From nobody Sun May 12 10:17:32 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+106682+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+106682+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1688630819; cv=none; d=zohomail.com; s=zohoarc; b=iDOPaEmYPIodRuM3q6XOiuqe6V8VkD37819wP4RzheEMVgEjuQbYBTJbF744EcOQH4PbBPQ7Tw8XWKs8to1Ywsm4/hFH7lxKhYrLAn50vThb7od0TqL0At10rXKAhCFwSnBW6JGWfDMpIxBAdvIXWzVHI9juKDL0ANqHDb2cTl0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1688630819; h=Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Sender:Subject:To; bh=OIJ0RO3QxQLjTmHg6le0BsHvxOJW5YqApvA6/FJBIdQ=; b=RKFlQUy9+UcwGiE/aby1RaikeebQ0BBMwdKaPzATzC0VED8N+jC6YJMr+MtJkm0lw1ba8/nlwh4aVdNxYeKjCIWKF6tQ29aiAN8+v/gDqhoN3hIGm5vbS2a0Q8yrL5lYdDxoVX/bpSsQKt4nT8z1d1JIeE7C/mJ1axsxdePqGDM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+106682+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1688630819311523.0453959078263; Thu, 6 Jul 2023 01:06:59 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id qEAyYY1788612xLDiKwANGEM; Thu, 06 Jul 2023 01:06:58 -0700 X-Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mx.groups.io with SMTP id smtpd.web11.16806.1688630817642668691 for ; Thu, 06 Jul 2023 01:06:58 -0700 X-IronPort-AV: E=McAfee;i="6600,9927,10762"; a="343129133" X-IronPort-AV: E=Sophos;i="6.01,185,1684825200"; d="scan'208";a="343129133" X-Received: from orsmga004.jf.intel.com ([10.7.209.38]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 06 Jul 2023 01:06:35 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10762"; a="843583487" X-IronPort-AV: E=Sophos;i="6.01,185,1684825200"; d="scan'208";a="843583487" X-Received: from shwdesssddpdwei.ccr.corp.intel.com ([10.239.157.28]) by orsmga004.jf.intel.com with ESMTP; 06 Jul 2023 01:06:29 -0700 From: "Sheng Wei" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Min Xu , Zeyi Chen , Fiona Wang Subject: [edk2-devel] [PATCH v4] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 Date: Thu, 6 Jul 2023 16:06:26 +0800 Message-Id: <20230706080626.1667-1-w.sheng@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,w.sheng@intel.com X-Gm-Message-State: jZvmVpTkj1o1Br0w8Bbja3RPx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1688630818; bh=r9IYoKMP8e5erEn0jbHH0G2QetkWpLJxhEzrU4AQdvE=; h=Cc:Date:From:Reply-To:Subject:To; b=rti3ZrIyA66I9IG1J5Z1SbXndULBwtvPPKT34rq8ANRvqu1GzhIfSmocWw1RYOFzqwU YMtBk6dO/lkvlSH/WaTDZCZ2uW2tJSo4mzt2CbB0E+lhxc6UKL/0C3RGYUIOGHxzJe81I vQwrDYCSAsoydzOLkdoAdHNAc3lSR0U87E8= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1688630820211100001 Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3413 Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Cc: Zeyi Chen Cc: Fiona Wang Signed-off-by: Sheng Wei --- CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- MdePkg/Include/Guid/ImageAuthentication.h | 26 +++ MdePkg/MdePkg.dec | 2 + .../Library/AuthVariableLib/AuthService.c | 220 +++++++++++++++--- .../AuthVariableLib/AuthServiceInternal.h | 4 +- .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++-- .../DxeImageVerificationLib.c | 73 +++--- .../SecureBootConfigDxe.inf | 16 ++ .../SecureBootConfigImpl.c | 114 +++++++-- .../SecureBootConfigImpl.h | 2 + .../SecureBootConfigStrings.uni | 6 + 11 files changed, 416 insertions(+), 92 deletions(-) diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Librar= y/BaseCryptLib/Pk/CryptTs.c index 027dbb6842..944bcf8d38 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c @@ -591,7 +591,8 @@ ImageTimestampVerify ( // Register & Initialize necessary digest algorithms for PKCS#7 Handling. // if ((EVP_add_digest (EVP_md5 ()) =3D=3D 0) || (EVP_add_digest (EVP_sha1 = ()) =3D=3D 0) || - (EVP_add_digest (EVP_sha256 ()) =3D=3D 0) || ((EVP_add_digest_alias = (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) =3D=3D 0)) + (EVP_add_digest (EVP_sha256 ()) =3D=3D 0) || (EVP_add_digest (EVP_sh= a384 ()) =3D=3D 0) || + (EVP_add_digest (EVP_sha512 ()) =3D=3D 0) || ((EVP_add_digest_alias = (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) =3D=3D 0)) { return FALSE; } diff --git a/MdePkg/Include/Guid/ImageAuthentication.h b/MdePkg/Include/Gui= d/ImageAuthentication.h index fe83596571..c8ea2c14fb 100644 --- a/MdePkg/Include/Guid/ImageAuthentication.h +++ b/MdePkg/Include/Guid/ImageAuthentication.h @@ -144,6 +144,30 @@ typedef struct { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3,= 0xb6} \ } =20 +/// +/// This identifies a signature containing an RSA-3072 key. The key (only = the modulus +/// since the public key exponent is known to be 0x10001) shall be stored = in big-endian +/// order. +/// The SignatureHeader size shall always be 0. The SignatureSize shall al= ways be 16 (size +/// of SignatureOwner component) + 384 bytes. +/// +#define EFI_CERT_RSA3072_GUID \ + { \ + 0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee,= 0x92 } \ + } + +/// +/// This identifies a signature containing an RSA-4096 key. The key (only = the modulus +/// since the public key exponent is known to be 0x10001) shall be