From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by mx.groups.io with SMTP id smtpd.web10.9985.1688126200650788112 for ; Fri, 30 Jun 2023 04:56:41 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=Z3iotgWJ; spf=pass (domain: intel.com, ip: 192.55.52.115, mailfrom: jiewen.yao@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1688126200; x=1719662200; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=3dp+1lY4nQyo8K13hVV/IgMxZRmXTc2MySnNaUhUMRI=; b=Z3iotgWJb42k9FohEBjbGKGTVcVADejvcj20lCOI0sxzSNbk/gXwOcgJ AJVThch/KubdzJ3b1n4k/pG0+6lHnME9EKGWUy3BINoY8ox0f+BI/7w3f pyhxlzNFHOKmjzmb5V2TO3NeBHoJyMhRcT9flvMPQvd5q8/I9v6CoXNXH SDVKmIA1OHmWmSWzoPNmg8ClfCV2Z5H0dZf9KxE1MLWxi5jQJb1WMyFHR ly/Tbmt2HntJeyc6LvwRaZ2tsD5GTvKsiAUbMVrr8Lp+PjxOcfyVncsP3 UYB4F6RC1sBbSUkSWN2DXLff0L/xX+IV5QzW1t+M+7MuVjVjyAq5ZHC/5 w==; X-IronPort-AV: E=McAfee;i="6600,9927,10756"; a="362418671" X-IronPort-AV: E=Sophos;i="6.01,170,1684825200"; d="scan'208";a="362418671" Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jun 2023 04:56:39 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10756"; a="783056286" X-IronPort-AV: E=Sophos;i="6.01,170,1684825200"; d="scan'208";a="783056286" Received: from fmsmsx603.amr.corp.intel.com ([10.18.126.83]) by fmsmga008.fm.intel.com with ESMTP; 30 Jun 2023 04:56:39 -0700 Received: from fmsmsx610.amr.corp.intel.com (10.18.126.90) by fmsmsx603.amr.corp.intel.com (10.18.126.83) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.27; Fri, 30 Jun 2023 04:56:39 -0700 Received: from fmsmsx601.amr.corp.intel.com (10.18.126.81) by fmsmsx610.amr.corp.intel.com (10.18.126.90) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.27; Fri, 30 Jun 2023 04:56:38 -0700 Received: from fmsedg602.ED.cps.intel.com (10.1.192.136) by fmsmsx601.amr.corp.intel.com (10.18.126.81) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.27 via Frontend Transport; Fri, 30 Jun 2023 04:56:38 -0700 Received: from NAM12-DM6-obe.outbound.protection.outlook.com (104.47.59.173) by edgegateway.intel.com (192.55.55.71) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.27; Fri, 30 Jun 2023 04:56:35 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OKi3T54fX0kx842MCFSCMVdiUG/elRHwXqbO3B0qf0dnXHJmVpB7kphHqMFQ9P6JSy4YqRtDqJEc/rNU3cHB2GKqm9uZXIfwVpuR4GHDdCcx290UAR3gH8dwBrdpyGTx3W+xGSkPYNkYqWnPZsqUPW8+/y1B9xWm067cEZrWQrqanYM4k2PHhMaM27Mo+WU56M3NeuKu+lNkcoXHUpNEjTAKy5q5B/SWrOPgmNKm1PN454cLN4uJeole6xa27PDT5vceUMbNXOoVcbiCTTShGYJEoLfKbNl9Kq0F9wf4NF9uOCuW68Q1u4OdEWChvJlJNkTONZyEGJbATCgqxyTlWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=zA9/Unt5LOQaDscnICHRbio8TO0525C1IStiuW9Pu18=; b=ML9x3bhalCNXsI0kkNkqVxJtSzWej7gSB9Wpe3B2U6yIduSHTEm7aPuuGcDVajT/kSyjdadv8ZaqKMMV8459K8AxUqi7TQZvD0293td6ubdz8kXlP3Zl/nCJKxRqSZEFmXz5S087CuRRr/TCUfPIwcT0GtmBqUpJeKw/KlGeYHTMuIbev1eLTNhrXqAftSlwgBXNk7DhhhzJvEyoZCO89JVuUG3N2wG4hofX1oOp+CAIFdUWJeJVjH8fYDHEEt+jP7bAG7HfL0OjSrX4BKoOsLqOgUP9lAPzxXiw0lXnDOHkK6hUDeHNqo8PZwWMpPbGXZG+3TkhGdarxB/kKg1C1A== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none Received: from MW4PR11MB5872.namprd11.prod.outlook.com (2603:10b6:303:169::14) by MW4PR11MB5870.namprd11.prod.outlook.com (2603:10b6:303:187::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6544.19; Fri, 30 Jun 2023 11:56:31 +0000 Received: from MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::3caa:6866:1037:5388]) by MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::3caa:6866:1037:5388%7]) with mapi id 15.20.6521.024; Fri, 30 Jun 2023 11:56:31 +0000 From: "Yao, Jiewen" To: "Sheng, W" , "devel@edk2.groups.io" CC: "Wang, Jian J" , "Xu, Min M" , "Chen, Zeyi" , "Wang, Fiona" Subject: Re: [PATCH] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 Thread-Topic: [PATCH] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 Thread-Index: AQHZjskJ013VdJPEo0+BUvJoerQ0VK+WlClQgAybtrCAAEWxUA== Date: Fri, 30 Jun 2023 11:56:31 +0000 Message-ID: References: <20230525052316.512-1-w.sheng@intel.com> In-Reply-To: Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-traffictypediagnostic: MW4PR11MB5872:EE_|MW4PR11MB5870:EE_ x-ms-office365-filtering-correlation-id: aeb4459e-b2e3-4825-1d35-08db79610b72 x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: Tj4K5TRvfJ94Bc2XFqV+mHXgAB5UZrfjnxCvh4feerXFC04+9xanKv5eGWfh0C+dkT90CQKTMSrgN76TNvj0Dp/0/BRgKXO0GGxWvQ1v+nJh1EiH1gUWzduDZqdJs3zqz0G5Jf+YKpYFVDY34sg1PRKDbGRlEio6xuW99zNgNmpDAmDOJJjiuYGfN9gxu2g6dKKOL0so+3DGc2urRHazl3NVeXvGK+/x3X8ebxOqEX4DKRqac3fkvkgmWKahyZTuUUmkqUZfG/UpYRIlqpW10iOGPxdnAjIjqTszjR4VDzzG1V4Xe0QDD3YzJRqYCoIPLqEDuoJ4l6eiCo+dj2/eFRRGRMAVfKraeHW33EV3OBYSp/Ar9ijcd2V76MzLLHl+bnxvz/Zi8PjWMECosXCz2f/048vZ5pi3cmp6eCPd4CHPS5Ks60a8bi19BOPZJOEA+5MQhaYPs+mL9fcnDoLJdp/rCCKPkMeWiAqsBVMlNKHLEQzxwHQkLg3TLRokaMuh6IapqOdY1XT1zjfYSWAg143hN2n/Rqct97ffw+EuRTOMaJTW07o43II/aBKq6GGWMyKajkG1eh59Ce0axNdcTzw3Ev0mktL7Xj7wWqv800c= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MW4PR11MB5872.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230028)(396003)(136003)(366004)(346002)(39860400002)(376002)(451199021)(7696005)(966005)(478600001)(71200400001)(33656002)(26005)(9686003)(186003)(53546011)(6506007)(83380400001)(82960400001)(38100700002)(122000001)(38070700005)(86362001)(107886003)(55016003)(4326008)(64756008)(76116006)(66946007)(66556008)(66476007)(66446008)(2906002)(316002)(5660300002)(15650500001)(8936002)(8676002)(41300700001)(30864003)(52536014)(110136005)(54906003)(19627235002)(579004)(559001);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?iso-2022-jp?B?emRNQS9nSXYzQnpxNW8xOTVFU0xuMHBwc2kwV1RQOGZQWTlWVThpWEJJ?= =?iso-2022-jp?B?djJXZWw3SzJjSkJ2ZzBrR0htUG01T05XczZMSmZEdHRBMjVLaVRLR0FB?= =?iso-2022-jp?B?MFlQbndJaXVxSU0rRGhuVWdpRk9qTTZCNUUzRVNUOU0xZTJLVnV1TDBr?= =?iso-2022-jp?B?YVF1MXVqUDFqa3UySVZzd3Z5UzVjbGV2aWJCWjhFTnAzNHpMYWVHMmp1?= =?iso-2022-jp?B?ZlJ2N2NXSGl4SDRxRHJUZEVjYm5vZmRYMWx1QmpQRkZzd1RPL0tiNk94?= =?iso-2022-jp?B?bXJSai9haGprMGtmNk01SjJ3UmNWcnZsWTVBY3k3N2V2Y0c5WGlDUnVa?= =?iso-2022-jp?B?VEFSb2dnRUM5OTc5RGhITXp3RVZrZ0FwOXhMU3AzdVcwV01id2Uyd2lZ?= =?iso-2022-jp?B?OHNBeGVzcXBEZ3U3ZEFSTk0vNlU5NzVRclJYZkZSdVh1Sk9HU1lNQVRv?= =?iso-2022-jp?B?T1AyMUpuK0kxemhQcmRLZUZ3MjFPbnlPNGhueGd5MHo5eDdiWUpHbHJa?= =?iso-2022-jp?B?MzJBak1CZkkwcEFtdE5TL2J6aXJUVFAxUGE5bGhXZGFXYW93NjJIZ3ps?= =?iso-2022-jp?B?bjZTRzNUN1plVmJ0cFpwVnBQRUNRYkcybDBEU050QmFuR3ZYS25WVVhX?= =?iso-2022-jp?B?bHFodGhXbGs3VFB1TmcxSnowWDVJNG1TSkFkUHdCSnNqUTQ0aXlyVUVl?= =?iso-2022-jp?B?QUFZNUlUNHF6dld1STBrWnZ4azFKMHdjLzNRMFZUTEFQd0hHOXFoZnQ1?= =?iso-2022-jp?B?eXdjRkF1anZ1ZGdsQzRveUZHbitZSlI3R3ljR2tJbXFJYmRVM3ZLNFlZ?= =?iso-2022-jp?B?aXVTWU1sdDVCRkpUMGJEcHpIN3F3TjlzNjhFR0o3Yk9jRzRRUldUcCsy?= =?iso-2022-jp?B?T05nbEZhanQzVS80cGpDeFU0enBnMExSNEVUeFByVUZNU1dQZkNHL3dC?= =?iso-2022-jp?B?d2NTNUhjejRtVTV3VW5FbExteXFXeDd6b2M3WGxqUkQ4ZXJ6N25mUlBD?= =?iso-2022-jp?B?SmZmS0RJNEpDTlVnL0h1VFF2Q0Q3eVJiZ1gxMUlYUmM3c0lRNEh4MkVX?= =?iso-2022-jp?B?UXh4dlZsRnZUODhocUxzS2NDS1BGSlB3L0ZIMFVWZURFdWU1K1FUWGJF?= =?iso-2022-jp?B?V2gvL3dJQ24xanRhSThUanNNd2JGSHJ6Q2pvY2RQMk0wMUtOOG54VExF?= =?iso-2022-jp?B?bm9JWlhIUm5RNGgxMjl4SUcwaXhEcmE2MWJyeUZtV0pGN2RBUFh3NDhw?= =?iso-2022-jp?B?K0xTZ1l0S2lTbXNnTzU4Y0JiRWVoM1JGS1F3b2FJWExEVUhnUEFId0hs?= =?iso-2022-jp?B?enRZVFVEZ2hWZXA0MlF3VE9oMmJnQ1VldG5IVkZWVVF3NHJnTW9CL0Rn?= =?iso-2022-jp?B?VDRBanh4NzlybWg0Q1RRUjZGTUlmOHBkQXhjSUJwUlhLUTI1ZEowWk9J?= =?iso-2022-jp?B?Zmxlc2g3dFFpS0tXaWRqRWhtNlVzYmJDbkMxOG0xRkpZUGc5ZFY1SUl0?= =?iso-2022-jp?B?RHRDMkJuQnZlbzFkK3I2M0krYVhsci91aTNxckZRNkpseEpmSlF4ZkdO?= =?iso-2022-jp?B?SWtOQ29TenZ2NXNaSzV3dE9aNHVaRHlCbUNXeWJoWDRNODRkSHR3ZHc2?= =?iso-2022-jp?B?U0g5LytLbm9zVWxQMkZrT1p1YjR5T0dLZ2VIcFBDd3dSbDNwTWJKamc2?