[edk2-devel] [PATCH V6 0/2] SecureBoot: Support RSA 512 and RSA 384

Sheng Wei posted 2 patches 9 months ago
[edk2-devel] [PATCH V6 0/2] SecureBoot: Support RSA 512 and RSA 384
Posted by Sheng Wei 9 months ago
Patch V6:
Remove the changes in MdePkg.
The changes of patch v6 are in CryptoPkg and SecurityPkg.
Set signature type to gEfiCertX509Guid when enrolling an RSA3072/RSA4096 KEK.
This signature type is used to check the supported signature and show the strings.

Patch V5:
Use the KEY_TYPE_RSASSA define to replace the magic number.

Patch V4:
Determine the RSA algorithm by a supported algorithm list.

Patch V3:
Select SHA algorithm automatically for an unsigned efi image.

Patch V2:
Determine the SHA algorithm by a supported algorithm list.
Create SHA context for each algorithm.

Test Case:
1. Enroll an RSA4096 Cert, and execute an RSA4096 signed efi image under UEFI shell.
2. Enroll an RSA3072 Cert, and execute an RSA3072 signed efi image under UEFI shell.
3. Enroll an RSA2048 Cert, and execute an RSA2048 signed efi image under UEFI shell.
4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI shell.

Test Result:
Pass

Negative Test Case:
1) Enroll an RSA2048 Cert, execute an unsigned efi image.
2) Enroll an RSA2048 Cert, execute an RSA4096 signed efi image.
3) Enroll an RSA4096 Cert, execute an RSA3072 signed efi image.
4) Enroll an RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi image.

Test Result:
Get "Access Denied" when trying to execute the efi image.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Zeyi Chen <zeyi.chen@intel.com>
Cc: Fiona Wang <fiona.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>

Sheng Wei (2):
  CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to
    ImageTimestampVerify
  SecurityPkg/SecureBoot: Support RSA 512 and RSA 384

 CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
 .../Library/AuthVariableLib/AuthService.c     | 218 +++++++++++++++---
 .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
 .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
 .../DxeImageVerificationLib.c                 |  73 +++---
 .../SecureBootConfigDxe.inf                   |   8 +
 .../SecureBootConfigImpl.c                    |  91 ++++++--
 .../SecureBootConfigImpl.h                    |   7 +
 .../SecureBootConfigStrings.uni               |   2 +
 9 files changed, 356 insertions(+), 92 deletions(-)

-- 
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107611): https://edk2.groups.io/g/devel/message/107611
Mute This Topic: https://groups.io/mt/100596018/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH V6 0/2] SecureBoot: Support RSA 512 and RSA 384
Posted by Yao, Jiewen 9 months ago
> Set signature type to gEfiCertX509Guid when enrolling an RSA3072/RSA4096 KEK.

=======
  switch (KeyLenInBytes) {
  case WIN_CERT_UEFI_RSA2048_SIZE:
    CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
    break;
  case WIN_CERT_UEFI_RSA3072_SIZE:
  case WIN_CERT_UEFI_RSA4096_SIZE:
    CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid);
    break;
  default :
    DEBUG ((DEBUG_ERROR, "Unsupported key length.\n"));
    Status = EFI_UNSUPPORTED;
    goto ON_EXIT;
  }
=======

Sorry that I am not clear on this. I don't mean to use gEfiCertX509Guid to support raw RSA3K or 4K.
I mean to *drop* raw RSA3K or 4K, and only use gEfiCertX509Guid for RSA3K or 4K. You don't need to change EnrollRsa2048ToKek().
Please just support RSA3K or 4K in EnrollX509ToKek(), and add a test case to validate that.

===========
  if (IsDerEncodeCertificate (FilePostFix)) {
    return EnrollX509ToKek (Private);
  } else if (CompareMem (FilePostFix, L".pbk", 4) == 0) {
    return EnrollRsa2048ToKek (Private);
  } else {
===========

Thank you
Yao, Jiewen


> -----Original Message-----
> From: Sheng, W <w.sheng@intel.com>
> Sent: Monday, August 7, 2023 5:10 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi <zeyi.chen@intel.com>; Wang,
> Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang,
> Guomin <guomin.jiang@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>
> Subject: [PATCH V6 0/2] SecureBoot: Support RSA 512 and RSA 384



Re: [edk2-devel] [PATCH V6 0/2] SecureBoot: Support RSA 512 and RSA 384
Posted by Sheng Wei 8 months, 3 weeks ago
Hi Jiewen,
Thank you for the comments.
I updated the patch from V6 to V7, dropping raw RSA3K and RSA4K. The change is in SecurityPkg.
And I did all the tests which are listed in the cover letter. I got the expected results.
Could you help to review/merge the patches?
Thank you.
BR
Sheng Wei


> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: August 7, 2023 19:49
> To: Sheng, W <w.sheng@intel.com>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> Chen, Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>;
> Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> <guomin.jiang@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
> Subject: RE: [PATCH V6 0/2] SecureBoot: Support RSA 512 and RSA 384


