From nobody Mon Feb 9 16:02:37 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+68569+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+68569+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1607538827; cv=none; d=zohomail.com; s=zohoarc; b=Uf14WZJIE0OJHA3v8+Qz9HwWanRJCNSgV6+FFa13SAERyQsHwxGBy/aE9JZr8A1LxckQqEBata9elQ/mpMF6xdgYdya/Dzb2vGsvjEvN1PgqXfU1cFKSD0EcJF55C3pa7/ECIlruZuF4c3/d5NqXge6TXuJPGuYd9SetIUZ8HQg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1607538827; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=exZTlLX3ByWgasGWDlsIdI8PDYjWe7F6WUfroeG5z8M=; b=R+j/14ABY+0RSLCTp6IVHJlcKL9yLxsn/FFNYukoVdRqZs2qTY40PylzQwf0ArY6BGgIkwgzm6DY1TbGKmjYuFY2M0DQADnVHyDBWWDV08WmTJ1EP6ogaYi2LKCyabQ+wMPrG9Hr5LDYyYv4ZIxKU85s5FzeAduRR+CNOkKPodI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+68569+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1607538827255291.76439779689053; Wed, 9 Dec 2020 10:33:47 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id mFoxYY1788612xkaQOQRtYZf; Wed, 09 Dec 2020 10:33:46 -0800 X-Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mx.groups.io with SMTP id smtpd.web09.199.1607538825216147333 for ; Wed, 09 Dec 2020 10:33:46 -0800 IronPort-SDR: CreBqDdpZHDmBDmEQuq16y0Bn2Wxzq240oLe/yLhf9cv3k0E4GCmrzCnoTUqnUB/BXiFeF8QdR 7LefjKabOpNg== X-IronPort-AV: E=McAfee;i="6000,8403,9830"; a="161177005" X-IronPort-AV: E=Sophos;i="5.78,405,1599548400"; d="scan'208";a="161177005" X-Received: from orsmga008.jf.intel.com ([10.7.209.65]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 09 Dec 2020 10:33:44 -0800 IronPort-SDR: RtF9qLzE9UM2yTdacZd9s8T7CrwpONQod2tZZX5bAV4D1FTOYQFJmPvdddvUZkoO/oCVH0b6aS UzfYxGSbfYDA== X-IronPort-AV: E=Sophos;i="5.78,405,1599548400"; d="scan'208";a="364253181" X-Received: from drwadhaw-mobl.gar.corp.intel.com ([10.252.166.106]) by orsmga008-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 09 Dec 2020 10:33:41 -0800 From: "Wadhawan, Divneil R" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Min Xu , Michael D Kinney Subject: [edk2-devel] [Patch 2/2] SecurityPkg: Add support for SHA-384/SHA-512 digest algos Date: Thu, 10 Dec 2020 00:02:43 +0530 Message-Id: <20201209183243.30504-3-divneil.r.wadhawan@intel.com> In-Reply-To: <20201209183243.30504-1-divneil.r.wadhawan@intel.com> References: <20201209183243.30504-1-divneil.r.wadhawan@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,divneil.r.wadhawan@intel.com X-Gm-Message-State: 8CecciJUcOxBXFjs7f0XZL59x1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1607538826; bh=ryw6zHNx/UnHp8s7HpBRx1k2oZQJlfG5TGgrOpLeW+4=; h=Cc:Date:From:Reply-To:Subject:To; b=V9p7qbLx8VIimydX6xgPY+n++D4Fqu9zstAxUOSMpw+Swydo3weXR/mNstudq0hgFBG zgEpTSTMDLy3r525NewSWY9XVCRRQlUiNYiOkTTH0BnVpepzAn+QblhqphXec6JSUYUKb e0niLRblH63cTe6nBJbyCUJ/RaLh/wlFt04= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" o Existing implementation of Authenticated Variables only support SHA-256 digest algorithms in signing scheme. o This has been extended to support SHA-384 and SHA-512 algorithms Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Cc: Michael D Kinney Signed-off-by: Divneil Rai Wadhawan --- SecurityPkg/Library/AuthVariableLib/AuthService.c | 8 +++-- AuthVariableDigestUpdate.md | 41 +++++++++++++++++++= ++++ 2 files changed, 47 insertions(+), 2 deletions(-) create mode 100644 AuthVariableDigestUpdate.md diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPk= g/Library/AuthVariableLib/AuthService.c index 4fb609504d..8f024c42a8 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -35,6 +35,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent CONST UINT8 mRsaE[] =3D { 0x01, 0x00, 0x01 }; =20 CONST UINT8 mSha256OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x= 04, 0x02, 0x01 }; +CONST UINT8 mSha384OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x= 04, 0x02, 0x02 }; +CONST UINT8 mSha512OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x= 04, 0x02, 0x03 }; =20 // // Requirement for different signature type which have been defined in UEF= I spec. @@ -1901,7 +1903,7 @@ VerifyTimeBasedPayload ( =20 // // SignedData.digestAlgorithms shall contain the digest algorithm used w= hen preparing the - // signature. Only a digest algorithm of SHA-256 is accepted. + // signature. Digest algorithm of SHA-256, SHA-384, SHA-512 are accepted. // // According to PKCS#7 Definition: // SignedData ::=3D SEQUENCE { @@ -1916,7 +1918,9 @@ VerifyTimeBasedPayload ( if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != =3D 0) { if (SigDataSize >=3D (13 + sizeof (mSha256OidValue))) { if (((*(SigData + 1) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE) || - (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256Oid= Value)) !=3D 0)) { + ((CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256Oi= dValue)) !=3D 0) && + (CompareMem (SigData + 13, &mSha384OidValue, sizeof (mSha384Oi= dValue)) !=3D 0) && + (CompareMem (SigData + 13, &mSha512OidValue, sizeof (mSha512Oi= dValue)) !=3D 0))) { return EFI_SECURITY_VIOLATION; } } diff --git a/AuthVariableDigestUpdate.md b/AuthVariableDigestUpdate.md new file mode 100644 index 0000000000..10992845a4 --- /dev/null +++ b/AuthVariableDigestUpdate.md @@ -0,0 +1,41 @@ +# Title: Digest Algorithm flexibility in Authenticated Variable signatures + +# Status: Draft + +# Document: UEFI Specification Version 2.8 + +# License + +SPDX-License-Identifier: CC-BY-4.0 + +# Submitter: [TianoCore Community](https://www.tianocore.org) + +# Summary of the change +EFI_VARIABLE_AUTHENTICATION_2 specifies the SignedData.digestAlgorithms to= be always +SHA256. The implication is that the signing algorithm can use RSA keys gre= ater than +2048 bits, but the digest algorithm remains SHA256. The proposed change is= to allow +digest algorithm to be greater than SHA256. + +# Benefits of the change +This brings agility to the signing mechanism of Authenticated variables by= allowing +it to sign a larger digest. + +# Impact of the change +There is no impact on the existing Authenticated variables. + +# Detailed description of the change [normative updates] + +Bold text indicates the proposed change + +8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2 descriptor +When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is s= et, then the Data buffer shall begin with an instance of a complete (and se= rialized) ... + +Construct a DER-encoded PKCS #7 version 1.5 SignedData (see [RFC2315]) wit= h the signed content as follows: + +a. SignedData.version shall be set to 1 + +b. SignedData.digestAlgorithms shall contain the digest algorithm used whe= n preparing the signature. Only a digest algorithm greater than or equal= to SHA-256 is accepted. + + +# Special Instructions +NA --=20 2.16.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#68569): https://edk2.groups.io/g/devel/message/68569 Mute This Topic: https://groups.io/mt/78836226/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-