From: "Yao, Jiewen"
To: "Sheng, W", "devel@edk2.groups.io"
CC: "Wang, Jian J", "Xu, Min M", "Chen, Zeyi", "Wang, Fiona"
Subject: Re: [PATCH] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
Date: Thu, 22 Jun 2023 07:22:17 +0000
References: <20230525052316.512-1-w.sheng@intel.com>
In-Reply-To: <20230525052316.512-1-w.sheng@intel.com>
Thank you very much for contributing this patch. Here is my feedback.

1) I don't believe that you can use digest size to determine the algorithm, because different hash algorithms may have the same size, e.g. SHA256 and SHA3_256.
+  if (DigestSize == SHA256_DIGEST_SIZE) {
+    Status = CalculatePrivAuthVarSignChainSHA256Digest (
+               SignerCert,
+               SignerCertSize,
+               TopLevelCert,
+               TopLevelCertSize,
+               ShaDigest
+               );

2) I don't believe that you can assume the CtxSize of SHA512 is bigger than that of SHA256. I think we may need to create a context for each algo.

@@ -135,7 +135,7 @@ AuthVariableLibInitialize (
   //
   // Initialize hash context.
   //
-  CtxSize = Sha256GetContextSize ();
+  CtxSize = Sha512GetContextSize ();
   mHashCtx = AllocateRuntimePool (CtxSize);
   if (mHashCtx == NULL) {

3) I believe we should use 0 for SHA256 and ASSERT in default.

+  switch (PcdGet8 (PcdSecureBootDefaultHashAlg)) {
+    case 1:
+      DEBUG ((DEBUG_INFO, "%a use SHA384", __func__));
+      HashAlg = HASHALG_SHA384;
+      break;
+    case 2:
+      DEBUG ((DEBUG_INFO, "%a use SHA512", __func__));
+      HashAlg = HASHALG_SHA512;
+      break;
+    default:
+      DEBUG ((DEBUG_INFO, "%a use SHA256", __func__));
+      HashAlg = HASHALG_SHA256;
+      break;
+  }

4) I am not sure why we need this PCD. Why cannot we support all of the hash algos?

+  ## Indicates default hash algorithm in Secure Boot
+  #  0 - Use SHA256
+  #  1 - Use SHA384
+  #  2 - Use SHA512
+  # @Prompt Secure Boot default hash algorithm
+  gEfiSecurityPkgTokenSpaceGuid.PcdSecureBootDefaultHashAlg|0|UINT8|0x00010040

5) I don't believe that you can use size to determine the algorithm. We need a more robust way, such as an algorithm ID.

+  switch (KeyLenInBytes) {
+    case WIN_CERT_UEFI_RSA2048_SIZE:
+      CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
+      break;
+    case WIN_CERT_UEFI_RSA3072_SIZE:
+      CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid);
+      break;
+    case WIN_CERT_UEFI_RSA4096_SIZE:
+      CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid);
+      break;
+      break;

Thank you
Yao, Jiewen

> -----Original Message-----
> From: Sheng, W > Sent: Thursday, May 25, 2023 1:23 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Wang, Jian J ; > Xu, Min M ; Chen, Zeyi ; Wang, > Fiona > Subject: [PATCH] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 >=20 > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3413 >=20 > Cc: Jiewen Yao > Cc: Jian J Wang > Cc: Min Xu > Cc: Zeyi Chen > Cc: Fiona Wang > Signed-off-by: Sheng Wei > --- > CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- > MdePkg/Include/Guid/ImageAuthentication.h | 26 ++ > MdePkg/MdePkg.dec | 2 + > .../Library/AuthVariableLib/AuthService.c | 272 ++++++++++++++++-- > .../Library/AuthVariableLib/AuthVariableLib.c | 4 +- > .../DxeImageVerificationLib.c | 35 ++- > .../DxeImageVerificationLib.inf | 1 + > SecurityPkg/SecurityPkg.dec | 7 + > .../SecureBootConfigDxe.inf | 19 ++ > .../SecureBootConfigImpl.c | 122 +++++++- > .../SecureBootConfigImpl.h | 2 + > .../SecureBootConfigStrings.uni | 6 + > 12 files changed, 463 insertions(+), 36 deletions(-) >=20 > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > index 027dbb6842..944bcf8d38 100644 > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > @@ -591,7 +591,8 @@ ImageTimestampVerify ( > // Register & Initialize necessary digest algorithms for PKCS#7 Handli= ng. >=20 > // >=20 > if ((EVP_add_digest (EVP_md5 ()) =3D=3D 0) || (EVP_add_digest (EVP_sha= 1 ()) =3D=3D 0) > || >=20 > - (EVP_add_digest (EVP_sha256 ()) =3D=3D 0) || ((EVP_add_digest_alia= s > (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) =3D=3D 0)) >=20 > + (EVP_add_digest (EVP_sha256 ()) =3D=3D 0) || (EVP_add_digest (EVP_= sha384 ()) > =3D=3D 0) || >=20 > + (EVP_add_digest (EVP_sha512 ()) =3D=3D 0) || ((EVP_add_digest_alia= s > (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) =3D=3D 0)) >=20 > { >=20 > return FALSE; >=20 > } >=20 
> diff --git a/MdePkg/Include/Guid/ImageAuthentication.h > b/MdePkg/Include/Guid/ImageAuthentication.h > index fe83596571..c8ea2c14fb 100644 > --- a/MdePkg/Include/Guid/ImageAuthentication.h > +++ b/MdePkg/Include/Guid/ImageAuthentication.h > @@ -144,6 +144,30 @@ typedef struct { > 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb= 3, > 0xb6} \ >=20 > } >=20 >=20 >=20 > +/// >=20 > +/// This identifies a signature containing an RSA-3072 key. The key (onl= y the > modulus >=20 > +/// since the public key exponent is known to be 0x10001) shall be store= d in big- > endian >=20 > +/// order. >=20 > +/// The SignatureHeader size shall always be 0. The SignatureSize shall = always > be 16 (size >=20 > +/// of SignatureOwner component) + 384 bytes. >=20 > +/// >=20 > +#define EFI_CERT_RSA3072_GUID \ >=20 > + { \ >=20 > + 0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xe= e, > 0x92 } \ >=20 > + } >=20 > + >=20 > +/// >=20 > +/// This identifies a signature containing an RSA-4096 key. The key (onl= y the > modulus >=20 > +/// since the public key exponent is known to be 0x10001) shall be store= d in big- > endian >=20 > +/// order. >=20 > +/// The SignatureHeader size shall always be 0. The SignatureSize shall = always > be 16 (size >=20 > +/// of SignatureOwner component) + 512 bytes. >=20 > +/// >=20 > +#define EFI_CERT_RSA4096_GUID \ >=20 > + { \ >=20 > + 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x9= 8, > 0x2c } \ >=20 > + } >=20 > + >=20 > /// >=20 > /// This identifies a signature containing a RSA-2048 signature of a SHA= -256 > hash. The >=20 > /// SignatureHeader size shall always be 0. The SignatureSize shall alwa= ys be 16 > (size of >=20 
> @@ -330,6 +354,8 @@ typedef struct { > extern EFI_GUID gEfiImageSecurityDatabaseGuid; >=20 > extern EFI_GUID gEfiCertSha256Guid; >=20 > extern EFI_GUID gEfiCertRsa2048Guid; >=20 > +extern EFI_GUID gEfiCertRsa3072Guid; >=20 > +extern EFI_GUID gEfiCertRsa4096Guid; >=20 > extern EFI_GUID gEfiCertRsa2048Sha256Guid; >=20 > extern EFI_GUID gEfiCertSha1Guid; >=20 > extern EFI_GUID gEfiCertRsa2048Sha1Guid; >=20 > diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec > index 80b6559053..782f6d184d 100644 > --- a/MdePkg/MdePkg.dec > +++ b/MdePkg/MdePkg.dec > @@ -562,6 +562,8 @@ > gEfiImageSecurityDatabaseGuid =3D { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3= , 0xbc, > 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f }} >=20 > gEfiCertSha256Guid =3D { 0xc1c41626, 0x504c, 0x4092, {0xac= , 0xa9, 0x41, > 0xf9, 0x36, 0x93, 0x43, 0x28 }} >=20 > gEfiCertRsa2048Guid =3D { 0x3c5766e8, 0x269c, 0x4e34, {0xaa= , 0x14, 0xed, > 0x77, 0x6e, 0x85, 0xb3, 0xb6 }} >=20 > + gEfiCertRsa3072Guid =3D { 0xedd320c2, 0xb057, 0x4b8e, {0xad= , 0x46, > 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }} >=20 > + gEfiCertRsa4096Guid =3D { 0xb23e89a6, 0x8c8b, 0x4412, {0x85= , 0x73, > 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c }} >=20 > gEfiCertRsa2048Sha256Guid =3D { 0xe2b36190, 0x879b, 0x4a3d, {0xad= , 0x8d, > 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }} >=20 > gEfiCertSha1Guid =3D { 0x826ca512, 0xcf10, 0x4ac9, {0xb1= , 0x87, 0xbe, > 0x1, 0x49, 0x66, 0x31, 0xbd }} >=20 > gEfiCertRsa2048Sha1Guid =3D { 0x67f8444f, 0x8743, 0x48f1, {0xa3= , 0x28, > 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }} >=20 > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c > b/SecurityPkg/Library/AuthVariableLib/AuthService.c > index 452ed491ea..288e44a359 100644 > --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c > +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c 
> @@ -29,12 +29,16 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #include >=20 > #include >=20 >=20 >=20 > +#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE >=20 > + >=20 > // >=20 > // Public Exponent of RSA Key. >=20 > // >=20 > CONST UINT8 mRsaE[] =3D { 0x01, 0x00, 0x01 }; >=20 >=20 >=20 > CONST UINT8 mSha256OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,= 0x04, > 0x02, 0x01 }; >=20 > +CONST UINT8 mSha384OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, > 0x04, 0x02, 0x02 }; >=20 > +CONST UINT8 mSha512OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, > 0x04, 0x02, 0x03 }; >=20 >=20 >=20 > // >=20 > // Requirement for different signature type which have been defined in U= EFI > spec. >=20 > @@ -44,6 +48,8 @@ EFI_SIGNATURE_ITEM mSupportSigItem[] =3D { > // {SigType, SigHeaderSize, SigDataSize } >=20 > { EFI_CERT_SHA256_GUID, 0, 32 }, >=20 > { EFI_CERT_RSA2048_GUID, 0, 256 }, >=20 > + { EFI_CERT_RSA3072_GUID, 0, 384 }, >=20 > + { EFI_CERT_RSA4096_GUID, 0, 512 }, >=20 > { EFI_CERT_RSA2048_SHA256_GUID, 0, 256 }, >=20 > { EFI_CERT_SHA1_GUID, 0, 20 }, >=20 > { EFI_CERT_RSA2048_SHA1_GUID, 0, 256 }, >=20 
> @@ -1172,6 +1178,172 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > return EFI_SUCCESS; >=20 > } >=20 >=20 >=20 > +/** >=20 > + Calculate SHA38 digest of SignerCert CommonName + ToplevelCert > tbsCertificate >=20 > + SignerCert and ToplevelCert are inside the signer certificate chain. >=20 > + >=20 > + @param[in] SignerCert A pointer to SignerCert data. >=20 > + @param[in] SignerCertSize Length of SignerCert data. >=20 > + @param[in] TopLevelCert A pointer to TopLevelCert data. >=20 > + @param[in] TopLevelCertSize Length of TopLevelCert data. >=20 > + @param[out] Sha384Digest Sha384 digest calculated. >=20 > + >=20 > + @return EFI_ABORTED Digest process failed. >=20 > + @return EFI_SUCCESS SHA384 Digest is successfully calculated. >=20 > + >=20 > +**/ >=20 > +EFI_STATUS >=20 > +CalculatePrivAuthVarSignChainSHA384Digest ( >=20 > + IN UINT8 *SignerCert, >=20 > + IN UINTN SignerCertSize, >=20 > + IN UINT8 *TopLevelCert, >=20 > + IN UINTN TopLevelCertSize, >=20 > + OUT UINT8 *Sha384Digest >=20 > + ) >=20 > +{ >=20 > + UINT8 *TbsCert; >=20 > + UINTN TbsCertSize; >=20 > + CHAR8 CertCommonName[128]; >=20 > + UINTN CertCommonNameSize; >=20 > + BOOLEAN CryptoStatus; >=20 > + EFI_STATUS Status; >=20 > + >=20 > + CertCommonNameSize =3D sizeof (CertCommonName); >=20 > + >=20 > + // >=20 > + // Get SignerCert CommonName >=20 > + // >=20 > + Status =3D X509GetCommonName (SignerCert, SignerCertSize, > CertCommonName, &CertCommonNameSize); >=20 > + if (EFI_ERROR (Status)) { >=20 > + DEBUG ((DEBUG_INFO, "%a Get SignerCert CommonName failed with > status %x\n", __FUNCTION__, Status)); >=20 > + return EFI_ABORTED; >=20 > + } >=20 > + >=20 > + // >=20 > + // Get TopLevelCert tbsCertificate >=20 > + // >=20 > + if (!X509GetTBSCert (TopLevelCert, TopLevelCertSize, &TbsCert, > &TbsCertSize)) { >=20 > + DEBUG ((DEBUG_INFO, "%a Get Top-level Cert tbsCertificate failed!\n"= , > __FUNCTION__)); >=20 > + return EFI_ABORTED; >=20 > + } >=20 > + >=20 > + // >=20 > + // Digest SignerCert CN 
+ TopLevelCert tbsCertificate >=20 > + // >=20 > + ZeroMem (Sha384Digest, SHA384_DIGEST_SIZE); >=20 > + CryptoStatus =3D Sha384Init (mHashCtx); >=20 > + if (!CryptoStatus) { >=20 > + return EFI_ABORTED; >=20 > + } >=20 > + >=20 > + // >=20 > + // '\0' is forced in CertCommonName. No overflow issue >=20 > + // >=20 > + CryptoStatus =3D Sha384Update ( >=20 > + mHashCtx, >=20 > + CertCommonName, >=20 > + AsciiStrLen (CertCommonName) >=20 > + ); >=20 > + if (!CryptoStatus) { >=20 > + return EFI_ABORTED; >=20 > + } >=20 > + >=20 > + CryptoStatus =3D Sha384Update (mHashCtx, TbsCert, TbsCertSize); >=20 > + if (!CryptoStatus) { >=20 > + return EFI_ABORTED; >=20 > + } >=20 > + >=20 > + CryptoStatus =3D Sha384Final (mHashCtx, Sha384Digest); >=20 > + if (!CryptoStatus) { >=20 > + return EFI_ABORTED; >=20 > + } >=20 > + >=20 > + return EFI_SUCCESS; >=20 > +} >=20 > + >=20 > +/** >=20 > + Calculate SHA512 digest of SignerCert CommonName + ToplevelCert > tbsCertificate >=20 > + SignerCert and ToplevelCert are inside the signer certificate chain. >=20 > + >=20 > + @param[in] SignerCert A pointer to SignerCert data. >=20 > + @param[in] SignerCertSize Length of SignerCert data. >=20 > + @param[in] TopLevelCert A pointer to TopLevelCert data. >=20 > + @param[in] TopLevelCertSize Length of TopLevelCert data. >=20 > + @param[out] Sha512Digest Sha512 digest calculated. >=20 > + >=20 > + @return EFI_ABORTED Digest process failed. >=20 > + @return EFI_SUCCESS SHA512 Digest is successfully calculated. 
>=20 > + >=20 > +**/ >=20 > +EFI_STATUS >=20 > +CalculatePrivAuthVarSignChainSHA512Digest ( >=20 > + IN UINT8 *SignerCert, >=20 > + IN UINTN SignerCertSize, >=20 > + IN UINT8 *TopLevelCert, >=20 > + IN UINTN TopLevelCertSize, >=20 > + OUT UINT8 *Sha512Digest >=20 > + ) >=20 > +{ >=20 > + UINT8 *TbsCert; >=20 > + UINTN TbsCertSize; >=20 > + CHAR8 CertCommonName[128]; >=20 > + UINTN CertCommonNameSize; >=20 > + BOOLEAN CryptoStatus; >=20 > + EFI_STATUS Status; >=20 > + >=20 > + CertCommonNameSize =3D sizeof (CertCommonName); >=20 > + >=20 > + // >=20 > + // Get SignerCert CommonName >=20 > + // >=20 > + Status =3D X509GetCommonName (SignerCert, SignerCertSize, > CertCommonName, &CertCommonNameSize); >=20 > + if (EFI_ERROR (Status)) { >=20 > + DEBUG ((DEBUG_INFO, "%a Get SignerCert CommonName failed with > status %x\n", __FUNCTION__, Status)); >=20 > + return EFI_ABORTED; >=20 > + } >=20 > + >=20 > + // >=20 > + // Get TopLevelCert tbsCertificate >=20 > + // >=20 > + if (!X509GetTBSCert (TopLevelCert, TopLevelCertSize, &TbsCert, > &TbsCertSize)) { >=20 > + DEBUG ((DEBUG_INFO, "%a Get Top-level Cert tbsCertificate failed!\n"= , > __FUNCTION__)); >=20 > + return EFI_ABORTED; >=20 > + } >=20 > + >=20 > + // >=20 > + // Digest SignerCert CN + TopLevelCert tbsCertificate >=20 > + // >=20 > + ZeroMem (Sha512Digest, SHA512_DIGEST_SIZE); >=20 > + CryptoStatus =3D Sha512Init (mHashCtx); >=20 > + if (!CryptoStatus) { >=20 > + return EFI_ABORTED; >=20 > + } >=20 > + >=20 > + // >=20 > + // '\0' is forced in CertCommonName. 
No overflow issue >=20 > + // >=20 > + CryptoStatus =3D Sha512Update ( >=20 > + mHashCtx, >=20 > + CertCommonName, >=20 > + AsciiStrLen (CertCommonName) >=20 > + ); >=20 > + if (!CryptoStatus) { >=20 > + return EFI_ABORTED; >=20 > + } >=20 > + >=20 > + CryptoStatus =3D Sha512Update (mHashCtx, TbsCert, TbsCertSize); >=20 > + if (!CryptoStatus) { >=20 > + return EFI_ABORTED; >=20 > + } >=20 > + >=20 > + CryptoStatus =3D Sha512Final (mHashCtx, Sha512Digest); >=20 > + if (!CryptoStatus) { >=20 > + return EFI_ABORTED; >=20 > + } >=20 > + >=20 > + return EFI_SUCCESS; >=20 > +} >=20 > + >=20 > /** >=20 > Find matching signer's certificates for common authenticated variable >=20 > by corresponding VariableName and VendorGuid from "certdb" or "certdbv= ". >=20 > @@ -1526,6 +1698,7 @@ DeleteCertsFromDb ( > @param[in] SignerCertSize Length of signer certificate. >=20 > @param[in] TopLevelCert Top-level certificate data. >=20 > @param[in] TopLevelCertSize Length of top-level certificate. >=20 > + @param[in] DigestSize Digest Size. >=20 >=20 >=20 > @retval EFI_INVALID_PARAMETER Any input parameter is invalid. >=20 > @retval EFI_ACCESS_DENIED An AUTH_CERT_DB_DATA entry with same > VariableName >=20 > @@ -1542,7 +1715,8 @@ InsertCertsToDb ( > IN UINT8 *SignerCert, >=20 > IN UINTN SignerCertSize, >=20 > IN UINT8 *TopLevelCert, >=20 > - IN UINTN TopLevelCertSize >=20 > + IN UINTN TopLevelCertSize, >=20 > + IN UINT32 DigestSize >=20 > ) >=20 > { >=20 > EFI_STATUS Status; >=20 > @@ -1556,7 +1730,7 @@ InsertCertsToDb ( > UINT32 CertDataSize; >=20 > AUTH_CERT_DB_DATA *Ptr; >=20 > CHAR16 *DbName; >=20 > - UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; >=20 > + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; >=20 >=20 >=20 > if ((VariableName =3D=3D NULL) || (VendorGuid =3D=3D NULL) || (SignerC= ert =3D=3D NULL) > || (TopLevelCert =3D=3D NULL)) { >=20 > return EFI_INVALID_PARAMETER; >=20 
> @@ -1618,20 +1792,41 @@ InsertCertsToDb ( > // Construct new data content of variable "certdb" or "certdbv". >=20 > // >=20 > NameSize =3D (UINT32)StrLen (VariableName); >=20 > - CertDataSize =3D sizeof (Sha256Digest); >=20 > + CertDataSize =3D DigestSize; >=20 > CertNodeSize =3D sizeof (AUTH_CERT_DB_DATA) + (UINT32)CertDataSize + > NameSize * sizeof (CHAR16); >=20 > NewCertDbSize =3D (UINT32)DataSize + CertNodeSize; >=20 > if (NewCertDbSize > mMaxCertDbSize) { >=20 > return EFI_OUT_OF_RESOURCES; >=20 > } >=20 >=20 >=20 > - Status =3D CalculatePrivAuthVarSignChainSHA256Digest ( >=20 > - SignerCert, >=20 > - SignerCertSize, >=20 > - TopLevelCert, >=20 > - TopLevelCertSize, >=20 > - Sha256Digest >=20 > - ); >=20 > + if (DigestSize =3D=3D SHA256_DIGEST_SIZE) { >=20 > + Status =3D CalculatePrivAuthVarSignChainSHA256Digest ( >=20 > + SignerCert, >=20 > + SignerCertSize, >=20 > + TopLevelCert, >=20 > + TopLevelCertSize, >=20 > + ShaDigest >=20 > + ); >=20 > + } else if (DigestSize =3D=3D SHA384_DIGEST_SIZE) { >=20 > + Status =3D CalculatePrivAuthVarSignChainSHA384Digest ( >=20 > + SignerCert, >=20 > + SignerCertSize, >=20 > + TopLevelCert, >=20 > + TopLevelCertSize, >=20 > + ShaDigest >=20 > + ); >=20 > + } else if (DigestSize =3D=3D SHA512_DIGEST_SIZE) { >=20 > + Status =3D CalculatePrivAuthVarSignChainSHA512Digest ( >=20 > + SignerCert, >=20 > + SignerCertSize, >=20 > + TopLevelCert, >=20 > + TopLevelCertSize, >=20 > + ShaDigest >=20 > + ); >=20 > + } else { >=20 > + return EFI_UNSUPPORTED; >=20 > + } >=20 > + >=20 > if (EFI_ERROR (Status)) { >=20 > return Status; >=20 > } >=20 > @@ -1663,7 +1858,7 @@ InsertCertsToDb ( >=20 >=20 > CopyMem ( >=20 > (UINT8 *)Ptr + sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof (CHAR= 16), >=20 > - Sha256Digest, >=20 > + ShaDigest, >=20 > CertDataSize >=20 > ); >=20 >=20 >=20 
> @@ -1857,7 +2052,7 @@ VerifyTimeBasedPayload ( > UINTN CertStackSize; >=20 > UINT8 *CertsInCertDb; >=20 > UINT32 CertsSizeinDb; >=20 > - UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; >=20 > + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; >=20 > EFI_CERT_DATA *CertDataPtr; >=20 >=20 >=20 > // >=20 > @@ -1928,7 +2123,7 @@ VerifyTimeBasedPayload ( >=20 >=20 > // >=20 > // SignedData.digestAlgorithms shall contain the digest algorithm used= when > preparing the >=20 > - // signature. Only a digest algorithm of SHA-256 is accepted. >=20 > + // signature. Only a digest algorithm of SHA-256, SHA-384 or SHA-512 i= s > accepted. >=20 > // >=20 > // According to PKCS#7 Definition (https://www.rfc-editor.org/rfc/r= fc2315): >=20 > // SignedData ::=3D SEQUENCE { >=20 
> @@ -1978,7 +2173,19 @@ VerifyTimeBasedPayload ( > || (CompareMem (SigData + 13, &mSha256OidValue, sizeof > (mSha256OidValue)) !=3D 0))) >=20 > && ( (SigDataSize >=3D (32 + sizeof (mSha256OidValue))) >=20 > && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCOD= E) >=20 > - || (CompareMem (SigData + 32, &mSha256OidValue, sizeof > (mSha256OidValue)) !=3D 0)))) >=20 > + || (CompareMem (SigData + 32, &mSha256OidValue, sizeof > (mSha256OidValue)) !=3D 0))) >=20 > + && ( (SigDataSize >=3D (13 + sizeof (mSha384OidValue))) >=20 > + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE= ) >=20 > + || (CompareMem (SigData + 13, &mSha384OidValue, sizeof > (mSha384OidValue)) !=3D 0))) >=20 > + && ( (SigDataSize >=3D (32 + sizeof (mSha384OidValue))) >=20 > + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCOD= E) >=20 > + || (CompareMem (SigData + 32, &mSha384OidValue, sizeof > (mSha384OidValue)) !=3D 0))) >=20 > + && ( (SigDataSize >=3D (13 + sizeof (mSha512OidValue))) >=20 > + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE= ) >=20 > + || (CompareMem (SigData + 13, &mSha512OidValue, sizeof > (mSha512OidValue)) !=3D 0))) >=20 > + && ( (SigDataSize >=3D (32 + sizeof (mSha512OidValue))) >=20 > + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCOD= E) >=20 > + || (CompareMem (SigData + 32, &mSha512OidValue, sizeof > (mSha512OidValue)) !=3D 0)))) >=20 > { >=20 > return EFI_SECURITY_VIOLATION; >=20 > } >=20 
> @@ -2180,9 +2387,39 @@ VerifyTimeBasedPayload ( > ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDa= taLength)), >=20 > TopLevelCert, >=20 > TopLevelCertSize, >=20 > - Sha256Digest >=20 > + ShaDigest >=20 > + ); >=20 > + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb, > CertsSizeinDb) !=3D 0)) { >=20 > + goto Exit; >=20 > + } >=20 > + } else if (CertsSizeinDb =3D=3D SHA384_DIGEST_SIZE) { >=20 > + // >=20 > + // Check hash of signer cert CommonName + Top-level issuer > tbsCertificate against data in CertDb >=20 > + // >=20 > + CertDataPtr =3D (EFI_CERT_DATA *)(SignerCerts + 1); >=20 > + Status =3D CalculatePrivAuthVarSignChainSHA384Digest ( >=20 > + CertDataPtr->CertDataBuffer, >=20 > + ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDa= taLength)), >=20 > + TopLevelCert, >=20 > + TopLevelCertSize, >=20 > + ShaDigest >=20 > + ); >=20 > + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb, > CertsSizeinDb) !=3D 0)) { >=20 > + goto Exit; >=20 > + } >=20 > + } else if (CertsSizeinDb =3D=3D SHA512_DIGEST_SIZE) { >=20 > + // >=20 > + // Check hash of signer cert CommonName + Top-level issuer > tbsCertificate against data in CertDb >=20 > + // >=20 > + CertDataPtr =3D (EFI_CERT_DATA *)(SignerCerts + 1); >=20 > + Status =3D CalculatePrivAuthVarSignChainSHA512Digest ( >=20 > + CertDataPtr->CertDataBuffer, >=20 > + ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDa= taLength)), >=20 > + TopLevelCert, >=20 > + TopLevelCertSize, >=20 > + ShaDigest >=20 > ); >=20 > - if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, CertsInCert= Db, > CertsSizeinDb) !=3D 0)) { >=20 > + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb, > CertsSizeinDb) !=3D 0)) { >=20 > goto Exit; >=20 > } >=20 > } else { >=20 
> @@ -2221,7 +2458,8 @@ VerifyTimeBasedPayload ( > CertDataPtr->CertDataBuffer, >=20 > ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertData= Length)), >=20 > TopLevelCert, >=20 > - TopLevelCertSize >=20 > + TopLevelCertSize, >=20 > + CertsSizeinDb >=20 > ); >=20 > if (EFI_ERROR (Status)) { >=20 > VerifyStatus =3D FALSE; >=20 > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > index dc61ae840c..552c0e99be 100644 > --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > @@ -26,7 +26,7 @@ UINT32 mMaxCertDbSize; > UINT32 mPlatformMode; >=20 > UINT8 mVendorKeyState; >=20 >=20 >=20 > -EFI_GUID mSignatureSupport[] =3D { EFI_CERT_SHA1_GUID, > EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID }; >=20 > +EFI_GUID mSignatureSupport[] =3D { EFI_CERT_SHA1_GUID, > EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID, > EFI_CERT_RSA2048_GUID, EFI_CERT_RSA3072_GUID, EFI_CERT_RSA4096_GUID, > EFI_CERT_X509_GUID }; >=20 >=20 >=20 > // >=20 > // Hash context pointer >=20 > @@ -135,7 +135,7 @@ AuthVariableLibInitialize ( > // >=20 > // Initialize hash context. >=20 > // >=20 > - CtxSize =3D Sha256GetContextSize (); >=20 > + CtxSize =3D Sha512GetContextSize (); >=20 > mHashCtx =3D AllocateRuntimePool (CtxSize); >=20 > if (mHashCtx =3D=3D NULL) { >=20 > return EFI_OUT_OF_RESOURCES; >=20 > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 66e2f5eaa3..f642aad64d 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .c 
> @@ -1606,6 +1606,35 @@ Done: > return VerifyStatus; >=20 > } >=20 >=20 >=20 > +/** >=20 > + Get Hash Alg by PcdSecureBootDefaultHashAlg >=20 > + >=20 > + @retval UINT32 Hash Alg >=20 > + **/ >=20 > +UINT32 >=20 > +GetDefaultHashAlg ( >=20 > + VOID >=20 > + ) >=20 > +{ >=20 > + UINT32 HashAlg; >=20 > + >=20 > + switch (PcdGet8 (PcdSecureBootDefaultHashAlg)) { >=20 > + case 1: >=20 > + DEBUG ((DEBUG_INFO, "%a use SHA384", __func__)); >=20 > + HashAlg =3D HASHALG_SHA384; >=20 > + break; >=20 > + case 2: >=20 > + DEBUG ((DEBUG_INFO, "%a use SHA512", __func__)); >=20 > + HashAlg =3D HASHALG_SHA512; >=20 > + break; >=20 > + default: >=20 > + DEBUG ((DEBUG_INFO, "%a use SHA256", __func__)); >=20 > + HashAlg =3D HASHALG_SHA256; >=20 > + break; >=20 > + } >=20 > + return HashAlg; >=20 > +} >=20 > + >=20 > /** >=20 > Provide verification service for signed images, which include both sig= nature > validation >=20 > and platform policy control. For signature types, both UEFI > WIN_CERTIFICATE_UEFI_GUID and >=20 > @@ -1620,7 +1649,7 @@ Done: > in the security database "db", and no valid signature nor any hash= value of > the image may >=20 > be reflected in the security database "dbx". >=20 > Otherwise, the image is not signed, >=20 > - The SHA256 hash value of the image must match a record in the secu= rity > database "db", and >=20 > + The hash value of the image must match a record in the security da= tabase > "db", and >=20 > not be reflected in the security data base "dbx". >=20 >=20 >=20 > Caution: This function may receive untrusted input. >=20 
> @@ -1832,10 +1861,10 @@ DxeImageVerificationHandler ( > // >=20 > if ((SecDataDir =3D=3D NULL) || (SecDataDir->Size =3D=3D 0)) { >=20 > // >=20 > - // This image is not signed. The SHA256 hash value of the image must= match > a record in the security database "db", >=20 > + // This image is not signed. The hash value of the image must match = a record > in the security database "db", >=20 > // and not be reflected in the security data base "dbx". >=20 > // >=20 > - if (!HashPeImage (HASHALG_SHA256)) { >=20 > + if (!HashPeImage (GetDefaultHashAlg ())) { >=20 > DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this = image > using %s.\n", mHashTypeStr)); >=20 > goto Failed; >=20 > } >=20 > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf > index 1e1a639857..f1ef9236c2 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .inf > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .inf > @@ -93,3 +93,4 @@ > gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy > ## SOMETIMES_CONSUMES >=20 > gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy > ## SOMETIMES_CONSUMES >=20 > gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy = ## > SOMETIMES_CONSUMES >=20 > + gEfiSecurityPkgTokenSpaceGuid.PcdSecureBootDefaultHashAlg = ## > CONSUMES >=20 > diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec > index 0382090f4e..4adc2a72ab 100644 > --- a/SecurityPkg/SecurityPkg.dec > +++ b/SecurityPkg/SecurityPkg.dec 
> @@ -521,6 +521,13 @@ > # @Prompt Skip Hdd Password prompt. >=20 >=20 > gEfiSecurityPkgTokenSpaceGuid.PcdSkipHddPasswordPrompt|FALSE|BOOLEAN| > 0x00010021 >=20 >=20 >=20 > + ## Indicates default hash algorithm in Secure Boot >=20 > + # 0 - Use SHA256 >=20 > + # 1 - Use SHA384 >=20 > + # 2 - Use SHA512 >=20 > + # @Prompt Secure Boot default hash algorithm >=20 > + > gEfiSecurityPkgTokenSpaceGuid.PcdSecureBootDefaultHashAlg|0|UINT8|0x000 > 10040 >=20 > + >=20 > [PcdsDynamic, PcdsDynamicEx] >=20 >=20 >=20 > ## This PCD indicates Hash mask for TPM 2.0. Bit definition strictly f= ollows TCG > Algorithm Registry.

>=20 > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > Dxe.inf > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > Dxe.inf > index 1671d5be7c..4b0012d033 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > Dxe.inf > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > Dxe.inf > @@ -70,6 +70,14 @@ > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type= of the > signature. >=20 > gEfiCertRsa2048Guid >=20 >=20 >=20 > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type= of the > signature. >=20 > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type= of the > signature. >=20 > + gEfiCertRsa3072Guid >=20 > + >=20 > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type= of the > signature. >=20 > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type= of the > signature. >=20 > + gEfiCertRsa4096Guid >=20 > + >=20 > ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type= of the > signature. >=20 > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type= of the > signature. >=20 > gEfiCertX509Guid >=20 > @@ -82,6 +90,14 @@ > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type= of the > signature. >=20 > gEfiCertSha256Guid >=20 >=20 >=20 > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type= of the > signature. >=20 > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type= of the > signature. >=20 > + gEfiCertSha384Guid >=20 > + >=20 > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type= of the > signature. >=20 > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type= of the > signature. >=20 > + gEfiCertSha512Guid >=20 > + >=20 > ## SOMETIMES_CONSUMES ## Variable:L"db" >=20 > ## SOMETIMES_PRODUCES ## Variable:L"db" >=20 > ## SOMETIMES_CONSUMES ## Variable:L"dbx" >=20 
> @@ -107,6 +123,9 @@ > gEfiCertX509Sha384Guid ## SOMETIMES_PRODUCES #= # GUID # > Unique ID for the type of the certificate. >=20 > gEfiCertX509Sha512Guid ## SOMETIMES_PRODUCES #= # GUID # > Unique ID for the type of the certificate. >=20 >=20 >=20 > +[Pcd] >=20 > + gEfiSecurityPkgTokenSpaceGuid.PcdSecureBootDefaultHashAlg = ## > CONSUMES >=20 > + >=20 > [Protocols] >=20 > gEfiHiiConfigAccessProtocolGuid ## PRODUCES >=20 > gEfiDevicePathProtocolGuid ## PRODUCES >=20 > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.c > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.c > index 4299a6b5e5..0ba029a394 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.c > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.c > @@ -560,7 +560,7 @@ ON_EXIT: >=20 >=20 > **/ >=20 > EFI_STATUS >=20 > -EnrollRsa2048ToKek ( >=20 > +EnrollRsaToKek ( >=20 > IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private >=20 > ) >=20 > { >=20 > @@ -603,8 +603,13 @@ EnrollRsa2048ToKek ( >=20 >=20 > ASSERT (KeyBlob !=3D NULL); >=20 > KeyInfo =3D (CPL_KEY_INFO *)KeyBlob; >=20 > - if (KeyInfo->KeyLengthInBits / 8 !=3D WIN_CERT_UEFI_RSA2048_SIZE) { >=20 > - DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is > supported.\n")); >=20 > + switch (KeyInfo->KeyLengthInBits / 8) { >=20 > + case WIN_CERT_UEFI_RSA2048_SIZE: >=20 > + case WIN_CERT_UEFI_RSA3072_SIZE: >=20 > + case WIN_CERT_UEFI_RSA4096_SIZE: >=20 > + break; >=20 > + default : >=20 > + DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048, RSA3072 > and RSA4096 are supported.\n")); >=20 > Status =3D EFI_UNSUPPORTED; >=20 > goto ON_EXIT; >=20 > } >=20 
> @@ -632,7 +637,7 @@ EnrollRsa2048ToKek ( > // >=20 > KekSigListSize =3D sizeof (EFI_SIGNATURE_LIST) >=20 > + sizeof (EFI_SIGNATURE_DATA) - 1 >=20 > - + WIN_CERT_UEFI_RSA2048_SIZE; >=20 > + + KeyLenInBytes; >=20 >=20 >=20 > KekSigList =3D (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSize)= ; >=20 > if (KekSigList =3D=3D NULL) { >=20 > @@ -642,17 +647,32 @@ EnrollRsa2048ToKek ( >=20 >=20 > KekSigList->SignatureListSize =3D sizeof (EFI_SIGNATURE_LIST) >=20 > + sizeof (EFI_SIGNATURE_DATA) - 1 >=20 > - + WIN_CERT_UEFI_RSA2048_SIZE; >=20 > + + (UINT32) KeyLenInBytes; >=20 > KekSigList->SignatureHeaderSize =3D 0; >=20 > - KekSigList->SignatureSize =3D sizeof (EFI_SIGNATURE_DATA) - 1 + > WIN_CERT_UEFI_RSA2048_SIZE; >=20 > - CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); >=20 > + KekSigList->SignatureSize =3D sizeof (EFI_SIGNATURE_DATA) - 1 + = (UINT32) > KeyLenInBytes; >=20 > + switch (KeyLenInBytes) { >=20 > + case WIN_CERT_UEFI_RSA2048_SIZE: >=20 > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); >=20 > + break; >=20 > + case WIN_CERT_UEFI_RSA3072_SIZE: >=20 > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid); >=20 > + break; >=20 > + case WIN_CERT_UEFI_RSA4096_SIZE: >=20 > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid); >=20 > + break; >=20 > + break; >=20 > + default : >=20 > + DEBUG ((DEBUG_ERROR, "Unsupported key length.\n")); >=20 > + Status =3D EFI_UNSUPPORTED; >=20 > + goto ON_EXIT; >=20 > + } >=20 >=20 >=20 > KEKSigData =3D (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof > (EFI_SIGNATURE_LIST)); >=20 > CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID); >=20 > CopyMem ( >=20 > KEKSigData->SignatureData, >=20 > KeyBlob + sizeof (CPL_KEY_INFO), >=20 > - WIN_CERT_UEFI_RSA2048_SIZE >=20 > + KeyLenInBytes >=20 > ); >=20 >=20 >=20 > // >=20 
> @@ -890,7 +910,7 @@ EnrollKeyExchangeKey ( > if (IsDerEncodeCertificate (FilePostFix)) { >=20 > return EnrollX509ToKek (Private); >=20 > } else if (CompareMem (FilePostFix, L".pbk", 4) =3D=3D 0) { >=20 > - return EnrollRsa2048ToKek (Private); >=20 > + return EnrollRsaToKek (Private); >=20 > } else { >=20 > // >=20 > // File type is wrong, simply close it >=20 > @@ -1847,7 +1867,7 @@ HashPeImage ( > SectionHeader =3D NULL; >=20 > Status =3D FALSE; >=20 >=20 >=20 > - if (HashAlg !=3D HASHALG_SHA256) { >=20 > + if ((HashAlg >=3D HASHALG_MAX)) { >=20 > return FALSE; >=20 > } >=20 >=20 >=20 > @@ -1856,8 +1876,25 @@ HashPeImage ( > // >=20 > ZeroMem (mImageDigest, MAX_DIGEST_SIZE); >=20 >=20 >=20 > - mImageDigestSize =3D SHA256_DIGEST_SIZE; >=20 > - mCertType =3D gEfiCertSha256Guid; >=20 > + switch (HashAlg) { >=20 > + case HASHALG_SHA256: >=20 > + mImageDigestSize =3D SHA256_DIGEST_SIZE; >=20 > + mCertType =3D gEfiCertSha256Guid; >=20 > + break; >=20 > + >=20 > + case HASHALG_SHA384: >=20 > + mImageDigestSize =3D SHA384_DIGEST_SIZE; >=20 > + mCertType =3D gEfiCertSha384Guid; >=20 > + break; >=20 > + >=20 > + case HASHALG_SHA512: >=20 > + mImageDigestSize =3D SHA512_DIGEST_SIZE; >=20 > + mCertType =3D gEfiCertSha512Guid; >=20 > + break; >=20 > + >=20 > + default: >=20 > + return FALSE; >=20 > + } >=20 >=20 >=20 > CtxSize =3D mHash[HashAlg].GetContextSize (); >=20 >=20 >=20 
> @@ -2222,6 +2259,35 @@ ON_EXIT: > return Status; >=20 > } >=20 >=20 >=20 > +/** >=20 > + Get Hash Alg by PcdSecureBootDefaultHashAlg >=20 > + >=20 > + @retval UINT32 Hash Alg >=20 > + **/ >=20 > +UINT32 >=20 > +GetDefaultHashAlg ( >=20 > + VOID >=20 > + ) >=20 > +{ >=20 > + UINT32 HashAlg; >=20 > + >=20 > + switch (PcdGet8 (PcdSecureBootDefaultHashAlg)) { >=20 > + case 1: >=20 > + DEBUG ((DEBUG_INFO, "%a use SHA384", __func__)); >=20 > + HashAlg =3D HASHALG_SHA384; >=20 > + break; >=20 > + case 2: >=20 > + DEBUG ((DEBUG_INFO, "%a use SHA512", __func__)); >=20 > + HashAlg =3D HASHALG_SHA512; >=20 > + break; >=20 > + default: >=20 > + DEBUG ((DEBUG_INFO, "%a use SHA256", __func__)); >=20 > + HashAlg =3D HASHALG_SHA256; >=20 > + break; >=20 > + } >=20 > + return HashAlg; >=20 > +} >=20 > + >=20 > /** >=20 > Enroll a new signature of executable into Signature Database. >=20 >=20 >=20 > @@ -2289,7 +2355,7 @@ EnrollImageSignatureToSigDB ( > } >=20 >=20 >=20 > if (mSecDataDir->SizeOfCert =3D=3D 0) { >=20 > - if (!HashPeImage (HASHALG_SHA256)) { >=20 > + if (!HashPeImage (GetDefaultHashAlg ())) { >=20 > Status =3D EFI_SECURITY_VIOLATION; >=20 > goto ON_EXIT; >=20 > } >=20 > @@ -2589,6 +2655,10 @@ UpdateDeletePage ( > while ((ItemDataSize > 0) && (ItemDataSize >=3D CertList->SignatureLis= tSize)) { >=20 > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)) { >=20 > Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID); >=20 > + } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Gu= id)) { >=20 > + Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA3072_SHA384_GUID); >=20 > + } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Gu= id)) { >=20 > + Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA4096_SHA512_GUID); >=20 > } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)= ) { >=20 > Help =3D STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID); >=20 > } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid)= ) { >=20 
> @@ -2750,6 +2820,8 @@ DeleteKeyExchangeKey ( > GuidIndex =3D 0; >=20 > while ((KekDataSize > 0) && (KekDataSize >=3D CertList->SignatureListS= ize)) { >=20 > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) || >=20 > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) || >=20 > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) || >=20 > CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) >=20 > { >=20 > CopyMem (Data + Offset, CertList, (sizeof (EFI_SIGNATURE_LIST) + C= ertList- > >SignatureHeaderSize)); >=20 > @@ -2952,6 +3024,8 @@ DeleteSignature ( > GuidIndex =3D 0; >=20 > while ((ItemDataSize > 0) && (ItemDataSize >=3D CertList->SignatureLis= tSize)) { >=20 > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) || >=20 > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) || >=20 > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) || >=20 > CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) || >=20 > CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) || >=20 > CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid) || >=20 
> @@ -3758,12 +3832,20 @@ LoadSignatureList ( > while ((RemainingSize > 0) && (RemainingSize >=3D ListWalker->Signatur= eListSize)) > { >=20 > if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa2048Guid)) = { >=20 > ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256); >=20 > + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa3072= Guid)) > { >=20 > + ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384); >=20 > + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa4096= Guid)) > { >=20 > + ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512); >=20 > } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Gui= d)) { >=20 > ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509); >=20 > } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha1Gui= d)) { >=20 > ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA1); >=20 > } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha256G= uid)) { >=20 > ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA256); >=20 > + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha384G= uid)) > { >=20 > + ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA384); >=20 > + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha512G= uid)) > { >=20 > + ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA512); >=20 > } else if (CompareGuid (&ListWalker->SignatureType, > &gEfiCertX509Sha256Guid)) { >=20 > ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); >=20 > } else if (CompareGuid (&ListWalker->SignatureType, > &gEfiCertX509Sha384Guid)) { >=20 
> @@ -4001,6 +4083,14 @@ FormatHelpInfo ( > ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256); >=20 > DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); >=20 > IsCert =3D TRUE; >=20 > + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa3072Gui= d)) { >=20 > + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384); >=20 > + DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); >=20 > + IsCert =3D TRUE; >=20 > + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa4096Gui= d)) { >=20 > + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512); >=20 > + DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); >=20 > + IsCert =3D TRUE; >=20 > } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Guid))= { >=20 > ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_X509); >=20 > DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); >=20 > @@ -4011,6 +4101,12 @@ FormatHelpInfo ( > } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha256Guid= )) { >=20 > ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA256); >=20 > DataSize =3D 32; >=20 > + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha384Guid= )) { >=20 > + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA384); >=20 > + DataSize =3D 48; >=20 > + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha512Guid= )) { >=20 > + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA512); >=20 > + DataSize =3D 64; >=20 > } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Sha256= Guid)) > { >=20 > ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); >=20 > DataSize =3D 32; >=20 
> diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.h > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.h > index 37c66f1b95..ae50d929a7 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.h > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.h > @@ -82,6 +82,8 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; > #define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE >=20 >=20 >=20 > #define WIN_CERT_UEFI_RSA2048_SIZE 256 >=20 > +#define WIN_CERT_UEFI_RSA3072_SIZE 384 >=20 > +#define WIN_CERT_UEFI_RSA4096_SIZE 512 >=20 >=20 >=20 > // >=20 > // Support hash types >=20 > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS > trings.uni > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS > trings.uni > index 0d01701de7..1b48acc800 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS > trings.uni > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS > trings.uni > @@ -113,6 +113,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP #language en-US > "Read the public key of KEK from file" >=20 > #string STR_FILE_EXPLORER_TITLE #language en-US "File = Explorer" >=20 > #string STR_CERT_TYPE_RSA2048_SHA256_GUID #language en-US > "RSA2048_SHA256_GUID" >=20 > +#string STR_CERT_TYPE_RSA3072_SHA384_GUID #language en-US > "RSA3072_SHA384_GUID" >=20 > +#string STR_CERT_TYPE_RSA4096_SHA512_GUID #language en-US > "RSA4096_SHA512_GUID" >=20 > #string STR_CERT_TYPE_PCKS7_GUID #language en-US "PKCS7= _GUID" >=20 > #string STR_CERT_TYPE_SHA1_GUID #language en-US "SHA1_= GUID" >=20 > #string STR_CERT_TYPE_SHA256_GUID #language en-US > "SHA256_GUID" >=20 
> @@ -121,9 +123,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #string STR_CERT_TYPE_X509_SHA512_GUID #language en-US > "X509_SHA512_GUID" >=20 >=20 >=20 > #string STR_LIST_TYPE_RSA2048_SHA256 #language en-US > "RSA2048_SHA256" >=20 > +#string STR_LIST_TYPE_RSA3072_SHA384 #language en-US > "RSA3072_SHA384" >=20 > +#string STR_LIST_TYPE_RSA4096_SHA512 #language en-US > "RSA4096_SHA512" >=20 > #string STR_LIST_TYPE_X509 #language en-US "X509" >=20 > #string STR_LIST_TYPE_SHA1 #language en-US "SHA1" >=20 > #string STR_LIST_TYPE_SHA256 #language en-US "SHA25= 6" >=20 > +#string STR_LIST_TYPE_SHA384 #language en-US "SHA38= 4" >=20 > +#string STR_LIST_TYPE_SHA512 #language en-US "SHA51= 2" >=20 > #string STR_LIST_TYPE_X509_SHA256 #language en-US > "X509_SHA256" >=20 > #string STR_LIST_TYPE_X509_SHA384 #language en-US > "X509_SHA384" >=20 > #string STR_LIST_TYPE_X509_SHA512 #language en-US > "X509_SHA512" >=20 > -- > 2.26.2.windows.1
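Review bot: the SHA384 and SHA512 branches added in the VerifyTimeBasedPayload hunk at @@ -2180 write 48 and 64 bytes into ShaDigest, but the buffer's declaration (formerly Sha256Digest) is outside this patch; please confirm it was resized to SHA512_DIGEST_SIZE (or MAX_DIGEST_SIZE), otherwise the new branches overrun a 32-byte buffer. The three branches differ only in the CertsSizeinDb constant and the CalculatePrivAuthVarSignChain*Digest callee; one call that dispatches on CertsSizeinDb would remove the duplicated `if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb, CertsSizeinDb) != 0)) { goto Exit; }` logic and make the buffer-size requirement visible in a single place.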
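Review bot: in the AuthVariableLibInitialize hunk at @@ -135, the single mHashCtx is now sized with `CtxSize = Sha512GetContextSize ();` but the library also runs SHA256 and SHA384 through that context, so the change silently assumes the SHA512 context is the largest of the three. Either add a comment stating that assumption next to the allocation, or allocate the maximum of the three GetContextSize () results, so a BaseCryptLib implementation with a larger SHA384 context cannot overrun the runtime pool allocation.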
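Review bot: GetDefaultHashAlg () is added verbatim twice, in DxeImageVerificationLib.c at @@ -1606 and in SecureBootConfigImpl.c at @@ -2222; please put the PCD-to-HASHALG mapping in one shared place so the verifier and the enrollment UI cannot drift apart. In both copies the DEBUG strings ("%a use SHA384", "%a use SHA512", "%a use SHA256") lack a trailing "\n" and will run into the next debug line, and the `case 1:` / `case 2:` values are magic numbers documented only by the .dec comment; a named define or enum for the PcdSecureBootDefaultHashAlg values would make the switch self-explanatory.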
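Review bot: in the DxeImageVerificationHandler hunk at @@ -1832, the unsigned-image path now hashes with only the PCD-selected algorithm, so both the db match and the "not be reflected in the security data base dbx" check named in the updated comment are performed against a single digest type. If a platform changes PcdSecureBootDefaultHashAlg after SHA256 hash entries have been enrolled, previously enrolled db entries stop matching (a boot failure), and, more importantly, existing SHA256 dbx entries are no longer consulted for unsigned images, so an image that was revoked by hash is no longer rejected. Consider computing the digest for each hash type present in db/dbx (or at least always checking dbx with SHA256 in addition to the configured algorithm), and state in the PCD help text that changing the value affects existing hash entries.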
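Review bot: the new PcdSecureBootDefaultHashAlg entry at @@ -521 in SecurityPkg.dec lists the values 0/1/2 but not what the PCD governs; please state in the help text that it selects the digest used to hash unsigned PE images for db/dbx matching in DxeImageVerificationLib and for image enrollment in SecureBootConfigDxe, and that any other value falls back to SHA256 in GetDefaultHashAlg (). Please also confirm the token number 0x00010040 does not collide with an existing token in the .dec, since the hunk only shows the neighbouring 0x00010021.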
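Review bot: in the EnrollRsaToKek hunk at @@ -603 the length check is now a switch on `KeyInfo->KeyLengthInBits / 8`, while the later hunks at @@ -632 and @@ -642 use a KeyLenInBytes variable whose assignment is not in this patch; please confirm it is set from the same expression before its first use, so the validated length and the length written into SignatureSize and passed to CopyMem cannot diverge. Minor style: `default :` should be `default:` to match the rest of the file, and the doc block of the renamed function (the `**/` just above the rename at @@ -560) is not shown, so check it no longer says only RSA2048 is accepted.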
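Review bot: in the second switch of the EnrollRsaToKek hunk at @@ -642 there is a duplicated `break; break;` after the WIN_CERT_UEFI_RSA4096_SIZE case; drop the second one. The default branch there is unreachable because the same three sizes were already validated at @@ -603; keeping it as defence in depth is fine, but a comment saying so, or an ASSERT, would make the intent clear. The `(UINT32) KeyLenInBytes` casts on SignatureListSize and SignatureSize, with no cast in the KekSigListSize computation at @@ -632, suggest KeyLenInBytes is a UINTN; the arithmetic is consistent either way, but the mixed style is worth aligning.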
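Review bot: in the HashPeImage hunk at @@ -1847 the guard `if ((HashAlg >= HASHALG_MAX))` has a redundant pair of parentheses and is itself made redundant by the switch added at @@ -1856, whose default returns FALSE for anything other than SHA256/SHA384/SHA512; keep one of the two checks, preferably the switch since it is the more precise. Note that mCertType for a SHA384 or SHA512 digest becomes gEfiCertSha384Guid or gEfiCertSha512Guid, which EnrollImageSignatureToSigDB (@@ -2289) then writes into db, so the signature type of every image enrolled through the UI follows the PCD value at enrollment time.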
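Review bot: in the FormatHelpInfo hunk at @@ -4011 the new branches hardcode `DataSize = 48;` and `DataSize = 64;`; prefer SHA384_DIGEST_SIZE and SHA512_DIGEST_SIZE (MAX_DIGEST_SIZE in SecureBootConfigImpl.h is already defined in terms of SHA512_DIGEST_SIZE) so the display sizes cannot drift from the constants HashPeImage uses for mImageDigestSize.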