REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Zeyi Chen <zeyi.chen@intel.com>
Cc: Fiona Wang <fiona.wang@intel.com>
Signed-off-by: Sheng Wei <w.sheng@intel.com>
---
.../Library/AuthVariableLib/AuthService.c | 220 +++++++++++++++---
.../AuthVariableLib/AuthServiceInternal.h | 4 +-
.../Library/AuthVariableLib/AuthVariableLib.c | 42 ++--
.../DxeImageVerificationLib.c | 73 +++---
.../SecureBootConfigDxe.inf | 16 ++
.../SecureBootConfigImpl.c | 114 +++++++--
.../SecureBootConfigImpl.h | 7 +
.../SecureBootConfigStrings.uni | 6 +
8 files changed, 391 insertions(+), 91 deletions(-)
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index d81c581d78..4c268a85cd 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -29,12 +29,125 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Protocol/VariablePolicy.h>
#include <Library/VariablePolicyLib.h>
+#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE
+
+/**
+ Retrieves the size, in bytes, of the context buffer required for hash operations.
+
+ If this interface is not supported, then return zero.
+
+ @return The size, in bytes, of the context buffer required for hash operations.
+ @retval 0 This interface is not supported.
+
+**/
+typedef
+UINTN
+(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE)(
+ VOID
+ );
+
+/**
+ Initializes user-supplied memory pointed by Sha1Context as hash context for
+ subsequent use.
+
+ If HashContext is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[out] HashContext Pointer to Hashcontext being initialized.
+
+ @retval TRUE Hash context initialization succeeded.
+ @retval FALSE Hash context initialization failed.
+ @retval FALSE This interface is not supported.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EFI_HASH_INIT)(
+ OUT VOID *HashContext
+ );
+
+/**
+ Digests the input data and updates Hash context.
+
+ This function performs Hash digest on a data buffer of the specified size.
+ It can be called multiple times to compute the digest of long or discontinuous data streams.
+ Hash context should be already correctly initialized by HashInit(), and should not be finalized
+ by HashFinal(). Behavior with invalid context is undefined.
+
+ If HashContext is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in, out] HashContext Pointer to the Hash context.
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval TRUE SHA-1 data digest succeeded.
+ @retval FALSE SHA-1 data digest failed.
+ @retval FALSE This interface is not supported.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EFI_HASH_UPDATE)(
+ IN OUT VOID *HashContext,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ );
+
+/**
+ Completes computation of the Hash digest value.
+
+ This function completes hash computation and retrieves the digest value into
+ the specified memory. After this function has been called, the Hash context cannot
+ be used again.
+ Hash context should be already correctly initialized by HashInit(), and should not be
+ finalized by HashFinal(). Behavior with invalid Hash context is undefined.
+
+ If HashContext is NULL, then return FALSE.
+ If HashValue is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in, out] HashContext Pointer to the Hash context.
+ @param[out] HashValue Pointer to a buffer that receives the Hash digest
+ value.
+
+ @retval TRUE Hash digest computation succeeded.
+ @retval FALSE Hash digest computation failed.
+ @retval FALSE This interface is not supported.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EFI_HASH_FINAL)(
+ IN OUT VOID *HashContext,
+ OUT UINT8 *HashValue
+ );
+
+typedef struct {
+ UINT32 HashSize;
+ EFI_HASH_GET_CONTEXT_SIZE GetContextSize;
+ EFI_HASH_INIT Init;
+ EFI_HASH_UPDATE Update;
+ EFI_HASH_FINAL Final;
+ VOID **HashShaCtx;
+ UINT8 *OidValue;
+ UINTN OidLength;
+} EFI_HASH_INFO;
+
//
// Public Exponent of RSA Key.
//
CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };
-CONST UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
+UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
+UINT8 mSha384OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 };
+UINT8 mSha512OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 };
+
+EFI_HASH_INFO mHashInfo[] = {
+ {SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final, &mHashSha256Ctx, mSha256OidValue, 9},
+ {SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final, &mHashSha384Ctx, mSha384OidValue, 9},
+ {SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final, &mHashSha512Ctx, mSha512OidValue, 9},
+};
//
// Requirement for different signature type which have been defined in UEFI spec.
@@ -44,6 +157,8 @@ EFI_SIGNATURE_ITEM mSupportSigItem[] = {
// {SigType, SigHeaderSize, SigDataSize }
{ EFI_CERT_SHA256_GUID, 0, 32 },
{ EFI_CERT_RSA2048_GUID, 0, 256 },
+ { EFI_CERT_RSA3072_GUID, 0, 384 },
+ { EFI_CERT_RSA4096_GUID, 0, 512 },
{ EFI_CERT_RSA2048_SHA256_GUID, 0, 256 },
{ EFI_CERT_SHA1_GUID, 0, 20 },
{ EFI_CERT_RSA2048_SHA1_GUID, 0, 256 },
@@ -1090,26 +1205,28 @@ AuthServiceInternalCompareTimeStamp (
}
/**
- Calculate SHA256 digest of SignerCert CommonName + ToplevelCert tbsCertificate
+ Calculate SHA digest of SignerCert CommonName + ToplevelCert tbsCertificate
SignerCert and ToplevelCert are inside the signer certificate chain.
+ @param[in] HashAlgId Hash algorithm index
@param[in] SignerCert A pointer to SignerCert data.
@param[in] SignerCertSize Length of SignerCert data.
@param[in] TopLevelCert A pointer to TopLevelCert data.
@param[in] TopLevelCertSize Length of TopLevelCert data.
- @param[out] Sha256Digest Sha256 digest calculated.
+ @param[out] ShaDigest Sha digest calculated.
@return EFI_ABORTED Digest process failed.
- @return EFI_SUCCESS SHA256 Digest is successfully calculated.
+ @return EFI_SUCCESS SHA Digest is successfully calculated.
**/
EFI_STATUS
-CalculatePrivAuthVarSignChainSHA256Digest (
+CalculatePrivAuthVarSignChainSHADigest (
+ IN UINT8 HashAlgId,
IN UINT8 *SignerCert,
IN UINTN SignerCertSize,
IN UINT8 *TopLevelCert,
IN UINTN TopLevelCertSize,
- OUT UINT8 *Sha256Digest
+ OUT UINT8 *ShaDigest
)
{
UINT8 *TbsCert;
@@ -1119,6 +1236,11 @@ CalculatePrivAuthVarSignChainSHA256Digest (
BOOLEAN CryptoStatus;
EFI_STATUS Status;
+ if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
+ DEBUG ((DEBUG_INFO, "%a Unsupported Hash Algorithm %d\n", __func__, HashAlgId));
+ return EFI_ABORTED;
+ }
+
CertCommonNameSize = sizeof (CertCommonName);
//
@@ -1141,8 +1263,8 @@ CalculatePrivAuthVarSignChainSHA256Digest (
//
// Digest SignerCert CN + TopLevelCert tbsCertificate
//
- ZeroMem (Sha256Digest, SHA256_DIGEST_SIZE);
- CryptoStatus = Sha256Init (mHashCtx);
+ ZeroMem (ShaDigest, mHashInfo[HashAlgId].HashSize);
+ CryptoStatus = mHashInfo[HashAlgId].Init (*(mHashInfo[HashAlgId].HashShaCtx));
if (!CryptoStatus) {
return EFI_ABORTED;
}
@@ -1150,8 +1272,8 @@ CalculatePrivAuthVarSignChainSHA256Digest (
//
// '\0' is forced in CertCommonName. No overflow issue
//
- CryptoStatus = Sha256Update (
- mHashCtx,
+ CryptoStatus = mHashInfo[HashAlgId].Update (
+ *(mHashInfo[HashAlgId].HashShaCtx),
CertCommonName,
AsciiStrLen (CertCommonName)
);
@@ -1159,12 +1281,12 @@ CalculatePrivAuthVarSignChainSHA256Digest (
return EFI_ABORTED;
}
- CryptoStatus = Sha256Update (mHashCtx, TbsCert, TbsCertSize);
+ CryptoStatus = mHashInfo[HashAlgId].Update (*(mHashInfo[HashAlgId].HashShaCtx), TbsCert, TbsCertSize);
if (!CryptoStatus) {
return EFI_ABORTED;
}
- CryptoStatus = Sha256Final (mHashCtx, Sha256Digest);
+ CryptoStatus = mHashInfo[HashAlgId].Final (*(mHashInfo[HashAlgId].HashShaCtx), ShaDigest);
if (!CryptoStatus) {
return EFI_ABORTED;
}
@@ -1516,9 +1638,10 @@ DeleteCertsFromDb (
/**
Insert signer's certificates for common authenticated variable with VariableName
and VendorGuid in AUTH_CERT_DB_DATA to "certdb" or "certdbv" according to
- time based authenticated variable attributes. CertData is the SHA256 digest of
+ time based authenticated variable attributes. CertData is the SHA digest of
SignerCert CommonName + TopLevelCert tbsCertificate.
+ @param[in] HashAlgId Hash algorithm index.
@param[in] VariableName Name of authenticated Variable.
@param[in] VendorGuid Vendor GUID of authenticated Variable.
@param[in] Attributes Attributes of authenticated variable.
@@ -1536,6 +1659,7 @@ DeleteCertsFromDb (
**/
EFI_STATUS
InsertCertsToDb (
+ IN UINT8 HashAlgId,
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid,
IN UINT32 Attributes,
@@ -1556,12 +1680,16 @@ InsertCertsToDb (
UINT32 CertDataSize;
AUTH_CERT_DB_DATA *Ptr;
CHAR16 *DbName;
- UINT8 Sha256Digest[SHA256_DIGEST_SIZE];
+ UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX];
if ((VariableName == NULL) || (VendorGuid == NULL) || (SignerCert == NULL) || (TopLevelCert == NULL)) {
return EFI_INVALID_PARAMETER;
}
+ if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
+ return EFI_INVALID_PARAMETER;
+ }
+
if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) {
//
// Get variable "certdb".
