Hi Jiewen, Thank you for the comments. I will update the patch and follow the process. BR Sheng Wei
> -----Original Message----- > From: Yao, Jiewen <jiewen....@intel.com> > Sent: 2023年7月25日 14:06 > To: Sheng, W <w.sh...@intel.com>; devel@edk2.groups.io > Cc: Wang, Jian J <jian.j.w...@intel.com>; Xu, Min M <min.m...@intel.com>; > Chen, Zeyi <zeyi.c...@intel.com>; Wang, Fiona <fiona.w...@intel.com> > Subject: RE: [PATCH v4] SecurityPkg/SecureBoot: Support RSA 512 and RSA > 384 > > Thanks for the update, Wei. > > From process perspective, please always do following: > > 1) Please describe what is the difference between this version and previous > version. As such, we can know what is delta and we can focus on the delta. > > 2) Please describe what test has been done for this specific version. Such as > unit test, integration test, etc. > > 3) Please split the patch based upon package. The reason is that we need > different reviewer for each package. > > > For the patch, I have below comment: > > 1) Please don't use magic number. Please always define MACRO for better > maintenance. > > + if (KeyInfo->KeyType == 0) { > > Please use "if (KeyInfo->KeyType == KEY_TYPE_RSASSA) {" > > > Thank you > Yao, Jiewen > > > > -----Original Message----- > > From: Sheng, W <w.sh...@intel.com> > > Sent: Thursday, July 6, 2023 4:06 PM > > To: devel@edk2.groups.io > > Cc: Yao, Jiewen <jiewen....@intel.com>; Wang, Jian J > > <jian.j.w...@intel.com>; Xu, Min M <min.m...@intel.com>; Chen, Zeyi > > <zeyi.c...@intel.com>; Wang, Fiona <fiona.w...@intel.com> > > Subject: [PATCH v4] SecurityPkg/SecureBoot: Support RSA 512 and RSA > > 384 > > > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413 > > > > Cc: Jiewen Yao <jiewen....@intel.com> > > Cc: Jian J Wang <jian.j.w...@intel.com> > > Cc: Min Xu <min.m...@intel.com> > > Cc: Zeyi Chen <zeyi.c...@intel.com> > > Cc: Fiona Wang <fiona.w...@intel.com> 
> > Signed-off-by: Sheng Wei <w.sh...@intel.com> > > --- > > CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- > > MdePkg/Include/Guid/ImageAuthentication.h | 26 +++ > > MdePkg/MdePkg.dec | 2 + > > .../Library/AuthVariableLib/AuthService.c | 220 +++++++++++++++--- > > .../AuthVariableLib/AuthServiceInternal.h | 4 +- > > .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++-- > > .../DxeImageVerificationLib.c | 73 +++--- > > .../SecureBootConfigDxe.inf | 16 ++ > > .../SecureBootConfigImpl.c | 114 +++++++-- > > .../SecureBootConfigImpl.h | 2 + > > .../SecureBootConfigStrings.uni | 6 + > > 11 files changed, 416 insertions(+), 92 deletions(-) > > > > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > > index 027dbb6842..944bcf8d38 100644 > > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c > > @@ -591,7 +591,8 @@ ImageTimestampVerify ( > > // Register & Initialize necessary digest algorithms for PKCS#7 Handling. > > > > // > > > > if ((EVP_add_digest (EVP_md5 ()) == 0) || (EVP_add_digest (EVP_sha1 > > ()) == 0) > > || > > > > - (EVP_add_digest (EVP_sha256 ()) == 0) || ((EVP_add_digest_alias > > (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0)) > > > > + (EVP_add_digest (EVP_sha256 ()) == 0) || (EVP_add_digest > > + (EVP_sha384 ()) > > == 0) || > > > > + (EVP_add_digest (EVP_sha512 ()) == 0) || ((EVP_add_digest_alias > > (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0)) > > > > { > > > > return FALSE; > > > > } > > > > diff --git a/MdePkg/Include/Guid/ImageAuthentication.h > > b/MdePkg/Include/Guid/ImageAuthentication.h > > index fe83596571..c8ea2c14fb 100644 > > --- a/MdePkg/Include/Guid/ImageAuthentication.h > > +++ b/MdePkg/Include/Guid/ImageAuthentication.h 
> > @@ -144,6 +144,30 @@ typedef struct { > > 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, > > 0xb3, 0xb6} \ > > > > } > > > > > > > > +/// > > > > +/// This identifies a signature containing an RSA-3072 key. The key > > +(only the > > modulus > > > > +/// since the public key exponent is known to be 0x10001) shall be > > +stored in big- > > endian > > > > +/// order. > > > > +/// The SignatureHeader size shall always be 0. The SignatureSize > > +shall always be > > 16 (size > > > > +/// of SignatureOwner component) + 384 bytes. > > > > +/// > > > > +#define EFI_CERT_RSA3072_GUID \ > > > > + { \ > > > > + 0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, > > + 0xee, > > 0x92 } \ > > > > + } > > > > + > > > > +/// > > > > +/// This identifies a signature containing an RSA-4096 key. The key > > +(only the > > modulus > > > > +/// since the public key exponent is known to be 0x10001) shall be > > +stored in big- > > endian > > > > +/// order. > > > > +/// The SignatureHeader size shall always be 0. The SignatureSize > > +shall always be > > 16 (size > > > > +/// of SignatureOwner component) + 512 bytes. > > > > +/// > > > > +#define EFI_CERT_RSA4096_GUID \ > > > > + { \ > > > > + 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, > > + 0x98, > > 0x2c } \ > > > > + } > > > > + > > > > /// > > > > /// This identifies a signature containing a RSA-2048 signature of a > > SHA-256 > hash. > > The > > > > /// SignatureHeader size shall always be 0. The SignatureSize shall > > always be 16 (size of > > > > @@ -330,6 +354,8 @@ typedef struct { > > extern EFI_GUID gEfiImageSecurityDatabaseGuid; > > > > extern EFI_GUID gEfiCertSha256Guid; > > > > extern EFI_GUID gEfiCertRsa2048Guid; > > > > +extern EFI_GUID gEfiCertRsa3072Guid; > > > > +extern EFI_GUID gEfiCertRsa4096Guid; > > > > extern EFI_GUID gEfiCertRsa2048Sha256Guid; > > > > extern EFI_GUID gEfiCertSha1Guid; > > > > extern EFI_GUID gEfiCertRsa2048Sha1Guid; 
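Review bot: `EFI_CERT_RSA3072_GUID` and `EFI_CERT_RSA4096_GUID` are added to the UEFI-spec header with the `EFI_` prefix, but as far as I can tell the UEFI specification defines no RSA-3072/RSA-4096 signature-list types, so other firmware or OS tooling that enumerates KEK/db will not recognise these entries. If they are not spec-defined, say so in the block comment above each `#define`, e.g. `/// NOTE: EDK II extension; this signature type is not defined by the UEFI specification.`, and carry the same caveat on the `.dec` lines. The size statements (`16 + 384` and `16 + 512` bytes) agree with the new `mSupportSigItem` entries later in the patch, so only the provenance needs stating.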
> > > > diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index > > d6c4179b2a..c88e88fa6b 100644 > > --- a/MdePkg/MdePkg.dec > > +++ b/MdePkg/MdePkg.dec > > @@ -571,6 +571,8 @@ > > gEfiImageSecurityDatabaseGuid = { 0xd719b2cb, 0x3d3a, 0x4596, > > {0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f }} > > > > gEfiCertSha256Guid = { 0xc1c41626, 0x504c, 0x4092, {0xac, > > 0xa9, > 0x41, > > 0xf9, 0x36, 0x93, 0x43, 0x28 }} > > > > gEfiCertRsa2048Guid = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, > > 0x14, > 0xed, > > 0x77, 0x6e, 0x85, 0xb3, 0xb6 }} > > > > + gEfiCertRsa3072Guid = { 0xedd320c2, 0xb057, 0x4b8e, {0xad, > > 0x46, > 0x2c, > > 0x9b, 0x85, 0x89, 0xee, 0x92 }} > > > > + gEfiCertRsa4096Guid = { 0xb23e89a6, 0x8c8b, 0x4412, {0x85, > > 0x73, > > 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c }} > > > > gEfiCertRsa2048Sha256Guid = { 0xe2b36190, 0x879b, 0x4a3d, {0xad, > 0x8d, > > 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }} > > > > gEfiCertSha1Guid = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, > > 0x87, 0xbe, > > 0x1, 0x49, 0x66, 0x31, 0xbd }} > > > > gEfiCertRsa2048Sha1Guid = { 0x67f8444f, 0x8743, 0x48f1, {0xa3, > > 0x28, > > 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }} > > > > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c > > b/SecurityPkg/Library/AuthVariableLib/AuthService.c > > index d81c581d78..4c268a85cd 100644 > > --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c > > +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c 
> > @@ -29,12 +29,125 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > > #include <Protocol/VariablePolicy.h> > > > > #include <Library/VariablePolicyLib.h> > > > > > > > > +#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE > > > > + > > > > +/** > > > > + Retrieves the size, in bytes, of the context buffer required for hash > operations. > > > > + > > > > + If this interface is not supported, then return zero. > > > > + > > > > + @return The size, in bytes, of the context buffer required for hash > operations. > > > > + @retval 0 This interface is not supported. > > > > + > > > > +**/ > > > > +typedef > > > > +UINTN > > > > +(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE)( > > > > + VOID > > > > + ); > > > > + > > > > +/** > > > > + Initializes user-supplied memory pointed by Sha1Context as hash > > + context for > > > > + subsequent use. > > > > + > > > > + If HashContext is NULL, then return FALSE. > > > > + If this interface is not supported, then return FALSE. > > > > + > > > > + @param[out] HashContext Pointer to Hashcontext being initialized. > > > > + > > > > + @retval TRUE Hash context initialization succeeded. > > > > + @retval FALSE Hash context initialization failed. > > > > + @retval FALSE This interface is not supported. > > > > + > > > > +**/ > > > > +typedef > > > > +BOOLEAN > > > > +(EFIAPI *EFI_HASH_INIT)( > > > > + OUT VOID *HashContext > > > > + ); > > > > + > > > > +/** > > > > + Digests the input data and updates Hash context. > > > > + > > > > + This function performs Hash digest on a data buffer of the specified > > size. > > > > + It can be called multiple times to compute the digest of long or > > + discontinuous > > data streams. > > > > + Hash context should be already correctly initialized by HashInit(), > > + and should > > not be finalized > > > > + by HashFinal(). Behavior with invalid context is undefined. > > > > + > > > > + If HashContext is NULL, then return FALSE. > > > > + If this interface is not supported, then return FALSE. 
> > > > + > > > > + @param[in, out] HashContext Pointer to the Hash context. > > > > + @param[in] Data Pointer to the buffer containing the data > > to be > > hashed. > > > > + @param[in] DataSize Size of Data buffer in bytes. > > > > + > > > > + @retval TRUE SHA-1 data digest succeeded. > > > > + @retval FALSE SHA-1 data digest failed. > > > > + @retval FALSE This interface is not supported. > > > > + > > > > +**/ > > > > +typedef > > > > +BOOLEAN > > > > +(EFIAPI *EFI_HASH_UPDATE)( > > > > + IN OUT VOID *HashContext, > > > > + IN CONST VOID *Data, > > > > + IN UINTN DataSize > > > > + ); > > > > + > > > > +/** > > > > + Completes computation of the Hash digest value. > > > > + > > > > + This function completes hash computation and retrieves the digest > > + value into > > > > + the specified memory. After this function has been called, the Hash > > + context > > cannot > > > > + be used again. > > > > + Hash context should be already correctly initialized by HashInit(), > > + and should > > not be > > > > + finalized by HashFinal(). Behavior with invalid Hash context is > > undefined. > > > > + > > > > + If HashContext is NULL, then return FALSE. > > > > + If HashValue is NULL, then return FALSE. > > > > + If this interface is not supported, then return FALSE. > > > > + > > > > + @param[in, out] HashContext Pointer to the Hash context. > > > > + @param[out] HashValue Pointer to a buffer that receives the Hash > digest > > > > + value. > > > > + > > > > + @retval TRUE Hash digest computation succeeded. > > > > + @retval FALSE Hash digest computation failed. > > > > + @retval FALSE This interface is not supported. 
> > > > + > > > > +**/ > > > > +typedef > > > > +BOOLEAN > > > > +(EFIAPI *EFI_HASH_FINAL)( > > > > + IN OUT VOID *HashContext, > > > > + OUT UINT8 *HashValue > > > > + ); > > > > + > > > > +typedef struct { > > > > + UINT32 HashSize; > > > > + EFI_HASH_GET_CONTEXT_SIZE GetContextSize; > > > > + EFI_HASH_INIT Init; > > > > + EFI_HASH_UPDATE Update; > > > > + EFI_HASH_FINAL Final; > > > > + VOID **HashShaCtx; > > > > + UINT8 *OidValue; > > > > + UINTN OidLength; > > > > +} EFI_HASH_INFO; > > > > + > > > > // > > > > // Public Exponent of RSA Key. > > > > // > > > > CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 }; > > > > > > > > -CONST UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, > > 0x03, 0x04, 0x02, 0x01 }; > > > > +UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, > > +0x04, 0x02, > > 0x01 }; > > > > +UINT8 mSha384OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, > > +0x04, 0x02, > > 0x02 }; > > > > +UINT8 mSha512OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, > > +0x04, 0x02, > > 0x03 }; > > > > + > > > > +EFI_HASH_INFO mHashInfo[] = { > > > > + {SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, > > + Sha256Update, > > Sha256Final, &mHashSha256Ctx, mSha256OidValue, 9}, > > > > + {SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, > > + Sha384Update, > > Sha384Final, &mHashSha384Ctx, mSha384OidValue, 9}, > > > > + {SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, > > + Sha512Update, > > Sha512Final, &mHashSha512Ctx, mSha512OidValue, 9}, > > > > +}; > > > > > > > > // > > > > // Requirement for different signature type which have been defined > > in UEFI spec. 
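Review bot: The three OID tables lose their `CONST` qualifier (`mSha256OidValue` was `CONST UINT8` before the patch) apparently only so they fit the non-const `UINT8 *OidValue` member of `EFI_HASH_INFO`, which leaves writable digest-selection data in a runtime/SMM image for no reason; make the member `CONST UINT8 *` and restore `CONST` on the arrays. The `OidLength` column is a hard-coded `9` repeated three times where `sizeof (mSha256OidValue)` etc. stays correct if an OID ever changes. The new typedef comments were copied from the SHA-1 wrappers: `EFI_HASH_INIT` still talks about `Sha1Context`, and `EFI_HASH_UPDATE` reports `SHA-1 data digest succeeded`; they should read `HashContext` and `Hash data digest`. Rewritten table and struct below.
```c
// … unchanged: EFI_HASH_GET_CONTEXT_SIZE / EFI_HASH_INIT / EFI_HASH_UPDATE / EFI_HASH_FINAL typedefs …
typedef struct {
  UINT32                     HashSize;
  EFI_HASH_GET_CONTEXT_SIZE  GetContextSize;
  EFI_HASH_INIT              Init;
  EFI_HASH_UPDATE            Update;
  EFI_HASH_FINAL             Final;
  VOID                       **HashShaCtx;
  CONST UINT8                *OidValue;     // DER-encoded digest algorithm OID, read-only
  UINTN                      OidLength;
} EFI_HASH_INFO;

// … unchanged: mRsaE …

CONST UINT8  mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
CONST UINT8  mSha384OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 };
CONST UINT8  mSha512OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 };

EFI_HASH_INFO  mHashInfo[] = {
  { SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final, &mHashSha256Ctx, mSha256OidValue, sizeof (mSha256OidValue) },
  { SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final, &mHashSha384Ctx, mSha384OidValue, sizeof (mSha384OidValue) },
  { SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final, &mHashSha512Ctx, mSha512OidValue, sizeof (mSha512OidValue) },
};
```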
> > > > @@ -44,6 +157,8 @@ EFI_SIGNATURE_ITEM mSupportSigItem[] = { > > // {SigType, SigHeaderSize, SigDataSize } > > > > { EFI_CERT_SHA256_GUID, 0, 32 }, > > > > { EFI_CERT_RSA2048_GUID, 0, 256 }, > > > > + { EFI_CERT_RSA3072_GUID, 0, 384 }, > > > > + { EFI_CERT_RSA4096_GUID, 0, 512 }, > > > > { EFI_CERT_RSA2048_SHA256_GUID, 0, 256 }, > > > > { EFI_CERT_SHA1_GUID, 0, 20 }, > > > > { EFI_CERT_RSA2048_SHA1_GUID, 0, 256 }, > > > > @@ -1090,26 +1205,28 @@ AuthServiceInternalCompareTimeStamp ( } > > > > > > > > /** > > > > - Calculate SHA256 digest of SignerCert CommonName + ToplevelCert > > tbsCertificate > > > > + Calculate SHA digest of SignerCert CommonName + ToplevelCert > > + tbsCertificate > > > > SignerCert and ToplevelCert are inside the signer certificate chain. > > > > > > > > + @param[in] HashAlgId Hash algorithm index > > > > @param[in] SignerCert A pointer to SignerCert data. > > > > @param[in] SignerCertSize Length of SignerCert data. > > > > @param[in] TopLevelCert A pointer to TopLevelCert data. > > > > @param[in] TopLevelCertSize Length of TopLevelCert data. > > > > - @param[out] Sha256Digest Sha256 digest calculated. > > > > + @param[out] ShaDigest Sha digest calculated. > > > > > > > > @return EFI_ABORTED Digest process failed. > > > > - @return EFI_SUCCESS SHA256 Digest is successfully calculated. > > > > + @return EFI_SUCCESS SHA Digest is successfully calculated. > > > > > > > > **/ > > > > EFI_STATUS > > > > -CalculatePrivAuthVarSignChainSHA256Digest ( > > > > +CalculatePrivAuthVarSignChainSHADigest ( > > > > + IN UINT8 HashAlgId, > > > > IN UINT8 *SignerCert, > > > > IN UINTN SignerCertSize, > > > > IN UINT8 *TopLevelCert, > > > > IN UINTN TopLevelCertSize, > > > > - OUT UINT8 *Sha256Digest > > > > + OUT UINT8 *ShaDigest > > > > ) > > > > { > > > > UINT8 *TbsCert; 
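Review bot: The renamed `CalculatePrivAuthVarSignChainSHADigest` zeroes and writes `mHashInfo[HashAlgId].HashSize` bytes into `ShaDigest` (see the `ZeroMem` in the following hunk), but the `@param[out] ShaDigest` line no longer says how large the caller's buffer must be now that the size varies with the algorithm; both callers in the patch pass `UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]` and the doc should pin that: `@param[out] ShaDigest Buffer of at least SHA_DIGEST_SIZE_MAX bytes that receives the digest.` The `HashAlgId` line should likewise say it is an index into `mHashInfo` and that an out-of-range value returns EFI_ABORTED, which the bounds check added in the next hunk does. The function body continues beyond this hunk.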
> > > > @@ -1119,6 +1236,11 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > > BOOLEAN CryptoStatus; > > > > EFI_STATUS Status; > > > > > > > > + if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { > > > > + DEBUG ((DEBUG_INFO, "%a Unsupported Hash Algorithm %d\n", > > + __func__, > > HashAlgId)); > > > > + return EFI_ABORTED; > > > > + } > > > > + > > > > CertCommonNameSize = sizeof (CertCommonName); > > > > > > > > // > > > > @@ -1141,8 +1263,8 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > > // > > > > // Digest SignerCert CN + TopLevelCert tbsCertificate > > > > // > > > > - ZeroMem (Sha256Digest, SHA256_DIGEST_SIZE); > > > > - CryptoStatus = Sha256Init (mHashCtx); > > > > + ZeroMem (ShaDigest, mHashInfo[HashAlgId].HashSize); > > > > + CryptoStatus = mHashInfo[HashAlgId].Init > > (*(mHashInfo[HashAlgId].HashShaCtx)); > > > > if (!CryptoStatus) { > > > > return EFI_ABORTED; > > > > } > > > > @@ -1150,8 +1272,8 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > > // > > > > // '\0' is forced in CertCommonName. No overflow issue > > > > // > > > > - CryptoStatus = Sha256Update ( > > > > - mHashCtx, > > > > + CryptoStatus = mHashInfo[HashAlgId].Update ( > > > > + *(mHashInfo[HashAlgId].HashShaCtx), > > > > CertCommonName, > > > > AsciiStrLen (CertCommonName) > > > > ); > > > > @@ -1159,12 +1281,12 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > > return EFI_ABORTED; > > > > } > > > > > > > > - CryptoStatus = Sha256Update (mHashCtx, TbsCert, TbsCertSize); > > > > + CryptoStatus = mHashInfo[HashAlgId].Update > > (*(mHashInfo[HashAlgId].HashShaCtx), TbsCert, TbsCertSize); > > > > if (!CryptoStatus) { > > > > return EFI_ABORTED; > > > > } > > > > > > > > - CryptoStatus = Sha256Final (mHashCtx, Sha256Digest); > > > > + CryptoStatus = mHashInfo[HashAlgId].Final > > (*(mHashInfo[HashAlgId].HashShaCtx), ShaDigest); > > > > if (!CryptoStatus) { > > > > return EFI_ABORTED; > > > > } 
> > > > @@ -1516,9 +1638,10 @@ DeleteCertsFromDb ( > > /** > > > > Insert signer's certificates for common authenticated variable with > > VariableName > > > > and VendorGuid in AUTH_CERT_DB_DATA to "certdb" or "certdbv" > > according to > > > > - time based authenticated variable attributes. CertData is the > > SHA256 digest of > > > > + time based authenticated variable attributes. CertData is the SHA > > + digest of > > > > SignerCert CommonName + TopLevelCert tbsCertificate. > > > > > > > > + @param[in] HashAlgId Hash algorithm index. > > > > @param[in] VariableName Name of authenticated Variable. > > > > @param[in] VendorGuid Vendor GUID of authenticated Variable. > > > > @param[in] Attributes Attributes of authenticated variable. > > > > @@ -1536,6 +1659,7 @@ DeleteCertsFromDb ( **/ > > > > EFI_STATUS > > > > InsertCertsToDb ( > > > > + IN UINT8 HashAlgId, > > > > IN CHAR16 *VariableName, > > > > IN EFI_GUID *VendorGuid, > > > > IN UINT32 Attributes, > > > > @@ -1556,12 +1680,16 @@ InsertCertsToDb ( > > UINT32 CertDataSize; > > > > AUTH_CERT_DB_DATA *Ptr; > > > > CHAR16 *DbName; > > > > - UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; > > > > + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; > > > > > > > > if ((VariableName == NULL) || (VendorGuid == NULL) || (SignerCert > > == NULL) || (TopLevelCert == NULL)) { > > > > return EFI_INVALID_PARAMETER; > > > > } > > > > > > > > + if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { > > > > + return EFI_INVALID_PARAMETER; > > > > + } > > > > + > > > > if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) { > > > > // > > > > // Get variable "certdb". 
> > > > @@ -1618,20 +1746,22 @@ InsertCertsToDb ( > > // Construct new data content of variable "certdb" or "certdbv". > > > > // > > > > NameSize = (UINT32)StrLen (VariableName); > > > > - CertDataSize = sizeof (Sha256Digest); > > > > + CertDataSize = mHashInfo[HashAlgId].HashSize; > > > > CertNodeSize = sizeof (AUTH_CERT_DB_DATA) + (UINT32)CertDataSize + > > NameSize * sizeof (CHAR16); > > > > NewCertDbSize = (UINT32)DataSize + CertNodeSize; > > > > if (NewCertDbSize > mMaxCertDbSize) { > > > > return EFI_OUT_OF_RESOURCES; > > > > } > > > > > > > > - Status = CalculatePrivAuthVarSignChainSHA256Digest ( > > > > + Status = CalculatePrivAuthVarSignChainSHADigest ( > > > > + HashAlgId, > > > > SignerCert, > > > > SignerCertSize, > > > > TopLevelCert, > > > > TopLevelCertSize, > > > > - Sha256Digest > > > > + ShaDigest > > > > ); > > > > + > > > > if (EFI_ERROR (Status)) { > > > > return Status; > > > > } > > > > @@ -1663,7 +1793,7 @@ InsertCertsToDb ( > > > > > > CopyMem ( > > > > (UINT8 *)Ptr + sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof > > (CHAR16), > > > > - Sha256Digest, > > > > + ShaDigest, > > > > CertDataSize > > > > ); 
> > > > > > > > @@ -1790,6 +1920,36 @@ CleanCertsFromDb ( > > return Status; > > > > } > > > > > > > > +/** > > > > + Find hash algorithm index > > > > + > > > > + @param[in] SigData Pointer to the PKCS#7 message > > > > + @param[in] SigDataSize Length of the PKCS#7 message > > > > + > > > > + @retval UINT8 Hash Algorithm Index > > > > +**/ > > > > +UINT8 > > > > +FindHashAlgorithmIndex ( > > > > + IN UINT8 *SigData, > > > > + IN UINT32 SigDataSize > > > > +) > > > > +{ > > > > + UINT8 i; > > > > + > > > > + for (i = 0; i < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO)); i++) > > + { > > > > + if ( ( (SigDataSize >= (13 + mHashInfo[i].OidLength)) > > > > + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) == > > + TWO_BYTE_ENCODE) > > > > + && (CompareMem (SigData + 13, mHashInfo[i].OidValue, > > mHashInfo[i].OidLength) == 0))) > > > > + || (( (SigDataSize >= (32 + mHashInfo[i].OidLength))) > > > > + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) == > > + TWO_BYTE_ENCODE) > > > > + && (CompareMem (SigData + 32, mHashInfo[i].OidValue, > > mHashInfo[i].OidLength) == 0)))) > > > > + { > > > > + break; > > > > + } > > > > + } > > > > + return i; > > > > +} > > > > + > > > > /** > > > > Process variable with > > EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set > > > > > > > > @@ -1857,8 +2017,9 @@ VerifyTimeBasedPayload ( > > UINTN CertStackSize; > > > > UINT8 *CertsInCertDb; > > > > UINT32 CertsSizeinDb; > > > > - UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; > > > > + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; > > > > EFI_CERT_DATA *CertDataPtr; > > > > + UINT8 HashAlgId; > > > > > > > > // > > > > // 1. TopLevelCert is the top-level issuer certificate in signature > > Signer Cert Chain 
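Review bot: `FindHashAlgorithmIndex` returns the element count of `mHashInfo` when no OID matches, but the `@retval UINT8 Hash Algorithm Index` comment does not mention that sentinel even though every caller relies on it (`VerifyTimeBasedPayload` turns it into EFI_SECURITY_VIOLATION); add `@retval ARRAY_SIZE (mHashInfo) No supported digest-algorithm OID was found in SigData.` and use `ARRAY_SIZE (mHashInfo)` in place of the repeated `sizeof` division, as the file already does for `mAuthVarEntry`. The lookup inherits the fixed offsets 13 and 32 from the old SHA-256-only check and appears to assume the `TWO_BYTE_ENCODE` long-form length for the outer SEQUENCE; since that assumption now decides which digest binds the signer to certdb, state it in a comment, e.g. `// Assumes the SignedData SEQUENCE uses a two-byte length; the digestAlgorithms OID then sits at offset 13 (no certificates set) or 32.` `SigData` is untrusted variable payload, so the `SigDataSize >= 13 + OidLength` / `>= 32 + OidLength` guards are doing the bounds work for each `CompareMem` and must stay paired with it.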
> > > > @@ -1928,7 +2089,7 @@ VerifyTimeBasedPayload ( > > > > > > // > > > > // SignedData.digestAlgorithms shall contain the digest algorithm > > used when preparing the > > > > - // signature. Only a digest algorithm of SHA-256 is accepted. > > > > + // signature. Only a digest algorithm of SHA-256, SHA-384 or > > + SHA-512 is > > accepted. > > > > // > > > > // According to PKCS#7 Definition (https://www.rfc- > editor.org/rfc/rfc2315): > > > > // SignedData ::= SEQUENCE { > > > > @@ -1972,14 +2133,9 @@ VerifyTimeBasedPayload ( > > // > > > > // Example generated with: > > https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface > > /Secure_ > > Boot#Manual_process > > > > // > > > > + HashAlgId = FindHashAlgorithmIndex (SigData, SigDataSize); > > > > if ((Attributes & > > EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) { > > > > - if ( ( (SigDataSize >= (13 + sizeof (mSha256OidValue))) > > > > - && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) > > > > - || (CompareMem (SigData + 13, &mSha256OidValue, sizeof > > (mSha256OidValue)) != 0))) > > > > - && ( (SigDataSize >= (32 + sizeof (mSha256OidValue))) > > > > - && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) != > TWO_BYTE_ENCODE) > > > > - || (CompareMem (SigData + 32, &mSha256OidValue, sizeof > > (mSha256OidValue)) != 0)))) > > > > - { > > > > + if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { > > > > return EFI_SECURITY_VIOLATION; > > > > } > > > > } 
> > > > @@ -2170,19 +2326,20 @@ VerifyTimeBasedPayload ( > > goto Exit; > > > > } > > > > > > > > - if (CertsSizeinDb == SHA256_DIGEST_SIZE) { > > > > + if ((HashAlgId < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) > > + && > > (CertsSizeinDb == mHashInfo[HashAlgId].HashSize)) { > > > > // > > > > // Check hash of signer cert CommonName + Top-level issuer > > tbsCertificate against data in CertDb > > > > // > > > > CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1); > > > > - Status = CalculatePrivAuthVarSignChainSHA256Digest ( > > > > + Status = CalculatePrivAuthVarSignChainSHADigest ( > > > > + HashAlgId, > > > > CertDataPtr->CertDataBuffer, > > > > ReadUnaligned32 ((UINT32 > > *)&(CertDataPtr->CertDataLength)), > > > > TopLevelCert, > > > > TopLevelCertSize, > > > > - Sha256Digest > > > > + ShaDigest > > > > ); > > > > - if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, > CertsInCertDb, > > CertsSizeinDb) != 0)) { > > > > + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, > > + CertsInCertDb, > > CertsSizeinDb) != 0)) { > > > > goto Exit; > > > > } > > > > } else { > > > > @@ -2215,6 +2372,7 @@ VerifyTimeBasedPayload ( > > // > > > > CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1); > > > > Status = InsertCertsToDb ( > > > > + HashAlgId, > > > > VariableName, > > > > VendorGuid, > > > > Attributes, > > > > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h > > b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h > > index b202e613bc..f7bf771d55 100644 > > --- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h > > +++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h > > @@ -92,7 +92,9 @@ extern UINT32 mMaxCertDbSize; extern UINT32 > > mPlatformMode; > > > > extern UINT8 mVendorKeyState; > > > > > > > > -extern VOID *mHashCtx; > > > > +extern VOID *mHashSha256Ctx; > > > > +extern VOID *mHashSha384Ctx; > > > > +extern VOID *mHashSha512Ctx; > > > > > > > > extern AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn; 
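Review bot: The certdb record stores only digest bytes, so the digest algorithm is recovered purely from `CertsSizeinDb == mHashInfo[HashAlgId].HashSize`; a variable first enrolled through a SHA-256-signed update and later updated by the same signer with a SHA-384 or SHA-512 signature has a 32-byte record and drops into the `else` branch (outside the hunk), which, if it still compares the raw certificate data against `CertsInCertDb` as before, rejects that legitimate update. Either document at the `if` that a private authenticated variable's digest algorithm is fixed by its first write, or store the algorithm with the record (or try the stored length against each supported hash) so a signer can migrate to a stronger digest. The `HashAlgId < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))` guard appears to be needed because the index is validated earlier only when the time-based attribute is set; a one-line comment saying so, e.g. `// HashAlgId may still be the not-found sentinel here; never index mHashInfo without this check.`, would keep a later cleanup from dropping it.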
> > > > > > > > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > > b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > > index dc61ae840c..19e0004699 100644 > > --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > > +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > > @@ -26,12 +26,14 @@ UINT32 mMaxCertDbSize; > > UINT32 mPlatformMode; > > > > UINT8 mVendorKeyState; > > > > > > > > -EFI_GUID mSignatureSupport[] = { EFI_CERT_SHA1_GUID, > > EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, > EFI_CERT_X509_GUID }; > > > > +EFI_GUID mSignatureSupport[] = { EFI_CERT_SHA1_GUID, > > EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, > EFI_CERT_SHA512_GUID, > > EFI_CERT_RSA2048_GUID, EFI_CERT_RSA3072_GUID, > EFI_CERT_RSA4096_GUID, > > EFI_CERT_X509_GUID }; > > > > > > > > // > > > > // Hash context pointer > > > > // > > > > -VOID *mHashCtx = NULL; > > > > +VOID *mHashSha256Ctx = NULL; > > > > +VOID *mHashSha384Ctx = NULL; > > > > +VOID *mHashSha512Ctx = NULL; > > > > > > > > VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = { > > > > { > > > > @@ -91,7 +93,7 @@ VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = { > > }, > > > > }; > > > > > > > > -VOID **mAuthVarAddressPointer[9]; > > > > +VOID **mAuthVarAddressPointer[11]; > > > > > > > > AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn = NULL; > > > > > > > > @@ -120,7 +122,6 @@ AuthVariableLibInitialize ( > > UINT32 VarAttr; > > > > UINT8 *Data; > > > > UINTN DataSize; > > > > - UINTN CtxSize; > > > > UINT8 SecureBootMode; > > > > UINT8 SecureBootEnable; > > > > UINT8 CustomMode; 
> > > > @@ -135,9 +136,18 @@ AuthVariableLibInitialize ( > > // > > > > // Initialize hash context. > > > > // > > > > - CtxSize = Sha256GetContextSize (); > > > > - mHashCtx = AllocateRuntimePool (CtxSize); > > > > - if (mHashCtx == NULL) { > > > > + mHashSha256Ctx = AllocateRuntimePool (Sha256GetContextSize ()); > > > > + if (mHashSha256Ctx == NULL) { > > > > + return EFI_OUT_OF_RESOURCES; > > > > + } > > > > + > > > > + mHashSha384Ctx = AllocateRuntimePool (Sha384GetContextSize ()); > > > > + if (mHashSha384Ctx == NULL) { > > > > + return EFI_OUT_OF_RESOURCES; > > > > + } > > > > + > > > > + mHashSha512Ctx = AllocateRuntimePool (Sha512GetContextSize ()); > > > > + if (mHashSha512Ctx == NULL) { > > > > return EFI_OUT_OF_RESOURCES; > > > > } 
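Review bot: Allocating three runtime-pool contexts means a failure of the second or third `AllocateRuntimePool` returns EFI_OUT_OF_RESOURCES while leaking the contexts already allocated, and it also grows the list of pointers that must be converted at SetVirtualAddressMap. As far as the visible code shows only one digest is in flight at a time (each `CalculatePrivAuthVarSignChainSHADigest` call runs Init/Update/Final to completion), so a single context sized for the largest algorithm would do: `CtxSize = MAX (Sha256GetContextSize (), MAX (Sha384GetContextSize (), Sha512GetContextSize ()));` followed by the original `mHashCtx = AllocateRuntimePool (CtxSize);`, after which `EFI_HASH_INFO` no longer needs a per-algorithm `HashShaCtx`. If three separate contexts are kept, free the earlier ones before each `return EFI_OUT_OF_RESOURCES`.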
> > > > > > > > @@ -356,14 +366,16 @@ AuthVariableLibInitialize ( > > AuthVarLibContextOut->AuthVarEntry = mAuthVarEntry; > > > > AuthVarLibContextOut->AuthVarEntryCount = ARRAY_SIZE > (mAuthVarEntry); > > > > mAuthVarAddressPointer[0] = (VOID **)&mCertDbStore; > > > > - mAuthVarAddressPointer[1] = (VOID **)&mHashCtx; > > > > - mAuthVarAddressPointer[2] = (VOID > **)&mAuthVarLibContextIn; > > > > - mAuthVarAddressPointer[3] = (VOID > **)&(mAuthVarLibContextIn- > > >FindVariable), > > > > - mAuthVarAddressPointer[4] = (VOID > **)&(mAuthVarLibContextIn- > > >FindNextVariable), > > > > - mAuthVarAddressPointer[5] = (VOID > **)&(mAuthVarLibContextIn- > > >UpdateVariable), > > > > - mAuthVarAddressPointer[6] = (VOID > **)&(mAuthVarLibContextIn- > > >GetScratchBuffer), > > > > - mAuthVarAddressPointer[7] = (VOID > **)&(mAuthVarLibContextIn- > > >CheckRemainingSpaceForConsistency), > > > > - mAuthVarAddressPointer[8] = (VOID > **)&(mAuthVarLibContextIn- > > >AtRuntime), > > > > + mAuthVarAddressPointer[1] = (VOID **)&mHashSha256Ctx; > > > > + mAuthVarAddressPointer[2] = (VOID **)&mHashSha384Ctx; > > > > + mAuthVarAddressPointer[3] = (VOID **)&mHashSha512Ctx; > > > > + mAuthVarAddressPointer[4] = (VOID > **)&mAuthVarLibContextIn; > > > > + mAuthVarAddressPointer[5] = (VOID > **)&(mAuthVarLibContextIn- > > >FindVariable), > > > > + mAuthVarAddressPointer[6] = (VOID > **)&(mAuthVarLibContextIn- > > >FindNextVariable), > > > > + mAuthVarAddressPointer[7] = (VOID > **)&(mAuthVarLibContextIn- > > >UpdateVariable), > > > > + mAuthVarAddressPointer[8] = (VOID > **)&(mAuthVarLibContextIn- > > >GetScratchBuffer), > > > > + mAuthVarAddressPointer[9] = (VOID > **)&(mAuthVarLibContextIn- > > >CheckRemainingSpaceForConsistency), > > > > + mAuthVarAddressPointer[10] = (VOID > **)&(mAuthVarLibContextIn- > > >AtRuntime), > > > > AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer; > > > > AuthVarLibContextOut->AddressPointerCount = ARRAY_SIZE > > (mAuthVarAddressPointer); 
> > > > > > > > diff --git > > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib. > > c > > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib. > > c > > index 5d8dbd5468..88b2d3c6c1 100644 > > --- > > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib. > > c > > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerification > > +++ Lib.c > > @@ -1620,7 +1620,7 @@ Done: > > in the security database "db", and no valid signature nor any > > hash value of the image may > > > > be reflected in the security database "dbx". > > > > Otherwise, the image is not signed, > > > > - The SHA256 hash value of the image must match a record in the > security > > database "db", and > > > > + The hash value of the image must match a record in the security > > + database > > "db", and > > > > not be reflected in the security data base "dbx". > > > > > > > > Caution: This function may receive untrusted input. > > > > @@ -1690,6 +1690,8 @@ DxeImageVerificationHandler ( > > EFI_STATUS VarStatus; > > > > UINT32 VarAttr; > > > > BOOLEAN IsFound; > > > > + UINT8 HashAlg; > > > > + BOOLEAN IsFoundInDatabase; > > > > > > > > SignatureList = NULL; > > > > SignatureListSize = 0; > > > > @@ -1699,6 +1701,7 @@ DxeImageVerificationHandler ( > > Action = EFI_IMAGE_EXECUTION_AUTH_UNTESTED; > > > > IsVerified = FALSE; > > > > IsFound = FALSE; > > > > + IsFoundInDatabase = FALSE; > > > > > > > > // > > > > // Check the image type and get policy setting. 
> > > > @@ -1837,40 +1840,50 @@ DxeImageVerificationHandler ( > > // > > > > if ((SecDataDir == NULL) || (SecDataDir->Size == 0)) { > > > > // > > > > - // This image is not signed. The SHA256 hash value of the image must > match a > > record in the security database "db", > > > > + // This image is not signed. The hash value of the image must > > + match a record > > in the security database "db", > > > > // and not be reflected in the security data base "dbx". > > > > // > > > > - if (!HashPeImage (HASHALG_SHA256)) { > > > > - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this > image > > using %s.\n", mHashTypeStr)); > > > > - goto Failed; > > > > - } > > > > + HashAlg = sizeof (mHash) / sizeof (HASH_TABLE); > > > > + while (HashAlg > 0) { > > > > + HashAlg--; > > > > + if ((mHash[HashAlg].GetContextSize == NULL) || > > + (mHash[HashAlg].HashInit > > == NULL) || (mHash[HashAlg].HashUpdate == NULL) || > > (mHash[HashAlg].HashFinal == NULL)) { > > > > + continue; > > > > + } > > > > + if (!HashPeImage (HashAlg)) { > > > > + continue; > > > > + } > > > > > > > > - DbStatus = IsSignatureFoundInDatabase ( > > > > - EFI_IMAGE_SECURITY_DATABASE1, > > > > - mImageDigest, > > > > - &mCertType, > > > > - mImageDigestSize, > > > > - &IsFound > > > > - ); > > > > - if (EFI_ERROR (DbStatus) || IsFound) { > > > > - // > > > > - // Image Hash is in forbidden database (DBX). > > > > - // > > > > - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed > and %s > > hash of image is forbidden by DBX.\n", mHashTypeStr)); > > > > - goto Failed; > > > > + DbStatus = IsSignatureFoundInDatabase ( > > > > + EFI_IMAGE_SECURITY_DATABASE1, > > > > + mImageDigest, > > > > + &mCertType, > > > > + mImageDigestSize, > > > > + &IsFound > > > > + ); > > > > + if (EFI_ERROR (DbStatus) || IsFound) { > > > > + // > > > > + // Image Hash is in forbidden database (DBX). 
> > > > + // > > > > + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not > > + signed > > and %s hash of image is forbidden by DBX.\n", mHashTypeStr)); > > > > + goto Failed; > > > > + } > > > > + > > > > + DbStatus = IsSignatureFoundInDatabase ( > > > > + EFI_IMAGE_SECURITY_DATABASE, > > > > + mImageDigest, > > > > + &mCertType, > > > > + mImageDigestSize, > > > > + &IsFound > > > > + ); > > > > + if (!EFI_ERROR (DbStatus) && IsFound) { > > > > + // > > > > + // Image Hash is in allowed database (DB). > > > > + // > > > > + IsFoundInDatabase = TRUE; > > > > + } > > > > } > > > > > > > > - DbStatus = IsSignatureFoundInDatabase ( > > > > - EFI_IMAGE_SECURITY_DATABASE, > > > > - mImageDigest, > > > > - &mCertType, > > > > - mImageDigestSize, > > > > - &IsFound > > > > - ); > > > > - if (!EFI_ERROR (DbStatus) && IsFound) { > > > > - // > > > > - // Image Hash is in allowed database (DB). > > > > - // > > > > + if (IsFoundInDatabase) { > > > > return EFI_SUCCESS; > > > > } > > > > > > > > diff --git > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > f > > igDx > > e.inf > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > f > > igDx > > e.inf > > index 1671d5be7c..cb52a16c09 100644 > > --- > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > f > > igDx > > e.inf > > +++ > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > f > > igDx > > e.inf 
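Review bot: The unsigned-image path now walks every `mHash` entry that has non-NULL callbacks, so if that table (outside the hunk) still lists SHA-1 with live function pointers, an unsigned image can be authorised by an `EFI_CERT_SHA1_GUID` entry in db, which the previous SHA-256-only code did not allow; that is a policy change that should be deliberate and stated in the commit message, or the loop should stop above `HASHALG_SHA1`. A `HashPeImage` failure used to `goto Failed`; it now `continue`s silently, so an image for which every hash attempt fails leaves `IsFoundInDatabase` FALSE and depends on whatever follows the hunk to reject it — a `DEBUG` line on that path would help diagnosis. Hashing the image and reading db/dbx once per algorithm multiplies the cost of the common case, which is acceptable, but the reason for not breaking out once db matches deserves a comment above the loop, e.g. `// Try every supported digest so that a dbx entry under any algorithm still blocks the image.`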
> > @@ -70,6 +70,14 @@ > > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of > the > > signature. > > > > gEfiCertRsa2048Guid > > > > > > > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of > the > > signature. > > > > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of > the > > signature. > > > > + gEfiCertRsa3072Guid > > > > + > > > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of > the > > signature. > > > > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of > the > > signature. > > > > + gEfiCertRsa4096Guid > > > > + > > > > ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of > the > > signature. > > > > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of > the > > signature. > > > > gEfiCertX509Guid > > > > @@ -82,6 +90,14 @@ > > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of > the > > signature. > > > > gEfiCertSha256Guid > > > > > > > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of > the > > signature. > > > > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of > the > > signature. > > > > + gEfiCertSha384Guid > > > > + > > > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of > the > > signature. > > > > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of > the > > signature. > > > > + gEfiCertSha512Guid > > > > + > > > > ## SOMETIMES_CONSUMES ## Variable:L"db" > > > > ## SOMETIMES_PRODUCES ## Variable:L"db" > > > > ## SOMETIMES_CONSUMES ## Variable:L"dbx" > > > > diff --git > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > f > > igIm > > pl.c > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > f > > igIm > > pl.c > > index 0e31502b1b..90268d34d3 100644 > > --- > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > f > > igIm > > pl.c > > +++ > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > f > > igIm > > pl.c 
> > @@ -560,7 +560,7 @@ ON_EXIT: > > > > > > **/ > > > > EFI_STATUS > > > > -EnrollRsa2048ToKek ( > > > > +EnrollRsaToKek ( > > > > IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private > > > > ) > > > > { > > > > @@ -603,8 +603,19 @@ EnrollRsa2048ToKek ( > > > > > > ASSERT (KeyBlob != NULL); > > > > KeyInfo = (CPL_KEY_INFO *)KeyBlob; > > > > - if (KeyInfo->KeyLengthInBits / 8 != WIN_CERT_UEFI_RSA2048_SIZE) { > > > > - DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is > > supported.\n")); > > > > + if (KeyInfo->KeyType == 0) { > > > > + switch (KeyInfo->KeyLengthInBits / 8) { > > > > + case WIN_CERT_UEFI_RSA2048_SIZE: > > > > + case WIN_CERT_UEFI_RSA3072_SIZE: > > > > + case WIN_CERT_UEFI_RSA4096_SIZE: > > > > + break; > > > > + default : > > > > + DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048, > > + RSA3072 > > and RSA4096 are supported.\n")); > > > > + Status = EFI_UNSUPPORTED; > > > > + goto ON_EXIT; > > > > + } > > > > + } else { > > > > + DEBUG ((DEBUG_ERROR, "Unsupported key type : %d, only 0 is > > supported.\n", KeyInfo->KeyType)); > > > > Status = EFI_UNSUPPORTED; > > > > goto ON_EXIT; > > > > } > > > > @@ -632,7 +643,7 @@ EnrollRsa2048ToKek ( > > // > > > > KekSigListSize = sizeof (EFI_SIGNATURE_LIST) > > > > + sizeof (EFI_SIGNATURE_DATA) - 1 > > > > - + WIN_CERT_UEFI_RSA2048_SIZE; > > > > + + KeyLenInBytes; > > > > > > > > KekSigList = (EFI_SIGNATURE_LIST *)AllocateZeroPool > > (KekSigListSize); > > > > if (KekSigList == NULL) { 
> > > > @@ -642,17 +653,32 @@ EnrollRsa2048ToKek ( > > > > > > KekSigList->SignatureListSize = sizeof (EFI_SIGNATURE_LIST) > > > > + sizeof (EFI_SIGNATURE_DATA) - 1 > > > > - + WIN_CERT_UEFI_RSA2048_SIZE; > > > > + + (UINT32) KeyLenInBytes; > > > > KekSigList->SignatureHeaderSize = 0; > > > > - KekSigList->SignatureSize = sizeof (EFI_SIGNATURE_DATA) - 1 + > > WIN_CERT_UEFI_RSA2048_SIZE; > > > > - CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); > > > > + KekSigList->SignatureSize = sizeof (EFI_SIGNATURE_DATA) - 1 + > (UINT32) > > KeyLenInBytes; > > > > + switch (KeyLenInBytes) { > > > > + case WIN_CERT_UEFI_RSA2048_SIZE: > > > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); > > > > + break; > > > > + case WIN_CERT_UEFI_RSA3072_SIZE: > > > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid); > > > > + break; > > > > + case WIN_CERT_UEFI_RSA4096_SIZE: > > > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid); > > > > + break; > > > > + break; > > > > + default : > > > > + DEBUG ((DEBUG_ERROR, "Unsupported key length.\n")); > > > > + Status = EFI_UNSUPPORTED; > > > > + goto ON_EXIT; > > > > + } > > > > > > > > KEKSigData = (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof > > (EFI_SIGNATURE_LIST)); > > > > CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID); > > > > CopyMem ( > > > > KEKSigData->SignatureData, > > > > KeyBlob + sizeof (CPL_KEY_INFO), > > > > - WIN_CERT_UEFI_RSA2048_SIZE > > > > + KeyLenInBytes > > > > ); > > > > > > > > // > > > > @@ -890,7 +916,7 @@ EnrollKeyExchangeKey ( > > if (IsDerEncodeCertificate (FilePostFix)) { > > > > return EnrollX509ToKek (Private); > > > > } else if (CompareMem (FilePostFix, L".pbk", 4) == 0) { > > > > - return EnrollRsa2048ToKek (Private); > > > > + return EnrollRsaToKek (Private); > > > > } else { > > > > // > > > > // File type is wrong, simply close it 
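Review bot: The `case WIN_CERT_UEFI_RSA4096_SIZE:` arm ends with `break; break;`; the second statement is unreachable and should be dropped. This switch also repeats the length validation already done in the `@@ -603,8 +603,19 @@` hunk, so its `default` branch can never be taken; choosing the signature-type GUID once, in that earlier switch, would keep the two places in step when another key size is added. The final `CopyMem` reads `KeyLenInBytes` bytes past `CPL_KEY_INFO` from a file-supplied blob, and nothing in the visible hunks compares the blob's size to `sizeof (CPL_KEY_INFO) + KeyLenInBytes`, so unless EnrollRsaToKek already does that before this hunk, a truncated .pbk file would be read past its end. EnrollRsaToKek begins and ends outside the hunk.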
> > > > @@ -1847,7 +1873,7 @@ HashPeImage ( > > SectionHeader = NULL; > > > > Status = FALSE; > > > > > > > > - if (HashAlg != HASHALG_SHA256) { > > > > + if ((HashAlg >= HASHALG_MAX)) { > > > > return FALSE; > > > > } > > > > > > > > @@ -1856,8 +1882,25 @@ HashPeImage ( > > // > > > > ZeroMem (mImageDigest, MAX_DIGEST_SIZE); > > > > > > > > - mImageDigestSize = SHA256_DIGEST_SIZE; > > > > - mCertType = gEfiCertSha256Guid; > > > > + switch (HashAlg) { > > > > + case HASHALG_SHA256: > > > > + mImageDigestSize = SHA256_DIGEST_SIZE; > > > > + mCertType = gEfiCertSha256Guid; > > > > + break; > > > > + > > > > + case HASHALG_SHA384: > > > > + mImageDigestSize = SHA384_DIGEST_SIZE; > > > > + mCertType = gEfiCertSha384Guid; > > > > + break; > > > > + > > > > + case HASHALG_SHA512: > > > > + mImageDigestSize = SHA512_DIGEST_SIZE; > > > > + mCertType = gEfiCertSha512Guid; > > > > + break; > > > > + > > > > + default: > > > > + return FALSE; > > > > + } > > > > > > > > CtxSize = mHash[HashAlg].GetContextSize (); > > > > > > > > @@ -2251,6 +2294,7 @@ EnrollImageSignatureToSigDB ( > > UINT32 Attr; > > > > WIN_CERTIFICATE_UEFI_GUID *GuidCertData; > > > > EFI_TIME Time; > > > > + UINT32 HashAlg; > > > > > > > > Data = NULL; > > > > GuidCertData = NULL; 
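Review bot: `if ((HashAlg >= HASHALG_MAX)) {` carries a redundant pair of parentheses; `if (HashAlg >= HASHALG_MAX) {` matches the rest of the file. The new switch's `default: return FALSE;` already rejects every HASHALG_* value other than SHA256/SHA384/SHA512, which is the desired behaviour, but it is not obvious to a reader that the omission of the smaller digests is deliberate; a one-line comment above the switch such as `// Only SHA256/SHA384/SHA512 digests may be enrolled; other mHash entries are rejected here` would record that. HashPeImage continues past the hunk.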
> > > > @@ -2289,8 +2333,20 @@ EnrollImageSignatureToSigDB ( > > } > > > > > > > > if (mSecDataDir->SizeOfCert == 0) { > > > > - if (!HashPeImage (HASHALG_SHA256)) { > > > > - Status = EFI_SECURITY_VIOLATION; > > > > + Status = EFI_SECURITY_VIOLATION; > > > > + HashAlg = sizeof (mHash) / sizeof (HASH_TABLE); > > > > + while (HashAlg > 0) { > > > > + HashAlg--; > > > > + if ((mHash[HashAlg].GetContextSize == NULL) || > > + (mHash[HashAlg].HashInit > > == NULL) || (mHash[HashAlg].HashUpdate == NULL) || > > (mHash[HashAlg].HashFinal == NULL)) { > > > > + continue; > > > > + } > > > > + if (HashPeImage (HashAlg)) { > > > > + Status = EFI_SUCCESS; > > > > + break; > > > > + } > > > > + } > > > > + if (EFI_ERROR (Status)) { > > > > + DEBUG ((DEBUG_ERROR, "Fail to get hash digest: %r", Status)); > > > > goto ON_EXIT; > > > > } > > > > } else { > > > > @@ -2589,6 +2645,10 @@ UpdateDeletePage ( > > while ((ItemDataSize > 0) && (ItemDataSize >= > > CertList->SignatureListSize)) { > > > > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)) > > { > > > > Help = STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID); > > > > + } else if (CompareGuid (&CertList->SignatureType, > > + &gEfiCertRsa3072Guid)) { > > > > + Help = STRING_TOKEN (STR_CERT_TYPE_RSA3072_SHA384_GUID); > > > > + } else if (CompareGuid (&CertList->SignatureType, > > + &gEfiCertRsa4096Guid)) { > > > > + Help = STRING_TOKEN (STR_CERT_TYPE_RSA4096_SHA512_GUID); > > > > } else if (CompareGuid (&CertList->SignatureType, > > &gEfiCertX509Guid)) { > > > > Help = STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID); > > > > } else if (CompareGuid (&CertList->SignatureType, > > &gEfiCertSha1Guid)) { 
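Review bot: `DEBUG ((DEBUG_ERROR, "Fail to get hash digest: %r", Status));` lacks the trailing `\n` that every other DEBUG string in these hunks has, so the following log line is glued onto it; use `"Fail to get hash digest: %r\n"`. The loop walks mHash from the highest index down and breaks on the first HashPeImage success, so the digest enrolled into db is whichever supported algorithm sits last in the table — presumably SHA512 — instead of SHA256 as before; that changes which firmware will later match the entry, and deserves a comment on the loop or a sentence in the commit message saying it is intended. EnrollImageSignatureToSigDB continues outside the hunk.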
> > > > @@ -2750,6 +2810,8 @@ DeleteKeyExchangeKey ( > > GuidIndex = 0; > > > > while ((KekDataSize > 0) && (KekDataSize >= > > CertList->SignatureListSize)) { > > > > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) > > || > > > > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) > > + || > > > > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) > > + || > > > > CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) > > > > { > > > > CopyMem (Data + Offset, CertList, (sizeof (EFI_SIGNATURE_LIST) > > + CertList- > > >SignatureHeaderSize)); > > > > @@ -2952,6 +3014,8 @@ DeleteSignature ( > > GuidIndex = 0; > > > > while ((ItemDataSize > 0) && (ItemDataSize >= > > CertList->SignatureListSize)) { > > > > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) > > || > > > > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) > > + || > > > > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) > > + || > > > > CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) || > > > > CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) || > > > > CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid) > > || 
> > > > @@ -3758,12 +3822,20 @@ LoadSignatureList ( > > while ((RemainingSize > 0) && (RemainingSize >= > > ListWalker->SignatureListSize)) { > > > > if (CompareGuid (&ListWalker->SignatureType, > > &gEfiCertRsa2048Guid)) { > > > > ListType = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256); > > > > + } else if (CompareGuid (&ListWalker->SignatureType, > > + &gEfiCertRsa3072Guid)) > > { > > > > + ListType = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384); > > > > + } else if (CompareGuid (&ListWalker->SignatureType, > > + &gEfiCertRsa4096Guid)) > > { > > > > + ListType = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512); > > > > } else if (CompareGuid (&ListWalker->SignatureType, > > &gEfiCertX509Guid)) { > > > > ListType = STRING_TOKEN (STR_LIST_TYPE_X509); > > > > } else if (CompareGuid (&ListWalker->SignatureType, > > &gEfiCertSha1Guid)) { > > > > ListType = STRING_TOKEN (STR_LIST_TYPE_SHA1); > > > > } else if (CompareGuid (&ListWalker->SignatureType, > > &gEfiCertSha256Guid)) { > > > > ListType = STRING_TOKEN (STR_LIST_TYPE_SHA256); > > > > + } else if (CompareGuid (&ListWalker->SignatureType, > > + &gEfiCertSha384Guid)) { > > > > + ListType = STRING_TOKEN (STR_LIST_TYPE_SHA384); > > > > + } else if (CompareGuid (&ListWalker->SignatureType, > > + &gEfiCertSha512Guid)) { > > > > + ListType = STRING_TOKEN (STR_LIST_TYPE_SHA512); > > > > } else if (CompareGuid (&ListWalker->SignatureType, > > &gEfiCertX509Sha256Guid)) { > > > > ListType = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); > > > > } else if (CompareGuid (&ListWalker->SignatureType, > > &gEfiCertX509Sha384Guid)) { 
> > > > @@ -4001,6 +4073,14 @@ FormatHelpInfo ( > > ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256); > > > > DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID); > > > > IsCert = TRUE; > > > > + } else if (CompareGuid (&ListEntry->SignatureType, > > + &gEfiCertRsa3072Guid)) { > > > > + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384); > > > > + DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID); > > > > + IsCert = TRUE; > > > > + } else if (CompareGuid (&ListEntry->SignatureType, > > + &gEfiCertRsa4096Guid)) { > > > > + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512); > > > > + DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID); > > > > + IsCert = TRUE; > > > > } else if (CompareGuid (&ListEntry->SignatureType, > > &gEfiCertX509Guid)) { > > > > ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509); > > > > DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID); > > > > @@ -4011,6 +4091,12 @@ FormatHelpInfo ( > > } else if (CompareGuid (&ListEntry->SignatureType, > > &gEfiCertSha256Guid)) { > > > > ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA256); > > > > DataSize = 32; > > > > + } else if (CompareGuid (&ListEntry->SignatureType, > > + &gEfiCertSha384Guid)) { > > > > + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA384); > > > > + DataSize = 48; > > > > + } else if (CompareGuid (&ListEntry->SignatureType, > > + &gEfiCertSha512Guid)) { > > > > + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA512); > > > > + DataSize = 64; > > > > } else if (CompareGuid (&ListEntry->SignatureType, > > &gEfiCertX509Sha256Guid)) { > > > > ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); > > > > DataSize = 32; 
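Review bot: The new branches assign `DataSize = 48;` and `DataSize = 64;` while the HashPeImage hunk in the same file expresses the same quantities as `SHA384_DIGEST_SIZE` and `SHA512_DIGEST_SIZE`; writing `DataSize = SHA384_DIGEST_SIZE;` and `DataSize = SHA512_DIGEST_SIZE;` here keeps the two places in agreement. The neighbouring `DataSize = 32;` for SHA256 predates this patch, but the added lines need not copy its literal style. FormatHelpInfo starts and ends outside the hunk.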
> > > > diff --git > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > f > > igIm > > pl.h > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > f > > igIm > > pl.h > > index 37c66f1b95..ae50d929a7 100644 > > --- > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > f > > igIm > > pl.h > > +++ > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > f > > igIm > > pl.h > > @@ -82,6 +82,8 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; #define > > MAX_DIGEST_SIZE SHA512_DIGEST_SIZE > > > > > > > > #define WIN_CERT_UEFI_RSA2048_SIZE 256 > > > > +#define WIN_CERT_UEFI_RSA3072_SIZE 384 > > > > +#define WIN_CERT_UEFI_RSA4096_SIZE 512 > > > > > > > > // > > > > // Support hash types > > > > diff --git > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > f > > igStr > > ings.uni > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > f > > igStr > > ings.uni > > index 0d01701de7..1b48acc800 100644 > > --- > > > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > f > > igStr > > ings.uni > > +++ > > > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCon > f > > igStr > > ings.uni 
> > @@ -113,6 +113,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > > #string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP #language en- > US > > "Read the public key of KEK from file" > > > > #string STR_FILE_EXPLORER_TITLE #language en-US "File > Explorer" > > > > #string STR_CERT_TYPE_RSA2048_SHA256_GUID #language en-US > > "RSA2048_SHA256_GUID" > > > > +#string STR_CERT_TYPE_RSA3072_SHA384_GUID #language en-US > > "RSA3072_SHA384_GUID" > > > > +#string STR_CERT_TYPE_RSA4096_SHA512_GUID #language en-US > > "RSA4096_SHA512_GUID" > > > > #string STR_CERT_TYPE_PCKS7_GUID #language en-US > "PKCS7_GUID" > > > > #string STR_CERT_TYPE_SHA1_GUID #language en-US > "SHA1_GUID" > > > > #string STR_CERT_TYPE_SHA256_GUID #language en-US > > "SHA256_GUID" 
> > > > @@ -121,9 +123,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > > #string STR_CERT_TYPE_X509_SHA512_GUID #language en-US > > "X509_SHA512_GUID" > > > > > > > > #string STR_LIST_TYPE_RSA2048_SHA256 #language en-US > > "RSA2048_SHA256" > > > > +#string STR_LIST_TYPE_RSA3072_SHA384 #language en-US > > "RSA3072_SHA384" > > > > +#string STR_LIST_TYPE_RSA4096_SHA512 #language en-US > > "RSA4096_SHA512" > > > > #string STR_LIST_TYPE_X509 #language en-US "X509" > > > > #string STR_LIST_TYPE_SHA1 #language en-US "SHA1" > > > > #string STR_LIST_TYPE_SHA256 #language en-US "SHA256" > > > > +#string STR_LIST_TYPE_SHA384 #language en-US "SHA384" > > > > +#string STR_LIST_TYPE_SHA512 #language en-US "SHA512" > > > > #string STR_LIST_TYPE_X509_SHA256 #language en-US > "X509_SHA256" > > > > #string STR_LIST_TYPE_X509_SHA384 #language en-US > "X509_SHA384" > > > > #string STR_LIST_TYPE_X509_SHA512 #language en-US > "X509_SHA512" > > > > -- > > 2.26.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#107219): https://edk2.groups.io/g/devel/message/107219 Mute This Topic: https://groups.io/mt/99981532/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-