Hi Jiewen, Do you have any comments on the patch V7? The 2 patches are for CryptoPkg and SecurityPky. Could you help to review/merge the patches? Thank you. BR Sheng Wei > -----Original Message----- > From: Sheng, W > Sent: Tuesday, August 22, 2023 1:59 PM > To: devel@edk2.groups.io; Yao, Jiewen > Cc: Wang, Jian J ; Xu, Min M ; > Chen, Zeyi ; Wang, Fiona ; Lu, > Xiaoyu1 ; Jiang, Guomin ; > Kinney, Michael D ; Sheng, W > > Subject: RE: [edk2-devel] [PATCH V7 0/2] Support RSA4096 and RSA3072 > > Hi Jiewen, > I update the patch V6 to V7, drop raw RSA3K and RSA4K. The change is in > SecurityPkg. > And I did all the tests which are listed in the cover letter. I got the expected > results. > Could you help to review/merge this V7 patch for secure boot feature ? > Thank you. > BR > Sheng Wei > > > -----Original Message----- > > From: devel@edk2.groups.io On Behalf Of Sheng > > Wei > > Sent: 2023Äê8ÔÂ10ÈÕ 10:24 > > To: devel@edk2.groups.io > > Cc: Yao, Jiewen ; Wang, Jian J > > ; Xu, Min M ; Chen, Zeyi > > ; Wang, Fiona ; Lu, Xiaoyu1 > > ; Jiang, Guomin ; > > Kinney, Michael D > > Subject: [edk2-devel] [PATCH V7 0/2] Support RSA4096 and RSA3072 > > > > Patch V7: > > Drop raw RSA3072 and RSA4096. Only use gEfiCertX509Guid for RSA3072 > > and > > RSA4096 Do the positive tests and the negative tests below. And got > > all the expected results. > > > > Patch V6: > > Remove the changes in MdePkg. > > The changes of patch v6 are in CryptoPkg and SecurityPkg. > > Set signature type to gEfiCertX509Guid when enroll RSA3072/RSA4096 KEK. > > This signature type is used to check the supported signature and show > > the strings. > > > > Patch V5: > > Using define KEY_TYPE_RSASSA to replace the magic number. > > > > Patch V4: > > Determine the RSA algorithm by a supported algorithm list. > > > > Patch V3: > > Select SHA algorithm automaticly for a unsigned efi image. > > > > Patch V2: > > Determine the SHA algorithm by a supported algorithm list. > > Create SHA context for each algorithm. > > > > Test Case: > > 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image > > under UEFI shell. > > 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image > > under UEFI shell. > > 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image > > under UEFI shell. > > 4. Enroll an unsigned efi image, execute the unsigned efi image under > > UEFI shell > > > > Test Result: > > Pass > > > > Negative Test Case: > > 1) Enroll a RSA2048 Cert, execute an unsigned efi image. > > 2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image. > > 3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image. > > 4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 > > signed efi image. > > > > Test Result: > > Get "Access Denied" when try to execute the efi image. > > > > Cc: Jiewen Yao > > Cc: Jian J Wang > > Cc: Min Xu > > Cc: Zeyi Chen > > Cc: Fiona Wang > > Cc: Xiaoyu Lu > > Cc: Guomin Jiang > > Cc: Michael D Kinney > > > > Sheng Wei (2): > > CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to > > ImageTimestampVerify > > SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 > > > > CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- > > .../Library/AuthVariableLib/AuthService.c | 218 +++++++++++++++--- > > .../AuthVariableLib/AuthServiceInternal.h | 4 +- > > .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++-- > > .../DxeImageVerificationLib.c | 73 +++--- > > .../SecureBootConfigDxe.inf | 8 + > > .../SecureBootConfigImpl.c | 50 +++- > > .../SecureBootConfigImpl.h | 7 + > > .../SecureBootConfigStrings.uni | 2 + > > 9 files changed, 324 insertions(+), 83 deletions(-) > > > > -- > > 2.26.2.windows.1 > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#108129): https://edk2.groups.io/g/devel/message/108129 Mute This Topic: https://groups.io/mt/100656918/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-