@@ -1618,20 +1746,22 @@ InsertCertsToDb (
// Construct new data content of variable "certdb" or "certdbv".
//
NameSize = (UINT32)StrLen (VariableName);
- CertDataSize = sizeof (Sha256Digest);
+ CertDataSize = mHashInfo[HashAlgId].HashSize;
CertNodeSize = sizeof (AUTH_CERT_DB_DATA) + (UINT32)CertDataSize + NameSize * sizeof (CHAR16);
NewCertDbSize = (UINT32)DataSize + CertNodeSize;
if (NewCertDbSize > mMaxCertDbSize) {
return EFI_OUT_OF_RESOURCES;
}
- Status = CalculatePrivAuthVarSignChainSHA256Digest (
+ Status = CalculatePrivAuthVarSignChainSHADigest (
+ HashAlgId,
SignerCert,
SignerCertSize,
TopLevelCert,
TopLevelCertSize,
- Sha256Digest
+ ShaDigest
);
+
if (EFI_ERROR (Status)) {
return Status;
}
@@ -1663,7 +1793,7 @@ InsertCertsToDb (
CopyMem (
(UINT8 *)Ptr + sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof (CHAR16),
- Sha256Digest,
+ ShaDigest,
CertDataSize
);
@@ -1790,6 +1920,36 @@ CleanCertsFromDb (
return Status;
}
+/**
+ Find hash algorithm index
+
+ @param[in] SigData Pointer to the PKCS#7 message
+ @param[in] SigDataSize Length of the PKCS#7 message
+
+ @retval UINT8 Hash Algorithm Index
+**/
+UINT8
+FindHashAlgorithmIndex (
+ IN UINT8 *SigData,
+ IN UINT32 SigDataSize
+)
+{
+ UINT8 i;
+
+ for (i = 0; i < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO)); i++) {
+ if ( ( (SigDataSize >= (13 + mHashInfo[i].OidLength))
+ && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE)
+ && (CompareMem (SigData + 13, mHashInfo[i].OidValue, mHashInfo[i].OidLength) == 0)))
+ || (( (SigDataSize >= (32 + mHashInfo[i].OidLength)))
+ && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE)
+ && (CompareMem (SigData + 32, mHashInfo[i].OidValue, mHashInfo[i].OidLength) == 0))))
+ {
+ break;
+ }
+ }
+ return i;
+}
+
/**
Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
@@ -1857,8 +2017,9 @@ VerifyTimeBasedPayload (
UINTN CertStackSize;
UINT8 *CertsInCertDb;
UINT32 CertsSizeinDb;
- UINT8 Sha256Digest[SHA256_DIGEST_SIZE];
+ UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX];
EFI_CERT_DATA *CertDataPtr;
+ UINT8 HashAlgId;
//
// 1. TopLevelCert is the top-level issuer certificate in signature Signer Cert Chain
@@ -1928,7 +2089,7 @@ VerifyTimeBasedPayload (
//
// SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the
- // signature. Only a digest algorithm of SHA-256 is accepted.
+ // signature. Only a digest algorithm of SHA-256, SHA-384 or SHA-512 is accepted.
//
// According to PKCS#7 Definition (https://www.rfc-editor.org/rfc/rfc2315):
// SignedData ::= SEQUENCE {
@@ -1972,14 +2133,9 @@ VerifyTimeBasedPayload (
//
// Example generated with: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Manual_process
//
+ HashAlgId = FindHashAlgorithmIndex (SigData, SigDataSize);
if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
- if ( ( (SigDataSize >= (13 + sizeof (mSha256OidValue)))
- && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
- || (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)))
- && ( (SigDataSize >= (32 + sizeof (mSha256OidValue)))
- && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
- || (CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha256OidValue)) != 0))))
- {
+ if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
return EFI_SECURITY_VIOLATION;
}
}
@@ -2170,19 +2326,20 @@ VerifyTimeBasedPayload (
goto Exit;
}
- if (CertsSizeinDb == SHA256_DIGEST_SIZE) {
+ if ((HashAlgId < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) && (CertsSizeinDb == mHashInfo[HashAlgId].HashSize)) {
//
// Check hash of signer cert CommonName + Top-level issuer tbsCertificate against data in CertDb
//
CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
- Status = CalculatePrivAuthVarSignChainSHA256Digest (
+ Status = CalculatePrivAuthVarSignChainSHADigest (
+ HashAlgId,
CertDataPtr->CertDataBuffer,
ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)),
TopLevelCert,
TopLevelCertSize,
- Sha256Digest
+ ShaDigest
);
- if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, CertsInCertDb, CertsSizeinDb) != 0)) {
+ if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb, CertsSizeinDb) != 0)) {
goto Exit;
}
} else {
@@ -2215,6 +2372,7 @@ VerifyTimeBasedPayload (
//
CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
Status = InsertCertsToDb (
+ HashAlgId,
VariableName,
VendorGuid,
Attributes,
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
index b202e613bc..f7bf771d55 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
+++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
@@ -92,7 +92,9 @@ extern UINT32 mMaxCertDbSize;
extern UINT32 mPlatformMode;
extern UINT8 mVendorKeyState;
-extern VOID *mHashCtx;
+extern VOID *mHashSha256Ctx;
+extern VOID *mHashSha384Ctx;
+extern VOID *mHashSha512Ctx;
extern AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn;
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index dc61ae840c..19e0004699 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -26,12 +26,14 @@ UINT32 mMaxCertDbSize;
UINT32 mPlatformMode;
UINT8 mVendorKeyState;
-EFI_GUID mSignatureSupport[] = { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID };
+EFI_GUID mSignatureSupport[] = { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_RSA3072_GUID, EFI_CERT_RSA4096_GUID, EFI_CERT_X509_GUID };
//
// Hash context pointer
//
-VOID *mHashCtx = NULL;
+VOID *mHashSha256Ctx = NULL;
+VOID *mHashSha384Ctx = NULL;
+VOID *mHashSha512Ctx = NULL;
VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = {
{
@@ -91,7 +93,7 @@ VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = {
},
};
-VOID **mAuthVarAddressPointer[9];
+VOID **mAuthVarAddressPointer[11];
AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn = NULL;
@@ -120,7 +122,6 @@ AuthVariableLibInitialize (
UINT32 VarAttr;
UINT8 *Data;
UINTN DataSize;
- UINTN CtxSize;
UINT8 SecureBootMode;
UINT8 SecureBootEnable;
UINT8 CustomMode;
@@ -135,9 +136,18 @@ AuthVariableLibInitialize (
//
// Initialize hash context.
//
- CtxSize = Sha256GetContextSize ();
- mHashCtx = AllocateRuntimePool (CtxSize);
- if (mHashCtx == NULL) {
+ mHashSha256Ctx = AllocateRuntimePool (Sha256GetContextSize ());
+ if (mHashSha256Ctx == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ mHashSha384Ctx = AllocateRuntimePool (Sha384GetContextSize ());
+ if (mHashSha384Ctx == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ mHashSha512Ctx = AllocateRuntimePool (Sha512GetContextSize ());
+ if (mHashSha512Ctx == NULL) {
return EFI_OUT_OF_RESOURCES;
}
@@ -356,14 +366,16 @@ AuthVariableLibInitialize (
AuthVarLibContextOut->AuthVarEntry = mAuthVarEntry;
AuthVarLibContextOut->AuthVarEntryCount = ARRAY_SIZE (mAuthVarEntry);
mAuthVarAddressPointer[0] = (VOID **)&mCertDbStore;
- mAuthVarAddressPointer[1] = (VOID **)&mHashCtx;
- mAuthVarAddressPointer[2] = (VOID **)&mAuthVarLibContextIn;
- mAuthVarAddressPointer[3] = (VOID **)&(mAuthVarLibContextIn->FindVariable),
- mAuthVarAddressPointer[4] = (VOID **)&(mAuthVarLibContextIn->FindNextVariable),
- mAuthVarAddressPointer[5] = (VOID **)&(mAuthVarLibContextIn->UpdateVariable),
- mAuthVarAddressPointer[6] = (VOID **)&(mAuthVarLibContextIn->GetScratchBuffer),
- mAuthVarAddressPointer[7] = (VOID **)&(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency),
- mAuthVarAddressPointer[8] = (VOID **)&(mAuthVarLibContextIn->AtRuntime),
+ mAuthVarAddressPointer[1] = (VOID **)&mHashSha256Ctx;
+ mAuthVarAddressPointer[2] = (VOID **)&mHashSha384Ctx;
+ mAuthVarAddressPointer[3] = (VOID **)&mHashSha512Ctx;
+ mAuthVarAddressPointer[4] = (VOID **)&mAuthVarLibContextIn;
+ mAuthVarAddressPointer[5] = (VOID **)&(mAuthVarLibContextIn->FindVariable),
+ mAuthVarAddressPointer[6] = (VOID **)&(mAuthVarLibContextIn->FindNextVariable),
+ mAuthVarAddressPointer[7] = (VOID **)&(mAuthVarLibContextIn->UpdateVariable),
+ mAuthVarAddressPointer[8] = (VOID **)&(mAuthVarLibContextIn->GetScratchBuffer),
+ mAuthVarAddressPointer[9] = (VOID **)&(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency),
+ mAuthVarAddressPointer[10] = (VOID **)&(mAuthVarLibContextIn->AtRuntime),
AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer;
AuthVarLibContextOut->AddressPointerCount = ARRAY_SIZE (mAuthVarAddressPointer);
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 5d8dbd5468..88b2d3c6c1 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1620,7 +1620,7 @@ Done:
in the security database "db", and no valid signature nor any hash value of the image may
be reflected in the security database "dbx".
Otherwise, the image is not signed,
- The SHA256 hash value of the image must match a record in the security database "db", and
+ The hash value of the image must match a record in the security database "db", and
not be reflected in the security data base "dbx".
Caution: This function may receive untrusted input.
