Re: [edk2-devel] [PATCH V6 0/2] SecureBoot: Support RSA 512 and RSA 384

["Sheng Wei" <w.sheng@intel.com>]

Hi Jiewen,
Thank you for comments.
I update the patch V6 to V7, drop raw RSA3K and RSA4K. The change is in SecurityPkg.
And I did all the tests which are listed in the cover letter. I got the expected results.
Could you help to review/merge the patches ?
Thank you.
BR
Sheng Wei


> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: 2023年8月7日 19:49
> To: Sheng, W <w.sheng@intel.com>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> Chen, Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>;
> Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> <guomin.jiang@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
> Subject: RE: [PATCH V6 0/2] SecureBoot: Support RSA 512 and RSA 384
> 
> > Set signature type to gEfiCertX509Guid when enroll RSA3072/RSA4096 KEK.
> 
> =======
>   switch (KeyLenInBytes) {
>   case WIN_CERT_UEFI_RSA2048_SIZE:
>     CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
>     break;
>   case WIN_CERT_UEFI_RSA3072_SIZE:
>   case WIN_CERT_UEFI_RSA4096_SIZE:
>     CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid);
>     break;
>   default :
>     DEBUG ((DEBUG_ERROR, "Unsupported key length.\n"));
>     Status = EFI_UNSUPPORTED;
>     goto ON_EXIT;
>   }
> =======
> 
> Sorry that I am not clear on this. I don’t mean to use gEfiCertX509Guid to
> support raw RSA3K or 4K.
> I mean to use *drop* raw RSA3K or 4k. And Only use gEfiCertX509Guid for
> RSA3K or 4K. You don’t need to change EnrollRsa2048ToKek().
> Please just support RSA3K or 4K in EnrollX509ToKek(), and add test case to
> validate that.
> 
> ===========
>   if (IsDerEncodeCertificate (FilePostFix)) {
>     return EnrollX509ToKek (Private);
>   } else if (CompareMem (FilePostFix, L".pbk", 4) == 0) {
>     return EnrollRsa2048ToKek (Private);
>   } else {
> ===========
> 
> Thank you
> Yao, Jiewen
> 
> 
> > -----Original Message-----
> > From: Sheng, W <w.sheng@intel.com>
> > Sent: Monday, August 7, 2023 5:10 PM
> > To: devel@edk2.groups.io
> > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
> > Kinney, Michael D <michael.d.kinney@intel.com>
> > Subject: [PATCH V6 0/2] SecureBoot: Support RSA 512 and RSA 384
> >
> > Patch V6:
> > Remove the changes in MdePkg.
> > The changes of patch v6 are in CryptoPkg and SecurityPkg.
> > Set signature type to gEfiCertX509Guid when enroll RSA3072/RSA4096 KEK.
> > This signature type is used to check the supported signature and show the
> strings.
> >
> > Patch V5:
> > Using define KEY_TYPE_RSASSA to replace the magic number.
> >
> > Patch V4:
> > Determine the RSA algorithm by a supported algorithm list.
> >
> > Patch V3:
> > Select SHA algorithm automaticly for a unsigned efi image.
> >
> > Patch V2:
> > Determine the SHA algorithm by a supported algorithm list.
> > Create SHA context for each algorithm.
> >
> > Test Case:
> > 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image
> > under UEFI shell.
> > 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image
> > under UEFI shell.
> > 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image
> > under UEFI shell.
> > 4. Enroll an unsigned efi image, execute the unsigned efi image under
> > UEFI shell
> >
> > Test Result:
> > Pass
> >
> > Negative Test Case:
> > 1) Enroll a RSA2048 Cert, execute an unsigned efi image.
> > 2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image.
> > 3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image.
> > 4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096
> > signed efi image.
> >
> > Test Result:
> > Get "Access Denied" when try to execute the efi image.
> >
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Min Xu <min.m.xu@intel.com>
> > Cc: Zeyi Chen <zeyi.chen@intel.com>
> > Cc: Fiona Wang <fiona.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> >
> > Sheng Wei (2):
> >   CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to
> >     ImageTimestampVerify
> >   SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
> >
> >  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
> >  .../Library/AuthVariableLib/AuthService.c     | 218 +++++++++++++++---
> >  .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
> >  .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
> >  .../DxeImageVerificationLib.c                 |  73 +++---
> >  .../SecureBootConfigDxe.inf                   |   8 +
> >  .../SecureBootConfigImpl.c                    |  91 ++++++--
> >  .../SecureBootConfigImpl.h                    |   7 +
> >  .../SecureBootConfigStrings.uni               |   2 +
> >  9 files changed, 356 insertions(+), 92 deletions(-)
> >
> > --
> > 2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107676): https://edk2.groups.io/g/devel/message/107676
Mute This Topic: https://groups.io/mt/100596018/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-