From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: Jan Bobek
CC: devel@edk2.groups.io, Jeff Brasen, Girish Mahadevan, "Wang, Jian J", "Xu, Min M"
Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/AuthVariableLib: Check SHA-256 OID with ContentInfo present
Date: Tue, 17 Jan 2023 00:24:14 +0000
In-Reply-To: <87k01mxgdw.fsf@nvidia.com>
I linked the email with Bugzilla. Either email or Bugzilla is OK for the discussion.

Personally, I don't understand one thing.
If EDKII causes such a failure, how does Arch Linux validate the correctness of the tool and document in [3]?
Or are they using a different UEFI implementation?
Thank you
Yao, Jiewen

> -----Original Message-----
> From: Jan Bobek
> Sent: Tuesday, January 17, 2023 6:30 AM
> To: Yao, Jiewen
> Cc: devel@edk2.groups.io; Jeff Brasen; Girish Mahadevan; Wang, Jian J; Xu, Min M
> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/AuthVariableLib: Check SHA-256 OID with ContentInfo present
>
> > Hi
> > That is a good catch!
> > My apologies for missing it before.
> >
> > 1) Please file a bugzilla (https://bugzilla.tianocore.org/) to record the issue and associate it with the patch.
>
> Filed bug 4305 [1]. Sorry for the delay, I didn't get my bugzilla
> credentials until late last week.
>
> > 2) Would you please share with us how you discovered the issue?
> > For example, is there any real use case that includes ContentInfo? If yes, please share a URL.
> > Or is this just a pure spec-compliance fix?
> >
> > 3) Please describe how you validated the fix.
> > If possible, would you please share your test case?
>
> I believe both of these are answered / included in the bug description.
>
> > 4) Since the new code handles the case where the ContentInfo structure is present, I believe we also need to check whether the ContentInfo structure is valid.
> > For example:
> > ============
> > c SignedData.contentInfo.contentType shall be set to id-data
> > d SignedData.contentInfo.content shall be absent
> > ============
> > What do you think?
>
> I think you're talking about the ContentInfo structure that's part of
> the SignedData structure, but the real problem is with the ContentInfo
> structure that _wraps_ the SignedData structure. More info in the bug
> description.
>
> Also, is it customary to continue the discussion here on edk2-devel or
> in the bug comments on bugzilla?
>
> -Jan
>
> References:
> 1. https://bugzilla.tianocore.org/show_bug.cgi?id=4305
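The distinction Jan draws above (an outer ContentInfo that wraps the whole SignedData, as opposed to SignedData's own inner contentInfo) decides where the digest-algorithm OID sits in the DER. The Python below is an added example, not code from the patch or from EDK II: it walks the DER structure to extract the digestAlgorithms OIDs in both layouts and checks that only SHA-256 is used. The function names, the `need` helper and the constructed sample blobs are my own assumptions; the OID byte values are the standard encodings.

```python
SHA256_OID = bytes.fromhex("608648016503040201")       # 2.16.840.1.101.3.4.2.1
SIGNED_DATA_OID = bytes.fromhex("2A864886F70D010702")  # 1.2.840.113549.1.7.2

def tlv(tag, body):                       # encode one DER TLV
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf, pos=0):                 # -> (tag, value, position after it)
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                          # long-form length: n & 0x7F length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def need(tag, want, what):                # fail closed on an unexpected layout
    if tag != want:
        raise ValueError(f"expected {what} (tag 0x{want:02X}), got 0x{tag:02X}")

def digest_oids(blob):
    # digestAlgorithms OIDs of a SignedData, bare or wrapped in a ContentInfo.
    tag, body, _ = read_tlv(blob)
    need(tag, 0x30, "outer SEQUENCE")
    tag, val, nxt = read_tlv(body)
    if tag == 0x06 and val == SIGNED_DATA_OID:     # ContentInfo present: unwrap it
        tag, val, _ = read_tlv(body, nxt)
        need(tag, 0xA0, "[0] EXPLICIT content")
        tag, body, _ = read_tlv(val)
        need(tag, 0x30, "SignedData SEQUENCE")
        tag, val, nxt = read_tlv(body)
    need(tag, 0x02, "SignedData.version INTEGER")
    tag, algs, _ = read_tlv(body, nxt)
    need(tag, 0x31, "digestAlgorithms SET")
    oids, pos = [], 0
    while pos < len(algs):                         # SET OF AlgorithmIdentifier
        _, alg, pos = read_tlv(algs, pos)
        oids.append(read_tlv(alg)[1])              # AlgorithmIdentifier.algorithm
    return oids

def uses_only_sha256(blob):
    return (oids := digest_oids(blob)) != [] and all(o == SHA256_OID for o in oids)

def sample_signed_data(oid, wrap):
    # Constructed sample: version 1 plus one digest algorithm; the remaining
    # SignedData fields are omitted because this check never reads them.
    sd = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, tlv(0x30, tlv(0x06, oid))))
    return tlv(0x30, tlv(0x06, SIGNED_DATA_OID) + tlv(0xA0, sd)) if wrap else sd
```

Any layout the walker does not recognise raises `ValueError`, so a malformed wrapper is rejected rather than silently accepted.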