@@ -1690,6 +1690,8 @@ DxeImageVerificationHandler (
EFI_STATUS VarStatus;
UINT32 VarAttr;
BOOLEAN IsFound;
+ UINT8 HashAlg;
+ BOOLEAN IsFoundInDatabase;
SignatureList = NULL;
SignatureListSize = 0;
@@ -1699,6 +1701,7 @@ DxeImageVerificationHandler (
Action = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;
IsVerified = FALSE;
IsFound = FALSE;
+ IsFoundInDatabase = FALSE;
//
// Check the image type and get policy setting.
@@ -1837,40 +1840,50 @@ DxeImageVerificationHandler (
//
if ((SecDataDir == NULL) || (SecDataDir->Size == 0)) {
//
- // This image is not signed. The SHA256 hash value of the image must match a record in the security database "db",
+ // This image is not signed. The hash value of the image must match a record in the security database "db",
// and not be reflected in the security data base "dbx".
//
- if (!HashPeImage (HASHALG_SHA256)) {
- DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image using %s.\n", mHashTypeStr));
- goto Failed;
- }
+ HashAlg = sizeof (mHash) / sizeof (HASH_TABLE);
+ while (HashAlg > 0) {
+ HashAlg--;
+ if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit == NULL) || (mHash[HashAlg].HashUpdate == NULL) || (mHash[HashAlg].HashFinal == NULL)) {
+ continue;
+ }
+ if (!HashPeImage (HashAlg)) {
+ continue;
+ }
- DbStatus = IsSignatureFoundInDatabase (
- EFI_IMAGE_SECURITY_DATABASE1,
- mImageDigest,
- &mCertType,
- mImageDigestSize,
- &IsFound
- );
- if (EFI_ERROR (DbStatus) || IsFound) {
- //
- // Image Hash is in forbidden database (DBX).
- //
- DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
- goto Failed;
+ DbStatus = IsSignatureFoundInDatabase (
+ EFI_IMAGE_SECURITY_DATABASE1,
+ mImageDigest,
+ &mCertType,
+ mImageDigestSize,
+ &IsFound
+ );
+ if (EFI_ERROR (DbStatus) || IsFound) {
+ //
+ // Image Hash is in forbidden database (DBX).
+ //
+ DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
+ goto Failed;
+ }
+
+ DbStatus = IsSignatureFoundInDatabase (
+ EFI_IMAGE_SECURITY_DATABASE,
+ mImageDigest,
+ &mCertType,
+ mImageDigestSize,
+ &IsFound
+ );
+ if (!EFI_ERROR (DbStatus) && IsFound) {
+ //
+ // Image Hash is in allowed database (DB).
+ //
+ IsFoundInDatabase = TRUE;
+ }
}
- DbStatus = IsSignatureFoundInDatabase (
- EFI_IMAGE_SECURITY_DATABASE,
- mImageDigest,
- &mCertType,
- mImageDigestSize,
- &IsFound
- );
- if (!EFI_ERROR (DbStatus) && IsFound) {
- //
- // Image Hash is in allowed database (DB).
- //
+ if (IsFoundInDatabase) {
return EFI_SUCCESS;
}
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
index 1671d5be7c..cb52a16c09 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
@@ -70,6 +70,14 @@
## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
gEfiCertRsa2048Guid
+ ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
+ ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
+ gEfiCertRsa3072Guid
+
+ ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
+ ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
+ gEfiCertRsa4096Guid
+
## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
gEfiCertX509Guid
@@ -82,6 +90,14 @@
## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
gEfiCertSha256Guid
+ ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
+ ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
+ gEfiCertSha384Guid
+
+ ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
+ ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
+ gEfiCertSha512Guid
+
## SOMETIMES_CONSUMES ## Variable:L"db"
## SOMETIMES_PRODUCES ## Variable:L"db"
## SOMETIMES_CONSUMES ## Variable:L"dbx"
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index 0e31502b1b..de9d801109 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -560,7 +560,7 @@ ON_EXIT:
**/
EFI_STATUS
-EnrollRsa2048ToKek (
+EnrollRsaToKek (
IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private
)
{
@@ -603,8 +603,19 @@ EnrollRsa2048ToKek (
ASSERT (KeyBlob != NULL);
KeyInfo = (CPL_KEY_INFO *)KeyBlob;
- if (KeyInfo->KeyLengthInBits / 8 != WIN_CERT_UEFI_RSA2048_SIZE) {
- DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is supported.\n"));
+ if (KeyInfo->KeyType == KEY_TYPE_RSASSA) {
+ switch (KeyInfo->KeyLengthInBits / 8) {
+ case WIN_CERT_UEFI_RSA2048_SIZE:
+ case WIN_CERT_UEFI_RSA3072_SIZE:
+ case WIN_CERT_UEFI_RSA4096_SIZE:
+ break;
+ default :
+ DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048, RSA3072 and RSA4096 are supported.\n"));
+ Status = EFI_UNSUPPORTED;
+ goto ON_EXIT;
+ }
+ } else {
+ DEBUG ((DEBUG_ERROR, "Unsupported key type : %d, only 0 is supported.\n", KeyInfo->KeyType));
Status = EFI_UNSUPPORTED;
goto ON_EXIT;
}
@@ -632,7 +643,7 @@ EnrollRsa2048ToKek (
//
KekSigListSize = sizeof (EFI_SIGNATURE_LIST)
+ sizeof (EFI_SIGNATURE_DATA) - 1
- + WIN_CERT_UEFI_RSA2048_SIZE;
+ + KeyLenInBytes;
KekSigList = (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSize);
if (KekSigList == NULL) {
@@ -642,17 +653,32 @@ EnrollRsa2048ToKek (
KekSigList->SignatureListSize = sizeof (EFI_SIGNATURE_LIST)
+ sizeof (EFI_SIGNATURE_DATA) - 1
- + WIN_CERT_UEFI_RSA2048_SIZE;
+ + (UINT32) KeyLenInBytes;
KekSigList->SignatureHeaderSize = 0;
- KekSigList->SignatureSize = sizeof (EFI_SIGNATURE_DATA) - 1 + WIN_CERT_UEFI_RSA2048_SIZE;
- CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
+ KekSigList->SignatureSize = sizeof (EFI_SIGNATURE_DATA) - 1 + (UINT32) KeyLenInBytes;
+ switch (KeyLenInBytes) {
+ case WIN_CERT_UEFI_RSA2048_SIZE:
+ CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
+ break;
+ case WIN_CERT_UEFI_RSA3072_SIZE:
+ CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid);
+ break;
+ case WIN_CERT_UEFI_RSA4096_SIZE:
+ CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid);
+ break;
+ break;
+ default :
+ DEBUG ((DEBUG_ERROR, "Unsupported key length.\n"));
+ Status = EFI_UNSUPPORTED;
+ goto ON_EXIT;
+ }
KEKSigData = (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof (EFI_SIGNATURE_LIST));
CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID);
CopyMem (
KEKSigData->SignatureData,
KeyBlob + sizeof (CPL_KEY_INFO),
- WIN_CERT_UEFI_RSA2048_SIZE
+ KeyLenInBytes
);
//
@@ -890,7 +916,7 @@ EnrollKeyExchangeKey (
if (IsDerEncodeCertificate (FilePostFix)) {
return EnrollX509ToKek (Private);
} else if (CompareMem (FilePostFix, L".pbk", 4) == 0) {
- return EnrollRsa2048ToKek (Private);
+ return EnrollRsaToKek (Private);
} else {
//
// File type is wrong, simply close it
@@ -1847,7 +1873,7 @@ HashPeImage (
SectionHeader = NULL;
Status = FALSE;
- if (HashAlg != HASHALG_SHA256) {
+ if ((HashAlg >= HASHALG_MAX)) {
return FALSE;
}
@@ -1856,8 +1882,25 @@ HashPeImage (
//
ZeroMem (mImageDigest, MAX_DIGEST_SIZE);
- mImageDigestSize = SHA256_DIGEST_SIZE;
- mCertType = gEfiCertSha256Guid;
+ switch (HashAlg) {
+ case HASHALG_SHA256:
+ mImageDigestSize = SHA256_DIGEST_SIZE;
+ mCertType = gEfiCertSha256Guid;
+ break;
+
+ case HASHALG_SHA384:
+ mImageDigestSize = SHA384_DIGEST_SIZE;
+ mCertType = gEfiCertSha384Guid;
+ break;
+
+ case HASHALG_SHA512:
+ mImageDigestSize = SHA512_DIGEST_SIZE;
+ mCertType = gEfiCertSha512Guid;
+ break;
+
+ default:
+ return FALSE;
+ }
CtxSize = mHash[HashAlg].GetContextSize ();
@@ -2251,6 +2294,7 @@ EnrollImageSignatureToSigDB (
UINT32 Attr;
WIN_CERTIFICATE_UEFI_GUID *GuidCertData;
EFI_TIME Time;
+ UINT32 HashAlg;
Data = NULL;
GuidCertData = NULL;
@@ -2289,8 +2333,20 @@ EnrollImageSignatureToSigDB (
}
if (mSecDataDir->SizeOfCert == 0) {
- if (!HashPeImage (HASHALG_SHA256)) {
- Status = EFI_SECURITY_VIOLATION;
+ Status = EFI_SECURITY_VIOLATION;
+ HashAlg = sizeof (mHash) / sizeof (HASH_TABLE);
+ while (HashAlg > 0) {
+ HashAlg--;
+ if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit == NULL) || (mHash[HashAlg].HashUpdate == NULL) || (mHash[HashAlg].HashFinal == NULL)) {
+ continue;
+ }
+ if (HashPeImage (HashAlg)) {
+ Status = EFI_SUCCESS;
+ break;
+ }
+ }
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Fail to get hash digest: %r", Status));
goto ON_EXIT;
}
} else {
@@ -2589,6 +2645,10 @@ UpdateDeletePage (
while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)) {
Help = STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID);
+ } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid)) {
+ Help = STRING_TOKEN (STR_CERT_TYPE_RSA3072_SHA384_GUID);
+ } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid)) {
+ Help = STRING_TOKEN (STR_CERT_TYPE_RSA4096_SHA512_GUID);
} else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
Help = STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID);
} else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid)) {
@@ -2750,6 +2810,8 @@ DeleteKeyExchangeKey (
GuidIndex = 0;
while ((KekDataSize > 0) && (KekDataSize >= CertList->SignatureListSize)) {
if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
+ CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) ||
+ CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) ||
CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid))
{
CopyMem (Data + Offset, CertList, (sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize));
@@ -2952,6 +3014,8 @@ DeleteSignature (
GuidIndex = 0;
while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
+ CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) ||
+ CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) ||
CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) ||
CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) ||
CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid) ||
@@ -3758,12 +3822,20 @@ LoadSignatureList (
while ((RemainingSize > 0) && (RemainingSize >= ListWalker->SignatureListSize)) {
if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa2048Guid)) {
ListType = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256);
+ } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa3072Guid)) {
+ ListType = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384);
+ } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa4096Guid)) {
+ ListType = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512);
} else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Guid)) {
ListType = STRING_TOKEN (STR_LIST_TYPE_X509);
} else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha1Guid)) {
ListType = STRING_TOKEN (STR_LIST_TYPE_SHA1);
} else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha256Guid)) {
ListType = STRING_TOKEN (STR_LIST_TYPE_SHA256);
+ } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha384Guid)) {
+ ListType = STRING_TOKEN (STR_LIST_TYPE_SHA384);
+ } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha512Guid)) {
+ ListType = STRING_TOKEN (STR_LIST_TYPE_SHA512);
} else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha256Guid)) {
ListType = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);
} else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha384Guid)) {
@@ -4001,6 +4073,14 @@ FormatHelpInfo (
ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256);
DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID);
IsCert = TRUE;
+ } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa3072Guid)) {
+ ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384);
+ DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID);
+ IsCert = TRUE;
+ } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa4096Guid)) {
+ ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512);
+ DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID);
+ IsCert = TRUE;
} else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Guid)) {
ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509);
DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID);
@@ -4011,6 +4091,12 @@ FormatHelpInfo (
} else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha256Guid)) {
ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA256);
DataSize = 32;
+ } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha384Guid)) {
+ ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA384);
+ DataSize = 48;
+ } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha512Guid)) {
+ ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA512);
+ DataSize = 64;
} else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Sha256Guid)) {
ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);
DataSize = 32;
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
index 37c66f1b95..ff6e7301af 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
@@ -82,6 +82,8 @@ extern EFI_IFR_GUID_LABEL *mEndLabel;
#define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
#define WIN_CERT_UEFI_RSA2048_SIZE 256
+#define WIN_CERT_UEFI_RSA3072_SIZE 384
+#define WIN_CERT_UEFI_RSA4096_SIZE 512
//
// Support hash types
@@ -98,6 +100,11 @@ extern EFI_IFR_GUID_LABEL *mEndLabel;
//
#define CER_PUBKEY_MIN_SIZE 256
+//
+// Define KeyType for public key storing file
+//
+#define KEY_TYPE_RSASSA 0
+
//
// Types of errors may occur during certificate enrollment.
//
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
index 0d01701de7..1b48acc800 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
@@ -113,6 +113,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP #language en-US "Read the public key of KEK from file"
#string STR_FILE_EXPLORER_TITLE #language en-US "File Explorer"
#string STR_CERT_TYPE_RSA2048_SHA256_GUID #language en-US "RSA2048_SHA256_GUID"
+#string STR_CERT_TYPE_RSA3072_SHA384_GUID #language en-US "RSA3072_SHA384_GUID"
+#string STR_CERT_TYPE_RSA4096_SHA512_GUID #language en-US "RSA4096_SHA512_GUID"
#string STR_CERT_TYPE_PCKS7_GUID #language en-US "PKCS7_GUID"
#string STR_CERT_TYPE_SHA1_GUID #language en-US "SHA1_GUID"
#string STR_CERT_TYPE_SHA256_GUID #language en-US "SHA256_GUID"
@@ -121,9 +123,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#string STR_CERT_TYPE_X509_SHA512_GUID #language en-US "X509_SHA512_GUID"
#string STR_LIST_TYPE_RSA2048_SHA256 #language en-US "RSA2048_SHA256"
+#string STR_LIST_TYPE_RSA3072_SHA384 #language en-US "RSA3072_SHA384"
+#string STR_LIST_TYPE_RSA4096_SHA512 #language en-US "RSA4096_SHA512"
#string STR_LIST_TYPE_X509 #language en-US "X509"
#string STR_LIST_TYPE_SHA1 #language en-US "SHA1"
#string STR_LIST_TYPE_SHA256 #language en-US "SHA256"
+#string STR_LIST_TYPE_SHA384 #language en-US "SHA384"
+#string STR_LIST_TYPE_SHA512 #language en-US "SHA512"
#string STR_LIST_TYPE_X509_SHA256 #language en-US "X509_SHA256"
#string STR_LIST_TYPE_X509_SHA384 #language en-US "X509_SHA384"
#string STR_LIST_TYPE_X509_SHA512 #language en-US "X509_SHA512"
--
2.26.2.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107296): https://edk2.groups.io/g/devel/message/107296
Mute This Topic: https://groups.io/mt/100385944/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
> -----Original Message-----
> From: Sheng, W <w.sheng@intel.com>
> Sent: Thursday, July 27, 2023 2:35 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi <zeyi.chen@intel.com>; Wang,
> Fiona <fiona.wang@intel.com>
> Subject: [PATCH V5 3/3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Zeyi Chen <zeyi.chen@intel.com>
> Cc: Fiona Wang <fiona.wang@intel.com>
> Signed-off-by: Sheng Wei <w.sheng@intel.com>
> ---
> .../Library/AuthVariableLib/AuthService.c | 220 +++++++++++++++---
> .../AuthVariableLib/AuthServiceInternal.h | 4 +-
> .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++--
> .../DxeImageVerificationLib.c | 73 +++---
> .../SecureBootConfigDxe.inf | 16 ++
> .../SecureBootConfigImpl.c | 114 +++++++--
> .../SecureBootConfigImpl.h | 7 +
> .../SecureBootConfigStrings.uni | 6 +
> 8 files changed, 391 insertions(+), 91 deletions(-)
>
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> index d81c581d78..4c268a85cd 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> @@ -29,12 +29,125 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> #include <Protocol/VariablePolicy.h>
>
> #include <Library/VariablePolicyLib.h>
>
>
>
> +#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE
>
> +
>
> +/**
>
> + Retrieves the size, in bytes, of the context buffer required for hash operations.
>
> +
>
> + If this interface is not supported, then return zero.
>
> +
>
> + @return The size, in bytes, of the context buffer required for hash operations.
>
> + @retval 0 This interface is not supported.
>
> +
>
> +**/
>
> +typedef
>
> +UINTN
>
> +(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE)(
>
> + VOID
>
> + );
>
> +
>
> +/**
>
> + Initializes user-supplied memory pointed by Sha1Context as hash context for
>
> + subsequent use.
>
> +
>
> + If HashContext is NULL, then return FALSE.
>
> + If this interface is not supported, then return FALSE.
>
> +
>
> + @param[out] HashContext Pointer to Hashcontext being initialized.
>
> +
>
> + @retval TRUE Hash context initialization succeeded.
>
> + @retval FALSE Hash context initialization failed.
>
> + @retval FALSE This interface is not supported.
>
> +
>
> +**/
>
> +typedef
>
> +BOOLEAN
>
> +(EFIAPI *EFI_HASH_INIT)(
>
> + OUT VOID *HashContext
>
> + );
>
> +
>
> +/**
>
> + Digests the input data and updates Hash context.
>
> +
>
> + This function performs Hash digest on a data buffer of the specified size.
>
> + It can be called multiple times to compute the digest of long or discontinuous
> data streams.
>
> + Hash context should be already correctly initialized by HashInit(), and should
> not be finalized
>
> + by HashFinal(). Behavior with invalid context is undefined.
>
> +
>
> + If HashContext is NULL, then return FALSE.
>
> + If this interface is not supported, then return FALSE.
>
> +
>
> + @param[in, out] HashContext Pointer to the Hash context.
>
> + @param[in] Data Pointer to the buffer containing the data to be
> hashed.
>
> + @param[in] DataSize Size of Data buffer in bytes.
>
> +
>
> + @retval TRUE SHA-1 data digest succeeded.
>
> + @retval FALSE SHA-1 data digest failed.
>
> + @retval FALSE This interface is not supported.
>
> +
>
> +**/
>
> +typedef
>
> +BOOLEAN
>
> +(EFIAPI *EFI_HASH_UPDATE)(
>
> + IN OUT VOID *HashContext,
>
> + IN CONST VOID *Data,
>
> + IN UINTN DataSize
>
> + );
>
> +
>
> +/**
>
> + Completes computation of the Hash digest value.
>
> +
>
> + This function completes hash computation and retrieves the digest value into
>
> + the specified memory. After this function has been called, the Hash context
> cannot
>
> + be used again.
>
> + Hash context should be already correctly initialized by HashInit(), and should
> not be
>
> + finalized by HashFinal(). Behavior with invalid Hash context is undefined.
>
> +
>
> + If HashContext is NULL, then return FALSE.
>
> + If HashValue is NULL, then return FALSE.
>
> + If this interface is not supported, then return FALSE.
>
> +
>
> + @param[in, out] HashContext Pointer to the Hash context.
>
> + @param[out] HashValue Pointer to a buffer that receives the Hash digest
>
> + value.
>
> +
>
> + @retval TRUE Hash digest computation succeeded.
>
> + @retval FALSE Hash digest computation failed.
>
> + @retval FALSE This interface is not supported.
