for common authenticated variable with VariableName > and VendorGuid in AUTH_CERT_DB_DATA to "certdb" or "certdbv" according to > - time based authenticated variable attributes. CertData is the SHA256 digest of > + time based authenticated variable attributes. CertData is the SHA digest of > SignerCert CommonName + TopLevelCert tbsCertificate. > > + @param[in] HashAlgId Hash algorithm index. > @param[in] VariableName Name of authenticated Variable. > @param[in] VendorGuid Vendor GUID of authenticated Variable. > @param[in] Attributes Attributes of authenticated variable. > @@ -1536,6 +1659,7 @@ DeleteCertsFromDb ( > **/ > EFI_STATUS > InsertCertsToDb ( > + IN UINT8 HashAlgId, > IN CHAR16 *VariableName, > IN EFI_GUID *VendorGuid, > IN UINT32 Attributes, > @@ -1556,12 +1680,16 @@ InsertCertsToDb ( > UINT32 CertDataSize; > AUTH_CERT_DB_DATA *Ptr; > CHAR16 *DbName; > - UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; > + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; > > if ((VariableName == NULL) || (VendorGuid == NULL) || (SignerCert == NULL) || (TopLevelCert == NULL)) { > return EFI_INVALID_PARAMETER; > } > > + if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { > + return EFI_INVALID_PARAMETER; > + } > + > if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) { > // > // Get variable "certdb". > @@ -1618,20 +1746,22 @@ InsertCertsToDb ( > // Construct new data content of variable "certdb" or "certdbv". > // > NameSize = (UINT32)StrLen (VariableName); > - CertDataSize = sizeof (Sha256Digest); > + CertDataSize = mHashInfo[HashAlgId].HashSize; > CertNodeSize = sizeof (AUTH_CERT_DB_DATA) + (UINT32)CertDataSize + NameSize * sizeof (CHAR16); > NewCertDbSize = (UINT32)DataSize + CertNodeSize; > if (NewCertDbSize > mMaxCertDbSize) { > return EFI_OUT_OF_RESOURCES; > } > > - Status = CalculatePrivAuthVarSignChainSHA256Digest ( > + Status = CalculatePrivAuthVarSignChainSHADigest ( > + HashAlgId, > SignerCert, > SignerCertSize, > TopLevelCert, > TopLevelCertSize, > - Sha256Digest > + ShaDigest > ); > + > if (EFI_ERROR (Status)) { > return Status; > } > @@ -1663,7 +1793,7 @@ InsertCertsToDb ( > > CopyMem ( > (UINT8 *)Ptr + sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof (CHAR16), > - Sha256Digest, > + ShaDigest, > CertDataSize > ); > > @@ -1790,6 +1920,36 @@ CleanCertsFromDb ( > return Status; > } > > +/** > + Find hash algorithm index > + > + @param[in] SigData Pointer to the PKCS#7 message > + @param[in] SigDataSize Length of the PKCS#7 message > + > + @retval UINT8 Hash Algorithm Index > +**/ > +UINT8 > +FindHashAlgorithmIndex ( > + IN UINT8 *SigData, > + IN UINT32 SigDataSize > +) > +{ > + UINT8 i; > + > + for (i = 0; i < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO)); i++) { > + if ( ( (SigDataSize >= (13 + mHashInfo[i].OidLength)) > + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE) > + && (CompareMem (SigData + 13, mHashInfo[i].OidValue, mHashInfo[i].OidLength) == 0))) > + || (( (SigDataSize >= (32 + mHashInfo[i].OidLength))) > + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE) > + && (CompareMem (SigData + 32, mHashInfo[i].OidValue, mHashInfo[i].OidLength) == 0)))) > + { > + break; > + } > + } > + return i; > +} > + > /** > Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set > > @@ -1857,8 +2017,9 @@ VerifyTimeBasedPayload ( > UINTN CertStackSize; > UINT8 *CertsInCertDb; > UINT32 CertsSizeinDb; > - UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; > + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; > EFI_CERT_DATA *CertDataPtr; > + UINT8 HashAlgId; > > // > // 1. TopLevelCert is the top-level issuer certificate in signature Signer Cert Chain > @@ -1928,7 +2089,7 @@ VerifyTimeBasedPayload ( > > // > // SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the > - // signature. Only a digest algorithm of SHA-256 is accepted. > + // signature. Only a digest algorithm of SHA-256, SHA-384 or SHA-512 is accepted. > // > // According to PKCS#7 Definition (https://www.rfc-editor.org/rfc/rfc2315): > // SignedData ::= SEQUENCE { > @@ -1972,14 +2133,9 @@ VerifyTimeBasedPayload ( > // > // Example generated with: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Manual_process > // > + HashAlgId = FindHashAlgorithmIndex (SigData, SigDataSize); > if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) { > - if ( ( (SigDataSize >= (13 + sizeof (mSha256OidValue))) > - && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) > - || (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0))) > - && ( (SigDataSize >= (32 + sizeof (mSha256OidValue))) > - && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) > - || (CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)))) > - { > + if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { > return EFI_SECURITY_VIOLATION; > } > } > @@ -2170,19 +2326,20 @@ VerifyTimeBasedPayload ( > goto Exit; > } > > - if (CertsSizeinDb == SHA256_DIGEST_SIZE) { > + if ((HashAlgId < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) && (CertsSizeinDb == mHashInfo[HashAlgId].HashSize)) { > // > // Check hash of signer cert CommonName + Top-level issuer tbsCertificate against data in CertDb > // > CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1); > - Status = CalculatePrivAuthVarSignChainSHA256Digest ( > + Status = CalculatePrivAuthVarSignChainSHADigest ( > + HashAlgId, > CertDataPtr->CertDataBuffer, > ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)), > TopLevelCert, > TopLevelCertSize, > - Sha256Digest > + ShaDigest > ); > - if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, CertsInCertDb, CertsSizeinDb) != 0)) { > + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb, CertsSizeinDb) != 0)) { > goto Exit; > } > } else { > @@ -2215,6 +2372,7 @@ VerifyTimeBasedPayload ( > // > CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1); > Status = InsertCertsToDb ( > + HashAlgId, > VariableName, > VendorGuid, > Attributes, > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h > index b202e613bc..f7bf771d55 100644 > --- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h > +++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h > @@ -92,7 +92,9 @@ extern UINT32 mMaxCertDbSize; > extern UINT32 mPlatformMode; > extern UINT8 mVendorKeyState; > > -extern VOID *mHashCtx; > +extern VOID *mHashSha256Ctx; > +extern VOID *mHashSha384Ctx; > +extern VOID *mHashSha512Ctx; > > extern AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn; > > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > index dc61ae840c..19e0004699 100644 > --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > @@ -26,12 +26,14 @@ UINT32 mMaxCertDbSize; > UINT32 mPlatformMode; > UINT8 mVendorKeyState; > > -EFI_GUID mSignatureSupport[] = { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID }; > +EFI_GUID mSignatureSupport[] = { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_RSA3072_GUID, EFI_CERT_RSA4096_GUID, EFI_CERT_X509_GUID }; > > // > // Hash context pointer > // > -VOID *mHashCtx = NULL; > +VOID *mHashSha256Ctx = NULL; > +VOID *mHashSha384Ctx = NULL; > +VOID *mHashSha512Ctx = NULL; > > VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = { > { > @@ -91,7 +93,7 @@ VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = { > }, > }; > > -VOID **mAuthVarAddressPointer[9]; > +VOID **mAuthVarAddressPointer[11]; > > AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn = NULL; > > @@ -120,7 +122,6 @@ AuthVariableLibInitialize ( > UINT32 VarAttr; > UINT8 *Data; > UINTN DataSize; > - UINTN CtxSize; > UINT8 SecureBootMode; > UINT8 SecureBootEnable; > UINT8 CustomMode; > @@ -135,9 +136,18 @@ AuthVariableLibInitialize ( > // > // Initialize hash context. > // > - CtxSize = Sha256GetContextSize (); > - mHashCtx = AllocateRuntimePool (CtxSize); > - if (mHashCtx == NULL) { > + mHashSha256Ctx = AllocateRuntimePool (Sha256GetContextSize ()); > + if (mHashSha256Ctx == NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + mHashSha384Ctx = AllocateRuntimePool (Sha384GetContextSize ()); > + if (mHashSha384Ctx == NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + mHashSha512Ctx = AllocateRuntimePool (Sha512GetContextSize ()); > + if (mHashSha512Ctx == NULL) { > return EFI_OUT_OF_RESOURCES; > } > > @@ -356,14 +366,16 @@ AuthVariableLibInitialize ( > AuthVarLibContextOut->AuthVarEntry = mAuthVarEntry; > AuthVarLibContextOut->AuthVarEntryCount = ARRAY_SIZE (mAuthVarEntry); > mAuthVarAddressPointer[0] = (VOID **)&mCertDbStore; > - mAuthVarAddressPointer[1] = (VOID **)&mHashCtx; > - mAuthVarAddressPointer[2] = (VOID **)&mAuthVarLibContextIn; > - mAuthVarAddressPointer[3] = (VOID **)&(mAuthVarLibContextIn->FindVariable), > - mAuthVarAddressPointer[4] = (VOID **)&(mAuthVarLibContextIn->FindNextVariable), > - mAuthVarAddressPointer[5] = (VOID **)&(mAuthVarLibContextIn->UpdateVariable), > - mAuthVarAddressPointer[6] = (VOID **)&(mAuthVarLibContextIn->GetScratchBuffer), > - mAuthVarAddressPointer[7] = (VOID **)&(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency), > - mAuthVarAddressPointer[8] = (VOID **)&(mAuthVarLibContextIn->AtRuntime), > + mAuthVarAddressPointer[1] = (VOID **)&mHashSha256Ctx; > + mAuthVarAddressPointer[2] = (VOID **)&mHashSha384Ctx; > + mAuthVarAddressPointer[3] = (VOID **)&mHashSha512Ctx; > + mAuthVarAddressPointer[4] = (VOID **)&mAuthVarLibContextIn; > + mAuthVarAddressPointer[5] = (VOID **)&(mAuthVarLibContextIn->FindVariable), > + mAuthVarAddressPointer[6] = (VOID **)&(mAuthVarLibContextIn->FindNextVariable), > + mAuthVarAddressPointer[7] = (VOID **)&(mAuthVarLibContextIn->UpdateVariable), > + mAuthVarAddressPointer[8] = (VOID **)&(mAuthVarLibContextIn->GetScratchBuffer), > + mAuthVarAddressPointer[9] = (VOID **)&(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency), > + mAuthVarAddressPointer[10] = (VOID **)&(mAuthVarLibContextIn->AtRuntime), > AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer; > AuthVarLibContextOut->AddressPointerCount = ARRAY_SIZE (mAuthVarAddressPointer); > > diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 5d8dbd5468..88b2d3c6c1 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > @@ -1620,7 +1620,7 @@ Done: > in the security database "db", and no valid signature nor any hash value of the image may > be reflected in the security database "dbx". > Otherwise, the image is not signed, > - The SHA256 hash value of the image must match a record in the security database "db", and > + The hash value of the image must match a record in the security database "db", and > not be reflected in the security data base "dbx". > > Caution: This function may receive untrusted input. > @@ -1690,6 +1690,8 @@ DxeImageVerificationHandler ( > EFI_STATUS VarStatus; > UINT32 VarAttr; > BOOLEAN IsFound; > + UINT8 HashAlg; > + BOOLEAN IsFoundInDatabase; > > SignatureList = NULL; > SignatureListSize = 0; > @@ -1699,6 +1701,7 @@ DxeImageVerificationHandler ( > Action = EFI_IMAGE_EXECUTION_AUTH_UNTESTED; > IsVerified = FALSE; > IsFound = FALSE; > + IsFoundInDatabase = FALSE; > > // > // Check the image type and get policy setting. > @@ -1837,40 +1840,50 @@ DxeImageVerificationHandler ( > // > if ((SecDataDir == NULL) || (SecDataDir->Size == 0)) { > // > - // This image is not signed. The SHA256 hash value of the image must match a record in the security database "db", > + // This image is not signed. The hash value of the image must match a record in the security database "db", > // and not be reflected in the security data base "dbx". > // > - if (!HashPeImage (HASHALG_SHA256)) { > - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image using %s.\n", mHashTypeStr)); > - goto Failed; > - } > + HashAlg = sizeof (mHash) / sizeof (HASH_TABLE); > + while (HashAlg > 0) { > + HashAlg--; > + if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit == NULL) || (mHash[HashAlg].HashUpdate == NULL) || (mHash[HashAlg].HashFinal == NULL)) { > + continue; > + } > + if (!HashPeImage (HashAlg)) { > + continue; > + } > > - DbStatus = IsSignatureFoundInDatabase ( > - EFI_IMAGE_SECURITY_DATABASE1, > - mImageDigest, > - &mCertType, > - mImageDigestSize, > - &IsFound > - ); > - if (EFI_ERROR (DbStatus) || IsFound) { > - // > - // Image Hash is in forbidden database (DBX). > - // > - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr)); > - goto Failed; > + DbStatus = IsSignatureFoundInDatabase ( > + EFI_IMAGE_SECURITY_DATABASE1, > + mImageDigest, > + &mCertType, > + mImageDigestSize, > + &IsFound > + ); > + if (EFI_ERROR (DbStatus) || IsFound) { > + // > + // Image Hash is in forbidden database (DBX). > + // > + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr)); > + goto Failed; > + } > + > + DbStatus = IsSignatureFoundInDatabase ( > + EFI_IMAGE_SECURITY_DATABASE, > + mImageDigest, > + &mCertType, > + mImageDigestSize, > + &IsFound > + ); > + if (!EFI_ERROR (DbStatus) && IsFound) { > + // > + // Image Hash is in allowed database (DB). > + // > + IsFoundInDatabase = TRUE; > + } > } > > - DbStatus = IsSignatureFoundInDatabase ( > - EFI_IMAGE_SECURITY_DATABASE, > - mImageDigest, > - &mCertType, > - mImageDigestSize, > - &IsFound > - ); > - if (!EFI_ERROR (DbStatus) && IsFound) { > - // > - // Image Hash is in allowed database (DB). > - // > + if (IsFoundInDatabase) { > return EFI_SUCCESS; > } > > diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > index 1671d5be7c..cb52a16c09 100644 > --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > @@ -70,6 +70,14 @@ > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature. > gEfiCertRsa2048Guid > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature. > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature. > + gEfiCertRsa3072Guid > + > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature. > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature. > + gEfiCertRsa4096Guid > + > ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature. > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature. > gEfiCertX509Guid > @@ -82,6 +90,14 @@ > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature. > gEfiCertSha256Guid > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature. > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature. > + gEfiCertSha384Guid > + > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature. > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature. > + gEfiCertSha512Guid > + > ## SOMETIMES_CONSUMES ## Variable:L"db" > ## SOMETIMES_PRODUCES ## Variable:L"db" > ## SOMETIMES_CONSUMES ## Variable:L"dbx" > diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c > index 0e31502b1b..3de6bf6139 100644 > --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c > +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c > @@ -560,7 +560,7 @@ ON_EXIT: > > **/ > EFI_STATUS > -EnrollRsa2048ToKek ( > +EnrollRsaToKek ( > IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private > ) > { > @@ -603,8 +603,13 @@ EnrollRsa2048ToKek ( > > ASSERT (KeyBlob != NULL); > KeyInfo = (CPL_KEY_INFO *)KeyBlob; > - if (KeyInfo->KeyLengthInBits / 8 != WIN_CERT_UEFI_RSA2048_SIZE) { > - DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is supported.\n")); > + switch (KeyInfo->KeyLengthInBits / 8) { > + case WIN_CERT_UEFI_RSA2048_SIZE: > + case WIN_CERT_UEFI_RSA3072_SIZE: > + case WIN_CERT_UEFI_RSA4096_SIZE: > + break; > + default : > + DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048, RSA3072 and RSA4096 are supported.\n")); > Status = EFI_UNSUPPORTED; > goto ON_EXIT; > } > @@ -632,7 +637,7 @@ EnrollRsa2048ToKek ( > // > KekSigListSize = sizeof (EFI_SIGNATURE_LIST) > + sizeof (EFI_SIGNATURE_DATA) - 1 > - + WIN_CERT_UEFI_RSA2048_SIZE; > + + KeyLenInBytes; > > KekSigList = (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSize); > if (KekSigList == NULL) { > @@ -642,17 +647,32 @@ EnrollRsa2048ToKek ( > > KekSigList->SignatureListSize = sizeof (EFI_SIGNATURE_LIST) > + sizeof (EFI_SIGNATURE_DATA) - 1 > - + WIN_CERT_UEFI_RSA2048_SIZE; > + + (UINT32) KeyLenInBytes; > KekSigList->SignatureHeaderSize = 0; > - KekSigList->SignatureSize = sizeof (EFI_SIGNATURE_DATA) - 1 + WIN_CERT_UEFI_RSA2048_SIZE; > - CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); > + KekSigList->SignatureSize = sizeof (EFI_SIGNATURE_DATA) - 1 + (UINT32) KeyLenInBytes; > + switch (KeyLenInBytes) { > + case WIN_CERT_UEFI_RSA2048_SIZE: > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); > + break; > + case WIN_CERT_UEFI_RSA3072_SIZE: > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid); > + break; > + case WIN_CERT_UEFI_RSA4096_SIZE: > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid); > + break; > + break; > + default : > + DEBUG ((DEBUG_ERROR, "Unsupported key length.