From: "Yao, Jiewen"
To: "Sheng, W", "devel@edk2.groups.io"
CC: "Wang, Jian J", "Xu, Min M", "Chen, Zeyi", "Wang, Fiona"
Subject: Re: [edk2-devel] [PATCH v4] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
Date: Tue, 25 Jul 2023 06:05:31 +0000
References: <20230706080626.1667-1-w.sheng@intel.com>
In-Reply-To: <20230706080626.1667-1-w.sheng@intel.com>
Thanks for the update, Wei.

From a process perspective, please always do the following:

1) Please describe the difference between this version and the previous version, so that we know what the delta is and can focus on the delta.
2) Please describe what testing has been done for this specific version, such as unit tests, integration tests, etc.
3) Please split the patch by package. The reason is that we need different reviewers for each package.

For the patch, I have the comment below:

1) Please don't use magic numbers. Please always define a MACRO for better maintenance.

+ if (KeyInfo->KeyType == 0) {

Please use "if (KeyInfo->KeyType == KEY_TYPE_RSASSA) {"

Thank you
Yao, Jiewen

> -----Original Message-----
> From: Sheng, W
> Sent: Thursday, July 6, 2023 4:06 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen; Wang, Jian J; Xu, Min M; Chen, Zeyi; Wang, Fiona
> Subject: [PATCH v4] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413
>
> Cc: Jiewen Yao
> Cc: Jian J Wang
> Cc: Min Xu
> Cc: Zeyi Chen
> Cc: Fiona Wang
> Signed-off-by: Sheng Wei > --- > CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- > MdePkg/Include/Guid/ImageAuthentication.h | 26 +++ > MdePkg/MdePkg.dec | 2 + > .../Library/AuthVariableLib/AuthService.c | 220 +++++++++++++++--- > .../AuthVariableLib/AuthServiceInternal.h | 4 +- > .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++-- > .../DxeImageVerificationLib.c | 73 +++--- > .../SecureBootConfigDxe.inf | 16 ++ > .../SecureBootConfigImpl.c | 114 +++++++-- > .../SecureBootConfigImpl.h | 2 + > .../SecureBootConfigStrings.uni | 6 + > 11 files changed, 416 insertions(+), 92 deletions(-) >=20 > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > index 027dbb6842..944bcf8d38 100644 > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > @@ -591,7 +591,8 @@ ImageTimestampVerify ( > // Register & Initialize necessary digest algorithms for PKCS#7 Handli= ng. >=20 > // >=20 > if ((EVP_add_digest (EVP_md5 ()) =3D=3D 0) || (EVP_add_digest (EVP_sha= 1 ()) =3D=3D 0) > || >=20 > - (EVP_add_digest (EVP_sha256 ()) =3D=3D 0) || ((EVP_add_digest_alia= s > (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) =3D=3D 0)) >=20 > + (EVP_add_digest (EVP_sha256 ()) =3D=3D 0) || (EVP_add_digest (EVP_= sha384 ()) > =3D=3D 0) || >=20 > + (EVP_add_digest (EVP_sha512 ()) =3D=3D 0) || ((EVP_add_digest_alia= s > (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) =3D=3D 0)) >=20 > { >=20 > return FALSE; >=20 > } >=20 > diff --git a/MdePkg/Include/Guid/ImageAuthentication.h > b/MdePkg/Include/Guid/ImageAuthentication.h > index fe83596571..c8ea2c14fb 100644 > --- a/MdePkg/Include/Guid/ImageAuthentication.h > +++ b/MdePkg/Include/Guid/ImageAuthentication.h 
> @@ -144,6 +144,30 @@ typedef struct { > 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb= 3, 0xb6} > \ >=20 > } >=20 >=20 >=20 > +/// >=20 > +/// This identifies a signature containing an RSA-3072 key. The key (onl= y the > modulus >=20 > +/// since the public key exponent is known to be 0x10001) shall be store= d in big- > endian >=20 > +/// order. >=20 > +/// The SignatureHeader size shall always be 0. The SignatureSize shall = always be > 16 (size >=20 > +/// of SignatureOwner component) + 384 bytes. >=20 > +/// >=20 > +#define EFI_CERT_RSA3072_GUID \ >=20 > + { \ >=20 > + 0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xe= e, > 0x92 } \ >=20 > + } >=20 > + >=20 > +/// >=20 > +/// This identifies a signature containing an RSA-4096 key. The key (onl= y the > modulus >=20 > +/// since the public key exponent is known to be 0x10001) shall be store= d in big- > endian >=20 > +/// order. >=20 > +/// The SignatureHeader size shall always be 0. The SignatureSize shall = always be > 16 (size >=20 > +/// of SignatureOwner component) + 512 bytes. >=20 > +/// >=20 > +#define EFI_CERT_RSA4096_GUID \ >=20 > + { \ >=20 > + 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x9= 8, > 0x2c } \ >=20 > + } >=20 > + >=20 > /// >=20 > /// This identifies a signature containing a RSA-2048 signature of a SHA= -256 hash. > The >=20 > /// SignatureHeader size shall always be 0. The SignatureSize shall alwa= ys be 16 > (size of >=20 > @@ -330,6 +354,8 @@ typedef struct { > extern EFI_GUID gEfiImageSecurityDatabaseGuid; >=20 > extern EFI_GUID gEfiCertSha256Guid; >=20 > extern EFI_GUID gEfiCertRsa2048Guid; >=20 > +extern EFI_GUID gEfiCertRsa3072Guid; >=20 > +extern EFI_GUID gEfiCertRsa4096Guid; >=20 > extern EFI_GUID gEfiCertRsa2048Sha256Guid; >=20 > extern EFI_GUID gEfiCertSha1Guid; >=20 > extern EFI_GUID gEfiCertRsa2048Sha1Guid; >=20 > diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec > index d6c4179b2a..c88e88fa6b 100644 
> --- a/MdePkg/MdePkg.dec > +++ b/MdePkg/MdePkg.dec > @@ -571,6 +571,8 @@ > gEfiImageSecurityDatabaseGuid =3D { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3= , 0xbc, > 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f }} >=20 > gEfiCertSha256Guid =3D { 0xc1c41626, 0x504c, 0x4092, {0xac= , 0xa9, 0x41, > 0xf9, 0x36, 0x93, 0x43, 0x28 }} >=20 > gEfiCertRsa2048Guid =3D { 0x3c5766e8, 0x269c, 0x4e34, {0xaa= , 0x14, 0xed, > 0x77, 0x6e, 0x85, 0xb3, 0xb6 }} >=20 > + gEfiCertRsa3072Guid =3D { 0xedd320c2, 0xb057, 0x4b8e, {0xad= , 0x46, 0x2c, > 0x9b, 0x85, 0x89, 0xee, 0x92 }} >=20 > + gEfiCertRsa4096Guid =3D { 0xb23e89a6, 0x8c8b, 0x4412, {0x85= , 0x73, > 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c }} >=20 > gEfiCertRsa2048Sha256Guid =3D { 0xe2b36190, 0x879b, 0x4a3d, {0xad= , 0x8d, > 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }} >=20 > gEfiCertSha1Guid =3D { 0x826ca512, 0xcf10, 0x4ac9, {0xb1= , 0x87, 0xbe, > 0x1, 0x49, 0x66, 0x31, 0xbd }} >=20 > gEfiCertRsa2048Sha1Guid =3D { 0x67f8444f, 0x8743, 0x48f1, {0xa3= , 0x28, > 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }} >=20 > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c > b/SecurityPkg/Library/AuthVariableLib/AuthService.c > index d81c581d78..4c268a85cd 100644 > --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c > +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c 
> @@ -29,12 +29,125 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #include >=20 > #include >=20 >=20 >=20 > +#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE >=20 > + >=20 > +/** >=20 > + Retrieves the size, in bytes, of the context buffer required for hash = operations. >=20 > + >=20 > + If this interface is not supported, then return zero. >=20 > + >=20 > + @return The size, in bytes, of the context buffer required for hash o= perations. >=20 > + @retval 0 This interface is not supported. >=20 > + >=20 > +**/ >=20 > +typedef >=20 > +UINTN >=20 > +(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE)( >=20 > + VOID >=20 > + ); >=20 > + >=20 > +/** >=20 > + Initializes user-supplied memory pointed by Sha1Context as hash contex= t for >=20 > + subsequent use. >=20 > + >=20 > + If HashContext is NULL, then return FALSE. >=20 > + If this interface is not supported, then return FALSE. >=20 > + >=20 > + @param[out] HashContext Pointer to Hashcontext being initialized. >=20 > + >=20 > + @retval TRUE Hash context initialization succeeded. >=20 > + @retval FALSE Hash context initialization failed. >=20 > + @retval FALSE This interface is not supported. >=20 > + >=20 > +**/ >=20 > +typedef >=20 > +BOOLEAN >=20 > +(EFIAPI *EFI_HASH_INIT)( >=20 > + OUT VOID *HashContext >=20 > + ); >=20 > + >=20 > +/** >=20 > + Digests the input data and updates Hash context. >=20 > + >=20 > + This function performs Hash digest on a data buffer of the specified s= ize. >=20 > + It can be called multiple times to compute the digest of long or disco= ntinuous > data streams. >=20 > + Hash context should be already correctly initialized by HashInit(), an= d should > not be finalized >=20 > + by HashFinal(). Behavior with invalid context is undefined. >=20 > + >=20 > + If HashContext is NULL, then return FALSE. >=20 > + If this interface is not supported, then return FALSE. >=20 > + >=20 > + @param[in, out] HashContext Pointer to the Hash context. 
>=20 > + @param[in] Data Pointer to the buffer containing the dat= a to be > hashed. >=20 > + @param[in] DataSize Size of Data buffer in bytes. >=20 > + >=20 > + @retval TRUE SHA-1 data digest succeeded. >=20 > + @retval FALSE SHA-1 data digest failed. >=20 > + @retval FALSE This interface is not supported. >=20 > + >=20 > +**/ >=20 > +typedef >=20 > +BOOLEAN >=20 > +(EFIAPI *EFI_HASH_UPDATE)( >=20 > + IN OUT VOID *HashContext, >=20 > + IN CONST VOID *Data, >=20 > + IN UINTN DataSize >=20 > + ); >=20 > + >=20 > +/** >=20 > + Completes computation of the Hash digest value. >=20 > + >=20 > + This function completes hash computation and retrieves the digest valu= e into >=20 > + the specified memory. After this function has been called, the Hash co= ntext > cannot >=20 > + be used again. >=20 > + Hash context should be already correctly initialized by HashInit(), an= d should > not be >=20 > + finalized by HashFinal(). Behavior with invalid Hash context is undefi= ned. >=20 > + >=20 > + If HashContext is NULL, then return FALSE. >=20 > + If HashValue is NULL, then return FALSE. >=20 > + If this interface is not supported, then return FALSE. >=20 > + >=20 > + @param[in, out] HashContext Pointer to the Hash context. >=20 > + @param[out] HashValue Pointer to a buffer that receives the Ha= sh digest >=20 > + value. >=20 > + >=20 > + @retval TRUE Hash digest computation succeeded. >=20 > + @retval FALSE Hash digest computation failed. >=20 > + @retval FALSE This interface is not supported. 
>=20 > + >=20 > +**/ >=20 > +typedef >=20 > +BOOLEAN >=20 > +(EFIAPI *EFI_HASH_FINAL)( >=20 > + IN OUT VOID *HashContext, >=20 > + OUT UINT8 *HashValue >=20 > + ); >=20 > + >=20 > +typedef struct { >=20 > + UINT32 HashSize; >=20 > + EFI_HASH_GET_CONTEXT_SIZE GetContextSize; >=20 > + EFI_HASH_INIT Init; >=20 > + EFI_HASH_UPDATE Update; >=20 > + EFI_HASH_FINAL Final; >=20 > + VOID **HashShaCtx; >=20 > + UINT8 *OidValue; >=20 > + UINTN OidLength; >=20 > +} EFI_HASH_INFO; >=20 > + >=20 > // >=20 > // Public Exponent of RSA Key. >=20 > // >=20 > CONST UINT8 mRsaE[] =3D { 0x01, 0x00, 0x01 }; >=20 >=20 >=20 > -CONST UINT8 mSha256OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,= 0x04, > 0x02, 0x01 }; >=20 > +UINT8 mSha256OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,= 0x02, > 0x01 }; >=20 > +UINT8 mSha384OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,= 0x02, > 0x02 }; >=20 > +UINT8 mSha512OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,= 0x02, > 0x03 }; >=20 > + >=20 > +EFI_HASH_INFO mHashInfo[] =3D { >=20 > + {SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, > Sha256Final, &mHashSha256Ctx, mSha256OidValue, 9}, >=20 > + {SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, Sha384Update, > Sha384Final, &mHashSha384Ctx, mSha384OidValue, 9}, >=20 > + {SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, Sha512Update, > Sha512Final, &mHashSha512Ctx, mSha512OidValue, 9}, >=20 > +}; >=20 >=20 >=20 > // >=20 > // Requirement for different signature type which have been defined in U= EFI > spec. >=20 > @@ -44,6 +157,8 @@ EFI_SIGNATURE_ITEM mSupportSigItem[] =3D { > // {SigType, SigHeaderSize, SigDataSize } >=20 > { EFI_CERT_SHA256_GUID, 0, 32 }, >=20 > { EFI_CERT_RSA2048_GUID, 0, 256 }, >=20 > + { EFI_CERT_RSA3072_GUID, 0, 384 }, >=20 > + { EFI_CERT_RSA4096_GUID, 0, 512 }, >=20 > { EFI_CERT_RSA2048_SHA256_GUID, 0, 256 }, >=20 > { EFI_CERT_SHA1_GUID, 0, 20 }, >=20 > { EFI_CERT_RSA2048_SHA1_GUID, 0, 256 }, >=20 
> @@ -1090,26 +1205,28 @@ AuthServiceInternalCompareTimeStamp ( > } >=20 >=20 >=20 > /** >=20 > - Calculate SHA256 digest of SignerCert CommonName + ToplevelCert > tbsCertificate >=20 > + Calculate SHA digest of SignerCert CommonName + ToplevelCert tbsCertif= icate >=20 > SignerCert and ToplevelCert are inside the signer certificate chain. >=20 >=20 >=20 > + @param[in] HashAlgId Hash algorithm index >=20 > @param[in] SignerCert A pointer to SignerCert data. >=20 > @param[in] SignerCertSize Length of SignerCert data. >=20 > @param[in] TopLevelCert A pointer to TopLevelCert data. >=20 > @param[in] TopLevelCertSize Length of TopLevelCert data. >=20 > - @param[out] Sha256Digest Sha256 digest calculated. >=20 > + @param[out] ShaDigest Sha digest calculated. >=20 >=20 >=20 > @return EFI_ABORTED Digest process failed. >=20 > - @return EFI_SUCCESS SHA256 Digest is successfully calculated. >=20 > + @return EFI_SUCCESS SHA Digest is successfully calculated. >=20 >=20 >=20 > **/ >=20 > EFI_STATUS >=20 > -CalculatePrivAuthVarSignChainSHA256Digest ( >=20 > +CalculatePrivAuthVarSignChainSHADigest ( >=20 > + IN UINT8 HashAlgId, >=20 > IN UINT8 *SignerCert, >=20 > IN UINTN SignerCertSize, >=20 > IN UINT8 *TopLevelCert, >=20 > IN UINTN TopLevelCertSize, >=20 > - OUT UINT8 *Sha256Digest >=20 > + OUT UINT8 *ShaDigest >=20 > ) >=20 > { >=20 > UINT8 *TbsCert; >=20 > @@ -1119,6 +1236,11 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > BOOLEAN CryptoStatus; >=20 > EFI_STATUS Status; >=20 >=20 >=20 > + if (HashAlgId >=3D (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { >=20 > + DEBUG ((DEBUG_INFO, "%a Unsupported Hash Algorithm %d\n", __func__, > HashAlgId)); >=20 > + return EFI_ABORTED; >=20 > + } >=20 > + >=20 > CertCommonNameSize =3D sizeof (CertCommonName); >=20 >=20 >=20 > // >=20 
> @@ -1141,8 +1263,8 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > // >=20 > // Digest SignerCert CN + TopLevelCert tbsCertificate >=20 > // >=20 > - ZeroMem (Sha256Digest, SHA256_DIGEST_SIZE); >=20 > - CryptoStatus =3D Sha256Init (mHashCtx); >=20 > + ZeroMem (ShaDigest, mHashInfo[HashAlgId].HashSize); >=20 > + CryptoStatus =3D mHashInfo[HashAlgId].Init > (*(mHashInfo[HashAlgId].HashShaCtx)); >=20 > if (!CryptoStatus) { >=20 > return EFI_ABORTED; >=20 > } >=20 > @@ -1150,8 +1272,8 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > // >=20 > // '\0' is forced in CertCommonName. No overflow issue >=20 > // >=20 > - CryptoStatus =3D Sha256Update ( >=20 > - mHashCtx, >=20 > + CryptoStatus =3D mHashInfo[HashAlgId].Update ( >=20 > + *(mHashInfo[HashAlgId].HashShaCtx), >=20 > CertCommonName, >=20 > AsciiStrLen (CertCommonName) >=20 > ); >=20 > @@ -1159,12 +1281,12 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > return EFI_ABORTED; >=20 > } >=20 >=20 >=20 > - CryptoStatus =3D Sha256Update (mHashCtx, TbsCert, TbsCertSize); >=20 > + CryptoStatus =3D mHashInfo[HashAlgId].Update > (*(mHashInfo[HashAlgId].HashShaCtx), TbsCert, TbsCertSize); >=20 > if (!CryptoStatus) { >=20 > return EFI_ABORTED; >=20 > } >=20 >=20 >=20 > - CryptoStatus =3D Sha256Final (mHashCtx, Sha256Digest); >=20 > + CryptoStatus =3D mHashInfo[HashAlgId].Final > (*(mHashInfo[HashAlgId].HashShaCtx), ShaDigest); >=20 > if (!CryptoStatus) { >=20 > return EFI_ABORTED; >=20 > } >=20 
> @@ -1516,9 +1638,10 @@ DeleteCertsFromDb ( > /** >=20 > Insert signer's certificates for common authenticated variable with > VariableName >=20 > and VendorGuid in AUTH_CERT_DB_DATA to "certdb" or "certdbv" according= to >=20 > - time based authenticated variable attributes. CertData is the SHA256 d= igest of >=20 > + time based authenticated variable attributes. CertData is the SHA dige= st of >=20 > SignerCert CommonName + TopLevelCert tbsCertificate. >=20 >=20 >=20 > + @param[in] HashAlgId Hash algorithm index. >=20 > @param[in] VariableName Name of authenticated Variable. >=20 > @param[in] VendorGuid Vendor GUID of authenticated Variable. >=20 > @param[in] Attributes Attributes of authenticated variable. >=20 > @@ -1536,6 +1659,7 @@ DeleteCertsFromDb ( > **/ >=20 > EFI_STATUS >=20 > InsertCertsToDb ( >=20 > + IN UINT8 HashAlgId, >=20 > IN CHAR16 *VariableName, >=20 > IN EFI_GUID *VendorGuid, >=20 > IN UINT32 Attributes, >=20 > @@ -1556,12 +1680,16 @@ InsertCertsToDb ( > UINT32 CertDataSize; >=20 > AUTH_CERT_DB_DATA *Ptr; >=20 > CHAR16 *DbName; >=20 > - UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; >=20 > + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; >=20 >=20 >=20 > if ((VariableName =3D=3D NULL) || (VendorGuid =3D=3D NULL) || (SignerC= ert =3D=3D NULL) || > (TopLevelCert =3D=3D NULL)) { >=20 > return EFI_INVALID_PARAMETER; >=20 > } >=20 >=20 >=20 > + if (HashAlgId >=3D (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { >=20 > + return EFI_INVALID_PARAMETER; >=20 > + } >=20 > + >=20 > if ((Attributes & EFI_VARIABLE_NON_VOLATILE) !=3D 0) { >=20 > // >=20 > // Get variable "certdb". >=20 
> @@ -1618,20 +1746,22 @@ InsertCertsToDb ( > // Construct new data content of variable "certdb" or "certdbv". >=20 > // >=20 > NameSize =3D (UINT32)StrLen (VariableName); >=20 > - CertDataSize =3D sizeof (Sha256Digest); >=20 > + CertDataSize =3D mHashInfo[HashAlgId].HashSize; >=20 > CertNodeSize =3D sizeof (AUTH_CERT_DB_DATA) + (UINT32)CertDataSize + > NameSize * sizeof (CHAR16); >=20 > NewCertDbSize =3D (UINT32)DataSize + CertNodeSize; >=20 > if (NewCertDbSize > mMaxCertDbSize) { >=20 > return EFI_OUT_OF_RESOURCES; >=20 > } >=20 >=20 >=20 > - Status =3D CalculatePrivAuthVarSignChainSHA256Digest ( >=20 > + Status =3D CalculatePrivAuthVarSignChainSHADigest ( >=20 > + HashAlgId, >=20 > SignerCert, >=20 > SignerCertSize, >=20 > TopLevelCert, >=20 > TopLevelCertSize, >=20 > - Sha256Digest >=20 > + ShaDigest >=20 > ); >=20 > + >=20 > if (EFI_ERROR (Status)) { >=20 > return Status; >=20 > } >=20 > @@ -1663,7 +1793,7 @@ InsertCertsToDb ( >=20 >=20 > CopyMem ( >=20 > (UINT8 *)Ptr + sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof (CHAR= 16), >=20 > - Sha256Digest, >=20 > + ShaDigest, >=20 > CertDataSize >=20 > ); >=20 >=20 >=20 
> @@ -1790,6 +1920,36 @@ CleanCertsFromDb ( > return Status; >=20 > } >=20 >=20 >=20 > +/** >=20 > + Find hash algorithm index >=20 > + >=20 > + @param[in] SigData Pointer to the PKCS#7 message >=20 > + @param[in] SigDataSize Length of the PKCS#7 message >=20 > + >=20 > + @retval UINT8 Hash Algorithm Index >=20 > +**/ >=20 > +UINT8 >=20 > +FindHashAlgorithmIndex ( >=20 > + IN UINT8 *SigData, >=20 > + IN UINT32 SigDataSize >=20 > +) >=20 > +{ >=20 > + UINT8 i; >=20 > + >=20 > + for (i =3D 0; i < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO)); i++) = { >=20 > + if ( ( (SigDataSize >=3D (13 + mHashInfo[i].OidLength)) >=20 > + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) =3D=3D TWO_BYTE_ENCO= DE) >=20 > + && (CompareMem (SigData + 13, mHashInfo[i].OidValue, > mHashInfo[i].OidLength) =3D=3D 0))) >=20 > + || (( (SigDataSize >=3D (32 + mHashInfo[i].OidLength))) >=20 > + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) =3D=3D TWO_BYTE_ENCOD= E) >=20 > + && (CompareMem (SigData + 32, mHashInfo[i].OidValue, > mHashInfo[i].OidLength) =3D=3D 0)))) >=20 > + { >=20 > + break; >=20 > + } >=20 > + } >=20 > + return i; >=20 > +} >=20 > + >=20 > /** >=20 > Process variable with > EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set >=20 >=20 >=20 > @@ -1857,8 +2017,9 @@ VerifyTimeBasedPayload ( > UINTN CertStackSize; >=20 > UINT8 *CertsInCertDb; >=20 > UINT32 CertsSizeinDb; >=20 > - UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; >=20 > + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; >=20 > EFI_CERT_DATA *CertDataPtr; >=20 > + UINT8 HashAlgId; >=20 >=20 >=20 > // >=20 > // 1. TopLevelCert is the top-level issuer certificate in signature Si= gner Cert > Chain >=20 
> @@ -1928,7 +2089,7 @@ VerifyTimeBasedPayload ( >=20 >=20 > // >=20 > // SignedData.digestAlgorithms shall contain the digest algorithm used= when > preparing the >=20 > - // signature. Only a digest algorithm of SHA-256 is accepted. >=20 > + // signature. Only a digest algorithm of SHA-256, SHA-384 or SHA-512 i= s > accepted. >=20 > // >=20 > // According to PKCS#7 Definition (https://www.rfc-editor.org/rfc/r= fc2315): >=20 > // SignedData ::=3D SEQUENCE { >=20 > @@ -1972,14 +2133,9 @@ VerifyTimeBasedPayload ( > // >=20 > // Example generated with: > https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Se= cure_ > Boot#Manual_process >=20 > // >=20 > + HashAlgId =3D FindHashAlgorithmIndex (SigData, SigDataSize); >=20 > if ((Attributes & > EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) !=3D 0) { >=20 > - if ( ( (SigDataSize >=3D (13 + sizeof (mSha256OidValue))) >=20 > - && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE= ) >=20 > - || (CompareMem (SigData + 13, &mSha256OidValue, sizeof > (mSha256OidValue)) !=3D 0))) >=20 > - && ( (SigDataSize >=3D (32 + sizeof (mSha256OidValue))) >=20 > - && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCOD= E) >=20 > - || (CompareMem (SigData + 32, &mSha256OidValue, sizeof > (mSha256OidValue)) !=3D 0)))) >=20 > - { >=20 > + if (HashAlgId >=3D (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { >=20 > return EFI_SECURITY_VIOLATION; >=20 > } >=20 > } >=20 
> @@ -2170,19 +2326,20 @@ VerifyTimeBasedPayload ( > goto Exit; >=20 > } >=20 >=20 >=20 > - if (CertsSizeinDb =3D=3D SHA256_DIGEST_SIZE) { >=20 > + if ((HashAlgId < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) && > (CertsSizeinDb =3D=3D mHashInfo[HashAlgId].HashSize)) { >=20 > // >=20 > // Check hash of signer cert CommonName + Top-level issuer tbsCe= rtificate > against data in CertDb >=20 > // >=20 > CertDataPtr =3D (EFI_CERT_DATA *)(SignerCerts + 1); >=20 > - Status =3D CalculatePrivAuthVarSignChainSHA256Digest ( >=20 > + Status =3D CalculatePrivAuthVarSignChainSHADigest ( >=20 > + HashAlgId, >=20 > CertDataPtr->CertDataBuffer, >=20 > ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDa= taLength)), >=20 > TopLevelCert, >=20 > TopLevelCertSize, >=20 > - Sha256Digest >=20 > + ShaDigest >=20 > ); >=20 > - if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, CertsInCert= Db, > CertsSizeinDb) !=3D 0)) { >=20 > + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb, > CertsSizeinDb) !=3D 0)) { >=20 > goto Exit; >=20 > } >=20 > } else { >=20 > @@ -2215,6 +2372,7 @@ VerifyTimeBasedPayload ( > // >=20 > CertDataPtr =3D (EFI_CERT_DATA *)(SignerCerts + 1); >=20 > Status =3D InsertCertsToDb ( >=20 > + HashAlgId, >=20 > VariableName, >=20 > VendorGuid, >=20 > Attributes, >=20 > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h > b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h > index b202e613bc..f7bf771d55 100644 > --- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h > +++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h > @@ -92,7 +92,9 @@ extern UINT32 mMaxCertDbSize; > extern UINT32 mPlatformMode; >=20 > extern UINT8 mVendorKeyState; >=20 >=20 >=20 > -extern VOID *mHashCtx; >=20 > +extern VOID *mHashSha256Ctx; >=20 > +extern VOID *mHashSha384Ctx; >=20 > +extern VOID *mHashSha512Ctx; >=20 >=20 >=20 > extern AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn; >=20 >=20 >=20 
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > index dc61ae840c..19e0004699 100644 > --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > @@ -26,12 +26,14 @@ UINT32 mMaxCertDbSize; > UINT32 mPlatformMode; >=20 > UINT8 mVendorKeyState; >=20 >=20 >=20 > -EFI_GUID mSignatureSupport[] =3D { EFI_CERT_SHA1_GUID, > EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID }; >=20 > +EFI_GUID mSignatureSupport[] =3D { EFI_CERT_SHA1_GUID, > EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID, > EFI_CERT_RSA2048_GUID, EFI_CERT_RSA3072_GUID, > EFI_CERT_RSA4096_GUID, EFI_CERT_X509_GUID }; >=20 >=20 >=20 > // >=20 > // Hash context pointer >=20 > // >=20 > -VOID *mHashCtx =3D NULL; >=20 > +VOID *mHashSha256Ctx =3D NULL; >=20 > +VOID *mHashSha384Ctx =3D NULL; >=20 > +VOID *mHashSha512Ctx =3D NULL; >=20 >=20 >=20 > VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] =3D { >=20 > { >=20 > @@ -91,7 +93,7 @@ VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] =3D { > }, >=20 > }; >=20 >=20 >=20 > -VOID **mAuthVarAddressPointer[9]; >=20 > +VOID **mAuthVarAddressPointer[11]; >=20 >=20 >=20 > AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn =3D NULL; >=20 >=20 >=20 > @@ -120,7 +122,6 @@ AuthVariableLibInitialize ( > UINT32 VarAttr; >=20 > UINT8 *Data; >=20 > UINTN DataSize; >=20 > - UINTN CtxSize; >=20 > UINT8 SecureBootMode; >=20 > UINT8 SecureBootEnable; >=20 > UINT8 CustomMode; >=20 
> @@ -135,9 +136,18 @@ AuthVariableLibInitialize ( > // >=20 > // Initialize hash context. >=20 > // >=20 > - CtxSize =3D Sha256GetContextSize (); >=20 > - mHashCtx =3D AllocateRuntimePool (CtxSize); >=20 > - if (mHashCtx =3D=3D NULL) { >=20 > + mHashSha256Ctx =3D AllocateRuntimePool (Sha256GetContextSize ()); >=20 > + if (mHashSha256Ctx =3D=3D NULL) { >=20 > + return EFI_OUT_OF_RESOURCES; >=20 > + } >=20 > + >=20 > + mHashSha384Ctx =3D AllocateRuntimePool (Sha384GetContextSize ()); >=20 > + if (mHashSha384Ctx =3D=3D NULL) { >=20 > + return EFI_OUT_OF_RESOURCES; >=20 > + } >=20 > + >=20 > + mHashSha512Ctx =3D AllocateRuntimePool (Sha512GetContextSize ()); >=20 > + if (mHashSha512Ctx =3D=3D NULL) { >=20 > return EFI_OUT_OF_RESOURCES; >=20 > } >=20 >=20 >=20 
> @@ -356,14 +366,16 @@ AuthVariableLibInitialize ( > AuthVarLibContextOut->AuthVarEntry =3D mAuthVarEntry; >=20 > AuthVarLibContextOut->AuthVarEntryCount =3D ARRAY_SIZE (mAuthVarEntr= y); >=20 > mAuthVarAddressPointer[0] =3D (VOID **)&mCertDbStore; >=20 > - mAuthVarAddressPointer[1] =3D (VOID **)&mHashCtx; >=20 > - mAuthVarAddressPointer[2] =3D (VOID **)&mAuthVarLibCon= textIn; >=20 > - mAuthVarAddressPointer[3] =3D (VOID **)&(mAuthVarLibCo= ntextIn- > >FindVariable), >=20 > - mAuthVarAddressPointer[4] =3D (VOID **)&(mAuthVarLibCo= ntextIn- > >FindNextVariable), >=20 > - mAuthVarAddressPointer[5] =3D (VOID **)&(mAuthVarLibCo= ntextIn- > >UpdateVariable), >=20 > - mAuthVarAddressPointer[6] =3D (VOID **)&(mAuthVarLibCo= ntextIn- > >GetScratchBuffer), >=20 > - mAuthVarAddressPointer[7] =3D (VOID **)&(mAuthVarLibCo= ntextIn- > >CheckRemainingSpaceForConsistency), >=20 > - mAuthVarAddressPointer[8] =3D (VOID **)&(mAuthVarLibCo= ntextIn- > >AtRuntime), >=20 > + mAuthVarAddressPointer[1] =3D (VOID **)&mHashSha256Ctx= ; >=20 > + mAuthVarAddressPointer[2] =3D (VOID **)&mHashSha384Ctx= ; >=20 > + mAuthVarAddressPointer[3] =3D (VOID **)&mHashSha512Ctx= ; >=20 > + mAuthVarAddressPointer[4] =3D (VOID **)&mAuthVarLibCon= textIn; >=20 > + mAuthVarAddressPointer[5] =3D (VOID **)&(mAuthVarLibCo= ntextIn- > >FindVariable), >=20 > + mAuthVarAddressPointer[6] =3D (VOID **)&(mAuthVarLibCo= ntextIn- > >FindNextVariable), >=20 > + mAuthVarAddressPointer[7] =3D (VOID **)&(mAuthVarLibCo= ntextIn- > >UpdateVariable), >=20 > + mAuthVarAddressPointer[8] =3D (VOID **)&(mAuthVarLibCo= ntextIn- > >GetScratchBuffer), >=20 > + mAuthVarAddressPointer[9] =3D (VOID **)&(mAuthVarLibCo= ntextIn- > >CheckRemainingSpaceForConsistency), >=20 > + mAuthVarAddressPointer[10] =3D (VOID **)&(mAuthVarLibC= ontextIn- > >AtRuntime), >=20 > AuthVarLibContextOut->AddressPointer =3D mAuthVarAddressPointer; >=20 > AuthVarLibContextOut->AddressPointerCount =3D ARRAY_SIZE > (mAuthVarAddressPointer); >=20 >=20 >=20 
> diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 5d8dbd5468..88b2d3c6c1 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .c > @@ -1620,7 +1620,7 @@ Done: > in the security database "db", and no valid signature nor any hash= value of the > image may >=20 > be reflected in the security database "dbx". >=20 > Otherwise, the image is not signed, >=20 > - The SHA256 hash value of the image must match a record in the secu= rity > database "db", and >=20 > + The hash value of the image must match a record in the security da= tabase > "db", and >=20 > not be reflected in the security data base "dbx". >=20 >=20 >=20 > Caution: This function may receive untrusted input. >=20 > @@ -1690,6 +1690,8 @@ DxeImageVerificationHandler ( > EFI_STATUS VarStatus; >=20 > UINT32 VarAttr; >=20 > BOOLEAN IsFound; >=20 > + UINT8 HashAlg; >=20 > + BOOLEAN IsFoundInDatabase; >=20 >=20 >=20 > SignatureList =3D NULL; >=20 > SignatureListSize =3D 0; >=20 > @@ -1699,6 +1701,7 @@ DxeImageVerificationHandler ( > Action =3D EFI_IMAGE_EXECUTION_AUTH_UNTESTED; >=20 > IsVerified =3D FALSE; >=20 > IsFound =3D FALSE; >=20 > + IsFoundInDatabase =3D FALSE; >=20 >=20 >=20 > // >=20 > // Check the image type and get policy setting. >=20 
> @@ -1837,40 +1840,50 @@ DxeImageVerificationHandler ( > // >=20 > if ((SecDataDir =3D=3D NULL) || (SecDataDir->Size =3D=3D 0)) { >=20 > // >=20 > - // This image is not signed. The SHA256 hash value of the image must= match a > record in the security database "db", >=20 > + // This image is not signed. The hash value of the image must match = a record > in the security database "db", >=20 > // and not be reflected in the security data base "dbx". >=20 > // >=20 > - if (!HashPeImage (HASHALG_SHA256)) { >=20 > - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this = image > using %s.\n", mHashTypeStr)); >=20 > - goto Failed; >=20 > - } >=20 > + HashAlg =3D sizeof (mHash) / sizeof (HASH_TABLE); >=20 > + while (HashAlg > 0) { >=20 > + HashAlg--; >=20 > + if ((mHash[HashAlg].GetContextSize =3D=3D NULL) || (mHash[HashAlg]= .HashInit > =3D=3D NULL) || (mHash[HashAlg].HashUpdate =3D=3D NULL) || > (mHash[HashAlg].HashFinal =3D=3D NULL)) { >=20 > + continue; >=20 > + } >=20 > + if (!HashPeImage (HashAlg)) { >=20 > + continue; >=20 > + } >=20 >=20 >=20 > - DbStatus =3D IsSignatureFoundInDatabase ( >=20 > - EFI_IMAGE_SECURITY_DATABASE1, >=20 > - mImageDigest, >=20 > - &mCertType, >=20 > - mImageDigestSize, >=20 > - &IsFound >=20 > - ); >=20 > - if (EFI_ERROR (DbStatus) || IsFound) { >=20 > - // >=20 > - // Image Hash is in forbidden database (DBX). >=20 > - // >=20 > - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed = and %s > hash of image is forbidden by DBX.\n", mHashTypeStr)); >=20 > - goto Failed; >=20 > + DbStatus =3D IsSignatureFoundInDatabase ( >=20 > + EFI_IMAGE_SECURITY_DATABASE1, >=20 > + mImageDigest, >=20 > + &mCertType, >=20 > + mImageDigestSize, >=20 > + &IsFound >=20 > + ); >=20 > + if (EFI_ERROR (DbStatus) || IsFound) { >=20 > + // >=20 > + // Image Hash is in forbidden database (DBX). 
>=20 > + // >=20 > + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signe= d > and %s hash of image is forbidden by DBX.\n", mHashTypeStr)); >=20 > + goto Failed; >=20 > + } >=20 > + >=20 > + DbStatus =3D IsSignatureFoundInDatabase ( >=20 > + EFI_IMAGE_SECURITY_DATABASE, >=20 > + mImageDigest, >=20 > + &mCertType, >=20 > + mImageDigestSize, >=20 > + &IsFound >=20 > + ); >=20 > + if (!EFI_ERROR (DbStatus) && IsFound) { >=20 > + // >=20 > + // Image Hash is in allowed database (DB). >=20 > + // >=20 > + IsFoundInDatabase =3D TRUE; >=20 > + } >=20 > } >=20 >=20 >=20 > - DbStatus =3D IsSignatureFoundInDatabase ( >=20 > - EFI_IMAGE_SECURITY_DATABASE, >=20 > - mImageDigest, >=20 > - &mCertType, >=20 > - mImageDigestSize, >=20 > - &IsFound >=20 > - ); >=20 > - if (!EFI_ERROR (DbStatus) && IsFound) { >=20 > - // >=20 > - // Image Hash is in allowed database (DB). >=20 > - // >=20 > + if (IsFoundInDatabase) { >=20 > return EFI_SUCCESS; >=20 > } >=20 >=20 >=20 > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigD= x > e.inf > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigD= x > e.inf > index 1671d5be7c..cb52a16c09 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigD= x > e.inf > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigD= x > e.inf 
> @@ -70,6 +70,14 @@ > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type= of the > signature. >=20 > gEfiCertRsa2048Guid >=20 >=20 >=20 > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type= of the > signature. >=20 > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type= of the > signature. >=20 > + gEfiCertRsa3072Guid >=20 > + >=20 > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type= of the > signature. >=20 > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type= of the > signature. >=20 > + gEfiCertRsa4096Guid >=20 > + >=20 > ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type= of the > signature. >=20 > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type= of the > signature. >=20 > gEfiCertX509Guid >=20 > @@ -82,6 +90,14 @@ > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type= of the > signature. >=20 > gEfiCertSha256Guid >=20 >=20 >=20 > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type= of the > signature. >=20 > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type= of the > signature. >=20 > + gEfiCertSha384Guid >=20 > + >=20 > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type= of the > signature. >=20 > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type= of the > signature. >=20 > + gEfiCertSha512Guid >=20 > + >=20 > ## SOMETIMES_CONSUMES ## Variable:L"db" >=20 > ## SOMETIMES_PRODUCES ## Variable:L"db" >=20 > ## SOMETIMES_CONSUMES ## Variable:L"dbx" >=20 > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI= m > pl.c > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI= m > pl.c > index 0e31502b1b..90268d34d3 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI= m > pl.c > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI= m > pl.c 
> @@ -560,7 +560,7 @@ ON_EXIT: >=20 >=20 > **/ >=20 > EFI_STATUS >=20 > -EnrollRsa2048ToKek ( >=20 > +EnrollRsaToKek ( >=20 > IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private >=20 > ) >=20 > { >=20 > @@ -603,8 +603,19 @@ EnrollRsa2048ToKek ( >=20 >=20 > ASSERT (KeyBlob !=3D NULL); >=20 > KeyInfo =3D (CPL_KEY_INFO *)KeyBlob; >=20 > - if (KeyInfo->KeyLengthInBits / 8 !=3D WIN_CERT_UEFI_RSA2048_SIZE) { >=20 > - DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is > supported.\n")); >=20 > + if (KeyInfo->KeyType =3D=3D 0) { >=20 > + switch (KeyInfo->KeyLengthInBits / 8) { >=20 > + case WIN_CERT_UEFI_RSA2048_SIZE: >=20 > + case WIN_CERT_UEFI_RSA3072_SIZE: >=20 > + case WIN_CERT_UEFI_RSA4096_SIZE: >=20 > + break; >=20 > + default : >=20 > + DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048, RSA307= 2 > and RSA4096 are supported.\n")); >=20 > + Status =3D EFI_UNSUPPORTED; >=20 > + goto ON_EXIT; >=20 > + } >=20 > + } else { >=20 > + DEBUG ((DEBUG_ERROR, "Unsupported key type : %d, only 0 is > supported.\n", KeyInfo->KeyType)); >=20 > Status =3D EFI_UNSUPPORTED; >=20 > goto ON_EXIT; >=20 > } >=20 > @@ -632,7 +643,7 @@ EnrollRsa2048ToKek ( > // >=20 > KekSigListSize =3D sizeof (EFI_SIGNATURE_LIST) >=20 > + sizeof (EFI_SIGNATURE_DATA) - 1 >=20 > - + WIN_CERT_UEFI_RSA2048_SIZE; >=20 > + + KeyLenInBytes; >=20 >=20 >=20 > KekSigList =3D (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSize)= ; >=20 > if (KekSigList =3D=3D NULL) { >=20 
> @@ -642,17 +653,32 @@ EnrollRsa2048ToKek ( >=20 >=20 > KekSigList->SignatureListSize =3D sizeof (EFI_SIGNATURE_LIST) >=20 > + sizeof (EFI_SIGNATURE_DATA) - 1 >=20 > - + WIN_CERT_UEFI_RSA2048_SIZE; >=20 > + + (UINT32) KeyLenInBytes; >=20 > KekSigList->SignatureHeaderSize =3D 0; >=20 > - KekSigList->SignatureSize =3D sizeof (EFI_SIGNATURE_DATA) - 1 + > WIN_CERT_UEFI_RSA2048_SIZE; >=20 > - CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); >=20 > + KekSigList->SignatureSize =3D sizeof (EFI_SIGNATURE_DATA) - 1 + = (UINT32) > KeyLenInBytes; >=20 > + switch (KeyLenInBytes) { >=20 > + case WIN_CERT_UEFI_RSA2048_SIZE: >=20 > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); >=20 > + break; >=20 > + case WIN_CERT_UEFI_RSA3072_SIZE: >=20 > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid); >=20 > + break; >=20 > + case WIN_CERT_UEFI_RSA4096_SIZE: >=20 > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid); >=20 > + break; >=20 > + break; >=20 > + default : >=20 > + DEBUG ((DEBUG_ERROR, "Unsupported key length.\n")); >=20 > + Status =3D EFI_UNSUPPORTED; >=20 > + goto ON_EXIT; >=20 > + } >=20 >=20 >=20 > KEKSigData =3D (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof > (EFI_SIGNATURE_LIST)); >=20 > CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID); >=20 > CopyMem ( >=20 > KEKSigData->SignatureData, >=20 > KeyBlob + sizeof (CPL_KEY_INFO), >=20 > - WIN_CERT_UEFI_RSA2048_SIZE >=20 > + KeyLenInBytes >=20 > ); >=20 >=20 >=20 > // >=20 > @@ -890,7 +916,7 @@ EnrollKeyExchangeKey ( > if (IsDerEncodeCertificate (FilePostFix)) { >=20 > return EnrollX509ToKek (Private); >=20 > } else if (CompareMem (FilePostFix, L".pbk", 4) =3D=3D 0) { >=20 > - return EnrollRsa2048ToKek (Private); >=20 > + return EnrollRsaToKek (Private); >=20 > } else { >=20 > // >=20 > // File type is wrong, simply close it >=20 
> @@ -1847,7 +1873,7 @@ HashPeImage ( > SectionHeader =3D NULL; >=20 > Status =3D FALSE; >=20 >=20 >=20 > - if (HashAlg !=3D HASHALG_SHA256) { >=20 > + if ((HashAlg >=3D HASHALG_MAX)) { >=20 > return FALSE; >=20 > } >=20 >=20 >=20 > @@ -1856,8 +1882,25 @@ HashPeImage ( > // >=20 > ZeroMem (mImageDigest, MAX_DIGEST_SIZE); >=20 >=20 >=20 > - mImageDigestSize =3D SHA256_DIGEST_SIZE; >=20 > - mCertType =3D gEfiCertSha256Guid; >=20 > + switch (HashAlg) { >=20 > + case HASHALG_SHA256: >=20 > + mImageDigestSize =3D SHA256_DIGEST_SIZE; >=20 > + mCertType =3D gEfiCertSha256Guid; >=20 > + break; >=20 > + >=20 > + case HASHALG_SHA384: >=20 > + mImageDigestSize =3D SHA384_DIGEST_SIZE; >=20 > + mCertType =3D gEfiCertSha384Guid; >=20 > + break; >=20 > + >=20 > + case HASHALG_SHA512: >=20 > + mImageDigestSize =3D SHA512_DIGEST_SIZE; >=20 > + mCertType =3D gEfiCertSha512Guid; >=20 > + break; >=20 > + >=20 > + default: >=20 > + return FALSE; >=20 > + } >=20 >=20 >=20 > CtxSize =3D mHash[HashAlg].GetContextSize (); >=20 >=20 >=20 > @@ -2251,6 +2294,7 @@ EnrollImageSignatureToSigDB ( > UINT32 Attr; >=20 > WIN_CERTIFICATE_UEFI_GUID *GuidCertData; >=20 > EFI_TIME Time; >=20 > + UINT32 HashAlg; >=20 >=20 >=20 > Data =3D NULL; >=20 > GuidCertData =3D NULL; >=20 
> @@ -2289,8 +2333,20 @@ EnrollImageSignatureToSigDB ( > } >=20 >=20 >=20 > if (mSecDataDir->SizeOfCert =3D=3D 0) { >=20 > - if (!HashPeImage (HASHALG_SHA256)) { >=20 > - Status =3D EFI_SECURITY_VIOLATION; >=20 > + Status =3D EFI_SECURITY_VIOLATION; >=20 > + HashAlg =3D sizeof (mHash) / sizeof (HASH_TABLE); >=20 > + while (HashAlg > 0) { >=20 > + HashAlg--; >=20 > + if ((mHash[HashAlg].GetContextSize =3D=3D NULL) || (mHash[HashAlg]= .HashInit > =3D=3D NULL) || (mHash[HashAlg].HashUpdate =3D=3D NULL) || > (mHash[HashAlg].HashFinal =3D=3D NULL)) { >=20 > + continue; >=20 > + } >=20 > + if (HashPeImage (HashAlg)) { >=20 > + Status =3D EFI_SUCCESS; >=20 > + break; >=20 > + } >=20 > + } >=20 > + if (EFI_ERROR (Status)) { >=20 > + DEBUG ((DEBUG_ERROR, "Fail to get hash digest: %r", Status)); >=20 > goto ON_EXIT; >=20 > } >=20 > } else { >=20 > @@ -2589,6 +2645,10 @@ UpdateDeletePage ( > while ((ItemDataSize > 0) && (ItemDataSize >=3D CertList->SignatureLis= tSize)) { >=20 > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)) { >=20 > Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID); >=20 > + } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Gu= id)) { >=20 > + Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA3072_SHA384_GUID); >=20 > + } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Gu= id)) { >=20 > + Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA4096_SHA512_GUID); >=20 > } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)= ) { >=20 > Help =3D STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID); >=20 > } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid)= ) { >=20 
> @@ -2750,6 +2810,8 @@ DeleteKeyExchangeKey ( > GuidIndex =3D 0; >=20 > while ((KekDataSize > 0) && (KekDataSize >=3D CertList->SignatureListS= ize)) { >=20 > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) || >=20 > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) || >=20 > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) || >=20 > CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) >=20 > { >=20 > CopyMem (Data + Offset, CertList, (sizeof (EFI_SIGNATURE_LIST) + C= ertList- > >SignatureHeaderSize)); >=20 > @@ -2952,6 +3014,8 @@ DeleteSignature ( > GuidIndex =3D 0; >=20 > while ((ItemDataSize > 0) && (ItemDataSize >=3D CertList->SignatureLis= tSize)) { >=20 > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) || >=20 > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) || >=20 > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) || >=20 > CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) || >=20 > CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) || >=20 > CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid) || >=20 
> @@ -3758,12 +3822,20 @@ LoadSignatureList ( > while ((RemainingSize > 0) && (RemainingSize >=3D ListWalker->Signatur= eListSize)) > { >=20 > if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa2048Guid)) = { >=20 > ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256); >=20 > + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa3072= Guid)) > { >=20 > + ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384); >=20 > + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa4096= Guid)) > { >=20 > + ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512); >=20 > } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Gui= d)) { >=20 > ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509); >=20 > } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha1Gui= d)) { >=20 > ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA1); >=20 > } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha256G= uid)) { >=20 > ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA256); >=20 > + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha384G= uid)) { >=20 > + ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA384); >=20 > + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha512G= uid)) { >=20 > + ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA512); >=20 > } else if (CompareGuid (&ListWalker->SignatureType, > &gEfiCertX509Sha256Guid)) { >=20 > ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); >=20 > } else if (CompareGuid (&ListWalker->SignatureType, > &gEfiCertX509Sha384Guid)) { >=20 
> @@ -4001,6 +4073,14 @@ FormatHelpInfo ( > ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256); >=20 > DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); >=20 > IsCert =3D TRUE; >=20 > + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa3072Gui= d)) { >=20 > + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384); >=20 > + DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); >=20 > + IsCert =3D TRUE; >=20 > + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa4096Gui= d)) { >=20 > + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512); >=20 > + DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); >=20 > + IsCert =3D TRUE; >=20 > } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Guid))= { >=20 > ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_X509); >=20 > DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); >=20 > @@ -4011,6 +4091,12 @@ FormatHelpInfo ( > } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha256Guid= )) { >=20 > ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA256); >=20 > DataSize =3D 32; >=20 > + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha384Guid= )) { >=20 > + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA384); >=20 > + DataSize =3D 48; >=20 > + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha512Guid= )) { >=20 > + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA512); >=20 > + DataSize =3D 64; >=20 > } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Sha256= Guid)) > { >=20 > ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); >=20 > DataSize =3D 32; >=20 
> diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI= m > pl.h > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI= m > pl.h > index 37c66f1b95..ae50d929a7 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI= m > pl.h > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI= m > pl.h > @@ -82,6 +82,8 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; > #define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE >=20 >=20 >=20 > #define WIN_CERT_UEFI_RSA2048_SIZE 256 >=20 > +#define WIN_CERT_UEFI_RSA3072_SIZE 384 >=20 > +#define WIN_CERT_UEFI_RSA4096_SIZE 512 >=20 >=20 >=20 > // >=20 > // Support hash types >=20 > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS= tr > ings.uni > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS= tr > ings.uni > index 0d01701de7..1b48acc800 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS= tr > ings.uni > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS= tr > ings.uni > @@ -113,6 +113,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP #language en-US > "Read the public key of KEK from file" >=20 > #string STR_FILE_EXPLORER_TITLE #language en-US "File = Explorer" >=20 > #string STR_CERT_TYPE_RSA2048_SHA256_GUID #language en-US > "RSA2048_SHA256_GUID" >=20 > +#string STR_CERT_TYPE_RSA3072_SHA384_GUID #language en-US > "RSA3072_SHA384_GUID" >=20 > +#string STR_CERT_TYPE_RSA4096_SHA512_GUID #language en-US > "RSA4096_SHA512_GUID" >=20 > #string STR_CERT_TYPE_PCKS7_GUID #language en-US "PKCS7= _GUID" >=20 > #string STR_CERT_TYPE_SHA1_GUID #language en-US "SHA1_= GUID" >=20 > #string STR_CERT_TYPE_SHA256_GUID #language en-US > "SHA256_GUID" >=20 
> @@ -121,9 +123,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #string STR_CERT_TYPE_X509_SHA512_GUID #language en-US > "X509_SHA512_GUID" >=20 >=20 >=20 > #string STR_LIST_TYPE_RSA2048_SHA256 #language en-US > "RSA2048_SHA256" >=20 > +#string STR_LIST_TYPE_RSA3072_SHA384 #language en-US > "RSA3072_SHA384" >=20 > +#string STR_LIST_TYPE_RSA4096_SHA512 #language en-US > "RSA4096_SHA512" >=20 > #string STR_LIST_TYPE_X509 #language en-US "X509" >=20 > #string STR_LIST_TYPE_SHA1 #language en-US "SHA1" >=20 > #string STR_LIST_TYPE_SHA256 #language en-US "SHA25= 6" >=20 > +#string STR_LIST_TYPE_SHA384 #language en-US "SHA38= 4" >=20 > +#string STR_LIST_TYPE_SHA512 #language en-US "SHA51= 2" >=20 > #string STR_LIST_TYPE_X509_SHA256 #language en-US "X509_= SHA256" >=20 > #string STR_LIST_TYPE_X509_SHA384 #language en-US "X509_= SHA384" >=20 > #string STR_LIST_TYPE_X509_SHA512 #language en-US "X509_= SHA512" >=20 > -- > 2.26.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#107218): https://edk2.groups.io/g/devel/message/107218 Mute This Topic: https://groups.io/mt/99981532/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
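Review bot: in the VerifyTimeBasedPayload @@ -2170 hunk, ShaDigest replaces Sha256Digest but its declaration is outside the quoted hunks; confirm the buffer is at least SHA512_DIGEST_SIZE bytes, because CalculatePrivAuthVarSignChainSHADigest now writes up to 64 bytes into it and CompareMem runs over CertsSizeinDb == mHashInfo[HashAlgId].HashSize. The bound `sizeof (mHashInfo) / sizeof (EFI_HASH_INFO)` is spelled out here and again in the @@ -1972 hunk; `ARRAY_SIZE (mHashInfo)`, which this patch already uses for mAuthVarEntry, keeps the two checks in step.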
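Review bot: in the AuthVariableLibInitialize @@ -135 hunk, when the SHA-384 or SHA-512 allocation fails the contexts allocated just above it are not released before returning EFI_OUT_OF_RESOURCES. Initialization failure is fatal for the library, so the leak is cosmetic, but either free the earlier contexts on the error path or allocate one runtime buffer sized to the largest of the three context sizes, if the three digests are never computed concurrently in this library.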
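Review bot: in the AuthVariableLibInitialize @@ -356 hunk the rewritten entries keep the pre-existing trailing commas (`>FindVariable),` through `>AtRuntime),`), so the assignments chain into one comma-expression statement instead of separate statements; since this hunk replaces every one of those lines anyway, terminate each with `;`. The eleven entries do match the `mAuthVarAddressPointer[11]` declaration in the @@ -91 hunk.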
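Review bot: in the DxeImageVerificationHandler @@ -1837 hunk the loop accepts any mHash entry whose four callbacks are non-NULL, so every algorithm populated in that table becomes a valid db match for an unsigned image, not only the SHA-256/384/512 this change targets; if the table carries a weaker digest, an unsigned image is admitted by a db entry of that type. Use an explicit allow-list here, as the HashPeImage switch in SecureBootConfigImpl.c already does with its `default: return FALSE`. Continuing the loop after a db hit is correct, since every computed digest must still be tested against dbx, but it does mean the image is hashed once per algorithm. When no algorithm hashes successfully the loop now falls out silently with IsFoundInDatabase == FALSE, whereas the removed code logged `Failed to hash this image using %s` before `goto Failed`; keep a DEBUG line for that case. Minor: `sizeof (mHash) / sizeof (HASH_TABLE)` can be `ARRAY_SIZE (mHash)`.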
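Review bot: in the EnrollRsaToKek @@ -603 hunk, `KeyLenInBytes`, which the @@ -632 and @@ -642 hunks use for KekSigListSize, SignatureSize and the CopyMem length, is neither declared nor assigned in the quoted hunks; confirm it is set from `KeyInfo->KeyLengthInBits / 8` before its first use, since that value sizes an AllocateZeroPool and a CopyMem. Style: `default :` should be `default:`, and the KeyType error string would be more actionable if it named what type 0 denotes.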
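Review bot: in the EnrollRsaToKek @@ -642 hunk the RSA4096 case ends with a duplicated `break; break;`; drop the second one. This switch re-derives the signature GUID from a length the @@ -603 hunk has already validated, so its `default` branch is unreachable; either collapse the two into a single length-to-GUID mapping or make the default an ASSERT. Style: edk2 writes the cast as `(UINT32)KeyLenInBytes` without a space.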
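Review bot: in the SecureBootConfigImpl.c HashPeImage @@ -1847 hunk the condition `if ((HashAlg >= HASHALG_MAX))` has a redundant pair of parentheses. The explicit `default: return FALSE` added in the @@ -1856 hunk is the right shape and is worth mirroring in DxeImageVerificationLib. HashAlg is declared `UINT32` in EnrollImageSignatureToSigDB but `UINT8` in DxeImageVerificationHandler; pick one type for the table index.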
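Review bot: in the EnrollImageSignatureToSigDB @@ -2289 hunk the loop breaks at the first algorithm that hashes successfully, walking from the highest index down, so an unsigned image is now enrolled under the strongest digest in the table instead of SHA-256 as before; that changes the EFI_SIGNATURE_LIST type written to db for existing users and should be stated in the commit message or made a caller choice. Minor: the new DEBUG string `"Fail to get hash digest: %r"` lacks a trailing `\n`, and `sizeof (mHash) / sizeof (HASH_TABLE)` can be `ARRAY_SIZE (mHash)`.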