From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: Jan Bobek <jbobek@nvidia.com>, devel@edk2.groups.io
Cc: "Wang, Jian J" <jian.j.wang@intel.com>, "Xu, Min M" <min.m.xu@intel.com>
Subject: Re: [PATCH v2 1/1] SecurityPkg/AuthVariableLib: Check SHA-256 OID with ContentInfo present
Date: Mon, 23 Jan 2023 02:37:30 +0000
In-Reply-To: <20230122215348.47191-1-jbobek@nvidia.com>

Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

From: Jan Bobek <jbobek@nvidia.com>
Sent: Monday, January 23, 2023 5:53:48 AM
To: devel@edk2.groups.io <devel@edk2.groups.io>
Cc: Jan Bobek <jbobek@nvidia.com>; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>
Subject: [PATCH v2 1/1] SecurityPkg/AuthVariableLib: Check SHA-256 OID with ContentInfo present

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4305

Based on whether the DER-encoded ContentInfo structure is present in
authenticated SetVariable payload or not, the SHA-256 OID can be
located at different places.

UEFI specification explicitly states the driver shall support both
cases, but the old code assumed ContentInfo was not present and
incorrectly rejected authenticated variable updates when it was
present.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Signed-off-by: Jan Bobek <jbobek@nvidia.com>
---
 .../Library/AuthVariableLib/AuthService.c     | 50 ++++++++++++++++---
 1 file changed, 42 insertions(+), 8 deletions(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 054ee4d1d988..9beeca09aeba 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -1925,7 +1925,7 @@ VerifyTimeBasedPayload (
   // SignedData.digestAlgorithms shall contain the digest algori= thm used when preparing the
   // signature. Only a digest algorithm of SHA-256 is accepted.<= br>    //
-  //    According to PKCS#7 Definition:
+  //    According to PKCS#7 Definition (https://www.rfc-editor.org/rfc/rfc2315= ):
   //        SignedData ::=3D = SEQUENCE {
   //          =   version Version,
   //          =   digestAlgorithms DigestAlgorithmIdentifiers,
@@ -1933,15 +1933,49 @@ VerifyTimeBasedPayload (
   //          =   .... }
   //    The DigestAlgorithmIdentifiers can be use= d to determine the hash algorithm
   //    in VARIABLE_AUTHENTICATION_2 descriptor.<= br> -  //    This field has the fixed offset (+13) and be c= alculated based on two bytes of length encoding.
+  //    This field has the fixed offset (+13) or (+32)= based on whether the DER-encoded
+  //    ContentInfo structure is present or not, and c= an be calculated based on two
+  //    bytes of length encoding.
+  //
+  //    Both condition can be handled in WrapPkcs7Data= () in CryptPkcs7VerifyCommon.c.
+  //
+  //    See below examples:
+  //
+  // 1. Without ContentInfo
+  //    30 82 0c da // SEQUENCE (5 element) (3294 BYTE= S) -- SignedData
+  //       02 01 01 // INTEGER 1 -- Ver= sion
+  //       31 0f // SET (1 element) (15= BYTES) -- DigestAlgorithmIdentifiers
+  //          30 0d // S= EQUENCE (2 element) (13 BYTES) -- AlgorithmIdentifier
+  //           = ;  06 09 // OBJECT-IDENTIFIER (9 BYTES) -- algorithm
+  //           = ;     60 86 48 01 65 03 04 02 01 // sha256 [2.16.840.1.= 101.3.4.2.1]
+  //           = ;  05 00 // NULL (0 BYTES) -- parameters
+  //
+  // Example from: ht= tps://uefi.org/revocationlistfile
+  //
+  // 2. With ContentInfo
+  //    30 82 05 90 // SEQUENCE (1424 BYTES) -- Conten= tInfo
+  //       06 09 // OBJECT-IDENTIFIER (= 9 BYTES) -- ContentType
+  //          2a 86 48 8= 6 f7 0d 01 07 02 // signedData [1.2.840.113549.1.7.2]
+  //       a0 82 05 81 // CONTEXT-SPECI= FIC CONSTRUCTED TAG 0 (1409 BYTES) -- content
+  //          30 82 05 7= d // SEQUENCE (1405 BYTES) -- SignedData
+  //           = ;  02 01 01 // INTEGER 1 -- Version
+  //           = ;  31 0f // SET (1 element) (15 BYTES) -- DigestAlgorithmIdentifiers +  //           = ;     30 0d // SEQUENCE (13 BYTES) -- AlgorithmIdentifi= er
+  //           = ;        06 09 // OBJECT-IDENTIFIER (9 B= YTES) -- algorithm
+  //           = ;           60 86 48 01 6= 5 03 04 02 01 // sha256 [2.16.840.1.101.3.4.2.1]
+  //           = ;        05 00 // NULL (0 BYTES) -- para= meters
+  //
+  // Example generated with: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secu= re_Boot#Manual_process
   //
   if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WR= ITE_ACCESS) !=3D 0) {
-    if (SigDataSize >=3D (13 + sizeof (mSha256OidValue))= ) {
-      if (((*(SigData + 1) & TWO_BYTE_ENCODE)= !=3D TWO_BYTE_ENCODE) ||
-          (CompareMem (SigDat= a + 13, &mSha256OidValue, sizeof (mSha256OidValue)) !=3D 0))
-      {
-        return EFI_SECURITY_VIOLATION;<= br> -      }
+    if (  (  (SigDataSize >=3D (13 + sizeof (m= Sha256OidValue)))
+          && (  = ((*(SigData + 1) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE)
+             |= | (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)= ) !=3D 0)))
+       && (  (SigDataSize >= =3D (32 + sizeof (mSha256OidValue)))
+          && (  = ((*(SigData + 20) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE)
+             |= | (CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha256OidValue)= ) !=3D 0))))
+    {
+      return EFI_SECURITY_VIOLATION;
     }
   }
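Review bot: in the ContentInfo half of the new condition (the `SigDataSize >= (32 + sizeof (mSha256OidValue))` branch), the only structural byte checked before comparing the OID at +32 is `*(SigData + 20)`; nothing confirms the outer object is a ContentInfo at all, so a blob with 0x82 at offset 20 and the SHA-256 OID at offset 32 passes this pre-check even if bytes 4..12 are not the signedData content-type OID `2a 86 48 86 f7 0d 01 07 02` that the new comment itself lists. Consider also comparing `SigData + 4` against that OID, and `*(SigData + 1)` against TWO_BYTE_ENCODE as the bare-SignedData branch already does, so the two layouts are told apart by their own structure rather than by the SHA-256 OID happening not to match at the other offset; Pkcs7Verify still does the real parsing, but this check is cheaper and rejecting malformed input earlier is the point of having it. Note also that, as before the patch, a SigData shorter than 13 + sizeof (mSha256OidValue) is not rejected here because the size test is ANDed into the mismatch condition; if that is intended, a one-line comment saying the size case is left to Pkcs7Verify would help the next reader. Two smaller points: the combined `if` is hard to read as one expression, and two BOOLEANs (for example `OidAtBareOffset` and `OidAtContentInfoOffset`) followed by `if (!OidAtBareOffset && !OidAtContentInfoOffset)` would state the intent directly. In the new comment the byte counts use different conventions: example 1 says `30 82 0c da` is 3294 bytes (0x0cda = 3290 plus the 4-byte header), while example 2 gives 1424 for `05 90` (0x590, body only); pick one. Also "Both condition can be handled" should read "Both conditions are handled".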
 
--
2.30.2
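As an added example, not part of this thread and not edk2 code: the commit message above says the SHA-256 OID sits at +13 in a bare SignedData and at +32 when a PKCS#7 ContentInfo wrapper is present. Those fixed offsets hold only because every enclosing SEQUENCE length uses the two-byte 0x82 form. The C below walks the DER tag/length structure instead, so it finds digestAlgorithms[0].algorithm in either layout, refuses truncated or inconsistent length fields (every child is bounded by its parent), and checks the ContentInfo's contentType OID before descending. The function names (find_digest_oid, uses_sha256, build_sample, sample_oid_offset) and the sample payloads (a SignedData holding only version, digestAlgorithms and a filler OCTET STRING, with no real signature) are constructed for this example and are assumptions, not edk2 identifiers.

```c
/* Added example (not edk2 code): locate SignedData.digestAlgorithms[0].algorithm
 * in a VARIABLE_AUTHENTICATION_2 payload by walking the DER tag/length structure,
 * so the SHA-256 OID is found whether or not the SignedData is wrapped in a
 * PKCS#7 ContentInfo, instead of relying on the fixed +13 / +32 offsets.
 * All function names and sample payloads below are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const uint8_t kSha256Oid[]     = {0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01}; /* 2.16.840.1.101.3.4.2.1 */
static const uint8_t kSignedDataOid[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x02}; /* 1.2.840.113549.1.7.2 */

/* Decode one DER tag+length header inside buf[0..len). Rejects indefinite
 * lengths, lengths longer than 4 bytes and bodies that run past the buffer. */
static int der_tlv(const uint8_t *buf, size_t len, uint8_t *tag, size_t *hdr, size_t *body)
{
  size_t pos = 2, l;
  if (len < 2) return 0;
  l = buf[1];
  if (l & 0x80) {
    size_t n = l & 0x7f;
    if (n == 0 || n > 4 || n > len - pos) return 0;
    for (l = 0; n; n--) l = (l << 8) | buf[pos++];
  }
  if (l > len - pos) return 0;
  *tag = buf[0]; *hdr = pos; *body = l;
  return 1;
}

/* Walk to the algorithm OID of the first DigestAlgorithmIdentifier. Accepts a bare
 * SignedData or ContentInfo { signedData OID, [0] EXPLICIT SignedData }. Each child
 * is parsed within its parent's length, so a truncated or inconsistent blob is refused. */
int find_digest_oid(const uint8_t *sig, size_t len, size_t *oid_off, size_t *oid_len, int *wrapped)
{
  uint8_t tag; size_t hl, bl, pos, end;
  *wrapped = 0;
  if (!der_tlv(sig, len, &tag, &hl, &bl) || tag != 0x30) return 0;              /* outer SEQUENCE */
  pos = hl; end = hl + bl;
  if (!der_tlv(sig + pos, end - pos, &tag, &hl, &bl)) return 0;                 /* first child */
  if (tag == 0x06) {                                                             /* ContentInfo.contentType */
    if (bl != sizeof kSignedDataOid || memcmp(sig + pos + hl, kSignedDataOid, bl)) return 0;
    pos += hl + bl;
    if (!der_tlv(sig + pos, end - pos, &tag, &hl, &bl) || tag != 0xa0) return 0; /* [0] content */
    pos += hl; end = pos + bl;
    if (!der_tlv(sig + pos, end - pos, &tag, &hl, &bl) || tag != 0x30) return 0; /* SignedData */
    pos += hl; end = pos + bl;
    if (!der_tlv(sig + pos, end - pos, &tag, &hl, &bl)) return 0;               /* version */
    *wrapped = 1;
  }
  if (tag != 0x02) return 0;                                                     /* version INTEGER */
  pos += hl + bl;
  if (!der_tlv(sig + pos, end - pos, &tag, &hl, &bl) || tag != 0x31) return 0;  /* digestAlgorithms SET */
  pos += hl; end = pos + bl;
  if (!der_tlv(sig + pos, end - pos, &tag, &hl, &bl) || tag != 0x30) return 0;  /* AlgorithmIdentifier */
  pos += hl; end = pos + bl;
  if (!der_tlv(sig + pos, end - pos, &tag, &hl, &bl) || tag != 0x06) return 0;  /* algorithm OID */
  *oid_off = pos + hl; *oid_len = bl;
  return 1;
}

/* The policy check itself: only a SHA-256 digest algorithm is accepted. */
int uses_sha256(const uint8_t *sig, size_t len)
{
  size_t off, n; int wrapped;
  return find_digest_oid(sig, len, &off, &n, &wrapped)
      && n == sizeof kSha256Oid && memcmp(sig + off, kSha256Oid, n) == 0;
}

/* --- constructed sample payloads (no real signatures) --- */
static size_t put_len(uint8_t *out, size_t n)          /* DER length: short, 0x81 or 0x82 form */
{
  if (n < 0x80)  { out[0] = (uint8_t)n; return 1; }
  if (n < 0x100) { out[0] = 0x81; out[1] = (uint8_t)n; return 2; }
  out[0] = 0x82; out[1] = (uint8_t)(n >> 8); out[2] = (uint8_t)n; return 3;
}

/* SignedData { version 1, digestAlgorithms { sha256 }, 250-byte filler OCTET STRING },
 * optionally wrapped in ContentInfo. The filler pushes the outer lengths into the
 * 0x82 form that the AuthService.c check expects at SigData[1] / SigData[20]. */
size_t build_sample(uint8_t *out, size_t cap, int wrap)
{
  static const uint8_t head[] = {0x02,0x01,0x01, 0x31,0x0f,0x30,0x0d,0x06,0x09,
                                 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01, 0x05,0x00};
  uint8_t body[512], sd[520], ci[540]; size_t n, m = 0, k = 0, t = 0;
  memcpy(body, head, sizeof head); n = sizeof head;
  body[n++] = 0x04; n += put_len(body + n, 250); memset(body + n, 0xAA, 250); n += 250;
  sd[m++] = 0x30; m += put_len(sd + m, n); memcpy(sd + m, body, n); m += n;
  if (!wrap) { if (m > cap) return 0; memcpy(out, sd, m); return m; }
  ci[k++] = 0x06; ci[k++] = 9; memcpy(ci + k, kSignedDataOid, 9); k += 9;
  ci[k++] = 0xa0; k += put_len(ci + k, m); memcpy(ci + k, sd, m); k += m;
  if (k + 4 > cap) return 0;
  out[t++] = 0x30; t += put_len(out + t, k); memcpy(out + t, ci, k); t += k;
  return t;
}

/* Minimal bare SignedData whose digest algorithm is SHA-1 (1.3.14.3.2.26): must be refused. */
static const uint8_t kSha1Sample[] = {0x30,0x10,0x02,0x01,0x01,0x31,0x0b,0x30,0x09,
                                      0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00};

/* Build a sample, optionally truncate it, and report the OID offset (-1 = refused). */
long sample_oid_offset(int wrap, size_t truncate_to)
{
  uint8_t buf[512]; size_t off, n, len = build_sample(buf, sizeof buf, wrap); int wrapped;
  if (truncate_to && truncate_to < len) len = truncate_to;
  return find_digest_oid(buf, len, &off, &n, &wrapped) ? (long)off : -1;
}

int sample_uses_sha256(int wrap)
{
  uint8_t buf[512]; size_t len = build_sample(buf, sizeof buf, wrap);
  return uses_sha256(buf, len);
}

int main(void)
{
  printf("bare SignedData:  OID at +%ld\n", sample_oid_offset(0, 0));
  printf("with ContentInfo: OID at +%ld\n", sample_oid_offset(1, 0));
  printf("truncated blob:   %ld\n", sample_oid_offset(1, 40));
  printf("SHA-1 sample accepted as SHA-256? %d\n", uses_sha256(kSha1Sample, sizeof kSha1Sample));
  return 0;
}
```

Run stand-alone it reports +13 for the bare sample and +32 for the wrapped one, the same two constants the patch hard-codes, and refuses a truncated copy because the outer length no longer fits the buffer. In firmware this kind of walk would sit where the fixed-offset pre-check sits today; the signature itself is still verified by the crypto library afterwards.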
