From nobody Sun Feb 8 13:04:01 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+107612+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+107612+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1691399416; cv=none; d=zohomail.com; s=zohoarc; b=dy/ZhYsT5HepWuCWW0smzKcHvqekQNjH7IMM/tWCBFL+wWW+3GqNTRlTldiZoKlAH1WVqbJ75S82ETTKqv27jsRP+t3lYm8ifQ9k7k2UWM16hbr+aNk5EiuVWokRvJwwfomlxqF+uUG/RnewyFvQhnjk+I4p06WoIl6RkXMARKg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1691399416; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=D5+iQAT10dofA1Wj/31420kUwMFk93fH5TyQM8jKHeA=; b=BISm7C7I1OPpKfCEva60oIxRRyOmTQZ3CadKju9NpzfhTnPvSNSxPMllb9kejpmqdiNqnQohq/3ac6LXxm7YI34c5jnvz3ayrAY2trEfProfCmVDXJrKgRuBlqKXr7jUOZTxF316TwC6KsykgJvD1FFwm+Q2onPceeHArel87jA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+107612+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1691399416917145.05662126625066; Mon, 7 Aug 2023 02:10:16 -0700 (PDT) Return-Path: DKIM-Signature: a=rsa-sha256; bh=51U0/MqNn/asDcvxoyrv87xuT0pVp/M1oP+K/6lDiX4=; c=relaxed/simple; d=groups.io; 
h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1691399416; v=1; b=D/bSjVck+mnolJQ1F4xweuGu1ZLuqOsACiYFyI4FKZbo6mhbNL40gDrcDue5uaxfRf5IZESH Wx2fYe8v/yxtFwTVavSF6CrUP2+vfpRt9ELMiQwz49O1vusYXnGT27PDlhElHYnSszGpYqfH/hM j0+1KVWH3j4nZLTVJRmLKpjQ= X-Received: by 127.0.0.2 with SMTP id 58OqYY1788612xyfKnNXHgd0; Mon, 07 Aug 2023 02:10:16 -0700 X-Received: from mgamail.intel.com (mgamail.intel.com [192.55.52.120]) by mx.groups.io with SMTP id smtpd.web10.30191.1691399414045121247 for ; Mon, 07 Aug 2023 02:10:16 -0700 X-IronPort-AV: E=McAfee;i="6600,9927,10794"; a="369399181" X-IronPort-AV: E=Sophos;i="6.01,261,1684825200"; d="scan'208";a="369399181" X-Received: from orsmga004.jf.intel.com ([10.7.209.38]) by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 07 Aug 2023 02:10:15 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10794"; a="854597579" X-IronPort-AV: E=Sophos;i="6.01,261,1684825200"; d="scan'208";a="854597579" X-Received: from shwdesssddpdwei.ccr.corp.intel.com ([10.239.157.28]) by orsmga004.jf.intel.com with ESMTP; 07 Aug 2023 02:10:13 -0700 
From: "Sheng Wei" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Min Xu , Zeyi Chen , Fiona Wang , Xiaoyu Lu , Guomin Jiang , Michael D Kinney Subject: [edk2-devel] [PATCH V6 1/2] CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to ImageTimestampVerify Date: Mon, 7 Aug 2023 17:10:06 +0800 Message-Id: <20230807091007.306-2-w.sheng@intel.com> In-Reply-To: <20230807091007.306-1-w.sheng@intel.com> References: <20230807091007.306-1-w.sheng@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,w.sheng@intel.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: SGCXvGCY4CLryCjEsGdFsPT8x1787277AA= Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1691399418244100006 Content-Type: text/plain; charset="utf-8" Register and initialize sha384/sha512 digest algorithms for PKCS#7 Handling. REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3413 Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Cc: Zeyi Chen Cc: Fiona Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Michael D Kinney Change-Id: I208a618e3f6eb12704e528ab842494082de1464d Signed-off-by: Sheng Wei --- CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Librar= y/BaseCryptLib/Pk/CryptTs.c index 027dbb6842..944bcf8d38 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c 
@@ -591,7 +591,8 @@ ImageTimestampVerify ( // Register & Initialize necessary digest algorithms for PKCS#7 Handling. // if ((EVP_add_digest (EVP_md5 ()) =3D=3D 0) || (EVP_add_digest (EVP_sha1 = ()) =3D=3D 0) || - (EVP_add_digest (EVP_sha256 ()) =3D=3D 0) || ((EVP_add_digest_alias = (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) =3D=3D 0)) + (EVP_add_digest (EVP_sha256 ()) =3D=3D 0) || (EVP_add_digest (EVP_sh= a384 ()) =3D=3D 0) || + (EVP_add_digest (EVP_sha512 ()) =3D=3D 0) || ((EVP_add_digest_alias = (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) =3D=3D 0)) { return FALSE; } --=20 2.26.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#107612): https://edk2.groups.io/g/devel/message/107612 Mute This Topic: https://groups.io/mt/100596019/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun Feb 8 13:04:01 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+107613+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+107613+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1691399420; cv=none; d=zohomail.com; s=zohoarc; b=L7Qlt7VAD8H+N2fX4Sl+AYqFBX7EAvuWwxGFE+y5HGcvQJKBJ0sTa7U9NtDTKqp3XwPNY4rC4bA1NU/0tu497O86Iw6CY+O8vzHs3vTWl5Y6yc0gifAdDaeePRP5aX61Asa3tbDgUjVFvQpkPI3ECrT+xxk77Un8+PyqdAbXNpU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1691399420; 
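Review bot: The digest registration in ImageTimestampVerify still adds MD5 and SHA-1 alongside the new SHA-384/SHA-512 entries, so timestamp verification keeps accepting those digests unless something outside this hunk rejects them; if that is intentional (legacy countersignatures, presumably), a comment above the condition saying so would stop the next reader from treating `EVP_md5 ()` as an oversight. The six-term `||` chain now spans three wrapped lines; a small table of digest getters walked in a loop would make the next addition a one-line change and keep the `EVP_add_digest_alias` call visually separate. ImageTimestampVerify continues outside the hunk.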
h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=JYxlk1IKDq9tSi1GabomVt8JVJYBS0446CKbn5jVXXM=; b=DKHnURWti/jQr7JEJ3YvcKWSMQ6oCogoYg6pE3JngZl5Mw14BcN1WF+nslVzqthhHozBRkPHcbsT0m5Y4AHOc4UKl+VA1PNZhBmQiq6scL5EfQ/8s9WpkW8UTcRKsp2nSWLdJHtaZgV/it3Q3JaqIovxhlgNmwzCS4svyT6q+6c= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+107613+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1691399420777180.99340745639427; Mon, 7 Aug 2023 02:10:20 -0700 (PDT) Return-Path: DKIM-Signature: a=rsa-sha256; bh=URnFkD+gEXi8+/hHNfRs2f1GUrz+bJxbj/jj701F3k4=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1691399420; v=1; b=RRtrZCz25WnQNhSP97tltz+6utRASRnVucQDmMTjYh5sMzNcqQWvgCKVn6w936ADpYzLkd5F TYJZWccJ9kAi5VLMq0pn8sbcufuEYHvv1Q+m7Uxh1uPkAfC+XPyhWbxqZ42AGsUd9hzpgqs4iYJ qXD0I1NvJXjvZQgu3Fyap/Cg= X-Received: by 127.0.0.2 with SMTP id x5NSYY1788612xzROuLOhMgR; Mon, 07 Aug 2023 02:10:20 -0700 X-Received: from mgamail.intel.com (mgamail.intel.com [192.55.52.120]) by mx.groups.io with SMTP id smtpd.web10.30191.1691399414045121247 for ; Mon, 07 Aug 2023 02:10:19 -0700 X-IronPort-AV: E=McAfee;i="6600,9927,10794"; a="369399184" X-IronPort-AV: E=Sophos;i="6.01,261,1684825200"; d="scan'208";a="369399184" X-Received: from orsmga004.jf.intel.com ([10.7.209.38]) by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 07 Aug 2023 02:10:19 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10794"; 
a="854597630" X-IronPort-AV: E=Sophos;i="6.01,261,1684825200"; d="scan'208";a="854597630" X-Received: from shwdesssddpdwei.ccr.corp.intel.com ([10.239.157.28]) by orsmga004.jf.intel.com with ESMTP; 07 Aug 2023 02:10:15 -0700 From: "Sheng Wei" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Min Xu , Zeyi Chen , Fiona Wang Subject: [edk2-devel] [PATCH V6 2/2] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 Date: Mon, 7 Aug 2023 17:10:07 +0800 Message-Id: <20230807091007.306-3-w.sheng@intel.com> In-Reply-To: <20230807091007.306-1-w.sheng@intel.com> References: <20230807091007.306-1-w.sheng@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,w.sheng@intel.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: llE2rq4bDRxUrQopPxKj9jEGx1787277AA= Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1691399422144100001 Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3413 Change-Id: Ic13595ffb0581a178db71d231ba34f17862fa5d8 Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Cc: Zeyi Chen Cc: Fiona Wang Signed-off-by: Sheng Wei --- .../Library/AuthVariableLib/AuthService.c | 218 +++++++++++++++--- .../AuthVariableLib/AuthServiceInternal.h | 4 +- .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++-- .../DxeImageVerificationLib.c | 73 +++--- .../SecureBootConfigDxe.inf | 8 + .../SecureBootConfigImpl.c | 91 ++++++-- .../SecureBootConfigImpl.h | 7 + .../SecureBootConfigStrings.uni | 2 + 8 files changed, 354 insertions(+), 91 deletions(-) diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPk= g/Library/AuthVariableLib/AuthService.c index d81c581d78..339021b79c 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c 
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c 
@@ -29,12 +29,125 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include =20 +#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE + +/** + Retrieves the size, in bytes, of the context buffer required for hash op= erations. + + If this interface is not supported, then return zero. + + @return The size, in bytes, of the context buffer required for hash ope= rations. + @retval 0 This interface is not supported. + +**/ +typedef +UINTN +(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE)( + VOID + ); + +/** + Initializes user-supplied memory pointed by Sha1Context as hash context = for + subsequent use. + + If HashContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[out] HashContext Pointer to Hashcontext being initialized. + + @retval TRUE Hash context initialization succeeded. + @retval FALSE Hash context initialization failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EFI_HASH_INIT)( + OUT VOID *HashContext + ); + +/** + Digests the input data and updates Hash context. + + This function performs Hash digest on a data buffer of the specified siz= e. + It can be called multiple times to compute the digest of long or discont= inuous data streams. + Hash context should be already correctly initialized by HashInit(), and = should not be finalized + by HashFinal(). Behavior with invalid context is undefined. + + If HashContext is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] HashContext Pointer to the Hash context. + @param[in] Data Pointer to the buffer containing the data = to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-1 data digest succeeded. + @retval FALSE SHA-1 data digest failed. + @retval FALSE This interface is not supported. 
+ +**/ +typedef +BOOLEAN +(EFIAPI *EFI_HASH_UPDATE)( + IN OUT VOID *HashContext, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +/** + Completes computation of the Hash digest value. + + This function completes hash computation and retrieves the digest value = into + the specified memory. After this function has been called, the Hash cont= ext cannot + be used again. + Hash context should be already correctly initialized by HashInit(), and = should not be + finalized by HashFinal(). Behavior with invalid Hash context is undefine= d. + + If HashContext is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in, out] HashContext Pointer to the Hash context. + @param[out] HashValue Pointer to a buffer that receives the Hash= digest + value. + + @retval TRUE Hash digest computation succeeded. + @retval FALSE Hash digest computation failed. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EFI_HASH_FINAL)( + IN OUT VOID *HashContext, + OUT UINT8 *HashValue + ); + +typedef struct { + UINT32 HashSize; + EFI_HASH_GET_CONTEXT_SIZE GetContextSize; + EFI_HASH_INIT Init; + EFI_HASH_UPDATE Update; + EFI_HASH_FINAL Final; + VOID **HashShaCtx; + UINT8 *OidValue; + UINTN OidLength; +} EFI_HASH_INFO; + // // Public Exponent of RSA Key. 
// CONST UINT8 mRsaE[] =3D { 0x01, 0x00, 0x01 }; =20 -CONST UINT8 mSha256OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0= x04, 0x02, 0x01 }; +UINT8 mSha256OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0= x02, 0x01 }; +UINT8 mSha384OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0= x02, 0x02 }; +UINT8 mSha512OidValue[] =3D { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0= x02, 0x03 }; + +EFI_HASH_INFO mHashInfo[] =3D { + {SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, Sha= 256Final, &mHashSha256Ctx, mSha256OidValue, 9}, + {SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, Sha384Update, Sha= 384Final, &mHashSha384Ctx, mSha384OidValue, 9}, + {SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, Sha512Update, Sha= 512Final, &mHashSha512Ctx, mSha512OidValue, 9}, +}; =20 // // Requirement for different signature type which have been defined in UEF= I spec. 
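Review bot: The OID tables lose their `CONST` qualifier at the end of the hunk only because `EFI_HASH_INFO.OidValue` is declared `UINT8 *`; the OIDs are only ever read through CompareMem, so declare the field `CONST UINT8 *OidValue`, keep `CONST UINT8 mSha256OidValue[]` (and the two new arrays), and make `mHashInfo` itself `CONST` so algorithm identifiers stay in read-only data of this runtime library instead of becoming writable globals (HashShaCtx points at the context-pointer variables, which remain writable). The three `9` literals should be `sizeof (mSha256OidValue)` etc. so the length cannot drift from the array. The copied function-pointer documentation still says `Sha1Context` and "SHA-1 data digest succeeded" in the generic `EFI_HASH_INIT`/`EFI_HASH_UPDATE` typedefs; those should read `HashContext` and "Hash data digest". The `EFI_HASH_*` prefix also suggests a UEFI-defined type (there is an `EFI_HASH_PROTOCOL` in MdePkg); a library-local name such as `AUTH_HASH_INFO` would avoid the confusion.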
@@ -1090,26 +1203,28 @@ AuthServiceInternalCompareTimeStamp ( } =20 /** - Calculate SHA256 digest of SignerCert CommonName + ToplevelCert tbsCerti= ficate + Calculate SHA digest of SignerCert CommonName + ToplevelCert tbsCertific= ate SignerCert and ToplevelCert are inside the signer certificate chain. =20 + @param[in] HashAlgId Hash algorithm index @param[in] SignerCert A pointer to SignerCert data. @param[in] SignerCertSize Length of SignerCert data. @param[in] TopLevelCert A pointer to TopLevelCert data. @param[in] TopLevelCertSize Length of TopLevelCert data. - @param[out] Sha256Digest Sha256 digest calculated. + @param[out] ShaDigest Sha digest calculated. =20 @return EFI_ABORTED Digest process failed. - @return EFI_SUCCESS SHA256 Digest is successfully calculated. + @return EFI_SUCCESS SHA Digest is successfully calculated. =20 **/ EFI_STATUS -CalculatePrivAuthVarSignChainSHA256Digest ( +CalculatePrivAuthVarSignChainSHADigest ( + IN UINT8 HashAlgId, IN UINT8 *SignerCert, IN UINTN SignerCertSize, IN UINT8 *TopLevelCert, IN UINTN TopLevelCertSize, - OUT UINT8 *Sha256Digest + OUT UINT8 *ShaDigest ) { UINT8 *TbsCert; @@ -1119,6 +1234,11 @@ CalculatePrivAuthVarSignChainSHA256Digest ( BOOLEAN CryptoStatus; EFI_STATUS Status; =20 + if (HashAlgId >=3D (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { + DEBUG ((DEBUG_INFO, "%a Unsupported Hash Algorithm %d\n", __func__, Ha= shAlgId)); + return EFI_ABORTED; + } + CertCommonNameSize =3D sizeof (CertCommonName); =20 // @@ -1141,8 +1261,8 @@ CalculatePrivAuthVarSignChainSHA256Digest ( // // Digest SignerCert CN + TopLevelCert tbsCertificate // - ZeroMem (Sha256Digest, SHA256_DIGEST_SIZE); - CryptoStatus =3D Sha256Init (mHashCtx); + ZeroMem (ShaDigest, mHashInfo[HashAlgId].HashSize); + CryptoStatus =3D mHashInfo[HashAlgId].Init (*(mHashInfo[HashAlgId].HashS= haCtx)); if (!CryptoStatus) { return EFI_ABORTED; } 
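Review bot: The new `HashAlgId` parameter and the renamed `ShaDigest` output lack their size contract in the header comment: `HashAlgId` is an index into `mHashInfo`, not a hash GUID or OID, and the caller must pass a buffer of at least `mHashInfo[HashAlgId].HashSize` bytes (both callers use `SHA_DIGEST_SIZE_MAX`). Suggested wording: `@param[in] HashAlgId Index into mHashInfo selecting SHA-256, SHA-384 or SHA-512.` and `@param[out] ShaDigest Buffer of at least mHashInfo[HashAlgId].HashSize bytes; SHA_DIGEST_SIZE_MAX always suffices.` The `@return EFI_ABORTED` line should also mention that an out-of-range `HashAlgId` is rejected, as the check added in the following hunk does. The function body continues in the next hunks.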
@@ -1150,8 +1270,8 @@ CalculatePrivAuthVarSignChainSHA256Digest ( // // '\0' is forced in CertCommonName. No overflow issue // - CryptoStatus =3D Sha256Update ( - mHashCtx, + CryptoStatus =3D mHashInfo[HashAlgId].Update ( + *(mHashInfo[HashAlgId].HashShaCtx), CertCommonName, AsciiStrLen (CertCommonName) ); @@ -1159,12 +1279,12 @@ CalculatePrivAuthVarSignChainSHA256Digest ( return EFI_ABORTED; } =20 - CryptoStatus =3D Sha256Update (mHashCtx, TbsCert, TbsCertSize); + CryptoStatus =3D mHashInfo[HashAlgId].Update (*(mHashInfo[HashAlgId].Has= hShaCtx), TbsCert, TbsCertSize); if (!CryptoStatus) { return EFI_ABORTED; } =20 - CryptoStatus =3D Sha256Final (mHashCtx, Sha256Digest); + CryptoStatus =3D mHashInfo[HashAlgId].Final (*(mHashInfo[HashAlgId].Hash= ShaCtx), ShaDigest); if (!CryptoStatus) { return EFI_ABORTED; } @@ -1516,9 +1636,10 @@ DeleteCertsFromDb ( /** Insert signer's certificates for common authenticated variable with Vari= ableName and VendorGuid in AUTH_CERT_DB_DATA to "certdb" or "certdbv" according to - time based authenticated variable attributes. CertData is the SHA256 dig= est of + time based authenticated variable attributes. CertData is the SHA digest= of SignerCert CommonName + TopLevelCert tbsCertificate. =20 + @param[in] HashAlgId Hash algorithm index. @param[in] VariableName Name of authenticated Variable. @param[in] VendorGuid Vendor GUID of authenticated Variable. @param[in] Attributes Attributes of authenticated variable. @@ -1536,6 +1657,7 @@ DeleteCertsFromDb ( **/ EFI_STATUS InsertCertsToDb ( + IN UINT8 HashAlgId, IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN UINT32 Attributes, 
@@ -1556,12 +1678,16 @@ InsertCertsToDb ( UINT32 CertDataSize; AUTH_CERT_DB_DATA *Ptr; CHAR16 *DbName; - UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; =20 if ((VariableName =3D=3D NULL) || (VendorGuid =3D=3D NULL) || (SignerCer= t =3D=3D NULL) || (TopLevelCert =3D=3D NULL)) { return EFI_INVALID_PARAMETER; } =20 + if (HashAlgId >=3D (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { + return EFI_INVALID_PARAMETER; + } + if ((Attributes & EFI_VARIABLE_NON_VOLATILE) !=3D 0) { // // Get variable "certdb". @@ -1618,20 +1744,22 @@ InsertCertsToDb ( // Construct new data content of variable "certdb" or "certdbv". // NameSize =3D (UINT32)StrLen (VariableName); - CertDataSize =3D sizeof (Sha256Digest); + CertDataSize =3D mHashInfo[HashAlgId].HashSize; CertNodeSize =3D sizeof (AUTH_CERT_DB_DATA) + (UINT32)CertDataSize + Na= meSize * sizeof (CHAR16); NewCertDbSize =3D (UINT32)DataSize + CertNodeSize; if (NewCertDbSize > mMaxCertDbSize) { return EFI_OUT_OF_RESOURCES; } =20 - Status =3D CalculatePrivAuthVarSignChainSHA256Digest ( + Status =3D CalculatePrivAuthVarSignChainSHADigest ( + HashAlgId, SignerCert, SignerCertSize, TopLevelCert, TopLevelCertSize, - Sha256Digest + ShaDigest ); + if (EFI_ERROR (Status)) { return Status; } @@ -1663,7 +1791,7 @@ InsertCertsToDb ( =20 CopyMem ( (UINT8 *)Ptr + sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof (CHAR16= ), - Sha256Digest, + ShaDigest, CertDataSize ); =20 
@@ -1790,6 +1918,36 @@ CleanCertsFromDb ( return Status; } =20 +/** + Find hash algorithm index + + @param[in] SigData Pointer to the PKCS#7 message + @param[in] SigDataSize Length of the PKCS#7 message + + @retval UINT8 Hash Algorithm Index +**/ +UINT8 +FindHashAlgorithmIndex ( + IN UINT8 *SigData, + IN UINT32 SigDataSize +) +{ + UINT8 i; + + for (i =3D 0; i < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO)); i++) { + if ( ( (SigDataSize >=3D (13 + mHashInfo[i].OidLength)) + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) =3D=3D TWO_BYTE_ENCODE) + && (CompareMem (SigData + 13, mHashInfo[i].OidValue, mHashInfo= [i].OidLength) =3D=3D 0))) + || (( (SigDataSize >=3D (32 + mHashInfo[i].OidLength))) + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) =3D=3D TWO_BYTE_ENCODE) + && (CompareMem (SigData + 32, mHashInfo[i].OidValue, mHashInfo[i= ].OidLength) =3D=3D 0)))) + { + break; + } + } + return i; +} + /** Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS= set =20 @@ -1857,8 +2015,9 @@ VerifyTimeBasedPayload ( UINTN CertStackSize; UINT8 *CertsInCertDb; UINT32 CertsSizeinDb; - UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; EFI_CERT_DATA *CertDataPtr; + UINT8 HashAlgId; =20 // // 1. TopLevelCert is the top-level issuer certificate in signature Sign= er Cert Chain @@ -1928,7 +2087,7 @@ VerifyTimeBasedPayload ( =20 // // SignedData.digestAlgorithms shall contain the digest algorithm used w= hen preparing the - // signature. Only a digest algorithm of SHA-256 is accepted. + // signature. Only a digest algorithm of SHA-256, SHA-384 or SHA-512 is = accepted. // // According to PKCS#7 Definition (https://www.rfc-editor.org/rfc/rfc= 2315): // SignedData ::=3D SEQUENCE { 
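Review bot: FindHashAlgorithmIndex returns `sizeof (mHashInfo) / sizeof (EFI_HASH_INFO)` as its "not found" sentinel, but the header only says `@retval UINT8 Hash Algorithm Index`; every caller depends on that out-of-range value, so document it: `@retval Index into mHashInfo of the matched digest OID.` / `@retval ARRAY_SIZE(mHashInfo) No supported digest OID found at the expected offsets.` The offsets 13, 20 and 32 are the fixed SignedData layout assumptions explained by the long comment in VerifyTimeBasedPayload; a one-line comment here pointing at that comment, plus named constants for the offsets, would keep the two places in step, and `SigData` can be `IN CONST UINT8 *`. Because this is a fixed-offset match rather than a DER parse, a SignedData whose digestAlgorithms sits elsewhere is rejected rather than misclassified, which is the safe direction but worth stating. Per edk2 style the loop variable should be `Index` rather than `i`.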
@@ -1972,14 +2131,9 @@ VerifyTimeBasedPayload ( // // Example generated with: https://wiki.archlinux.org/title/Unified_Exte= nsible_Firmware_Interface/Secure_Boot#Manual_process // + HashAlgId =3D FindHashAlgorithmIndex (SigData, SigDataSize); if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != =3D 0) { - if ( ( (SigDataSize >=3D (13 + sizeof (mSha256OidValue))) - && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE) - || (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha2= 56OidValue)) !=3D 0))) - && ( (SigDataSize >=3D (32 + sizeof (mSha256OidValue))) - && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE) - || (CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha2= 56OidValue)) !=3D 0)))) - { + if (HashAlgId >=3D (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { return EFI_SECURITY_VIOLATION; } } @@ -2170,19 +2324,20 @@ VerifyTimeBasedPayload ( goto Exit; } =20 - if (CertsSizeinDb =3D=3D SHA256_DIGEST_SIZE) { + if ((HashAlgId < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) && (= CertsSizeinDb =3D=3D mHashInfo[HashAlgId].HashSize)) { // // Check hash of signer cert CommonName + Top-level issuer tbsCert= ificate against data in CertDb // CertDataPtr =3D (EFI_CERT_DATA *)(SignerCerts + 1); - Status =3D CalculatePrivAuthVarSignChainSHA256Digest ( + Status =3D CalculatePrivAuthVarSignChainSHADigest ( + HashAlgId, CertDataPtr->CertDataBuffer, ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertData= Length)), TopLevelCert, TopLevelCertSize, - Sha256Digest + ShaDigest ); - if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, CertsInCertDb= , CertsSizeinDb) !=3D 0)) { + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb, C= ertsSizeinDb) !=3D 0)) { goto Exit; } } else { @@ -2215,6 +2370,7 @@ VerifyTimeBasedPayload ( // CertDataPtr =3D (EFI_CERT_DATA *)(SignerCerts + 1); Status =3D InsertCertsToDb ( + HashAlgId, VariableName, VendorGuid, Attributes, 
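Review bot: The certdb comparison now binds a variable to the digest algorithm chosen when it was first created: the stored entry is compared only when `CertsSizeinDb` equals the digest size of the algorithm found in the incoming SignedData, so an update signed with a different SHA-2 variant drops into the `else` branch (full-certificate comparison, outside the hunk) and presumably fails. That is the fail-safe direction, but a maintainer will not guess it from `CertsSizeinDb == mHashInfo[HashAlgId].HashSize`; add `// A digest-type certdb entry only matches a payload signed with the same hash algorithm; a size mismatch falls back to full-certificate comparison.` and a DEBUG message in the else path naming the mismatch. The commit message should also state that existing 32-byte certdb entries keep working only with SHA-256 signed updates. VerifyTimeBasedPayload continues outside the hunk.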
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h b/Se= curityPkg/Library/AuthVariableLib/AuthServiceInternal.h index b202e613bc..f7bf771d55 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h +++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h @@ -92,7 +92,9 @@ extern UINT32 mMaxCertDbSize; extern UINT32 mPlatformMode; extern UINT8 mVendorKeyState; =20 -extern VOID *mHashCtx; +extern VOID *mHashSha256Ctx; +extern VOID *mHashSha384Ctx; +extern VOID *mHashSha512Ctx; =20 extern AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn; =20 diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/Securi= tyPkg/Library/AuthVariableLib/AuthVariableLib.c index dc61ae840c..0e71693f5d 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c @@ -26,12 +26,14 @@ UINT32 mMaxCertDbSize; UINT32 mPlatformMode; UINT8 mVendorKeyState; =20 -EFI_GUID mSignatureSupport[] =3D { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GU= ID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID }; +EFI_GUID mSignatureSupport[] =3D { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GU= ID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID, EFI_CERT_RSA2048_GUID, EFI_= CERT_X509_GUID }; =20 // // Hash context pointer // -VOID *mHashCtx =3D NULL; +VOID *mHashSha256Ctx =3D NULL; +VOID *mHashSha384Ctx =3D NULL; +VOID *mHashSha512Ctx =3D NULL; =20 VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] =3D { { @@ -91,7 +93,7 @@ VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] =3D { }, }; =20 -VOID **mAuthVarAddressPointer[9]; +VOID **mAuthVarAddressPointer[11]; =20 AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn =3D NULL; =20 @@ -120,7 +122,6 @@ AuthVariableLibInitialize ( UINT32 VarAttr; UINT8 *Data; UINTN DataSize; - UINTN CtxSize; UINT8 SecureBootMode; UINT8 SecureBootEnable; UINT8 CustomMode; 
@@ -135,9 +136,18 @@ AuthVariableLibInitialize ( // // Initialize hash context. // - CtxSize =3D Sha256GetContextSize (); - mHashCtx =3D AllocateRuntimePool (CtxSize); - if (mHashCtx =3D=3D NULL) { + mHashSha256Ctx =3D AllocateRuntimePool (Sha256GetContextSize ()); + if (mHashSha256Ctx =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + mHashSha384Ctx =3D AllocateRuntimePool (Sha384GetContextSize ()); + if (mHashSha384Ctx =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + mHashSha512Ctx =3D AllocateRuntimePool (Sha512GetContextSize ()); + if (mHashSha512Ctx =3D=3D NULL) { return EFI_OUT_OF_RESOURCES; } =20 
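Review bot: The three `AllocateRuntimePool (ShaXxxGetContextSize ())` calls never check for a zero size, yet the GetContextSize contract quoted earlier in this series (`@retval 0 This interface is not supported`) makes zero a legal return when a digest is not compiled into BaseCryptLib; a zero-length runtime allocation may hand back a non-NULL pointer that `Sha384Init` would then overrun. Fetch the size first and fail closed, e.g. `CtxSize = Sha384GetContextSize (); if (CtxSize == 0) { return EFI_UNSUPPORTED; }` before each allocation (the removed `CtxSize` local could stay for this). The earlier contexts are also leaked when a later allocation fails; freeing them on the error path would be tidier, though failure here is likely fatal anyway. AuthVariableLibInitialize continues outside the hunk.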
@@ -356,14 +366,16 @@ AuthVariableLibInitialize ( AuthVarLibContextOut->AuthVarEntry =3D mAuthVarEntry; AuthVarLibContextOut->AuthVarEntryCount =3D ARRAY_SIZE (mAuthVarEntry); mAuthVarAddressPointer[0] =3D (VOID **)&mCertDbStore; - mAuthVarAddressPointer[1] =3D (VOID **)&mHashCtx; - mAuthVarAddressPointer[2] =3D (VOID **)&mAuthVarLibConte= xtIn; - mAuthVarAddressPointer[3] =3D (VOID **)&(mAuthVarLibCont= extIn->FindVariable), - mAuthVarAddressPointer[4] =3D (VOID **)&(mAuthVarLibCont= extIn->FindNextVariable), - mAuthVarAddressPointer[5] =3D (VOID **)&(mAuthVarLibCont= extIn->UpdateVariable), - mAuthVarAddressPointer[6] =3D (VOID **)&(mAuthVarLibCont= extIn->GetScratchBuffer), - mAuthVarAddressPointer[7] =3D (VOID **)&(mAuthVarLibCont= extIn->CheckRemainingSpaceForConsistency), - mAuthVarAddressPointer[8] =3D (VOID **)&(mAuthVarLibCont= extIn->AtRuntime), + mAuthVarAddressPointer[1] =3D (VOID **)&mHashSha256Ctx; + mAuthVarAddressPointer[2] =3D (VOID **)&mHashSha384Ctx; + mAuthVarAddressPointer[3] =3D (VOID **)&mHashSha512Ctx; + mAuthVarAddressPointer[4] =3D (VOID **)&mAuthVarLibConte= xtIn; + mAuthVarAddressPointer[5] =3D (VOID **)&(mAuthVarLibCont= extIn->FindVariable), + mAuthVarAddressPointer[6] =3D (VOID **)&(mAuthVarLibCont= extIn->FindNextVariable), + mAuthVarAddressPointer[7] =3D (VOID **)&(mAuthVarLibCont= extIn->UpdateVariable), + mAuthVarAddressPointer[8] =3D (VOID **)&(mAuthVarLibCont= extIn->GetScratchBuffer), + mAuthVarAddressPointer[9] =3D (VOID **)&(mAuthVarLibCont= extIn->CheckRemainingSpaceForConsistency), + mAuthVarAddressPointer[10] =3D (VOID **)&(mAuthVarLibCon= textIn->AtRuntime), AuthVarLibContextOut->AddressPointer =3D mAuthVarAddressPointer; AuthVarLibContextOut->AddressPointerCount =3D ARRAY_SIZE (mAuthVarAddres= sPointer); =20 diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 5d8dbd5468..88b2d3c6c1 100644 
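Review bot: The renumbered `mAuthVarAddressPointer[5]` through `[10]` assignments still end with `,` rather than `;`, so the six statements form a single comma expression; it compiles, but a statement inserted in the middle later would silently join that expression. Terminate each with `;` while these lines are being rewritten anyway. The array size `11` in the earlier hunk and the indices here are now maintained by hand in two places; an enumeration of the slots, or filling the array with a running index, would let `ARRAY_SIZE (mAuthVarAddressPointer)` be the only count. AuthVariableLibInitialize continues outside the hunk.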
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1620,7 +1620,7 @@ Done: in the security database "db", and no valid signature nor any hash v= alue of the image may be reflected in the security database "dbx". Otherwise, the image is not signed, - The SHA256 hash value of the image must match a record in the securi= ty database "db", and + The hash value of the image must match a record in the security data= base "db", and not be reflected in the security data base "dbx". =20 Caution: This function may receive untrusted input. @@ -1690,6 +1690,8 @@ DxeImageVerificationHandler ( EFI_STATUS VarStatus; UINT32 VarAttr; BOOLEAN IsFound; + UINT8 HashAlg; + BOOLEAN IsFoundInDatabase; =20 SignatureList =3D NULL; SignatureListSize =3D 0; @@ -1699,6 +1701,7 @@ DxeImageVerificationHandler ( Action =3D EFI_IMAGE_EXECUTION_AUTH_UNTESTED; IsVerified =3D FALSE; IsFound =3D FALSE; + IsFoundInDatabase =3D FALSE; =20 // // Check the image type and get policy setting. 
@@ -1837,40 +1840,50 @@ DxeImageVerificationHandler ( // if ((SecDataDir =3D=3D NULL) || (SecDataDir->Size =3D=3D 0)) { // - // This image is not signed. The SHA256 hash value of the image must m= atch a record in the security database "db", + // This image is not signed. The hash value of the image must match a = record in the security database "db", // and not be reflected in the security data base "dbx". // - if (!HashPeImage (HASHALG_SHA256)) { - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this im= age using %s.\n", mHashTypeStr)); - goto Failed; - } + HashAlg =3D sizeof (mHash) / sizeof (HASH_TABLE); + while (HashAlg > 0) { + HashAlg--; + if ((mHash[HashAlg].GetContextSize =3D=3D NULL) || (mHash[HashAlg].H= ashInit =3D=3D NULL) || (mHash[HashAlg].HashUpdate =3D=3D NULL) || (mHash[H= ashAlg].HashFinal =3D=3D NULL)) { + continue; + } + if (!HashPeImage (HashAlg)) { + continue; + } =20 - DbStatus =3D IsSignatureFoundInDatabase ( - EFI_IMAGE_SECURITY_DATABASE1, - mImageDigest, - &mCertType, - mImageDigestSize, - &IsFound - ); - if (EFI_ERROR (DbStatus) || IsFound) { - // - // Image Hash is in forbidden database (DBX). - // - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed an= d %s hash of image is forbidden by DBX.\n", mHashTypeStr)); - goto Failed; + DbStatus =3D IsSignatureFoundInDatabase ( + EFI_IMAGE_SECURITY_DATABASE1, + mImageDigest, + &mCertType, + mImageDigestSize, + &IsFound + ); + if (EFI_ERROR (DbStatus) || IsFound) { + // + // Image Hash is in forbidden database (DBX). + // + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed = and %s hash of image is forbidden by DBX.\n", mHashTypeStr)); + goto Failed; + } + + DbStatus =3D IsSignatureFoundInDatabase ( + EFI_IMAGE_SECURITY_DATABASE, + mImageDigest, + &mCertType, + mImageDigestSize, + &IsFound + ); + if (!EFI_ERROR (DbStatus) && IsFound) { + // + // Image Hash is in allowed database (DB). 
+ // + IsFoundInDatabase =3D TRUE; + } } =20 - DbStatus =3D IsSignatureFoundInDatabase ( - EFI_IMAGE_SECURITY_DATABASE, - mImageDigest, - &mCertType, - mImageDigestSize, - &IsFound - ); - if (!EFI_ERROR (DbStatus) && IsFound) { - // - // Image Hash is in allowed database (DB). - // + if (IsFoundInDatabase) { return EFI_SUCCESS; } =20 diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Sec= ureBootConfigDxe.inf index 1671d5be7c..0602acf702 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf @@ -82,6 +82,14 @@ ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type o= f the signature. gEfiCertSha256Guid =20 + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type o= f the signature. + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type o= f the signature. + gEfiCertSha384Guid + + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type o= f the signature. + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type o= f the signature. + gEfiCertSha512Guid + ## SOMETIMES_CONSUMES ## Variable:L"db" ## SOMETIMES_PRODUCES ## Variable:L"db" ## SOMETIMES_CONSUMES ## Variable:L"dbx" diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index 0e31502b1b..9d28bbdfa4 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c @@ -560,7 +560,7 @@ ON_EXIT: =20 **/ EFI_STATUS -EnrollRsa2048ToKek ( +EnrollRsaToKek ( IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private ) { 
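Review bot: In the unsigned-image path a failed `HashPeImage (HashAlg)` now executes `continue` where the old code did `goto Failed`, so a digest that cannot be computed is skipped silently and the image can still be allowed on another algorithm even though a dbx entry of the skipped algorithm could never have matched; hashing failure for a supported algorithm should stay fatal: `if (!HashPeImage (HashAlg)) { DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image using %s.\n", mHashTypeStr)); goto Failed; }`. The loop also walks every `mHash` entry whose function pointers are non-NULL; if that table still carries SHA-1 (and SHA-224), an unsigned image is now authorized by a SHA-1 db entry, which the SHA-256-only code never did — either limit the loop to the SHA-256/384/512 indices the commit message describes or state the broadened policy explicitly. The dbx-before-db ordering across all algorithms is preserved, which is correct; a comment such as `// dbx wins for any algorithm, so keep scanning after a db hit` would make the deliberate continuation after `IsFoundInDatabase = TRUE` obvious. DxeImageVerificationHandler continues outside the hunk.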
@@ -603,8 +603,19 @@ EnrollRsa2048ToKek ( =20 ASSERT (KeyBlob !=3D NULL); KeyInfo =3D (CPL_KEY_INFO *)KeyBlob; - if (KeyInfo->KeyLengthInBits / 8 !=3D WIN_CERT_UEFI_RSA2048_SIZE) { - DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is supporte= d.\n")); + if (KeyInfo->KeyType =3D=3D KEY_TYPE_RSASSA) { + switch (KeyInfo->KeyLengthInBits / 8) { + case WIN_CERT_UEFI_RSA2048_SIZE: + case WIN_CERT_UEFI_RSA3072_SIZE: + case WIN_CERT_UEFI_RSA4096_SIZE: + break; + default : + DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048, RSA3072 = and RSA4096 are supported.\n")); + Status =3D EFI_UNSUPPORTED; + goto ON_EXIT; + } + } else { + DEBUG ((DEBUG_ERROR, "Unsupported key type : %d, only 0 is supported.\= n", KeyInfo->KeyType)); Status =3D EFI_UNSUPPORTED; goto ON_EXIT; } @@ -632,7 +643,7 @@ EnrollRsa2048ToKek ( // KekSigListSize =3D sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 - + WIN_CERT_UEFI_RSA2048_SIZE; + + KeyLenInBytes; =20 KekSigList =3D (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSize); if (KekSigList =3D=3D NULL) { 
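Review bot: The check in this hunk validates `KeyInfo->KeyLengthInBits / 8`, while the allocation in the `@@ -632` hunk and the SignatureSize/CopyMem in the `@@ -642` hunk use `KeyLenInBytes`, whose assignment is not visible in the patch; if it is not computed from the same expression, the number of bytes copied from `KeyBlob + sizeof (CPL_KEY_INFO)` and the validated length can diverge, so either switch on `KeyLenInBytes` directly or assign it immediately after this switch. The division also truncates, so a KeyLengthInBits that is not a multiple of 8 but rounds to 256/384/512 passes; a `KeyInfo->KeyLengthInBits % 8 != 0` rejection would close that. The error message hard-codes `0` instead of the macro this patch introduces: `DEBUG ((DEBUG_ERROR, "Unsupported key type : %d, only %d is supported.\n", KeyInfo->KeyType, KEY_TYPE_RSASSA));`. EnrollRsaToKek starts before this hunk and continues after it.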
@@ -642,17 +653,29 @@ EnrollRsa2048ToKek ( =20 KekSigList->SignatureListSize =3D sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 - + WIN_CERT_UEFI_RSA2048_SIZE; + + (UINT32) KeyLenInBytes; KekSigList->SignatureHeaderSize =3D 0; - KekSigList->SignatureSize =3D sizeof (EFI_SIGNATURE_DATA) - 1 + WI= N_CERT_UEFI_RSA2048_SIZE; - CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); + KekSigList->SignatureSize =3D sizeof (EFI_SIGNATURE_DATA) - 1 + (U= INT32) KeyLenInBytes; + switch (KeyLenInBytes) { + case WIN_CERT_UEFI_RSA2048_SIZE: + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); + break; + case WIN_CERT_UEFI_RSA3072_SIZE: + case WIN_CERT_UEFI_RSA4096_SIZE: + CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid); + break; + default : + DEBUG ((DEBUG_ERROR, "Unsupported key length.\n")); + Status =3D EFI_UNSUPPORTED; + goto ON_EXIT; + } =20 KEKSigData =3D (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof (EFI_= SIGNATURE_LIST)); CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID); CopyMem ( KEKSigData->SignatureData, KeyBlob + sizeof (CPL_KEY_INFO), - WIN_CERT_UEFI_RSA2048_SIZE + KeyLenInBytes ); =20 // @@ -890,7 +913,7 @@ EnrollKeyExchangeKey ( if (IsDerEncodeCertificate (FilePostFix)) { return EnrollX509ToKek (Private); } else if (CompareMem (FilePostFix, L".pbk", 4) =3D=3D 0) { - return EnrollRsa2048ToKek (Private); + return EnrollRsaToKek (Private); } else { // // File type is wrong, simply close it @@ -1847,7 +1870,7 @@ HashPeImage ( SectionHeader =3D NULL; Status =3D FALSE; =20 - if (HashAlg !=3D HASHALG_SHA256) { + if ((HashAlg >=3D HASHALG_MAX)) { return FALSE; } =20 
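Review bot: RSA3072 and RSA4096 keys are enrolled under `gEfiCertX509Guid`, but the bytes written by the following CopyMem are the raw key blob from the .pbk file, not a DER-encoded certificate; any consumer that parses EFI_CERT_X509_GUID entries as X.509 will reject or misread them unless code outside this patch handles that case. If no signature type exists for raw RSA3072/RSA4096 keys, that limitation deserves an explicit comment at the `case WIN_CERT_UEFI_RSA3072_SIZE:` label, e.g. `// No dedicated type for raw RSA3072/RSA4096 keys; stored under the X509 type — confirm the consumer accepts a raw key here.` The `default :` branch duplicates the length check made earlier in EnrollRsaToKek and is fine as a defensive guard, but `default:` without the space matches the rest of the file. EnrollRsaToKek begins before this hunk.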
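Review bot: `if ((HashAlg >= HASHALG_MAX))` in the HashPeImage hunk carries a redundant pair of parentheses; `if (HashAlg >= HASHALG_MAX) {` is the form used elsewhere in the file. The body of HashPeImage continues past this hunk.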
@@ -1856,8 +1879,25 @@ HashPeImage ( // ZeroMem (mImageDigest, MAX_DIGEST_SIZE); =20 - mImageDigestSize =3D SHA256_DIGEST_SIZE; - mCertType =3D gEfiCertSha256Guid; + switch (HashAlg) { + case HASHALG_SHA256: + mImageDigestSize =3D SHA256_DIGEST_SIZE; + mCertType =3D gEfiCertSha256Guid; + break; + + case HASHALG_SHA384: + mImageDigestSize =3D SHA384_DIGEST_SIZE; + mCertType =3D gEfiCertSha384Guid; + break; + + case HASHALG_SHA512: + mImageDigestSize =3D SHA512_DIGEST_SIZE; + mCertType =3D gEfiCertSha512Guid; + break; + + default: + return FALSE; + } =20 CtxSize =3D mHash[HashAlg].GetContextSize (); =20 @@ -2251,6 +2291,7 @@ EnrollImageSignatureToSigDB ( UINT32 Attr; WIN_CERTIFICATE_UEFI_GUID *GuidCertData; EFI_TIME Time; + UINT32 HashAlg; =20 Data =3D NULL; GuidCertData =3D NULL; @@ -2289,8 +2330,20 @@ EnrollImageSignatureToSigDB ( } =20 if (mSecDataDir->SizeOfCert =3D=3D 0) { - if (!HashPeImage (HASHALG_SHA256)) { - Status =3D EFI_SECURITY_VIOLATION; + Status =3D EFI_SECURITY_VIOLATION; + HashAlg =3D sizeof (mHash) / sizeof (HASH_TABLE); + while (HashAlg > 0) { + HashAlg--; + if ((mHash[HashAlg].GetContextSize =3D=3D NULL) || (mHash[HashAlg].H= ashInit =3D=3D NULL) || (mHash[HashAlg].HashUpdate =3D=3D NULL) || (mHash[H= ashAlg].HashFinal =3D=3D NULL)) { + continue; + } + if (HashPeImage (HashAlg)) { + Status =3D EFI_SUCCESS; + break; + } + } + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to get hash digest: %r", Status)); goto ON_EXIT; } } else { 
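Review bot: The new DEBUG message `"Fail to get hash digest: %r"` in the EnrollImageSignatureToSigDB hunk has no trailing newline, unlike every other DEBUG line in this patch, so the next log line is glued onto it; write `DEBUG ((DEBUG_ERROR, "Fail to get hash digest: %r\n", Status));`. The loop walks mHash from the last entry downward and stops at the first algorithm that hashes, so only one digest is enrolled and which one depends on table order and on which hash implementations are linked in; a comment such as `// Enroll only the first digest that can be computed, walking mHash from the last entry down; verification tries every algorithm.` would make that asymmetry with DxeImageVerificationHandler visible to the next reader. EnrollImageSignatureToSigDB begins before this hunk and continues after it.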
@@ -3764,6 +3817,10 @@ LoadSignatureList ( ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA1); } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha256Gui= d)) { ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA256); + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha384Gui= d)) { + ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA384); + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha512Gui= d)) { + ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA512); } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha25= 6Guid)) { ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha38= 4Guid)) { @@ -4011,6 +4068,12 @@ FormatHelpInfo ( } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha256Guid))= { ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA256); DataSize =3D 32; + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha384Guid))= { + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA384); + DataSize =3D 48; + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha512Guid))= { + ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_SHA512); + DataSize =3D 64; } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Sha256Gu= id)) { ListTypeId =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); DataSize =3D 32; diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.h index 37c66f1b95..ff6e7301af 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.h +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.h @@ -82,6 +82,8 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; #define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE =20 #define WIN_CERT_UEFI_RSA2048_SIZE 256 +#define WIN_CERT_UEFI_RSA3072_SIZE 384 +#define WIN_CERT_UEFI_RSA4096_SIZE 512 =20 // // Support hash types 
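Review bot: The new `DataSize = 48;` and `DataSize = 64;` branches in FormatHelpInfo hard-code digest lengths that the HashPeImage hunk in the same file spells as `SHA384_DIGEST_SIZE` and `SHA512_DIGEST_SIZE`; using the macros here too, e.g. `DataSize = SHA384_DIGEST_SIZE;`, keeps the two places from drifting. The pre-existing `DataSize = 32;` for SHA256 could get the same treatment in a follow-up. FormatHelpInfo continues outside this hunk.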
@@ -98,6 +100,11 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; // #define CER_PUBKEY_MIN_SIZE 256 =20 +// +// Define KeyType for public key storing file +// +#define KEY_TYPE_RSASSA 0 + // // Types of errors may occur during certificate enrollment. // diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe= /SecureBootConfigStrings.uni index 0d01701de7..177c585837 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni @@ -124,6 +124,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #string STR_LIST_TYPE_X509 #language en-US "X509" #string STR_LIST_TYPE_SHA1 #language en-US "SHA1" #string STR_LIST_TYPE_SHA256 #language en-US "SHA256" +#string STR_LIST_TYPE_SHA384 #language en-US "SHA384" +#string STR_LIST_TYPE_SHA512 #language en-US "SHA512" #string STR_LIST_TYPE_X509_SHA256 #language en-US "X509_SH= A256" #string STR_LIST_TYPE_X509_SHA384 #language en-US "X509_SH= A384" #string STR_LIST_TYPE_X509_SHA512 #language en-US "X509_SH= A512" --=20 2.26.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#107613): https://edk2.groups.io/g/devel/message/107613 Mute This Topic: https://groups.io/mt/100596020/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-