From: "Min Xu"
To: "Gao, Jiaqi", "devel@edk2.groups.io"
CC: "Yao, Jiewen"
Subject: Re: [PATCH] SecurityPkg: Add constraints on PK strength
Date: Sun, 18 Apr 2021 23:52:13 +0000
Have you tested the patch? Would you please post the test result in the mail thread? Thanks.

> -----Original Message-----
> From: Gao, Jiaqi
> Sent: Friday, April 16, 2021 3:56 PM
> To: devel@edk2.groups.io
> Cc: Gao, Jiaqi ; Xu, Min M ; Yao, Jiewen
> Subject: [PATCH] SecurityPkg: Add constraints on PK strength
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3293
>
> Add constraints on the key strength of enrolled platform key (PK), which must
> be greater than or equal to 2048 bit. PK key strength is required by Intel SDL
> and MSFT, etc. This limitation prevents user from using weak keys as PK.
>
> The original code to check the certificate file type is placed in a new function
> CheckX509Certificate(), which checks if the X.509 certificate meets the
> requirements of encode type, RSA-Key strength, etc.
>
> Cc: Min Xu
> Cc: Jiewen Yao
> Signed-off-by: Jiaqi Gao > --- > .../SecureBootConfigImpl.c | 165 +++++++++++++++--- > .../SecureBootConfigImpl.h | 21 +++ > 2 files changed, 160 insertions(+), 26 deletions(-) >=20 > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.c > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.c > index 4f01a2ed67..1304e21266 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.c > +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo > +++ nfigImpl.c > @@ -90,6 +90,22 @@ CHAR16* mDerEncodedSuffix[] =3D { }; > CHAR16* mSupportX509Suffix =3D L"*.cer/der/crt"; >=20 > +// > +// Prompt strings during certificate enrollment. > +// > +CHAR16* mX509EnrollPromptTitle[] =3D { > + L"", > + L"ERROR: Unsupported file type!", > + L"ERROR: Unsupported certificate!", > + NULL > +}; > +CHAR16* mX509EnrollPromptString[] =3D { > + L"", > + L"Only DER encoded certificate file (*.cer/der/crt) is supported.", > + L"Public key length should be equal to or greater than 2048 bits.", > + NULL > +}; > + > SECUREBOOT_CONFIG_PRIVATE_DATA *gSecureBootPrivateData =3D NULL; >=20 > /** 
> @@ -383,6 +399,102 @@ SetSecureBootMode ( > ); > } >=20 > +/** > + This code checks if the encode type and key strength of X.509 > + certificate is qualified. > + > + @param[in] X509FileContext FileContext of X.509 certificate stori= ng > + file. > + @param[out] Error Error type checked in the certificate. > + > + @return EFI_SUCCESS The certificate checked successfully. > + @return EFI_INVALID_PARAMETER The parameter is invalid. > + @return EFI_OUT_OF_RESOURCES Memory allocation failed. > + > +**/ > +EFI_STATUS > +CheckX509Certificate ( > + IN SECUREBOOT_FILE_CONTEXT* X509FileContext, > + OUT ENROLL_KEY_ERROR* Error > +) > +{ > + EFI_STATUS Status; > + UINT16* FilePostFix; > + UINTN NameLength; > + UINT8* X509Data; > + UINTN X509DataSize; > + void* X509PubKey; > + UINTN PubKeyModSize; > + > + if (X509FileContext->FileName =3D=3D NULL) { > + *Error =3D Unsupported_Type; > + return EFI_INVALID_PARAMETER; > + } > + > + X509Data =3D NULL; > + X509DataSize =3D 0; > + X509PubKey =3D NULL; > + PubKeyModSize =3D 0; > + > + // > + // Parse the file's postfix. Only support DER encoded X.509 certificat= e files. 
> + // > + NameLength =3D StrLen (X509FileContext->FileName); if (NameLength <= =3D > + 4) { > + DEBUG ((DEBUG_ERROR, "Wrong X509 NameLength\n")); > + *Error =3D Unsupported_Type; > + return EFI_INVALID_PARAMETER; > + } > + FilePostFix =3D X509FileContext->FileName + NameLength - 4; if > + (!IsDerEncodeCertificate (FilePostFix)) { > + DEBUG ((DEBUG_ERROR, "Unsupported file type, only DER encoded > certificate (%s) is supported.\n", mSupportX509Suffix)); > + *Error =3D Unsupported_Type; > + return EFI_INVALID_PARAMETER; > + } > + DEBUG ((DEBUG_INFO, "FileName=3D %s\n", X509FileContext->FileName)); > + DEBUG ((DEBUG_INFO, "FilePostFix =3D %s\n", FilePostFix)); > + > + // > + // Read the certificate file content > + // > + Status =3D ReadFileContent (X509FileContext->FHandle, (VOID**) > + &X509Data, &X509DataSize, 0); if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Error occured while reading the file.\n")); > + goto ON_EXIT; > + } > + > + // > + // Parse the public key context. > + // > + if (RsaGetPublicKeyFromX509 (X509Data, X509DataSize, &X509PubKey) =3D= =3D > FALSE) { > + DEBUG ((DEBUG_ERROR, "Error occured while parsing the pubkey from > certificate.\n")); > + Status =3D EFI_INVALID_PARAMETER; > + *Error =3D Unsupported_Type; > + goto ON_EXIT; > + } > + > + // > + // Parse Module size of public key using interface provided by > + CryptoPkg, which is // actually the size of public key. > + // > + if (X509PubKey !=3D NULL) { > + RsaGetKey (X509PubKey, RsaKeyN, NULL, &PubKeyModSize); > + if (PubKeyModSize < CER_PUBKEY_MIN_SIZE) { > + DEBUG ((DEBUG_ERROR, "Unqualified PK size, key size should be equa= l to > or greater than 2048 bits.\n")); > + Status =3D EFI_INVALID_PARAMETER; > + *Error =3D Unqualified_Key; > + } > + RsaFree (X509PubKey); > + } > + > + ON_EXIT: > + if (X509Data !=3D NULL) { > + FreePool (X509Data); > + } > + > + return Status; > +} > + > /** > Generate the PK signature list from the X509 Certificate storing file = (.cer) >=20 
> @@ -461,7 +573,10 @@ ON_EXIT: >=20 > The SignatureOwner GUID will be the same with PK's vendorguid. >=20 > - @param[in] PrivateData The module's private data. > + @param[in] PrivateData The module's private data. > + @param[out] Error Point to the error code which indicates the > + error during enroll process. > + >=20 > @retval EFI_SUCCESS New PK enrolled successfully. > @retval EFI_INVALID_PARAMETER The parameter is invalid. > @@ -477,12 +592,6 @@ EnrollPlatformKey ( > UINT32 Attr; > UINTN DataSize; > EFI_SIGNATURE_LIST *PkCert; > - UINT16* FilePostFix; > - UINTN NameLength; > - > - if (Private->FileContext->FileName =3D=3D NULL) { > - return EFI_INVALID_PARAMETER; > - } >=20 > PkCert =3D NULL; >=20 > @@ -491,21 +600,6 @@ EnrollPlatformKey ( > return Status; > } >=20 > - // > - // Parse the file's postfix. Only support DER encoded X.509 certificat= e files. > - // > - NameLength =3D StrLen (Private->FileContext->FileName); > - if (NameLength <=3D 4) { > - return EFI_INVALID_PARAMETER; > - } > - FilePostFix =3D Private->FileContext->FileName + NameLength - 4; > - if (!IsDerEncodeCertificate(FilePostFix)) { > - DEBUG ((EFI_D_ERROR, "Unsupported file type, only DER encoded > certificate (%s) is supported.", mSupportX509Suffix)); > - return EFI_INVALID_PARAMETER; > - } > - DEBUG ((EFI_D_INFO, "FileName=3D %s\n", Private->FileContext->FileName= )); > - DEBUG ((EFI_D_INFO, "FilePostFix =3D %s\n", FilePostFix)); > - > // > // Prase the selected PK file and generate PK certificate list. > // > @@ -4300,12 +4394,14 @@ SecureBootCallback ( > UINT16 *FilePostFix; > SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData; > BOOLEAN GetBrowserDataResult; > + ENROLL_KEY_ERROR EnrollKeyErrorCode; >=20 > Status =3D EFI_SUCCESS; > SecureBootEnable =3D NULL; > SecureBootMode =3D NULL; > SetupMode =3D NULL; > File =3D NULL; > + EnrollKeyErrorCode =3D None_Error; >=20 > if ((This =3D=3D NULL) || (Value =3D=3D NULL) || (ActionRequest =3D=3D= NULL)) { > return EFI_INVALID_PARAMETER; 
> @@ -4718,18 +4814,35 @@ SecureBootCallback ( > } > break; > case KEY_VALUE_SAVE_AND_EXIT_PK: > - Status =3D EnrollPlatformKey (Private); > + // > + // Check the suffix, encode type and the key strength of PK certif= icate. > + // > + Status =3D CheckX509Certificate (Private->FileContext, &EnrollKeyE= rrorCode); > + if (EFI_ERROR (Status)) { > + if (EnrollKeyErrorCode !=3D None_Error && EnrollKeyErrorCode < > Enroll_Error_Max) { > + CreatePopUp ( > + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, > + &Key, > + mX509EnrollPromptTitle[EnrollKeyErrorCode], > + mX509EnrollPromptString[EnrollKeyErrorCode], > + NULL > + ); > + break; > + } > + } else { > + Status =3D EnrollPlatformKey (Private); > + } > if (EFI_ERROR (Status)) { > UnicodeSPrint ( > PromptString, > sizeof (PromptString), > - L"Only DER encoded certificate file (%s) is supported.", > - mSupportX509Suffix > + L"Error status: %x.", > + Status > ); > CreatePopUp ( > EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, > &Key, > - L"ERROR: Unsupported file type!", > + L"ERROR: Enrollment failed!", > PromptString, > NULL > ); > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.h > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.h > index 1fafae07ac..268f015e8e 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.h > +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo > +++ nfigImpl.h 
> @@ -93,6 +93,27 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; > #define HASHALG_RAW 0x00000004 > #define HASHALG_MAX 0x00000004 >=20 > +// > +// Certificate public key minimum size (bytes) // > +#define CER_PUBKEY_MIN_SIZE 256 > + > +// > +// Types of errors may occur during certificate enrollment. > +// > +typedef enum { > + None_Error =3D 0, > + // > + // Unsupported_type indicates the certificate type is not supported. > + // > + Unsupported_Type, > + // > + // Unqualified_key indicates the key strength of certificate is not > + // strong enough. > + // > + Unqualified_Key, > + Enroll_Error_Max > +}ENROLL_KEY_ERROR; >=20 > typedef struct { > UINTN Signature; > -- > 2.31.1.windows.1
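Review bot: in the @@ -90 hunk, mX509EnrollPromptTitle[] and mX509EnrollPromptString[] are indexed by an ENROLL_KEY_ERROR value in SecureBootCallback, but nothing ties their length to the enum; if a new error value is added before Enroll_Error_Max without a matching string, the `< Enroll_Error_Max` guard still passes and the lookup reads past the array. Size both arrays with `[Enroll_Error_Max]` (dropping the trailing NULL) so the compiler catches a mismatch, and make them CONST since they are never modified.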
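Review bot: in the @@ -383 hunk, the return value of `RsaGetKey (X509PubKey, RsaKeyN, NULL, &PubKeyModSize)` is not checked; if it fails, PubKeyModSize stays 0 and the user is told "Public key length should be equal to or greater than 2048 bits", which misreports the problem even though the outcome is fail-closed. Check the return value and set `*Error = Unsupported_Type` on failure. In the same hunk, `void* X509PubKey` should be `VOID *X509PubKey` per edk2 style, "occured" should read "occurred" in both DEBUG strings, and the certificate is read here via ReadFileContent and then read again by EnrollPlatformKey (the "Prase the selected PK file" step that remains); passing the parsed buffer along, or at least noting the double read, would avoid the duplicate file I/O.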
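Review bot: the @@ -461 hunk adds `@param[out] Error Point to the error code which indicates the error during enroll process.` to the EnrollPlatformKey header, but the function's parameter list is not changed anywhere in this patch and the call site in SecureBootCallback is still `Status = EnrollPlatformKey (Private);`. Either add the parameter or drop the @param line; as written the documentation describes an argument that does not exist.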
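Review bot: the @@ -477 and @@ -491 hunks remove the `Private->FileContext->FileName == NULL` check and the DER-suffix check from EnrollPlatformKey, so the function now relies on every caller having run CheckX509Certificate first. The single caller in this patch does, but the precondition is not stated in the function header; add it to the doxygen block, or keep the cheap NULL check so a future caller cannot reach the PK file parsing with an unvalidated file context.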
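Review bot: in the @@ -4718 hunk, when CheckX509Certificate fails with a known error code the new branch shows the popup and then `break`s out of the case while Status is still EFI_INVALID_PARAMETER, whereas the pre-patch failure path continued past the popup. Confirm that nothing following the popup in this case (not visible in the hunk, e.g. cleanup or the ActionRequest update) is skipped, and that the code after the switch handles the non-success Status as intended. Also, a read failure inside CheckX509Certificate leaves EnrollKeyErrorCode at None_Error and falls through to the generic `L"Error status: %x."` popup, which tells the user less than the previous message did; a dedicated string for that path would help.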
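Review bot: in the @@ -93 hunk, CER_PUBKEY_MIN_SIZE is 256 bytes and is compared against the byte length of the modulus returned by RsaGetKey, so a modulus of 2041 to 2047 bits also occupies 256 bytes and passes the check; if the requirement is a full 2048 bits, compare the bit length (the exported modulus gives it as 8 * (size - 1) plus the bits in the leading byte) or document that the check is byte-granular. Style points in the same hunk: the closing `//` of the "Certificate public key minimum size (bytes)" comment sits on the same line as the text rather than on its own line, `}ENROLL_KEY_ERROR;` needs a space after the brace, and the enumerators None_Error, Unsupported_Type and Unqualified_Key are spelled differently from their own comments (Unsupported_type, Unqualified_key) and use underscores, which edk2 naming convention avoids.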