From: "Min Xu"
To: "Gao, Jiaqi", "devel@edk2.groups.io"
CC: "Yao, Jiewen"
Subject: Re: [PATCH] SecurityPkg: Add constraints on PK strength
Date: Fri, 23 Apr 2021 01:36:25 +0000

This patch is good to me.

Reviewed-by: Min Xu

> -----Original Message-----
> From: Gao, Jiaqi
> Sent: Monday, April 19, 2021 9:31 AM
> To: Xu, Min M; devel@edk2.groups.io
> Cc: Yao, Jiewen
> Subject: RE: [PATCH] SecurityPkg: Add constraints on PK strength
>
> Hi,
>
> The patch has been built and tested with several toolchains:
> 1. GCC5 on Linux, both DEBUG and RELEASE.
> 2. VS2017 on Windows, both DEBUG and RELEASE.
> 3. VS2019 on Windows, both DEBUG and RELEASE.
>
> To make sure the program can cope with various input, the test cases consist of
> different PK certificate enrollments, which are:
> 1. Platform Keys (PKs) with RSA public key length less than 2048 bits, including
> RSA-512 and RSA-1024, etc. These kinds of certificates were rejected during user
> enrollment.
> 2. PKs with RSA public key length equal to or greater than 2048 bits, including
> RSA-2048, RSA-3072 and RSA-4096, etc. These kinds of certificates were successfully
> enrolled.
> 3. PKs which are not DER encoded, such as PEM encoded certificates
> with .cer/.der/.crt file suffix.
> 4. Empty PKs.
> 5. Empty inputs.
>
> All the test cases were performed as expected. Test cases with unqualified key
> strength pop up the prompt of unqualified key, and the others with unsupported
> encode format or illegal input act as in the previous program.
>
>
> Best Regards,
> Jiaqi
>
> -----Original Message-----
> From: Xu, Min M
> Sent: Monday, April 19, 2021 7:52 AM
> To: Gao, Jiaqi; devel@edk2.groups.io
> Cc: Yao, Jiewen
> Subject: RE: [PATCH] SecurityPkg: Add constraints on PK strength
>
> Have you tested the patch? Would you please post the test result in the mail
> thread?
> Thanks.
>
> > -----Original Message-----
> > From: Gao, Jiaqi
> > Sent: Friday, April 16, 2021 3:56 PM
> > To: devel@edk2.groups.io
> > Cc: Gao, Jiaqi; Xu, Min M; Yao, Jiewen
> > Subject: [PATCH] SecurityPkg: Add constraints on PK strength
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3293
> >
> > Add constraints on the key strength of enrolled platform key (PK),
> > which must be greater than or equal to 2048 bit. PK key strength is
> > required by Intel SDL and MSFT, etc. This limitation prevents user from using
> > weak keys as PK.
> >
> > The original code to check the certificate file type is placed in a
> > new function CheckX509Certificate(), which checks if the X.509
> > certificate meets the requirements of encode type, RSA-Key strength, etc.
> >
> > Cc: Min Xu
> > Cc: Jiewen Yao
> > Signed-off-by: Jiaqi Gao
> > ---
> > .../SecureBootConfigImpl.c | 165 +++++++++++++++---
> > .../SecureBootConfigImpl.h | 21 +++
> > 2 files changed, 160 insertions(+), 26 deletions(-)
> >
> > diff --git > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > > igI > > mpl.c > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > > igI > > mpl.c > > index 4f01a2ed67..1304e21266 100644 > > --- > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > > igI > > mpl.c > > +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBoot > > +++ Co > > +++ nfigImpl.c 
> > @@ -90,6 +90,22 @@ CHAR16* mDerEncodedSuffix[] =3D { }; > > CHAR16* mSupportX509Suffix =3D L"*.cer/der/crt"; > > > > +// > > +// Prompt strings during certificate enrollment. > > +// > > +CHAR16* mX509EnrollPromptTitle[] =3D { > > + L"", > > + L"ERROR: Unsupported file type!", > > + L"ERROR: Unsupported certificate!", > > + NULL > > +}; > > +CHAR16* mX509EnrollPromptString[] =3D { > > + L"", > > + L"Only DER encoded certificate file (*.cer/der/crt) is supported.", > > + L"Public key length should be equal to or greater than 2048 bits.", > > + NULL > > +}; > > + > > SECUREBOOT_CONFIG_PRIVATE_DATA *gSecureBootPrivateData =3D NULL; > > > > /** 
> > @@ -383,6 +399,102 @@ SetSecureBootMode ( > > ); > > } > > > > +/** > > + This code checks if the encode type and key strength of X.509 > > + certificate is qualified. > > + > > + @param[in] X509FileContext FileContext of X.509 certificate sto= ring > > + file. > > + @param[out] Error Error type checked in the certificat= e. > > + > > + @return EFI_SUCCESS The certificate checked successfully= . > > + @return EFI_INVALID_PARAMETER The parameter is invalid. > > + @return EFI_OUT_OF_RESOURCES Memory allocation failed. > > + > > +**/ > > +EFI_STATUS > > +CheckX509Certificate ( > > + IN SECUREBOOT_FILE_CONTEXT* X509FileContext, > > + OUT ENROLL_KEY_ERROR* Error > > +) > > +{ > > + EFI_STATUS Status; > > + UINT16* FilePostFix; > > + UINTN NameLength; > > + UINT8* X509Data; > > + UINTN X509DataSize; > > + void* X509PubKey; > > + UINTN PubKeyModSize; > > + > > + if (X509FileContext->FileName =3D=3D NULL) { > > + *Error =3D Unsupported_Type; > > + return EFI_INVALID_PARAMETER; > > + } > > + > > + X509Data =3D NULL; > > + X509DataSize =3D 0; > > + X509PubKey =3D NULL; > > + PubKeyModSize =3D 0; > > + > > + // > > + // Parse the file's postfix. Only support DER encoded X.509 certific= ate files. 
> > + // > > + NameLength =3D StrLen (X509FileContext->FileName); if (NameLength <= =3D > > + 4) { > > + DEBUG ((DEBUG_ERROR, "Wrong X509 NameLength\n")); > > + *Error =3D Unsupported_Type; > > + return EFI_INVALID_PARAMETER; > > + } > > + FilePostFix =3D X509FileContext->FileName + NameLength - 4; if > > + (!IsDerEncodeCertificate (FilePostFix)) { > > + DEBUG ((DEBUG_ERROR, "Unsupported file type, only DER encoded > > certificate (%s) is supported.\n", mSupportX509Suffix)); > > + *Error =3D Unsupported_Type; > > + return EFI_INVALID_PARAMETER; > > + } > > + DEBUG ((DEBUG_INFO, "FileName=3D %s\n", X509FileContext->FileName)); > > + DEBUG ((DEBUG_INFO, "FilePostFix =3D %s\n", FilePostFix)); > > + > > + // > > + // Read the certificate file content // Status =3D ReadFileContent > > + (X509FileContext->FHandle, (VOID**) &X509Data, &X509DataSize, 0); if > > + (EFI_ERROR (Status)) { > > + DEBUG ((DEBUG_ERROR, "Error occured while reading the file.\n")); > > + goto ON_EXIT; > > + } > > + > > + // > > + // Parse the public key context. > > + // > > + if (RsaGetPublicKeyFromX509 (X509Data, X509DataSize, &X509PubKey) > > + =3D=3D > > FALSE) { > > + DEBUG ((DEBUG_ERROR, "Error occured while parsing the pubkey from > > certificate.\n")); > > + Status =3D EFI_INVALID_PARAMETER; > > + *Error =3D Unsupported_Type; > > + goto ON_EXIT; > > + } > > + > > + // > > + // Parse Module size of public key using interface provided by > > + CryptoPkg, which is // actually the size of public key. 
> > + // > > + if (X509PubKey !=3D NULL) { > > + RsaGetKey (X509PubKey, RsaKeyN, NULL, &PubKeyModSize); > > + if (PubKeyModSize < CER_PUBKEY_MIN_SIZE) { > > + DEBUG ((DEBUG_ERROR, "Unqualified PK size, key size should be > > + equal to > > or greater than 2048 bits.\n")); > > + Status =3D EFI_INVALID_PARAMETER; > > + *Error =3D Unqualified_Key; > > + } > > + RsaFree (X509PubKey); > > + } > > + > > + ON_EXIT: > > + if (X509Data !=3D NULL) { > > + FreePool (X509Data); > > + } > > + > > + return Status; > > +} > > + > > /** > > Generate the PK signature list from the X509 Certificate storing > > file (.cer) > > > > @@ -461,7 +573,10 @@ ON_EXIT: > > > > The SignatureOwner GUID will be the same with PK's vendorguid. > > > > - @param[in] PrivateData The module's private data. > > + @param[in] PrivateData The module's private data. > > + @param[out] Error Point to the error code which indicates t= he > > + error during enroll process. > > + > > > > @retval EFI_SUCCESS New PK enrolled successfully. > > @retval EFI_INVALID_PARAMETER The parameter is invalid. > > @@ -477,12 +592,6 @@ EnrollPlatformKey ( > > UINT32 Attr; > > UINTN DataSize; > > EFI_SIGNATURE_LIST *PkCert; > > - UINT16* FilePostFix; > > - UINTN NameLength; > > - > > - if (Private->FileContext->FileName =3D=3D NULL) { > > - return EFI_INVALID_PARAMETER; > > - } > > > > PkCert =3D NULL; 
> > > > @@ -491,21 +600,6 @@ EnrollPlatformKey ( > > return Status; > > } > > > > - // > > - // Parse the file's postfix. Only support DER encoded X.509 certific= ate files. > > - // > > - NameLength =3D StrLen (Private->FileContext->FileName); > > - if (NameLength <=3D 4) { > > - return EFI_INVALID_PARAMETER; > > - } > > - FilePostFix =3D Private->FileContext->FileName + NameLength - 4; > > - if (!IsDerEncodeCertificate(FilePostFix)) { > > - DEBUG ((EFI_D_ERROR, "Unsupported file type, only DER encoded > > certificate (%s) is supported.", mSupportX509Suffix)); > > - return EFI_INVALID_PARAMETER; > > - } > > - DEBUG ((EFI_D_INFO, "FileName=3D %s\n", > > Private->FileContext->FileName)); > > - DEBUG ((EFI_D_INFO, "FilePostFix =3D %s\n", FilePostFix)); > > - > > // > > // Prase the selected PK file and generate PK certificate list. > > // > > @@ -4300,12 +4394,14 @@ SecureBootCallback ( > > UINT16 *FilePostFix; > > SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData; > > BOOLEAN GetBrowserDataResult; > > + ENROLL_KEY_ERROR EnrollKeyErrorCode; > > > > Status =3D EFI_SUCCESS; > > SecureBootEnable =3D NULL; > > SecureBootMode =3D NULL; > > SetupMode =3D NULL; > > File =3D NULL; > > + EnrollKeyErrorCode =3D None_Error; > > > > if ((This =3D=3D NULL) || (Value =3D=3D NULL) || (ActionRequest =3D= =3D NULL)) { > > return EFI_INVALID_PARAMETER; 
> > @@ -4718,18 +4814,35 @@ SecureBootCallback ( > > } > > break; > > case KEY_VALUE_SAVE_AND_EXIT_PK: > > - Status =3D EnrollPlatformKey (Private); > > + // > > + // Check the suffix, encode type and the key strength of PK cert= ificate. > > + // > > + Status =3D CheckX509Certificate (Private->FileContext, > &EnrollKeyErrorCode); > > + if (EFI_ERROR (Status)) { > > + if (EnrollKeyErrorCode !=3D None_Error && EnrollKeyErrorCode < > > Enroll_Error_Max) { > > + CreatePopUp ( > > + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, > > + &Key, > > + mX509EnrollPromptTitle[EnrollKeyErrorCode], > > + mX509EnrollPromptString[EnrollKeyErrorCode], > > + NULL > > + ); > > + break; > > + } > > + } else { > > + Status =3D EnrollPlatformKey (Private); > > + } > > if (EFI_ERROR (Status)) { > > UnicodeSPrint ( > > PromptString, > > sizeof (PromptString), > > - L"Only DER encoded certificate file (%s) is supported.", > > - mSupportX509Suffix > > + L"Error status: %x.", > > + Status > > ); > > CreatePopUp ( > > EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, > > &Key, > > - L"ERROR: Unsupported file type!", > > + L"ERROR: Enrollment failed!", > > PromptString, > > NULL > > ); > > diff --git > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > > igI > > mpl.h > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > > igI > > mpl.h > > index 1fafae07ac..268f015e8e 100644 > > --- > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf > > igI > > mpl.h > > +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBoot > > +++ Co > > +++ nfigImpl.h 
> > @@ -93,6 +93,27 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; > > #define HASHALG_RAW 0x00000004 > > #define HASHALG_MAX 0x00000004 > > > > +// > > +// Certificate public key minimum size (bytes) // > > +#define CER_PUBKEY_MIN_SIZE 256 > > + > > +// > > +// Types of errors may occur during certificate enrollment. > > +// > > +typedef enum { > > + None_Error =3D 0, > > + // > > + // Unsupported_type indicates the certificate type is not supported. > > + // > > + Unsupported_Type, > > + // > > + // Unqualified_key indicates the key strength of certificate is not > > + // strong enough. > > + // > > + Unqualified_Key, > > + Enroll_Error_Max > > +}ENROLL_KEY_ERROR; > > > > typedef struct { > > UINTN Signature; > > -- > > 2.31.1.windows.1
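
Review bot: mX509EnrollPromptTitle[] and mX509EnrollPromptString[] in the @@ -90,6 +90,22 @@ hunk are indexed directly by ENROLL_KEY_ERROR, but nothing ties their lengths to Enroll_Error_Max, so a new enum value added without a matching string would index the NULL terminator or run past the table. A STATIC_ASSERT on ARRAY_SIZE of each table against Enroll_Error_Max + 1 would catch that at build time. As far as this patch shows, both tables are only used in SecureBootConfigImpl.c and could be declared STATIC.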
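
Review bot: in CheckX509Certificate() the key-length test only runs inside `if (X509PubKey != NULL)`, so if RsaGetPublicKeyFromX509() returns TRUE but leaves X509PubKey NULL, control reaches ON_EXIT with Status still EFI_SUCCESS and the certificate is accepted without any size check. Add an else branch that sets Status = EFI_INVALID_PARAMETER and *Error so the check fails closed. Two smaller points in the same function: a certificate whose key cannot be parsed as RSA is reported as Unsupported_Type, whose prompt tells the user that only DER encoded files are supported, which is misleading for a well-formed DER certificate; and `void* X509PubKey` should be `VOID*` to match the rest of the file. *Error is also left unwritten on success and when ReadFileContent() fails, so the function depends on the caller initialising it; setting *Error = None_Error at entry would remove that dependency.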
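
Review bot: the comment block changed in the @@ -461,7 +573,10 @@ hunk gains an `@param[out] Error` entry for EnrollPlatformKey(), but no hunk changes that function's signature and the call in SecureBootCallback() is still `EnrollPlatformKey (Private)`. Drop the new @param line and the extra blank comment line after it, or add the parameter if EnrollPlatformKey() was meant to report an ENROLL_KEY_ERROR itself.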
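
Review bot: the @@ -477,12 +592,6 @@ and @@ -491,21 +600,6 @@ hunks remove the FileName NULL check and the suffix check from EnrollPlatformKey() without leaving anything in their place, so the function is now only safe when every caller has run CheckX509Certificate() first. Either state that precondition in the function comment or keep a minimal `Private->FileContext->FileName == NULL` guard so a future caller cannot enroll an unchecked file.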
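
Review bot: in the KEY_VALUE_SAVE_AND_EXIT_PK case the fallback popup formats an EFI_STATUS with `L"Error status: %x."`; EFI_STATUS is a UINTN, so on 64-bit builds %x prints only the low 32 bits and the high error bit is lost. Use %r, which prints the status name. Separately, the file is read once in CheckX509Certificate() and parsed again when EnrollPlatformKey() builds the PK signature list, so the bytes that passed the strength check are not guaranteed to be the bytes enrolled; handing the already-read buffer to the enrollment step would close that gap and avoid the second read.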
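
Review bot: CER_PUBKEY_MIN_SIZE is defined as 256 bytes and compared against the modulus size in bytes, so, assuming the size returned by RsaGetKey() is the modulus length rounded up to whole bytes, a modulus of 2041 to 2047 bits also occupies 256 bytes and passes a check that the prompt and commit message describe as 2048 bits. If the bit length is the requirement, compare bits rather than bytes, or say in the comment that the granularity is one byte. In the enum, the comments spell the values Unsupported_type and Unqualified_key while the identifiers are Unsupported_Type and Unqualified_Key, and `}ENROLL_KEY_ERROR;` needs a space after the brace.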