1. Patchew
  2. EDK2
  3. View series

[edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384

Sheng Wei posted 3 patches 9 months, 1 week ago
Failed in applying to current master (apply log)
There is a newer version of this series
CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
MdePkg/Include/Guid/ImageAuthentication.h     |  26 +++
MdePkg/MdePkg.dec                             |   2 +
.../Library/AuthVariableLib/AuthService.c     | 220 +++++++++++++++---
.../AuthVariableLib/AuthServiceInternal.h     |   4 +-
.../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
.../DxeImageVerificationLib.c                 |  73 +++---
.../SecureBootConfigDxe.inf                   |  16 ++
.../SecureBootConfigImpl.c                    | 114 +++++++--
.../SecureBootConfigImpl.h                    |   7 +
.../SecureBootConfigStrings.uni               |   6 +
11 files changed, 421 insertions(+), 92 deletions(-)
[edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
Posted by Sheng Wei 9 months, 1 week ago 
Patch V5:
Using define KEY_TYPE_RSASSA to replace the magic number.

Patch V4:
Determine the RSA algorithm by a supported algorithm list.

Patch V3:
Select SHA algorithm automaticly for a unsigned efi image.

Patch V2:
Determine the SHA algorithm by a supported algorithm list.
Create SHA context for each algorithm.

Test Case:
1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image under UEFI shell. 
2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image under UEFI shell. 
3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image under UEFI shell. 
4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI shell

Test Result:
Pass

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Zeyi Chen <zeyi.chen@intel.com>
Cc: Fiona Wang <fiona.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>

Sheng Wei (3):
  MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
  CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to
    ImageTimestampVerify
  SecurityPkg/SecureBoot: Support RSA 512 and RSA 384

 CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
 MdePkg/Include/Guid/ImageAuthentication.h     |  26 +++
 MdePkg/MdePkg.dec                             |   2 +
 .../Library/AuthVariableLib/AuthService.c     | 220 +++++++++++++++---
 .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
 .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
 .../DxeImageVerificationLib.c                 |  73 +++---
 .../SecureBootConfigDxe.inf                   |  16 ++
 .../SecureBootConfigImpl.c                    | 114 +++++++--
 .../SecureBootConfigImpl.h                    |   7 +
 .../SecureBootConfigStrings.uni               |   6 +
 11 files changed, 421 insertions(+), 92 deletions(-)

-- 
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107293): https://edk2.groups.io/g/devel/message/107293
Mute This Topic: https://groups.io/mt/100385941/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
Posted by Yao, Jiewen 9 months, 1 week ago 
Thanks. May I know what *negative* test you have done?


> -----Original Message-----
> From: Sheng, W <w.sheng@intel.com>
> Sent: Thursday, July 27, 2023 2:35 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi <zeyi.chen@intel.com>; Wang,
> Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang,
> Guomin <guomin.jiang@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>
> Subject: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
> 
> Patch V5:
> Using define KEY_TYPE_RSASSA to replace the magic number.
> 
> Patch V4:
> Determine the RSA algorithm by a supported algorithm list.
> 
> Patch V3:
> Select SHA algorithm automaticly for a unsigned efi image.
> 
> Patch V2:
> Determine the SHA algorithm by a supported algorithm list.
> Create SHA context for each algorithm.
> 
> Test Case:
> 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image under UEFI
> shell.
> 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image under UEFI
> shell.
> 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image under UEFI
> shell.
> 4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI shell
> 
> Test Result:
> Pass
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Zeyi Chen <zeyi.chen@intel.com>
> Cc: Fiona Wang <fiona.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> 
> Sheng Wei (3):
>   MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
>   CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to
>     ImageTimestampVerify
>   SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
> 
>  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
>  MdePkg/Include/Guid/ImageAuthentication.h     |  26 +++
>  MdePkg/MdePkg.dec                             |   2 +
>  .../Library/AuthVariableLib/AuthService.c     | 220 +++++++++++++++---
>  .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
>  .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
>  .../DxeImageVerificationLib.c                 |  73 +++---
>  .../SecureBootConfigDxe.inf                   |  16 ++
>  .../SecureBootConfigImpl.c                    | 114 +++++++--
>  .../SecureBootConfigImpl.h                    |   7 +
>  .../SecureBootConfigStrings.uni               |   6 +
>  11 files changed, 421 insertions(+), 92 deletions(-)
> 
> --
> 2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107300): https://edk2.groups.io/g/devel/message/107300
Mute This Topic: https://groups.io/mt/100385941/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
Posted by Sheng Wei 9 months, 1 week ago 
Here are my negative tests.
1) Enroll a RSA2048 Cert, execute an unsigned efi image.
2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image.
3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image.
4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi image.

Test Result:
Get "Access Denied" when try to execute the efi image.

