From: "Yao, Jiewen"
To: "Xu, Min M", "Gao, Jiaqi", "devel@edk2.groups.io"
Subject: Re: [PATCH] SecurityPkg: Add constraints on PK strength
Date: Fri, 23 Apr 2021 04:37:32 +0000

Acked-by: Jiewen Yao

> -----Original Message-----
> From: Xu, Min M
> Sent: Friday, April 23, 2021 9:36 AM
> To: Gao, Jiaqi; devel@edk2.groups.io
> Cc: Yao, Jiewen
> Subject: RE: [PATCH] SecurityPkg: Add constraints on PK strength
>
> This patch is good to me.
> Reviewed-by: Min Xu
>
> > -----Original Message-----
> > From: Gao, Jiaqi
> > Sent: Monday, April 19, 2021 9:31 AM
> > To: Xu, Min M; devel@edk2.groups.io
> > Cc: Yao, Jiewen
> > Subject: RE: [PATCH] SecurityPkg: Add constraints on PK strength
> >
> > Hi,
> >
> > The patch has been built and tested with several toolchains:
> > 1. GCC5 on Linux, both DEBUG and RELEASE.
> > 2. VS2017 on Windows, both DEBUG and RELEASE.
> > 3. VS2019 on Windows, both DEBUG and RELEASE.
> >
> > To make sure the program can cope with various input, test cases consist of
> > different PK certificate enrollments, which are:
> > 1. Platform Keys (PKs) with RSA public key length less than 2048 bits, including
> > RSA-512 and RSA-1024, etc. These kinds of certificates were rejected during user
> > enrollment.
> > 2. PKs with RSA public key length equal to or greater than 2048 bits, including
> > RSA-2048, RSA-3072 and RSA-4096, etc. These kinds of certificates were successfully
> > enrolled.
> > 3. PKs which are not DER encoded, such as PEM encoded certificates
> > with .cer/.der/.crt file suffix.
> > 4. Empty PKs.
> > 5. Empty inputs.
> >
> > All the test cases were performed as expected. Test cases with unqualified key
> > strength pop up the prompt of unqualified key, and the others with unsupported
> > encode format or illegal input act as previous program.
> >
> >
> > Best Regards,
> > Jiaqi
> >
> > -----Original Message-----
> > From: Xu, Min M
> > Sent: Monday, April 19, 2021 7:52 AM
> > To: Gao, Jiaqi; devel@edk2.groups.io
> > Cc: Yao, Jiewen
> > Subject: RE: [PATCH] SecurityPkg: Add constraints on PK strength
> >
> > Have you tested the patch? Would you please post the test result in the mail
> > thread?
> > Thanks.
> >
> > > -----Original Message-----
> > > From: Gao, Jiaqi
> > > Sent: Friday, April 16, 2021 3:56 PM
> > > To: devel@edk2.groups.io
> > > Cc: Gao, Jiaqi; Xu, Min M; Yao, Jiewen
> > > Subject: [PATCH] SecurityPkg: Add constraints on PK strength
> > >
> > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3293
> > >
> > > Add constraints on the key strength of enrolled platform key (PK),
> > > which must be greater than or equal to 2048 bit. PK key strength is
> > > required by Intel SDL and MSFT, etc. This limitation prevents user from
> > > using weak keys as PK.
> > >
> > > The original code to check the certificate file type is placed in a
> > > new function CheckX509Certificate(), which checks if the X.509
> > > certificate meets the requirements of encode type, RSA-Key strength, etc.
> > >
> > > Cc: Min Xu
> > > Cc: Jiewen Yao
> > > Signed-off-by: Jiaqi Gao
> > > --- > > > .../SecureBootConfigImpl.c | 165 +++++++++++++++-= -- > > > .../SecureBootConfigImpl.h | 21 +++ > > > 2 files changed, 160 insertions(+), 26 deletions(-) > > > > > > diff --git > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > > > igI > > > mpl.c > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > > > igI > > > mpl.c > > > index 4f01a2ed67..1304e21266 100644 > > > --- > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > > > igI > > > mpl.c > > > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBoot > > > +++ Co > > > +++ nfigImpl.c 
> > > @@ -90,6 +90,22 @@ CHAR16* mDerEncodedSuffix[] =3D { }; > > > CHAR16* mSupportX509Suffix =3D L"*.cer/der/crt"; > > > > > > +// > > > +// Prompt strings during certificate enrollment. > > > +// > > > +CHAR16* mX509EnrollPromptTitle[] =3D { > > > + L"", > > > + L"ERROR: Unsupported file type!", > > > + L"ERROR: Unsupported certificate!", > > > + NULL > > > +}; > > > +CHAR16* mX509EnrollPromptString[] =3D { > > > + L"", > > > + L"Only DER encoded certificate file (*.cer/der/crt) is supported."= , > > > + L"Public key length should be equal to or greater than 2048 bits."= , > > > + NULL > > > +}; > > > + > > > SECUREBOOT_CONFIG_PRIVATE_DATA *gSecureBootPrivateData =3D NULL; > > > > > > /** 
> > > @@ -383,6 +399,102 @@ SetSecureBootMode ( > > > ); > > > } > > > > > > +/** > > > + This code checks if the encode type and key strength of X.509 > > > + certificate is qualified. > > > + > > > + @param[in] X509FileContext FileContext of X.509 certificate s= toring > > > + file. > > > + @param[out] Error Error type checked in the certific= ate. > > > + > > > + @return EFI_SUCCESS The certificate checked successful= ly. > > > + @return EFI_INVALID_PARAMETER The parameter is invalid. > > > + @return EFI_OUT_OF_RESOURCES Memory allocation failed. > > > + > > > +**/ > > > +EFI_STATUS > > > +CheckX509Certificate ( > > > + IN SECUREBOOT_FILE_CONTEXT* X509FileContext, > > > + OUT ENROLL_KEY_ERROR* Error > > > +) > > > +{ > > > + EFI_STATUS Status; > > > + UINT16* FilePostFix; > > > + UINTN NameLength; > > > + UINT8* X509Data; > > > + UINTN X509DataSize; > > > + void* X509PubKey; > > > + UINTN PubKeyModSize; > > > + > > > + if (X509FileContext->FileName =3D=3D NULL) { > > > + *Error =3D Unsupported_Type; > > > + return EFI_INVALID_PARAMETER; > > > + } > > > + > > > + X509Data =3D NULL; > > > + X509DataSize =3D 0; > > > + X509PubKey =3D NULL; > > > + PubKeyModSize =3D 0; > > > + > > > + // > > > + // Parse the file's postfix. Only support DER encoded X.509 certif= icate > files. 
> > > + // > > > + NameLength =3D StrLen (X509FileContext->FileName); if (NameLength= <=3D > > > + 4) { > > > + DEBUG ((DEBUG_ERROR, "Wrong X509 NameLength\n")); > > > + *Error =3D Unsupported_Type; > > > + return EFI_INVALID_PARAMETER; > > > + } > > > + FilePostFix =3D X509FileContext->FileName + NameLength - 4; if > > > + (!IsDerEncodeCertificate (FilePostFix)) { > > > + DEBUG ((DEBUG_ERROR, "Unsupported file type, only DER encoded > > > certificate (%s) is supported.\n", mSupportX509Suffix)); > > > + *Error =3D Unsupported_Type; > > > + return EFI_INVALID_PARAMETER; > > > + } > > > + DEBUG ((DEBUG_INFO, "FileName=3D %s\n", X509FileContext->FileName)= ); > > > + DEBUG ((DEBUG_INFO, "FilePostFix =3D %s\n", FilePostFix)); > > > + > > > + // > > > + // Read the certificate file content // Status =3D ReadFileConte= nt > > > + (X509FileContext->FHandle, (VOID**) &X509Data, &X509DataSize, 0); i= f > > > + (EFI_ERROR (Status)) { > > > + DEBUG ((DEBUG_ERROR, "Error occured while reading the file.\n"))= ; > > > + goto ON_EXIT; > > > + } > > > + > > > + // > > > + // Parse the public key context. > > > + // > > > + if (RsaGetPublicKeyFromX509 (X509Data, X509DataSize, &X509PubKey) > > > + =3D=3D > > > FALSE) { > > > + DEBUG ((DEBUG_ERROR, "Error occured while parsing the pubkey fro= m > > > certificate.\n")); > > > + Status =3D EFI_INVALID_PARAMETER; > > > + *Error =3D Unsupported_Type; > > > + goto ON_EXIT; > > > + } > > > + > > > + // > > > + // Parse Module size of public key using interface provided by > > > + CryptoPkg, which is // actually the size of public key. 
> > > + // > > > + if (X509PubKey !=3D NULL) { > > > + RsaGetKey (X509PubKey, RsaKeyN, NULL, &PubKeyModSize); > > > + if (PubKeyModSize < CER_PUBKEY_MIN_SIZE) { > > > + DEBUG ((DEBUG_ERROR, "Unqualified PK size, key size should be > > > + equal to > > > or greater than 2048 bits.\n")); > > > + Status =3D EFI_INVALID_PARAMETER; > > > + *Error =3D Unqualified_Key; > > > + } > > > + RsaFree (X509PubKey); > > > + } > > > + > > > + ON_EXIT: > > > + if (X509Data !=3D NULL) { > > > + FreePool (X509Data); > > > + } > > > + > > > + return Status; > > > +} > > > + > > > /** > > > Generate the PK signature list from the X509 Certificate storing > > > file (.cer) > > > > > > @@ -461,7 +573,10 @@ ON_EXIT: > > > > > > The SignatureOwner GUID will be the same with PK's vendorguid. > > > > > > - @param[in] PrivateData The module's private data. > > > + @param[in] PrivateData The module's private data. > > > + @param[out] Error Point to the error code which indicates= the > > > + error during enroll process. > > > + > > > > > > @retval EFI_SUCCESS New PK enrolled successfully. > > > @retval EFI_INVALID_PARAMETER The parameter is invalid. > > > @@ -477,12 +592,6 @@ EnrollPlatformKey ( > > > UINT32 Attr; > > > UINTN DataSize; > > > EFI_SIGNATURE_LIST *PkCert; > > > - UINT16* FilePostFix; > > > - UINTN NameLength; > > > - > > > - if (Private->FileContext->FileName =3D=3D NULL) { > > > - return EFI_INVALID_PARAMETER; > > > - } > > > > > > PkCert =3D NULL; 
> > > > > > @@ -491,21 +600,6 @@ EnrollPlatformKey ( > > > return Status; > > > } > > > > > > - // > > > - // Parse the file's postfix. Only support DER encoded X.509 certif= icate > files. > > > - // > > > - NameLength =3D StrLen (Private->FileContext->FileName); > > > - if (NameLength <=3D 4) { > > > - return EFI_INVALID_PARAMETER; > > > - } > > > - FilePostFix =3D Private->FileContext->FileName + NameLength - 4; > > > - if (!IsDerEncodeCertificate(FilePostFix)) { > > > - DEBUG ((EFI_D_ERROR, "Unsupported file type, only DER encoded > > > certificate (%s) is supported.", mSupportX509Suffix)); > > > - return EFI_INVALID_PARAMETER; > > > - } > > > - DEBUG ((EFI_D_INFO, "FileName=3D %s\n", > > > Private->FileContext->FileName)); > > > - DEBUG ((EFI_D_INFO, "FilePostFix =3D %s\n", FilePostFix)); > > > - > > > // > > > // Prase the selected PK file and generate PK certificate list. > > > // > > > @@ -4300,12 +4394,14 @@ SecureBootCallback ( > > > UINT16 *FilePostFix; > > > SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData; > > > BOOLEAN GetBrowserDataResult; > > > + ENROLL_KEY_ERROR EnrollKeyErrorCode; > > > > > > Status =3D EFI_SUCCESS; > > > SecureBootEnable =3D NULL; > > > SecureBootMode =3D NULL; > > > SetupMode =3D NULL; > > > File =3D NULL; > > > + EnrollKeyErrorCode =3D None_Error; > > > > > > if ((This =3D=3D NULL) || (Value =3D=3D NULL) || (ActionRequest = =3D=3D NULL)) { > > > return EFI_INVALID_PARAMETER; 
> > > @@ -4718,18 +4814,35 @@ SecureBootCallback ( > > > } > > > break; > > > case KEY_VALUE_SAVE_AND_EXIT_PK: > > > - Status =3D EnrollPlatformKey (Private); > > > + // > > > + // Check the suffix, encode type and the key strength of PK ce= rtificate. > > > + // > > > + Status =3D CheckX509Certificate (Private->FileContext, > > &EnrollKeyErrorCode); > > > + if (EFI_ERROR (Status)) { > > > + if (EnrollKeyErrorCode !=3D None_Error && EnrollKeyErrorCode= < > > > Enroll_Error_Max) { > > > + CreatePopUp ( > > > + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, > > > + &Key, > > > + mX509EnrollPromptTitle[EnrollKeyErrorCode], > > > + mX509EnrollPromptString[EnrollKeyErrorCode], > > > + NULL > > > + ); > > > + break; > > > + } > > > + } else { > > > + Status =3D EnrollPlatformKey (Private); > > > + } > > > if (EFI_ERROR (Status)) { > > > UnicodeSPrint ( > > > PromptString, > > > sizeof (PromptString), > > > - L"Only DER encoded certificate file (%s) is supported.", > > > - mSupportX509Suffix > > > + L"Error status: %x.", > > > + Status > > > ); > > > CreatePopUp ( > > > EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, > > > &Key, > > > - L"ERROR: Unsupported file type!", > > > + L"ERROR: Enrollment failed!", > > > PromptString, > > > NULL > > > ); > > > diff --git > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > > > igI > > > mpl.h > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > > > igI > > > mpl.h > > > index 1fafae07ac..268f015e8e 100644 > > > --- > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > > > igI > > > mpl.h > > > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBoot > > > +++ Co > > > +++ nfigImpl.h 
> > > @@ -93,6 +93,27 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; > > > #define HASHALG_RAW 0x00000004 > > > #define HASHALG_MAX 0x00000004 > > > > > > +// > > > +// Certificate public key minimum size (bytes) // > > > +#define CER_PUBKEY_MIN_SIZE 256 > > > + > > > +// > > > +// Types of errors may occur during certificate enrollment. > > > +// > > > +typedef enum { > > > + None_Error =3D 0, > > > + // > > > + // Unsupported_type indicates the certificate type is not supporte= d. > > > + // > > > + Unsupported_Type, > > > + // > > > + // Unqualified_key indicates the key strength of certificate is no= t > > > + // strong enough. > > > + // > > > + Unqualified_Key, > > > + Enroll_Error_Max > > > +}ENROLL_KEY_ERROR; > > > > > > typedef struct { > > > UINTN Signature; > > > -- > > > 2.31.1.windows.1
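
Review bot: In the hunk that adds CheckX509Certificate() (@@ -383,6 +399,102 @@), the RsaGetPublicKeyFromX509() failure branch sets *Error = Unsupported_Type, so any certificate from which no RSA public key can be extracted is reported with the prompt "Only DER encoded certificate file (*.cer/der/crt) is supported.", which names the wrong cause for a file that already passed the suffix check. A separate enum value and prompt string for that case would keep the message accurate. The function also dereferences X509FileContext and Error without a NULL check and leaves *Error unwritten on the ReadFileContent() failure path, so it depends on the caller having set EnrollKeyErrorCode = None_Error; writing *Error = None_Error on entry removes that dependency. The return value of RsaGetKey() is discarded; checking it, or adding a comment that a failed call leaves PubKeyModSize at 0 and is therefore rejected, would make the fail-closed behaviour explicit.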
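
Review bot: In the comment hunk @@ -461,7 +573,10 @@, the added "@param[out] Error" line documents a parameter that none of the visible hunks add to EnrollPlatformKey(); the call site in SecureBootCallback still reads EnrollPlatformKey (Private). Either drop the @param line or add the parameter and pass the error code through, so the function header matches the signature.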
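
Review bot: Hunks @@ -477,12 +592,6 @@ and @@ -491,21 +600,6 @@ remove the FileName NULL check and the suffix check from EnrollPlatformKey() without replacing them there, so the function is only safe when its caller has already run CheckX509Certificate(). The one caller shown does that in the KEY_VALUE_SAVE_AND_EXIT_PK case, but nothing in EnrollPlatformKey() enforces it, and the key-strength rule can be skipped by any other path that reaches this function. Calling CheckX509Certificate() from inside EnrollPlatformKey(), or at least keeping the Private->FileContext->FileName == NULL guard, would tie the policy to the enrollment itself rather than to the UI callback.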
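
Review bot: In the SecureBootCallback hunk @@ -4718,18 +4814,35 @@, the new fallback prompt formats Status with L"Error status: %x."; EFI_STATUS is UINTN-sized and PrintLib's %x without a length modifier consumes an int-sized argument, so on 64-bit builds the high error bit is lost from the displayed value. Using %r prints the status name and avoids the width problem. Separately, mX509EnrollPromptTitle[] and mX509EnrollPromptString[] are indexed directly by EnrollKeyErrorCode, and the only thing keeping them in step with ENROLL_KEY_ERROR is declaration order in two files; a STATIC_ASSERT that each array has at least Enroll_Error_Max entries would catch a later enum addition that forgets the strings.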
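
Review bot: In the header hunk @@ -93,6 +93,27 @@, CER_PUBKEY_MIN_SIZE is defined as 256 with the unit given only in a comment, while the user prompt and the DEBUG message both state the limit as 2048 bits. Putting the unit in the name (for example a _BYTES suffix) or writing the value as (2048 / 8) would make the comparison against PubKeyModSize self-explanatory and keep the two representations from drifting. The comparison is also byte-granular, which is worth a one-line comment next to the define. Style: "}ENROLL_KEY_ERROR;" is missing a space after the brace, and the comments refer to Unsupported_type and Unqualified_key while the enumerators are spelled Unsupported_Type and Unqualified_Key.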