From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM12-MW2-obe.outbound.protection.outlook.com (NAM12-MW2-obe.outbound.protection.outlook.com [40.107.244.135]) by mx.groups.io with SMTP id smtpd.web10.2123.1607545266781633569 for ; Wed, 09 Dec 2020 12:21:06 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@microsoft.com header.s=selector2 header.b=BL6q/Fjx; spf=pass (domain: microsoft.com, ip: 40.107.244.135, mailfrom: bret.barkelew@microsoft.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kvSoQDfkI5YmO1Y6Ef6HLJsFST1wETg091DiM8RI8S6h1voTa1zNKBSJM9408bBJpuymZiySdobX3JbnT/cJ6MhR2fuVfwqD1+u1UBtX1pV3bwSgr4nxN+qpXE5q6d/AvcAGBqR7YKRvgEq9wY9PSPGke9qGIQPPa1S3bOw9NeoIsjkun7WDT1lG43S6Mqyj0lbztp46PDxDrBDhLTZWvc957qk/Sr4jaV/ZhuIy9vzcmd5S+WfkhgIgUNDegWeab3GV451/Yhpmq4sxI1jBCsgQR7DSD4YjhbnV/4BmKKfFQ0OCQrYanbQA0gWEO2ab28hITSCeACzVlbLBcfHZrw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tcDaich14A5nXwh0KaewncrjqTwzkiKINnIH4PS01n8=; b=SwTqnJVKaN0DK9/q0OcsIfUPlmGj5jladth26fT8r2Zjcen7AFWF0cDI5z35Gdn+iNgNk/NQ2/Tv08Y30AVOsjaP/h3TM8dkFQSsG82BlAK/qEvez8gKyVOiyJCeBfxiSB/778May2uFN7b94/6tK7isxgdpUImOpp9+N7P1/Kzn/SHDwKVmU5CSRNJ86FrXnwfDdx8WbNB4/3zr/w7NI15s0FDJBnQBehXsE31eVr83lC2VBo7XwcEeQebuLPSgO0jsCY2kmCe5b7qk0UvFy5IQ/57Ms4wslWvO9FgTLFDxtglq9ljeHQVcon+gSlhyPDOUp/k6Dav2dL9YLHORdA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tcDaich14A5nXwh0KaewncrjqTwzkiKINnIH4PS01n8=; b=BL6q/FjxsascxIIj/LFQ5jvDU+jTY52PX/SWpOfeVhhV1M2aBe1qlLGz03c2hGXDdNeVAYWH87XBHGt+KejkWtBvlk87blowbJvszQuC/BNNjxVS4yq3CoRe+4YTRJlh36httT8G+LQBVEuZcrBGwBziTrxIyO+xRqGBHXiPSW8= Received: from (2603:10b6:300:78::18) by MW2PR2101MB1018.namprd21.prod.outlook.com (2603:10b6:302:4::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3654.3; Wed, 9 Dec 2020 20:21:04 +0000 Received: from MWHPR21MB0160.namprd21.prod.outlook.com ([fe80::2c14:392f:2f40:cd07]) by MWHPR21MB0160.namprd21.prod.outlook.com ([fe80::2c14:392f:2f40:cd07%7]) with mapi id 15.20.3654.012; Wed, 9 Dec 2020 20:21:04 +0000 From: "Bret Barkelew" To: "devel@edk2.groups.io" , "divneil.r.wadhawan@intel.com" CC: "Yao, Jiewen" , Jian J Wang , Min Xu , "Kinney, Michael D" Subject: Re: [EXTERNAL] [edk2-devel] [Patch 2/2] SecurityPkg: Add support for SHA-384/SHA-512 digest algos Thread-Topic: [EXTERNAL] [edk2-devel] [Patch 2/2] SecurityPkg: Add support for SHA-384/SHA-512 digest algos Thread-Index: AQHWzlnWObPpXyV0hEWgCLAJ58Rf06nvNLak Date: Wed, 9 Dec 2020 20:21:04 +0000 Message-ID: References: <20201209183243.30504-1-divneil.r.wadhawan@intel.com>,<20201209183243.30504-3-divneil.r.wadhawan@intel.com> In-Reply-To: <20201209183243.30504-3-divneil.r.wadhawan@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-12-09T20:20:16.4491154Z;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Privileged authentication-results: edk2.groups.io; dkim=none (message not signed) header.d=none;edk2.groups.io; dmarc=none action=none header.from=microsoft.com; x-originating-ip: [71.212.128.71] x-ms-publictraffictype: Email x-ms-office365-filtering-ht: Tenant x-ms-office365-filtering-correlation-id: f9947d8b-4a01-4f1c-2c35-08d89c7ff435 x-ms-traffictypediagnostic: MW2PR2101MB1018: x-ld-processed: 72f988bf-86f1-41af-91ab-2d7cd011db47,ExtAddr x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:8273; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: JZFaYPACl9yUtVcyl79Qsm5uNSYwR+t5DUrRRtg7kDMfBrMo3zzKitWV1bQkALQVw+Xsqj56sbfen2BNosv7OSquvl0dB6CMY3rCYbRomaEFvCLaFb+NzENX66jnJHB+dW9H48gCBAB+H4C9bdfT5IeAjmZK76reYEFLXw6wp8FeEt41fYET+ihfCS6C3CM+f7ViolV/0kyITdAk13uDCJvrjUPrDREmtavd+Ww6X+0i4GHeQ0E6+KK+UbDyoNS9e1TTLGHB6fMMaOvEjFHPZ4yQ6xXlJkIBCB8fmEC/t0HbA7/X8/01XFcgbFAb8Z37YjEh9PFgrD7iFeTzh/Egx2I3C6XHhDn92sFKl5rUHX49WFhRfeduWMyl7yptqqZy6D+ZDF12f8VSR62Cl/qpXg== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MWHPR21MB0160.namprd21.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(136003)(346002)(376002)(366004)(76116006)(66446008)(66946007)(54906003)(83380400001)(9686003)(82950400001)(8936002)(26005)(186003)(52536014)(8990500004)(166002)(82960400001)(71200400001)(53546011)(6506007)(110136005)(33656002)(66556008)(66476007)(8676002)(4326008)(508600001)(966005)(10290500003)(2906002)(64756008)(55016002)(7696005)(15650500001)(86362001)(5660300002);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata: =?Windows-1252?Q?xzYD5yPD4euxZVHMcXBnyO0Y+c2ah7LEI8xpcJGcIqcdFB0JYvxXK/tc?= =?Windows-1252?Q?4ckA6gxzRFzjzOm0d52svPBSaxLitMrj+pLKIPKCU/b+e3d4uQm23H7j?= =?Windows-1252?Q?GNZLM8I2uELVPCXchyQw51n6UKMoBhB8CQBQDTj5cqUJjsVFTMkxbdKf?= =?Windows-1252?Q?pr3eYjX8VlTHZ73IzR5/dGhYeZ+Yp37pdYSuxWCRKmXrZ6gmABOq7cmJ?= =?Windows-1252?Q?G3S4jHEJwIrD7zQXl6kfp0WPV44v793DMwHxoHksGYCAbkDLb8n8nUCb?= =?Windows-1252?Q?vlPR+9PGk+aZZon2L04olhNzi7S32LQh+ncFPi5Pw3HFewsn7L17li8e?= =?Windows-1252?Q?n2amAMS4gV9RHdKqtkijXR0st0Ks3YzVEmxh5WI8NCWI7OD8BykP4UNW?= =?Windows-1252?Q?rmPJZpPBlKLrHiDyxoQibyqXDCR/5HbXMoYG5ehbuEwUKe9G1QVRCw4m?= =?Windows-1252?Q?lh8TW0wcKTFvFNaC//R7a42X/IS1f0ZoeouNwRFjBO0lohrDLF4m7hlz?= =?Windows-1252?Q?fkWXDUZXV5Qfoey7xIvEwZAGHjjbjfH1WZ2gaFuPgupQhoVvvJOzoNQ6?= =?Windows-1252?Q?/GzWSUO/UtH8vcANutliqD1MhtBw+ctktPRtTu7ULfi7Jqklyt82Hlw1?= =?Windows-1252?Q?KSVw0nJSnjcPipeRCv2fDzl0AT4RdCdztoiNFsAWybpWThEpPzn4EDBL?= =?Windows-1252?Q?AMKp1vqtznev+56zBegnAtscMD/6dBVtu/Wk0LWmDaZmt0vckNedNOu6?= =?Windows-1252?Q?l5YQcXo5NSka/kvs4Khq8qgcdDgGwXiuzeOhd1hvrNY9ogUnr1aXrYVo?= =?Windows-1252?Q?qSkDqrrO05fw+b62OA1a5lQ0suHenAOJGIuTHn6y1eyOvEhPmlF9KC1f?= =?Windows-1252?Q?HrlvIGenCsQIY+RtAt7lYOZ3lnTkVzNMELNsLE7qOfZ7j38DhuoFUn4v?= =?Windows-1252?Q?/rIYL54K0ySnQQOBy++ZwJiwxF0tLAaEfEFaLFAnFqGPkUsLCkB6+eus?= =?Windows-1252?Q?o5Nsyxm9XzOVCGHUQFUfoDDjpBraAykCzvEHeZds8ASgevYWU3V4qPP1?= =?Windows-1252?Q?YoOY296hwkGR6v34nv/lJHvOyIJCzqNeoqJbQg=3D=3D?= x-ms-exchange-transport-forked: True MIME-Version: 1.0 X-OriginatorOrg: microsoft.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: MWHPR21MB0160.namprd21.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: f9947d8b-4a01-4f1c-2c35-08d89c7ff435 X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Dec 2020 20:21:04.3101 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: sIxtbz6w0qLrYfqeew1fUvKtjcGGDqxESyFucNHqe1+UM4sINAFk9uHIpqL2r/ssT6KpHIxSpCBUMWcQBlEwWw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW2PR2101MB1018 Content-Language: en-US Content-Type: multipart/alternative; boundary="_000_MWHPR21MB0160322CC250C5D01854386CEFCC1MWHPR21MB0160namp_" --_000_MWHPR21MB0160322CC250C5D01854386CEFCC1MWHPR21MB0160namp_ Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable What=92s with the Markdown file being added to the root directory? Is that = a mistake or part of a different release process? Thanks! - Bret From: Wadhawan, Divneil R via groups.io Sent: Wednesday, December 9, 2020 10:33 AM To: devel@edk2.groups.io Cc: Yao, Jiewen; Jian J Wang; Min Xu; Kinney, Michael D Subject: [EXTERNAL] [edk2-devel] [Patch 2/2] SecurityPkg: Add support for = SHA-384/SHA-512 digest algos o Existing implementation of Authenticated Variables only support SHA-256 digest algorithms in signing scheme. o This has been extended to support SHA-384 and SHA-512 algorithms Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Cc: Michael D Kinney Signed-off-by: Divneil Rai Wadhawan --- SecurityPkg/Library/AuthVariableLib/AuthService.c | 8 +++-- AuthVariableDigestUpdate.md | 41 ++++++++++++++++++= +++++ 2 files changed, 47 insertions(+), 2 deletions(-) create mode 100644 AuthVariableDigestUpdate.md diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityP= kg/Library/AuthVariableLib/AuthService.c index 4fb609504d..8f024c42a8 