From: "Yao, Jiewen"
To: "Sheng, W", "devel@edk2.groups.io"
CC: "Wang, Jian J", "Xu, Min M", "Chen, Zeyi", "Wang, Fiona"
Subject: Re: [PATCH] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
Date: Thu, 6 Jul 2023 07:06:25 +0000
References: <20230525052316.512-1-w.sheng@intel.com>

CPL_KEY_INFO is not standard, but an implementation choice.
I notice the KeyType field is not used today. I assume it is 0 today. Can we use 0 to indicate RSASSA?

Thank you
Yao, Jiewen

> -----Original Message-----
> From: Sheng, W
> Sent: Thursday, July 6, 2023 2:48 PM
> To: Yao, Jiewen; devel@edk2.groups.io
> Cc: Wang, Jian J; Xu, Min M; Chen, Zeyi; Wang, Fiona
> Subject: RE: [PATCH] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
>
> Hi Jiewen,
> I raised the patch V3, and I also attached the patch file.
> For 4,
> My solution is below.
> When enrolling the unsigned image, BIOS will select the most complex supported hash algorithm to get the hash.
> When doing the verification, BIOS will try all supported hash algorithms in "db" and "dbx".
>
> For 5.
> The struct of CPL_KEY_INFO should be bound to the .pbk file format.
> I cannot find the spec of the .pbk file. I cannot change the struct items.
> Do you know where to find the spec of the public key storing file (*.pbk)?
> Or is the *.pbk file a legacy file format? We do not need to change this part and keep it for RSA 2048 only?
>
> Thank you
> BR
> Sheng Wei
>
> > -----Original Message-----
> > From: Yao, Jiewen
> > Sent: June 30, 2023 19:57
> > To: Sheng, W; devel@edk2.groups.io
> > Cc: Wang, Jian J; Xu, Min M; Chen, Zeyi; Wang, Fiona
> > Subject: RE: [PATCH] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
> >
> > For 4, I think we can enroll all supported algorithms, or the active algorithm. I don't think the PCD is needed.
> >
> > For 5, I suggest to change the data structure to include the algorithm ID.
> >
> > Thank you
> > Yao, Jiewen
> >
> >
> > > -----Original Message-----
> > > From: Sheng, W
> > > Sent: Friday, June 30, 2023 3:52 PM
> > > To: Yao, Jiewen; devel@edk2.groups.io
> > > Cc: Wang, Jian J; Xu, Min M; Chen, Zeyi; Wang, Fiona
> > > Subject: RE: [PATCH] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
> > >
> > > Hi Jiewen,
> > > I raised the patch V2.
> > > I did the fix for 1), 2), 3).
> > > But for 4) 5), I have the below comments.
> > >
> > > 4) I am not sure why we need this PCD. Why cannot we support all hash algos?
> > >
> > > + ## Indicates default hash algorithm in Secure Boot
> > > + # 0 - Use SHA256
> > > + # 1 - Use SHA384
> > > + # 2 - Use SHA512
> > > + # @Prompt Secure Boot default hash algorithm
> > > + gEfiSecurityPkgTokenSpaceGuid.PcdSecureBootDefaultHashAlg|0|UINT8|0x00010040
> > >
> > > PCD PcdSecureBootDefaultHashAlg is used for the only case of enrolling an unsigned image.
> > > The original logic is BIOS will generate a SHA256 digest for this unsigned image and save it.
> > > The PCD is used to select the hash algorithm for this case.
> > > So we have to use a PCD to select the algorithm manually.
> > >
> > >
> > > 5) I don't believe that you can use size to determine the algorithm. We need a more robust way, such as algorithm ID.
> > >
> > > + switch (KeyLenInBytes) {
> > > + case WIN_CERT_UEFI_RSA2048_SIZE:
> > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
> > > + break;
> > > + case WIN_CERT_UEFI_RSA3072_SIZE:
> > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid);
> > > + break;
> > > + case WIN_CERT_UEFI_RSA4096_SIZE:
> > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid);
> > > + break;
> > > + break;
> > >
> > > This code is used when enrolling an RSA public key storing file (*.pbk).
> > > Here is the header struct of this file.
> > > typedef struct _CPL_KEY_INFO {
> > >   UINT32 KeyLengthInBits;   // Key Length In Bits
> > >   UINT32 BlockSize;         // Operation Block Size in Bytes
> > >   UINT32 CipherBlockSize;   // Output Cipher Block Size in Bytes
> > >   UINT32 KeyType;           // Key Type
> > >   UINT32 CipherMode;        // Cipher Mode for Symmetric Algorithm
> > >   UINT32 Flags;             // Additional Key Property Flags
> > > } CPL_KEY_INFO;
> > > Edk2/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
> > > We can only get to know the RSA algorithm by KeyLengthInBits. (RSA2048/RSA3072/RSA4096)
> > >
> > > Thank you.
> > > BR
> > > Sheng Wei
> > >
> > > > -----Original Message-----
> > > > From: Yao, Jiewen
> > > > Sent: June 22, 2023 15:22
> > > > To: Sheng, W; devel@edk2.groups.io
> > > > Cc: Wang, Jian J; Xu, Min M; Chen, Zeyi; Wang, Fiona
> > > > Subject: RE: [PATCH] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
> > > >
> > > > Thank you very much for contributing this patch. Here is my feedback.
> > > >
> > > > 1) I don't believe that you can use digest size to determine the algorithm, because different hash algorithms may have the same size. E.g. SHA256 and SHA3_256.
> > > >
> > > > + if (DigestSize == SHA256_DIGEST_SIZE) {
> > > > + Status = CalculatePrivAuthVarSignChainSHA256Digest (
> > > > + SignerCert,
> > > > + SignerCertSize,
> > > > + TopLevelCert,
> > > > + TopLevelCertSize,
> > > > + ShaDigest
> > > > + );
> > > >
> > > > 2) I don't believe that you can assume CtxSize of SHA512 is bigger than SHA256. I think we may need to create a context for each algo.
> > > >
> > > > @@ -135,7 +135,7 @@ AuthVariableLibInitialize (
> > > >   //
> > > >   // Initialize hash context.
> > > >   //
> > > > - CtxSize = Sha256GetContextSize ();
> > > > + CtxSize = Sha512GetContextSize ();
> > > >   mHashCtx = AllocateRuntimePool (CtxSize);
> > > >   if (mHashCtx == NULL) {
> > > >
> > > > 3) I believe we should use 0 for SHA256 and ASSERT in default.
> > > >
> > > > + switch (PcdGet8 (PcdSecureBootDefaultHashAlg)) {
> > > > + case 1:
> > > > + DEBUG ((DEBUG_INFO, "%a use SHA384", __func__));
> > > > + HashAlg = HASHALG_SHA384;
> > > > + break;
> > > > + case 2:
> > > > + DEBUG ((DEBUG_INFO, "%a use SHA512", __func__));
> > > > + HashAlg = HASHALG_SHA512;
> > > > + break;
> > > > + default:
> > > > + DEBUG ((DEBUG_INFO, "%a use SHA256", __func__));
> > > > + HashAlg = HASHALG_SHA256;
> > > > + break;
> > > > + }
> > > >
> > > > 4) I am not sure why we need this PCD. Why cannot we support all hash algos?
> > > >
> > > > + ## Indicates default hash algorithm in Secure Boot
> > > > + # 0 - Use SHA256
> > > > + # 1 - Use SHA384
> > > > + # 2 - Use SHA512
> > > > + # @Prompt Secure Boot default hash algorithm
> > > > + gEfiSecurityPkgTokenSpaceGuid.PcdSecureBootDefaultHashAlg|0|UINT8|0x00010040
> > > >
> > > > 5) I don't believe that you can use size to determine the algorithm. We need a more robust way, such as algorithm ID.
> > > >
> > > > + switch (KeyLenInBytes) {
> > > > + case WIN_CERT_UEFI_RSA2048_SIZE:
> > > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
> > > > + break;
> > > > + case WIN_CERT_UEFI_RSA3072_SIZE:
> > > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid);
> > > > + break;
> > > > + case WIN_CERT_UEFI_RSA4096_SIZE:
> > > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid);
> > > > + break;
> > > > + break;
> > > >
> > > > Thank you
> > > > Yao, Jiewen
> > > >
> > > > > -----Original Message-----
> > > > > From: Sheng, W > > > > > Sent: Thursday, May 25, 2023 1:23 PM > > > > > To: devel@edk2.groups.io > > > > > Cc: Yao, Jiewen ; Wang, Jian J > > > > > ; Xu, Min M ; Chen, > > Zeyi > > > > > ; Wang, Fiona > > > > > Subject: [PATCH] SecurityPkg/SecureBoot: Support RSA 512 and RSA > > 384 > > > > > > > > > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3413 > > > > > > > > > > Cc: Jiewen Yao > > > > > Cc: Jian J Wang > > > > > Cc: Min Xu > > > > > Cc: Zeyi Chen > > > > > Cc: Fiona Wang > > > > > Signed-off-by: Sheng Wei > > > > > --- > > > > > CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- > > > > > MdePkg/Include/Guid/ImageAuthentication.h | 26 ++ > > > > > MdePkg/MdePkg.dec | 2 + > > > > > .../Library/AuthVariableLib/AuthService.c | 272 ++++++++++++= ++++- > > - > > > > > .../Library/AuthVariableLib/AuthVariableLib.c | 4 +- > > > > > .../DxeImageVerificationLib.c | 35 ++- > > > > > .../DxeImageVerificationLib.inf | 1 + > > > > > SecurityPkg/SecurityPkg.dec | 7 + > > > > > .../SecureBootConfigDxe.inf | 19 ++ > > > > > .../SecureBootConfigImpl.c | 122 +++++++- > > > > > .../SecureBootConfigImpl.h | 2 + > > > > > .../SecureBootConfigStrings.uni | 6 + > > > > > 12 files changed, 463 insertions(+), 36 deletions(-) > > > > > > > > > > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > > > > > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > > > > > index 027dbb6842..944bcf8d38 100644 > > > > > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > > > > > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c 
> > > > > @@ -591,7 +591,8 @@ ImageTimestampVerify ( > > > > > // Register & Initialize necessary digest algorithms for PKCS#= 7 Handling. > > > > > > > > > > // > > > > > > > > > > if ((EVP_add_digest (EVP_md5 ()) =3D=3D 0) || (EVP_add_digest > > (EVP_sha1 > > > > > ()) =3D=3D 0) > > > > > || > > > > > > > > > > - (EVP_add_digest (EVP_sha256 ()) =3D=3D 0) || ((EVP_add_dig= est_alias > > > > > (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) =3D=3D 0)) > > > > > > > > > > + (EVP_add_digest (EVP_sha256 ()) =3D=3D 0) || (EVP_add_dige= st > > > > > + (EVP_sha384 ()) > > > > > =3D=3D 0) || > > > > > > > > > > + (EVP_add_digest (EVP_sha512 ()) =3D=3D 0) || ((EVP_add_dig= est_alias > > > > > (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) =3D=3D 0)) > > > > > > > > > > { > > > > > > > > > > return FALSE; > > > > > > > > > > } > > > > > > > > > > diff --git a/MdePkg/Include/Guid/ImageAuthentication.h > > > > > b/MdePkg/Include/Guid/ImageAuthentication.h > > > > > index fe83596571..c8ea2c14fb 100644 > > > > > --- a/MdePkg/Include/Guid/ImageAuthentication.h > > > > > +++ b/MdePkg/Include/Guid/ImageAuthentication.h 
> > > > > @@ -144,6 +144,30 @@ typedef struct { > > > > > 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0= x85, > > > > > 0xb3, 0xb6} \ > > > > > > > > > > } > > > > > > > > > > > > > > > > > > > > +/// > > > > > > > > > > +/// This identifies a signature containing an RSA-3072 key. The = key > > > > > +(only the > > > > > modulus > > > > > > > > > > +/// since the public key exponent is known to be 0x10001) shall = be > > > > > +stored in big- > > > > > endian > > > > > > > > > > +/// order. > > > > > > > > > > +/// The SignatureHeader size shall always be 0. The SignatureSiz= e > > > > > +shall always > > > > > be 16 (size > > > > > > > > > > +/// of SignatureOwner component) + 384 bytes. > > > > > > > > > > +/// > > > > > > > > > > +#define EFI_CERT_RSA3072_GUID \ > > > > > > > > > > + { \ > > > > > > > > > > + 0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0= x89, > > > > > + 0xee, > > > > > 0x92 } \ > > > > > > > > > > + } > > > > > > > > > > + > > > > > > > > > > +/// > > > > > > > > > > +/// This identifies a signature containing an RSA-4096 key. The = key > > > > > +(only the > > > > > modulus > > > > > > > > > > +/// since the public key exponent is known to be 0x10001) shall = be > > > > > +stored in big- > > > > > endian > > > > > > > > > > +/// order. > > > > > > > > > > +/// The SignatureHeader size shall always be 0. The SignatureSiz= e > > > > > +shall always > > > > > be 16 (size > > > > > > > > > > +/// of SignatureOwner component) + 512 bytes. > > > > > > > > > > +/// > > > > > > > > > > +#define EFI_CERT_RSA4096_GUID \ > > > > > > > > > > + { \ > > > > > > > > > > + 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0= x00, > > > > > + 0x98, > > > > > 0x2c } \ > > > > > > > > > > + } > > > > > > > > > > + > > > > > > > > > > /// > > > > > > > > > > /// This identifies a signature containing a RSA-2048 signature = of a > > > > > SHA-256 hash. The > > > > > > > > > > /// SignatureHeader size shall always be 0. 
The SignatureSize sh= all > > > > > always be 16 (size of > > > > > > > > > > @@ -330,6 +354,8 @@ typedef struct { > > > > > extern EFI_GUID gEfiImageSecurityDatabaseGuid; > > > > > > > > > > extern EFI_GUID gEfiCertSha256Guid; > > > > > > > > > > extern EFI_GUID gEfiCertRsa2048Guid; > > > > > > > > > > +extern EFI_GUID gEfiCertRsa3072Guid; > > > > > > > > > > +extern EFI_GUID gEfiCertRsa4096Guid; > > > > > > > > > > extern EFI_GUID gEfiCertRsa2048Sha256Guid; > > > > > > > > > > extern EFI_GUID gEfiCertSha1Guid; > > > > > > > > > > extern EFI_GUID gEfiCertRsa2048Sha1Guid; > > > > > > > > > > diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index > > > > > 80b6559053..782f6d184d 100644 > > > > > --- a/MdePkg/MdePkg.dec > > > > > +++ b/MdePkg/MdePkg.dec > > > > > @@ -562,6 +562,8 @@ > > > > > gEfiImageSecurityDatabaseGuid =3D { 0xd719b2cb, 0x3d3a, 0x459= 6, > > > > > {0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f }} > > > > > > > > > > gEfiCertSha256Guid =3D { 0xc1c41626, 0x504c, 0x409= 2, {0xac, 0xa9, > > > > 0x41, > > > > > 0xf9, 0x36, 0x93, 0x43, 0x28 }} > > > > > > > > > > gEfiCertRsa2048Guid =3D { 0x3c5766e8, 0x269c, 0x4e3= 4, {0xaa, > 0x14, > > > > 0xed, > > > > > 0x77, 0x6e, 0x85, 0xb3, 0xb6 }} > > > > > > > > > > + gEfiCertRsa3072Guid =3D { 0xedd320c2, 0xb057, 0x4b8= e, {0xad, > > 0x46, > > > > > 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }} > > > > > > > > > > + gEfiCertRsa4096Guid =3D { 0xb23e89a6, 0x8c8b, 0x441= 2, {0x85, > > 0x73, > > > > > 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c }} > > > > > > > > > > gEfiCertRsa2048Sha256Guid =3D { 0xe2b36190, 0x879b, 0x4a3= d, {0xad, > > > > 0x8d, > > > > > 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }} > > > > > > > > > > gEfiCertSha1Guid =3D { 0x826ca512, 0xcf10, 0x4ac= 9, {0xb1, 0x87, > > > 0xbe, > > > > > 0x1, 0x49, 0x66, 0x31, 0xbd }} > > > > > > > > > > gEfiCertRsa2048Sha1Guid =3D { 0x67f8444f, 0x8743, 0x48f= 1, {0xa3, > > 0x28, > > > > > 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }} 
> > > > > > > > > > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c > > > > > b/SecurityPkg/Library/AuthVariableLib/AuthService.c > > > > > index 452ed491ea..288e44a359 100644 > > > > > --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c > > > > > +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c > > > > > @@ -29,12 +29,16 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > > > > > #include > > > > > > > > > > #include > > > > > > > > > > > > > > > > > > > > +#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE > > > > > > > > > > + > > > > > > > > > > // > > > > > > > > > > // Public Exponent of RSA Key. > > > > > > > > > > // > > > > > > > > > > CONST UINT8 mRsaE[] =3D { 0x01, 0x00, 0x01 }; > > > > > > > > > > > > > > > > > > > > CONST UINT8 mSha256OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x6= 5, > > > > > 0x03, 0x04, 0x02, 0x01 }; > > > > > > > > > > +CONST UINT8 mSha384OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x6= 5, > > > > > +0x03, > > > > > 0x04, 0x02, 0x02 }; > > > > > > > > > > +CONST UINT8 mSha512OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x6= 5, > > > > > +0x03, > > > > > 0x04, 0x02, 0x03 }; > > > > > > > > > > > > > > > > > > > > // > > > > > > > > > > // Requirement for different signature type which have been defi= ned > > > > > in UEFI spec. > > > > > > > > > > @@ -44,6 +48,8 @@ EFI_SIGNATURE_ITEM mSupportSigItem[] =3D { > > > > > // {SigType, SigHeaderSize, SigDataSiz= e } > > > > > > > > > > { EFI_CERT_SHA256_GUID, 0, 32 }, > > > > > > > > > > { EFI_CERT_RSA2048_GUID, 0, 256 }, > > > > > > > > > > + { EFI_CERT_RSA3072_GUID, 0, 384 }, > > > > > > > > > > + { EFI_CERT_RSA4096_GUID, 0, 512 }, > > > > > > > > > > { EFI_CERT_RSA2048_SHA256_GUID, 0, 256 }, > > > > > > > > > > { EFI_CERT_SHA1_GUID, 0, 20 }, > > > > > > > > > > { EFI_CERT_RSA2048_SHA1_GUID, 0, 256 }, 
> > > > > > > > > > @@ -1172,6 +1178,172 @@ > > CalculatePrivAuthVarSignChainSHA256Digest ( > > > > > return EFI_SUCCESS; > > > > > > > > > > } > > > > > > > > > > > > > > > > > > > > +/** > > > > > > > > > > + Calculate SHA38 digest of SignerCert CommonName + ToplevelCert > > > > > tbsCertificate > > > > > > > > > > + SignerCert and ToplevelCert are inside the signer certificate = chain. > > > > > > > > > > + > > > > > > > > > > + @param[in] SignerCert A pointer to SignerCert data. > > > > > > > > > > + @param[in] SignerCertSize Length of SignerCert data. > > > > > > > > > > + @param[in] TopLevelCert A pointer to TopLevelCert data= . > > > > > > > > > > + @param[in] TopLevelCertSize Length of TopLevelCert data. > > > > > > > > > > + @param[out] Sha384Digest Sha384 digest calculated. > > > > > > > > > > + > > > > > > > > > > + @return EFI_ABORTED Digest process failed. > > > > > > > > > > + @return EFI_SUCCESS SHA384 Digest is successfully cal= culated. > > > > > > > > > > + > > > > > > > > > > +**/ > > > > > > > > > > +EFI_STATUS > > > > > > > > > > +CalculatePrivAuthVarSignChainSHA384Digest ( > > > > > > > > > > + IN UINT8 *SignerCert, > > > > > > > > > > + IN UINTN SignerCertSize, > > > > > > > > > > + IN UINT8 *TopLevelCert, > > > > > > > > > > + IN UINTN TopLevelCertSize, > > > > > > > > > > + OUT UINT8 *Sha384Digest > > > > > > > > > > + ) > > > > > > > > > > +{ > > > > > > > > > > + UINT8 *TbsCert; > > > > > > > > > > + UINTN TbsCertSize; > > > > > > > > > > + CHAR8 CertCommonName[128]; > > > > > > > > > > + UINTN CertCommonNameSize; > > > > > > > > > > + BOOLEAN CryptoStatus; > > > > > > > > > > + EFI_STATUS Status; > > > > > > > > > > + > > > > > > > > > > + CertCommonNameSize =3D sizeof (CertCommonName); > > > > > > > > > > + > > > > > > > > > > + // > > > > > > > > > > + // Get SignerCert CommonName > > > > > > > > > > + // > > > > > > > > > > + Status =3D X509GetCommonName (SignerCert, SignerCertSize, > > > > > CertCommonName, &CertCommonNameSize); > > 
> > > > > > > > + if (EFI_ERROR (Status)) { > > > > > > > > > > + DEBUG ((DEBUG_INFO, "%a Get SignerCert CommonName failed > > with > > > > > status %x\n", __FUNCTION__, Status)); > > > > > > > > > > + return EFI_ABORTED; > > > > > > > > > > + } > > > > > > > > > > + > > > > > > > > > > + // > > > > > > > > > > + // Get TopLevelCert tbsCertificate > > > > > > > > > > + // > > > > > > > > > > + if (!X509GetTBSCert (TopLevelCert, TopLevelCertSize, &TbsCert, > > > > > &TbsCertSize)) { > > > > > > > > > > + DEBUG ((DEBUG_INFO, "%a Get Top-level Cert tbsCertificate > > > > > + failed!\n", > > > > > __FUNCTION__)); > > > > > > > > > > + return EFI_ABORTED; > > > > > > > > > > + } > > > > > > > > > > + > > > > > > > > > > + // > > > > > > > > > > + // Digest SignerCert CN + TopLevelCert tbsCertificate > > > > > > > > > > + // > > > > > > > > > > + ZeroMem (Sha384Digest, SHA384_DIGEST_SIZE); > > > > > > > > > > + CryptoStatus =3D Sha384Init (mHashCtx); > > > > > > > > > > + if (!CryptoStatus) { > > > > > > > > > > + return EFI_ABORTED; > > > > > > > > > > + } > > > > > > > > > > + > > > > > > > > > > + // > > > > > > > > > > + // '\0' is forced in CertCommonName. 
No overflow issue > > > > > > > > > > + // > > > > > > > > > > + CryptoStatus =3D Sha384Update ( > > > > > > > > > > + mHashCtx, > > > > > > > > > > + CertCommonName, > > > > > > > > > > + AsciiStrLen (CertCommonName) > > > > > > > > > > + ); > > > > > > > > > > + if (!CryptoStatus) { > > > > > > > > > > + return EFI_ABORTED; > > > > > > > > > > + } > > > > > > > > > > + > > > > > > > > > > + CryptoStatus =3D Sha384Update (mHashCtx, TbsCert, TbsCertSize)= ; > > > > > > > > > > + if (!CryptoStatus) { > > > > > > > > > > + return EFI_ABORTED; > > > > > > > > > > + } > > > > > > > > > > + > > > > > > > > > > + CryptoStatus =3D Sha384Final (mHashCtx, Sha384Digest); > > > > > > > > > > + if (!CryptoStatus) { > > > > > > > > > > + return EFI_ABORTED; > > > > > > > > > > + } > > > > > > > > > > + > > > > > > > > > > + return EFI_SUCCESS; > > > > > > > > > > +} > > > > > > > > > > + > > > > > > > > > > +/** > > > > > > > > > > + Calculate SHA512 digest of SignerCert CommonName + ToplevelCer= t > > > > > tbsCertificate > > > > > > > > > > + SignerCert and ToplevelCert are inside the signer certificate = chain. > > > > > > > > > > + > > > > > > > > > > + @param[in] SignerCert A pointer to SignerCert data. > > > > > > > > > > + @param[in] SignerCertSize Length of SignerCert data. > > > > > > > > > > + @param[in] TopLevelCert A pointer to TopLevelCert data= . > > > > > > > > > > + @param[in] TopLevelCertSize Length of TopLevelCert data. > > > > > > > > > > + @param[out] Sha512Digest Sha512 digest calculated. > > > > > > > > > > + > > > > > > > > > > + @return EFI_ABORTED Digest process failed. > > > > > > > > > > + @return EFI_SUCCESS SHA512 Digest is successfully cal= culated. 
> > > > > > > > > > + > > > > > > > > > > +**/ > > > > > > > > > > +EFI_STATUS > > > > > > > > > > +CalculatePrivAuthVarSignChainSHA512Digest ( > > > > > > > > > > + IN UINT8 *SignerCert, > > > > > > > > > > + IN UINTN SignerCertSize, > > > > > > > > > > + IN UINT8 *TopLevelCert, > > > > > > > > > > + IN UINTN TopLevelCertSize, > > > > > > > > > > + OUT UINT8 *Sha512Digest > > > > > > > > > > + ) > > > > > > > > > > +{ > > > > > > > > > > + UINT8 *TbsCert; > > > > > > > > > > + UINTN TbsCertSize; > > > > > > > > > > + CHAR8 CertCommonName[128]; > > > > > > > > > > + UINTN CertCommonNameSize; > > > > > > > > > > + BOOLEAN CryptoStatus; > > > > > > > > > > + EFI_STATUS Status; > > > > > > > > > > + > > > > > > > > > > + CertCommonNameSize =3D sizeof (CertCommonName); > > > > > > > > > > + > > > > > > > > > > + // > > > > > > > > > > + // Get SignerCert CommonName > > > > > > > > > > + // > > > > > > > > > > + Status =3D X509GetCommonName (SignerCert, SignerCertSize, > > > > > CertCommonName, &CertCommonNameSize); > > > > > > > > > > + if (EFI_ERROR (Status)) { > > > > > > > > > > + DEBUG ((DEBUG_INFO, "%a Get SignerCert CommonName failed > > with > > > > > status %x\n", __FUNCTION__, Status)); > > > > > > > > > > + return EFI_ABORTED; > > > > > > > > > > + } > > > > > > > > > > + > > > > > > > > > > + // > > > > > > > > > > + // Get TopLevelCert tbsCertificate > > > > > > > > > > + // > > > > > > > > > > + if (!X509GetTBSCert (TopLevelCert, TopLevelCertSize, &TbsCert, > > > > > &TbsCertSize)) { > > > > > > > > > > + DEBUG ((DEBUG_INFO, "%a Get Top-level Cert tbsCertificate > > > > > + failed!\n", > > > > > __FUNCTION__)); > > > > > > > > > > + return EFI_ABORTED; > > > > > > > > > > + } > > > > > > > > > > + > > > > > > > > > > + // > > > > > > > > > > + // Digest SignerCert CN + TopLevelCert tbsCertificate > > > > > > > > > > + // > > > > > > > > > > + ZeroMem (Sha512Digest, SHA512_DIGEST_SIZE); > > > > > > > > > > + CryptoStatus =3D Sha512Init (mHashCtx); > > > > > 
> > > > > + if (!CryptoStatus) { > > > > > > > > > > + return EFI_ABORTED; > > > > > > > > > > + } > > > > > > > > > > + > > > > > > > > > > + // > > > > > > > > > > + // '\0' is forced in CertCommonName. No overflow issue > > > > > > > > > > + // > > > > > > > > > > + CryptoStatus =3D Sha512Update ( > > > > > > > > > > + mHashCtx, > > > > > > > > > > + CertCommonName, > > > > > > > > > > + AsciiStrLen (CertCommonName) > > > > > > > > > > + ); > > > > > > > > > > + if (!CryptoStatus) { > > > > > > > > > > + return EFI_ABORTED; > > > > > > > > > > + } > > > > > > > > > > + > > > > > > > > > > + CryptoStatus =3D Sha512Update (mHashCtx, TbsCert, TbsCertSize)= ; > > > > > > > > > > + if (!CryptoStatus) { > > > > > > > > > > + return EFI_ABORTED; > > > > > > > > > > + } > > > > > > > > > > + > > > > > > > > > > + CryptoStatus =3D Sha512Final (mHashCtx, Sha512Digest); > > > > > > > > > > + if (!CryptoStatus) { > > > > > > > > > > + return EFI_ABORTED; > > > > > > > > > > + } > > > > > > > > > > + > > > > > > > > > > + return EFI_SUCCESS; > > > > > > > > > > +} > > > > > > > > > > + > > > > > > > > > > /** > > > > > > > > > > Find matching signer's certificates for common authenticated > > > > > variable > > > > > > > > > > by corresponding VariableName and VendorGuid from "certdb" or > > > > "certdbv". > > > > > > > > > > @@ -1526,6 +1698,7 @@ DeleteCertsFromDb ( > > > > > @param[in] SignerCertSize Length of signer certificate. > > > > > > > > > > @param[in] TopLevelCert Top-level certificate data. > > > > > > > > > > @param[in] TopLevelCertSize Length of top-level certificate. > > > > > > > > > > + @param[in] DigestSize Digest Size. > > > > > > > > > > > > > > > > > > > > @retval EFI_INVALID_PARAMETER Any input parameter is invalid. > > > > > > > > > > @retval EFI_ACCESS_DENIED An AUTH_CERT_DB_DATA entry with > > > > same > > > > > VariableName 
> > > > > > > > > > @@ -1542,7 +1715,8 @@ InsertCertsToDb ( > > > > > IN UINT8 *SignerCert, > > > > > > > > > > IN UINTN SignerCertSize, > > > > > > > > > > IN UINT8 *TopLevelCert, > > > > > > > > > > - IN UINTN TopLevelCertSize > > > > > > > > > > + IN UINTN TopLevelCertSize, > > > > > > > > > > + IN UINT32 DigestSize > > > > > > > > > > ) > > > > > > > > > > { > > > > > > > > > > EFI_STATUS Status; > > > > > > > > > > @@ -1556,7 +1730,7 @@ InsertCertsToDb ( > > > > > UINT32 CertDataSize; > > > > > > > > > > AUTH_CERT_DB_DATA *Ptr; > > > > > > > > > > CHAR16 *DbName; > > > > > > > > > > - UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; > > > > > > > > > > + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; > > > > > > > > > > > > > > > > > > > > if ((VariableName =3D=3D NULL) || (VendorGuid =3D=3D NULL) || = (SignerCert > > > > > =3D=3D NULL) > > > > > || (TopLevelCert =3D=3D NULL)) { > > > > > > > > > > return EFI_INVALID_PARAMETER; 
> > > > > > > > > > @@ -1618,20 +1792,41 @@ InsertCertsToDb ( > > > > > // Construct new data content of variable "certdb" or "certdbv= ". > > > > > > > > > > // > > > > > > > > > > NameSize =3D (UINT32)StrLen (VariableName); > > > > > > > > > > - CertDataSize =3D sizeof (Sha256Digest); > > > > > > > > > > + CertDataSize =3D DigestSize; > > > > > > > > > > CertNodeSize =3D sizeof (AUTH_CERT_DB_DATA) + > > (UINT32)CertDataSize + > > > > > NameSize * sizeof (CHAR16); > > > > > > > > > > NewCertDbSize =3D (UINT32)DataSize + CertNodeSize; > > > > > > > > > > if (NewCertDbSize > mMaxCertDbSize) { > > > > > > > > > > return EFI_OUT_OF_RESOURCES; > > > > > > > > > > } > > > > > > > > > > > > > > > > > > > > - Status =3D CalculatePrivAuthVarSignChainSHA256Digest ( > > > > > > > > > > - SignerCert, > > > > > > > > > > - SignerCertSize, > > > > > > > > > > - TopLevelCert, > > > > > > > > > > - TopLevelCertSize, > > > > > > > > > > - Sha256Digest > > > > > > > > > > - ); > > > > > > > > > > + if (DigestSize =3D=3D SHA256_DIGEST_SIZE) { > > > > > > > > > > + Status =3D CalculatePrivAuthVarSignChainSHA256Digest ( > > > > > > > > > > + SignerCert, > > > > > > > > > > + SignerCertSize, > > > > > > > > > > + TopLevelCert, > > > > > > > > > > + TopLevelCertSize, > > > > > > > > > > + ShaDigest > > > > > > > > > > + ); > > > > > > > > > > + } else if (DigestSize =3D=3D SHA384_DIGEST_SIZE) { > > > > > > > > > > + Status =3D CalculatePrivAuthVarSignChainSHA384Digest ( > > > > > > > > > > + SignerCert, > > > > > > > > > > + SignerCertSize, > > > > > > > > > > + TopLevelCert, > > > > > > > > > > + TopLevelCertSize, > > > > > > > > > > + ShaDigest > > > > > > > > > > + ); > > > > > > > > > > + } else if (DigestSize =3D=3D SHA512_DIGEST_SIZE) { > > > > > > > > > > + Status =3D CalculatePrivAuthVarSignChainSHA512Digest ( > > > > > > > > > > + SignerCert, > > > > > > > > > > + SignerCertSize, > > > > > > > > > > + TopLevelCert, > > > > > > > > > > + TopLevelCertSize, > > > > > > > > > > + 
ShaDigest > > > > > > > > > > + ); > > > > > > > > > > + } else { > > > > > > > > > > + return EFI_UNSUPPORTED; > > > > > > > > > > + } > > > > > > > > > > + > > > > > > > > > > if (EFI_ERROR (Status)) { > > > > > > > > > > return Status; > > > > > > > > > > } > > > > > > > > > > @@ -1663,7 +1858,7 @@ InsertCertsToDb ( > > > > > > > > > > > > > > > CopyMem ( > > > > > > > > > > (UINT8 *)Ptr + sizeof (AUTH_CERT_DB_DATA) + NameSize * size= of > > > > > (CHAR16), > > > > > > > > > > - Sha256Digest, > > > > > > > > > > + ShaDigest, > > > > > > > > > > CertDataSize > > > > > > > > > > ); > > > > > > > > > > > > > > > > > > > > @@ -1857,7 +2052,7 @@ VerifyTimeBasedPayload ( > > > > > UINTN CertStackSize; > > > > > > > > > > UINT8 *CertsInCertDb; > > > > > > > > > > UINT32 CertsSizeinDb; > > > > > > > > > > - UINT8 Sha256Digest[SHA256_DIGEST_SIZE= ]; > > > > > > > > > > + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; > > > > > > > > > > EFI_CERT_DATA *CertDataPtr; > > > > > > > > > > > > > > > > > > > > // > > > > > > > > > > @@ -1928,7 +2123,7 @@ VerifyTimeBasedPayload ( > > > > > > > > > > > > > > > // > > > > > > > > > > // SignedData.digestAlgorithms shall contain the digest algori= thm > > > > > used when preparing the > > > > > > > > > > - // signature. Only a digest algorithm of SHA-256 is accepted. > > > > > > > > > > + // signature. Only a digest algorithm of SHA-256, SHA-384 or > > > > > + SHA-512 is > > > > > accepted. > > > > > > > > > > // > > > > > > > > > > // According to PKCS#7 Definition (https://www.rfc- > > > > editor.org/rfc/rfc2315): > > > > > > > > > > // SignedData ::=3D SEQUENCE { 
> > > > > > > > > > @@ -1978,7 +2173,19 @@ VerifyTimeBasedPayload ( > > > > > || (CompareMem (SigData + 13, &mSha256OidValue, siz= eof > > > > > (mSha256OidValue)) !=3D 0))) > > > > > > > > > > && ( (SigDataSize >=3D (32 + sizeof (mSha256OidValue))) > > > > > > > > > > && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) !=3D > > > > > TWO_BYTE_ENCODE) > > > > > > > > > > - || (CompareMem (SigData + 32, &mSha256OidValue, siz= eof > > > > > (mSha256OidValue)) !=3D 0)))) > > > > > > > > > > + || (CompareMem (SigData + 32, &mSha256OidValue, siz= eof > > > > > (mSha256OidValue)) !=3D 0))) > > > > > > > > > > + && ( (SigDataSize >=3D (13 + sizeof (mSha384OidValue))) > > > > > > > > > > + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) !=3D > > > > > + TWO_BYTE_ENCODE) > > > > > > > > > > + || (CompareMem (SigData + 13, &mSha384OidValue, siz= eof > > > > > (mSha384OidValue)) !=3D 0))) > > > > > > > > > > + && ( (SigDataSize >=3D (32 + sizeof (mSha384OidValue))) > > > > > > > > > > + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) !=3D > > > > > + TWO_BYTE_ENCODE) > > > > > > > > > > + || (CompareMem (SigData + 32, &mSha384OidValue, siz= eof > > > > > (mSha384OidValue)) !=3D 0))) > > > > > > > > > > + && ( (SigDataSize >=3D (13 + sizeof (mSha512OidValue))) > > > > > > > > > > + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) !=3D > > > > > + TWO_BYTE_ENCODE) > > > > > > > > > > + || (CompareMem (SigData + 13, &mSha512OidValue, siz= eof > > > > > (mSha512OidValue)) !=3D 0))) > > > > > > > > > > + && ( (SigDataSize >=3D (32 + sizeof (mSha512OidValue))) > > > > > > > > > > + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) !=3D > > > > > + TWO_BYTE_ENCODE) > > > > > > > > > > + || (CompareMem (SigData + 32, &mSha512OidValue, siz= eof > > > > > (mSha512OidValue)) !=3D 0)))) > > > > > > > > > > { > > > > > > > > > > return EFI_SECURITY_VIOLATION; > > > > > > > > > > } 
> > > > > > > > > > @@ -2180,9 +2387,39 @@ VerifyTimeBasedPayload ( > > > > > ReadUnaligned32 ((UINT32 > > > > > *)&(CertDataPtr->CertDataLength)), > > > > > > > > > > TopLevelCert, > > > > > > > > > > TopLevelCertSize, > > > > > > > > > > - Sha256Digest > > > > > > > > > > + ShaDigest > > > > > > > > > > + ); > > > > > > > > > > + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, > > > > > + CertsInCertDb, > > > > > CertsSizeinDb) !=3D 0)) { > > > > > > > > > > + goto Exit; > > > > > > > > > > + } > > > > > > > > > > + } else if (CertsSizeinDb =3D=3D SHA384_DIGEST_SIZE) { > > > > > > > > > > + // > > > > > > > > > > + // Check hash of signer cert CommonName + Top-level issu= er > > > > > tbsCertificate against data in CertDb > > > > > > > > > > + // > > > > > > > > > > + CertDataPtr =3D (EFI_CERT_DATA *)(SignerCerts + 1); > > > > > > > > > > + Status =3D CalculatePrivAuthVarSignChainSHA384Diges= t ( > > > > > > > > > > + CertDataPtr->CertDataBuffer, > > > > > > > > > > + ReadUnaligned32 ((UINT32 > > > > > + *)&(CertDataPtr->CertDataLength)), > > > > > > > > > > + TopLevelCert, > > > > > > > > > > + TopLevelCertSize, > > > > > > > > > > + ShaDigest > > > > > > > > > > + ); > > > > > > > > > > + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, > > > > > + CertsInCertDb, > > > > > CertsSizeinDb) !=3D 0)) { > > > > > > > > > > + goto Exit; > > > > > > > > > > + } > > > > > > > > > > + } else if (CertsSizeinDb =3D=3D SHA512_DIGEST_SIZE) { > > > > > > > > > > + // > > > > > > > > > > + // Check hash of signer cert CommonName + Top-level issu= er > > > > > tbsCertificate against data in CertDb > > > > > > > > > > + // > > > > > > > > > > + CertDataPtr =3D (EFI_CERT_DATA *)(SignerCerts + 1); > > > > > > > > > > + Status =3D CalculatePrivAuthVarSignChainSHA512Diges= t ( > > > > > > > > > > + CertDataPtr->CertDataBuffer, > > > > > > > > > > + ReadUnaligned32 ((UINT32 > > > > > + *)&(CertDataPtr->CertDataLength)), > > > > > > > > > > + TopLevelCert, > > > > > > > > > > + 
TopLevelCertSize, > > > > > > > > > > + ShaDigest > > > > > > > > > > ); > > > > > > > > > > - if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, > > > > CertsInCertDb, > > > > > CertsSizeinDb) !=3D 0)) { > > > > > > > > > > + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, > > > > > + CertsInCertDb, > > > > > CertsSizeinDb) !=3D 0)) { > > > > > > > > > > goto Exit; > > > > > > > > > > } > > > > > > > > > > } else { > > > > > > > > > > @@ -2221,7 +2458,8 @@ VerifyTimeBasedPayload ( > > > > > CertDataPtr->CertDataBuffer, > > > > > > > > > > ReadUnaligned32 ((UINT32 > > > > > *)&(CertDataPtr->CertDataLength)), > > > > > > > > > > TopLevelCert, > > > > > > > > > > - TopLevelCertSize > > > > > > > > > > + TopLevelCertSize, > > > > > > > > > > + CertsSizeinDb > > > > > > > > > > ); > > > > > > > > > > if (EFI_ERROR (Status)) { > > > > > > > > > > VerifyStatus =3D FALSE; > > > > > > > > > > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.= c > > > > > b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > > > > > index dc61ae840c..552c0e99be 100644 > > > > > --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > > > > > +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > > > > > @@ -26,7 +26,7 @@ UINT32 mMaxCertDbSize; > > > > > UINT32 mPlatformMode; > > > > > > > > > > UINT8 mVendorKeyState; > > > > > > > > > > > > > > > > > > > > -EFI_GUID mSignatureSupport[] =3D { EFI_CERT_SHA1_GUID, > > > > > EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, > > > > EFI_CERT_X509_GUID }; > > > > > > > > > > +EFI_GUID mSignatureSupport[] =3D { EFI_CERT_SHA1_GUID, > > > > > EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, > > > > EFI_CERT_SHA512_GUID, > > > > > EFI_CERT_RSA2048_GUID, EFI_CERT_RSA3072_GUID, > > > > EFI_CERT_RSA4096_GUID, > > > > > EFI_CERT_X509_GUID }; > > > > > > > > > > > > > > > > > > > > // > > > > > > > > > > // Hash context pointer 
> > > > > > > > > > @@ -135,7 +135,7 @@ AuthVariableLibInitialize ( > > > > > // > > > > > > > > > > // Initialize hash context. > > > > > > > > > > // > > > > > > > > > > - CtxSize =3D Sha256GetContextSize (); > > > > > > > > > > + CtxSize =3D Sha512GetContextSize (); > > > > > > > > > > mHashCtx =3D AllocateRuntimePool (CtxSize); > > > > > > > > > > if (mHashCtx =3D=3D NULL) { > > > > > > > > > > return EFI_OUT_OF_RESOURCES; > > > > > > > > > > diff --git > > > > > > > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib. > > > > > c > > > > > > > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib. > > > > > c > > > > > index 66e2f5eaa3..f642aad64d 100644 > > > > > --- > > > > > > > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib. > > > > > c > > > > > +++ > > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerification > > > > > +++ Lib.c 
> > > > > @@ -1606,6 +1606,35 @@ Done: > > > > > return VerifyStatus; > > > > > > > > > > } > > > > > > > > > > > > > > > > > > > > +/** > > > > > > > > > > + Get Hash Alg by PcdSecureBootDefaultHashAlg > > > > > > > > > > + > > > > > > > > > > + @retval UINT32 Hash Alg > > > > > > > > > > + **/ > > > > > > > > > > +UINT32 > > > > > > > > > > +GetDefaultHashAlg ( > > > > > > > > > > + VOID > > > > > > > > > > + ) > > > > > > > > > > +{ > > > > > > > > > > + UINT32 HashAlg; > > > > > > > > > > + > > > > > > > > > > + switch (PcdGet8 (PcdSecureBootDefaultHashAlg)) { > > > > > > > > > > + case 1: > > > > > > > > > > + DEBUG ((DEBUG_INFO, "%a use SHA384", __func__)); > > > > > > > > > > + HashAlg =3D HASHALG_SHA384; > > > > > > > > > > + break; > > > > > > > > > > + case 2: > > > > > > > > > > + DEBUG ((DEBUG_INFO, "%a use SHA512", __func__)); > > > > > > > > > > + HashAlg =3D HASHALG_SHA512; > > > > > > > > > > + break; > > > > > > > > > > + default: > > > > > > > > > > + DEBUG ((DEBUG_INFO, "%a use SHA256", __func__)); > > > > > > > > > > + HashAlg =3D HASHALG_SHA256; > > > > > > > > > > + break; > > > > > > > > > > + } > > > > > > > > > > + return HashAlg; > > > > > > > > > > +} > > > > > > > > > > + > > > > > > > > > > /** > > > > > > > > > > Provide verification service for signed images, which include = both > > > > > signature validation > > > > > > > > > > and platform policy control. For signature types, both UEFI > > > > > WIN_CERTIFICATE_UEFI_GUID and 
> > > > > > > > > > @@ -1620,7 +1649,7 @@ Done: > > > > > in the security database "db", and no valid signature nor = any > > > > > hash value of the image may > > > > > > > > > > be reflected in the security database "dbx". > > > > > > > > > > Otherwise, the image is not signed, > > > > > > > > > > - The SHA256 hash value of the image must match a record in = the > > > > security > > > > > database "db", and > > > > > > > > > > + The hash value of the image must match a record in the sec= urity > > > > > + database > > > > > "db", and > > > > > > > > > > not be reflected in the security data base "dbx". > > > > > > > > > > > > > > > > > > > > Caution: This function may receive untrusted input. > > > > > > > > > > @@ -1832,10 +1861,10 @@ DxeImageVerificationHandler ( > > > > > // > > > > > > > > > > if ((SecDataDir =3D=3D NULL) || (SecDataDir->Size =3D=3D 0)) { > > > > > > > > > > // > > > > > > > > > > - // This image is not signed. The SHA256 hash value of the im= age must > > > > match > > > > > a record in the security database "db", > > > > > > > > > > + // This image is not signed. The hash value of the image mus= t > > > > > + match a record > > > > > in the security database "db", > > > > > > > > > > // and not be reflected in the security data base "dbx". > > > > > > > > > > // > > > > > > > > > > - if (!HashPeImage (HASHALG_SHA256)) { > > > > > > > > > > + if (!HashPeImage (GetDefaultHashAlg ())) { > > > > > > > > > > DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to ha= sh > > > > > this image using %s.\n", mHashTypeStr)); > > > > > > > > > > goto Failed; > > > > > > > > > > } 
> > > > > > > > > > diff --git > > > > > > > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib. > > > > > inf > > > > > > > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib. > > > > > inf > > > > > index 1e1a639857..f1ef9236c2 100644 > > > > > --- > > > > > > > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib. > > > > > inf > > > > > +++ > > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerification > > > > > +++ Lib.inf > > > > > @@ -93,3 +93,4 @@ > > > > > > > gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy > > > > > ## SOMETIMES_CONSUMES > > > > > > > > > > > > > > > > > > > > > gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolic > > > > y > > > > > ## SOMETIMES_CONSUMES > > > > > > > > > > > > gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy > > > > ## > > > > > SOMETIMES_CONSUMES > > > > > > > > > > + gEfiSecurityPkgTokenSpaceGuid.PcdSecureBootDefaultHashAlg > > > > ## > > > > > CONSUMES > > > > > > > > > > diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPk= g.dec > > > > > index 0382090f4e..4adc2a72ab 100644 > > > > > --- a/SecurityPkg/SecurityPkg.dec > > > > > +++ b/SecurityPkg/SecurityPkg.dec 
> > > > > @@ -521,6 +521,13 @@ > > > > > # @Prompt Skip Hdd Password prompt. > > > > > > > > > > > > > > > > > > > > > gEfiSecurityPkgTokenSpaceGuid.PcdSkipHddPasswordPrompt|FALSE|BOOLE > > > > AN| > > > > > 0x00010021 > > > > > > > > > > > > > > > > > > > > + ## Indicates default hash algorithm in Secure Boot > > > > > > > > > > + # 0 - Use SHA256 > > > > > > > > > > + # 1 - Use SHA384 > > > > > > > > > > + # 2 - Use SHA512 > > > > > > > > > > + # @Prompt Secure Boot default hash algorithm > > > > > > > > > > + > > > > > > > > > > > gEfiSecurityPkgTokenSpaceGuid.PcdSecureBootDefaultHashAlg|0|UINT8|0x > > > > 00 > > > > > 0 > > > > > 10040 > > > > > > > > > > + > > > > > > > > > > [PcdsDynamic, PcdsDynamicEx] > > > > > > > > > > > > > > > > > > > > ## This PCD indicates Hash mask for TPM 2.0. Bit definition > > > > > strictly follows TCG Algorithm Registry.

> > > > > > > > > > diff --git > > > > > > > > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > > > f > > > > > ig > > > > > Dxe.inf > > > > > > > > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > > > f > > > > > ig > > > > > Dxe.inf > > > > > index 1671d5be7c..4b0012d033 100644 > > > > > --- > > > > > > > > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > > > f > > > > > ig > > > > > Dxe.inf > > > > > +++ > > > > > > > > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > > > f > > > > > ig > > > > > Dxe.inf > > > > > @@ -70,6 +70,14 @@ > > > > > ## SOMETIMES_PRODUCES ## GUID # Unique ID for = the type > > of > > > > the > > > > > signature. > > > > > > > > > > gEfiCertRsa2048Guid > > > > > > > > > > > > > > > > > > > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for = the > > type of > > > > the > > > > > signature. > > > > > > > > > > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for = the type > > of > > > > the > > > > > signature. > > > > > > > > > > + gEfiCertRsa3072Guid > > > > > > > > > > + > > > > > > > > > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for = the > > type of > > > > the > > > > > signature. > > > > > > > > > > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for = the type > > of > > > > the > > > > > signature. > > > > > > > > > > + gEfiCertRsa4096Guid > > > > > > > > > > + > > > > > > > > > > ## SOMETIMES_CONSUMES ## GUID # Unique ID for = the type > > of > > > > the > > > > > signature. > > > > > > > > > > ## SOMETIMES_PRODUCES ## GUID # Unique ID for = the type > > of > > > > the > > > > > signature. > > > > > > > > > > gEfiCertX509Guid 
> > > > > > > > > > @@ -82,6 +90,14 @@ > > > > > ## SOMETIMES_PRODUCES ## GUID # Unique ID for = the type > > of > > > > the > > > > > signature. > > > > > > > > > > gEfiCertSha256Guid > > > > > > > > > > > > > > > > > > > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for = the > > type of > > > > the > > > > > signature. > > > > > > > > > > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for = the type > > of > > > > the > > > > > signature. > > > > > > > > > > + gEfiCertSha384Guid > > > > > > > > > > + > > > > > > > > > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for = the > > type of > > > > the > > > > > signature. > > > > > > > > > > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for = the type > > of > > > > the > > > > > signature. > > > > > > > > > > + gEfiCertSha512Guid > > > > > > > > > > + > > > > > > > > > > ## SOMETIMES_CONSUMES ## Variable:L"db" > > > > > > > > > > ## SOMETIMES_PRODUCES ## Variable:L"db" > > > > > > > > > > ## SOMETIMES_CONSUMES ## Variable:L"dbx" > > > > > > > > > > @@ -107,6 +123,9 @@ > > > > > gEfiCertX509Sha384Guid ## SOMETIMES_PRO= DUCES ## > > GUID > > > > # > > > > > Unique ID for the type of the certificate. > > > > > > > > > > gEfiCertX509Sha512Guid ## SOMETIMES_PRO= DUCES ## > > GUID > > > > # > > > > > Unique ID for the type of the certificate. > > > > > > > > > > > > > > > > > > > > +[Pcd] > > > > > > > > > > + gEfiSecurityPkgTokenSpaceGuid.PcdSecureBootDefaultHashAlg > > > > ## > > > > > CONSUMES > > > > > > > > > > + > > > > > > > > > > [Protocols] > > > > > > > > > > gEfiHiiConfigAccessProtocolGuid ## PRODUCES > > > > > > > > > > gEfiDevicePathProtocolGuid ## PRODUCES 
> > > > > > > > > > diff --git > > > > > > > > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > > > f > > > > > igI > > > > > mpl.c > > > > > > > > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > > > f > > > > > igI > > > > > mpl.c > > > > > index 4299a6b5e5..0ba029a394 100644 > > > > > --- > > > > > > > > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > > > f > > > > > igI > > > > > mpl.c > > > > > +++ > > > > > > > > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > > > f > > > > > igI > > > > > mpl.c > > > > > @@ -560,7 +560,7 @@ ON_EXIT: > > > > > > > > > > > > > > > **/ > > > > > > > > > > EFI_STATUS > > > > > > > > > > -EnrollRsa2048ToKek ( > > > > > > > > > > +EnrollRsaToKek ( > > > > > > > > > > IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private > > > > > > > > > > ) > > > > > > > > > > { > > > > > > > > > > @@ -603,8 +603,13 @@ EnrollRsa2048ToKek ( > > > > > > > > > > > > > > > ASSERT (KeyBlob !=3D NULL); > > > > > > > > > > KeyInfo =3D (CPL_KEY_INFO *)KeyBlob; > > > > > > > > > > - if (KeyInfo->KeyLengthInBits / 8 !=3D WIN_CERT_UEFI_RSA2048_SI= ZE) { > > > > > > > > > > - DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 i= s > > > > > supported.\n")); > > > > > > > > > > + switch (KeyInfo->KeyLengthInBits / 8) { > > > > > > > > > > + case WIN_CERT_UEFI_RSA2048_SIZE: > > > > > > > > > > + case WIN_CERT_UEFI_RSA3072_SIZE: > > > > > > > > > > + case WIN_CERT_UEFI_RSA4096_SIZE: > > > > > > > > > > + break; > > > > > > > > > > + default : > > > > > > > > > > + DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048, > > > > > + RSA3072 > > > > > and RSA4096 are supported.\n")); > > > > > > > > > > Status =3D EFI_UNSUPPORTED; > > > > > > > > > > goto ON_EXIT; > > > > > > > > > > } 
> > > > > > > > > > @@ -632,7 +637,7 @@ EnrollRsa2048ToKek ( > > > > > // > > > > > > > > > > KekSigListSize =3D sizeof (EFI_SIGNATURE_LIST) > > > > > > > > > > + sizeof (EFI_SIGNATURE_DATA) - 1 > > > > > > > > > > - + WIN_CERT_UEFI_RSA2048_SIZE; > > > > > > > > > > + + KeyLenInBytes; > > > > > > > > > > > > > > > > > > > > KekSigList =3D (EFI_SIGNATURE_LIST *)AllocateZeroPool > > > > > (KekSigListSize); > > > > > > > > > > if (KekSigList =3D=3D NULL) { 
> > > > > > > > > > @@ -642,17 +647,32 @@ EnrollRsa2048ToKek ( > > > > > > > > > > > > > > > KekSigList->SignatureListSize =3D sizeof (EFI_SIGNATURE_LIST) > > > > > > > > > > + sizeof (EFI_SIGNATURE_DATA) = - 1 > > > > > > > > > > - + WIN_CERT_UEFI_RSA2048_SIZE; > > > > > > > > > > + + (UINT32) KeyLenInBytes; > > > > > > > > > > KekSigList->SignatureHeaderSize =3D 0; > > > > > > > > > > - KekSigList->SignatureSize =3D sizeof (EFI_SIGNATURE_DATA= ) - 1 + > > > > > WIN_CERT_UEFI_RSA2048_SIZE; > > > > > > > > > > - CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); > > > > > > > > > > + KekSigList->SignatureSize =3D sizeof (EFI_SIGNATURE_DATA= ) - 1 + > > > > (UINT32) > > > > > KeyLenInBytes; > > > > > > > > > > + switch (KeyLenInBytes) { > > > > > > > > > > + case WIN_CERT_UEFI_RSA2048_SIZE: > > > > > > > > > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); > > > > > > > > > > + break; > > > > > > > > > > + case WIN_CERT_UEFI_RSA3072_SIZE: > > > > > > > > > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid); > > > > > > > > > > + break; > > > > > > > > > > + case WIN_CERT_UEFI_RSA4096_SIZE: > > > > > > > > > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid); > > > > > > > > > > + break; > > > > > > > > > > + break; > > > > > > > > > > + default : > > > > > > > > > > + DEBUG ((DEBUG_ERROR, "Unsupported key length.\n")); > > > > > > > > > > + Status =3D EFI_UNSUPPORTED; > > > > > > > > > > + goto ON_EXIT; > > > > > > > > > > + } > > > > > > > > > > > > > > > > > > > > KEKSigData =3D (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + si= zeof > > > > > (EFI_SIGNATURE_LIST)); > > > > > > > > > > CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID)= ; > > > > > > > > > > CopyMem ( > > > > > > > > > > KEKSigData->SignatureData, > > > > > > > > > > KeyBlob + sizeof (CPL_KEY_INFO), > > > > > > > > > > - WIN_CERT_UEFI_RSA2048_SIZE > > > > > > > > > > + KeyLenInBytes > > > > > > > > > > ); > > > > > > > > > > > > > > > > 
> > > > // > > > > > > > > > > @@ -890,7 +910,7 @@ EnrollKeyExchangeKey ( > > > > > if (IsDerEncodeCertificate (FilePostFix)) { > > > > > > > > > > return EnrollX509ToKek (Private); > > > > > > > > > > } else if (CompareMem (FilePostFix, L".pbk", 4) =3D=3D 0) { > > > > > > > > > > - return EnrollRsa2048ToKek (Private); > > > > > > > > > > + return EnrollRsaToKek (Private); > > > > > > > > > > } else { > > > > > > > > > > // > > > > > > > > > > // File type is wrong, simply close it > > > > > > > > > > @@ -1847,7 +1867,7 @@ HashPeImage ( > > > > > SectionHeader =3D NULL; > > > > > > > > > > Status =3D FALSE; > > > > > > > > > > > > > > > > > > > > - if (HashAlg !=3D HASHALG_SHA256) { > > > > > > > > > > + if ((HashAlg >=3D HASHALG_MAX)) { > > > > > > > > > > return FALSE; > > > > > > > > > > } > > > > > > > > > > > > > > > > > > > > @@ -1856,8 +1876,25 @@ HashPeImage ( > > > > > // > > > > > > > > > > ZeroMem (mImageDigest, MAX_DIGEST_SIZE); > > > > > > > > > > > > > > > > > > > > - mImageDigestSize =3D SHA256_DIGEST_SIZE; > > > > > > > > > > - mCertType =3D gEfiCertSha256Guid; > > > > > > > > > > + switch (HashAlg) { > > > > > > > > > > + case HASHALG_SHA256: > > > > > > > > > > + mImageDigestSize =3D SHA256_DIGEST_SIZE; > > > > > > > > > > + mCertType =3D gEfiCertSha256Guid; > > > > > > > > > > + break; > > > > > > > > > > + > > > > > > > > > > + case HASHALG_SHA384: > > > > > > > > > > + mImageDigestSize =3D SHA384_DIGEST_SIZE; > > > > > > > > > > + mCertType =3D gEfiCertSha384Guid; > > > > > > > > > > + break; > > > > > > > > > > + > > > > > > > > > > + case HASHALG_SHA512: > > > > > > > > > > + mImageDigestSize =3D SHA512_DIGEST_SIZE; > > > > > > > > > > + mCertType =3D gEfiCertSha512Guid; > > > > > > > > > > + break; > > > > > > > > > > + > > > > > > > > > > + default: > > > > > > > > > > + return FALSE; > > > > > > > > > > + } > > > > > > > > > > > > > > > > > > > > CtxSize =3D mHash[HashAlg].GetContextSize (); > > > > > > > > > > 
> > > > > > > > > > @@ -2222,6 +2259,35 @@ ON_EXIT: > > > > > return Status; > > > > > > > > > > } > > > > > > > > > > > > > > > > > > > > +/** > > > > > > > > > > + Get Hash Alg by PcdSecureBootDefaultHashAlg > > > > > > > > > > + > > > > > > > > > > + @retval UINT32 Hash Alg > > > > > > > > > > + **/ > > > > > > > > > > +UINT32 > > > > > > > > > > +GetDefaultHashAlg ( > > > > > > > > > > + VOID > > > > > > > > > > + ) > > > > > > > > > > +{ > > > > > > > > > > + UINT32 HashAlg; > > > > > > > > > > + > > > > > > > > > > + switch (PcdGet8 (PcdSecureBootDefaultHashAlg)) { > > > > > > > > > > + case 1: > > > > > > > > > > + DEBUG ((DEBUG_INFO, "%a use SHA384", __func__)); > > > > > > > > > > + HashAlg =3D HASHALG_SHA384; > > > > > > > > > > + break; > > > > > > > > > > + case 2: > > > > > > > > > > + DEBUG ((DEBUG_INFO, "%a use SHA512", __func__)); > > > > > > > > > > + HashAlg =3D HASHALG_SHA512; > > > > > > > > > > + break; > > > > > > > > > > + default: > > > > > > > > > > + DEBUG ((DEBUG_INFO, "%a use SHA256", __func__)); > > > > > > > > > > + HashAlg =3D HASHALG_SHA256; > > > > > > > > > > + break; > > > > > > > > > > + } > > > > > > > > > > + return HashAlg; > > > > > > > > > > +} > > > > > > > > > > + > > > > > > > > > > /** > > > > > > > > > > Enroll a new signature of executable into Signature Database. > > > > > > > > > > > > > > > > > > > > @@ -2289,7 +2355,7 @@ EnrollImageSignatureToSigDB ( > > > > > } > > > > > > > > > > > > > > > > > > > > if (mSecDataDir->SizeOfCert =3D=3D 0) { > > > > > > > > > > - if (!HashPeImage (HASHALG_SHA256)) { > > > > > > > > > > + if (!HashPeImage (GetDefaultHashAlg ())) { > > > > > > > > > > Status =3D EFI_SECURITY_VIOLATION; > > > > > > > > > > goto ON_EXIT; > > > > > > > > > > } 
> > > > > > > > > > @@ -2589,6 +2655,10 @@ UpdateDeletePage ( > > > > > while ((ItemDataSize > 0) && (ItemDataSize >=3D > > > > > CertList->SignatureListSize)) { > > > > > > > > > > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048G= uid)) > > > > > { > > > > > > > > > > Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID); > > > > > > > > > > + } else if (CompareGuid (&CertList->SignatureType, > > > > > + &gEfiCertRsa3072Guid)) { > > > > > > > > > > + Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA3072_SHA384_GUID); > > > > > > > > > > + } else if (CompareGuid (&CertList->SignatureType, > > > > > + &gEfiCertRsa4096Guid)) { > > > > > > > > > > + Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA4096_SHA512_GUID); > > > > > > > > > > } else if (CompareGuid (&CertList->SignatureType, > > > > > &gEfiCertX509Guid)) { > > > > > > > > > > Help =3D STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID); > > > > > > > > > > } else if (CompareGuid (&CertList->SignatureType, > > > > > &gEfiCertSha1Guid)) { > > > > > > > > > > @@ -2750,6 +2820,8 @@ DeleteKeyExchangeKey ( > > > > > GuidIndex =3D 0; > > > > > > > > > > while ((KekDataSize > 0) && (KekDataSize >=3D > > > > > CertList->SignatureListSize)) { > > > > > > > > > > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048G= uid) > > > > > || > > > > > > > > > > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072G= uid) > > > > > + || > > > > > > > > > > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096G= uid) > > > > > + || > > > > > > > > > > CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid= )) > > > > > > > > > > { > > > > > > > > > > CopyMem (Data + Offset, CertList, (sizeof (EFI_SIGNATURE_L= IST) > > > > > + CertList- > > > > > >SignatureHeaderSize)); 
> > > > > > > > > > @@ -2952,6 +3024,8 @@ DeleteSignature ( > > > > > GuidIndex =3D 0; > > > > > > > > > > while ((ItemDataSize > 0) && (ItemDataSize >=3D > > > > > CertList->SignatureListSize)) { > > > > > > > > > > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048G= uid) > > > > > || > > > > > > > > > > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072G= uid) > > > > > + || > > > > > > > > > > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096G= uid) > > > > > + || > > > > > > > > > > CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid= ) || > > > > > > > > > > CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid= ) || > > > > > > > > > > CompareGuid (&CertList->SignatureType, &gEfiCertSha256Gu= id) > > > > > || 
> > > > > > > > > > @@ -3758,12 +3832,20 @@ LoadSignatureList ( > > > > > while ((RemainingSize > 0) && (RemainingSize >=3D > > > > > ListWalker->SignatureListSize)) { > > > > > > > > > > if (CompareGuid (&ListWalker->SignatureType, > > > > > &gEfiCertRsa2048Guid)) { > > > > > > > > > > ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256); > > > > > > > > > > + } else if (CompareGuid (&ListWalker->SignatureType, > > > > > + &gEfiCertRsa3072Guid)) > > > > > { > > > > > > > > > > + ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384); > > > > > > > > > > + } else if (CompareGuid (&ListWalker->SignatureType, > > > > > + &gEfiCertRsa4096Guid)) > > > > > { > > > > > > > > > > + ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512); > > > > > > > > > > } else if (CompareGuid (&ListWalker->SignatureType, > > > > > &gEfiCertX509Guid)) { > > > > > > > > > > ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509); > > > > > > > > > > } else if (CompareGuid (&ListWalker->SignatureType, > > > > > &gEfiCertSha1Guid)) { > > > > > > > > > > ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA1); > > > > > > > > > > } else if (CompareGuid (&ListWalker->SignatureType, > > > > > &gEfiCertSha256Guid)) { > > > > > > > > > > ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA256); > > > > > > > > > > + } else if (CompareGuid (&ListWalker->SignatureType, > > > > > + &gEfiCertSha384Guid)) > > > > > { > > > > > > > > > > + ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA384); > > > > > > > > > > + } else if (CompareGuid (&ListWalker->SignatureType, > > > > > + &gEfiCertSha512Guid)) > > > > > { > > > > > > > > > > + ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA512); > > > > > > > > > > } else if (CompareGuid (&ListWalker->SignatureType, > > > > > &gEfiCertX509Sha256Guid)) { > > > > > > > > > > ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); > > > > > > > > > > } else if (CompareGuid (&ListWalker->SignatureType, > > > > > &gEfiCertX509Sha384Guid)) { 
> > > > > > > > > > @@ -4001,6 +4083,14 @@ FormatHelpInfo ( > > > > > ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256); > > > > > > > > > > DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); > > > > > > > > > > IsCert =3D TRUE; > > > > > > > > > > + } else if (CompareGuid (&ListEntry->SignatureType, > > > > > + &gEfiCertRsa3072Guid)) { > > > > > > > > > > + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384); > > > > > > > > > > + DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); > > > > > > > > > > + IsCert =3D TRUE; > > > > > > > > > > + } else if (CompareGuid (&ListEntry->SignatureType, > > > > > + &gEfiCertRsa4096Guid)) { > > > > > > > > > > + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512); > > > > > > > > > > + DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); > > > > > > > > > > + IsCert =3D TRUE; > > > > > > > > > > } else if (CompareGuid (&ListEntry->SignatureType, > > > > > &gEfiCertX509Guid)) { > > > > > > > > > > ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_X509); > > > > > > > > > > DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); 
> > > > > > > > > > @@ -4011,6 +4101,12 @@ FormatHelpInfo ( > > > > > } else if (CompareGuid (&ListEntry->SignatureType, > > > > > &gEfiCertSha256Guid)) { > > > > > > > > > > ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA256); > > > > > > > > > > DataSize =3D 32; > > > > > > > > > > + } else if (CompareGuid (&ListEntry->SignatureType, > > > > > + &gEfiCertSha384Guid)) { > > > > > > > > > > + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA384); > > > > > > > > > > + DataSize =3D 48; > > > > > > > > > > + } else if (CompareGuid (&ListEntry->SignatureType, > > > > > + &gEfiCertSha512Guid)) { > > > > > > > > > > + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA512); > > > > > > > > > > + DataSize =3D 64; > > > > > > > > > > } else if (CompareGuid (&ListEntry->SignatureType, > > > > > &gEfiCertX509Sha256Guid)) { > > > > > > > > > > ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); > > > > > > > > > > DataSize =3D 32; > > > > > > > > > > diff --git > > > > > > > > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > > > f > > > > > igI > > > > > mpl.h > > > > > > > > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > > > f > > > > > igI > > > > > mpl.h > > > > > index 37c66f1b95..ae50d929a7 100644 > > > > > --- > > > > > > > > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > > > f > > > > > igI > > > > > mpl.h > > > > > +++ > > > > > > > > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > > > f > > > > > igI > > > > > mpl.h > > > > > @@ -82,6 +82,8 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; > > #define > > > > > MAX_DIGEST_SIZE SHA512_DIGEST_SIZE > > > > > > > > > > > > > > > > > > > > #define WIN_CERT_UEFI_RSA2048_SIZE 256 > > > > > > > > > > +#define WIN_CERT_UEFI_RSA3072_SIZE 384 > > > > > > > > > > +#define WIN_CERT_UEFI_RSA4096_SIZE 512 > > > > > > > > > > > > > > > > > > > > // > > > > > > > > > > // Support hash types 
> > > > > > > > > > diff --git > > > > > > > > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > > > f > > > > > igS > > > > > trings.uni > > > > > > > > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > > > f > > > > > igS > > > > > trings.uni > > > > > index 0d01701de7..1b48acc800 100644 > > > > > --- > > > > > > > > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > > > f > > > > > igS > > > > > trings.uni > > > > > +++ > > > > > > > > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > > > f > > > > > igS > > > > > trings.uni > > > > > @@ -113,6 +113,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > > > > > #string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP #language > > en- > > > > US > > > > > "Read the public key of KEK from file" > > > > > > > > > > #string STR_FILE_EXPLORER_TITLE #language en-U= S "File > > > > Explorer" > > > > > > > > > > #string STR_CERT_TYPE_RSA2048_SHA256_GUID #language en-U= S > > > > > "RSA2048_SHA256_GUID" > > > > > > > > > > +#string STR_CERT_TYPE_RSA3072_SHA384_GUID #language en-U= S > > > > > "RSA3072_SHA384_GUID" > > > > > > > > > > +#string STR_CERT_TYPE_RSA4096_SHA512_GUID #language en-U= S > > > > > "RSA4096_SHA512_GUID" > > > > > > > > > > #string STR_CERT_TYPE_PCKS7_GUID #language en-U= S > > > > "PKCS7_GUID" > > > > > > > > > > #string STR_CERT_TYPE_SHA1_GUID #language en-U= S > > > > "SHA1_GUID" > > > > > > > > > > #string STR_CERT_TYPE_SHA256_GUID #language en-U= S > > > > > "SHA256_GUID" 
> > > > > > > > > > @@ -121,9 +123,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > > > > > #string STR_CERT_TYPE_X509_SHA512_GUID #language en-U= S > > > > > "X509_SHA512_GUID" > > > > > > > > > > > > > > > > > > > > #string STR_LIST_TYPE_RSA2048_SHA256 #language en-U= S > > > > > "RSA2048_SHA256" > > > > > > > > > > +#string STR_LIST_TYPE_RSA3072_SHA384 #language en-U= S > > > > > "RSA3072_SHA384" > > > > > > > > > > +#string STR_LIST_TYPE_RSA4096_SHA512 #language en-U= S > > > > > "RSA4096_SHA512" > > > > > > > > > > #string STR_LIST_TYPE_X509 #language en-U= S "X509" > > > > > > > > > > #string STR_LIST_TYPE_SHA1 #language en-U= S "SHA1" > > > > > > > > > > #string STR_LIST_TYPE_SHA256 #language en-U= S "SHA256" > > > > > > > > > > +#string STR_LIST_TYPE_SHA384 #language en-U= S "SHA384" > > > > > > > > > > +#string STR_LIST_TYPE_SHA512 #language en-U= S "SHA512" > > > > > > > > > > #string STR_LIST_TYPE_X509_SHA256 #language en-U= S > > > > > "X509_SHA256" > > > > > > > > > > #string STR_LIST_TYPE_X509_SHA384 #language en-U= S > > > > > "X509_SHA384" > > > > > > > > > > #string STR_LIST_TYPE_X509_SHA512 #language en-U= S > > > > > "X509_SHA512" > > > > > > > > > > -- > > > > > 2.26.2.windows.1
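Review bot: In the UpdateDeletePage hunk (@@ -2589) the Help chain gains only the two RSA entries, while LoadSignatureList and FormatHelpInfo in the same patch learn gEfiCertSha384Guid and gEfiCertSha512Guid, and the .uni hunks add STR_LIST_TYPE_SHA384/SHA512 but no STR_CERT_TYPE_SHA384_GUID or STR_CERT_TYPE_SHA512_GUID. Check what Help is set to for a SHA384 or SHA512 signature list on the delete page; if there is no fallback for an unrecognised type, add the two cert-type strings and the matching else-if branches so the three views agree.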
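Review bot: In the DeleteKeyExchangeKey hunk (@@ -2750) the kept-types condition is now four CompareGuid calls, and DeleteSignature repeats a superset of the same list; a small helper taking the SignatureType GUID (for example an IsKekSignatureType / IsDbSignatureType pair) would keep the two filters from drifting apart the next time a key type is added. Behaviour-wise the hunk is right for KEK: only key lists (RSA2048/3072/4096 and X509) are copied back by the CopyMem into the rewritten variable.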
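Review bot: The DeleteSignature hunk header (@@ -2952,6 +3024,8) counts two added lines, both for the RSA GUIDs, and the rest of the condition below gEfiCertSha256Guid is cut off in the quote, so verify that gEfiCertSha384Guid and gEfiCertSha512Guid are, or already were, accepted here. LoadSignatureList and FormatHelpInfo now display SHA384/SHA512 entries; if this filter works like the one in DeleteKeyExchangeKey above, where only matching lists are copied into the new variable data, a type that is shown but not in the filter would be silently discarded from db/dbx when the user deletes an unrelated entry.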
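Review bot: In the LoadSignatureList hunk (@@ -3758) the GUID-to-string-token chain is now the third copy of the same mapping (UpdateDeletePage and FormatHelpInfo carry the other two), and each copy is edited separately in this patch. A single static table of {GUID pointer, list-type token, cert-type token, data size} walked by one lookup function would let a future key or hash type be added in one place; worth considering as a follow-up if it is out of scope for this patch.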
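Review bot: In the first FormatHelpInfo hunk (@@ -4001) DataSize for the new RSA branches is SignatureSize - sizeof (EFI_GUID), mirroring the RSA2048 branch, but nothing checks that the result matches the key size the header hunk introduces as WIN_CERT_UEFI_RSA3072_SIZE / WIN_CERT_UEFI_RSA4096_SIZE. A list whose SignatureSize does not fit its declared type is rendered as if it were well-formed; a sanity check against those macros here, or wherever the list is parsed, would flag a malformed db entry before it is displayed.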
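Review bot: In the second FormatHelpInfo hunk (@@ -4011) the literal DataSize values 48 and 64 should be SHA384_DIGEST_SIZE and SHA512_DIGEST_SIZE; the header already uses SHA512_DIGEST_SIZE for MAX_DIGEST_SIZE (the context line of the SecureBootConfigImpl.h hunk), so the named constants are in scope. The existing "DataSize =3D 32" for SHA256 has the same problem, but the new lines need not repeat it.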
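Review bot: The two new macros WIN_CERT_UEFI_RSA3072_SIZE and WIN_CERT_UEFI_RSA4096_SIZE in the SecureBootConfigImpl.h hunk (@@ -82) are not referenced by any hunk quoted here; if the earlier, unquoted part of the patch does not use them either, they are dead definitions and should be dropped, or put to use validating SignatureSize for the new RSA list types.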