CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- .../Library/AuthVariableLib/AuthService.c | 225 +++++++++++++++--- .../AuthVariableLib/AuthServiceInternal.h | 4 +- .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++-- .../DxeImageVerificationLib.c | 74 +++--- .../SecureBootConfigDxe.inf | 8 + .../SecureBootConfigImpl.c | 52 +++- .../SecureBootConfigImpl.h | 7 + .../SecureBootConfigStrings.uni | 2 + 9 files changed, 331 insertions(+), 86 deletions(-)
Patch V9: Refine coding format for file AuthService.c Patch V8: Update the patch comments for CryptoPkg. Comment should be <76 characters in each line. Refine coding format. Patch V7: Drop raw RSA3072 and RSA4096. Only use gEfiCertX509Guid for RSA3072 and RSA4096 Do the positive tests and the negative tests below. And got all the expected results. Patch V6: Remove the changes in MdePkg. The changes of patch v6 are in CryptoPkg and SecurityPkg. Set signature type to gEfiCertX509Guid when enroll RSA3072/RSA4096 KEK. This signature type is used to check the supported signature and show the strings. Patch V5: Using define KEY_TYPE_RSASSA to replace the magic number. Patch V4: Determine the RSA algorithm by a supported algorithm list. Patch V3: Select SHA algorithm automaticly for a unsigned efi image. Patch V2: Determine the SHA algorithm by a supported algorithm list. Create SHA context for each algorithm. Test Case: 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image under UEFI shell. 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image under UEFI shell. 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image under UEFI shell. 4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI shell Test Result: Pass Negative Test Case: 1) Enroll a RSA2048 Cert, execute an unsigned efi image. 2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image. 3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image. 4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi image. Test Result: Get "Access Denied" when try to execute the efi image. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Zeyi Chen <zeyi.chen@intel.com> Cc: Fiona Wang <fiona.wang@intel.com> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> Cc: Guomin Jiang <guomin.jiang@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Sheng Wei (2): CryptoPkg/BaseCryptLib: add sha384 and sha512 to ImageTimestampVerify SecurityPkg/SecureBoot: Support RSA4096 and RSA3072 CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- .../Library/AuthVariableLib/AuthService.c | 225 +++++++++++++++--- .../AuthVariableLib/AuthServiceInternal.h | 4 +- .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++-- .../DxeImageVerificationLib.c | 74 +++--- .../SecureBootConfigDxe.inf | 8 + .../SecureBootConfigImpl.c | 52 +++- .../SecureBootConfigImpl.h | 7 + .../SecureBootConfigStrings.uni | 2 + 9 files changed, 331 insertions(+), 86 deletions(-) -- 2.26.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#108352): https://edk2.groups.io/g/devel/message/108352 Mute This Topic: https://groups.io/mt/101207366/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Merged https://github.com/tianocore/edk2/pull/4798 > -----Original Message----- > From: Sheng, W <w.sheng@intel.com> > Sent: Thursday, September 7, 2023 9:57 AM > To: devel@edk2.groups.io > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; > Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi <zeyi.chen@intel.com>; Wang, > Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, > Guomin <guomin.jiang@intel.com>; Kinney, Michael D > <michael.d.kinney@intel.com> > Subject: [PATCH V9 0/2] Support RSA4096 and RSA3072 > > Patch V9: > Refine coding format for file AuthService.c > > Patch V8: > Update the patch comments for CryptoPkg. > Comment should be <76 characters in each line. > Refine coding format. > > Patch V7: > Drop raw RSA3072 and RSA4096. Only use gEfiCertX509Guid for RSA3072 and > RSA4096 > Do the positive tests and the negative tests below. And got all the expected > results. > > Patch V6: > Remove the changes in MdePkg. > The changes of patch v6 are in CryptoPkg and SecurityPkg. > Set signature type to gEfiCertX509Guid when enroll RSA3072/RSA4096 KEK. > This signature type is used to check the supported signature and show the strings. > > Patch V5: > Using define KEY_TYPE_RSASSA to replace the magic number. > > Patch V4: > Determine the RSA algorithm by a supported algorithm list. > > Patch V3: > Select SHA algorithm automaticly for a unsigned efi image. > > Patch V2: > Determine the SHA algorithm by a supported algorithm list. > Create SHA context for each algorithm. > > Test Case: > 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image under UEFI > shell. > 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image under UEFI > shell. > 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image under UEFI > shell. > 4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI shell > > Test Result: > Pass > > Negative Test Case: > 1) Enroll a RSA2048 Cert, execute an unsigned efi image. > 2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image. > 3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image. > 4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi > image. > > Test Result: > Get "Access Denied" when try to execute the efi image. > > Cc: Jiewen Yao <jiewen.yao@intel.com> > Cc: Jian J Wang <jian.j.wang@intel.com> > Cc: Min Xu <min.m.xu@intel.com> > Cc: Zeyi Chen <zeyi.chen@intel.com> > Cc: Fiona Wang <fiona.wang@intel.com> > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> > Cc: Guomin Jiang <guomin.jiang@intel.com> > Cc: Michael D Kinney <michael.d.kinney@intel.com> > > Sheng Wei (2): > CryptoPkg/BaseCryptLib: add sha384 and sha512 to ImageTimestampVerify > SecurityPkg/SecureBoot: Support RSA4096 and RSA3072 > > CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 +- > .../Library/AuthVariableLib/AuthService.c | 225 +++++++++++++++--- > .../AuthVariableLib/AuthServiceInternal.h | 4 +- > .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++-- > .../DxeImageVerificationLib.c | 74 +++--- > .../SecureBootConfigDxe.inf | 8 + > .../SecureBootConfigImpl.c | 52 +++- > .../SecureBootConfigImpl.h | 7 + > .../SecureBootConfigStrings.uni | 2 + > 9 files changed, 331 insertions(+), 86 deletions(-) > > -- > 2.26.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#108360): https://edk2.groups.io/g/devel/message/108360 Mute This Topic: https://groups.io/mt/101207366/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
© 2016 - 2024 Red Hat, Inc.