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -35,6 +35,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent CONST UINT8 mRsaE[] =3D { 0x01, 0x00, 0x01 }; CONST UINT8 mSha256OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0= x04, 0x02, 0x01 }; +CONST UINT8 mSha384OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0= x04, 0x02, 0x02 }; +CONST UINT8 mSha512OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0= x04, 0x02, 0x03 }; // // Requirement for different signature type which have been defined in UE= FI spec. @@ -1901,7 +1903,7 @@ VerifyTimeBasedPayload ( // // SignedData.digestAlgorithms shall contain the digest algorithm used = when preparing the - // signature. Only a digest algorithm of SHA-256 is accepted. + // signature. Digest algorithm of SHA-256, SHA-384, SHA-512 are accepte= d. // // According to PKCS#7 Definition: // SignedData ::=3D SEQUENCE { @@ -1916,7 +1918,9 @@ VerifyTimeBasedPayload ( if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != = =3D 0) { if (SigDataSize >=3D (13 + sizeof (mSha256OidValue))) { if (((*(SigData + 1) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE) || - (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256Oi= dValue)) !=3D 0)) { + ((CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256O= idValue)) !=3D 0) && + (CompareMem (SigData + 13, &mSha384OidValue, sizeof (mSha384O= idValue)) !=3D 0) && + (CompareMem (SigData + 13, &mSha512OidValue, sizeof (mSha512O= idValue)) !=3D 0))) { return EFI_SECURITY_VIOLATION; } } diff --git a/AuthVariableDigestUpdate.md b/AuthVariableDigestUpdate.md new file mode 100644 index 0000000000..10992845a4 --- /dev/null +++ b/AuthVariableDigestUpdate.md @@ -0,0 +1,41 @@ +# Title: Digest Algorithm flexibility in Authenticated Variable signature= s + +# Status: Draft + +# Document: UEFI Specification Version 2.8 + +# License + +SPDX-License-Identifier: CC-BY-4.0 + +# Submitter: [TianoCore Community](https://nam06.safelinks.protection.out= look.com/?url=3Dhttps%3A%2F%2Fwww.tianocore.org%2F&data=3D04%7C01%7CBre= t.Barkelew%40microsoft.com%7C5b6eb98d1288493a5f7f08d89c70f78b%7C72f988bf86f= 141af91ab2d7cd011db47%7C1%7C0%7C637431356285650012%7CUnknown%7CTWFpbGZsb3d8= eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&a= mp;sdata=3D7mtSkIFgxu5iIg519YwkxjFfx6DeXOVJT67j58dHSK4%3D&reserved=3D0) + +# Summary of the change +EFI_VARIABLE_AUTHENTICATION_2 specifies the SignedData.digestAlgorithms t= o be always +SHA256. The implication is that the signing algorithm can use RSA keys gr= eater than +2048 bits, but the digest algorithm remains SHA256. The proposed change i= s to allow +digest algorithm to be greater than SHA256. + +# Benefits of the change +This brings agility to the signing mechanism of Authenticated variables b= y allowing +it to sign a larger digest. + +# Impact of the change +There is no impact on the existing Authenticated variables. + +# Detailed description of the change [normative updates] + +Bold text indicates the proposed change + +8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2 descriptor +When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is = set, then the Data buffer shall begin with an instance of a complete (and s= erialized) ... + +Construct a DER-encoded PKCS #7 version 1.5 SignedData (see [RFC2315]) wi= th the signed content as follows: + +a. SignedData.version shall be set to 1 + +b. SignedData.digestAlgorithms shall contain the digest algorithm used wh= en preparing the signature. Only a digest algorithm greater than or equa= l to SHA-256 is accepted. + + +# Special Instructions +NA -- 2.16.2.windows.1 --_000_MWHPR21MB0160322CC250C5D01854386CEFCC1MWHPR21MB0160namp_ Content-Type: text/html; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable

What=92s with the Markdown file being added to the = root directory? Is that a mistake or part of a different release process?

 

Thanks!

 

- Bret

 

From: Wadhawan, Divneil R= via groups.io
Sent: Wednesday, December 9, 2020 10:33 AM
To: devel@edk2.groups.io
Cc:
Yao, Jiewen; Jian J Wang; Min Xu; Kinney, Michael D
Subject: [EXTERNAL] [edk2-devel] [Patch 2/2] SecurityPkg: Add suppo= rt for SHA-384/SHA-512 digest algos

 

o Existing implement= ation of Authenticated Variables only
  support SHA-256 digest algorithms in signing scheme.

o This has been extended to support SHA-384 and SHA-512 algorithms

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com> ---
 SecurityPkg/Library/AuthVariableLib/AuthService.c |  8 +++--  AuthVariableDigestUpdate.md       = ;            &n= bsp;   | 41 +++++++++++++++++++++++
 2 files changed, 47 insertions(+), 2 deletions(-)
 create mode 100644 AuthVariableDigestUpdate.md

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityP= kg/Library/AuthVariableLib/AuthService.c
index 4fb609504d..8f024c42a8 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -35,6 +35,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 CONST UINT8 mRsaE[] =3D { 0x01, 0x00, 0x01 };
 
