From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+107611+7686176+12367111@groups.io>
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108])
	by spool.mail.gandi.net (Postfix) with ESMTPS id 25F7D9415DA
	for <rebecca@openfw.io>; Mon,  7 Aug 2023 09:10:16 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=ml9aL05clil7eAlxuJL5poa5uagEqs5IDyH4eCt9CC4=;
 c=relaxed/simple; d=groups.io;
 h=From:To:Cc:Subject:Date:Message-Id:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding;
 s=20140610; t=1691399414; v=1;
 b=jFU9yojev0yDgb16dmtpO06VKlta87NvyC7AfImYrwS9cu0u6lvmsWRsaz6bCoV9HiTiV7+5
 +JAGPKWJ1cEKYuxbYE/Z/UjezIZ3I/b0MJVPFM2U2jD9QiKFkugx4NrZmtJlYR80XkxE+kccKM1
 pV4FqjSbx7PKKAMrJJJm5GrY=
X-Received: by 127.0.0.2 with SMTP id KsoHYY7687511x4xWmWQvXX9; Mon, 07 Aug 2023 02:10:14 -0700
X-Received: from mgamail.intel.com (mgamail.intel.com [192.55.52.120])
 by mx.groups.io with SMTP id smtpd.web10.30191.1691399414045121247
 for <devel@edk2.groups.io>;
 Mon, 07 Aug 2023 02:10:14 -0700
X-IronPort-AV: E=McAfee;i="6600,9927,10794"; a="369399175"
X-IronPort-AV: E=Sophos;i="6.01,261,1684825200"; 
   d="scan'208";a="369399175"
X-Received: from orsmga004.jf.intel.com ([10.7.209.38])
  by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 07 Aug 2023 02:10:13 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6600,9927,10794"; a="854597548"
X-IronPort-AV: E=Sophos;i="6.01,261,1684825200"; 
   d="scan'208";a="854597548"
X-Received: from shwdesssddpdwei.ccr.corp.intel.com ([10.239.157.28])
  by orsmga004.jf.intel.com with ESMTP; 07 Aug 2023 02:10:10 -0700
From: "Sheng Wei" <w.sheng@intel.com>
To: devel@edk2.groups.io
Cc: Jiewen Yao <jiewen.yao@intel.com>,
	Jian J Wang <jian.j.wang@intel.com>,
	Min Xu <min.m.xu@intel.com>,
	Zeyi Chen <zeyi.chen@intel.com>,
	Fiona Wang <fiona.wang@intel.com>,
	Xiaoyu Lu <xiaoyu1.lu@intel.com>,
	Guomin Jiang <guomin.jiang@intel.com>,
	Michael D Kinney <michael.d.kinney@intel.com>
Subject: [edk2-devel] [PATCH V6 0/2] SecureBoot: Support RSA 512 and RSA 384
Date: Mon,  7 Aug 2023 17:10:05 +0800
Message-Id: <20230807091007.306-1-w.sheng@intel.com>
MIME-Version: 1.0
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,w.sheng@intel.com
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
X-Gm-Message-State: pRDoONaZAsxGPrnSv5zELrJBx7686176AA=
Content-Transfer-Encoding: 8bit
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20140610 header.b=jFU9yoje;
	dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=intel.com (policy=none);
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io

Patch V6:
Remove the changes in MdePkg.
The changes of patch v6 are in CryptoPkg and SecurityPkg.
Set signature type to gEfiCertX509Guid when enroll RSA3072/RSA4096 KEK.
This signature type is used to check the supported signature and show the strings.

Patch V5:
Using define KEY_TYPE_RSASSA to replace the magic number.

Patch V4:
Determine the RSA algorithm by a supported algorithm list.

Patch V3:
Select SHA algorithm automaticly for a unsigned efi image.

Patch V2:
Determine the SHA algorithm by a supported algorithm list.
Create SHA context for each algorithm.

Test Case:
1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image under UEFI shell. 
2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image under UEFI shell. 
3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image under UEFI shell. 
4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI shell

Test Result:
Pass

Negative Test Case:
1) Enroll a RSA2048 Cert, execute an unsigned efi image.
2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image.
3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image.
4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi image.

Test Result:
Get "Access Denied" when try to execute the efi image.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Zeyi Chen <zeyi.chen@intel.com>
Cc: Fiona Wang <fiona.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>

Sheng Wei (2):
  CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to
    ImageTimestampVerify
  SecurityPkg/SecureBoot: Support RSA 512 and RSA 384

 CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
 .../Library/AuthVariableLib/AuthService.c     | 218 +++++++++++++++---
 .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
 .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
 .../DxeImageVerificationLib.c                 |  73 +++---
 .../SecureBootConfigDxe.inf                   |   8 +
 .../SecureBootConfigImpl.c                    |  91 ++++++--
 .../SecureBootConfigImpl.h                    |   7 +
 .../SecureBootConfigStrings.uni               |   2 +
 9 files changed, 356 insertions(+), 92 deletions(-)

-- 
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107611): https://edk2.groups.io/g/devel/message/107611
Mute This Topic: https://groups.io/mt/100596018/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-