From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by mx.groups.io with SMTP id smtpd.web09.2407.1618795877416873388 for ; Sun, 18 Apr 2021 18:31:18 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=JDcSr/Jq; spf=pass (domain: intel.com, ip: 192.55.52.115, mailfrom: jiaqi.gao@intel.com) IronPort-SDR: xPLs9IKs9XlDT0CPspB61BeUMnEQ17cXbjmJ9cLbH3NoPdpexR8dsUSV0b9sB+OD2bZ5LR5UQu VJ1RE3sElQIg== X-IronPort-AV: E=McAfee;i="6200,9189,9958"; a="194811961" X-IronPort-AV: E=Sophos;i="5.82,232,1613462400"; d="scan'208";a="194811961" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 18 Apr 2021 18:31:15 -0700 IronPort-SDR: 1nIHJRn/KShG3MwIdOu95L3ZOpwzaqBklcKmy0gopgmpEsX/ISFgU/0Hl5ooj1jyheYCrcIw2E IuwTztJCu79Q== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.82,232,1613462400"; d="scan'208";a="523272197" Received: from fmsmsx601.amr.corp.intel.com ([10.18.126.81]) by fmsmga001.fm.intel.com with ESMTP; 18 Apr 2021 18:31:13 -0700 Received: from fmsmsx610.amr.corp.intel.com (10.18.126.90) by fmsmsx601.amr.corp.intel.com (10.18.126.81) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Sun, 18 Apr 2021 18:31:13 -0700 Received: from fmsmsx603.amr.corp.intel.com (10.18.126.83) by fmsmsx610.amr.corp.intel.com (10.18.126.90) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Sun, 18 Apr 2021 18:31:12 -0700 Received: from fmsedg601.ED.cps.intel.com (10.1.192.135) by fmsmsx603.amr.corp.intel.com (10.18.126.83) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2 via Frontend Transport; Sun, 18 Apr 2021 18:31:12 -0700 Received: from NAM10-MW2-obe.outbound.protection.outlook.com (104.47.55.109) by edgegateway.intel.com (192.55.55.70) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2106.2; Sun, 18 Apr 2021 18:30:58 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OtywR0vEjeGXazA+Le9YokTkm8iYkzIzwrLsovCV+lU6tk+ciYA58urWLTrNTGKKZmnK8dsz3FVQ5Uob8fyiwirlVtHLSJ8i1CQQc3BXl9q01lGL6CBSj/II2xjN944dopFs7s3vhXF4jq1QTllKu8+3IZCx6dTcnUkuRi4fO1DIywmH68L/yKCGYaoHZG5o0PRVimUvxD3gO+0UbAXD7fbPYMBqe1yq9R72bs+QbH9MMpQOZJRJxftxhWb9OwX2tpsifTQhxzcHOsJY11DOjEu0Rl1WKBtRl5fiVFlsQTWjtQvxew8e8g66AixiLarcE+Bl+tsP67CcKf4QHYUnpA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/W6klx1LlN55T2EHyV/ac+xzfvkNYmoCa6qdI7ISQtg=; b=mFRj6SwBwc6l2a/SHpCXdAxL5bVj+XSz86ZBy0Ma4OmgY7xj7PbG4iwPmkFQb3JvW/LvsFW/ZlSI31PFCsL/0KRgqOMVpgMmxYQ/gK0kNHhBT5QaqLbrKbmgNWj0wDlfz+VrhzOV0eMqSIdAqwuMsyVl0IzctNZCsYfnIZ+16pku1LtvUbwrQ0EwSqiZQKOO3ZyRq2s7wONdiJjKvX6Sc/25zcVrszsddqHOwQaS92Oka1eybhOAqtGYJkYgpArMjAmnnQPFB7HGSEPfHqsN3QDHWP3dfy4TJRTOHQ/DVlbdz7657xd0pdMB9I99bAcG/oQs8ZagzWUklDdYqfDhUg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/W6klx1LlN55T2EHyV/ac+xzfvkNYmoCa6qdI7ISQtg=; b=JDcSr/Jq+Rs8TFgLW5lcVLn1AZks2P50rPkgkHQtLsnLYS0xlDcQns3oNbK/fUdvkM6hMeoqBseKFqYRS91gtY81grbUOOjh3/YU1+zj9iQBo9vcTaIP6+w1OEOIENInIC72cxjeVFG86Yq/+wuAj242/s+9KZ26vNKx27rKcCE= Received: from DM5PR11MB2059.namprd11.prod.outlook.com (10.168.102.21) by DM4PR11MB5326.namprd11.prod.outlook.com (13.101.57.168) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4042.19; Mon, 