Re: [edk2-devel] [PATCH V6 0/2] SecureBoot: Support RSA 512 and RSA 384

["Yao, Jiewen" <jiewen.yao@intel.com>]

> Set signature type to gEfiCertX509Guid when enroll RSA3072/RSA4096 KEK.

=======
  switch (KeyLenInBytes) {
  case WIN_CERT_UEFI_RSA2048_SIZE:
    CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
    break;
  case WIN_CERT_UEFI_RSA3072_SIZE:
  case WIN_CERT_UEFI_RSA4096_SIZE:
    CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid);
    break;
  default :
    DEBUG ((DEBUG_ERROR, "Unsupported key length.\n"));
    Status = EFI_UNSUPPORTED;
    goto ON_EXIT;
  }
=======

Sorry that I am not clear on this. I don't mean to use gEfiCertX509Guid to support raw RSA3K or 4K.
I mean to use *drop* raw RSA3K or 4k. And Only use gEfiCertX509Guid for RSA3K or 4K. You don't need to change EnrollRsa2048ToKek().
Please just support RSA3K or 4K in EnrollX509ToKek(), and add test case to validate that.

===========
  if (IsDerEncodeCertificate (FilePostFix)) {
    return EnrollX509ToKek (Private);
  } else if (CompareMem (FilePostFix, L".pbk", 4) == 0) {
    return EnrollRsa2048ToKek (Private);
  } else {
===========

Thank you
Yao, Jiewen


> -----Original Message-----
> From: Sheng, W <w.sheng@intel.com>
> Sent: Monday, August 7, 2023 5:10 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi <zeyi.chen@intel.com>; Wang,
> Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang,
> Guomin <guomin.jiang@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>
> Subject: [PATCH V6 0/2] SecureBoot: Support RSA 512 and RSA 384
> 
> Patch V6:
> Remove the changes in MdePkg.
> The changes of patch v6 are in CryptoPkg and SecurityPkg.
> Set signature type to gEfiCertX509Guid when enroll RSA3072/RSA4096 KEK.
> This signature type is used to check the supported signature and show the strings.
> 
> Patch V5:
> Using define KEY_TYPE_RSASSA to replace the magic number.
> 
> Patch V4:
> Determine the RSA algorithm by a supported algorithm list.
> 
> Patch V3:
> Select SHA algorithm automaticly for a unsigned efi image.
> 
> Patch V2:
> Determine the SHA algorithm by a supported algorithm list.
> Create SHA context for each algorithm.
> 
> Test Case:
> 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image under UEFI
> shell.
> 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image under UEFI
> shell.
> 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image under UEFI
> shell.
> 4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI shell
> 
> Test Result:
> Pass
> 
> Negative Test Case:
> 1) Enroll a RSA2048 Cert, execute an unsigned efi image.
> 2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image.
> 3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image.
> 4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi
> image.
> 
> Test Result:
> Get "Access Denied" when try to execute the efi image.
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Zeyi Chen <zeyi.chen@intel.com>
> Cc: Fiona Wang <fiona.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> 
> Sheng Wei (2):
>   CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to
>     ImageTimestampVerify
>   SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
> 
>  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
>  .../Library/AuthVariableLib/AuthService.c     | 218 +++++++++++++++---
>  .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
>  .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
>  .../DxeImageVerificationLib.c                 |  73 +++---
>  .../SecureBootConfigDxe.inf                   |   8 +
>  .../SecureBootConfigImpl.c                    |  91 ++++++--
>  .../SecureBootConfigImpl.h                    |   7 +
>  .../SecureBootConfigStrings.uni               |   2 +
>  9 files changed, 356 insertions(+), 92 deletions(-)
> 
> --
> 2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107617): https://edk2.groups.io/g/devel/message/107617
Mute This Topic: https://groups.io/mt/100596018/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-