= =?iso-2022-jp?B?dTRhK3gzZ1RFbjM5QlU3NXd1ODlGOTJxMUVncER6OXJ0RTd1ZFZJLzFF?= =?iso-2022-jp?B?enI2MXJQK2lEYk5CdEFiN0k1T0R0dVlxYTRpcm5YZ05McWZyd2VDNW9M?= =?iso-2022-jp?B?ai9VcElJaDR0cGRjT2JpMEV5Y01VTjV0N3daRUI1aTZqYmdZNm9JQmth?= =?iso-2022-jp?B?cEFYWmMrNk9kUGdQcWU5VFZ2WUpMVk5HZmMwejJPbHJ6RWtlOWxObEZY?= =?iso-2022-jp?B?c1dGQ3B4dnFlT3pDQmtNa05yU1B3Tkx0VCt3L3o0eTVweVgyQjRNNW5G?= =?iso-2022-jp?B?WFZ4bkRsT3NZNkpGeUI4bGFvMmNaSXpxWmtMTm1YR3llN0RQbzJhNjRv?= =?iso-2022-jp?B?V09BczdlbUdyd3JPT0xJSHN2dWl6RmZ5SWVzQkYwbFArMDZQbSt4N3NY?= =?iso-2022-jp?B?K1hsdkRKdWx3R20zUWpoMGVPNTJRMEorSnJ5SVorVGM3cFhRNFlxQzNl?= =?iso-2022-jp?B?VDdOdVB5NmJJd0hETVVmWWZGTmhERmc3RzJLR0RtSzN6ZEl3dGx5c0lF?= =?iso-2022-jp?B?RndNLzdjYmdnVWg0c2lqNDVZRy9LMlZ4S3Fzb3N3LzVBNzRtN1dVUUli?= =?iso-2022-jp?B?KzdXbg==?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: MW4PR11MB5872.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: aeb4459e-b2e3-4825-1d35-08db79610b72 X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Jun 2023 11:56:31.3843 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: TIwEnW8+so8ZEPz2VCNtYZc/HbqysyCmJqMg7KFsjFR3Fw6YSNm3HwGntuOUzwu1QYPuDwyWPPlkTT0IBijuMg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW4PR11MB5870 Return-Path: jiewen.yao@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="iso-2022-jp" Content-Transfer-Encoding: quoted-printable For 4, I think we can enroll all supported algorithms, or the active algori= thm. I don=1B$B!G=1B(Bt think the PCD is needed. For 5, I suggest to change the data structure to include the algorithm ID. Thank you Yao, Jiewen > -----Original Message----- > From: Sheng, W > Sent: Friday, June 30, 2023 3:52 PM > To: Yao, Jiewen ; devel@edk2.groups.io > Cc: Wang, Jian J ; Xu, Min M ; > Chen, Zeyi ; Wang, Fiona > Subject: RE: [PATCH] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 >=20 > Hi Jiewen, > I raised the patch V2. > I do the fix for 1) , 2), 3). > But for 4) 5), I have below comments. >=20 > 4) I am not sure why we need this PCD. Why cannot we support all of hash = algo? >=20 > + ## Indicates default hash algorithm in Secure Boot > + # 0 - Use SHA256 > + # 1 - Use SHA384 > + # 2 - Use SHA512 > + # @Prompt Secure Boot default hash algorithm > + > + > gEfiSecurityPkgTokenSpaceGuid.PcdSecureBootDefaultHashAlg|0|UINT8|0x00 > + 010040 >=20 > PCD PcdSecureBootDefaultHashAlg is used for the only case of enroll an > unsigned image. > The original logic is BIOS will genrate SHA256 digest for this unsigned i= mage and > save it. > The PCD is used to select the hash algorithm for this case. > So we have to use a PCD to select the algorithm manully. >=20 >=20 > 5) I don=1B$B!G=1B(Bt believe that you can use size to determine the algo= rithm. We need a > more robust way, such as algorithm ID. >=20 > + switch (KeyLenInBytes) { > + case WIN_CERT_UEFI_RSA2048_SIZE: > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); > + break; > + case WIN_CERT_UEFI_RSA3072_SIZE: > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid); > + break; > + case WIN_CERT_UEFI_RSA4096_SIZE: > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid); > + break; > + break; >=20 > This code is used when enroll a RSA public key storing file (*.pbk). > Here is the header Struct of this file. > typedef struct _CPL_KEY_INFO { > UINT32 KeyLengthInBits; // Key Length In Bits > UINT32 BlockSize; // Operation Block Size in Bytes > UINT32 CipherBlockSize; // Output Cipher Block Size in Bytes > UINT32 KeyType; // Key Type > UINT32 CipherMode; // Cipher Mode for Symmetric Algorith= m > UINT32 Flags; // Additional Key Property Flags > } CPL_KEY_INFO; > Edk2/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > figImpl.h > We can only get to know the RSA algorithm by KeyLengthInBits. > (RSA2048/RSA3072/RSA4096) >=20 > Thank you. > BR > Sheng Wei >=20 > > -----Original Message----- > > From: Yao, Jiewen > > Sent: 2023=1B$BG/=1B(B6=1B$B7n=1B(B22=1B$BF|=1B(B 15:22 > > To: Sheng, W ; devel@edk2.groups.io > > Cc: Wang, Jian J ; Xu, Min M ; > > Chen, Zeyi ; Wang, Fiona > > Subject: RE: [PATCH] SecurityPkg/SecureBoot: Support RSA 512 and RSA 38= 4 > > > > Thank you very much to contribute this patch. Here is my feedback. > > > > 1) I don=1B$B!G=1B(Bt believe that you cannot use digest size to determ= ine the algorithm, > > because different hash algorithm may have same time. E.g. SHA256 and > > SHA3_256. > > > > + if (DigestSize =3D=3D SHA256_DIGEST_SIZE) { > > + Status =3D CalculatePrivAuthVarSignChainSHA256Digest ( > > + SignerCert, > > + SignerCertSize, > > + TopLevelCert, > > + TopLevelCertSize, > > + ShaDigest > > + ); > > > > 2) I don=1B$B!G=1B(Bt believe that you cannot assuming CtxSize of SHA51= 2 is bigger than > > SHA256. I think we may need create context for each algo. > > > > @@ -135,7 +135,7 @@ AuthVariableLibInitialize ( > > // > > // Initialize hash context. > > // > > - CtxSize =3D Sha256GetContextSize (); > > + CtxSize =3D Sha512GetContextSize (); > > mHashCtx =3D AllocateRuntimePool (CtxSize); > > if (mHashCtx =3D=3D NULL) { > > > > 3) I believe we should use 0 for SHA256 and ASSERT in default. > > > > + switch (PcdGet8 (PcdSecureBootDefaultHashAlg)) { case 1: > > + DEBUG ((DEBUG_INFO, "%a use SHA384", __func__)); > > + HashAlg =3D HASHALG_SHA384; > > + break; > > + case 2: > > + DEBUG ((DEBUG_INFO, "%a use SHA512", __func__)); > > + HashAlg =3D HASHALG_SHA512; > > + break; > > + default: > > + DEBUG ((DEBUG_INFO, "%a use SHA256", __func__)); > > + HashAlg =3D HASHALG_SHA256; > > + break; > > + } > > > > 4) I am not sure why we need this PCD. Why cannot we support all of has= h > > algo? > > > > + ## Indicates default hash algorithm in Secure Boot > > + # 0 - Use SHA256 > > + # 1 - Use SHA384 > > + # 2 - Use SHA512 > > + # @Prompt Secure Boot default hash algorithm > > + > > + > > gEfiSecurityPkgTokenSpaceGuid.PcdSecureBootDefaultHashAlg|0|UINT8|0x > > 00 > > + 010040 > > > > 5) I don=1B$B!G=1B(Bt believe that you can use size to determine the al= gorithm. We need > > a more robust way, such as algorithm ID. > > > > + switch (KeyLenInBytes) { > > + case WIN_CERT_UEFI_RSA2048_SIZE: > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); > > + break; > > + case WIN_CERT_UEFI_RSA3072_SIZE: > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid); > > + break; > > + case WIN_CERT_UEFI_RSA4096_SIZE: > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid); > > + break; > > + break; > > > > Thank you > > Yao, Jiewen > > > > > -----Original Message----- > > > From: Sheng, W > > > Sent: Thursday, May 25, 2023 1:23 PM > > > To: devel@edk2.groups.io > > > Cc: Yao, Jiewen ; Wang, Jian J > > > ; Xu, Min M ; Chen, Zeyi > > > ; Wang, Fiona > > > Subject: [PATCH] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 > > > > > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3413 > > > > > > Cc: Jiewen Yao > > > Cc: Jian J Wang > > > Cc: Min Xu > > > Cc: Zeyi Chen > > > Cc: Fiona Wang > > > Signed-off-by: Sheng Wei > > > --- > > > CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- > > > MdePkg/Include/Guid/ImageAuthentication.h | 26 ++ > > > MdePkg/MdePkg.dec | 2 + > > > .../Library/AuthVariableLib/AuthService.c | 272 ++++++++++++++++= -- > > > .../Library/AuthVariableLib/AuthVariableLib.c | 4 +- > > > .../DxeImageVerificationLib.c | 35 ++- > > > .../DxeImageVerificationLib.inf | 1 + > > > SecurityPkg/SecurityPkg.dec | 7 + > > > .../SecureBootConfigDxe.inf | 19 ++ > > > .../SecureBootConfigImpl.c | 122 +++++++- > > > .../SecureBootConfigImpl.h | 2 + > > > .../SecureBootConfigStrings.uni | 6 + > > > 12 files changed, 463 insertions(+), 36 