19 Apr 2021 01:30:57 +0000 Received: from DM5PR11MB2059.namprd11.prod.outlook.com ([fe80::fdb7:3b95:ccda:9665]) by DM5PR11MB2059.namprd11.prod.outlook.com ([fe80::fdb7:3b95:ccda:9665%5]) with mapi id 15.20.4042.024; Mon, 19 Apr 2021 01:30:57 +0000 From: "Gao, Jiaqi" To: "Xu, Min M" , "devel@edk2.groups.io" CC: "Yao, Jiewen" Subject: Re: [PATCH] SecurityPkg: Add constraints on PK strength Thread-Topic: [PATCH] SecurityPkg: Add constraints on PK strength Thread-Index: AQHXMpR6tslmVDMCWEKvZN3vGB/Xjaq69ouAgAAThEA= Date: Mon, 19 Apr 2021 01:30:57 +0000 Message-ID: References: In-Reply-To: Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-product: dlpe-windows dlp-version: 11.5.1.3 dlp-reaction: no-action authentication-results: intel.com; dkim=none (message not signed) header.d=none;intel.com; dmarc=none action=none header.from=intel.com; x-originating-ip: [192.198.147.215] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 46d808d1-ca4c-444f-e712-08d902d2c825 x-ms-traffictypediagnostic: DM4PR11MB5326: x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:2657; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: T9FAdOVE8hHnxGeJO20xOv33cqLiHZcV4pnHCsimHQCcQGZQgAQ8zJK4hmjCtZ4gF8YMEHW0WExxpcOAAjJn5u+/7dJgWfjJoUuoQVupc84/sN9lNYiTe9L49TTG0E9D2ptWws5wjMfgH8JkBB32I1lgd5EnFYDHVNoxER584RfKW2x2sjo5w0J2kLrY1JnR2OB7RBEc+Ld7ubeWOubMg1sDhU+2cSnPAlW6Jpux9Nhc1dK7C7236FcDEm+SAXuDGi/vbP2KJQfMd/ARdI8TzTdG8bnhjYESigHHsSk0EK/iQOrc0ie6zyejANjvNNTtVxAV9Z/k4QVvKYpntXtQg7pIx3t7fIVJfONGpBwv2g66G92oeZ1PHS79aJeaxTDnkiG/7TOW8Z4OUKDxFd+W6ukLDKaMY9vA5KfKH1cd3rgQzPnclG4B5ded/stJSkNPmErbyroeDIH3OF8Nl0sQawAsRMgcVZ/21nc7KNv8eae8kjs/nMw9ioLeKM0b8LtOQ/2khXqpEATrkL06C1QyOZl+EEBwJ5WBAIrQkWrCUVoZV3BGPc/QOaJ6+mRQwfNctH0YV9aLOaeA7PU1yLteyF+waXmw0NCrqjTEfiDgTeiNVtFpEF6gQD+Z4bXzZP8V5SM3nxkkYOnkSplYnzdjWz9Ek64gT3iLt00PI6CV3s0rv3iKxwH9DKbntenVHox/ x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM5PR11MB2059.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(39860400002)(346002)(366004)(136003)(376002)(396003)(26005)(186003)(966005)(52536014)(8936002)(15650500001)(478600001)(83380400001)(2906002)(122000001)(38100700002)(66946007)(33656002)(86362001)(71200400001)(30864003)(9686003)(107886003)(66446008)(8676002)(7696005)(55016002)(6506007)(53546011)(110136005)(4326008)(316002)(5660300002)(64756008)(76116006)(66556008)(66476007)(19627235002);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata: =?us-ascii?Q?nfEa4ULte7DS7GCreavOhJtvfGd22CH6XQIGmOV9ArRoHTgp1ZelITCMWK/7?= =?us-ascii?Q?BnqT8/EmBJwFgdp4kO7mhW9vyrm1luVtblxXqypDIyIKNd6zWxfA6cSFFH9F?= =?us-ascii?Q?VoQ6GVFWtaIhbGw79rN1CvsDRtSSmbBKwA6bRtjH4O1hq3c8zyqgr2hbIu3L?= =?us-ascii?Q?2J0u4SXG9UctfJOU5Vyy3iQM+kjAberUXbzzj0pZdNXlJxt4vqFmGsV1ib9Q?= =?us-ascii?Q?510+9ho7Cgp9lSLEmVbL8PmGBnFhyvNPL/5kc6L3SuA6WfwY6StBgXnUu/SR?= =?us-ascii?Q?V2bpveXMm8bfuq/m1EAUBGXGmt1JPCyZTpXgOFz9HizfyJl1+a1rk/Ik2ZdJ?= =?us-ascii?Q?jXtGRIWglfrvZBjfcres0ekXnks/cUPnwhYRHC++wjeGQg2d31CJ8VgRfldJ?= =?us-ascii?Q?2tmEhdetv8JeCGCR6mKnu5fz7MMfHR1T+7JFHzmIPCI7+GaOL1mkaR3bOuPC?= =?us-ascii?Q?ynaHCFAS9Nm4m9ht6wrzU7tIy9WpxaQ7hhwJG9QtzZRKqU+YnhqP6GOS6Z8q?= =?us-ascii?Q?r5tY0MLWHpEPhRryHD/ENnORqnCGKAdgbwL/1N05JJOqcx0EmVQD81+f05G2?= =?us-ascii?Q?/MpojhfcqMjsttm5a2IqBiQ6GGhq56PziM+lpHzLweP/ekJWObuDooGDlUd1?= =?us-ascii?Q?gXDYR3oiIx/aE0NkDXjCopIHqYnE9dFy3vS+X7RVhE0HM87mJlZXtKi/di77?= =?us-ascii?Q?XWhbmlaQdFyEJZgQW+x9DWqOCTKmYO5a8jxzJ58gAgt0gaO3p4PIeo0eU/DZ?= =?us-ascii?Q?uUx8tIVHyIxl7eMiIet4GNg6lCaROoM/dJ4djcNtfMBb/ml7FgQcK4NOAyHO?= =?us-ascii?Q?0ZgcAQ5gRy+IVH5GV9Y7CkwiOpLVpHKmDpSQS2hv/T91ZxHmxl+mpUWC50uM?= =?us-ascii?Q?aEmAFqT22UEfHrSZx7afxzxXUBGuSJNKQcljbCzcubTtENtIqJw7GMUSuYKA?= =?us-ascii?Q?zlUH4L7j5FObfVzRDw2JbqRQZXh19jYXohToHoccGZZfvENjjGfP/JnHVGid?= =?us-ascii?Q?ogww1bVmU/XiK1WFezIaMRXAvpxNBmrx8oIzAMp3dyFHX54H7A9qASuEIetH?= =?us-ascii?Q?WswLk0I09Hu3pAPeDaA8x/P7hqKgPMjVgkbAdoa9D8tmfVOJzd0DXnTC3Fk9?= =?us-ascii?Q?EJD9AaPBRMEmCFDF/96rAYNoHQKmXUfWwr7EyyJV55lcB2XyujdHElz7MVZh?= =?us-ascii?Q?CzP4zEvzxYl0Ty/1xpFatFgkENSy78S/l3JyzRIVmu8Ta47HCZXUUul/914J?= =?us-ascii?Q?7xK8ujfC9KoDaKR08UnUl/AFXdyIf291KtOHLB22DY/fjnT+9NfYFvMJJvE7?= =?us-ascii?Q?amPg3ykOadrQhBD872TZrGas?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: DM5PR11MB2059.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 46d808d1-ca4c-444f-e712-08d902d2c825 X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Apr 2021 01:30:57.2921 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: HogT+zvESLW3dbC03SePmPxq0tGFVpd4maDt2bcd5EJk5H7RL/iGWtZMSZ7hf+3Ld7nYKNmbckU+mn2iQ0p8SQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR11MB5326 Return-Path: jiaqi.gao@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi, The patch has been built and tested with several toolchains: 1. GCC5 on Linux, both DEBUG and RELEASE. 2. VS2017 on Windows, both DEBUG and RELEASE. 3. VS2019 on Windows, both DEBUG and RELEASE. To make sure the program can cope with various input, test cases consist of= different PK certificate enrollment , which are: 1. Platform Keys (PKs) with RSA public key length less than 2048 bits, incl= ude RSA-512 and RSA-1024, etc. These kind of certificates were rejected dur= ing user enrollment. 2. PKs with RSA public key length equal to or greater than 2048 bits, inclu= de RSA-2048, RSA-3072 and RSA-4096, etc. These kind of certificates were su= ccessfully enrolled. 3. PKs which are not DER encoded, such as PEM encoded certificates with .ce= r/.der/.crt file suffix. 4. Empty PKs. 5. Empty inputs. All the test cases were performed as expected. Test cases with unqualified = key strength pop up the prompt of unqualified key, and the others with unsu= pported encode format or illegal input act as previous program.=20 Best Regards, Jiaqi -----Original Message----- From: Xu, Min M =20 Sent: Monday, April 19, 2021 7:52 AM To: Gao, Jiaqi ; devel@edk2.groups.io Cc: Yao, Jiewen Subject: RE: [PATCH] SecurityPkg: Add constraints on PK strength Have you tested the patch? Would you please post the test result in the mai= l thread? Thanks. > -----Original Message----- > From: Gao, Jiaqi > Sent: Friday, April 16, 2021 3:56 PM > To: devel@edk2.groups.io > Cc: Gao, Jiaqi ; Xu, Min M ;=20 > Yao, Jiewen > Subject: [PATCH] SecurityPkg: Add constraints on PK strength >=20 > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3293 >=20 > Add constraints on the key strength of enrolled platform key(PK),=20 > which must be greater than or equal to 2048 bit.PK key strength is=20 > required by Intel SDL and MSFT, etc. This limitation prevents user from u= sing weak keys as PK. >=20 > The original code to check the certificate file type is placed in a=20 > new function CheckX509Certificate(), which checks if the X.509=20 > certificate meets the requirements of encode type, RSA-Key strengh, etc. >=20 > Cc: Min Xu > Cc: Jiewen Yao > Signed-off-by: Jiaqi Gao > --- > .../SecureBootConfigImpl.c | 165 +++++++++++++++--- > .../SecureBootConfigImpl.h | 21 +++ > 2 files changed, 160 insertions(+), 26 deletions(-) >=20 > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > igI > mpl.c > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > igI > mpl.c > index 4f01a2ed67..1304e21266 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > igI > mpl.c > +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBoot > +++ Co > +++ nfigImpl.c > @@ -90,6 +90,22 @@ CHAR16* mDerEncodedSuffix[] =3D { }; > CHAR16* mSupportX509Suffix =3D L"*.cer/der/crt"; >=20 > +// > +// Prompt strings during certificate enrollment. > +// > +CHAR16* mX509EnrollPromptTitle[] =3D { > + L"", > + L"ERROR: Unsupported file type!", > + L"ERROR: Unsupported certificate!", > + NULL > +}; > +CHAR16* mX509EnrollPromptString[] =3D { > + L"", > + L"Only DER encoded certificate file (*.cer/der/crt) is supported.", > + L"Public key length should be equal to or greater than 2048 bits.", > + NULL > +}; > + > SECUREBOOT_CONFIG_PRIVATE_DATA *gSecureBootPrivateData =3D NULL; >=20 > /** > @@ -383,6 +399,102 @@ SetSecureBootMode ( > ); > } >=20 > +/** > + This code checks if the encode type and key strength of X.509 > + certificate is qualified. > + > + @param[in] X509FileContext FileContext of X.509 certificate stori= ng > + file. > + @param[out] Error Error type checked in the certificate. > + > + @return EFI_SUCCESS The certificate checked successfully. > + @return EFI_INVALID_PARAMETER The parameter is invalid. > + @return EFI_OUT_OF_RESOURCES Memory allocation failed. > + > +**/ > +EFI_STATUS > +CheckX509Certificate ( > + IN SECUREBOOT_FILE_CONTEXT* X509FileContext, > + OUT ENROLL_KEY_ERROR* Error > +) > +{ > + EFI_STATUS Status; > + UINT16* FilePostFix; > + UINTN NameLength; > + UINT8* X509Data; > + UINTN X509DataSize; > + void* X509PubKey; > + UINTN PubKeyModSize; > + > + if (X509FileContext->FileName =3D=3D NULL) { > + *Error =3D Unsupported_Type; > + return EFI_INVALID_PARAMETER; > + } > + > + X509Data =3D NULL; > + X509DataSize =3D 0; > + X509PubKey =3D NULL; > + PubKeyModSize =3D 0; > + > + // > + // Parse the file's postfix. Only support DER encoded X.509 certificat= e files. > + // > + NameLength =3D StrLen (X509FileContext->FileName); if (NameLength <= =3D > + 4) { > + DEBUG ((DEBUG_ERROR, "Wrong X509 NameLength\n")); > + *Error =3D Unsupported_Type; > + return EFI_INVALID_PARAMETER; > + } > + FilePostFix =3D X509FileContext->FileName + NameLength - 4; if=20 > + (!IsDerEncodeCertificate (FilePostFix)) { > + DEBUG ((DEBUG_ERROR, "Unsupported file type, only DER encoded > certificate (%s) is supported.