Re: [edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: "Sheng Wei" <w.sheng@intel.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Wang, Jian J" <jian.j.wang@intel.com>,
	"Xu, Min M" <min.m.xu@intel.com>,
	"Chen, Zeyi" <zeyi.chen@intel.com>,
	"Wang, Fiona" <fiona.wang@intel.com>,
	"Lu, Xiaoyu1" <xiaoyu1.lu@intel.com>,
	"Jiang, Guomin" <guomin.jiang@intel.com>,
	"Kinney, Michael D" <michael.d.kinney@intel.com>,
	"Gao, Liming" <gaoliming@byosoft.com.cn>
Subject: Re: [edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
Date: Fri, 28 Jul 2023 01:49:44 +0000	[thread overview]
Message-ID: <PH0PR11MB4870A6F34FA543AA84338A7EE106A@PH0PR11MB4870.namprd11.prod.outlook.com> (raw)
In-Reply-To: <MW4PR11MB58727C27596F4345B3F8EF668C01A@MW4PR11MB5872.namprd11.prod.outlook.com>

Here are my negative tests.
1) Enroll a RSA2048 Cert, execute an unsigned efi image.
2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image.
3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image.
4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi image.

Test Result:
Get "Access Denied" when try to execute the efi image.

Thank you.
BR
Sheng Wei

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: 2023年7月27日 17:45
> To: Sheng, W <w.sheng@intel.com>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> Chen, Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>;
> Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> <guomin.jiang@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>
> Subject: RE: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
> 
> Thanks. May I know what *negative* test you have done?
> 
> 
> > -----Original Message-----
> > From: Sheng, W <w.sheng@intel.com>
> > Sent: Thursday, July 27, 2023 2:35 PM
> > To: devel@edk2.groups.io
> > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
> > Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming
> > <gaoliming@byosoft.com.cn>
> > Subject: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
> >
> > Patch V5:
> > Using define KEY_TYPE_RSASSA to replace the magic number.
> >
> > Patch V4:
> > Determine the RSA algorithm by a supported algorithm list.
> >
> > Patch V3:
> > Select SHA algorithm automaticly for a unsigned efi image.
> >
> > Patch V2:
> > Determine the SHA algorithm by a supported algorithm list.
> > Create SHA context for each algorithm.
> >
> > Test Case:
> > 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image
> > under UEFI shell.
> > 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image
> > under UEFI shell.
> > 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image
> > under UEFI shell.
> > 4. Enroll an unsigned efi image, execute the unsigned efi image under
> > UEFI shell
> >
> > Test Result:
> > Pass
> >
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Min Xu <min.m.xu@intel.com>
> > Cc: Zeyi Chen <zeyi.chen@intel.com>
> > Cc: Fiona Wang <fiona.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> >
> > Sheng Wei (3):
> >   MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
> >   CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to
> >     ImageTimestampVerify
> >   SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
> >
> >  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
> >  MdePkg/Include/Guid/ImageAuthentication.h     |  26 +++
> >  MdePkg/MdePkg.dec                             |   2 +
> >  .../Library/AuthVariableLib/AuthService.c     | 220 +++++++++++++++---
> >  .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
> >  .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
> >  .../DxeImageVerificationLib.c                 |  73 +++---
> >  .../SecureBootConfigDxe.inf                   |  16 ++
> >  .../SecureBootConfigImpl.c                    | 114 +++++++--
> >  .../SecureBootConfigImpl.h                    |   7 +
> >  .../SecureBootConfigStrings.uni               |   6 +
> >  11 files changed, 421 insertions(+), 92 deletions(-)
> >
> > --
> > 2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107306): https://edk2.groups.io/g/devel/message/107306
Mute This Topic: https://groups.io/mt/100385941/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

next prev parent reply	other threads:[~2023-07-28  1:49 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-07-27  6:35 [edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384 Sheng Wei
2023-07-27  6:35 ` [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096 Sheng Wei
2023-07-27  6:35 ` [edk2-devel] [PATCH V5 2/3] CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to ImageTimestampVerify Sheng Wei
2023-07-27  9:42   ` Yao, Jiewen
2023-07-27  6:35 ` [edk2-devel] [PATCH V5 3/3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 Sheng Wei
2023-07-28  2:34   ` Yao, Jiewen
2023-07-27  9:44 ` [edk2-devel] [PATCH V5 0/3] SecureBoot: " Yao, Jiewen
2023-07-28  1:49   ` Sheng Wei [this message]
2023-07-28  2:15     ` Yao, Jiewen
     [not found] ` <1775A5F91CFEF78E.27447@groups.io>
2023-07-28  4:32   ` [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096 Sheng Wei
2023-07-31  2:01     ` Sheng Wei
2023-08-02  2:58       ` 回复: " gaoliming via groups.io
2023-08-02  8:03       ` Sheng Wei
2023-08-02  9:12         ` 回复: " gaoliming via groups.io
2023-08-03  7:29           ` Sheng Wei
2023-08-03  8:12             ` Yao, Jiewen
2023-08-07  9:17               ` Sheng Wei

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=PH0PR11MB4870A6F34FA543AA84338A7EE106A@PH0PR11MB4870.namprd11.prod.outlook.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox