From: "Jan Bobek" <jbobek@nvidia.com>
To: "Yao, Jiewen"
CC: "devel@edk2.groups.io", Jeff Brasen, Girish Mahadevan, "Wang, Jian J", "Xu, Min M"
Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/AuthVariableLib: Check SHA-256 OID with ContentInfo present
Date: Mon, 16 Jan 2023 17:40:05 -0700
Message-ID: <87edruxaca.fsf@nvidia.com>
In-Reply-To:
References: <872cc00fa231a6a5a1edbe6d56082e44c38a0c0f.1670026872.git.jbobek@nvidia.com> <87y1raoofs.fsf@nvidia.com> <87pmbvz219.fsf@nvidia.com> <87k01mxgdw.fsf@nvidia.com>
User-agent: mu4e 1.4.15; emacs 27.1

> I linked email with Bugzilla. Either email or Bugzilla is OK for the
> discussion.

Sounds good.

> Personally, I don't understand one thing.
> If EDKII causes such a failure, how does archlinux validate the correctness of the tool and document in [3]?
>
> Or are they using a different UEFI implementation?

My understanding is that Archlinux assumes a standard-compliant UEFI
implementation. A Linux distribution doesn't typically provide a UEFI
implementation; it's up to your platform vendor (e.g. laptop
manufacturer) to provide one. If the vendor wanted to use EDK2 as a
basis for their (typically proprietary) UEFI implementation, they would
need to address this issue one way or the other on their own.

-Jan

>> -----Original Message-----
>> From: Jan Bobek
>> Sent: Tuesday, January 17, 2023 6:30 AM
>> To: Yao, Jiewen
>> Cc: devel@edk2.groups.io; Jeff Brasen; Girish Mahadevan; Wang, Jian J; Xu, Min M
>> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/AuthVariableLib: Check
>> SHA-256 OID with ContentInfo present
>>
>> > Hi
>> > That is a good catch!
>> > My apologies for missing it before.
>> >
>> > 1) Please file a bugzilla (https://bugzilla.tianocore.org/) to record the issue
>> and associate it with the patch.
>>
>> Filed bug 4305 [1]. Sorry for the delay, I didn't get my bugzilla
>> credentials until late last week.
>>
>> > 2) Would you please share with us how you discovered the issue?
>> > For example, any real use case to include ContentInfo? If yes, please share
>> a URL.
>> > Or is this just a purely spec compliance fix?
>> >
>> > 3) Please describe how you validated the fix.
>> > If possible, would you please share your test case?
>>
>> I believe both of these are answered / included in the bug description.
>>
>> > 4) Since the new code is handling the case where the ContentInfo structure is present, I believe
>> we also need to check if the ContentInfo structure is valid.
>> > For example:
>> > ============
>> > c SignedData.contentInfo.contentType shall be set to id-data
>> > d SignedData.contentInfo.content shall be absent
>> > ============
>> > What do you think?
>>
>> I think you're talking about the ContentInfo structure that's part of
>> the SignedData structure, but the real problem is with the ContentInfo
>> structure that _wraps_ the SignedData structure. More info in the bug
>> description.
>>
>> Also, is it customary to continue the discussion here on edk2-devel or
>> in the bug comments on bugzilla?
>>
>> -Jan
>>
>> References:
>> 1. https://bugzilla.tianocore.org/show_bug.cgi?id=4305
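The distinction Jan draws above (the ContentInfo that wraps SignedData versus the one inside it) is what makes a fixed-offset OID check fragile. The following is an added illustration, not EDK2's AuthVariableLib code: it walks the DER structure to reach SignedData.digestAlgorithms in both the bare-SignedData and ContentInfo-wrapped layouts and checks the single digest algorithm is SHA-256; the sample blobs are constructed and omit the later SignedData fields.

```python
# Added example (not EDK2's AuthVariableLib code): reach SignedData.digestAlgorithms
# whether the blob is a bare SignedData or a ContentInfo { id-signedData, [0] SignedData }
# wrapper, and check that the single digest algorithm is SHA-256. Samples are constructed.

OID_SHA256 = bytes.fromhex("0609608648016503040201")       # 2.16.840.1.101.3.4.2.1
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # 1.2.840.113549.1.7.2

def expect(buf, pos, tag):
    """Parse one DER TLV at buf[pos], enforce its tag; return (value_start, value_end)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    length, hdr = buf[pos + 1], 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER value at offset %d" % pos)
    return start, end

def signed_data_has_sha256(blob):
    """True iff SignedData.digestAlgorithms is exactly one AlgorithmIdentifier for SHA-256."""
    pos, _ = expect(blob, 0, 0x30)                     # outer SEQUENCE
    if blob[pos:pos + 1] == b"\x06":                   # ContentInfo wrapper present
        _, oid_end = expect(blob, pos, 0x06)
        if blob[pos:oid_end] != OID_SIGNED_DATA:
            raise ValueError("ContentInfo.contentType is not id-signedData")
        pos, _ = expect(blob, oid_end, 0xA0)           # [0] EXPLICIT
        pos, _ = expect(blob, pos, 0x30)               # SignedData SEQUENCE
    _, pos = expect(blob, pos, 0x02)                   # skip version INTEGER
    set_start, set_end = expect(blob, pos, 0x31)       # digestAlgorithms SET
    alg_start, alg_end = expect(blob, set_start, 0x30) # first AlgorithmIdentifier
    if alg_end != set_end:                             # more than one algorithm listed
        return False
    return blob[alg_start:alg_start + len(OID_SHA256)] == OID_SHA256

def der(tag, value):
    """Minimal DER builder for the constructed samples (short-form lengths only)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def sample_signed_data(digest_oid=OID_SHA256, wrapped=False):
    """Constructed sample: version and digestAlgorithms only; later fields omitted."""
    alg = der(0x30, digest_oid + b"\x05\x00")          # AlgorithmIdentifier { oid, NULL }
    body = der(0x30, der(0x02, b"\x01") + der(0x31, alg))
    return der(0x30, OID_SIGNED_DATA + der(0xA0, body)) if wrapped else body
```

The digestAlgorithms SET lands at offset 5 in the bare layout and offset 20 in the wrapped one, which is why a check that reads the OID at a hard-coded position passes one form and fails the other.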