From: zhihao.li@intel.com
To: "devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Yao, Jiewen" <jiewen.yao@intel.com>,
"Wang, Jian J" <jian.j.wang@intel.com>,
"Wu, Hao A" <hao.a.wu@intel.com>,
"Lu, XiaoyuX" <xiaoyux.lu@intel.com>,
"Jiang, Guomin" <guomin.jiang@intel.com>,
"gaoliming@byosoft.com.cn" <gaoliming@byosoft.com.cn>,
"Fu, Siyuan" <siyuan.fu@intel.com>,
"Wu, Yidong" <yidong.wu@intel.com>,
"Li, Aaron" <aaron.li@intel.com>
Subject: [edk2-devel] [RFC] Add parallel hash feature into CryptoPkg.BaseCryptLib
Date: Thu, 2 Sep 2021 01:37:30 +0000
Message-ID: <DM6PR11MB47383E27080850C75524643AF9CE9@DM6PR11MB4738.namprd11.prod.outlook.com>
Hi, everyone.
We want to add a new hash algorithm, cSHAKE256/ParallelHash256 as defined by NIST SP 800-185, into BaseCryptLib of CryptoPkg. This feature can be applied to digital authentication functions like Capsule Update. It utilizes multiple processors to calculate the image digest in parallel for update capsule authentication, so as to lessen the time of capsule authentication.
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3596
[Background]
The intention of this change is to improve the capsule authentication performance.
Currently, the image is hashed to a hash value (usually by SHA-256), then the hash value is signed by a certificate. The header, certificate, and image binary are sealed into the capsule. In the authentication phase, the program should calculate the hash using the image binary in the capsule and then perform the authentication procedures.
[Proposal]
Now, we propose a new authentication flow, which first pre-calculates the ParallelHash256 digest of the image binary in parallel with multiple processors, then uses the ParallelHash256 digest (instead of the original image binary) in the subsequent SHA-256 hash for sign/authentication.
Since the large image is compressed to the ParallelHash256 digest, which has only 256 bytes, the SHA-256 running time would be less.
[Required Changes]
Mainly in CryptoPkg, MdeModulePkg, SecurityPkg:
1. CryptoPkg: need to add the new hash algorithm named cSHAKE256/ParallelHash256 in BaseCryptLib. The ParallelHash function will consume the CPU MP Service Protocol; not sure if this is allowed in BaseCryptLib?
2. MdeModulePkg: Add a new authenticate function AuthenticateFmpImageWithParallelhash() to FmpAuthenticationLib. This is because the original AuthenticateFmpImage() interface only has 4 parameters while the new one has 5 parameters. The 5th parameter is the ParallelHash256 digest raised above. We try to do the parallel hash before authentication and transfer the result to the AuthenticateFmpImage function as a parameter, so that we can do the parallel hash only once, externally, in the case of multiple authentications, which saves more time.
3. SecurityPkg: Add new functions named FmpAuthenticatedHandlerPkcs7WithParallelhash() and AuthenticateFmpImageWithParallelhash() to FmpAuthenticationLibPkcs7. This is because the original interfaces do not have the formal parameter (ParallelHash256 digest) we need. We try to do the parallel hash before authentication and transfer the result to the AuthenticateFmpImage and FmpAuthenticatedHandlerPkcs7 functions as a parameter, so that we can do the parallel hash only once, externally, in the case of multiple authentications, which saves more time.
Please let me know if you have any comments or concerns on this proposed change.
Thanks for your time and feedback!
Best regards,
Zhihao
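The flow proposed in this message, as an added sketch that is not code from the RFC or from EDK II: ParallelHash256 (NIST SP 800-185) hashes fixed-size blocks independently, binds the block size and block count into the final cSHAKE256 call, and SHA-256 then runs over the short digest. All function names, the 1 MiB block size, the 64-byte digest length, and the thread pool standing in for processors dispatched through MP Services are assumptions.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

RATE, M64 = 136, (1 << 64) - 1  # cSHAKE256 rate in bytes, 64-bit lane mask
def rol(v, n):
    return ((v << n % 64) | (v >> (64 - n % 64))) & M64

def keccak_f(a):  # Keccak-f[1600]; lane (x, y) lives at a[x + 5*y]
    r = 1
    for _ in range(24):
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x + 4) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]  # theta
        x, y, cur = 1, 0, a[1]
        for t in range(24):  # rho and pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, a[x + 5 * y] = a[x + 5 * y], rol(cur, (t + 1) * (t + 2) // 2)
        a = [a[i] ^ (~a[i - i % 5 + (i + 1) % 5] & a[i - i % 5 + (i + 2) % 5]) for i in range(25)]  # chi
        for j in range(7):  # iota: round-constant bits from an LFSR
            r = ((r << 1) ^ ((r >> 7) * 0x71)) % 256
            a[0] ^= (r >> 1 & 1) << ((1 << j) - 1)
    return a

def sponge(data, suffix, out_len):  # suffix 0x1F: SHAKE256, 0x04: cSHAKE256
    assert out_len <= RATE, "this sketch squeezes a single block only"
    buf = bytearray(data) + bytes([suffix]) + bytes(-(len(data) + 1) % RATE)
    buf[-1] ^= 0x80  # closing bit of pad10*1
    a = [0] * 25
    for off in range(0, len(buf), RATE):
        blk = buf[off:off + RATE]  # lanes past the rate get an empty slice, i.e. 0
        a = keccak_f([v ^ int.from_bytes(blk[8 * i:8 * i + 8], "little") for i, v in enumerate(a)])
    return b"".join(v.to_bytes(8, "little") for v in a[:RATE // 8])[:out_len]

def encode(x, right=False):  # SP 800-185 left_encode / right_encode
    n = max(1, (x.bit_length() + 7) // 8)
    return x.to_bytes(n, "big") + bytes([n]) if right else bytes([n]) + x.to_bytes(n, "big")

def cshake256(data, out_len, name, custom):  # valid for a non-empty function name
    head = encode(RATE) + b"".join(encode(8 * len(s)) + s for s in (name, custom))
    return sponge(head + bytes(-len(head) % RATE) + data, 0x04, out_len)

def parallel_hash256(image, block=1 << 20, out_len=64, custom=b"", workers=4):
    chunks = [image[i:i + block] for i in range(0, len(image), block)]  # block size is assumed
    with ThreadPoolExecutor(workers) as pool:  # threads stand in for the other processors
        inner = b"".join(pool.map(lambda c: hashlib.shake_256(c).digest(64), chunks))
    z = encode(block) + inner + encode(len(chunks), True) + encode(8 * out_len, True)
    return cshake256(z, out_len, b"ParallelHash", custom)

def signing_digest(image, **kw):  # what SHA-256 sees under the proposed flow
    return hashlib.sha256(parallel_hash256(image, **kw)).digest()
```

The per-block hash uses `hashlib.shake_256` because cSHAKE256 with empty function name and customization string is defined to be SHAKE256. Signer and verifier must agree on the block size and digest length, since both are bound into the digest.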