deletions(-) > > > > > > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > > > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > > > index 027dbb6842..944bcf8d38 100644 > > > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > > > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > > > @@ -591,7 +591,8 @@ ImageTimestampVerify ( > > > // Register & Initialize necessary digest algorithms for PKCS#7 Ha= ndling. > > > > > > // > > > > > > if ((EVP_add_digest (EVP_md5 ()) =3D=3D 0) || (EVP_add_digest (EVP= _sha1 > > > ()) =3D=3D 0) > > > || > > > > > > - (EVP_add_digest (EVP_sha256 ()) =3D=3D 0) || ((EVP_add_digest_= alias > > > (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) =3D=3D 0)) > > > > > > + (EVP_add_digest (EVP_sha256 ()) =3D=3D 0) || (EVP_add_digest > > > + (EVP_sha384 ()) > > > =3D=3D 0) || > > > > > > + (EVP_add_digest (EVP_sha512 ()) =3D=3D 0) || ((EVP_add_digest_= alias > > > (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) =3D=3D 0)) > > > > > > { > > > > > > return FALSE; > > > > > > } > > > > > > diff --git a/MdePkg/Include/Guid/ImageAuthentication.h > > > b/MdePkg/Include/Guid/ImageAuthentication.h > > > index fe83596571..c8ea2c14fb 100644 > > > --- a/MdePkg/Include/Guid/ImageAuthentication.h > > > +++ b/MdePkg/Include/Guid/ImageAuthentication.h > > > @@ -144,6 +144,30 @@ typedef struct { > > > 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, > > > 0xb3, 0xb6} \ > > > > > > } > > > > > > > > > > > > +/// > > > > > > +/// This identifies a signature containing an RSA-3072 key. The key > > > +(only the > > > modulus > > > > > > +/// since the public key exponent is known to be 0x10001) shall be > > > +stored in big- > > > endian > > > > > > +/// order. > > > > > > +/// The SignatureHeader size shall always be 0. The SignatureSize > > > +shall always > > > be 16 (size > > > > > > +/// of SignatureOwner component) + 384 bytes. > > > > > > +/// > > > > > > +#define EFI_CERT_RSA3072_GUID \ > > > > > > + { \ > > > > > > + 0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, > > > + 0xee, > > > 0x92 } \ > > > > > > + } > > > > > > + > > > > > > +/// > > > > > > +/// This identifies a signature containing an RSA-4096 key. The key > > > +(only the > > > modulus > > > > > > +/// since the public key exponent is known to be 0x10001) shall be > > > +stored in big- > > > endian > > > > > > +/// order. > > > > > > +/// The SignatureHeader size shall always be 0. The SignatureSize > > > +shall always > > > be 16 (size > > > > > > +/// of SignatureOwner component) + 512 bytes. > > > > > > +/// > > > > > > +#define EFI_CERT_RSA4096_GUID \ > > > > > > + { \ > > > > > > + 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, > > > + 0x98, > > > 0x2c } \ > > > > > > + } > > > > > > + > > > > > > /// > > > > > > /// This identifies a signature containing a RSA-2048 signature of a > > > SHA-256 hash. The > > > > > > /// SignatureHeader size shall always be 0. The SignatureSize shall > > > always be 16 (size of > > > > > > @@ -330,6 +354,8 @@ typedef struct { > > > extern EFI_GUID gEfiImageSecurityDatabaseGuid; > > > > > > extern EFI_GUID gEfiCertSha256Guid; > > > > > > extern EFI_GUID gEfiCertRsa2048Guid; > > > > > > +extern EFI_GUID gEfiCertRsa3072Guid; > > > > > > +extern EFI_GUID gEfiCertRsa4096Guid; > > > > > > extern EFI_GUID gEfiCertRsa2048Sha256Guid; > > > > > > extern EFI_GUID gEfiCertSha1Guid; > > > > > > extern EFI_GUID gEfiCertRsa2048Sha1Guid; > > > > > > diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index > > > 80b6559053..782f6d184d 100644 > > > --- a/MdePkg/MdePkg.dec > > > +++ b/MdePkg/MdePkg.dec > > > @@ -562,6 +562,8 @@ > > > gEfiImageSecurityDatabaseGuid =3D { 0xd719b2cb, 0x3d3a, 0x4596, > > > {0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f }} > > > > > > gEfiCertSha256Guid =3D { 0xc1c41626, 0x504c, 0x4092, {= 0xac, 0xa9, > > 0x41, > > > 0xf9, 0x36, 0x93, 0x43, 0x28 }} > > > > > > gEfiCertRsa2048Guid =3D { 0x3c5766e8, 0x269c, 0x4e34, {= 0xaa, 0x14, > > 0xed, > > > 0x77, 0x6e, 0x85, 0xb3, 0xb6 }} > > > > > > + gEfiCertRsa3072Guid =3D { 0xedd320c2, 0xb057, 0x4b8e, {= 0xad, 0x46, > > > 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }} > > > > > > + gEfiCertRsa4096Guid =3D { 0xb23e89a6, 0x8c8b, 0x4412, {= 0x85, 0x73, > > > 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c }} > > > > > > gEfiCertRsa2048Sha256Guid =3D { 0xe2b36190, 0x879b, 0x4a3d, {= 0xad, > > 0x8d, > > > 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }} > > > > > > gEfiCertSha1Guid =3D { 0x826ca512, 0xcf10, 0x4ac9, {= 0xb1, 0x87, > 0xbe, > > > 0x1, 0x49, 0x66, 0x31, 0xbd }} > > > > > > gEfiCertRsa2048Sha1Guid =3D { 0x67f8444f, 0x8743, 0x48f1, {= 0xa3, 0x28, > > > 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }} > > > > > > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c > > > b/SecurityPkg/Library/AuthVariableLib/AuthService.c > > > index 452ed491ea..288e44a359 100644 > > > --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c > > > +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c > > > @@ -29,12 +29,16 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > > > #include > > > > > > #include > > > > > > > > > > > > +#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE > > > > > > + > > > > > > // > > > > > > // Public Exponent of RSA Key. > > > > > > // > > > > > > CONST UINT8 mRsaE[] =3D { 0x01, 0x00, 0x01 }; > > > > > > > > > > > > CONST UINT8 mSha256OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, > > > 0x03, 0x04, 0x02, 0x01 }; > > > > > > +CONST UINT8 mSha384OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, > > > +0x03, > > > 0x04, 0x02, 0x02 }; > > > > > > +CONST UINT8 mSha512OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, > > > +0x03, > > > 0x04, 0x02, 0x03 }; > > > > > > > > > > > > // > > > > > > // Requirement for different signature type which have been defined > > > in UEFI spec. > > > > > > @@ -44,6 +48,8 @@ EFI_SIGNATURE_ITEM mSupportSigItem[] =3D { > > > // {SigType, SigHeaderSize, SigDataSize } > > > > > > { EFI_CERT_SHA256_GUID, 0, 32 }, > > > > > > { EFI_CERT_RSA2048_GUID, 0, 256 }, > > > > > > + { EFI_CERT_RSA3072_GUID, 0, 384 }, > > > > > > + { EFI_CERT_RSA4096_GUID, 0, 512 }, > > > > > > { EFI_CERT_RSA2048_SHA256_GUID, 0, 256 }, > > > > > > { EFI_CERT_SHA1_GUID, 0, 20 }, > > > > > > { EFI_CERT_RSA2048_SHA1_GUID, 0, 256 }, > > > > > > @@ -1172,6 +1178,172 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > > > return EFI_SUCCESS; > > > > > > } > > > > > > > > > > > > +/** > > > > > > + Calculate SHA38 digest of SignerCert CommonName + ToplevelCert > > > tbsCertificate > > > > > > + SignerCert and ToplevelCert are inside the signer certificate chai= n. > > > > > > + > > > > > > + @param[in] SignerCert A pointer to SignerCert data. > > > > > > + @param[in] SignerCertSize Length of SignerCert data. > > > > > > + @param[in] TopLevelCert A pointer to TopLevelCert data. > > > > > > + @param[in] TopLevelCertSize Length of TopLevelCert data. > > > > > > + @param[out] Sha384Digest Sha384 digest calculated. > > > > > > + > > > > > > + @return EFI_ABORTED Digest process failed. > > > > > > + @return EFI_SUCCESS SHA384 Digest is successfully calcula= ted. > > > > > > + > > > > > > +**/ > > > > > > +EFI_STATUS > > > > > > +CalculatePrivAuthVarSignChainSHA384Digest ( > > > > > > + IN UINT8 *SignerCert, > > > > > > + IN UINTN SignerCertSize, > > > > > > + IN UINT8 *TopLevelCert, > > > > > > + IN UINTN TopLevelCertSize, > > > > > > + OUT UINT8 *Sha384Digest > > > > > > + ) > > > > > > +{ > > > > > > + UINT8 *TbsCert; > > > > > > + UINTN TbsCertSize; > > > > > > + CHAR8 CertCommonName[128]; > > > > > > + UINTN CertCommonNameSize; > > > > > > + BOOLEAN CryptoStatus; > > > > > > + EFI_STATUS Status; > > > > > > + > > > > > > + CertCommonNameSize =3D sizeof (CertCommonName); > > > > > > + > > > > > > + // > > > > > > + // Get SignerCert CommonName > > > > > > + // > > > > > > + Status =3D X509GetCommonName (SignerCert, SignerCertSize, > > > CertCommonName, &CertCommonNameSize); > > > > > > + if (EFI_ERROR (Status)) { > > > > > > + DEBUG ((DEBUG_INFO, "%a Get SignerCert CommonName failed with > > > status %x\n", __FUNCTION__, Status)); > > > > > > + return EFI_ABORTED; > > > > > > + } > > > > > > + > > > > > > + // > > > > > > + // Get TopLevelCert tbsCertificate > > > > > > + // > > > > > > + if (!X509GetTBSCert (TopLevelCert, TopLevelCertSize, &TbsCert, > > > &TbsCertSize)) { > > > > > > + DEBUG ((DEBUG_INFO, "%a Get Top-level Cert tbsCertificate > > > + failed!