public inbox for devel@edk2.groups.io
From: "Sheng Wei" <w.sheng@intel.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>,
	"Gao, Liming" <gaoliming@byosoft.com.cn>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Wang, Jian J" <jian.j.wang@intel.com>,
	"Xu, Min M" <min.m.xu@intel.com>,
	"Chen, Zeyi" <zeyi.chen@intel.com>,
	"Wang, Fiona" <fiona.wang@intel.com>,
	"Lu, Xiaoyu1" <xiaoyu1.lu@intel.com>,
	"Jiang, Guomin" <guomin.jiang@intel.com>,
	"Kinney, Michael D" <michael.d.kinney@intel.com>
Subject: Re: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
Date: Mon, 7 Aug 2023 09:17:46 +0000
Message-ID: <PH0PR11MB4870CEA1A720DCFEC02218A9E10CA@PH0PR11MB4870.namprd11.prod.outlook.com>
In-Reply-To: <MW4PR11MB5872ED466E49D6B3079EDA798C08A@MW4PR11MB5872.namprd11.prod.outlook.com>

Hi Jiewen,
I removed the new GUIDs.
I use signature type gEfiCertX509Guid when enrolling an RSA3072/RSA4096 KEK.
This signature type is used in the 6 places below.
1) Show key name string in KEK delete page            UpdateDeletePage()
2) Check supported SignatureType when deleting KEK    DeleteKeyExchangeKey()
3) Check supported SignatureType when deleting KEK    DeleteSignature()
4) Show key name when loading the Signature           LoadSignatureList()
5) Show help info string when loading the Signature   FormatHelpInfo()
6) Check supported SignatureType                      CheckSignatureListFormat()

There is no need to change MdePkg.
All the changes are in CryptoPkg and SecurityPkg.
I did the local unit test and raised patch v6.
Could you help to review/merge the patches?

Thank you
BR
Sheng Wei
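An added example, not code from this thread or from edk2, showing why the X.509 signature type covers RSA3072/RSA4096 KEKs without new GUIDs: it builds a one-entry EFI_SIGNATURE_LIST of type EFI_CERT_X509_GUID and validates lists the way the SignatureType checks listed above must, enforcing a fixed SignatureSize only for the fixed-size types. The GUID values are the UEFI-spec ones (the SHA256 and RSA2048 values also appear in the quoted patch); the function names and the stand-in certificate bytes are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
typedef struct { uint32_t d1; uint16_t d2, d3; uint8_t d4[8]; } efi_guid_t;   /* EFI_GUID layout */
/* Signature types the KEK/db code accepts; values from the UEFI spec (the first two also appear in the patch). */
static const efi_guid_t CERT_SHA256  = {0xc1c41626, 0x504c, 0x4092, {0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28}};
static const efi_guid_t CERT_RSA2048 = {0x3c5766e8, 0x269c, 0x4e34, {0xaa,0x14,0xed,0x77,0x6e,0x85,0xb3,0xb6}};
static const efi_guid_t CERT_X509    = {0xa5c059a1, 0x94e4, 0x4aa7, {0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72}};
/* payload 0 = variable length (a DER certificate); otherwise SignatureSize must be exactly 16 + payload */
static const struct { const efi_guid_t *type; uint32_t payload; } SUPPORTED[] =
    { {&CERT_SHA256, 32}, {&CERT_RSA2048, 256}, {&CERT_X509, 0} };
#define SIGLIST_HDR 28u  /* SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4) */
#define SIGOWNER    16u  /* EFI_SIGNATURE_DATA.SignatureOwner precedes every payload */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void guid_bytes(uint8_t *p, const efi_guid_t *g) {            /* serialise an EFI_GUID little-endian */
    wr32(p, g->d1); p[4] = (uint8_t)g->d2; p[5] = (uint8_t)(g->d2 >> 8);
    p[6] = (uint8_t)g->d3; p[7] = (uint8_t)(g->d3 >> 8); memcpy(p + 8, g->d4, 8);
}

/* Validate one EFI_SIGNATURE_LIST as a CheckSignatureListFormat-style check must: 0 = OK, <0 = failed check. */
int siglist_check(const uint8_t *buf, size_t len) {
    if (len < SIGLIST_HDR) return -1;
    uint32_t list_sz = rd32(buf + 16), hdr_sz = rd32(buf + 20), sig_sz = rd32(buf + 24);
    if (list_sz > len || list_sz < SIGLIST_HDR + hdr_sz || sig_sz <= SIGOWNER) return -2;
    int idx = -1; uint8_t t[16];
    for (int i = 0; i < 3 && idx < 0; i++) { guid_bytes(t, SUPPORTED[i].type); if (!memcmp(buf, t, 16)) idx = i; }
    if (idx < 0) return -3;                                          /* unsupported SignatureType */
    if (hdr_sz != 0) return -4;                                      /* none of these types carries a SignatureHeader */
    if (SUPPORTED[idx].payload && sig_sz != SIGOWNER + SUPPORTED[idx].payload) return -5;
    uint32_t body = list_sz - SIGLIST_HDR;
    return (body && body % sig_sz == 0) ? 0 : -6;                    /* at least one whole EFI_SIGNATURE_DATA entry */
}
/* Build a one-entry X.509 list, the form used to enrol an RSA3072/RSA4096 KEK; returns bytes written, 0 if cap too small. */
size_t siglist_build_x509(uint8_t *out, size_t cap, const uint8_t *der, uint32_t der_len) {
    uint32_t sig_sz = SIGOWNER + der_len, list_sz = SIGLIST_HDR + sig_sz;
    if (cap < list_sz) return 0;
    guid_bytes(out, &CERT_X509);
    wr32(out + 16, list_sz); wr32(out + 20, 0); wr32(out + 24, sig_sz);
    memset(out + SIGLIST_HDR, 0, SIGOWNER);                          /* SignatureOwner: zero GUID in this example */
    memcpy(out + SIGLIST_HDR + SIGOWNER, der, der_len);
    return list_sz;
}
/* Self-check with a constructed stand-in certificate (not real DER): 0 on success, else the failed step. */
int siglist_selftest(void) {
    uint8_t der[40] = {0x30, 0x26}, list[96];
    size_t n = siglist_build_x509(list, sizeof list, der, sizeof der);
    if (n != SIGLIST_HDR + SIGOWNER + sizeof der || siglist_check(list, n) != 0) return 1;
    guid_bytes(list, &CERT_RSA2048);       /* same bytes relabelled as a fixed-size type must now be rejected */
    return siglist_check(list, n) == -5 ? 0 : 2;
}
```

The relabelling step in the self-check is the point: a 3072- or 4096-bit key wrapped in a DER certificate fits the X.509 type's variable SignatureSize, whereas a raw-modulus type would need a new fixed size and therefore a new GUID.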

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: August 3, 2023 16:13
> To: Sheng, W <w.sheng@intel.com>; Gao, Liming
> <gaoliming@byosoft.com.cn>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> Chen, Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>;
> Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> <guomin.jiang@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
> Subject: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> CERT_RSA3072 and CERT_RSA4096
> 
> Hey
> We cannot add anything not defined in the UEFI spec yet. Thanks to Liming for
> catching that.
> 
> Can you remove CERT_RSA3072 and CERT_RSA4096?
> 
> I think we need to use EFI_CERT_TYPE_PKCS7_GUID + EFI_CERT_X509_GUID
> to support RSA3072 and RSA4096.
> Have you validated that configuration?
> 
> 
> > -----Original Message-----
> > From: Sheng, W <w.sheng@intel.com>
> > Sent: Thursday, August 3, 2023 3:29 PM
> > To: Gao, Liming <gaoliming@byosoft.com.cn>; devel@edk2.groups.io
> > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
> > Kinney, Michael D <michael.d.kinney@intel.com>
> > Subject: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> > CERT_RSA3072 and CERT_RSA4096
> >
> > Hi Liming,
> > Sorry for the late response.
> > The two new GUIDs are not in the public UEFI spec yet.
> > Do we have any process to add these 2 new GUIDs?
> > Thank you.
> > BR
> > Sheng Wei
> >
> >
> >
> > > -----Original Message-----
> > > From: gaoliming <gaoliming@byosoft.com.cn>
> > > Sent: August 2, 2023 17:12
> > > To: Sheng, W <w.sheng@intel.com>; devel@edk2.groups.io
> > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu,
> > > Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> > > <guomin.jiang@intel.com>; Kinney, Michael D
> > > <michael.d.kinney@intel.com>
> > > Subject: Re: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID
> > > for
> > > CERT_RSA3072 and CERT_RSA4096
> > >
> > > Sheng Wei:
> > >   I gave my comments for patch 1/3 this morning. Have you got
> > > my response?
> > >
> > >   I just want to confirm whether these two new GUIDs are in the
> > > public UEFI spec or not.
> > >
> > > Thanks
> > > Liming
> > > > -----Original Message-----
> > > > From: Sheng, W <w.sheng@intel.com>
> > > > Sent: August 2, 2023 16:04
> > > > To: devel@edk2.groups.io; Gao, Liming
> > > > <gaoliming@byosoft.com.cn>
> > > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen,
> > > > Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>;
> > > > Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> > > > <guomin.jiang@intel.com>; Kinney, Michael D
> > > > <michael.d.kinney@intel.com>
> > > > Subject: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> > > > CERT_RSA3072 and CERT_RSA4096
> > > >
> > > > Hi Gao, Liming,
> > > > For this patch group, we have got review-by from Yao, Jiewen on
> > > > patch
> > > > 2/3(CryptoPkg) and patch 3/3(SecurityPkg).
> > > > Do you have any comments on the patch 1/3 (MdePkg)?
> > > > Patch 1/3 is only to add 2 new GUIDs.
> > > > Could you help to merge it?
> > > >
> > > > Thank you.
> > > > BR
> > > > Sheng Wei
> > > >
> > > > > -----Original Message-----
> > > > > From: Sheng, W
> > > > > Sent: July 31, 2023 10:02
> > > > > To: 'devel@edk2.groups.io' <devel@edk2.groups.io>; Gao, Liming
> > > > > <gaoliming@byosoft.com.cn>
> > > > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen,
> > > > > Zeyi <Zeyi.Chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>;
> > > > > Lu,
> > > > > Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> > > > > <Guomin.Jiang@intel.com>; Kinney, Michael D
> > > > > <michael.d.kinney@intel.com>
> > > > > Subject: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add
> > > > > GUID for
> > > > > CERT_RSA3072 and CERT_RSA4096
> > > > >
> > > > > Hi Gao, Liming,
> > > > > Could you help to review and merge this patch to MdePkg?
> > > > > This patch is only to add 2 new GUIDs.
> > > > > These 2 GUIDs will be used for adding RSA3072/RSA4096 cert
> > > > > support for secure boot feature.
> > > > > Thank you.
> > > > > BR
> > > > > Sheng Wei
> > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf
> > > > > > > Of
> > > > > Sheng
> > > > > > > Wei
> > > > > > > Sent: July 27, 2023 14:35
> > > > > > > To: devel@edk2.groups.io
> > > > > > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > > > > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> > > > > > > Chen, Zeyi <zeyi.chen@intel.com>; Wang, Fiona
> > > > > > > <fiona.wang@intel.com>; Lu,
> > > > > > > Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> > > > > > > <guomin.jiang@intel.com>; Kinney, Michael D
> > > > > > > <michael.d.kinney@intel.com>; Gao, Liming
> > > > <gaoliming@byosoft.com.cn>
> > > > > > > Subject: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add
> > > > > > > GUID for
> > > > > > > CERT_RSA3072 and CERT_RSA4096
> > > > > > >
> > > > > > > Add gEfiCertRsa3072Guid and gEfiCertRsa4096Guid
> > > > > > >
> > > > > > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > > > > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > > > > > Cc: Min Xu <min.m.xu@intel.com>
> > > > > > > Cc: Zeyi Chen <zeyi.chen@intel.com>
> > > > > > > Cc: Fiona Wang <fiona.wang@intel.com>
> > > > > > > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> > > > > > > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > > > > > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > > > > > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> > > > > > > Signed-off-by: Sheng Wei <w.sheng@intel.com>
> > > > > > > ---
> > > > > > >  MdePkg/Include/Guid/ImageAuthentication.h | 26
> > > > > > > +++++++++++++++++++++++
> > > > > > >  MdePkg/MdePkg.dec                         |  2 ++
> > > > > > >  2 files changed, 28 insertions(+)
> > > > > > >
> > > > > > > diff --git a/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > > > b/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > > > index fe83596571..c8ea2c14fb 100644
> > > > > > > --- a/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > > > +++ b/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > > > @@ -144,6 +144,30 @@ typedef struct {
> > > > > > >      0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77,
> > > > > > > 0x6e,
> > > 0x85,
> > > > 0xb3,
> > > > > > > 0xb6} \   } +///+/// This identifies a signature containing an
> > > RSA-3072
> > > > key.
> > > > > > The
> > > > > > > key (only the modulus+/// since the public key exponent is
> > > > > > > known to be
> > > > > > > 0x10001) shall be stored in big-endian+/// order.+/// The
> > > > > > > SignatureHeader size shall always be 0. The SignatureSize
> > > > > > > shall always be 16 (size+/// of SignatureOwner component) +
> > > > > > > 384
> > > > > bytes.+///+#define
> > > > > > > EFI_CERT_RSA3072_GUID \+  { \+    0xedd320c2, 0xb057, 0x4b8e,
> > > > {0xad,
> > > > > > 0x46,
> > > > > > > 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 } \+  }++///+/// This
> > > > > > > identifies a signature containing an RSA-4096 key. The key
> > > > > > > (only the
> > > > > > > modulus+/// since the public key exponent is known to be
> > > > > > > modulus+0x10001)
> > > > > > > shall be stored in big-endian+/// order.+/// The
> > > > > > > SignatureHeader size shall always be 0. The SignatureSize
> > > > > > > shall always be 16 (size+/// of SignatureOwner
> > > > > > component) + 512
> > > > > > > bytes.+///+#define EFI_CERT_RSA4096_GUID \+  { \+
> > > > 0xb23e89a6,
> > > > > 0x8c8b,
> > > > > > > 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c } \+
> > > > > > > }+ /// /// This identifies a signature containing a RSA-2048
> > > > > > > signature of a
> > > > > > > SHA-256 hash.  The /// SignatureHeader size shall always be 0.
> > > > > > > The SignatureSize shall always be
> > > > > > > 16 (size of@@ -330,6 +354,8 @@ typedef struct {  extern
> > > > > > > EFI_GUID gEfiImageSecurityDatabaseGuid; extern EFI_GUID
> > > > > > > gEfiCertSha256Guid; extern EFI_GUID
> > > > > > > gEfiCertRsa2048Guid;+extern EFI_GUID
> > > > > > > gEfiCertRsa3072Guid;+extern EFI_GUID gEfiCertRsa4096Guid;
> > > > > > > extern EFI_GUID  gEfiCertRsa2048Sha256Guid; extern EFI_GUID
> > > > > > > gEfiCertSha1Guid; extern EFI_GUID
> > > > > > > gEfiCertRsa2048Sha1Guid;diff --git a/MdePkg/MdePkg.dec
> > > > > > > b/MdePkg/MdePkg.dec index
> > > > > > > b85614992b..24e4779d33 100644
> > > > > > > --- a/MdePkg/MdePkg.dec
> > > > > > > +++ b/MdePkg/MdePkg.dec
> > > > > > > @@ -581,6 +581,8 @@
> > > > > > >    gEfiImageSecurityDatabaseGuid  = { 0xd719b2cb, 0x3d3a,
> > > > > > > 0x4596,
> > > > {0xa3,
> > > > > > > 0xbc, 0xda, 0xd0,  0xe, 0x67, 0x65, 0x6f }}   gEfiCertSha256Guid
> > > > =
> > > > > > > { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36,
> > > > > > > 0x93, 0x43,
> > > > > > 0x28 }}
> > > > > > > gEfiCertRsa2048Guid            = { 0x3c5766e8, 0x269c, 0x4e34,
> > > > {0xaa, 0x14,
> > > > > > 0xed,
> > > > > > > 0x77, 0x6e, 0x85, 0xb3, 0xb6 }}+  gEfiCertRsa3072Guid            =
> > > > > { 0xedd320c2,
> > > > > > > 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }}+
> > > > > > > gEfiCertRsa4096Guid            = { 0xb23e89a6, 0x8c8b, 0x4412,
> > > > {0x85, 0x73,
> > > > > > 0x15,
> > > > > > > 0x4e, 0x8d, 0x00, 0x98, 0x2c }}   gEfiCertRsa2048Sha256Guid      =
> > > > > > { 0xe2b36190,
> > > > > > > 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }}
> > > > > > > gEfiCertSha1Guid               = { 0x826ca512, 0xcf10, 0x4ac9,
> > > > {0xb1, 0x87, 0xbe,
> > > > > > > 0x1, 0x49, 0x66, 0x31, 0xbd }}   gEfiCertRsa2048Sha1Guid        =
> > > > > { 0x67f8444f,
> > > > > > > 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60,
> > > > > > > 0x80
> > > > > > > }}--
> > > > > > > 2.26.2.windows.1
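Review bot: in the @@ -144,6 +144,30 @@ hunk of MdePkg/Include/Guid/ImageAuthentication.h, EFI_CERT_RSA3072_GUID and EFI_CERT_RSA4096_GUID are not defined in the UEFI specification, and MdePkg carries only spec-defined signature types (Liming and Jiewen make the same point further up the thread); the two macros and their comment blocks should be dropped, with RSA3072/RSA4096 keys enrolled as EFI_CERT_X509_GUID entries instead. The size arithmetic in the comments is internally consistent (SignatureSize 16 + 384 bytes for a 3072-bit modulus, 16 + 512 bytes for 4096), but as quoted here the RSA-4096 comment reads "modulus+/// since the public key exponent is known to be modulus+0x10001)", repeating "modulus" where the RSA-3072 text reads "known to be 0x10001)"; if that is in the source rather than an artifact of quoting, make the two comments identical apart from the key size.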
> > > > > > >
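Review bot: the extern declarations for gEfiCertRsa3072Guid and gEfiCertRsa4096Guid in the @@ -330,6 +354,8 @@ hunk stand or fall with the macros in the first hunk; if those are dropped or moved out of MdePkg, remove these two externs in the same patch so the header never declares a GUID that MdePkg.dec does not define.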
> > > > > > >
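Review bot: the MdePkg.dec @@ -581,6 +581,8 @@ hunk publishes gEfiCertRsa3072Guid = { 0xedd320c2, 0xb057, 0x4b8e, ... } and gEfiCertRsa4096Guid = { 0xb23e89a6, 0x8c8b, 0x4412, ... }, which do match the header macros, but a GUID in MdePkg.dec becomes a public interface that platform code may start depending on; for values that are not in the UEFI spec, either drop them (as the thread settles on) or keep them in a package-private .dec rather than MdePkg.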
> > > > > > >
> > > > > > > -=-=-=-=-=-=
> > > > > > > Groups.io Links: You receive all messages sent to this group.
> > > > > > > View/Reply Online (#107294):
> > > > > > > https://edk2.groups.io/g/devel/message/107294
> > > > > > > Mute This Topic: https://groups.io/mt/100385942/2558558
> > > > > > > Group Owner: devel+owner@edk2.groups.io
> > > > > > > Unsubscribe: https://edk2.groups.io/g/devel/unsub
> > > > > > > [w.sheng@intel.com]
> > > > > > > - =-=-=-=-=-=
> > > > > > >



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107614): https://edk2.groups.io/g/devel/message/107614
Mute This Topic: https://groups.io/mt/100521910/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-




Thread overview: 17+ messages
2023-07-27  6:35 [edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384 Sheng Wei
2023-07-27  6:35 ` [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096 Sheng Wei
2023-07-27  6:35 ` [edk2-devel] [PATCH V5 2/3] CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to ImageTimestampVerify Sheng Wei
2023-07-27  9:42   ` Yao, Jiewen
2023-07-27  6:35 ` [edk2-devel] [PATCH V5 3/3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 Sheng Wei
2023-07-28  2:34   ` Yao, Jiewen
2023-07-27  9:44 ` [edk2-devel] [PATCH V5 0/3] SecureBoot: " Yao, Jiewen
2023-07-28  1:49   ` Sheng Wei
2023-07-28  2:15     ` Yao, Jiewen
     [not found] ` <1775A5F91CFEF78E.27447@groups.io>
2023-07-28  4:32   ` [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096 Sheng Wei
2023-07-31  2:01     ` Sheng Wei
2023-08-02  2:58       ` Re: " gaoliming via groups.io
2023-08-02  8:03       ` Sheng Wei
2023-08-02  9:12         ` Re: " gaoliming via groups.io
2023-08-03  7:29           ` Sheng Wei
2023-08-03  8:12             ` Yao, Jiewen
2023-08-07  9:17               ` Sheng Wei [this message]