\n")); > + Status = EFI_UNSUPPORTED; > + goto ON_EXIT; > + } > > KEKSigData = (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof (EFI_SIGNATURE_LIST)); > CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID); > CopyMem ( > KEKSigData->SignatureData, > KeyBlob + sizeof (CPL_KEY_INFO), > - WIN_CERT_UEFI_RSA2048_SIZE > + KeyLenInBytes > ); > > // > @@ -890,7 +910,7 @@ EnrollKeyExchangeKey ( > if (IsDerEncodeCertificate (FilePostFix)) { > return EnrollX509ToKek (Private); > } else if (CompareMem (FilePostFix, L".pbk", 4) == 0) { > - return EnrollRsa2048ToKek (Private); > + return EnrollRsaToKek (Private); > } else { > // > // File type is wrong, simply close it > @@ -1847,7 +1867,7 @@ HashPeImage ( > SectionHeader = NULL; > Status = FALSE; > > - if (HashAlg != HASHALG_SHA256) { > + if ((HashAlg >= HASHALG_MAX)) { > return FALSE; > } > > @@ -1856,8 +1876,25 @@ HashPeImage ( > // > ZeroMem (mImageDigest, MAX_DIGEST_SIZE); > > - mImageDigestSize = SHA256_DIGEST_SIZE; > - mCertType = gEfiCertSha256Guid; > + switch (HashAlg) { > + case HASHALG_SHA256: > + mImageDigestSize = SHA256_DIGEST_SIZE; > + mCertType = gEfiCertSha256Guid; > + break; > + > + case HASHALG_SHA384: > + mImageDigestSize = SHA384_DIGEST_SIZE; > + mCertType = gEfiCertSha384Guid; > + break; > + > + case HASHALG_SHA512: > + mImageDigestSize = SHA512_DIGEST_SIZE; > + mCertType = gEfiCertSha512Guid; > + break; > + > + default: > + return FALSE; > + } > > CtxSize = mHash[HashAlg].GetContextSize (); > > @@ -2251,6 +2288,7 @@ EnrollImageSignatureToSigDB ( > UINT32 Attr; > WIN_CERTIFICATE_UEFI_GUID *GuidCertData; > EFI_TIME Time; > + UINT32 HashAlg; > > Data = NULL; > GuidCertData = NULL; > @@ -2289,8 +2327,20 @@ EnrollImageSignatureToSigDB ( > } > > if (mSecDataDir->SizeOfCert == 0) { > - if (!HashPeImage (HASHALG_SHA256)) { > - Status = EFI_SECURITY_VIOLATION; > + Status = EFI_SECURITY_VIOLATION; > + HashAlg = sizeof (mHash) / sizeof (HASH_TABLE); > + while (HashAlg > 0) { > + HashAlg--; > + if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit == NULL) || (mHash[HashAlg].HashUpdate == NULL) || (mHash[HashAlg].HashFinal == NULL)) { > + continue; > + } > + if (HashPeImage (HashAlg)) { > + Status = EFI_SUCCESS; > + break; > + } > + } > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Fail to get hash digest: %r", Status)); > goto ON_EXIT; > } > } else { > @@ -2589,6 +2639,10 @@ UpdateDeletePage ( > while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) { > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)) { > Help = STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID); > + } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid)) { > + Help = STRING_TOKEN (STR_CERT_TYPE_RSA3072_SHA384_GUID); > + } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid)) { > + Help = STRING_TOKEN (STR_CERT_TYPE_RSA4096_SHA512_GUID); > } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) { > Help = STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID); > } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid)) { > @@ -2750,6 +2804,8 @@ DeleteKeyExchangeKey ( > GuidIndex = 0; > while ((KekDataSize > 0) && (KekDataSize >= CertList->SignatureListSize)) { > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) || > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) || > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) || > CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) > { > CopyMem (Data + Offset, CertList, (sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize)); > @@ -2952,6 +3008,8 @@ DeleteSignature ( > GuidIndex = 0; > while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) { > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) || > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) || > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) || > CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) || > CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) || > CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid) || > @@ -3758,12 +3816,20 @@ LoadSignatureList ( > while ((RemainingSize > 0) && (RemainingSize >= ListWalker->SignatureListSize)) { > if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa2048Guid)) { > ListType = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256); > + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa3072Guid)) { > + ListType = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384); > + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa4096Guid)) { > + ListType = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512); > } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Guid)) { > ListType = STRING_TOKEN (STR_LIST_TYPE_X509); > } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha1Guid)) { > ListType = STRING_TOKEN (STR_LIST_TYPE_SHA1); > } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha256Guid)) { > ListType = STRING_TOKEN (STR_LIST_TYPE_SHA256); > + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha384Guid)) { > + ListType = STRING_TOKEN (STR_LIST_TYPE_SHA384); > + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha512Guid)) { > + ListType = STRING_TOKEN (STR_LIST_TYPE_SHA512); > } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha256Guid)) { > ListType = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); > } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha384Guid)) { > @@ -4001,6 +4067,14 @@ FormatHelpInfo ( > ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256); > DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID); > IsCert = TRUE; > + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa3072Guid)) { > + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384); > + DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID); > + IsCert = TRUE; > + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa4096Guid)) { > + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512); > + DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID); > + IsCert = TRUE; > } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Guid)) { > ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509); > DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID); > @@ -4011,6 +4085,12 @@ FormatHelpInfo ( > } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha256Guid)) { > ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA256); > DataSize = 32; > + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha384Guid)) { > + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA384); > + DataSize = 48; > + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha512Guid)) { > + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA512); > + DataSize = 64; > } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Sha256Guid)) { > ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); > DataSize = 32; > diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h > index 37c66f1b95..ae50d929a7 100644 > --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h > +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h > @@ -82,6 +82,8 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; > #define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE > > #define WIN_CERT_UEFI_RSA2048_SIZE 256 > +#define WIN_CERT_UEFI_RSA3072_SIZE 384 > +#define WIN_CERT_UEFI_RSA4096_SIZE 512 > > // > // Support hash types > diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni > index 0d01701de7..1b48acc800 100644 > --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni > +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni > @@ -113,6 +113,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP #language en-US "Read the public key of KEK from file" > #string STR_FILE_EXPLORER_TITLE #language en-US "File Explorer" > #string STR_CERT_TYPE_RSA2048_SHA256_GUID #language en-US "RSA2048_SHA256_GUID" > +#string STR_CERT_TYPE_RSA3072_SHA384_GUID #language en-US "RSA3072_SHA384_GUID" > +#string STR_CERT_TYPE_RSA4096_SHA512_GUID #language en-US "RSA4096_SHA512_GUID" > #string STR_CERT_TYPE_PCKS7_GUID #language en-US "PKCS7_GUID" > #string STR_CERT_TYPE_SHA1_GUID #language en-US "SHA1_GUID" > #string STR_CERT_TYPE_SHA256_GUID #language en-US "SHA256_GUID" > @@ -121,9 +123,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #string STR_CERT_TYPE_X509_SHA512_GUID #language en-US "X509_SHA512_GUID" > > #string STR_LIST_TYPE_RSA2048_SHA256 #language en-US "RSA2048_SHA256" > +#string STR_LIST_TYPE_RSA3072_SHA384 #language en-US "RSA3072_SHA384" > +#string STR_LIST_TYPE_RSA4096_SHA512 #language en-US "RSA4096_SHA512" > #string STR_LIST_TYPE_X509 #language en-US "X509" > #string STR_LIST_TYPE_SHA1 #language en-US "SHA1" > #string STR_LIST_TYPE_SHA256 #language en-US "SHA256" > +#string STR_LIST_TYPE_SHA384 #language en-US "SHA384" > +#string STR_LIST_TYPE_SHA512 #language en-US "SHA512" > #string STR_LIST_TYPE_X509_SHA256 #language en-US "X509_SHA256" > #string STR_LIST_TYPE_X509_SHA384 #language en-US "X509_SHA384" > #string STR_LIST_TYPE_X509_SHA512 #language en-US "X509_SHA512" > -- > 2.26.2.windows.1 > > > > > >