From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id C14E874003E for ; Thu, 7 Sep 2023 01:57:36 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=EvhF12gL6OOtS4vjbehPwmSA4nmUmcoKXwEBF4ai5pQ=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1694051855; v=1; b=LQdrxb1wL9r770ESkKKhxZ35sjQ6OHy5uQ4cWWaIbRkA7k0o7tF4Jazawt15QYxfj2pY8zfY HWt96wVRnc9Cj60fxFoRSgGnXACLwUBvWWm9ICyEBdlya6wuiwlicrU3BnqvgVKYJv2UZBPeFPz iC/2AcLRRxlLc/fhHu75Jp1w= X-Received: by 127.0.0.2 with SMTP id TP5HYY7687511xBZdXB709hH; Wed, 06 Sep 2023 18:57:35 -0700 X-Received: from mgamail.intel.com (mgamail.intel.com [134.134.136.100]) by mx.groups.io with SMTP id smtpd.web11.4581.1694051854465424102 for ; Wed, 06 Sep 2023 18:57:34 -0700 X-IronPort-AV: E=McAfee;i="6600,9927,10825"; a="443619512" X-IronPort-AV: E=Sophos;i="6.02,233,1688454000"; d="scan'208";a="443619512" X-Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by orsmga105.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 06 Sep 2023 18:57:31 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10825"; a="744921045" X-IronPort-AV: E=Sophos;i="6.02,233,1688454000"; d="scan'208";a="744921045" X-Received: from shwdesssddpdwei.ccr.corp.intel.com ([10.239.157.28]) by fmsmga007.fm.intel.com with ESMTP; 06 Sep 2023 18:57:24 -0700 From: "Sheng Wei" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Min Xu , Zeyi Chen , Fiona Wang , Xiaoyu Lu , Guomin Jiang , Michael D Kinney Subject: [edk2-devel] [PATCH V9 0/2] Support RSA4096 and RSA3072 Date: Thu, 7 Sep 2023 09:57:17 +0800 Message-Id: <20230907015720.2120-1-w.sheng@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,w.sheng@intel.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: iRFoJBLFk4eDokEMHSSViJ4ix7686176AA= Content-Transfer-Encoding: 8bit X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=LQdrxb1w; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=intel.com (policy=none); spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io Patch V9: Refine coding format for file AuthService.c Patch V8: Update the patch comments for CryptoPkg. Comment should be <76 characters in each line. Refine coding format. Patch V7: Drop raw RSA3072 and RSA4096. Only use gEfiCertX509Guid for RSA3072 and RSA4096 Do the positive tests and the negative tests below. And got all the expected results. Patch V6: Remove the changes in MdePkg. The changes of patch v6 are in CryptoPkg and SecurityPkg. Set signature type to gEfiCertX509Guid when enroll RSA3072/RSA4096 KEK. This signature type is used to check the supported signature and show the strings. Patch V5: Using define KEY_TYPE_RSASSA to replace the magic number. Patch V4: Determine the RSA algorithm by a supported algorithm list. Patch V3: Select SHA algorithm automaticly for a unsigned efi image. Patch V2: Determine the SHA algorithm by a supported algorithm list. Create SHA context for each algorithm. Test Case: 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image under UEFI shell. 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image under UEFI shell. 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image under UEFI shell. 4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI shell Test Result: Pass Negative Test Case: 1) Enroll a RSA2048 Cert, execute an unsigned efi image. 2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image. 3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image. 4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi image. Test Result: Get "Access Denied" when try to execute the efi image. Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Cc: Zeyi Chen Cc: Fiona Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Michael D Kinney Sheng Wei (2): CryptoPkg/BaseCryptLib: add sha384 and sha512 to ImageTimestampVerify SecurityPkg/SecureBoot: Support RSA4096 and RSA3072 CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- .../Library/AuthVariableLib/AuthService.c | 225 +++++++++++++++--- .../AuthVariableLib/AuthServiceInternal.h | 4 +- .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++-- .../DxeImageVerificationLib.c | 74 +++--- .../SecureBootConfigDxe.inf | 8 + .../SecureBootConfigImpl.c | 52 +++- .../SecureBootConfigImpl.h | 7 + .../SecureBootConfigStrings.uni | 2 + 9 files changed, 331 insertions(+), 86 deletions(-) -- 2.26.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#108352): https://edk2.groups.io/g/devel/message/108352 Mute This Topic: https://groups.io/mt/101207366/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-