Do we need to wait for the UEFI spec update for SHA-384/512 before we commit to EDK2?

If this patch series is for *EDK2-staging*, Acked-by: Jiewen Yao

From: Kinney, Michael D
Sent: Thursday, December 10, 2020 5:47 AM
To: Bret Barkelew; devel@edk2.groups.io; Wadhawan, Divneil R; Kinney, Michael D
Cc: Yao, Jiewen; Wang, Jian J; Xu, Min M
Subject: RE: [EXTERNAL] [edk2-devel] [Patch 2/2] SecurityPkg: Add support for SHA-384/SHA-512 digest algos

Hi Bret,

I think these patches are intended for an edk2-staging branch following Code First Process. Not root of edk2 repo.

Though unit tests for auth variables in their current form could be something that could be considered for edk2 repo now and add the unit tests for SHA extensions to edk2-staging.

Mike

From: Bret Barkelew
Sent: Wednesday, December 9, 2020 12:21 PM
To: devel@edk2.groups.io; Wadhawan, Divneil R
Cc: Yao, Jiewen; Wang, Jian J; Xu, Min M; Kinney, Michael D
Subject: RE: [EXTERNAL] [edk2-devel] [Patch 2/2] SecurityPkg: Add support for SHA-384/SHA-512 digest algos

What’s with the Markdown file being added to the root directory? Is that a mistake or part of a different release process?

Thanks!

- Bret

From: Wadhawan, Divneil R via groups.io
Sent: Wednesday, December 9, 2020 10:33 AM
To: devel@edk2.groups.io
Cc: Yao, Jiewen; Jian J Wang; Min Xu; Kinney, Michael D
Subject: [EXTERNAL] [edk2-devel] [Patch 2/2] SecurityPkg: Add support for SHA-384/SHA-512 digest algos

o Existing implementation of Authenticated Variables only support SHA-256 digest algorithms in signing scheme.
o This has been extended to support SHA-384 and SHA-512 algorithms

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Cc: Michael D Kinney
Signed-off-by: Divneil Rai Wadhawan
---
 SecurityPkg/Library/AuthVariableLib/AuthService.c |  8 +++--
 AuthVariableDigestUpdate.md                       | 41 +++++++++++++++++++++++
 2 files changed, 47 insertions(+), 2 deletions(-)
 create mode 100644 AuthVariableDigestUpdate.md

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c index 4fb609504d..8f024c42a8 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -35,6 +35,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 }; CONST UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 }; +CONST UINT8 mSha384OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 }; +CONST UINT8 mSha512OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 }; // // Requirement for different signature type which have been defined in UEFI spec. @@ -1901,7 +1903,7 @@ VerifyTimeBasedPayload ( // // SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the - // signature. Only a digest algorithm of SHA-256 is accepted. + // signature. Digest algorithm of SHA-256, SHA-384, SHA-512 are accepted. // // According to PKCS#7 Definition: // SignedData ::= SEQUENCE { @@ -1916,7 +1918,9 @@ VerifyTimeBasedPayload ( if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) { if (SigDataSize >= (13 + sizeof (mSha256OidValue))) { if (((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) || - (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)) { + ((CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0) && + (CompareMem (SigData + 13, &mSha384OidValue, sizeof (mSha384OidValue)) != 0) && + (CompareMem (SigData + 13, &mSha512OidValue, sizeof (mSha512OidValue)) != 0))) { return EFI_SECURITY_VIOLATION; } } diff --git a/AuthVariableDigestUpdate.md b/AuthVariableDigestUpdate.md new file mode 100644 index 0000000000..10992845a4 --- /dev/null +++ b/AuthVariableDigestUpdate.md 
@@ -0,0 +1,41 @@ +# Title: Digest Algorithm flexibility in Authenticated Variable signatures + +# Status: Draft + +# Document: UEFI Specification Version 2.8 + +# License + +SPDX-License-Identifier: CC-BY-4.0 + +# Submitter: [TianoCore Community](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.tianocore.org%2F&data=04%7C01%7CBret.Barkelew%40microsoft.com%7C5b6eb98d1288493a5f7f08d89c70f78b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637431356285650012%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=7mtSkIFgxu5iIg519YwkxjFfx6DeXOVJT67j58dHSK4%3D&reserved=0) + +# Summary of the change +EFI_VARIABLE_AUTHENTICATION_2 specifies the SignedData.digestAlgorithms to be always +SHA256. The implication is that the signing algorithm can use RSA keys greater than +2048 bits, but the digest algorithm remains SHA256. The proposed change is to allow +digest algorithm to be greater than SHA256. + +# Benefits of the change +This brings agility to the signing mechanism of Authenticated variables by allowing +it to sign a larger digest. + +# Impact of the change +There is no impact on the existing Authenticated variables. + +# Detailed description of the change [normative updates] + +Bold text indicates the proposed change + +8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2 descriptor +When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is set, then the Data buffer shall begin with an instance of a complete (and serialized) ... + +Construct a DER-encoded PKCS #7 version 1.5 SignedData (see [RFC2315]) with the signed content as follows: + +a. SignedData.version shall be set to 1 + +b. SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the signature. Only a digest algorithm greater than or equal to SHA-256 is accepted. + + +# Special Instructions +NA -- 2.16.2.windows.1
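
Review bot: the two new arrays in the @@ -35,6 +35,8 @@ hunk of AuthService.c have no comment saying which object identifier they encode. The bytes are correct for 2.16.840.1.101.3.4.2.2 (SHA-384) and 2.16.840.1.101.3.4.2.3 (SHA-512), following 2.16.840.1.101.3.4.2.1 for mSha256OidValue; a one-line comment with the dotted form above each array would let the next reader check them without decoding the DER by hand.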
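
Review bot: the reworded comment in the @@ -1901,7 +1903,7 @@ hunk of AuthService.c drops the word "Only", so it no longer states that every other digest algorithm is rejected, which is what the check below it enforces. Suggest "Only SHA-256, SHA-384 and SHA-512 are accepted."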
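
Review bot: in the @@ -1916,7 +1918,9 @@ hunk of AuthService.c the length guard is still "SigDataSize >= (13 + sizeof (mSha256OidValue))" while the body now compares SigData + 13 against three different arrays. That is in bounds only because all three OID arrays are nine bytes long, which nothing in the code states. Suggest either a STATIC_ASSERT that sizeof (mSha384OidValue) and sizeof (mSha512OidValue) equal sizeof (mSha256OidValue), or a small table of accepted OIDs walked by one loop so the guard and the comparisons use the same length. Also, going by the diffstat these eight lines are the whole change to AuthService.c, so the commit message should say whether the signature verification that follows this OID gate already handles SHA-384 and SHA-512 digests, and which test exercises it.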
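
Review bot: in AuthVariableDigestUpdate.md, item b's "Only a digest algorithm greater than or equal to SHA-256 is accepted" does not name a set of algorithms, while the AuthService.c change accepts exactly three OIDs. Normative text should list SHA-256, SHA-384 and SHA-512 explicitly so the specification and the implementation agree. The file also says "Bold text indicates the proposed change" but the added lines carry no bold markup, and the Submitter link is a safelinks.protection.outlook.com redirect rather than the plain https://www.tianocore.org/ address.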