>
> +
>
> +**/
>
> +typedef
>
> +BOOLEAN
>
> +(EFIAPI *EFI_HASH_FINAL)(
>
> + IN OUT VOID *HashContext,
>
> + OUT UINT8 *HashValue
>
> + );
>
> +
>
> +typedef struct {
>
> + UINT32 HashSize;
>
> + EFI_HASH_GET_CONTEXT_SIZE GetContextSize;
>
> + EFI_HASH_INIT Init;
>
> + EFI_HASH_UPDATE Update;
>
> + EFI_HASH_FINAL Final;
>
> + VOID **HashShaCtx;
>
> + UINT8 *OidValue;
>
> + UINTN OidLength;
>
> +} EFI_HASH_INFO;
>
> +
>
> //
>
> // Public Exponent of RSA Key.
>
> //
>
> CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };
>
>
>
> -CONST UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
> 0x02, 0x01 };
>
> +UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02,
> 0x01 };
>
> +UINT8 mSha384OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02,
> 0x02 };
>
> +UINT8 mSha512OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02,
> 0x03 };
>
> +
>
> +EFI_HASH_INFO mHashInfo[] = {
>
> + {SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update,
> Sha256Final, &mHashSha256Ctx, mSha256OidValue, 9},
>
> + {SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, Sha384Update,
> Sha384Final, &mHashSha384Ctx, mSha384OidValue, 9},
>
> + {SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, Sha512Update,
> Sha512Final, &mHashSha512Ctx, mSha512OidValue, 9},
>
> +};
>
>
>
> //
>
> // Requirement for different signature type which have been defined in UEFI
> spec.
>
> @@ -44,6 +157,8 @@ EFI_SIGNATURE_ITEM mSupportSigItem[] = {
> // {SigType, SigHeaderSize, SigDataSize }
>
> { EFI_CERT_SHA256_GUID, 0, 32 },
>
> { EFI_CERT_RSA2048_GUID, 0, 256 },
>
> + { EFI_CERT_RSA3072_GUID, 0, 384 },
>
> + { EFI_CERT_RSA4096_GUID, 0, 512 },
>
> { EFI_CERT_RSA2048_SHA256_GUID, 0, 256 },
>
> { EFI_CERT_SHA1_GUID, 0, 20 },
>
> { EFI_CERT_RSA2048_SHA1_GUID, 0, 256 },
>
> @@ -1090,26 +1205,28 @@ AuthServiceInternalCompareTimeStamp (
> }
>
>
>
> /**
>
> - Calculate SHA256 digest of SignerCert CommonName + ToplevelCert
> tbsCertificate
>
> + Calculate SHA digest of SignerCert CommonName + ToplevelCert tbsCertificate
>
> SignerCert and ToplevelCert are inside the signer certificate chain.
>
>
>
> + @param[in] HashAlgId Hash algorithm index
>
> @param[in] SignerCert A pointer to SignerCert data.
>
> @param[in] SignerCertSize Length of SignerCert data.
>
> @param[in] TopLevelCert A pointer to TopLevelCert data.
>
> @param[in] TopLevelCertSize Length of TopLevelCert data.
>
> - @param[out] Sha256Digest Sha256 digest calculated.
>
> + @param[out] ShaDigest Sha digest calculated.
>
>
>
> @return EFI_ABORTED Digest process failed.
>
> - @return EFI_SUCCESS SHA256 Digest is successfully calculated.
>
> + @return EFI_SUCCESS SHA Digest is successfully calculated.
>
>
>
> **/
>
> EFI_STATUS
>
> -CalculatePrivAuthVarSignChainSHA256Digest (
>
> +CalculatePrivAuthVarSignChainSHADigest (
>
> + IN UINT8 HashAlgId,
>
> IN UINT8 *SignerCert,
>
> IN UINTN SignerCertSize,
>
> IN UINT8 *TopLevelCert,
>
> IN UINTN TopLevelCertSize,
>
> - OUT UINT8 *Sha256Digest
>
> + OUT UINT8 *ShaDigest
>
> )
>
> {
>
> UINT8 *TbsCert;
>
> @@ -1119,6 +1236,11 @@ CalculatePrivAuthVarSignChainSHA256Digest (
> BOOLEAN CryptoStatus;
>
> EFI_STATUS Status;
>
>
>
> + if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
>
> + DEBUG ((DEBUG_INFO, "%a Unsupported Hash Algorithm %d\n", __func__,
> HashAlgId));
>
> + return EFI_ABORTED;
>
> + }
>
> +
>
> CertCommonNameSize = sizeof (CertCommonName);
>
>
>
> //
>
> @@ -1141,8 +1263,8 @@ CalculatePrivAuthVarSignChainSHA256Digest (
> //
>
> // Digest SignerCert CN + TopLevelCert tbsCertificate
>
> //
>
> - ZeroMem (Sha256Digest, SHA256_DIGEST_SIZE);
>
> - CryptoStatus = Sha256Init (mHashCtx);
>
> + ZeroMem (ShaDigest, mHashInfo[HashAlgId].HashSize);
>
> + CryptoStatus = mHashInfo[HashAlgId].Init
> (*(mHashInfo[HashAlgId].HashShaCtx));
>
> if (!CryptoStatus) {
>
> return EFI_ABORTED;
>
> }
>
> @@ -1150,8 +1272,8 @@ CalculatePrivAuthVarSignChainSHA256Digest (
> //
>
> // '\0' is forced in CertCommonName. No overflow issue
>
> //
>
> - CryptoStatus = Sha256Update (
>
> - mHashCtx,
>
> + CryptoStatus = mHashInfo[HashAlgId].Update (
>
> + *(mHashInfo[HashAlgId].HashShaCtx),
>
> CertCommonName,
>
> AsciiStrLen (CertCommonName)
>
> );
>
> @@ -1159,12 +1281,12 @@ CalculatePrivAuthVarSignChainSHA256Digest (
> return EFI_ABORTED;
>
> }
>
>
>
> - CryptoStatus = Sha256Update (mHashCtx, TbsCert, TbsCertSize);
>
> + CryptoStatus = mHashInfo[HashAlgId].Update
> (*(mHashInfo[HashAlgId].HashShaCtx), TbsCert, TbsCertSize);
>
> if (!CryptoStatus) {
>
> return EFI_ABORTED;
>
> }
>
>
>
> - CryptoStatus = Sha256Final (mHashCtx, Sha256Digest);
>
> + CryptoStatus = mHashInfo[HashAlgId].Final
> (*(mHashInfo[HashAlgId].HashShaCtx), ShaDigest);
>
> if (!CryptoStatus) {
>
> return EFI_ABORTED;
>
> }
>
> @@ -1516,9 +1638,10 @@ DeleteCertsFromDb (
> /**
>
> Insert signer's certificates for common authenticated variable with
> VariableName
>
> and VendorGuid in AUTH_CERT_DB_DATA to "certdb" or "certdbv" according to
>
> - time based authenticated variable attributes. CertData is the SHA256 digest of
>
> + time based authenticated variable attributes. CertData is the SHA digest of
>
> SignerCert CommonName + TopLevelCert tbsCertificate.
>
>
>
> + @param[in] HashAlgId Hash algorithm index.
>
> @param[in] VariableName Name of authenticated Variable.
>
> @param[in] VendorGuid Vendor GUID of authenticated Variable.
>
> @param[in] Attributes Attributes of authenticated variable.
>
> @@ -1536,6 +1659,7 @@ DeleteCertsFromDb (
> **/
>
> EFI_STATUS
>
> InsertCertsToDb (
>
> + IN UINT8 HashAlgId,
>
> IN CHAR16 *VariableName,
>
> IN EFI_GUID *VendorGuid,
>
> IN UINT32 Attributes,
>
> @@ -1556,12 +1680,16 @@ InsertCertsToDb (
> UINT32 CertDataSize;
>
> AUTH_CERT_DB_DATA *Ptr;
>
> CHAR16 *DbName;
>
> - UINT8 Sha256Digest[SHA256_DIGEST_SIZE];
>
> + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX];
>
>
>
> if ((VariableName == NULL) || (VendorGuid == NULL) || (SignerCert == NULL) ||
> (TopLevelCert == NULL)) {
>
> return EFI_INVALID_PARAMETER;
>
> }
>
>
>
> + if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
>
> + return EFI_INVALID_PARAMETER;
>
> + }
>
> +
>
> if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) {
>
> //
>
> // Get variable "certdb".
>
> @@ -1618,20 +1746,22 @@ InsertCertsToDb (
> // Construct new data content of variable "certdb" or "certdbv".