stored = in big-endian +/// order. +/// The SignatureHeader size shall always be 0. The SignatureSize shall al= ways be 16 (size +/// of SignatureOwner component) + 512 bytes. +/// +#define EFI_CERT_RSA4096_GUID \ + { \ + 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98,= 0x2c } \ + } + /// /// This identifies a signature containing a RSA-2048 signature of a SHA-2= 56 hash. The /// SignatureHeader size shall always be 0. The SignatureSize shall always= be 16 (size of @@ -330,6 +354,8 @@ typedef struct { extern EFI_GUID gEfiImageSecurityDatabaseGuid; extern EFI_GUID gEfiCertSha256Guid; extern EFI_GUID gEfiCertRsa2048Guid; +extern EFI_GUID gEfiCertRsa3072Guid; +extern EFI_GUID gEfiCertRsa4096Guid; extern EFI_GUID gEfiCertRsa2048Sha256Guid; extern EFI_GUID gEfiCertSha1Guid; extern EFI_GUID gEfiCertRsa2048Sha1Guid; diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index d6c4179b2a..c88e88fa6b 100644 --- a/MdePkg/MdePkg.dec +++ b/MdePkg/MdePkg.dec @@ -571,6 +571,8 @@ gEfiImageSecurityDatabaseGuid =3D { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3, = 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f }} gEfiCertSha256Guid =3D { 0xc1c41626, 0x504c, 0x4092, {0xac, = 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }} gEfiCertRsa2048Guid =3D { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, = 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6 }} + gEfiCertRsa3072Guid =3D { 0xedd320c2, 0xb057, 0x4b8e, {0xad, = 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }} + gEfiCertRsa4096Guid =3D { 0xb23e89a6, 0x8c8b, 0x4412, {0x85, = 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c }} gEfiCertRsa2048Sha256Guid =3D { 0xe2b36190, 0x879b, 0x4a3d, {0xad, = 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }} gEfiCertSha1Guid =3D { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, = 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd }} gEfiCertRsa2048Sha1Guid =3D { 0x67f8444f, 0x8743, 0x48f1, {0xa3, = 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }} diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPk= g/Library/AuthVariableLib/AuthService.c index d81c581d78..4c268a85cd 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -29,12 +29,125 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include =20 +#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE + +/** + Retrieves the size, in bytes, of the context buffer required for hash op= erations. + + If this interface is not supported, then return zero. + + @return The size, in bytes, of the context buffer required for hash ope= rations. + @retval 0 This interface is not supported. + +**/ +typedef +UINTN +(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE)( + VOID + ); + +/** + Initializes user-supplied memory pointed by Sha1Context as hash context = for + subsequent use. + + If HashContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] HashContext Pointer to Hashcontext being initialized. + + @retval TRUE Hash context initialization succeeded. + @retval FALSE Hash context initialization failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EFI_HASH_INIT)( + OUT VOID *HashContext + ); + +/** + Digests the input data and updates Hash context. + + This function performs Hash digest on a data buffer of the specified siz= e. + It can be called multiple times to compute the digest of long or discont= inuous data streams. + Hash context should be already correctly initialized by HashInit(), and = should not be finalized + by HashFinal(). Behavior with invalid context is undefined. + + If HashContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] HashContext Pointer to the Hash context. + @param[in] Data Pointer to the buffer containing the data = to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-1 data digest succeeded. + @retval FALSE SHA-1 data digest failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EFI_HASH_UPDATE)( + IN OUT VOID *HashContext, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +/** + Completes computation of the Hash digest value. + + This function completes hash computation and retrieves the digest value = into + the specified memory. After this function has been called, the Hash cont= ext cannot + be used again. + Hash context should be already correctly initialized by HashInit(), and = should not be + finalized by HashFinal(). Behavior with invalid Hash context is undefine= d. + + If HashContext is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] HashContext Pointer to the Hash context. + @param[out] HashValue Pointer to a buffer that receives the Hash= digest + value. + + @retval TRUE Hash digest computation succeeded. + @retval FALSE Hash digest computation failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EFI_HASH_FINAL)( + IN OUT VOID *HashContext, + OUT UINT8 *HashValue + ); + +typedef struct { + UINT32 HashSize; + EFI_HASH_GET_CONTEXT_SIZE GetContextSize; + EFI_HASH_INIT Init; + EFI_HASH_UPDATE Update; + EFI_HASH_FINAL Final; + VOID **HashShaCtx; + UINT8 *OidValue; + UINTN OidLength; +} EFI_HASH_INFO; + // // Public Exponent of RSA Key. // CONST UINT8 mRsaE[] =3D { 0x01, 0x00, 0x01 }; =20 -CONST UINT8 mSha256OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0= x04, 0x02, 0x01 }; +UINT8 mSha256OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0= x02, 0x01 }; +UINT8 mSha384OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0= x02, 0x02 }; +UINT8 mSha512OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0= x02, 0x03 }; + +EFI_HASH_INFO mHashInfo[] =3D { + {SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, Sha= 256Final, &mHashSha256Ctx, mSha256OidValue, 9}, + {SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, Sha384Update, Sha= 384Final, &mHashSha384Ctx, mSha384OidValue, 9}, + {SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, Sha512Update, Sha= 512Final, &mHashSha512Ctx, mSha512OidValue, 9}, +}; =20 // // Requirement for different signature type which have been defined in UEF= I spec. @@ -44,6 +157,8 @@ EFI_SIGNATURE_ITEM mSupportSigItem[] =3D { // {SigType, SigHeaderSize, SigDataSize } { EFI_CERT_SHA256_GUID, 0, 32 }, { EFI_CERT_RSA2048_GUID, 0, 256 }, + { EFI_CERT_RSA3072_GUID, 0, 384 }, + { EFI_CERT_RSA4096_GUID, 0, 512 }, { EFI_CERT_RSA2048_SHA256_GUID, 0, 256 }, { EFI_CERT_SHA1_GUID, 0, 20 }, { EFI_CERT_RSA2048_SHA1_GUID, 0, 256 }, @@ -1090,26 +1205,28 @@ AuthServiceInternalCompareTimeStamp ( } =20 /** - Calculate SHA256 digest of SignerCert CommonName + ToplevelCert tbsCerti= ficate + Calculate SHA digest of SignerCert CommonName + ToplevelCert tbsCertific= ate SignerCert and ToplevelCert are inside the signer certificate chain. =20 + @param[in] HashAlgId Hash algorithm index @param[in] SignerCert A pointer to SignerCert data. @param[in] SignerCertSize Length of SignerCert data. @param[in] TopLevelCert A pointer to TopLevelCert data. @param[in] TopLevelCertSize Length of TopLevelCert data. - @param[out] Sha256Digest Sha256 digest calculated. + @param[out] ShaDigest Sha digest calculated. =20 @return EFI_ABORTED Digest process failed. - @return EFI_SUCCESS SHA256 Digest is successfully calculated. + @return EFI_SUCCESS SHA Digest is successfully calculated. =20 **/ EFI_STATUS -CalculatePrivAuthVarSignChainSHA256Digest ( +CalculatePrivAuthVarSignChainSHADigest ( + IN UINT8 HashAlgId, IN UINT8 *SignerCert, IN UINTN SignerCertSize, IN UINT8 *TopLevelCert, IN UINTN TopLevelCertSize, - OUT UINT8 *Sha256Digest + OUT UINT8 *ShaDigest ) { UINT8 *TbsCert; @@ -1119,6 +1236,11 @@ CalculatePrivAuthVarSignChainSHA256Digest ( BOOLEAN CryptoStatus; EFI_STATUS Status; =20 + if (HashAlgId >=3D (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { + DEBUG ((DEBUG_INFO, "%a Unsupported Hash Algorithm %d\n", __func__, Ha= shAlgId)); + return EFI_ABORTED; + } + CertCommonNameSize =3D sizeof (CertCommonName); =20 // @@ -1141,8 +1263,8 @@ CalculatePrivAuthVarSignChainSHA256Digest ( // // Digest SignerCert CN + TopLevelCert tbsCertificate // - ZeroMem (Sha256Digest, SHA256_DIGEST_SIZE); - CryptoStatus =3D Sha256Init (mHashCtx); + ZeroMem (ShaDigest, mHashInfo[HashAlgId].HashSize); + CryptoStatus =3D mHashInfo[HashAlgId].Init (*(mHashInfo[HashAlgId].HashS= haCtx)); if (!CryptoStatus) { return EFI_ABORTED; } @@ -1150,8 +1272,8 @@ CalculatePrivAuthVarSignChainSHA256Digest ( // // '\0' is forced in CertCommonName. No overflow issue // - CryptoStatus =3D Sha256Update ( - mHashCtx, + CryptoStatus =3D mHashInfo[HashAlgId].Update ( + *(mHashInfo[HashAlgId].HashShaCtx), CertCommonName, AsciiStrLen (CertCommonName) ); @@ -1159,12 +1281,12 @@ CalculatePrivAuthVarSignChainSHA256Digest ( return EFI_ABORTED; } =20 - CryptoStatus =3D Sha256Update (mHashCtx, TbsCert, TbsCertSize); + CryptoStatus =3D mHashInfo[HashAlgId].Update (*(mHashInfo[HashAlgId].Has= hShaCtx), TbsCert, TbsCertSize); if (!CryptoStatus) { return EFI_ABORTED; } =20 - CryptoStatus =3D Sha256Final (mHashCtx, Sha256Digest); + CryptoStatus =3D mHashInfo[HashAlgId].Final (*(mHashInfo[HashAlgId].Hash= ShaCtx), ShaDigest); if (!CryptoStatus) { return EFI_ABORTED; } @@ -1516,9 +1638,10 @@ DeleteCertsFromDb ( /** Insert signer's certificates for common authenticated variable with Vari= ableName and VendorGuid in AUTH_CERT_DB_DATA to "certdb" or "certdbv" according to - time based authenticated variable attributes. CertData is the SHA256 dig= est of + time based authenticated variable attributes. CertData is the SHA digest= of SignerCert CommonName + TopLevelCert tbsCertificate. =20 + @param[in] HashAlgId Hash algorithm index. @param[in] VariableName Name of authenticated Variable. @param[in] VendorGuid Vendor GUID of authenticated Variable. @param[in] Attributes Attributes of authenticated variable. @@ -1536,6 +1659,7 @@ DeleteCertsFromDb ( **/ EFI_STATUS InsertCertsToDb ( + IN UINT8 HashAlgId, IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN UINT32 Attributes, @@ -1556,12 +1680,16 @@ InsertCertsToDb ( UINT32 CertDataSize; AUTH_CERT_DB_DATA *Ptr; CHAR16 *DbName; - UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; =20 if ((VariableName =3D=3D NULL) || (VendorGuid =3D=3D NULL) || (SignerCer= t =3D=3D NULL) || (TopLevelCert =3D=3D NULL)) { return EFI_INVALID_PARAMETER; } =20 + if (HashAlgId >=3D (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { + return EFI_INVALID_PARAMETER; + } + if ((Attributes & EFI_VARIABLE_NON_VOLATILE) !