Thank you.
BR
Sheng Wei

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: 2023年7月27日 17:45
> To: Sheng, W <w.sheng@intel.com>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> Chen, Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>;
> Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> <guomin.jiang@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>
> Subject: RE: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
> 
> Thanks. May I know what *negative* test you have done?
> 
> 
> > -----Original Message-----
> > From: Sheng, W <w.sheng@intel.com>
> > Sent: Thursday, July 27, 2023 2:35 PM
> > To: devel@edk2.groups.io
> > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
> > Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming
> > <gaoliming@byosoft.com.cn>
> > Subject: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
> >
> > Patch V5:
> > Using define KEY_TYPE_RSASSA to replace the magic number.
> >
> > Patch V4:
> > Determine the RSA algorithm by a supported algorithm list.
> >
> > Patch V3:
> > Select SHA algorithm automaticly for a unsigned efi image.
> >
> > Patch V2:
> > Determine the SHA algorithm by a supported algorithm list.
> > Create SHA context for each algorithm.
> >
> > Test Case:
> > 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image
> > under UEFI shell.
> > 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image
> > under UEFI shell.
> > 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image
> > under UEFI shell.
> > 4. Enroll an unsigned efi image, execute the unsigned efi image under
> > UEFI shell
> >
> > Test Result:
> > Pass
> >
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Min Xu <min.m.xu@intel.com>
> > Cc: Zeyi Chen <zeyi.chen@intel.com>
> > Cc: Fiona Wang <fiona.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> >
> > Sheng Wei (3):
> >   MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
> >   CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to
> >     ImageTimestampVerify
> >   SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
> >
> >  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
> >  MdePkg/Include/Guid/ImageAuthentication.h     |  26 +++
> >  MdePkg/MdePkg.dec                             |   2 +
> >  .../Library/AuthVariableLib/AuthService.c     | 220 +++++++++++++++---
> >  .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
> >  .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
> >  .../DxeImageVerificationLib.c                 |  73 +++---
> >  .../SecureBootConfigDxe.inf                   |  16 ++
> >  .../SecureBootConfigImpl.c                    | 114 +++++++--
> >  .../SecureBootConfigImpl.h                    |   7 +
> >  .../SecureBootConfigStrings.uni               |   6 +
> >  11 files changed, 421 insertions(+), 92 deletions(-)
> >
> > --
> > 2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107306): https://edk2.groups.io/g/devel/message/107306
Mute This Topic: https://groups.io/mt/100385941/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
Posted by Yao, Jiewen 9 months, 1 week ago 
OK. Thanks!

> -----Original Message-----
> From: Sheng, W <w.sheng@intel.com>
> Sent: Friday, July 28, 2023 9:50 AM
> To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> Chen, Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu,
> Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
> Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming
> <gaoliming@byosoft.com.cn>
> Subject: RE: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
> 
> Here are my negative tests.
> 1) Enroll a RSA2048 Cert, execute an unsigned efi image.
> 2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image.
> 3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image.
> 4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi
> image.
> 
> Test Result:
> Get "Access Denied" when try to execute the efi image.
> 
> Thank you.
> BR
> Sheng Wei
> 
> > -----Original Message-----
> > From: Yao, Jiewen <jiewen.yao@intel.com>
> > Sent: 2023年7月27日 17:45
> > To: Sheng, W <w.sheng@intel.com>; devel@edk2.groups.io
> > Cc: Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> > Chen, Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>;
> > Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> > <guomin.jiang@intel.com>; Kinney, Michael D
> > <michael.d.kinney@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>
> > Subject: RE: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
> >
> > Thanks. May I know what *negative* test you have done?
> >
> >
> > > -----Original Message-----
> > > From: Sheng, W <w.sheng@intel.com>
> > > Sent: Thursday, July 27, 2023 2:35 PM
> > > To: devel@edk2.groups.io
> > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> > > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
> > > Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming
> > > <gaoliming@byosoft.com.cn>
> > > Subject: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
> > >
> > > Patch V5:
> > > Using define KEY_TYPE_RSASSA to replace the magic number.
> > >
> > > Patch V4:
> > > Determine the RSA algorithm by a supported algorithm list.
> > >
> > > Patch V3:
> > > Select SHA algorithm automaticly for a unsigned efi image.
> > >
> > > Patch V2:
> > > Determine the SHA algorithm by a supported algorithm list.
> > > Create SHA context for each algorithm.
> > >
> > > Test Case:
> > > 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image
> > > under UEFI shell.
> > > 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image
> > > under UEFI shell.
> > > 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image
> > > under UEFI shell.
> > > 4. Enroll an unsigned efi image, execute the unsigned efi image under
> > > UEFI shell
> > >
> > > Test Result:
> > > Pass
> > >
> > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > Cc: Min Xu <min.m.xu@intel.com>
> > > Cc: Zeyi Chen <zeyi.chen@intel.com>
> > > Cc: Fiona Wang <fiona.wang@intel.com>
> > > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> > > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> > >
> > > Sheng Wei (3):
> > >   MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
> > >   CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to
> > >     ImageTimestampVerify
> > >   SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
> > >
> > >  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
> > >  MdePkg/Include/Guid/ImageAuthentication.h     |  26 +++
> > >  MdePkg/MdePkg.dec                             |   2 +
> > >  .../Library/AuthVariableLib/AuthService.c     | 220 +++++++++++++++---
> > >  .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
> > >  .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
> > >  .../DxeImageVerificationLib.c                 |  73 +++---
> > >  .../SecureBootConfigDxe.inf                   |  16 ++
> > >  .../SecureBootConfigImpl.c                    | 114 +++++++--
> > >  .../SecureBootConfigImpl.h                    |   7 +
> > >  .../SecureBootConfigStrings.uni               |   6 +
> > >  11 files changed, 421 insertions(+), 92 deletions(-)
> > >
> > > --
> > > 2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107308): https://edk2.groups.io/g/devel/message/107308
Mute This Topic: https://groups.io/mt/100385941/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.