\n", mSupportX509Suffix)); > + *Error =3D Unsupported_Type; > + return EFI_INVALID_PARAMETER; > + } > + DEBUG ((DEBUG_INFO, "FileName=3D %s\n", X509FileContext->FileName));=20 > + DEBUG ((DEBUG_INFO, "FilePostFix =3D %s\n", FilePostFix)); > + > + // > + // Read the certificate file content // Status =3D ReadFileContent=20 > + (X509FileContext->FHandle, (VOID**) &X509Data, &X509DataSize, 0); =20 > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Error occured while reading the file.\n")); > + goto ON_EXIT; > + } > + > + // > + // Parse the public key context. > + // > + if (RsaGetPublicKeyFromX509 (X509Data, X509DataSize, &X509PubKey)=20 > + =3D=3D > FALSE) { > + DEBUG ((DEBUG_ERROR, "Error occured while parsing the pubkey from > certificate.\n")); > + Status =3D EFI_INVALID_PARAMETER; > + *Error =3D Unsupported_Type; > + goto ON_EXIT; > + } > + > + // > + // Parse Module size of public key using interface provided by=20 > + CryptoPkg, which is // actually the size of public key. > + // > + if (X509PubKey !=3D NULL) { > + RsaGetKey (X509PubKey, RsaKeyN, NULL, &PubKeyModSize); > + if (PubKeyModSize < CER_PUBKEY_MIN_SIZE) { > + DEBUG ((DEBUG_ERROR, "Unqualified PK size, key size should be=20 > + equal to > or greater than 2048 bits.\n")); > + Status =3D EFI_INVALID_PARAMETER; > + *Error =3D Unqualified_Key; > + } > + RsaFree (X509PubKey); > + } > + > + ON_EXIT: > + if (X509Data !=3D NULL) { > + FreePool (X509Data); > + } > + > + return Status; > +} > + > /** > Generate the PK signature list from the X509 Certificate storing=20 > file (.cer) >=20 > @@ -461,7 +573,10 @@ ON_EXIT: >=20 > The SignatureOwner GUID will be the same with PK's vendorguid. >=20 > - @param[in] PrivateData The module's private data. > + @param[in] PrivateData The module's private data. > + @param[out] Error Point to the error code which indicates the > + error during enroll process. > + >=20 > @retval EFI_SUCCESS New PK enrolled successfully. > @retval EFI_INVALID_PARAMETER The parameter is invalid. > @@ -477,12 +592,6 @@ EnrollPlatformKey ( > UINT32 Attr; > UINTN DataSize; > EFI_SIGNATURE_LIST *PkCert; > - UINT16* FilePostFix; > - UINTN NameLength; > - > - if (Private->FileContext->FileName =3D=3D NULL) { > - return EFI_INVALID_PARAMETER; > - } >=20 > PkCert =3D NULL; >=20 > @@ -491,21 +600,6 @@ EnrollPlatformKey ( > return Status; > } >=20 > - // > - // Parse the file's postfix. Only support DER encoded X.509 certificat= e files. > - // > - NameLength =3D StrLen (Private->FileContext->FileName); > - if (NameLength <=3D 4) { > - return EFI_INVALID_PARAMETER; > - } > - FilePostFix =3D Private->FileContext->FileName + NameLength - 4; > - if (!IsDerEncodeCertificate(FilePostFix)) { > - DEBUG ((EFI_D_ERROR, "Unsupported file type, only DER encoded > certificate (%s) is supported.", mSupportX509Suffix)); > - return EFI_INVALID_PARAMETER; > - } > - DEBUG ((EFI_D_INFO, "FileName=3D %s\n",=20 > Private->FileContext->FileName)); > - DEBUG ((EFI_D_INFO, "FilePostFix =3D %s\n", FilePostFix)); > - > // > // Prase the selected PK file and generate PK certificate list. > // > @@ -4300,12 +4394,14 @@ SecureBootCallback ( > UINT16 *FilePostFix; > SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData; > BOOLEAN GetBrowserDataResult; > + ENROLL_KEY_ERROR EnrollKeyErrorCode; >=20 > Status =3D EFI_SUCCESS; > SecureBootEnable =3D NULL; > SecureBootMode =3D NULL; > SetupMode =3D NULL; > File =3D NULL; > + EnrollKeyErrorCode =3D None_Error; >=20 > if ((This =3D=3D NULL) || (Value =3D=3D NULL) || (ActionRequest =3D=3D= NULL)) { > return EFI_INVALID_PARAMETER; > @@ -4718,18 +4814,35 @@ SecureBootCallback ( > } > break; > case KEY_VALUE_SAVE_AND_EXIT_PK: > - Status =3D EnrollPlatformKey (Private); > + // > + // Check the suffix, encode type and the key strength of PK certif= icate. > + // > + Status =3D CheckX509Certificate (Private->FileContext, &EnrollKeyE= rrorCode); > + if (EFI_ERROR (Status)) { > + if (EnrollKeyErrorCode !=3D None_Error && EnrollKeyErrorCode < > Enroll_Error_Max) { > + CreatePopUp ( > + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, > + &Key, > + mX509EnrollPromptTitle[EnrollKeyErrorCode], > + mX509EnrollPromptString[EnrollKeyErrorCode], > + NULL > + ); > + break; > + } > + } else { > + Status =3D EnrollPlatformKey (Private); > + } > if (EFI_ERROR (Status)) { > UnicodeSPrint ( > PromptString, > sizeof (PromptString), > - L"Only DER encoded certificate file (%s) is supported.", > - mSupportX509Suffix > + L"Error status: %x.", > + Status > ); > CreatePopUp ( > EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, > &Key, > - L"ERROR: Unsupported file type!", > + L"ERROR: Enrollment failed!", > PromptString, > NULL > ); > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > igI > mpl.h > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > igI > mpl.h > index 1fafae07ac..268f015e8e 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > igI > mpl.h > +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBoot > +++ Co > +++ nfigImpl.h > @@ -93,6 +93,27 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; > #define HASHALG_RAW 0x00000004 > #define HASHALG_MAX 0x00000004 >=20 > +// > +// Certificate public key minimum size (bytes) // > +#define CER_PUBKEY_MIN_SIZE 256 > + > +// > +// Types of errors may occur during certificate enrollment. > +// > +typedef enum { > + None_Error =3D 0, > + // > + // Unsupported_type indicates the certificate type is not supported. > + // > + Unsupported_Type, > + // > + // Unqualified_key indicates the key strength of certificate is not > + // strong enough. > + // > + Unqualified_Key, > + Enroll_Error_Max > +}ENROLL_KEY_ERROR; >=20 > typedef struct { > UINTN Signature; > -- > 2.31.1.windows.1