=3D 0) { // // Get variable "certdb". @@ -1618,20 +1746,22 @@ InsertCertsToDb ( // Construct new data content of variable "certdb" or "certdbv". // NameSize =3D (UINT32)StrLen (VariableName); - CertDataSize =3D sizeof (Sha256Digest); + CertDataSize =3D mHashInfo[HashAlgId].HashSize; CertNodeSize =3D sizeof (AUTH_CERT_DB_DATA) + (UINT32)CertDataSize + Na= meSize * sizeof (CHAR16); NewCertDbSize =3D (UINT32)DataSize + CertNodeSize; if (NewCertDbSize > mMaxCertDbSize) { return EFI_OUT_OF_RESOURCES; } =20 - Status =3D CalculatePrivAuthVarSignChainSHA256Digest ( + Status =3D CalculatePrivAuthVarSignChainSHADigest ( + HashAlgId, SignerCert, SignerCertSize, TopLevelCert, TopLevelCertSize, - Sha256Digest + ShaDigest ); + if (EFI_ERROR (Status)) { return Status; } @@ -1663,7 +1793,7 @@ InsertCertsToDb ( =20 CopyMem ( (UINT8 *)Ptr + sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof (CHAR16= ), - Sha256Digest, + ShaDigest, CertDataSize ); =20 @@ -1790,6 +1920,36 @@ CleanCertsFromDb ( return Status; } =20 +/** + Find hash algorithm index + + @param[in] SigData Pointer to the PKCS#7 message + @param[in] SigDataSize Length of the PKCS#7 message + + @retval UINT8 Hash Algorithm Index +**/ +UINT8 +FindHashAlgorithmIndex ( + IN UINT8 *SigData, + IN UINT32 SigDataSize +) +{ + UINT8 i; + + for (i =3D 0; i < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO)); i++) { + if ( ( (SigDataSize >=3D (13 + mHashInfo[i].OidLength)) + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) =3D=3D TWO_BYTE_ENCODE) + && (CompareMem (SigData + 13, mHashInfo[i].OidValue, mHashInfo= [i].OidLength) =3D=3D 0))) + || (( (SigDataSize >=3D (32 + mHashInfo[i].OidLength))) + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) =3D=3D TWO_BYTE_ENCODE) + && (CompareMem (SigData + 32, mHashInfo[i].OidValue, mHashInfo[i= ].OidLength) =3D=3D 0)))) + { + break; + } + } + return i; +} + /** Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS= set =20 @@ -1857,8 +2017,9 @@ VerifyTimeBasedPayload ( UINTN CertStackSize; UINT8 *CertsInCertDb; UINT32 CertsSizeinDb; - UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; EFI_CERT_DATA *CertDataPtr; + UINT8 HashAlgId; =20 // // 1. TopLevelCert is the top-level issuer certificate in signature Sign= er Cert Chain @@ -1928,7 +2089,7 @@ VerifyTimeBasedPayload ( =20 // // SignedData.digestAlgorithms shall contain the digest algorithm used w= hen preparing the - // signature. Only a digest algorithm of SHA-256 is accepted. + // signature. Only a digest algorithm of SHA-256, SHA-384 or SHA-512 is = accepted. // // According to PKCS#7 Definition (https://www.rfc-editor.org/rfc/rfc= 2315): // SignedData ::=3D SEQUENCE { @@ -1972,14 +2133,9 @@ VerifyTimeBasedPayload ( // // Example generated with: https://wiki.archlinux.org/title/Unified_Exte= nsible_Firmware_Interface/Secure_Boot#Manual_process // + HashAlgId =3D FindHashAlgorithmIndex (SigData, SigDataSize); if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != =3D 0) { - if ( ( (SigDataSize >=3D (13 + sizeof (mSha256OidValue))) - && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE) - || (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha2= 56OidValue)) !=3D 0))) - && ( (SigDataSize >=3D (32 + sizeof (mSha256OidValue))) - && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE) - || (CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha2= 56OidValue)) !=3D 0)))) - { + if (HashAlgId >=3D (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { return EFI_SECURITY_VIOLATION; } } @@ -2170,19 +2326,20 @@ VerifyTimeBasedPayload ( goto Exit; } =20 - if (CertsSizeinDb =3D=3D SHA256_DIGEST_SIZE) { + if ((HashAlgId < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) && (= CertsSizeinDb =3D=3D mHashInfo[HashAlgId].HashSize)) { // // Check hash of signer cert CommonName + Top-level issuer tbsCert= ificate against data in CertDb // CertDataPtr =3D (EFI_CERT_DATA *)(SignerCerts + 1); - Status =3D CalculatePrivAuthVarSignChainSHA256Digest ( + Status =3D CalculatePrivAuthVarSignChainSHADigest ( + HashAlgId, CertDataPtr->CertDataBuffer, ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertData= Length)), TopLevelCert, TopLevelCertSize, - Sha256Digest + ShaDigest ); - if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, CertsInCertDb= , CertsSizeinDb) !=3D 0)) { + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb, C= ertsSizeinDb) !=3D 0)) { goto Exit; } } else { @@ -2215,6 +2372,7 @@ VerifyTimeBasedPayload ( // CertDataPtr =3D (EFI_CERT_DATA *)(SignerCerts + 1); Status =3D InsertCertsToDb ( + HashAlgId, VariableName, VendorGuid, Attributes, diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h b/Se= curityPkg/Library/AuthVariableLib/AuthServiceInternal.h index b202e613bc..f7bf771d55 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h +++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h @@ -92,7 +92,9 @@ extern UINT32 mMaxCertDbSize; extern UINT32 mPlatformMode; extern UINT8 mVendorKeyState; =20 -extern VOID *mHashCtx; +extern VOID *mHashSha256Ctx; +extern VOID *mHashSha384Ctx; +extern VOID *mHashSha512Ctx; =20 extern AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn; =20 diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/Securi= tyPkg/Library/AuthVariableLib/AuthVariableLib.c index dc61ae840c..19e0004699 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c @@ -26,12 +26,14 @@ UINT32 mMaxCertDbSize; UINT32 mPlatformMode; UINT8 mVendorKeyState; =20 -EFI_GUID mSignatureSupport[] =3D { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GU= ID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID }; +EFI_GUID mSignatureSupport[] =3D { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GU= ID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID, EFI_CERT_RSA2048_GUID, EFI_= CERT_RSA3072_GUID, EFI_CERT_RSA4096_GUID, EFI_CERT_X509_GUID }; =20 // // Hash context pointer // -VOID *mHashCtx =3D NULL; +VOID *mHashSha256Ctx =3D NULL; +VOID *mHashSha384Ctx =3D NULL; +VOID *mHashSha512Ctx =3D NULL; =20 VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] =3D { { @@ -91,7 +93,7 @@ VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] =3D { }, }; =20 -VOID **mAuthVarAddressPointer[9]; +VOID **mAuthVarAddressPointer[11]; =20 AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn =3D NULL; =20 @@ -120,7 +122,6 @@ AuthVariableLibInitialize ( UINT32 VarAttr; UINT8 *Data; UINTN DataSize; - UINTN CtxSize; UINT8 SecureBootMode; UINT8 SecureBootEnable; UINT8 CustomMode; @@ -135,9 +136,18 @@ AuthVariableLibInitialize ( // // Initialize hash context. // - CtxSize =3D Sha256GetContextSize (); - mHashCtx =3D AllocateRuntimePool (CtxSize); - if (mHashCtx =3D=3D NULL) { + mHashSha256Ctx =3D AllocateRuntimePool (Sha256GetContextSize ()); + if (mHashSha256Ctx =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + mHashSha384Ctx =3D AllocateRuntimePool (Sha384GetContextSize ()); + if (mHashSha384Ctx =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + mHashSha512Ctx =3D AllocateRuntimePool (Sha512GetContextSize ()); + if (mHashSha512Ctx =3D=3D NULL) { return EFI_OUT_OF_RESOURCES; } =20 @@ -356,14 +366,16 @@ AuthVariableLibInitialize ( AuthVarLibContextOut->AuthVarEntry =3D mAuthVarEntry; AuthVarLibContextOut->AuthVarEntryCount =3D ARRAY_SIZE (mAuthVarEntry); mAuthVarAddressPointer[0] =3D (VOID **)&mCertDbStore; - mAuthVarAddressPointer[1] =3D (VOID **)&mHashCtx; - mAuthVarAddressPointer[2] =3D (VOID **)&mAuthVarLibConte= xtIn; - mAuthVarAddressPointer[3] =3D (VOID **)&(mAuthVarLibCont= extIn->FindVariable), - mAuthVarAddressPointer[4] =3D (VOID **)&(mAuthVarLibCont= extIn->FindNextVariable), - mAuthVarAddressPointer[5] =3D (VOID **)&(mAuthVarLibCont= extIn->UpdateVariable), - mAuthVarAddressPointer[6] =3D (VOID **)&(mAuthVarLibCont= extIn->GetScratchBuffer), - mAuthVarAddressPointer[7] =3D (VOID **)&(mAuthVarLibCont= extIn->CheckRemainingSpaceForConsistency), - mAuthVarAddressPointer[8] =3D (VOID **)&(mAuthVarLibCont= extIn->AtRuntime), + mAuthVarAddressPointer[1] =3D (VOID **)&mHashSha256Ctx; + mAuthVarAddressPointer[2] =3D (VOID **)&mHashSha384Ctx; + mAuthVarAddressPointer[3] =3D (VOID **)&mHashSha512Ctx; + mAuthVarAddressPointer[4] =3D (VOID **)&mAuthVarLibConte= xtIn; + mAuthVarAddressPointer[5] =3D (VOID **)&(mAuthVarLibCont= extIn->FindVariable), + mAuthVarAddressPointer[6] =3D (VOID **)&(mAuthVarLibCont= extIn->FindNextVariable), + mAuthVarAddressPointer[7] =3D (VOID **)&(mAuthVarLibCont= extIn->UpdateVariable), + mAuthVarAddressPointer[8] =3D (VOID **)&(mAuthVarLibCont= extIn->GetScratchBuffer), + mAuthVarAddressPointer[9] =3D (VOID **)&(mAuthVarLibCont= extIn->CheckRemainingSpaceForConsistency), + mAuthVarAddressPointer[10] =3D (VOID **)&(mAuthVarLibCon= textIn->AtRuntime), AuthVarLibContextOut->AddressPointer =3D mAuthVarAddressPointer; AuthVarLibContextOut->AddressPointerCount =3D ARRAY_SIZE (mAuthVarAddres= sPointer); =20 diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 5d8dbd5468..88b2d3c6c1 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1620,7 +1620,7 @@ Done: in the security database "db", and no valid signature nor any hash v= alue of the image may be reflected in the security database "dbx". Otherwise, the image is not signed, - The SHA256 hash value of the image must match a record in the securi= ty database "db", and + The hash value of the image must match a record in the security data= base "db", and not be reflected in the security data base "dbx". =20 Caution: This function may receive untrusted input. @@ -1690,6 +1690,8 @@ DxeImageVerificationHandler ( EFI_STATUS VarStatus; UINT32 VarAttr; BOOLEAN IsFound; + UINT8 HashAlg; + BOOLEAN IsFoundInDatabase; =20 SignatureList =3D NULL; SignatureListSize =3D 0; @@ -1699,6 +1701,7 @@ DxeImageVerificationHandler ( Action =3D EFI_IMAGE_EXECUTION_AUTH_UNTESTED; IsVerified =3D FALSE; IsFound =3D FALSE; + IsFoundInDatabase =3D FALSE; =20 // // Check the image type and get policy setting. @@ -1837,40 +1840,50 @@ DxeImageVerificationHandler ( // if ((SecDataDir =3D=3D NULL) || (SecDataDir->Size =3D=3D 0)) { // - // This image is not signed. The SHA256 hash value of the image must m= atch a record in the security database "db", + // This image is not signed. The hash value of the image must match a = record in the security database "db", // and not be reflected in the security data base "dbx". // - if (!HashPeImage (HASHALG_SHA256)) { - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this im= age using %s.