\n", > > > __FUNCTION__)); > > > > > > + return EFI_ABORTED; > > > > > > + } > > > > > > + > > > > > > + // > > > > > > + // Digest SignerCert CN + TopLevelCert tbsCertificate > > > > > > + // > > > > > > + ZeroMem (Sha384Digest, SHA384_DIGEST_SIZE); > > > > > > + CryptoStatus =3D Sha384Init (mHashCtx); > > > > > > + if (!CryptoStatus) { > > > > > > + return EFI_ABORTED; > > > > > > + } > > > > > > + > > > > > > + // > > > > > > + // '\0' is forced in CertCommonName. No overflow issue > > > > > > + // > > > > > > + CryptoStatus =3D Sha384Update ( > > > > > > + mHashCtx, > > > > > > + CertCommonName, > > > > > > + AsciiStrLen (CertCommonName) > > > > > > + ); > > > > > > + if (!CryptoStatus) { > > > > > > + return EFI_ABORTED; > > > > > > + } > > > > > > + > > > > > > + CryptoStatus =3D Sha384Update (mHashCtx, TbsCert, TbsCertSize); > > > > > > + if (!CryptoStatus) { > > > > > > + return EFI_ABORTED; > > > > > > + } > > > > > > + > > > > > > + CryptoStatus =3D Sha384Final (mHashCtx, Sha384Digest); > > > > > > + if (!CryptoStatus) { > > > > > > + return EFI_ABORTED; > > > > > > + } > > > > > > + > > > > > > + return EFI_SUCCESS; > > > > > > +} > > > > > > + > > > > > > +/** > > > > > > + Calculate SHA512 digest of SignerCert CommonName + ToplevelCert > > > tbsCertificate > > > > > > + SignerCert and ToplevelCert are inside the signer certificate chai= n. > > > > > > + > > > > > > + @param[in] SignerCert A pointer to SignerCert data. > > > > > > + @param[in] SignerCertSize Length of SignerCert data. > > > > > > + @param[in] TopLevelCert A pointer to TopLevelCert data. > > > > > > + @param[in] TopLevelCertSize Length of TopLevelCert data. > > > > > > + @param[out] Sha512Digest Sha512 digest calculated. > > > > > > + > > > > > > + @return EFI_ABORTED Digest process failed. > > > > > > + @return EFI_SUCCESS SHA512 Digest is successfully calcula= ted. > > > > > > + > > > > > > +**/ > > > > > > +EFI_STATUS > > > > > > +CalculatePrivAuthVarSignChainSHA512Digest ( > > > > > > + IN UINT8 *SignerCert, > > > > > > + IN UINTN SignerCertSize, > > > > > > + IN UINT8 *TopLevelCert, > > > > > > + IN UINTN TopLevelCertSize, > > > > > > + OUT UINT8 *Sha512Digest > > > > > > + ) > > > > > > +{ > > > > > > + UINT8 *TbsCert; > > > > > > + UINTN TbsCertSize; > > > > > > + CHAR8 CertCommonName[128]; > > > > > > + UINTN CertCommonNameSize; > > > > > > + BOOLEAN CryptoStatus; > > > > > > + EFI_STATUS Status; > > > > > > + > > > > > > + CertCommonNameSize =3D sizeof (CertCommonName); > > > > > > + > > > > > > + // > > > > > > + // Get SignerCert CommonName > > > > > > + // > > > > > > + Status =3D X509GetCommonName (SignerCert, SignerCertSize, > > > CertCommonName, &CertCommonNameSize); > > > > > > + if (EFI_ERROR (Status)) { > > > > > > + DEBUG ((DEBUG_INFO, "%a Get SignerCert CommonName failed with > > > status %x\n", __FUNCTION__, Status)); > > > > > > + return EFI_ABORTED; > > > > > > + } > > > > > > + > > > > > > + // > > > > > > + // Get TopLevelCert tbsCertificate > > > > > > + // > > > > > > + if (!X509GetTBSCert (TopLevelCert, TopLevelCertSize, &TbsCert, > > > &TbsCertSize)) { > > > > > > + DEBUG ((DEBUG_INFO, "%a Get Top-level Cert tbsCertificate > > > + failed!\n", > > > __FUNCTION__)); > > > > > > + return EFI_ABORTED; > > > > > > + } > > > > > > + > > > > > > + // > > > > > > + // Digest SignerCert CN + TopLevelCert tbsCertificate > > > > > > + // > > > > > > + ZeroMem (Sha512Digest, SHA512_DIGEST_SIZE); > > > > > > + CryptoStatus =3D Sha512Init (mHashCtx); > > > > > > + if (!CryptoStatus) { > > > > > > + return EFI_ABORTED; > > > > > > + } > > > > > > + > > > > > > + // > > > > > > + // '\0' is forced in CertCommonName. No overflow issue > > > > > > + // > > > > > > + CryptoStatus =3D Sha512Update ( > > > > > > + mHashCtx, > > > > > > + CertCommonName, > > > > > > + AsciiStrLen (CertCommonName) > > > > > > + ); > > > > > > + if (!CryptoStatus) { > > > > > > + return EFI_ABORTED; > > > > > > + } > > > > > > + > > > > > > + CryptoStatus =3D Sha512Update (mHashCtx, TbsCert, TbsCertSize); > > > > > > + if (!CryptoStatus) { > > > > > > + return EFI_ABORTED; > > > > > > + } > > > > > > + > > > > > > + CryptoStatus =3D Sha512Final (mHashCtx, Sha512Digest); > > > > > > + if (!CryptoStatus) { > > > > > > + return EFI_ABORTED; > > > > > > + } > > > > > > + > > > > > > + return EFI_SUCCESS; > > > > > > +} > > > > > > + > > > > > > /** > > > > > > Find matching signer's certificates for common authenticated > > > variable > > > > > > by corresponding VariableName and VendorGuid from "certdb" or > > "certdbv". > > > > > > @@ -1526,6 +1698,7 @@ DeleteCertsFromDb ( > > > @param[in] SignerCertSize Length of signer certificate. > > > > > > @param[in] TopLevelCert Top-level certificate data. > > > > > > @param[in] TopLevelCertSize Length of top-level certificate. > > > > > > + @param[in] DigestSize Digest Size. > > > > > > > > > > > > @retval EFI_INVALID_PARAMETER Any input parameter is invalid. > > > > > > @retval EFI_ACCESS_DENIED An AUTH_CERT_DB_DATA entry with > > same > > > VariableName > > > > > > @@ -1542,7 +1715,8 @@ InsertCertsToDb ( > > > IN UINT8 *SignerCert, > > > > > > IN UINTN SignerCertSize, > > > > > > IN UINT8 *TopLevelCert, > > > > > > - IN UINTN TopLevelCertSize > > > > > > + IN UINTN TopLevelCertSize, > > > > > > + IN UINT32 DigestSize > > > > > > ) > > > > > > { > > > > > > EFI_STATUS Status; > > > > > > @@ -1556,7 +1730,7 @@ InsertCertsToDb ( > > > UINT32 CertDataSize; > > > > > > AUTH_CERT_DB_DATA *Ptr; > > > > > > CHAR16 *DbName; > > > > > > - UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; > > > > > > + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; > > > > > > > > > > > > if ((VariableName =3D=3D NULL) || (VendorGuid =3D=3D NULL) || (Sig= nerCert > > > =3D=3D NULL) > > > || (TopLevelCert =3D=3D NULL)) { > > > > > > return EFI_INVALID_PARAMETER; > > > > > > @@ -1618,20 +1792,41 @@ InsertCertsToDb ( > > > // Construct new data content of variable "certdb" or "certdbv". > > > > > > // > > > > > > NameSize =3D (UINT32)StrLen (VariableName); > > > > > > - CertDataSize =3D sizeof (Sha256Digest); > > > > > > + CertDataSize =3D DigestSize; > > > > > > CertNodeSize =3D sizeof (AUTH_CERT_DB_DATA) + (UINT32)CertDataSiz= e + > > > NameSize * sizeof (CHAR16); > > > > > > NewCertDbSize =3D (UINT32)DataSize + CertNodeSize; > > > > > > if (NewCertDbSize > mMaxCertDbSize) { > > > > > > return EFI_OUT_OF_RESOURCES; > > > > > > } > > > > > > > > > > > > - Status =3D CalculatePrivAuthVarSignChainSHA256Digest ( > > > > > > - SignerCert, > > > > > > - SignerCertSize, > > > > > > - TopLevelCert, > > > > > > - TopLevelCertSize, > > > > > > - Sha256Digest > > > > > > - ); > > > > > > + if (DigestSize =3D=3D SHA256_DIGEST_SIZE) { > > > > > > + Status =3D CalculatePrivAuthVarSignChainSHA256Digest ( > > > > > > + SignerCert, > > > > > > + SignerCertSize, > > > > > > + TopLevelCert, > > > > > > + TopLevelCertSize, > > > > > > + ShaDigest > > > > > > + ); > > > > > > + } else if (DigestSize =3D=3D SHA384_DIGEST_SIZE) { > > > > > > + Status =3D CalculatePrivAuthVarSignChainSHA384Digest ( > > > > > > + SignerCert, > > > > > > + SignerCertSize, > > > > > > + TopLevelCert, > > > > > > + TopLevelCertSize, > > > > > > + ShaDigest > > > > > > + ); > > > > > > + } else if (DigestSize =3D=3D SHA512_DIGEST_SIZE) { > > > > > > + Status =3D CalculatePrivAuthVarSignChainSHA512Digest ( > > > > > > + SignerCert, > > > > > > + SignerCertSize, > > > > > > + TopLevelCert, > > > > > > + TopLevelCertSize, > > > > > > + ShaDigest > > > > > > + ); > > > > > > + } else { > > > > > > + return EFI_UNSUPPORTED; > > > > > > + } > > > > > > + > > > > > > if (EFI_ERROR (Status)) { > > > > > > return Status; > > > > > > } > > > > > > @@ -1663,7 +1858,7 @@ InsertCertsToDb ( > > > > > > > > > CopyMem ( > > > > > > (UINT8 *)Ptr + sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof > > > (CHAR16), > > > > > > - Sha256Digest, > > > > > > + ShaDigest, > > > > > > CertDataSize > > > > > > ); > > > > > > > > > > > > @@ -1857,7 +2052,7 @@ VerifyTimeBasedPayload ( > > > UINTN CertStackSize; > > > > > > UINT8 *CertsInCertDb; > > > > > > UINT32 CertsSizeinDb; > > > > > > - UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; > > > > > > + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; > > > > > > EFI_CERT_DATA *CertDataPtr; > > > > > > > > > > > > // > > > > > > @@ -1928,7 +2123,7 @@ VerifyTimeBasedPayload ( > > > > > > > > > // > > > > > > // SignedData.digestAlgorithms shall contain the digest algorithm > > > used when preparing the > > > > > > - // signature. Only a digest algorithm of SHA-256 is accepted. > > > > > > + // signature. Only a digest algorithm of SHA-256, SHA-384 or > > > + SHA-512 is > > > accepted. > > > > > > // > > > > > > // According to PKCS#7 Definition (https://www.rfc- > > editor.org/rfc/rfc2315): > > > > > > // SignedData ::=3D SEQUENCE { > > > > > > @@ -1978,7 +2173,19 @@ VerifyTimeBasedPayload ( > > > || (CompareMem (SigData + 13, &mSha256OidValue, sizeof > > > (mSha256OidValue)) !=3D 0))) > > > > > > && ( (SigDataSize >=3D (32 + sizeof (mSha256OidValue))) > > > > > > && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) !=3D > > > TWO_BYTE_ENCODE) > > > > > > - || (CompareMem (SigData + 32, &mSha256OidValue, sizeof > > > (mSha256OidValue)) !=3D 0)))) > > > > > > + || (CompareMem (SigData + 32, &mSha256OidValue, sizeof > > > (mSha256OidValue)) !=3D 0))) > > > > > > + && ( (SigDataSize >=3D (13 + sizeof (mSha384OidValue))) > > > > > > + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) !=3D > > > + TWO_BYTE_ENCODE) > > > > > > + || (CompareMem (SigData + 13, &mSha384OidValue, sizeof > > > (mSha384OidValue)) !=3D 0))) > > > > > > + && ( (SigDataSize >=3D (32 + sizeof (mSha384OidValue))) > > > > > > + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) !=3D > > > + TWO_BYTE_ENCODE) > > > > > > + || (CompareMem (SigData + 32, &mSha384OidValue, sizeof > > > (mSha384OidValue)) !=3D 0))) > > > > > > + && ( (SigDataSize >=3D (13 + sizeof (mSha512OidValue))) > > > > > > + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) !=3D > > > + TWO_BYTE_ENCODE) > > > > > > + || (CompareMem (SigData + 13, &mSha512OidValue, sizeof > > > (mSha512OidValue)) !=3D 0))) > > > > > > + && ( (SigDataSize >=3D (32 + sizeof (mSha512OidValue))) > > > > > > + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) !=3D > > > + TWO_BYTE_ENCODE) > > > > > > + || (CompareMem (SigData + 32, &mSha512OidValue, sizeof > > > (mSha512OidValue)) !=3D 0)))) > > > > > > { > > > > > > return EFI_SECURITY_VIOLATION; > > > > > > } > > > > > > @@ -2180,9 +2387,39 @@ VerifyTimeBasedPayload ( > > > ReadUnaligned32 ((UINT32 > > > *)&(CertDataPtr->CertDataLength)), > > > > > > TopLevelCert, > > > > > > TopLevelCertSize, > > > > > > - Sha256Digest > > > > > > + ShaDigest > > > > > > + ); > > > > > > + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, > > > + CertsInCertDb, > > > CertsSizeinDb) !=3D 0)) { > > > > > > + goto Exit; > > > > > > + } > > > > > > + } else if (CertsSizeinDb =3D=3D SHA384_DIGEST_SIZE) { > > > > > > + // > > > > > > + // Check hash of signer cert CommonName + Top-level issuer > > > tbsCertificate against data in CertDb > > > > > > + // > > > > > > + CertDataPtr =3D (EFI_CERT_DATA *)(SignerCerts + 1); > > > > > > + Status =3D CalculatePrivAuthVarSignChainSHA384Digest ( > > > > > > + CertDataPtr->CertDataBuffer, > > > > > > + ReadUnaligned32 ((UINT32 > > > + *)&(CertDataPtr->CertDataLength)), > > > > > > + TopLevelCert, > > > > > > + TopLevelCertSize, > > > > > > + ShaDigest > > > > > > + ); > > > > > > + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, > > > + CertsInCertDb, > > > CertsSizeinDb) !=3D 0)) { > > > > > > + goto Exit; > > > > > > + } > > > > > > + } else if (CertsSizeinDb =3D=3D SHA512_DIGEST_SIZE) { > > > > > > + // > > > > > > + // Check hash of signer cert CommonName + Top-level issuer > > > tbsCertificate against data in CertDb > > > > > > + // > > > > > > + CertDataPtr =3D (EFI_CERT_DATA *)(SignerCerts + 1); > > > > > > + Status =3D CalculatePrivAuthVarSignChainSHA512Digest ( > > > > > > + CertDataPtr->CertDataBuffer, > > > > > > + ReadUnaligned32 ((UINT32 > > > + *)&(CertDataPtr->CertDataLength)), > > > > > > + TopLevelCert, > > > > > > + TopLevelCertSize, > > > > > > + ShaDigest > > > > > > ); > > > > > > - if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, > > CertsInCertDb, > > > CertsSizeinDb) !=3D 0)) { > > > > > > + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, > > > + CertsInCertDb, > > > CertsSizeinDb) !=3D 0)) { > > > > > > goto Exit; > > > > > > } > > > > > > } else { > > > > > > @@ -2221,7 +2458,8 @@ VerifyTimeBasedPayload ( > > > CertDataPtr->CertDataBuffer, > > > > > > ReadUnaligned32 ((UINT32 > > > *)&(CertDataPtr->CertDataLength)), > > > > > > TopLevelCert, > > > > > > - TopLevelCertSize > > > > > > + TopLevelCertSize, > > > > > > + CertsSizeinDb > > > > > > ); > > > > > > if (EFI_ERROR (Status)) { > > > > > > VerifyStatus =3D FALSE; > > > > > > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > > > b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > > > index dc61ae840c..552c0e99be 100644 > > > --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > > > +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > > > @@ -26,7 +26,7 @@ UINT32 mMaxCertDbSize; > > > UINT32 mPlatformMode; > > > > > > UINT8 mVendorKeyState; > > > > > > > > > > > > -EFI_GUID mSignatureSupport[] =3D { EFI_CERT_SHA1_GUID, > > > EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, > > EFI_CERT_X509_GUID }; > > > > > > +EFI_GUID mSignatureSupport[] =3D { EFI_CERT_SHA1_GUID, > > > EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, > > EFI_CERT_SHA512_GUID, > > > EFI_CERT_RSA2048_GUID, EFI_CERT_RSA3072_GUID, > > EFI_CERT_RSA4096_GUID, > > > EFI_CERT_X509_GUID }; > > > > > > > > > > > > // > > > > > > // Hash context pointer > > > > > > @@ -135,7 +135,7 @@ AuthVariableLibInitialize ( > > > // > > > > > > // Initialize hash context. > > > > > > // > > > > > > - CtxSize =3D Sha256GetContextSize (); > > > > > > + CtxSize =3D Sha512GetContextSize (); > > > > > > mHashCtx =3D AllocateRuntimePool (CtxSize); > > > > > > if (mHashCtx =3D=3D NULL) { > > > > > > return EFI_OUT_OF_RESOURCES; > > > > > > diff --git > > > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= . > > > c > > > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= . > > > c > > > index 66e2f5eaa3..f642aad64d 100644 > > > --- > > > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= . > > > c > > > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= n > > > +++ Lib.c > > > @@ -1606,6 +1606,35 @@ Done: > > > return VerifyStatus; > > > > > > } > > > > > > > > > > > > +/** > > > > > > + Get Hash Alg by PcdSecureBootDefaultHashAlg > > > > > > + > > > > > > + @retval UINT32 Hash Alg > > > > > > + **/ > > > > > > +UINT32 > > > > > > +GetDefaultHashAlg ( > > > > > > + VOID > > > > > > + ) > > > > > > +{ > > > > > > + UINT32 HashAlg; > > > > > > + > > > > > > + switch (PcdGet8 (PcdSecureBootDefaultHashAlg)) { > > > > > > + case 1: > > > > > > + DEBUG ((DEBUG_INFO, "%a use SHA384", __func__)); > > > > > > + HashAlg =3D HASHALG_SHA384; > > > > > > + break; > > > > > > + case 2: > > > > > > + DEBUG ((DEBUG_INFO, "%a use SHA512", __func__)); > > > > > > + HashAlg =3D HASHALG_SHA512; > > > > > > + break; > > > > > > + default: > > > > > > + DEBUG ((DEBUG_INFO, "%a use SHA256", __func__)); > > > > > > + HashAlg =3D HASHALG_SHA256; > > > > > > + break; > > > > > > + } > > > > > > + return HashAlg; > > > > > > +} > > > > > > + > > > > > > /** > > > > > > Provide verification service for signed images, which include both > > > signature validation > > > > > > and platform policy control. For signature types, both UEFI > > > WIN_CERTIFICATE_UEFI_GUID and > > > > > > @@ -1620,7 +1649,7 @@ Done: > > > in the security database "db", and no valid signature nor any > > > hash value of the image may > > > > > > be reflected in the security database "dbx". > > > > > > Otherwise, the image is not signed, > > > > > > - The SHA256 hash value of the image must match a record in the > > security > > > database "db", and > > > > > > + The hash value of the image must match a record in the securit= y > > > + database > > > "db", and > > > > > > not be reflected in the security data base "dbx". > > > > > > > > > > > > Caution: This function may receive untrusted input. > > > > > > @@ -1832,10 +1861,10 @@ DxeImageVerificationHandler ( > > > // > > > > > > if ((SecDataDir =3D=3D NULL) || (SecDataDir->Size =3D=3D 0)) { > > > > > > // > > > > > > - // This image is not signed. The SHA256 hash value of the image = must > > match > > > a record in the security database "db", > > > > > > + // This image is not signed. The hash value of the image must > > > + match a record > > > in the security database "db", > > > > > > // and not be reflected in the security data base "dbx". > > > > > > // > > > > > > - if (!HashPeImage (HASHALG_SHA256)) { > > > > > > + if (!HashPeImage (GetDefaultHashAlg ())) { > > > > > > DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash > > > this image using %s.\n", mHashTypeStr)); > > > > > > goto Failed; > > > > > > } > > > > > > diff --git > > > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= . > > > inf > > > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= . > > > inf > > > index 1e1a639857..f1ef9236c2 100644 > > > --- > > > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= . > > > inf > > > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= n > > > +++ Lib.inf > > > @@ -93,3 +93,4 @@ > > > gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy > > > ## SOMETIMES_CONSUMES > > > > > > > > > > > gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolic > > y > > > ## SOMETIMES_CONSUMES > > > > > > gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy > > ## > > > SOMETIMES_CONSUMES > > > > > > + gEfiSecurityPkgTokenSpaceGuid.PcdSecureBootDefaultHashAlg > > ## > > > CONSUMES > > > > > > diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.de= c > > > index 0382090f4e..4adc2a72ab 100644 > > > --- a/SecurityPkg/SecurityPkg.dec > > > +++ b/SecurityPkg/SecurityPkg.dec > > > @@ -521,6 +521,13 @@ > > > # @Prompt Skip Hdd Password prompt. > > > > > > > > > > > gEfiSecurityPkgTokenSpaceGuid.PcdSkipHddPasswordPrompt|FALSE|BOOLE > > AN| > > > 0x00010021 > > > > > > > > > > > > + ## Indicates default hash algorithm in Secure Boot > > > > > > + # 0 - Use SHA256 > > > > > > + # 1 - Use SHA384 > > > > > > + # 2 - Use SHA512 > > > > > > + # @Prompt Secure Boot default hash algorithm > > > > > > + > > > > > gEfiSecurityPkgTokenSpaceGuid.PcdSecureBootDefaultHashAlg|0|UINT8|0x > > 00 > > > 0 > > > 10040 > > > > > > + > > > > > > [PcdsDynamic, PcdsDynamicEx] > > > > > > > > > > > > ## This PCD indicates Hash mask for TPM 2.0. Bit definition > > > strictly follows TCG Algorithm Registry.

> > > > > > diff --git > > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > f > > > ig > > > Dxe.inf > > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > f > > > ig > > > Dxe.inf > > > index 1671d5be7c..4b0012d033 100644 > > > --- > > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > f > > > ig > > > Dxe.inf > > > +++ > > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > f > > > ig > > > Dxe.inf > > > @@ -70,6 +70,14 @@ > > > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the = type of > > the > > > signature. > > > > > > gEfiCertRsa2048Guid > > > > > > > > > > > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the = type of > > the > > > signature. > > > > > > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the = type of > > the > > > signature. > > > > > > + gEfiCertRsa3072Guid > > > > > > + > > > > > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the = type of > > the > > > signature. > > > > > > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the = type of > > the > > > signature. > > > > > > + gEfiCertRsa4096Guid > > > > > > + > > > > > > ## SOMETIMES_CONSUMES ## GUID # Unique ID for the = type of > > the > > > signature. > > > > > > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the = type of > > the > > > signature. > > > > > > gEfiCertX509Guid > > > > > > @@ -82,6 +90,14 @@ > > > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the = type of > > the > > > signature. > > > > > > gEfiCertSha256Guid > > > > > > > > > > > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the = type of > > the > > > signature. > > > > > > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the = type of > > the > > > signature. > > > > > > + gEfiCertSha384Guid > > > > > > + > > > > > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the = type of > > the > > > signature. > > > > > > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the = type of > > the > > > signature. > > > > > > + gEfiCertSha512Guid > > > > > > + > > > > > > ## SOMETIMES_CONSUMES ## Variable:L"db" > > > > > > ## SOMETIMES_PRODUCES ## Variable:L"db" > > > > > > ## SOMETIMES_CONSUMES ## Variable:L"dbx" > > > > > > @@ -107,6 +123,9 @@ > > > gEfiCertX509Sha384Guid ## SOMETIMES_PRODUCE= S ## GUID > > # > > > Unique ID for the type of the certificate. > > > > > > gEfiCertX509Sha512Guid ## SOMETIMES_PRODUCE= S ## GUID > > # > > > Unique ID for the type of the certificate. > > > > > > > > > > > > +[Pcd] > > > > > > + gEfiSecurityPkgTokenSpaceGuid.PcdSecureBootDefaultHashAlg > > ## > > > CONSUMES > > > > > > + > > > > > > [Protocols] > > > > > > gEfiHiiConfigAccessProtocolGuid ## PRODUCES > > > > > > gEfiDevicePathProtocolGuid ## PRODUCES > > > > > > diff --git > > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > f > > > igI > > > mpl.c > > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > f > > > igI > > > mpl.c > > > index 4299a6b5e5..0ba029a394 100644 > > > --- > > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > f > > > igI > > > mpl.c > > > +++ > > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > f > > > igI > > > mpl.c > > > @@ -560,7 +560,7 @@ ON_EXIT: > > > > > > > > > **/ > > > > > > EFI_STATUS > > > > > > -EnrollRsa2048ToKek ( > > > > > > +EnrollRsaToKek ( > > > > > > IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private > > > > > > ) > > > > > > { > > > > > > @@ -603,8 +603,13 @@ EnrollRsa2048ToKek ( > > > > > > > > > ASSERT (KeyBlob !