From: "Yao, Jiewen"
To: "Gao, Zhichao", "devel@edk2.groups.io"
CC: "Wang, Jian J", "Xu, Min M", "Zhang, Qi1"
Subject: Re: [edk2-devel] [PATCH] SecurityPkg/DxeImageVerificationLib: Disable SHA1 base on MACRO
Date: Mon, 7 Sep 2020 02:55:33 +0000
References: <20200831051317.11532-1-zhichao.gao@intel.com> <16325EB1DAFF59F3.20857@groups.io>

I don't mean TPM1.2. I mean UEFI secure boot - https://github.com/tianocore/edk2/tree/master/SecurityPkg/Library/AuthVariableLib

For example:

  {EFI_CERT_SHA1_GUID, 0, 20 },
  {EFI_CERT_RSA2048_SHA1_GUID, 0, 256 },

  EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};

I believe we should give DISABLE_SHA1_DEPRECATED_INTERFACES around them, right?

> -----Original Message-----
> From: Gao, Zhichao
> Sent: Monday, September 7, 2020 10:36 AM
> To: Yao, Jiewen; devel@edk2.groups.io
> Cc: Wang, Jian J; Xu, Min M; Zhang, Qi1
> Subject: RE: [edk2-devel] [PATCH] SecurityPkg/DxeImageVerificationLib: Disable SHA1 base on MACRO
>
> Hi Jiewen,
>
> There are still some use cases in the SecurityPkg, such as TPM1.2. After the
> security package can build with the disable MACRO, we can remove all the
> content of SHA1.
> For now many platforms keep using the TPM1.2, I am not sure when the TPM1.2
> would be dropped from the SecurityPkg.
>
> Thanks,
> Zhichao
>
> > -----Original Message-----
> > From: Yao, Jiewen
> > Sent: Monday, September 7, 2020 10:20 AM
> > To: devel@edk2.groups.io; Yao, Jiewen; Gao, Zhichao
> > Cc: Wang, Jian J; Xu, Min M; Zhang, Qi1
> > Subject: RE: [edk2-devel] [PATCH] SecurityPkg/DxeImageVerificationLib: Disable SHA1 base on MACRO
> >
> > Hi Zhichao
> > Thanks for the patch.
> > I gave Reviewed-by because the Bugzilla only mentioned
> > DxeImageVerificationLib.
> >
> > As a full solution to remove SHA1 from SecureBoot, I think we should also
> > remove SHA1 from AuthVariableLib.
> >
> > Any plan on that?
> >
> > Thank you
> > Yao Jiewen
> >
> > > -----Original Message-----
> > > From: devel@edk2.groups.io On Behalf Of Yao, Jiewen
> > > Sent: Monday, September 7, 2020 10:16 AM
> > > To: Gao, Zhichao; devel@edk2.groups.io
> > > Cc: Wang, Jian J; Xu, Min M; Zhang, Qi1
> > > Subject: Re: [edk2-devel] [PATCH] SecurityPkg/DxeImageVerificationLib: Disable SHA1 base on MACRO
> > >
> > > Reviewed-by: Jiewen Yao
> > >
> > > > -----Original Message-----
> > > > From: Gao, Zhichao > > > > Sent: Monday, August 31, 2020 1:13 PM > > > > To: devel@edk2.groups.io > > > > Cc: Yao, Jiewen ; Wang, Jian J > > > ; > > > > Xu, Min M ; Zhang, Qi1 > > > > Subject: [PATCH] SecurityPkg/DxeImageVerificationLib: Disable SHA1 > > > > base on MACRO > > > > > > > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2943 > > > > > > > > Disable SHA1 base on the MACRO > DISABLE_SHA1_DEPRECATED_INTERFACES. > > > > SHA1 is deprecated function and the MACRO is used to remove the > > > > whole implementation of the SHA1. For the platforms that do not ne= ed > > > > SHA1 for security, the MACRO should works for > > > > DxeImageVerificationLib as well. > > > > > > > > Signed-off-by: Zhichao Gao > > > > Cc: Jiewen Yao > > > > Cc: Jian J Wang > > > > Cc: Min Xu > > > > Cc: Qi Zhang > > > > --- > > > > .../DxeImageVerificationLib/DxeImageVerificationLib.c | 6 += +++++ > > > > 1 file changed, 6 insertions(+) > > > > > > > > diff --git > > > > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerification= Li > > > > b.c > > > > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerification= Li > > > > b.c > > > > index b08fe24e85..7871220140 100644 > > > > --- > > > > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerification= Li > > > > b.c > > > > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerifica= ti > > > > +++ onLib.c 
> > > > @@ -59,7 +59,11 @@ UINT8 mHashOidValue[] =3D { > > > > }; > > > > > > > > HASH_TABLE mHash[] =3D { > > > > +#ifndef DISABLE_SHA1_DEPRECATED_INTERFACES > > > > { L"SHA1", 20, &mHashOidValue[0], 5, Sha1GetContextSize, S= ha1Init, > > > > Sha1Update, Sha1Final }, > > > > +#else > > > > + { L"SHA1", 20, &mHashOidValue[0], 5, NULL, N= ULL, NULL, > > > > NULL }, > > > > +#endif > > > > { L"SHA224", 28, &mHashOidValue[5], 9, NULL, N= ULL, NULL, > > > > NULL }, > > > > { L"SHA256", 32, &mHashOidValue[14], 9, Sha256GetContextSize, > > > > Sha256Init, Sha256Update, Sha256Final}, > > > > { L"SHA384", 48, &mHashOidValue[23], 9, Sha384GetContextSize, > > > > Sha384Init, Sha384Update, Sha384Final}, @@ -315,10 +319,12 @@ > > > > HashPeImage ( > > > > ZeroMem (mImageDigest, MAX_DIGEST_SIZE); > > > > > > > > switch (HashAlg) { > > > > +#ifndef DISABLE_SHA1_DEPRECATED_INTERFACES > > > > case HASHALG_SHA1: > > > > mImageDigestSize =3D SHA1_DIGEST_SIZE; > > > > mCertType =3D gEfiCertSha1Guid; > > > > break; > > > > +#endif > > > > > > > > case HASHALG_SHA256: > > > > mImageDigestSize =3D SHA256_DIGEST_SIZE; > > > > -- > > > > 2.21.0.windows.1 > > > > > > > > >=20
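Review bot: the `#else` row in the first `mHash[]` hunk keeps `L"SHA1", 20, &mHashOidValue[0], 5` and only NULLs the four function pointers, the same shape as the existing SHA224 row; that is required because the table is indexed by position (`HashAlg`), so a comment on that row saying the placeholder must stay would stop a later cleanup from deleting it and shifting SHA224/SHA256/SHA384 down by one. If the duplicated name/size/OID prefix bothers anyone, guarding only the four pointer fields inside a single row is an alternative, but two full rows with a comment is fine.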
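Review bot: in the `HashPeImage` hunk, once `DISABLE_SHA1_DEPRECATED_INTERFACES` is defined there is no `case HASHALG_SHA1:` at all, so a SHA1 request falls through to whatever the switch's `default` branch does, and that branch is outside the shown context; please confirm it returns FALSE before any of the now-NULL `mHash[HASHALG_SHA1]` function pointers can be reached, and consider an explicit `#else` arm (or a comment) so the fail-closed intent survives future edits to the `default` path.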
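To show the fail-closed behaviour the two hunks above are meant to produce, here is an added C model (example code, not edk2's DxeImageVerificationLib): it keeps the `mHash[]` row shape and the `HashPeImage` switch from the patch, defines `DISABLE_SHA1_DEPRECATED_INTERFACES` at the top, and replaces the BaseCryptLib hash functions with constructed `Stub*` stand-ins that are not SHA; `STUB_CTX`, `ImageDigestSize()` and the stand-in digests are assumptions made for the example. Deleting the `#define` rebuilds it with the SHA1 row live. The same guard shape applies to the `mSignatureSupport[]` table from AuthVariableLib mentioned at the top of the thread.

```c
/*
 * Added example (not edk2 code): a compact model of the mHash[] table and the
 * HashPeImage() switch from the patch under review. With the macro defined, a
 * SHA1 row with NULL function pointers plus a compiled-out switch case means a
 * SHA1-signed image is reported "unsupported" instead of being hashed.
 * The hash routines are stand-ins (assumption: FNV-1a folded to the digest
 * length), named Stub* so nobody mistakes them for SHA1/SHA256.
 * Delete the #define below to rebuild with the SHA1 row enabled.
 */
#define DISABLE_SHA1_DEPRECATED_INTERFACES

#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DIGEST_SIZE 64

typedef size_t (*GET_CONTEXT_SIZE)(void);
typedef bool   (*HASH_INIT)(void *Ctx);
typedef bool   (*HASH_UPDATE)(void *Ctx, const void *Data, size_t Len);
typedef bool   (*HASH_FINAL)(void *Ctx, uint8_t *Digest);

typedef struct {
  const char      *Name;
  size_t           DigestLength;
  GET_CONTEXT_SIZE GetContextSize;
  HASH_INIT        HashInit;
  HASH_UPDATE      HashUpdate;
  HASH_FINAL       HashFinal;
} HASH_TABLE;

/* Indexes into mHash[]. The table order must match this enum, which is why a
 * disabled algorithm keeps its row (with NULL pointers) instead of losing it. */
enum { HASHALG_SHA1 = 0, HASHALG_SHA224, HASHALG_SHA256, HASHALG_MAX };

/* Stand-in hash context and routines (constructed for this example only). */
typedef struct { uint32_t State; size_t DigestLength; } STUB_CTX;

size_t StubGetContextSize (void) { return sizeof (STUB_CTX); }
bool StubSha1Init (void *Ctx)   { *(STUB_CTX *)Ctx = (STUB_CTX){ 2166136261u, 20 }; return true; }
bool StubSha256Init (void *Ctx) { *(STUB_CTX *)Ctx = (STUB_CTX){ 2166136261u ^ 0xFFu, 32 }; return true; }
bool StubUpdate (void *Ctx, const void *Data, size_t Len) {
  STUB_CTX *C = Ctx; const uint8_t *P = Data;
  for (size_t I = 0; I < Len; I++) { C->State ^= P[I]; C->State *= 16777619u; }
  return true;
}
bool StubFinal (void *Ctx, uint8_t *Digest) {
  STUB_CTX *C = Ctx;
  for (size_t I = 0; I < C->DigestLength; I++) Digest[I] = (uint8_t)(C->State >> (8 * (I % 4)));
  return true;
}

static HASH_TABLE mHash[] = {
#ifndef DISABLE_SHA1_DEPRECATED_INTERFACES
  { "SHA1",   20, StubGetContextSize, StubSha1Init,   StubUpdate, StubFinal },
#else
  { "SHA1",   20, NULL, NULL, NULL, NULL },   /* placeholder row: keeps indexes aligned */
#endif
  { "SHA224", 28, NULL, NULL, NULL, NULL },   /* not implemented, as in the edk2 table */
  { "SHA256", 32, StubGetContextSize, StubSha256Init, StubUpdate, StubFinal },
};

static uint8_t mImageDigest[MAX_DIGEST_SIZE];
static size_t  mImageDigestSize;

/* Model of HashPeImage(): pick the algorithm, refuse anything this build does
 * not implement, and only then touch the function pointers. */
bool HashPeImage (unsigned HashAlg, const uint8_t *Image, size_t ImageSize) {
  memset (mImageDigest, 0, sizeof mImageDigest);
  mImageDigestSize = 0;
  if (HashAlg >= HASHALG_MAX) return false;

  switch (HashAlg) {
#ifndef DISABLE_SHA1_DEPRECATED_INTERFACES
  case HASHALG_SHA1:   mImageDigestSize = 20; break;
#endif
  case HASHALG_SHA256: mImageDigestSize = 32; break;
  default:             return false;   /* fail closed: compiled-out or unknown algorithm */
  }
  /* Second line of defence: a disabled row carries NULL function pointers. */
  if (mHash[HashAlg].GetContextSize == NULL) return false;

  uint64_t CtxBuf[8];   /* 64 aligned bytes, enough for the stand-in context */
  if (mHash[HashAlg].GetContextSize () > sizeof CtxBuf) return false;
  return mHash[HashAlg].HashInit (CtxBuf)
      && mHash[HashAlg].HashUpdate (CtxBuf, Image, ImageSize)
      && mHash[HashAlg].HashFinal (CtxBuf, mImageDigest);
}

size_t ImageDigestSize (void) { return mImageDigestSize; }

int main (void) {
  static const uint8_t Image[] = "MZ constructed sample image";   /* constructed input */
  for (unsigned Alg = 0; Alg < HASHALG_MAX; Alg++)
    printf ("%-6s : %s\n", mHash[Alg].Name,
            HashPeImage (Alg, Image, sizeof Image) ? "hashed" : "unsupported");
  return 0;
}
```

With the macro defined the run reports SHA1 and SHA224 as unsupported and only SHA256 as hashed; the point of the two guards is that neither the missing `case` nor the NULL row can be reached by a signature that names a disabled algorithm, which is the same reason Jiewen asks for the guard around the SHA1 entries of `mSignatureSupport[]`.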