\n", mHashTypeStr)); - goto Failed; - } + HashAlg =3D sizeof (mHash) / sizeof (HASH_TABLE); + while (HashAlg > 0) { + HashAlg--; + if ((mHash[HashAlg].GetContextSize =3D=3D NULL) || (mHash[HashAlg].H= ashInit =3D=3D NULL) || (mHash[HashAlg].HashUpdate =3D=3D NULL) || (mHash[H= ashAlg].HashFinal =3D=3D NULL)) { + continue; + } + if (!HashPeImage (HashAlg)) { + continue; + } =20 - DbStatus =3D IsSignatureFoundInDatabase ( - EFI_IMAGE_SECURITY_DATABASE1, - mImageDigest, - &mCertType, - mImageDigestSize, - &IsFound - ); - if (EFI_ERROR (DbStatus) || IsFound) { - // - // Image Hash is in forbidden database (DBX). - // - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed an= d %s hash of image is forbidden by DBX.\n", mHashTypeStr)); - goto Failed; + DbStatus =3D IsSignatureFoundInDatabase ( + EFI_IMAGE_SECURITY_DATABASE1, + mImageDigest, + &mCertType, + mImageDigestSize, + &IsFound + ); + if (EFI_ERROR (DbStatus) || IsFound) { + // + // Image Hash is in forbidden database (DBX). + // + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed = and %s hash of image is forbidden by DBX.\n", mHashTypeStr)); + goto Failed; + } + + DbStatus =3D IsSignatureFoundInDatabase ( + EFI_IMAGE_SECURITY_DATABASE, + mImageDigest, + &mCertType, + mImageDigestSize, + &IsFound + ); + if (!EFI_ERROR (DbStatus) && IsFound) { + // + // Image Hash is in allowed database (DB). + // + IsFoundInDatabase =3D TRUE; + } } =20 - DbStatus =3D IsSignatureFoundInDatabase ( - EFI_IMAGE_SECURITY_DATABASE, - mImageDigest, - &mCertType, - mImageDigestSize, - &IsFound - ); - if (!EFI_ERROR (DbStatus) && IsFound) { - // - // Image Hash is in allowed database (DB). - // + if (IsFoundInDatabase) { return EFI_SUCCESS; } =20 diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Sec= ureBootConfigDxe.inf index 1671d5be7c..cb52a16c09 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf @@ -70,6 +70,14 @@ ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type o= f the signature. gEfiCertRsa2048Guid =20 + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type o= f the signature. + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type o= f the signature. + gEfiCertRsa3072Guid + + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type o= f the signature. + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type o= f the signature. + gEfiCertRsa4096Guid + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type o= f the signature. ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type o= f the signature. gEfiCertX509Guid @@ -82,6 +90,14 @@ ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type o= f the signature. gEfiCertSha256Guid =20 + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type o= f the signature. + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type o= f the signature. + gEfiCertSha384Guid + + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type o= f the signature. + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type o= f the signature. + gEfiCertSha512Guid + ## SOMETIMES_CONSUMES ## Variable:L"db" ## SOMETIMES_PRODUCES ## Variable:L"db" ## SOMETIMES_CONSUMES ## Variable:L"dbx" diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index 0e31502b1b..90268d34d3 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c @@ -560,7 +560,7 @@ ON_EXIT: =20 **/ EFI_STATUS -EnrollRsa2048ToKek ( +EnrollRsaToKek ( IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private ) { @@ -603,8 +603,19 @@ EnrollRsa2048ToKek ( =20 ASSERT (KeyBlob !=3D NULL); KeyInfo =3D (CPL_KEY_INFO *)KeyBlob; - if (KeyInfo->KeyLengthInBits / 8 !=3D WIN_CERT_UEFI_RSA2048_SIZE) { - DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is supporte= d.\n")); + if (KeyInfo->KeyType =3D=3D 0) { + switch (KeyInfo->KeyLengthInBits / 8) { + case WIN_CERT_UEFI_RSA2048_SIZE: + case WIN_CERT_UEFI_RSA3072_SIZE: + case WIN_CERT_UEFI_RSA4096_SIZE: + break; + default : + DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048, RSA3072 = and RSA4096 are supported.\n")); + Status =3D EFI_UNSUPPORTED; + goto ON_EXIT; + } + } else { + DEBUG ((DEBUG_ERROR, "Unsupported key type : %d, only 0 is supported.\= n", KeyInfo->KeyType)); Status =3D EFI_UNSUPPORTED; goto ON_EXIT; } @@ -632,7 +643,7 @@ EnrollRsa2048ToKek ( // KekSigListSize =3D sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 - + WIN_CERT_UEFI_RSA2048_SIZE; + + KeyLenInBytes; =20 KekSigList =3D (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSize); if (KekSigList =3D=3D NULL) { @@ -642,17 +653,32 @@ EnrollRsa2048ToKek ( =20 KekSigList->SignatureListSize =3D sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 - + WIN_CERT_UEFI_RSA2048_SIZE; + + (UINT32) KeyLenInBytes; KekSigList->SignatureHeaderSize =3D 0; - KekSigList->SignatureSize =3D sizeof (EFI_SIGNATURE_DATA) - 1 + WI= N_CERT_UEFI_RSA2048_SIZE; - CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); + KekSigList->SignatureSize =3D sizeof (EFI_SIGNATURE_DATA) - 1 + (U= INT32) KeyLenInBytes; + switch (KeyLenInBytes) { + case WIN_CERT_UEFI_RSA2048_SIZE: + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); + break; + case WIN_CERT_UEFI_RSA3072_SIZE: + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid); + break; + case WIN_CERT_UEFI_RSA4096_SIZE: + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid); + break; + break; + default : + DEBUG ((DEBUG_ERROR, "Unsupported key length.\n")); + Status =3D EFI_UNSUPPORTED; + goto ON_EXIT; + } =20 KEKSigData =3D (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof (EFI_= SIGNATURE_LIST)); CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID); CopyMem ( KEKSigData->SignatureData, KeyBlob + sizeof (CPL_KEY_INFO), - WIN_CERT_UEFI_RSA2048_SIZE + KeyLenInBytes ); =20 // @@ -890,7 +916,7 @@ EnrollKeyExchangeKey ( if (IsDerEncodeCertificate (FilePostFix)) { return EnrollX509ToKek (Private); } else if (CompareMem (FilePostFix, L".pbk", 4) =3D=3D 0) { - return EnrollRsa2048ToKek (Private); + return EnrollRsaToKek (Private); } else { // // File type is wrong, simply close it @@ -1847,7 +1873,7 @@ HashPeImage ( SectionHeader =3D NULL; Status =3D FALSE; =20 - if (HashAlg !=3D HASHALG_SHA256) { + if ((HashAlg >=3D HASHALG_MAX)) { return FALSE; } =20 @@ -1856,8 +1882,25 @@ HashPeImage ( // ZeroMem (mImageDigest, MAX_DIGEST_SIZE); =20 - mImageDigestSize =3D SHA256_DIGEST_SIZE; - mCertType =3D gEfiCertSha256Guid; + switch (HashAlg) { + case HASHALG_SHA256: + mImageDigestSize =3D SHA256_DIGEST_SIZE; + mCertType =3D gEfiCertSha256Guid; + break; + + case HASHALG_SHA384: + mImageDigestSize =3D SHA384_DIGEST_SIZE; + mCertType =3D gEfiCertSha384Guid; + break; + + case HASHALG_SHA512: + mImageDigestSize =3D SHA512_DIGEST_SIZE; + mCertType =3D gEfiCertSha512Guid; + break; + + default: + return FALSE; + } =20 CtxSize =3D mHash[HashAlg].GetContextSize (); =20 @@ -2251,6 +2294,7 @@ EnrollImageSignatureToSigDB ( UINT32 Attr; WIN_CERTIFICATE_UEFI_GUID *GuidCertData; EFI_TIME Time; + UINT32 HashAlg; =20 Data =3D NULL; GuidCertData =3D NULL; @@ -2289,8 +2333,20 @@ EnrollImageSignatureToSigDB ( } =20 if (mSecDataDir->SizeOfCert =3D=3D 0) { - if (!HashPeImage (HASHALG_SHA256)) { - Status =3D EFI_SECURITY_VIOLATION; + Status =3D EFI_SECURITY_VIOLATION; + HashAlg =3D sizeof (mHash) / sizeof (HASH_TABLE); + while (HashAlg > 0) { + HashAlg--; + if ((mHash[HashAlg].GetContextSize =3D=3D NULL) || (mHash[HashAlg].H= ashInit =3D=3D NULL) || (mHash[HashAlg].HashUpdate =3D=3D NULL) || (mHash[H= ashAlg].HashFinal =3D=3D NULL)) { + continue; + } + if (HashPeImage (HashAlg)) { + Status =3D EFI_SUCCESS; + break; + } + } + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to get hash digest: %r", Status)); goto ON_EXIT; } } else { @@ -2589,6 +2645,10 @@ UpdateDeletePage ( while ((ItemDataSize > 0) && (ItemDataSize >=3D CertList->SignatureListS= ize)) { if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)) { Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID); + } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid= )) { + Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA3072_SHA384_GUID); + } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid= )) { + Help =3D STRING_TOKEN (STR_CERT_TYPE_RSA4096_SHA512_GUID); } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) { Help =3D STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID); } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid)) { @@ -2750,6 +2810,8 @@ DeleteKeyExchangeKey ( GuidIndex =3D 0; while ((KekDataSize > 0) && (KekDataSize >=3D CertList->SignatureListSiz= e)) { if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) || + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) || + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) || CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) { CopyMem (Data + Offset, CertList, (sizeof (EFI_SIGNATURE_LIST) + Cer= tList->SignatureHeaderSize)); @@ -2952,6 +3014,8 @@ DeleteSignature ( GuidIndex =3D 0; while ((ItemDataSize > 0) && (ItemDataSize >=3D CertList->SignatureListS= ize)) { if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) || + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) || + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) || CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) || CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) || CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid) || @@ -3758,12 +3822,20 @@ LoadSignatureList ( while ((RemainingSize > 0) && (RemainingSize >=3D ListWalker->SignatureL= istSize)) { if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa2048Guid)) { ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256); + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa3072Gu= id)) { + ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384); + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa4096Gu= id)) { + ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512); } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Guid)= ) { ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509); } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha1Guid)= ) { ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA1); } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha256Gui= d)) { ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA256); + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha384Gui= d)) { + ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA384); + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha512Gui= d)) { + ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA512); } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha25= 6Guid)) { ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha38= 4Guid)) { @@ -4001,6 +4073,14 @@ FormatHelpInfo ( ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256); DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); IsCert =3D TRUE; + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa3072Guid)= ) { + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384); + DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); + IsCert =3D TRUE; + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa4096Guid)= ) { + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512); + DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); + IsCert =3D TRUE; } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Guid)) { ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_X509); DataSize =3D ListEntry->SignatureSize - sizeof (EFI_GUID); @@ -4011,6 +4091,12 @@ FormatHelpInfo ( } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha256Guid))= { ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA256); DataSize =3D 32; + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha384Guid))= { + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA384); + DataSize =3D 48; + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha512Guid))= { + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA512); + DataSize =3D 64; } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Sha256Gu= id)) { ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); DataSize =3D 32; diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.h index 37c66f1b95..ae50d929a7 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.h +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.h @@ -82,6 +82,8 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; #define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE =20 #define WIN_CERT_UEFI_RSA2048_SIZE 256 +#define WIN_CERT_UEFI_RSA3072_SIZE 384 +#define WIN_CERT_UEFI_RSA4096_SIZE 512 =20 // // Support hash types diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe= /SecureBootConfigStrings.uni index 0d01701de7..1b48acc800 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni @@ -113,6 +113,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP #language en-US "Read = the public key of KEK from file" #string STR_FILE_EXPLORER_TITLE #language en-US "File Ex= plorer" #string STR_CERT_TYPE_RSA2048_SHA256_GUID #language en-US "RSA2048= _SHA256_GUID" +#string STR_CERT_TYPE_RSA3072_SHA384_GUID #language en-US "RSA3072= _SHA384_GUID" +#string STR_CERT_TYPE_RSA4096_SHA512_GUID #language en-US "RSA4096= _SHA512_GUID" #string STR_CERT_TYPE_PCKS7_GUID #language en-US "PKCS7_G= UID" #string STR_CERT_TYPE_SHA1_GUID #language en-US "SHA1_GU= ID" #string STR_CERT_TYPE_SHA256_GUID #language en-US "SHA256_= GUID" @@ -121,9 +123,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #string STR_CERT_TYPE_X509_SHA512_GUID #language en-US "X509_SH= A512_GUID" =20 #string STR_LIST_TYPE_RSA2048_SHA256 #language en-US "RSA2048= _SHA256" +#string STR_LIST_TYPE_RSA3072_SHA384 #language en-US "RSA3072= _SHA384" +#string STR_LIST_TYPE_RSA4096_SHA512 #language en-US "RSA4096= _SHA512" #string STR_LIST_TYPE_X509 #language en-US "X509" #string STR_LIST_TYPE_SHA1 #language en-US "SHA1" #string STR_LIST_TYPE_SHA256 #language en-US "SHA256" +#string STR_LIST_TYPE_SHA384 #language en-US "SHA384" +#string STR_LIST_TYPE_SHA512 #language en-US "SHA512" #string STR_LIST_TYPE_X509_SHA256 #language en-US "X509_SH= A256" #string STR_LIST_TYPE_X509_SHA384 #language en-US "X509_SH= A384" #string STR_LIST_TYPE_X509_SHA512 #language en-US "X509_SH= A512" --=20 2.26.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#106682): https://edk2.groups.io/g/devel/message/106682 Mute This Topic: https://groups.io/mt/99981532/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-