From: "Chen, Zeyi" <zeyi.chen@intel.com>
To: "Sheng, W" <w.sheng@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>,
"Yao, Jiewen" <jiewen.yao@intel.com>
Cc: "Wang, Jian J" <jian.j.wang@intel.com>,
"Xu, Min M" <min.m.xu@intel.com>,
"Wang, Fiona" <fiona.wang@intel.com>,
"Lu, Xiaoyu1" <xiaoyu1.lu@intel.com>,
"Jiang, Guomin" <guomin.jiang@intel.com>,
"Kinney, Michael D" <michael.d.kinney@intel.com>,
"Yu, Ling" <ling.yu@intel.com>
Subject: Re: [edk2-devel] [PATCH V7 0/2] Support RSA4096 and RSA3072
Date: Wed, 6 Sep 2023 01:55:37 +0000 [thread overview]
Message-ID: <DM6PR11MB4490F145D8EB825057D8E9BFEEEFA@DM6PR11MB4490.namprd11.prod.outlook.com> (raw)
In-Reply-To: <PH0PR11MB4870A8BA471236EC668E7B93E1E6A@PH0PR11MB4870.namprd11.prod.outlook.com>
Hi Wei,
We finished some related secureboot tests with the IFWI you provided. Tests are PASS.
Test point:
Enabled secure boot successfully without issue.
Can support RSA3072 and RSA4096.
Still support original keys/files.
Best Regards,
Zeyi
-----Original Message-----
From: Sheng, W <w.sheng@intel.com>
Sent: Wednesday, August 30, 2023 4:02 PM
To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
Cc: Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Yu, Ling <ling.yu@intel.com>
Subject: RE: [edk2-devel] [PATCH V7 0/2] Support RSA4096 and RSA3072
Hi Jiewen,
Do you have any comments on the patch V7?
The 2 patches are for CryptoPkg and SecurityPky.
Could you help to review/merge the patches?
Thank you.
BR
Sheng Wei
> -----Original Message-----
> From: Sheng, W
> Sent: Tuesday, August 22, 2023 1:59 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M
> <min.m.xu@intel.com>; Chen, Zeyi <Zeyi.Chen@intel.com>; Wang, Fiona
> <fiona.wang@intel.com>; Lu,
> Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> <Guomin.Jiang@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Sheng, W <w.sheng@intel.com>
> Subject: RE: [edk2-devel] [PATCH V7 0/2] Support RSA4096 and RSA3072
>
> Hi Jiewen,
> I update the patch V6 to V7, drop raw RSA3K and RSA4K. The change is
> in SecurityPkg.
> And I did all the tests which are listed in the cover letter. I got
> the expected results.
> Could you help to review/merge this V7 patch for secure boot feature ?
> Thank you.
> BR
> Sheng Wei
>
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sheng
> > Wei
> > Sent: 2023年8月10日 10:24
> > To: devel@edk2.groups.io
> > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu,
> > Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> > <guomin.jiang@intel.com>; Kinney, Michael D
> > <michael.d.kinney@intel.com>
> > Subject: [edk2-devel] [PATCH V7 0/2] Support RSA4096 and RSA3072
> >
> > Patch V7:
> > Drop raw RSA3072 and RSA4096. Only use gEfiCertX509Guid for RSA3072
> > and
> > RSA4096 Do the positive tests and the negative tests below. And got
> > all the expected results.
> >
> > Patch V6:
> > Remove the changes in MdePkg.
> > The changes of patch v6 are in CryptoPkg and SecurityPkg.
> > Set signature type to gEfiCertX509Guid when enroll RSA3072/RSA4096 KEK.
> > This signature type is used to check the supported signature and
> > show the strings.
> >
> > Patch V5:
> > Using define KEY_TYPE_RSASSA to replace the magic number.
> >
> > Patch V4:
> > Determine the RSA algorithm by a supported algorithm list.
> >
> > Patch V3:
> > Select SHA algorithm automaticly for a unsigned efi image.
> >
> > Patch V2:
> > Determine the SHA algorithm by a supported algorithm list.
> > Create SHA context for each algorithm.
> >
> > Test Case:
> > 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image
> > under UEFI shell.
> > 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image
> > under UEFI shell.
> > 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image
> > under UEFI shell.
> > 4. Enroll an unsigned efi image, execute the unsigned efi image
> > under UEFI shell
> >
> > Test Result:
> > Pass
> >
> > Negative Test Case:
> > 1) Enroll a RSA2048 Cert, execute an unsigned efi image.
> > 2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image.
> > 3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image.
> > 4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096
> > signed efi image.
> >
> > Test Result:
> > Get "Access Denied" when try to execute the efi image.
> >
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Min Xu <min.m.xu@intel.com>
> > Cc: Zeyi Chen <zeyi.chen@intel.com>
> > Cc: Fiona Wang <fiona.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> >
> > Sheng Wei (2):
> > CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to
> > ImageTimestampVerify
> > SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
> >
> > CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +-
> > .../Library/AuthVariableLib/AuthService.c | 218 +++++++++++++++---
> > .../AuthVariableLib/AuthServiceInternal.h | 4 +-
> > .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++--
> > .../DxeImageVerificationLib.c | 73 +++---
> > .../SecureBootConfigDxe.inf | 8 +
> > .../SecureBootConfigImpl.c | 50 +++-
> > .../SecureBootConfigImpl.h | 7 +
> > .../SecureBootConfigStrings.uni | 2 +
> > 9 files changed, 324 insertions(+), 83 deletions(-)
> >
> > --
> > 2.26.2.windows.1
> >
> >
> >
> >
> >
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#108331): https://edk2.groups.io/g/devel/message/108331
Mute This Topic: https://groups.io/mt/100656918/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
next prev parent reply other threads:[~2023-09-06 15:20 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1779E466B0A8FFE7.8497@groups.io>
2023-08-22 5:59 ` [edk2-devel] [PATCH V7 0/2] Support RSA4096 and RSA3072 Sheng Wei
2023-08-30 8:02 ` Sheng Wei
2023-09-06 1:55 ` Chen, Zeyi [this message]
2023-09-06 2:53 ` Yao, Jiewen
2023-08-10 2:24 Sheng Wei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DM6PR11MB4490F145D8EB825057D8E9BFEEEFA@DM6PR11MB4490.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox