Re: [edk2-devel] [PATCH V9 0/2] Support RSA4096 and RSA3072

["Yao, Jiewen" <jiewen.yao@intel.com>]

Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

Merged https://github.com/tianocore/edk2/pull/4798

> -----Original Message-----
> From: Sheng, W <w.sheng@intel.com>
> Sent: Thursday, September 7, 2023 9:57 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi <zeyi.chen@intel.com>; Wang,
> Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang,
> Guomin <guomin.jiang@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>
> Subject: [PATCH V9 0/2] Support RSA4096 and RSA3072
> 
> Patch V9:
> Refine coding format for file AuthService.c
> 
> Patch V8:
> Update the patch comments for CryptoPkg.
> Comment should be <76 characters in each line.
> Refine coding format.
> 
> Patch V7:
> Drop raw RSA3072 and RSA4096. Only use gEfiCertX509Guid for RSA3072 and
> RSA4096
> Do the positive tests and the negative tests below. And got all the expected
> results.
> 
> Patch V6:
> Remove the changes in MdePkg.
> The changes of patch v6 are in CryptoPkg and SecurityPkg.
> Set signature type to gEfiCertX509Guid when enroll RSA3072/RSA4096 KEK.
> This signature type is used to check the supported signature and show the strings.
> 
> Patch V5:
> Using define KEY_TYPE_RSASSA to replace the magic number.
> 
> Patch V4:
> Determine the RSA algorithm by a supported algorithm list.
> 
> Patch V3:
> Select SHA algorithm automaticly for a unsigned efi image.
> 
> Patch V2:
> Determine the SHA algorithm by a supported algorithm list.
> Create SHA context for each algorithm.
> 
> Test Case:
> 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image under UEFI
> shell.
> 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image under UEFI
> shell.
> 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image under UEFI
> shell.
> 4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI shell
> 
> Test Result:
> Pass
> 
> Negative Test Case:
> 1) Enroll a RSA2048 Cert, execute an unsigned efi image.
> 2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image.
> 3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image.
> 4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi
> image.
> 
> Test Result:
> Get "Access Denied" when try to execute the efi image.
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Zeyi Chen <zeyi.chen@intel.com>
> Cc: Fiona Wang <fiona.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> 
> Sheng Wei (2):
>   CryptoPkg/BaseCryptLib: add sha384 and sha512 to ImageTimestampVerify
>   SecurityPkg/SecureBoot: Support RSA4096 and RSA3072
> 
>  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
>  .../Library/AuthVariableLib/AuthService.c     | 225 +++++++++++++++---
>  .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
>  .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
>  .../DxeImageVerificationLib.c                 |  74 +++---
>  .../SecureBootConfigDxe.inf                   |   8 +
>  .../SecureBootConfigImpl.c                    |  52 +++-
>  .../SecureBootConfigImpl.h                    |   7 +
>  .../SecureBootConfigStrings.uni               |   2 +
>  9 files changed, 331 insertions(+), 86 deletions(-)
> 
> --
> 2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#108360): https://edk2.groups.io/g/devel/message/108360
Mute This Topic: https://groups.io/mt/101207366/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-