 CONST UINT8 mSha256OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x= 03, 0x04, 0x02, 0x01 };
+CONST UINT8 mSha384OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0= x04, 0x02, 0x02 };
+CONST UINT8 mSha512OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0= x04, 0x02, 0x03 };
 
 //
 // Requirement for different signature type which have been defined = in UEFI spec.
@@ -1901,7 +1903,7 @@ VerifyTimeBasedPayload (
 
   //
   // SignedData.digestAlgorithms shall contain the digest algor= ithm used when preparing the
-  // signature. Only a digest algorithm of SHA-256 is accepted.
+  // signature. Digest algorithm of SHA-256, SHA-384, SHA-512 are ac= cepted.
   //
   //    According to PKCS#7 Definition:
   //        SignedData ::=3D= SEQUENCE {
@@ -1916,7 +1918,9 @@ VerifyTimeBasedPayload (
   if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_W= RITE_ACCESS) !=3D 0) {
     if (SigDataSize >=3D (13 + sizeof (mSha256OidV= alue))) {
       if (((*(SigData + 1) & TWO_BYTE_E= NCODE) !=3D TWO_BYTE_ENCODE) ||
-           (CompareMem = (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) !=3D 0)) { +           ((CompareMem= (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) !=3D 0) &am= p;&
+            (Compa= reMem (SigData + 13, &mSha384OidValue, sizeof (mSha384OidValue)) !=3D 0= ) &&
+            (Compa= reMem (SigData + 13, &mSha512OidValue, sizeof (mSha512OidValue)) !=3D 0= ))) {
           return EFI_SE= CURITY_VIOLATION;
         }
     }
diff --git a/AuthVariableDigestUpdate.md b/AuthVariableDigestUpdate.md
new file mode 100644
index 0000000000..10992845a4
--- /dev/null
+++ b/AuthVariableDigestUpdate.md
@@ -0,0 +1,41 @@
+# Title: Digest Algorithm flexibility in Authenticated Variable signature= s
+
+# Status: Draft
+
+# Document: UEFI Specification Version 2.8
+
+# License
+
+SPDX-License-Identifier: CC-BY-4.0
+
+# Submitter: [TianoCore Community](https://nam06.safelinks.protection.outlook.com/?u= rl=3Dhttps%3A%2F%2Fwww.tianocore.org%2F&amp;data=3D04%7C01%7CBret.Barke= lew%40microsoft.com%7C5b6eb98d1288493a5f7f08d89c70f78b%7C72f988bf86f141af91= ab2d7cd011db47%7C1%7C0%7C637431356285650012%7CUnknown%7CTWFpbGZsb3d8eyJWIjo= iMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;= sdata=3D7mtSkIFgxu5iIg519YwkxjFfx6DeXOVJT67j58dHSK4%3D&amp;reserved=3D0= )
+
+# Summary of the change
+EFI_VARIABLE_AUTHENTICATION_2 specifies the SignedData.digestAlgorithms t= o be always
+SHA256. The implication is that the signing algorithm can use RSA keys gr= eater than
+2048 bits, but the digest algorithm remains SHA256. The proposed change i= s to allow
+digest algorithm to be greater than SHA256.
+
+# Benefits of the change
+This brings agility to the signing mechanism of Authenticated variables b= y allowing
+it to sign a larger digest.
+
+# Impact of the change
+There is no impact on the existing Authenticated variables.
+
+# Detailed description of the change [normative updates]
+
+<b>Bold text</b> indicates the proposed change
+
+8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2 descriptor
+When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is = set, then the Data buffer shall begin with an instance of a complete (and s= erialized) ...
+
+Construct a DER-encoded PKCS #7 version 1.5 SignedData (see [RFC2315]) wi= th the signed content as follows:
+
+a. SignedData.version shall be set to 1
+
+b. SignedData.digestAlgorithms shall contain the digest algorithm used wh= en preparing the signature. <b>Only a digest algorithm greater than o= r equal to SHA-256 is accepted.</b>
+
+
+# Special Instructions
+NA
--
2.16.2.windows.1





 

--_000_MWHPR21MB0160322CC250C5D01854386CEFCC1MWHPR21MB0160namp_--