=3D NULL); > > > > > > KeyInfo =3D (CPL_KEY_INFO *)KeyBlob; > > > > > > - if (KeyInfo->KeyLengthInBits / 8 !=3D WIN_CERT_UEFI_RSA2048_SIZE) = { > > > > > > - DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is > > > supported.\n")); > > > > > > + switch (KeyInfo->KeyLengthInBits / 8) { > > > > > > + case WIN_CERT_UEFI_RSA2048_SIZE: > > > > > > + case WIN_CERT_UEFI_RSA3072_SIZE: > > > > > > + case WIN_CERT_UEFI_RSA4096_SIZE: > > > > > > + break; > > > > > > + default : > > > > > > + DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048, > > > + RSA3072 > > > and RSA4096 are supported.\n")); > > > > > > Status =3D EFI_UNSUPPORTED; > > > > > > goto ON_EXIT; > > > > > > } > > > > > > @@ -632,7 +637,7 @@ EnrollRsa2048ToKek ( > > > // > > > > > > KekSigListSize =3D sizeof (EFI_SIGNATURE_LIST) > > > > > > + sizeof (EFI_SIGNATURE_DATA) - 1 > > > > > > - + WIN_CERT_UEFI_RSA2048_SIZE; > > > > > > + + KeyLenInBytes; > > > > > > > > > > > > KekSigList =3D (EFI_SIGNATURE_LIST *)AllocateZeroPool > > > (KekSigListSize); > > > > > > if (KekSigList =3D=3D NULL) { > > > > > > @@ -642,17 +647,32 @@ EnrollRsa2048ToKek ( > > > > > > > > > KekSigList->SignatureListSize =3D sizeof (EFI_SIGNATURE_LIST) > > > > > > + sizeof (EFI_SIGNATURE_DATA) - 1 > > > > > > - + WIN_CERT_UEFI_RSA2048_SIZE; > > > > > > + + (UINT32) KeyLenInBytes; > > > > > > KekSigList->SignatureHeaderSize =3D 0; > > > > > > - KekSigList->SignatureSize =3D sizeof (EFI_SIGNATURE_DATA) - = 1 + > > > WIN_CERT_UEFI_RSA2048_SIZE; > > > > > > - CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); > > > > > > + KekSigList->SignatureSize =3D sizeof (EFI_SIGNATURE_DATA) - = 1 + > > (UINT32) > > > KeyLenInBytes; > > > > > > + switch (KeyLenInBytes) { > > > > > > + case WIN_CERT_UEFI_RSA2048_SIZE: > > > > > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); > > > > > > + break; > > > > > > + case WIN_CERT_UEFI_RSA3072_SIZE: > > > > > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid); > > > > > > + break; > > > > > > + case WIN_CERT_UEFI_RSA4096_SIZE: > > > > > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid); > > > > > > + break; > > > > > > + break; > > > > > > + default : > > > > > > + DEBUG ((DEBUG_ERROR, "Unsupported key length.\n")); > > > > > > + Status =3D EFI_UNSUPPORTED; > > > > > > + goto ON_EXIT; > > > > > > + } > > > > > > > > > > > > KEKSigData =3D (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof > > > (EFI_SIGNATURE_LIST)); > > > > > > CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID); > > > > > > CopyMem ( > > > > > > KEKSigData->SignatureData, > > > > > > KeyBlob + sizeof (CPL_KEY_INFO), > > > > > > - WIN_CERT_UEFI_RSA2048_SIZE > > > > > > + KeyLenInBytes > > > > > > ); > > > > > > > > > > > > // > > > > > > @@ -890,7 +910,7 @@ EnrollKeyExchangeKey ( > > > if (IsDerEncodeCertificate (FilePostFix)) { > > > > > > return EnrollX509ToKek (Private); > > > > > > } else if (CompareMem (FilePostFix, L".pbk", 4) =3D=3D 0) { > > > > > > - return EnrollRsa2048ToKek (Private); > > > > > > + return EnrollRsaToKek (Private); > > > > > > } else { > > > > > > // > > > > > > // File type is wrong, simply close it > > > > > > @@ -1847,7 +1867,7 @@ HashPeImage ( > > > SectionHeader =3D NULL; > > > > > > Status =3D FALSE; > > > > > > > > > > > > - if (HashAlg !=3D HASHALG_SHA256) { > > > > > > + if ((HashAlg >=3D HASHALG_MAX)) { > > > > > > return FALSE; > > > > > > } > > > > > > > > > > > > @@ -1856,8 +1876,25 @@ HashPeImage ( > > > // > > > > > > ZeroMem (mImageDigest, MAX_DIGEST_SIZE); > > > > > > > > > > > > - mImageDigestSize =3D SHA256_DIGEST_SIZE; > > > > > > - mCertType =3D gEfiCertSha256Guid; > > > > > > + switch (HashAlg) { > > > > > > + case HASHALG_SHA256: > > > > > > + mImageDigestSize =3D SHA256_DIGEST_SIZE; > > > > > > + mCertType =3D gEfiCertSha256Guid; > > > > > > + break; > > > > > > + > > > > > > + case HASHALG_SHA384: > > > > > > + mImageDigestSize =3D SHA384_DIGEST_SIZE; > > > > > > + mCertType =3D gEfiCertSha384Guid; > > > > > > + break; > > > > > > + > > > > > > + case HASHALG_SHA512: > > > > > > + mImageDigestSize =3D SHA512_DIGEST_SIZE; > > > > > > + mCertType =3D gEfiCertSha512Guid; > > > > > > + break; > > > > > > + > > > > > > + default: > > > > > > + return FALSE; > > > > > > + } > > > > > > > > > > > > CtxSize =3D mHash[HashAlg].GetContextSize (); > > > > > > > > > > > > @@ -2222,6 +2259,35 @@ ON_EXIT: > > > return Status; > > > > > > } > > > > > > > > > > > > +/** > > > > > > + Get Hash Alg by PcdSecureBootDefaultHashAlg > > > > > > + > > > > > > + @retval UINT32 Hash Alg > > > > > > + **/ > > > > > > +UINT32 > > > > > > +GetDefaultHashAlg ( > > > > > > + VOID > > > > > > + ) > > > > > > +{ > > > > > > + UINT32 HashAlg; > > > > > > + > > > > > > + switch (PcdGet8 (PcdSecureBootDefaultHashAlg)) { > > > > > > + case 1: > > > > > > + DEBUG ((DEBUG_INFO, "%a use SHA384", __func__)); > > > > > > + HashAlg =3D HASHALG_SHA384; > > > > > > + break; > > > > > > + case 2: > > > > > > + DEBUG ((DEBUG_INFO, "%a use SHA512", __func__)); > > > > > > + HashAlg =3D HASHALG_SHA512; > > > > > > + break; > > > > > > + default: > > > > > > + DEBUG ((DEBUG_INFO, "%a use SHA256", __func__)); > > > > > > + HashAlg =3D HASHALG_SHA256; > > > > > > + break; > > > > > > + } > > > > > > + return HashAlg; > > > > > > +} > > > > > > + > > > > > > /** > > > > > > Enroll a new signature of executable into Signature Database. > > > > > > > > > > > > @@ -2289,7 +2355,7 @@ EnrollImageSignatureToSigDB ( > > > } > > > > > > > > > > > > if (mSecDataDir->SizeOfCert =3D=3D 0) { > > > > > > - if (!HashPeImage (HASHALG_SHA256)) { > > > > > > + if (!HashPeImage (GetDefaultHashAlg ())) { > > > > > > Status =3D EFI_SECURITY_VIOLATION; > > > > > > goto ON_EXIT; > > > > > > } > > > > > > @@ -2589,6 +2655,10 @@ UpdateDeletePage ( > > > while ((ItemDataSize > 0) && (ItemDataSize >=3D > > > CertList->SignatureListSize)) { > > > > > > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)= ) > > > { > > > > > > Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID); > > > > > > + } else if (CompareGuid (&CertList->SignatureType, > > > + &gEfiCertRsa3072Guid)) { > > > > > > + Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA3072_SHA384_GUID); > > > > > > + } else if (CompareGuid (&CertList->SignatureType, > > > + &gEfiCertRsa4096Guid)) { > > > > > > + Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA4096_SHA512_GUID); > > > > > > } else if (CompareGuid (&CertList->SignatureType, > > > &gEfiCertX509Guid)) { > > > > > > Help =3D STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID); > > > > > > } else if (CompareGuid (&CertList->SignatureType, > > > &gEfiCertSha1Guid)) { > > > > > > @@ -2750,6 +2820,8 @@ DeleteKeyExchangeKey ( > > > GuidIndex =3D 0; > > > > > > while ((KekDataSize > 0) && (KekDataSize >=3D > > > CertList->SignatureListSize)) { > > > > > > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) > > > || > > > > > > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) > > > + || > > > > > > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) > > > + || > > > > > > CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) > > > > > > { > > > > > > CopyMem (Data + Offset, CertList, (sizeof (EFI_SIGNATURE_LIST) > > > + CertList- > > > >SignatureHeaderSize)); > > > > > > @@ -2952,6 +3024,8 @@ DeleteSignature ( > > > GuidIndex =3D 0; > > > > > > while ((ItemDataSize > 0) && (ItemDataSize >=3D > > > CertList->SignatureListSize)) { > > > > > > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) > > > || > > > > > > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) > > > + || > > > > > > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) > > > + || > > > > > > CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) || > > > > > > CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) || > > > > > > CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid) > > > || > > > > > > @@ -3758,12 +3832,20 @@ LoadSignatureList ( > > > while ((RemainingSize > 0) && (RemainingSize >=3D > > > ListWalker->SignatureListSize)) { > > > > > > if (CompareGuid (&ListWalker->SignatureType, > > > &gEfiCertRsa2048Guid)) { > > > > > > ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256); > > > > > > + } else if (CompareGuid (&ListWalker->SignatureType, > > > + &gEfiCertRsa3072Guid)) > > > { > > > > > > + ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384); > > > > > > + } else if (CompareGuid (&ListWalker->SignatureType, > > > + &gEfiCertRsa4096Guid)) > > > { > > > > > > + ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512); > > > > > > } else if (CompareGuid (&ListWalker->SignatureType, > > > &gEfiCertX509Guid)) { > > > > > > ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509); > > > > > > } else if (CompareGuid (&ListWalker->SignatureType, > > > &gEfiCertSha1Guid)) { > > > > > > ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA1); > > > > > > } else if (CompareGuid (&ListWalker->SignatureType, > > > &gEfiCertSha256Guid)) { > > > > > > ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA256); > > > > > > + } else if (CompareGuid (&ListWalker->SignatureType, > > > + &gEfiCertSha384Guid)) > > > { > > > > > > + ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA384); > > > > > > + } else if (CompareGuid (&ListWalker->SignatureType, > > > + &gEfiCertSha512Guid)) > > > { > > > > > > + ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA512); > > > > > > } else if (CompareGuid (&ListWalker->SignatureType, > > > &gEfiCertX509Sha256Guid)) { > > > > > > ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); > > > > > > } else if (CompareGuid (&ListWalker->SignatureType, > > > &gEfiCertX509Sha384Guid)) { > > > > > > @@ -4001,6 +4083,14 @@ FormatHelpInfo ( > > > ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256); > > > > > > DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); > > > > > > IsCert =3D TRUE; > > > > > > + } else if (CompareGuid (&ListEntry->SignatureType, > > > + &gEfiCertRsa3072Guid)) { > > > > > > + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384); > > > > > > + DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); > > > > > > + IsCert =3D TRUE; > > > > > > + } else if (CompareGuid (&ListEntry->SignatureType, > > > + &gEfiCertRsa4096Guid)) { > > > > > > + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512); > > > > > > + DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); > > > > > > + IsCert =3D TRUE; > > > > > > } else if (CompareGuid (&ListEntry->SignatureType, > > > &gEfiCertX509Guid)) { > > > > > > ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_X509); > > > > > > DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); > > > > > > @@ -4011,6 +4101,12 @@ FormatHelpInfo ( > > > } else if (CompareGuid (&ListEntry->SignatureType, > > > &gEfiCertSha256Guid)) { > > > > > > ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA256); > > > > > > DataSize =3D 32; > > > > > > + } else if (CompareGuid (&ListEntry->SignatureType, > > > + &gEfiCertSha384Guid)) { > > > > > > + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA384); > > > > > > + DataSize =3D 48; > > > > > > + } else if (CompareGuid (&ListEntry->SignatureType, > > > + &gEfiCertSha512Guid)) { > > > > > > + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA512); > > > > > > + DataSize =3D 64; > > > > > > } else if (CompareGuid (&ListEntry->SignatureType, > > > &gEfiCertX509Sha256Guid)) { > > > > > > ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); > > > > > > DataSize =3D 32; > > > > > > diff --git > > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > f > > > igI > > > mpl.h > > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > f > > > igI > > > mpl.h > > > index 37c66f1b95..ae50d929a7 100644 > > > --- > > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > f > > > igI > > > mpl.h > > > +++ > > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > f > > > igI > > > mpl.h > > > @@ -82,6 +82,8 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; #define > > > MAX_DIGEST_SIZE SHA512_DIGEST_SIZE > > > > > > > > > > > > #define WIN_CERT_UEFI_RSA2048_SIZE 256 > > > > > > +#define WIN_CERT_UEFI_RSA3072_SIZE 384 > > > > > > +#define WIN_CERT_UEFI_RSA4096_SIZE 512 > > > > > > > > > > > > // > > > > > > // Support hash types > > > > > > diff --git > > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > f > > > igS > > > trings.uni > > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > f > > > igS > > > trings.uni > > > index 0d01701de7..1b48acc800 100644 > > > --- > > > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > f > > > igS > > > trings.uni > > > +++ > > > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > > f > > > igS > > > trings.uni > > > @@ -113,6 +113,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > > > #string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP #language en- > > US > > > "Read the public key of KEK from file" > > > > > > #string STR_FILE_EXPLORER_TITLE #language en-US "F= ile > > Explorer" > > > > > > #string STR_CERT_TYPE_RSA2048_SHA256_GUID #language en-US > > > "RSA2048_SHA256_GUID" > > > > > > +#string STR_CERT_TYPE_RSA3072_SHA384_GUID #language en-US > > > "RSA3072_SHA384_GUID" > > > > > > +#string STR_CERT_TYPE_RSA4096_SHA512_GUID #language en-US > > > "RSA4096_SHA512_GUID" > > > > > > #string STR_CERT_TYPE_PCKS7_GUID #language en-US > > "PKCS7_GUID" > > > > > > #string STR_CERT_TYPE_SHA1_GUID #language en-US > > "SHA1_GUID" > > > > > > #string STR_CERT_TYPE_SHA256_GUID #language en-US > > > "SHA256_GUID" > > > > > > @@ -121,9 +123,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > > > #string STR_CERT_TYPE_X509_SHA512_GUID #language en-US > > > "X509_SHA512_GUID" > > > > > > > > > > > > #string STR_LIST_TYPE_RSA2048_SHA256 #language en-US > > > "RSA2048_SHA256" > > > > > > +#string STR_LIST_TYPE_RSA3072_SHA384 #language en-US > > > "RSA3072_SHA384" > > > > > > +#string STR_LIST_TYPE_RSA4096_SHA512 #language en-US > > > "RSA4096_SHA512" > > > > > > #string STR_LIST_TYPE_X509 #language en-US "X= 509" > > > > > > #string STR_LIST_TYPE_SHA1 #language en-US "S= HA1" > > > > > > #string STR_LIST_TYPE_SHA256 #language en-US "S= HA256" > > > > > > +#string STR_LIST_TYPE_SHA384 #language en-US "S= HA384" > > > > > > +#string STR_LIST_TYPE_SHA512 #language en-US "S= HA512" > > > > > > #string STR_LIST_TYPE_X509_SHA256 #language en-US > > > "X509_SHA256" > > > > > > #string STR_LIST_TYPE_X509_SHA384 #language en-US > > > "X509_SHA384" > > > > > > #string STR_LIST_TYPE_X509_SHA512 #language en-US > > > "X509_SHA512" > > > > > > -- > > > 2.26.2.windows.1