1. Patchew
  2. EDK2
  3. View series

[edk2-devel] [PATCH V8 0/2] Support RSA4096 and RSA3072

Sheng Wei posted 2 patches 7 months, 3 weeks ago
Failed in applying to current master (apply log)
There is a newer version of this series
CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
.../Library/AuthVariableLib/AuthService.c     | 225 +++++++++++++++---
.../AuthVariableLib/AuthServiceInternal.h     |   4 +-
.../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
.../DxeImageVerificationLib.c                 |  74 +++---
.../SecureBootConfigDxe.inf                   |   8 +
.../SecureBootConfigImpl.c                    |  52 +++-
.../SecureBootConfigImpl.h                    |   7 +
.../SecureBootConfigStrings.uni               |   2 +
9 files changed, 331 insertions(+), 86 deletions(-)
[edk2-devel] [PATCH V8 0/2] Support RSA4096 and RSA3072
Posted by Sheng Wei 7 months, 3 weeks ago 
Patch V8:
Update the patch comments for CryptoPkg.
Comment should be <76 characters in each line.
Refine coding format.

Patch V7:
Drop raw RSA3072 and RSA4096. Only use gEfiCertX509Guid for RSA3072 and RSA4096
Do the positive tests and the negative tests below. And got all the expected results.

Patch V6:
Remove the changes in MdePkg.
The changes of patch v6 are in CryptoPkg and SecurityPkg.
Set signature type to gEfiCertX509Guid when enroll RSA3072/RSA4096 KEK.
This signature type is used to check the supported signature and show the strings.

Patch V5:
Using define KEY_TYPE_RSASSA to replace the magic number.

Patch V4:
Determine the RSA algorithm by a supported algorithm list.

Patch V3:
Select SHA algorithm automaticly for a unsigned efi image.

Patch V2:
Determine the SHA algorithm by a supported algorithm list.
Create SHA context for each algorithm.

Test Case:
1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image under UEFI shell. 
2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image under UEFI shell. 
3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image under UEFI shell. 
4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI shell

Test Result:
Pass

Negative Test Case:
1) Enroll a RSA2048 Cert, execute an unsigned efi image.
2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image.
3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image.
4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi image.

Test Result:
Get "Access Denied" when try to execute the efi image.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Zeyi Chen <zeyi.chen@intel.com>
Cc: Fiona Wang <fiona.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>

Sheng Wei (2):
  CryptoPkg/BaseCryptLib: add sha384 and sha512 to ImageTimestampVerify
  SecurityPkg/SecureBoot: Support RSA4096 and RSA3072

 CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
 .../Library/AuthVariableLib/AuthService.c     | 225 +++++++++++++++---
 .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
 .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
 .../DxeImageVerificationLib.c                 |  74 +++---
 .../SecureBootConfigDxe.inf                   |   8 +
 .../SecureBootConfigImpl.c                    |  52 +++-
 .../SecureBootConfigImpl.h                    |   7 +
 .../SecureBootConfigStrings.uni               |   2 +
 9 files changed, 331 insertions(+), 86 deletions(-)

-- 
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#108312): https://edk2.groups.io/g/devel/message/108312
Mute This Topic: https://groups.io/mt/101188631/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.