>
> //
>
> NameSize = (UINT32)StrLen (VariableName);
>
> - CertDataSize = sizeof (Sha256Digest);
>
> + CertDataSize = mHashInfo[HashAlgId].HashSize;
>
> CertNodeSize = sizeof (AUTH_CERT_DB_DATA) + (UINT32)CertDataSize +
> NameSize * sizeof (CHAR16);
>
> NewCertDbSize = (UINT32)DataSize + CertNodeSize;
>
> if (NewCertDbSize > mMaxCertDbSize) {
>
> return EFI_OUT_OF_RESOURCES;
>
> }
>
>
>
> - Status = CalculatePrivAuthVarSignChainSHA256Digest (
>
> + Status = CalculatePrivAuthVarSignChainSHADigest (
>
> + HashAlgId,
>
> SignerCert,
>
> SignerCertSize,
>
> TopLevelCert,
>
> TopLevelCertSize,
>
> - Sha256Digest
>
> + ShaDigest
>
> );
>
> +
>
> if (EFI_ERROR (Status)) {
>
> return Status;
>
> }
>
> @@ -1663,7 +1793,7 @@ InsertCertsToDb (
>
>
> CopyMem (
>
> (UINT8 *)Ptr + sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof (CHAR16),
>
> - Sha256Digest,
>
> + ShaDigest,
>
> CertDataSize
>
> );
>
>
>
> @@ -1790,6 +1920,36 @@ CleanCertsFromDb (
> return Status;
>
> }
>
>
>
> +/**
>
> + Find hash algorithm index
>
> +
>
> + @param[in] SigData Pointer to the PKCS#7 message
>
> + @param[in] SigDataSize Length of the PKCS#7 message
>
> +
>
> + @retval UINT8 Hash Algorithm Index
>
> +**/
>
> +UINT8
>
> +FindHashAlgorithmIndex (
>
> + IN UINT8 *SigData,
>
> + IN UINT32 SigDataSize
>
> +)
>
> +{
>
> + UINT8 i;
>
> +
>
> + for (i = 0; i < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO)); i++) {
>
> + if ( ( (SigDataSize >= (13 + mHashInfo[i].OidLength))
>
> + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE)
>
> + && (CompareMem (SigData + 13, mHashInfo[i].OidValue,
> mHashInfo[i].OidLength) == 0)))
>
> + || (( (SigDataSize >= (32 + mHashInfo[i].OidLength)))
>
> + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE)
>
> + && (CompareMem (SigData + 32, mHashInfo[i].OidValue,
> mHashInfo[i].OidLength) == 0))))
>
> + {
>
> + break;
>
> + }
>
> + }
>
> + return i;
>
> +}
>
> +
>
> /**
>
> Process variable with
> EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
>
>
>
> @@ -1857,8 +2017,9 @@ VerifyTimeBasedPayload (
> UINTN CertStackSize;
>
> UINT8 *CertsInCertDb;
>
> UINT32 CertsSizeinDb;
>
> - UINT8 Sha256Digest[SHA256_DIGEST_SIZE];
>
> + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX];
>
> EFI_CERT_DATA *CertDataPtr;
>
> + UINT8 HashAlgId;
>
>
>
> //
>
> // 1. TopLevelCert is the top-level issuer certificate in signature Signer Cert
> Chain
>
> @@ -1928,7 +2089,7 @@ VerifyTimeBasedPayload (
>
>
> //
>
> // SignedData.digestAlgorithms shall contain the digest algorithm used when
> preparing the
>
> - // signature. Only a digest algorithm of SHA-256 is accepted.
>
> + // signature. Only a digest algorithm of SHA-256, SHA-384 or SHA-512 is
> accepted.
>
> //
>
> // According to PKCS#7 Definition (https://www.rfc-editor.org/rfc/rfc2315):
>
> // SignedData ::= SEQUENCE {
>
> @@ -1972,14 +2133,9 @@ VerifyTimeBasedPayload (
> //
>
> // Example generated with:
> https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_
> Boot#Manual_process
>
> //
>
> + HashAlgId = FindHashAlgorithmIndex (SigData, SigDataSize);
>
> if ((Attributes &
> EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
>
> - if ( ( (SigDataSize >= (13 + sizeof (mSha256OidValue)))
>
> - && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
>
> - || (CompareMem (SigData + 13, &mSha256OidValue, sizeof
> (mSha256OidValue)) != 0)))
>
> - && ( (SigDataSize >= (32 + sizeof (mSha256OidValue)))
>
> - && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
>
> - || (CompareMem (SigData + 32, &mSha256OidValue, sizeof
> (mSha256OidValue)) != 0))))
>
> - {
>
> + if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
>
> return EFI_SECURITY_VIOLATION;
>
> }
>
> }
>
> @@ -2170,19 +2326,20 @@ VerifyTimeBasedPayload (
> goto Exit;
>
> }
>
>
>
> - if (CertsSizeinDb == SHA256_DIGEST_SIZE) {
>
> + if ((HashAlgId < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) &&
> (CertsSizeinDb == mHashInfo[HashAlgId].HashSize)) {
>
> //
>
> // Check hash of signer cert CommonName + Top-level issuer tbsCertificate
> against data in CertDb
>
> //
>
> CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
>
> - Status = CalculatePrivAuthVarSignChainSHA256Digest (
>
> + Status = CalculatePrivAuthVarSignChainSHADigest (
>
> + HashAlgId,
>
> CertDataPtr->CertDataBuffer,
>
> ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)),
>
> TopLevelCert,
>
> TopLevelCertSize,
>
> - Sha256Digest
>
> + ShaDigest
>
> );
>
> - if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, CertsInCertDb,
> CertsSizeinDb) != 0)) {
>
> + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb,
> CertsSizeinDb) != 0)) {
>
> goto Exit;
>
> }
>
> } else {
>
> @@ -2215,6 +2372,7 @@ VerifyTimeBasedPayload (
> //
>
> CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
>
> Status = InsertCertsToDb (
>
> + HashAlgId,
>
> VariableName,
>
> VendorGuid,
>
> Attributes,
>
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> index b202e613bc..f7bf771d55 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> @@ -92,7 +92,9 @@ extern UINT32 mMaxCertDbSize;
> extern UINT32 mPlatformMode;
>
> extern UINT8 mVendorKeyState;
>
>
>
> -extern VOID *mHashCtx;
>
> +extern VOID *mHashSha256Ctx;
>
> +extern VOID *mHashSha384Ctx;
>
> +extern VOID *mHashSha512Ctx;
>
>
>
> extern AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn;
>
>
>
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> index dc61ae840c..19e0004699 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> @@ -26,12 +26,14 @@ UINT32 mMaxCertDbSize;
> UINT32 mPlatformMode;
>
> UINT8 mVendorKeyState;
>
>
>
> -EFI_GUID mSignatureSupport[] = { EFI_CERT_SHA1_GUID,
> EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID };
>
> +EFI_GUID mSignatureSupport[] = { EFI_CERT_SHA1_GUID,
> EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID,
> EFI_CERT_RSA2048_GUID, EFI_CERT_RSA3072_GUID,
> EFI_CERT_RSA4096_GUID, EFI_CERT_X509_GUID };
>
>
>
> //
>
> // Hash context pointer
>
> //
>
> -VOID *mHashCtx = NULL;
>
> +VOID *mHashSha256Ctx = NULL;
>
> +VOID *mHashSha384Ctx = NULL;
>
> +VOID *mHashSha512Ctx = NULL;
>
>
>
> VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = {
>
> {
>
> @@ -91,7 +93,7 @@ VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = {
> },
>
> };
>
>
>
> -VOID **mAuthVarAddressPointer[9];
>
> +VOID **mAuthVarAddressPointer[11];
>
>
>
> AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn = NULL;
>
>
>
> @@ -120,7 +122,6 @@ AuthVariableLibInitialize (
> UINT32 VarAttr;
>
> UINT8 *Data;
>
> UINTN DataSize;
>
> - UINTN CtxSize;
>
> UINT8 SecureBootMode;
>
> UINT8 SecureBootEnable;
>
> UINT8 CustomMode;
>
> @@ -135,9 +136,18 @@ AuthVariableLibInitialize (
> //
>
> // Initialize hash context.
>
> //
>
> - CtxSize = Sha256GetContextSize ();
>
> - mHashCtx = AllocateRuntimePool (CtxSize);
>
> - if (mHashCtx == NULL) {
>
> + mHashSha256Ctx = AllocateRuntimePool (Sha256GetContextSize ());
>
> + if (mHashSha256Ctx == NULL) {
>
> + return EFI_OUT_OF_RESOURCES;
>
> + }
>
> +
>
> + mHashSha384Ctx = AllocateRuntimePool (Sha384GetContextSize ());
>
> + if (mHashSha384Ctx == NULL) {
>
> + return EFI_OUT_OF_RESOURCES;
>
> + }
>
> +
>
> + mHashSha512Ctx = AllocateRuntimePool (Sha512GetContextSize ());
>
> + if (mHashSha512Ctx == NULL) {
>
> return EFI_OUT_OF_RESOURCES;
>
> }
>
>
>
> @@ -356,14 +366,16 @@ AuthVariableLibInitialize (
> AuthVarLibContextOut->AuthVarEntry = mAuthVarEntry;
>
> AuthVarLibContextOut->AuthVarEntryCount = ARRAY_SIZE (mAuthVarEntry);
>
> mAuthVarAddressPointer[0] = (VOID **)&mCertDbStore;
>
> - mAuthVarAddressPointer[1] = (VOID **)&mHashCtx;
>
> - mAuthVarAddressPointer[2] = (VOID **)&mAuthVarLibContextIn;
>
> - mAuthVarAddressPointer[3] = (VOID **)&(mAuthVarLibContextIn-
> >FindVariable),
>
> - mAuthVarAddressPointer[4] = (VOID **)&(mAuthVarLibContextIn-
> >FindNextVariable),
>
> - mAuthVarAddressPointer[5] = (VOID **)&(mAuthVarLibContextIn-
> >UpdateVariable),
>
> - mAuthVarAddressPointer[6] = (VOID **)&(mAuthVarLibContextIn-
> >GetScratchBuffer),
>
> - mAuthVarAddressPointer[7] = (VOID **)&(mAuthVarLibContextIn-
> >CheckRemainingSpaceForConsistency),
>
> - mAuthVarAddressPointer[8] = (VOID **)&(mAuthVarLibContextIn-
> >AtRuntime),
>
> + mAuthVarAddressPointer[1] = (VOID **)&mHashSha256Ctx;
>
> + mAuthVarAddressPointer[2] = (VOID **)&mHashSha384Ctx;
>
> + mAuthVarAddressPointer[3] = (VOID **)&mHashSha512Ctx;
>
> + mAuthVarAddressPointer[4] = (VOID **)&mAuthVarLibContextIn;
>
> + mAuthVarAddressPointer[5] = (VOID **)&(mAuthVarLibContextIn-
> >FindVariable),
>
> + mAuthVarAddressPointer[6] = (VOID **)&(mAuthVarLibContextIn-
> >FindNextVariable),
>
> + mAuthVarAddressPointer[7] = (VOID **)&(mAuthVarLibContextIn-
> >UpdateVariable),
>
> + mAuthVarAddressPointer[8] = (VOID **)&(mAuthVarLibContextIn-
> >GetScratchBuffer),
>
> + mAuthVarAddressPointer[9] = (VOID **)&(mAuthVarLibContextIn-
> >CheckRemainingSpaceForConsistency),
>
> + mAuthVarAddressPointer[10] = (VOID **)&(mAuthVarLibContextIn-
> >AtRuntime),
>
> AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer;
>
> AuthVarLibContextOut->AddressPointerCount = ARRAY_SIZE
> (mAuthVarAddressPointer);
>
>
>
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 5d8dbd5468..88b2d3c6c1 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1620,7 +1620,7 @@ Done:
> in the security database "db", and no valid signature nor any hash value of the
> image may
>
> be reflected in the security database "dbx".
