From: "Yao, Jiewen"
To: "Sheng, W", "devel@edk2.groups.io"
CC: "Wang, Jian J", "Xu, Min M", "Chen, Zeyi", "Wang, Fiona", "Lu, Xiaoyu1", "Jiang, Guomin", "Kinney, Michael D"
Subject: Re: [edk2-devel] [PATCH V6 0/2] SecureBoot: Support RSA 512 and RSA 384
Date: Mon, 7 Aug 2023 11:49:03 +0000
References: <20230807091007.306-1-w.sheng@intel.com>
In-Reply-To: <20230807091007.306-1-w.sheng@intel.com>

> Set signature type to gEfiCertX509Guid when enrolling RSA3072/RSA4096 KEK.

=======
    switch (KeyLenInBytes) {
      case WIN_CERT_UEFI_RSA2048_SIZE:
        CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
        break;
      case WIN_CERT_UEFI_RSA3072_SIZE:
      case WIN_CERT_UEFI_RSA4096_SIZE:
        CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid);
        break;
      default :
        DEBUG ((DEBUG_ERROR, "Unsupported key length.\n"));
        Status = EFI_UNSUPPORTED;
        goto ON_EXIT;
    }
=======

Sorry that I am not clear on this. I don't mean to use gEfiCertX509Guid to support raw RSA3K or 4K.

I mean to *drop* raw RSA3K or 4K, and only use gEfiCertX509Guid for RSA3K or 4K.

You don't need to change EnrollRsa2048ToKek().
Please just support RSA3K or 4K in EnrollX509ToKek(), and add a test case to validate that.

===========
  if (IsDerEncodeCertificate (FilePostFix)) {
    return EnrollX509ToKek (Private);
  } else if (CompareMem (FilePostFix, L".pbk", 4) == 0) {
    return EnrollRsa2048ToKek (Private);
  } else {
===========

Thank you
Yao, Jiewen

> -----Original Message-----
> From: Sheng, W
> Sent: Monday, August 7, 2023 5:10 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen; Wang, Jian J; Xu, Min M; Chen, Zeyi; Wang, Fiona; Lu, Xiaoyu1; Jiang, Guomin; Kinney, Michael D
> Subject: [PATCH V6 0/2] SecureBoot: Support RSA 512 and RSA 384
>
> Patch V6:
> Remove the changes in MdePkg.
> The changes of patch v6 are in CryptoPkg and SecurityPkg.
> Set signature type to gEfiCertX509Guid when enrolling RSA3072/RSA4096 KEK.
> This signature type is used to check the supported signature and show the strings.
>
> Patch V5:
> Using define KEY_TYPE_RSASSA to replace the magic number.
>
> Patch V4:
> Determine the RSA algorithm by a supported algorithm list.
>
> Patch V3:
> Select SHA algorithm automatically for an unsigned efi image.
>
> Patch V2:
> Determine the SHA algorithm by a supported algorithm list.
> Create SHA context for each algorithm.
>
> Test Case:
> 1. Enroll an RSA4096 Cert, and execute an RSA4096 signed efi image under UEFI shell.
> 2. Enroll an RSA3072 Cert, and execute an RSA3072 signed efi image under UEFI shell.
> 3. Enroll an RSA2048 Cert, and execute an RSA2048 signed efi image under UEFI shell.
> 4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI shell.
>
> Test Result:
> Pass
>
> Negative Test Case:
> 1) Enroll an RSA2048 Cert, execute an unsigned efi image.
> 2) Enroll an RSA2048 Cert, execute an RSA4096 signed efi image.
> 3) Enroll an RSA4096 Cert, execute an RSA3072 signed efi image.
> 4) Enroll an RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi image.
>
> Test Result:
> Get "Access Denied" when trying to execute the efi image.
>
> Cc: Jiewen Yao
> Cc: Jian J Wang
> Cc: Min Xu
> Cc: Zeyi Chen
> Cc: Fiona Wang
> Cc: Xiaoyu Lu
> Cc: Guomin Jiang
> Cc: Michael D Kinney
>
> Sheng Wei (2):
>   CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to
>     ImageTimestampVerify
>   SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
>
>  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
>  .../Library/AuthVariableLib/AuthService.c     | 218 +++++++++++++++---
>  .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
>  .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
>  .../DxeImageVerificationLib.c                 |  73 +++--
>  .../SecureBootConfigDxe.inf                   |   8 +
>  .../SecureBootConfigImpl.c                    |  91 ++++++-
>  .../SecureBootConfigImpl.h                    |   7 +
>  .../SecureBootConfigStrings.uni               |   2 +
>  9 files changed, 356 insertions(+), 92 deletions(-)
>
> --
> 2.26.2.windows.1

View/Reply Online (#107617): https://edk2.groups.io/g/devel/message/107617
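The review point above is that a KEK entry has exactly two well-defined shapes: a raw RSA-2048 public key under gEfiCertRsa2048Guid, or a DER X.509 certificate (of any RSA size, including 3072 and 4096) under gEfiCertX509Guid; a raw 3K/4K key has no GUID of its own. The following consumer-side check, added here as an illustration and not code from edk2 or from this patch series, walks a buffer of EFI_SIGNATURE_LISTs with that rule and bounds-checks every size field before trusting it. The GUID values and the EFI_SIGNATURE_LIST layout are taken from the UEFI specification; the sample lists are constructed filler, not real keys or certificates, and the function and constant names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not edk2 code. EFI_GUID layout and the two GUID
 * values are taken from the UEFI specification. */
typedef struct { uint32_t d1; uint16_t d2; uint16_t d3; uint8_t d4[8]; } efi_guid;

static const efi_guid CERT_RSA2048 = { 0x3c5766e8, 0x269c, 0x4e34, { 0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6 } };
static const efi_guid CERT_X509    = { 0xa5c059a1, 0x94e4, 0x4aa7, { 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 } };

#define OWNER_GUID_BYTES 16u
#define RSA2048_BYTES    256u  /* raw modulus size accepted under EFI_CERT_RSA2048_GUID */
#define LIST_HDR_BYTES   28u   /* SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4) */

enum { KEK_ERR_TRUNCATED = -1, KEK_ERR_UNSUPPORTED_TYPE = -2, KEK_ERR_BAD_SIZE = -3, KEK_ERR_NOT_DER = -4 };

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Walks a buffer of concatenated EFI_SIGNATURE_LISTs. Returns the number of
 * accepted entries, or a negative KEK_ERR_* code at the first problem. Raw
 * keys are accepted only at RSA-2048 size; larger RSA keys must arrive as
 * DER X.509 certificates under EFI_CERT_X509_GUID. */
int validate_kek_lists(const uint8_t *buf, size_t len) {
    int accepted = 0;
    size_t off = 0;
    while (off < len) {
        if (len - off < LIST_HDR_BYTES) return KEK_ERR_TRUNCATED;
        efi_guid type;
        memcpy(&type, buf + off, sizeof type);
        uint32_t list_size = rd32(buf + off + 16);
        uint32_t hdr_size  = rd32(buf + off + 20);
        uint32_t sig_size  = rd32(buf + off + 24);
        /* Every size field is checked against the bytes actually present before use. */
        if (list_size < LIST_HDR_BYTES || list_size > len - off) return KEK_ERR_TRUNCATED;
        if (hdr_size > list_size - LIST_HDR_BYTES) return KEK_ERR_TRUNCATED;
        uint32_t body = list_size - LIST_HDR_BYTES - hdr_size;
        if (sig_size <= OWNER_GUID_BYTES || body % sig_size != 0) return KEK_ERR_BAD_SIZE;
        int is_rsa  = memcmp(&type, &CERT_RSA2048, sizeof type) == 0;
        int is_x509 = memcmp(&type, &CERT_X509, sizeof type) == 0;
        if (!is_rsa && !is_x509) return KEK_ERR_UNSUPPORTED_TYPE;
        /* A 384- or 512-byte raw modulus under the RSA-2048 GUID is a malformed entry, not a bigger key. */
        if (is_rsa && sig_size != OWNER_GUID_BYTES + RSA2048_BYTES) return KEK_ERR_BAD_SIZE;
        const uint8_t *entry = buf + off + LIST_HDR_BYTES + hdr_size;
        for (uint32_t n = 0; n < body / sig_size; n++, entry += sig_size) {
            /* Certificate data must at least begin as a DER SEQUENCE (tag 0x30). */
            if (is_x509 && entry[OWNER_GUID_BYTES] != 0x30) return KEK_ERR_NOT_DER;
            accepted++;
        }
        off += list_size;
    }
    return accepted;
}

/* Builds one list with a single entry of key_len filler bytes (constructed
 * test data, not a real key or certificate). Returns bytes written. */
size_t build_list(uint8_t *out, const efi_guid *type, uint32_t key_len, uint8_t first_byte) {
    uint32_t sig_size = OWNER_GUID_BYTES + key_len, list_size = LIST_HDR_BYTES + sig_size, zero = 0;
    memcpy(out, type, sizeof *type);
    memcpy(out + 16, &list_size, 4);
    memcpy(out + 20, &zero, 4);
    memcpy(out + 24, &sig_size, 4);
    memset(out + LIST_HDR_BYTES, 0, sig_size);           /* owner GUID + key bytes */
    out[LIST_HDR_BYTES + OWNER_GUID_BYTES] = first_byte;
    return list_size;
}

int demo_raw_rsa2048(void)  { uint8_t b[1024]; return validate_kek_lists(b, build_list(b, &CERT_RSA2048, 256, 0x00)); }
int demo_raw_rsa3072(void)  { uint8_t b[1024]; return validate_kek_lists(b, build_list(b, &CERT_RSA2048, 384, 0x00)); }
int demo_x509_rsa4096(void) { uint8_t b[1024]; return validate_kek_lists(b, build_list(b, &CERT_X509, 600, 0x30)); }
int demo_two_lists(void) {
    uint8_t b[2048];
    size_t n = build_list(b, &CERT_RSA2048, 256, 0x00);
    n += build_list(b + n, &CERT_X509, 600, 0x30);
    return validate_kek_lists(b, n);
}
int demo_truncated(void) { uint8_t b[1024]; size_t n = build_list(b, &CERT_X509, 600, 0x30); return validate_kek_lists(b, n - 1); }

int main(void) {
    printf("raw RSA-2048 entry:   %d accepted\n", demo_raw_rsa2048());
    printf("raw RSA-3072 entry:   %d (KEK_ERR_BAD_SIZE)\n", demo_raw_rsa3072());
    printf("X.509 RSA-4096 entry: %d accepted\n", demo_x509_rsa4096());
    printf("two lists:            %d accepted\n", demo_two_lists());
    printf("truncated buffer:     %d (KEK_ERR_TRUNCATED)\n", demo_truncated());
    return 0;
}
```

The raw RSA-3072 case is the one the thread is about: with only gEfiCertRsa2048Guid and gEfiCertX509Guid defined, an oversized raw modulus cannot be labelled at all, so a consumer has to reject it rather than guess, while the same key wrapped in a certificate passes under the X.509 GUID.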