From: "Gao, Zhichao"
To: "Yao, Jiewen", "devel@edk2.groups.io"
CC: "Wang, Jian J", "Xu, Min M", "Zhang, Qi1"
Subject: Re: [edk2-devel] [PATCH] SecurityPkg/DxeImageVerificationLib: Disable SHA1 base on MACRO
Date: Mon, 7 Sep 2020 02:36:24 +0000

Hi Jiewen,

There are still some use cases in the SecurityPkg, such as TPM1.2. After the security package can build with the disable MACRO, we can remove all the content of SHA1.
For now many platforms keep using the TPM1.2, I am not sure when the TPM1.2 would be dropped from the SecurityPkg.

Thanks,
Zhichao

> -----Original Message-----
> From: Yao, Jiewen
> Sent: Monday, September 7, 2020 10:20 AM
> To: devel@edk2.groups.io; Yao, Jiewen; Gao, Zhichao
> Cc: Wang, Jian J; Xu, Min M; Zhang, Qi1
> Subject: RE: [edk2-devel] [PATCH] SecurityPkg/DxeImageVerificationLib: Disable SHA1 base on MACRO
>
> Hi Zhichao
> Thanks for the patch.
> I gave Reviewed-by because the Bugzilla only mentioned
> DxeImageVerificationLib.
>
> As a full solution to remove SHA1 from SecureBoot, I think we should also
> remove SHA1 from AuthVariableLib.
>
> Any plan on that?
>
> Thank you
> Yao Jiewen
>
> > -----Original Message-----
> > From: devel@edk2.groups.io On Behalf Of Yao, Jiewen
> > Sent: Monday, September 7, 2020 10:16 AM
> > To: Gao, Zhichao; devel@edk2.groups.io
> > Cc: Wang, Jian J; Xu, Min M; Zhang, Qi1
> > Subject: Re: [edk2-devel] [PATCH] SecurityPkg/DxeImageVerificationLib: Disable SHA1 base on MACRO
> >
> > Reviewed-by: Jiewen Yao
> >
> > > -----Original Message-----
> > > From: Gao, Zhichao > > > Sent: Monday, August 31, 2020 1:13 PM > > > To: devel@edk2.groups.io > > > Cc: Yao, Jiewen ; Wang, Jian J > > ; > > > Xu, Min M ; Zhang, Qi1 > > > Subject: [PATCH] SecurityPkg/DxeImageVerificationLib: Disable SHA1 > > > base on MACRO > > > > > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2943 > > > > > > Disable SHA1 base on the MACRO DISABLE_SHA1_DEPRECATED_INTERFACES. > > > SHA1 is deprecated function and the MACRO is used to remove the > > > whole implementation of the SHA1. For the platforms that do not need > > > SHA1 for security, the MACRO should works for > > > DxeImageVerificationLib as well. > > > > > > Signed-off-by: Zhichao Gao > > > Cc: Jiewen Yao > > > Cc: Jian J Wang > > > Cc: Min Xu > > > Cc: Qi Zhang > > > --- > > > .../DxeImageVerificationLib/DxeImageVerificationLib.c | 6 +++= +++ > > > 1 file changed, 6 insertions(+) > > > > > > diff --git > > > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLi > > > b.c > > > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLi > > > b.c > > > index b08fe24e85..7871220140 100644 > > > --- > > > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLi > > > b.c > > > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati > > > +++ onLib.c > > > @@ -59,7 +59,11 @@ UINT8 mHashOidValue[] =3D { > > > }; > > > > > > HASH_TABLE mHash[] =3D { > > > +#ifndef DISABLE_SHA1_DEPRECATED_INTERFACES > > > { L"SHA1", 20, &mHashOidValue[0], 5, Sha1GetContextSize, Sha= 1Init, > > > Sha1Update, Sha1Final }, > > > +#else > > > + { L"SHA1", 20, &mHashOidValue[0], 5, NULL, NUL= L, NULL, > > > NULL }, > > > +#endif > > > { L"SHA224", 28, &mHashOidValue[5], 9, NULL, NUL= L, NULL, > > > NULL }, > > > { L"SHA256", 32, &mHashOidValue[14], 9, Sha256GetContextSize, > > > Sha256Init, Sha256Update, Sha256Final}, > > > { L"SHA384", 48, &mHashOidValue[23], 9, Sha384GetContextSize, > > > Sha384Init, Sha384Update, Sha384Final}, 
@@ -315,10 +319,12 @@ > > > HashPeImage ( > > > ZeroMem (mImageDigest, MAX_DIGEST_SIZE); > > > > > > switch (HashAlg) { > > > +#ifndef DISABLE_SHA1_DEPRECATED_INTERFACES > > > case HASHALG_SHA1: > > > mImageDigestSize =3D SHA1_DIGEST_SIZE; > > > mCertType =3D gEfiCertSha1Guid; > > > break; > > > +#endif > > > > > > case HASHALG_SHA256: > > > mImageDigestSize =3D SHA256_DIGEST_SIZE; > > > -- > > > 2.21.0.windows.1 > > > > > >=20
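
Review bot: In the first hunk, the #else arm of mHash[] keeps the L"SHA1" row with its digest size and OID but sets all four callbacks to NULL, and nothing in the visible lines shows that consumers of mHash[] test those pointers before calling them. The existing SHA224 row already uses the same NULL pattern, so the handling may be in place, but please confirm that an image or signature selecting the SHA1 entry ends in a clean verification failure rather than a call through a NULL GetContextSize/HashInit pointer. A one-line comment on the #else row saying it is a placeholder kept so the table positions of the later entries do not shift would also help the next reader.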
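
Review bot: In the HashPeImage hunk, compiling out case HASHALG_SHA1 means a caller that still passes HASHALG_SHA1 takes whatever path the switch has for unmatched values, and that path is not visible here. Since mImageDigest has just been zeroed by ZeroMem, please confirm the unmatched case returns failure before mImageDigestSize and mCertType are used, so that stale values from a previous call are never paired with an all-zero digest. The commit message should also state the intended result for SHA1-hashed images when DISABLE_SHA1_DEPRECATED_INTERFACES is defined (rejected, per the point above), because the current text only says the macro "should works" for this library.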