Hi Jiewen,
I update the patch V6 to V7, drop raw RSA3K and RSA4K. The change is in SecurityPkg.
And I did all the tests which are listed in the cover letter. I got the expected results.
Could you help to review/merge this V7 patch for secure boot feature ?
Thank you.
BR
Sheng Wei

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sheng
> Wei
> Sent: 2023年8月10日 10:24
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; Kinney,
> Michael D <michael.d.kinney@intel.com>
> Subject: [edk2-devel] [PATCH V7 0/2] Support RSA4096 and RSA3072
> 
> Patch V7:
> Drop raw RSA3072 and RSA4096. Only use gEfiCertX509Guid for RSA3072 and
> RSA4096 Do the positive tests and the negative tests below. And got all the
> expected results.
> 
> Patch V6:
> Remove the changes in MdePkg.
> The changes of patch v6 are in CryptoPkg and SecurityPkg.
> Set signature type to gEfiCertX509Guid when enroll RSA3072/RSA4096 KEK.
> This signature type is used to check the supported signature and show the
> strings.
> 
> Patch V5:
> Using define KEY_TYPE_RSASSA to replace the magic number.
> 
> Patch V4:
> Determine the RSA algorithm by a supported algorithm list.
> 
> Patch V3:
> Select SHA algorithm automaticly for a unsigned efi image.
> 
> Patch V2:
> Determine the SHA algorithm by a supported algorithm list.
> Create SHA context for each algorithm.
> 
> Test Case:
> 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image under
> UEFI shell.
> 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image under
> UEFI shell.
> 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image under
> UEFI shell.
> 4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI
> shell
> 
> Test Result:
> Pass
> 
> Negative Test Case:
> 1) Enroll a RSA2048 Cert, execute an unsigned efi image.
> 2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image.
> 3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image.
> 4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi
> image.
> 
> Test Result:
> Get "Access Denied" when try to execute the efi image.
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Zeyi Chen <zeyi.chen@intel.com>
> Cc: Fiona Wang <fiona.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> 
> Sheng Wei (2):
>   CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to
>     ImageTimestampVerify
>   SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
> 
>  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
>  .../Library/AuthVariableLib/AuthService.c     | 218 +++++++++++++++---
>  .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
>  .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
>  .../DxeImageVerificationLib.c                 |  73 +++---
>  .../SecureBootConfigDxe.inf                   |   8 +
>  .../SecureBootConfigImpl.c                    |  50 +++-
>  .../SecureBootConfigImpl.h                    |   7 +
>  .../SecureBootConfigStrings.uni               |   2 +
>  9 files changed, 324 insertions(+), 83 deletions(-)
> 
> --
> 2.26.2.windows.1
> 
> 
> 
> 
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107943): https://edk2.groups.io/g/devel/message/107943
Mute This Topic: https://groups.io/mt/100656918/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-