>
> Otherwise, the image is not signed,
>
> - The SHA256 hash value of the image must match a record in the security
> database "db", and
>
> + The hash value of the image must match a record in the security database
> "db", and
>
> not be reflected in the security data base "dbx".
>
>
>
> Caution: This function may receive untrusted input.
>
> @@ -1690,6 +1690,8 @@ DxeImageVerificationHandler (
> EFI_STATUS VarStatus;
>
> UINT32 VarAttr;
>
> BOOLEAN IsFound;
>
> + UINT8 HashAlg;
>
> + BOOLEAN IsFoundInDatabase;
>
>
>
> SignatureList = NULL;
>
> SignatureListSize = 0;
>
> @@ -1699,6 +1701,7 @@ DxeImageVerificationHandler (
> Action = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;
>
> IsVerified = FALSE;
>
> IsFound = FALSE;
>
> + IsFoundInDatabase = FALSE;
>
>
>
> //
>
> // Check the image type and get policy setting.
>
> @@ -1837,40 +1840,50 @@ DxeImageVerificationHandler (
> //
>
> if ((SecDataDir == NULL) || (SecDataDir->Size == 0)) {
>
> //
>
> - // This image is not signed. The SHA256 hash value of the image must match a
> record in the security database "db",
>
> + // This image is not signed. The hash value of the image must match a record
> in the security database "db",
>
> // and not be reflected in the security data base "dbx".
>
> //
>
> - if (!HashPeImage (HASHALG_SHA256)) {
>
> - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image
> using %s.\n", mHashTypeStr));
>
> - goto Failed;
>
> - }
>
> + HashAlg = sizeof (mHash) / sizeof (HASH_TABLE);
>
> + while (HashAlg > 0) {
>
> + HashAlg--;
>
> + if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit
> == NULL) || (mHash[HashAlg].HashUpdate == NULL) ||
> (mHash[HashAlg].HashFinal == NULL)) {
>
> + continue;
>
> + }
>
> + if (!HashPeImage (HashAlg)) {
>
> + continue;
>
> + }
>
>
>
> - DbStatus = IsSignatureFoundInDatabase (
>
> - EFI_IMAGE_SECURITY_DATABASE1,
>
> - mImageDigest,
>
> - &mCertType,
>
> - mImageDigestSize,
>
> - &IsFound
>
> - );
>
> - if (EFI_ERROR (DbStatus) || IsFound) {
>
> - //
>
> - // Image Hash is in forbidden database (DBX).
>
> - //
>
> - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s
> hash of image is forbidden by DBX.\n", mHashTypeStr));
>
> - goto Failed;
>
> + DbStatus = IsSignatureFoundInDatabase (
>
> + EFI_IMAGE_SECURITY_DATABASE1,
>
> + mImageDigest,
>
> + &mCertType,
>
> + mImageDigestSize,
>
> + &IsFound
>
> + );
>
> + if (EFI_ERROR (DbStatus) || IsFound) {
>
> + //
>
> + // Image Hash is in forbidden database (DBX).
>
> + //
>
> + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed
> and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
>
> + goto Failed;
>
> + }
>
> +
>
> + DbStatus = IsSignatureFoundInDatabase (
>
> + EFI_IMAGE_SECURITY_DATABASE,
>
> + mImageDigest,
>
> + &mCertType,
>
> + mImageDigestSize,
>
> + &IsFound
>
> + );
>
> + if (!EFI_ERROR (DbStatus) && IsFound) {
>
> + //
>
> + // Image Hash is in allowed database (DB).
>
> + //
>
> + IsFoundInDatabase = TRUE;
>
> + }
>
> }
>
>
>
> - DbStatus = IsSignatureFoundInDatabase (
>
> - EFI_IMAGE_SECURITY_DATABASE,
>
> - mImageDigest,
>
> - &mCertType,
>
> - mImageDigestSize,
>
> - &IsFound
>
> - );
>
> - if (!EFI_ERROR (DbStatus) && IsFound) {
>
> - //
>
> - // Image Hash is in allowed database (DB).
>
> - //
>
> + if (IsFoundInDatabase) {
>
> return EFI_SUCCESS;
>
> }
>
>
>
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx
> e.inf
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx
> e.inf
> index 1671d5be7c..cb52a16c09 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx
> e.inf
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx
> e.inf
> @@ -70,6 +70,14 @@
> ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the
> signature.
>
> gEfiCertRsa2048Guid
>
>
>
> + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the
> signature.
>
> + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the
> signature.
>
> + gEfiCertRsa3072Guid
>
> +
>
> + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the
> signature.
>
> + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the
> signature.
>
> + gEfiCertRsa4096Guid
>
> +
>
> ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the
> signature.
>
> ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the
> signature.
>
> gEfiCertX509Guid
>
> @@ -82,6 +90,14 @@
> ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the
> signature.
>
> gEfiCertSha256Guid
>
>
>
> + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the
> signature.
>
> + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the
> signature.
>
> + gEfiCertSha384Guid
>
> +
>
> + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the
> signature.
>
> + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the
> signature.
>
> + gEfiCertSha512Guid
>
> +
>
> ## SOMETIMES_CONSUMES ## Variable:L"db"
>
> ## SOMETIMES_PRODUCES ## Variable:L"db"
>
> ## SOMETIMES_CONSUMES ## Variable:L"dbx"
>
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.c
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.c
> index 0e31502b1b..de9d801109 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.c
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.c
> @@ -560,7 +560,7 @@ ON_EXIT:
>
>
> **/
>
> EFI_STATUS
>
> -EnrollRsa2048ToKek (
>
> +EnrollRsaToKek (
>
> IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private
>
> )
>
> {
>
> @@ -603,8 +603,19 @@ EnrollRsa2048ToKek (
>
>
> ASSERT (KeyBlob != NULL);
>
> KeyInfo = (CPL_KEY_INFO *)KeyBlob;
>
> - if (KeyInfo->KeyLengthInBits / 8 != WIN_CERT_UEFI_RSA2048_SIZE) {
>
> - DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is
> supported.\n"));
>
> + if (KeyInfo->KeyType == KEY_TYPE_RSASSA) {
>
> + switch (KeyInfo->KeyLengthInBits / 8) {
>
> + case WIN_CERT_UEFI_RSA2048_SIZE:
>
> + case WIN_CERT_UEFI_RSA3072_SIZE:
>
> + case WIN_CERT_UEFI_RSA4096_SIZE:
>
> + break;
>
> + default :
>
> + DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048, RSA3072
> and RSA4096 are supported.\n"));
>
> + Status = EFI_UNSUPPORTED;
>
> + goto ON_EXIT;
>
> + }
>
> + } else {
>
> + DEBUG ((DEBUG_ERROR, "Unsupported key type : %d, only 0 is
> supported.\n", KeyInfo->KeyType));
>
> Status = EFI_UNSUPPORTED;
>
> goto ON_EXIT;
>
> }
>
> @@ -632,7 +643,7 @@ EnrollRsa2048ToKek (
> //
>
> KekSigListSize = sizeof (EFI_SIGNATURE_LIST)
>
> + sizeof (EFI_SIGNATURE_DATA) - 1
>
> - + WIN_CERT_UEFI_RSA2048_SIZE;
>
> + + KeyLenInBytes;
>
>
>
> KekSigList = (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSize);
>
> if (KekSigList == NULL) {
>
> @@ -642,17 +653,32 @@ EnrollRsa2048ToKek (
>
>
> KekSigList->SignatureListSize = sizeof (EFI_SIGNATURE_LIST)
>
> + sizeof (EFI_SIGNATURE_DATA) - 1
>
> - + WIN_CERT_UEFI_RSA2048_SIZE;
>
> + + (UINT32) KeyLenInBytes;
>
> KekSigList->SignatureHeaderSize = 0;
>
> - KekSigList->SignatureSize = sizeof (EFI_SIGNATURE_DATA) - 1 +
> WIN_CERT_UEFI_RSA2048_SIZE;
>
> - CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
>
> + KekSigList->SignatureSize = sizeof (EFI_SIGNATURE_DATA) - 1 + (UINT32)
> KeyLenInBytes;
>
> + switch (KeyLenInBytes) {
>
> + case WIN_CERT_UEFI_RSA2048_SIZE:
>
> + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
>
> + break;
>
> + case WIN_CERT_UEFI_RSA3072_SIZE:
>
> + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid);
>
> + break;
>
> + case WIN_CERT_UEFI_RSA4096_SIZE:
>
> + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid);
>
> + break;
>
> + break;
>
> + default :
>
> + DEBUG ((DEBUG_ERROR, "Unsupported key length.\n"));
>
> + Status = EFI_UNSUPPORTED;
>
> + goto ON_EXIT;
>
> + }
>
>
>
> KEKSigData = (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof
> (EFI_SIGNATURE_LIST));
>
> CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID);
>
> CopyMem (
>
> KEKSigData->SignatureData,
>
> KeyBlob + sizeof (CPL_KEY_INFO),
>
> - WIN_CERT_UEFI_RSA2048_SIZE
>
> + KeyLenInBytes
>
> );
>
>
>
> //
>
> @@ -890,7 +916,7 @@ EnrollKeyExchangeKey (
> if (IsDerEncodeCertificate (FilePostFix)) {
>
> return EnrollX509ToKek (Private);
>
> } else if (CompareMem (FilePostFix, L".pbk", 4) == 0) {
>
> - return EnrollRsa2048ToKek (Private);
>
> + return EnrollRsaToKek (Private);
>
> } else {
>
> //
>
> // File type is wrong, simply close it
>
> @@ -1847,7 +1873,7 @@ HashPeImage (
> SectionHeader = NULL;
>
> Status = FALSE;
>
>
>
> - if (HashAlg != HASHALG_SHA256) {
>
> + if ((HashAlg >= HASHALG_MAX)) {
>
> return FALSE;
>
> }
>
>
>
> @@ -1856,8 +1882,25 @@ HashPeImage (
> //
>
> ZeroMem (mImageDigest, MAX_DIGEST_SIZE);
>
>
>
> - mImageDigestSize = SHA256_DIGEST_SIZE;
>
> - mCertType = gEfiCertSha256Guid;
>
> + switch (HashAlg) {
>
> + case HASHALG_SHA256:
>
> + mImageDigestSize = SHA256_DIGEST_SIZE;
>
> + mCertType = gEfiCertSha256Guid;
>
> + break;
>
> +
>
> + case HASHALG_SHA384:
>
> + mImageDigestSize = SHA384_DIGEST_SIZE;
>
> + mCertType = gEfiCertSha384Guid;
>
> + break;
>
> +
>
> + case HASHALG_SHA512:
>
> + mImageDigestSize = SHA512_DIGEST_SIZE;
>
> + mCertType = gEfiCertSha512Guid;
>
> + break;
>
> +
>
> + default:
>
> + return FALSE;
>
> + }
>
>
>
> CtxSize = mHash[HashAlg].GetContextSize ();
>
>
>
> @@ -2251,6 +2294,7 @@ EnrollImageSignatureToSigDB (
> UINT32 Attr;
>
> WIN_CERTIFICATE_UEFI_GUID *GuidCertData;
>
> EFI_TIME Time;
>
> + UINT32 HashAlg;
>
>
>
> Data = NULL;
>
> GuidCertData = NULL;
>
> @@ -2289,8 +2333,20 @@ EnrollImageSignatureToSigDB (
> }
>
>
>
> if (mSecDataDir->SizeOfCert == 0) {
>
> - if (!HashPeImage (HASHALG_SHA256)) {
>
> - Status = EFI_SECURITY_VIOLATION;
>
> + Status = EFI_SECURITY_VIOLATION;
>
> + HashAlg = sizeof (mHash) / sizeof (HASH_TABLE);
>
> + while (HashAlg > 0) {
>
> + HashAlg--;
>
> + if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit
> == NULL) || (mHash[HashAlg].HashUpdate == NULL) ||
> (mHash[HashAlg].HashFinal == NULL)) {
>
> + continue;
>
> + }
>
> + if (HashPeImage (HashAlg)) {
>
> + Status = EFI_SUCCESS;
>
> + break;
>
> + }
>
> + }
>
> + if (EFI_ERROR (Status)) {
>
> + DEBUG ((DEBUG_ERROR, "Fail to get hash digest: %r", Status));
>
> goto ON_EXIT;
>
> }
>
> } else {
>
> @@ -2589,6 +2645,10 @@ UpdateDeletePage (
> while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
>
> if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)) {
>
> Help = STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID);
>
> + } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid)) {
>
> + Help = STRING_TOKEN (STR_CERT_TYPE_RSA3072_SHA384_GUID);
>
> + } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid)) {
>
> + Help = STRING_TOKEN (STR_CERT_TYPE_RSA4096_SHA512_GUID);
>
> } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
>
> Help = STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID);
>
> } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid)) {
>
> @@ -2750,6 +2810,8 @@ DeleteKeyExchangeKey (
> GuidIndex = 0;
>
> while ((KekDataSize > 0) && (KekDataSize >= CertList->SignatureListSize)) {
>
> if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
>
> + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) ||
>
> + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) ||
>
> CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid))
>
> {
>
> CopyMem (Data + Offset, CertList, (sizeof (EFI_SIGNATURE_LIST) + CertList-
> >SignatureHeaderSize));
>
> @@ -2952,6 +3014,8 @@ DeleteSignature (
> GuidIndex = 0;
>
> while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
>
> if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
>
> + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) ||
>
> + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) ||
>
> CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) ||
>
> CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) ||
>
> CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid) ||
>
> @@ -3758,12 +3822,20 @@ LoadSignatureList (
> while ((RemainingSize > 0) && (RemainingSize >= ListWalker->SignatureListSize))
> {
>
> if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa2048Guid)) {
>
> ListType = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256);
>
> + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa3072Guid))
> {
>
> + ListType = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384);
>
> + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa4096Guid))
> {
>
> + ListType = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512);
>
> } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Guid)) {
>
> ListType = STRING_TOKEN (STR_LIST_TYPE_X509);
>
> } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha1Guid)) {
>
> ListType = STRING_TOKEN (STR_LIST_TYPE_SHA1);
>
> } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha256Guid)) {
>
> ListType = STRING_TOKEN (STR_LIST_TYPE_SHA256);
>
> + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha384Guid)) {
>
> + ListType = STRING_TOKEN (STR_LIST_TYPE_SHA384);
>
> + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha512Guid)) {
>
> + ListType = STRING_TOKEN (STR_LIST_TYPE_SHA512);
>
> } else if (CompareGuid (&ListWalker->SignatureType,
> &gEfiCertX509Sha256Guid)) {
>
> ListType = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);
>
> } else if (CompareGuid (&ListWalker->SignatureType,
> &gEfiCertX509Sha384Guid)) {
>
> @@ -4001,6 +4073,14 @@ FormatHelpInfo (
> ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256);
>
> DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID);
>
> IsCert = TRUE;
>
> + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa3072Guid)) {
>
> + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384);
>
> + DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID);
>
> + IsCert = TRUE;
>
> + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa4096Guid)) {
>
> + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512);
>
> + DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID);
>
> + IsCert = TRUE;
>
> } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Guid)) {
>
> ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509);
>
> DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID);
>
> @@ -4011,6 +4091,12 @@ FormatHelpInfo (
> } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha256Guid)) {
>
> ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA256);
>
> DataSize = 32;
>
> + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha384Guid)) {
>
> + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA384);
>
> + DataSize = 48;
>
> + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha512Guid)) {
>
> + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA512);
>
> + DataSize = 64;
>
> } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Sha256Guid))
> {
>
> ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);
>
> DataSize = 32;
>
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.h
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.h
> index 37c66f1b95..ff6e7301af 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.h
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.h
> @@ -82,6 +82,8 @@ extern EFI_IFR_GUID_LABEL *mEndLabel;
> #define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
>
>
>
> #define WIN_CERT_UEFI_RSA2048_SIZE 256
>
> +#define WIN_CERT_UEFI_RSA3072_SIZE 384
>
> +#define WIN_CERT_UEFI_RSA4096_SIZE 512
>
>
>
> //
>
> // Support hash types
>
> @@ -98,6 +100,11 @@ extern EFI_IFR_GUID_LABEL *mEndLabel;
> //
>
> #define CER_PUBKEY_MIN_SIZE 256
>
>
>
> +//
>
> +// Define KeyType for public key storing file
>
> +//
>
> +#define KEY_TYPE_RSASSA 0
>
> +
>
> //
>
> // Types of errors may occur during certificate enrollment.
>
> //
>
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStr
> ings.uni
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStr
> ings.uni
> index 0d01701de7..1b48acc800 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStr
> ings.uni
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStr
> ings.uni
> @@ -113,6 +113,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> #string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP #language en-US
> "Read the public key of KEK from file"
>
> #string STR_FILE_EXPLORER_TITLE #language en-US "File Explorer"
>
> #string STR_CERT_TYPE_RSA2048_SHA256_GUID #language en-US
> "RSA2048_SHA256_GUID"
>
> +#string STR_CERT_TYPE_RSA3072_SHA384_GUID #language en-US
> "RSA3072_SHA384_GUID"
>
> +#string STR_CERT_TYPE_RSA4096_SHA512_GUID #language en-US
> "RSA4096_SHA512_GUID"
>
> #string STR_CERT_TYPE_PCKS7_GUID #language en-US "PKCS7_GUID"
>
> #string STR_CERT_TYPE_SHA1_GUID #language en-US "SHA1_GUID"
>
> #string STR_CERT_TYPE_SHA256_GUID #language en-US
> "SHA256_GUID"
>
> @@ -121,9 +123,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> #string STR_CERT_TYPE_X509_SHA512_GUID #language en-US
> "X509_SHA512_GUID"
>
>
>
> #string STR_LIST_TYPE_RSA2048_SHA256 #language en-US
> "RSA2048_SHA256"
>
> +#string STR_LIST_TYPE_RSA3072_SHA384 #language en-US
> "RSA3072_SHA384"
>
> +#string STR_LIST_TYPE_RSA4096_SHA512 #language en-US
> "RSA4096_SHA512"
>
> #string STR_LIST_TYPE_X509 #language en-US "X509"
>
> #string STR_LIST_TYPE_SHA1 #language en-US "SHA1"
>
> #string STR_LIST_TYPE_SHA256 #language en-US "SHA256"
>
> +#string STR_LIST_TYPE_SHA384 #language en-US "SHA384"
>
> +#string STR_LIST_TYPE_SHA512 #language en-US "SHA512"
>
> #string STR_LIST_TYPE_X509_SHA256 #language en-US "X509_SHA256"
>
> #string STR_LIST_TYPE_X509_SHA384 #language en-US "X509_SHA384"
>
> #string STR_LIST_TYPE_X509_SHA512 #language en-US "X509_SHA512"
>
> --
> 2.26.2.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107309): https://edk2.groups.io/g/devel/message/107309
Mute This Topic: https://groups.io/mt/100385944/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
© 2016 - 2026 Red Hat, Inc.