public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Michael D Kinney" <michael.d.kinney@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
	"Wadhawan, Divneil R" <divneil.r.wadhawan@intel.com>,
	"Kinney, Michael D" <michael.d.kinney@intel.com>
Cc: "Rothman, Michael A" <michael.a.rothman@intel.com>
Subject: Re: [edk2-devel] [Patch 0/2] Extending the signing algorithms for Authenticated Variables
Date: Wed, 9 Dec 2020 18:49:34 +0000	[thread overview]
Message-ID: <BYAPR11MB32387235D923A6D5BA674752D2CC0@BYAPR11MB3238.namprd11.prod.outlook.com> (raw)
In-Reply-To: <20201209183243.30504-1-divneil.r.wadhawan@intel.com>

Divneil,

Is this intended for a branch in edk2-staging repo using EDK II Code First Process?

I see the following BZ that seems to match:

    https://bugzilla.tianocore.org/show_bug.cgi?id=2875

Please update Subject line to include [edk2-staging/<BranchName>] following EDK II Code First
branch naming conventions.

    https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Code-First-Process

Also add the link to the BZ in all commit messages including Patch #0.  Patch #0 should also
include a Signed-off-by tag and the merged set of Cc tags from all the individual patches.

For this proposed change, how does a caller of the UEFI Variable services know if
SHA384 or SHA512 is supported.  I see the code change updates the variable services 
to support this, but I do not see a detection method for platform FW capabilities.

The proposed spec change changes from *only* SHA256 to SHA256 or larger.  But the code
change only adds SHA384 and SHA512.  Do we want to make the spec change define the 
specific SHA sizes required?
	
Thanks,

Mike


> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wadhawan, Divneil R
> Sent: Wednesday, December 9, 2020 10:33 AM
> To: devel@edk2.groups.io
> Subject: [edk2-devel] [Patch 0/2] Extending the signing algorithms for Authenticated Variables
> 
> Authenticated Variables currently only supports SHA256 as the digest algorithm.
> This patch series extends it to include SHA384 and SHA512. The series is composed
> of 2 patches.
> a. Unit Test for Authenticated Variables
> b. AuthService change to allow SHA384/SHA512 as digest algorithms.
> 
> Divneil Rai Wadhawan (2):
>   MdeModulePkg: Add unit test for Authenticated Variables
>   SecurityPkg: Add support for SHA-384/SHA-512 digest algos
> 
>  .../Variable/RuntimeDxe/UnitTest/AuthVarUnitTest.c | 494 +++++++++++++++++++++
>  .../RuntimeDxe/UnitTest/PkNewRsa2048Sha256.c       | 139 ++++++
>  .../RuntimeDxe/UnitTest/PkNewRsa3072Sha256.c       | 179 ++++++++
>  .../RuntimeDxe/UnitTest/PkNewRsa3072Sha384.c       | 179 ++++++++
>  .../RuntimeDxe/UnitTest/PkNewRsa4096Sha256.c       | 219 +++++++++
>  .../RuntimeDxe/UnitTest/PkNewRsa4096Sha512.c       | 219 +++++++++
>  .../Variable/RuntimeDxe/UnitTest/PkRsa2048Sha256.c | 139 ++++++
>  .../Variable/RuntimeDxe/UnitTest/PkRsa3072Sha256.c | 179 ++++++++
>  .../Variable/RuntimeDxe/UnitTest/PkRsa3072Sha384.c | 179 ++++++++
>  .../Variable/RuntimeDxe/UnitTest/PkRsa4096Sha256.c | 219 +++++++++
>  .../Variable/RuntimeDxe/UnitTest/PkRsa4096Sha512.c | 219 +++++++++
>  SecurityPkg/Library/AuthVariableLib/AuthService.c  |   8 +-
>  AuthVariableDigestUpdate.md                        |  41 ++
>  MdeModulePkg/MdeModulePkg.dsc                      |   4 +
>  .../UnitTest/AuthVarUnitTestUefiShell.inf          |  42 ++
>  15 files changed, 2457 insertions(+), 2 deletions(-)
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/UnitTest/AuthVarUnitTest.c
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/UnitTest/PkNewRsa2048Sha256.c
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/UnitTest/PkNewRsa3072Sha256.c
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/UnitTest/PkNewRsa3072Sha384.c
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/UnitTest/PkNewRsa4096Sha256.c
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/UnitTest/PkNewRsa4096Sha512.c
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/UnitTest/PkRsa2048Sha256.c
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/UnitTest/PkRsa3072Sha256.c
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/UnitTest/PkRsa3072Sha384.c
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/UnitTest/PkRsa4096Sha256.c
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/UnitTest/PkRsa4096Sha512.c
>  create mode 100644 AuthVariableDigestUpdate.md
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/UnitTest/AuthVarUnitTestUefiShell.inf
> 
> --
> 2.16.2.windows.1
> 
> 
> 
> 
> 


      parent reply	other threads:[~2020-12-09 18:49 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-12-09 18:32 [Patch 0/2] Extending the signing algorithms for Authenticated Variables Wadhawan, Divneil R
2020-12-09 18:32 ` [Patch 1/2] MdeModulePkg: Add unit test " Wadhawan, Divneil R
2020-12-09 20:18   ` [EXTERNAL] [edk2-devel] " Bret Barkelew
2020-12-10  7:56     ` Wadhawan, Divneil R
2020-12-09 18:32 ` [Patch 2/2] SecurityPkg: Add support for SHA-384/SHA-512 digest algos Wadhawan, Divneil R
2020-12-09 20:21   ` [EXTERNAL] [edk2-devel] " Bret Barkelew
2020-12-09 21:46     ` Michael D Kinney
2020-12-09 22:28       ` Yao, Jiewen
2020-12-09 18:49 ` Michael D Kinney [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=BYAPR11MB32387235D923A6D5BA674752D2CC0@BYAPR11MB3238.namprd11.prod.outlook.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox