CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- MdePkg/Include/Guid/ImageAuthentication.h | 26 +++ MdePkg/MdePkg.dec | 2 + .../Library/AuthVariableLib/AuthService.c | 220 +++++++++++++++--- .../AuthVariableLib/AuthServiceInternal.h | 4 +- .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++-- .../DxeImageVerificationLib.c | 73 +++--- .../SecureBootConfigDxe.inf | 16 ++ .../SecureBootConfigImpl.c | 114 +++++++-- .../SecureBootConfigImpl.h | 7 + .../SecureBootConfigStrings.uni | 6 + 11 files changed, 421 insertions(+), 92 deletions(-)
Patch V5: Using define KEY_TYPE_RSASSA to replace the magic number. Patch V4: Determine the RSA algorithm by a supported algorithm list. Patch V3: Select SHA algorithm automaticly for a unsigned efi image. Patch V2: Determine the SHA algorithm by a supported algorithm list. Create SHA context for each algorithm. Test Case: 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image under UEFI shell. 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image under UEFI shell. 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image under UEFI shell. 4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI shell Test Result: Pass Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Zeyi Chen <zeyi.chen@intel.com> Cc: Fiona Wang <fiona.wang@intel.com> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> Cc: Guomin Jiang <guomin.jiang@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Sheng Wei (3): MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096 CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to ImageTimestampVerify SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- MdePkg/Include/Guid/ImageAuthentication.h | 26 +++ MdePkg/MdePkg.dec | 2 + .../Library/AuthVariableLib/AuthService.c | 220 +++++++++++++++--- .../AuthVariableLib/AuthServiceInternal.h | 4 +- .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++-- .../DxeImageVerificationLib.c | 73 +++--- .../SecureBootConfigDxe.inf | 16 ++ .../SecureBootConfigImpl.c | 114 +++++++-- .../SecureBootConfigImpl.h | 7 + .../SecureBootConfigStrings.uni | 6 + 11 files changed, 421 insertions(+), 92 deletions(-) -- 2.26.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#107293): https://edk2.groups.io/g/devel/message/107293 Mute This Topic: https://groups.io/mt/100385941/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
Thanks. May I know what *negative* test you have done? > -----Original Message----- > From: Sheng, W <w.sheng@intel.com> > Sent: Thursday, July 27, 2023 2:35 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; > Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi <zeyi.chen@intel.com>; Wang, > Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, > Guomin <guomin.jiang@intel.com>; Kinney, Michael D > <michael.d.kinney@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn> > Subject: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384 > > Patch V5: > Using define KEY_TYPE_RSASSA to replace the magic number. > > Patch V4: > Determine the RSA algorithm by a supported algorithm list. > > Patch V3: > Select SHA algorithm automaticly for a unsigned efi image. > > Patch V2: > Determine the SHA algorithm by a supported algorithm list. > Create SHA context for each algorithm. > > Test Case: > 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image under UEFI > shell. > 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image under UEFI > shell. > 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image under UEFI > shell. > 4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI shell > > Test Result: > Pass > > Cc: Jiewen Yao <jiewen.yao@intel.com> > Cc: Jian J Wang <jian.j.wang@intel.com> > Cc: Min Xu <min.m.xu@intel.com> > Cc: Zeyi Chen <zeyi.chen@intel.com> > Cc: Fiona Wang <fiona.wang@intel.com> > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> > Cc: Guomin Jiang <guomin.jiang@intel.com> > Cc: Michael D Kinney <michael.d.kinney@intel.com> > Cc: Liming Gao <gaoliming@byosoft.com.cn> > > Sheng Wei (3): > MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096 > CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to > ImageTimestampVerify > SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 > > CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- > MdePkg/Include/Guid/ImageAuthentication.h | 26 +++ > MdePkg/MdePkg.dec | 2 + > .../Library/AuthVariableLib/AuthService.c | 220 +++++++++++++++--- > .../AuthVariableLib/AuthServiceInternal.h | 4 +- > .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++-- > .../DxeImageVerificationLib.c | 73 +++--- > .../SecureBootConfigDxe.inf | 16 ++ > .../SecureBootConfigImpl.c | 114 +++++++-- > .../SecureBootConfigImpl.h | 7 + > .../SecureBootConfigStrings.uni | 6 + > 11 files changed, 421 insertions(+), 92 deletions(-) > > -- > 2.26.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#107300): https://edk2.groups.io/g/devel/message/107300 Mute This Topic: https://groups.io/mt/100385941/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
Here are my negative tests. 1) Enroll a RSA2048 Cert, execute an unsigned efi image. 2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image. 3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image. 4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi image. Test Result: Get "Access Denied" when try to execute the efi image. Thank you. BR Sheng Wei > -----Original Message----- > From: Yao, Jiewen <jiewen.yao@intel.com> > Sent: 2023年7月27日 17:45 > To: Sheng, W <w.sheng@intel.com>; devel@edk2.groups.io > Cc: Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; > Chen, Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; > Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin > <guomin.jiang@intel.com>; Kinney, Michael D > <michael.d.kinney@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn> > Subject: RE: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384 > > Thanks. May I know what *negative* test you have done? > > > > -----Original Message----- > > From: Sheng, W <w.sheng@intel.com> > > Sent: Thursday, July 27, 2023 2:35 PM > > To: devel@edk2.groups.io > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi > > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1 > > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; > > Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming > > <gaoliming@byosoft.com.cn> > > Subject: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384 > > > > Patch V5: > > Using define KEY_TYPE_RSASSA to replace the magic number. > > > > Patch V4: > > Determine the RSA algorithm by a supported algorithm list. > > > > Patch V3: > > Select SHA algorithm automaticly for a unsigned efi image. > > > > Patch V2: > > Determine the SHA algorithm by a supported algorithm list. > > Create SHA context for each algorithm. > > > > Test Case: > > 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image > > under UEFI shell. > > 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image > > under UEFI shell. > > 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image > > under UEFI shell. > > 4. Enroll an unsigned efi image, execute the unsigned efi image under > > UEFI shell > > > > Test Result: > > Pass > > > > Cc: Jiewen Yao <jiewen.yao@intel.com> > > Cc: Jian J Wang <jian.j.wang@intel.com> > > Cc: Min Xu <min.m.xu@intel.com> > > Cc: Zeyi Chen <zeyi.chen@intel.com> > > Cc: Fiona Wang <fiona.wang@intel.com> > > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> > > Cc: Guomin Jiang <guomin.jiang@intel.com> > > Cc: Michael D Kinney <michael.d.kinney@intel.com> > > Cc: Liming Gao <gaoliming@byosoft.com.cn> > > > > Sheng Wei (3): > > MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096 > > CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to > > ImageTimestampVerify > > SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 > > > > CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- > > MdePkg/Include/Guid/ImageAuthentication.h | 26 +++ > > MdePkg/MdePkg.dec | 2 + > > .../Library/AuthVariableLib/AuthService.c | 220 +++++++++++++++--- > > .../AuthVariableLib/AuthServiceInternal.h | 4 +- > > .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++-- > > .../DxeImageVerificationLib.c | 73 +++--- > > .../SecureBootConfigDxe.inf | 16 ++ > > .../SecureBootConfigImpl.c | 114 +++++++-- > > .../SecureBootConfigImpl.h | 7 + > > .../SecureBootConfigStrings.uni | 6 + > > 11 files changed, 421 insertions(+), 92 deletions(-) > > > > -- > > 2.26.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#107306): https://edk2.groups.io/g/devel/message/107306 Mute This Topic: https://groups.io/mt/100385941/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
OK. Thanks! > -----Original Message----- > From: Sheng, W <w.sheng@intel.com> > Sent: Friday, July 28, 2023 9:50 AM > To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io > Cc: Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; > Chen, Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, > Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; > Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming > <gaoliming@byosoft.com.cn> > Subject: RE: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384 > > Here are my negative tests. > 1) Enroll a RSA2048 Cert, execute an unsigned efi image. > 2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image. > 3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image. > 4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi > image. > > Test Result: > Get "Access Denied" when try to execute the efi image. > > Thank you. > BR > Sheng Wei > > > -----Original Message----- > > From: Yao, Jiewen <jiewen.yao@intel.com> > > Sent: 2023年7月27日 17:45 > > To: Sheng, W <w.sheng@intel.com>; devel@edk2.groups.io > > Cc: Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; > > Chen, Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; > > Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin > > <guomin.jiang@intel.com>; Kinney, Michael D > > <michael.d.kinney@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn> > > Subject: RE: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384 > > > > Thanks. May I know what *negative* test you have done? > > > > > > > -----Original Message----- > > > From: Sheng, W <w.sheng@intel.com> > > > Sent: Thursday, July 27, 2023 2:35 PM > > > To: devel@edk2.groups.io > > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J > > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi > > > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1 > > > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; > > > Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming > > > <gaoliming@byosoft.com.cn> > > > Subject: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384 > > > > > > Patch V5: > > > Using define KEY_TYPE_RSASSA to replace the magic number. > > > > > > Patch V4: > > > Determine the RSA algorithm by a supported algorithm list. > > > > > > Patch V3: > > > Select SHA algorithm automaticly for a unsigned efi image. > > > > > > Patch V2: > > > Determine the SHA algorithm by a supported algorithm list. > > > Create SHA context for each algorithm. > > > > > > Test Case: > > > 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image > > > under UEFI shell. > > > 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image > > > under UEFI shell. > > > 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image > > > under UEFI shell. > > > 4. Enroll an unsigned efi image, execute the unsigned efi image under > > > UEFI shell > > > > > > Test Result: > > > Pass > > > > > > Cc: Jiewen Yao <jiewen.yao@intel.com> > > > Cc: Jian J Wang <jian.j.wang@intel.com> > > > Cc: Min Xu <min.m.xu@intel.com> > > > Cc: Zeyi Chen <zeyi.chen@intel.com> > > > Cc: Fiona Wang <fiona.wang@intel.com> > > > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> > > > Cc: Guomin Jiang <guomin.jiang@intel.com> > > > Cc: Michael D Kinney <michael.d.kinney@intel.com> > > > Cc: Liming Gao <gaoliming@byosoft.com.cn> > > > > > > Sheng Wei (3): > > > MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096 > > > CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to > > > ImageTimestampVerify > > > SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 > > > > > > CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- > > > MdePkg/Include/Guid/ImageAuthentication.h | 26 +++ > > > MdePkg/MdePkg.dec | 2 + > > > .../Library/AuthVariableLib/AuthService.c | 220 +++++++++++++++--- > > > .../AuthVariableLib/AuthServiceInternal.h | 4 +- > > > .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++-- > > > .../DxeImageVerificationLib.c | 73 +++--- > > > .../SecureBootConfigDxe.inf | 16 ++ > > > .../SecureBootConfigImpl.c | 114 +++++++-- > > > .../SecureBootConfigImpl.h | 7 + > > > .../SecureBootConfigStrings.uni | 6 + > > > 11 files changed, 421 insertions(+), 92 deletions(-) > > > > > > -- > > > 2.26.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#107308): https://edk2.groups.io/g/devel/message/107308 Mute This Topic: https://groups.io/mt/100385941/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
© 2016 - 2024 Red Hat, Inc.