[edk2-devel] [PATCH V9 0/2] Support RSA4096 and RSA3072

Sheng Wei posted 2 patches 7 months, 1 week ago
Failed in applying to current master (apply log)
CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
.../Library/AuthVariableLib/AuthService.c     | 225 +++++++++++++++---
.../AuthVariableLib/AuthServiceInternal.h     |   4 +-
.../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
.../DxeImageVerificationLib.c                 |  74 +++---
.../SecureBootConfigDxe.inf                   |   8 +
.../SecureBootConfigImpl.c                    |  52 +++-
.../SecureBootConfigImpl.h                    |   7 +
.../SecureBootConfigStrings.uni               |   2 +
9 files changed, 331 insertions(+), 86 deletions(-)
[edk2-devel] [PATCH V9 0/2] Support RSA4096 and RSA3072
Posted by Sheng Wei 7 months, 1 week ago
Patch V9:
Refine coding format for file AuthService.c

Patch V8:
Update the patch comments for CryptoPkg.
Comment should be <76 characters in each line.
Refine coding format.

Patch V7:
Drop raw RSA3072 and RSA4096. Only use gEfiCertX509Guid for RSA3072 and RSA4096
Do the positive tests and the negative tests below. And got all the expected results.

Patch V6:
Remove the changes in MdePkg.
The changes of patch v6 are in CryptoPkg and SecurityPkg.
Set signature type to gEfiCertX509Guid when enroll RSA3072/RSA4096 KEK.
This signature type is used to check the supported signature and show the strings.

Patch V5:
Using define KEY_TYPE_RSASSA to replace the magic number.

Patch V4:
Determine the RSA algorithm by a supported algorithm list.

Patch V3:
Select SHA algorithm automaticly for a unsigned efi image.

Patch V2:
Determine the SHA algorithm by a supported algorithm list.
Create SHA context for each algorithm.

Test Case:
1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image under UEFI shell. 
2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image under UEFI shell. 
3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image under UEFI shell. 
4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI shell

Test Result:
Pass

Negative Test Case:
1) Enroll a RSA2048 Cert, execute an unsigned efi image.
2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image.
3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image.
4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi image.

Test Result:
Get "Access Denied" when try to execute the efi image.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Zeyi Chen <zeyi.chen@intel.com>
Cc: Fiona Wang <fiona.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>

Sheng Wei (2):
  CryptoPkg/BaseCryptLib: add sha384 and sha512 to ImageTimestampVerify
  SecurityPkg/SecureBoot: Support RSA4096 and RSA3072

 CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
 .../Library/AuthVariableLib/AuthService.c     | 225 +++++++++++++++---
 .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
 .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
 .../DxeImageVerificationLib.c                 |  74 +++---
 .../SecureBootConfigDxe.inf                   |   8 +
 .../SecureBootConfigImpl.c                    |  52 +++-
 .../SecureBootConfigImpl.h                    |   7 +
 .../SecureBootConfigStrings.uni               |   2 +
 9 files changed, 331 insertions(+), 86 deletions(-)

-- 
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#108352): https://edk2.groups.io/g/devel/message/108352
Mute This Topic: https://groups.io/mt/101207366/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH V9 0/2] Support RSA4096 and RSA3072
Posted by Yao, Jiewen 7 months, 1 week ago
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

Merged https://github.com/tianocore/edk2/pull/4798

> -----Original Message-----
> From: Sheng, W <w.sheng@intel.com>
> Sent: Thursday, September 7, 2023 9:57 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi <zeyi.chen@intel.com>; Wang,
> Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang,
> Guomin <guomin.jiang@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>
> Subject: [PATCH V9 0/2] Support RSA4096 and RSA3072
> 
> Patch V9:
> Refine coding format for file AuthService.c
> 
> Patch V8:
> Update the patch comments for CryptoPkg.
> Comment should be <76 characters in each line.
> Refine coding format.
> 
> Patch V7:
> Drop raw RSA3072 and RSA4096. Only use gEfiCertX509Guid for RSA3072 and
> RSA4096
> Do the positive tests and the negative tests below. And got all the expected
> results.
> 
> Patch V6:
> Remove the changes in MdePkg.
> The changes of patch v6 are in CryptoPkg and SecurityPkg.
> Set signature type to gEfiCertX509Guid when enroll RSA3072/RSA4096 KEK.
> This signature type is used to check the supported signature and show the strings.
> 
> Patch V5:
> Using define KEY_TYPE_RSASSA to replace the magic number.
> 
> Patch V4:
> Determine the RSA algorithm by a supported algorithm list.
> 
> Patch V3:
> Select SHA algorithm automaticly for a unsigned efi image.
> 
> Patch V2:
> Determine the SHA algorithm by a supported algorithm list.
> Create SHA context for each algorithm.
> 
> Test Case:
> 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image under UEFI
> shell.
> 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image under UEFI
> shell.
> 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image under UEFI
> shell.
> 4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI shell
> 
> Test Result:
> Pass
> 
> Negative Test Case:
> 1) Enroll a RSA2048 Cert, execute an unsigned efi image.
> 2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image.
> 3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image.
> 4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi
> image.
> 
> Test Result:
> Get "Access Denied" when try to execute the efi image.
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Zeyi Chen <zeyi.chen@intel.com>
> Cc: Fiona Wang <fiona.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> 
> Sheng Wei (2):
>   CryptoPkg/BaseCryptLib: add sha384 and sha512 to ImageTimestampVerify
>   SecurityPkg/SecureBoot: Support RSA4096 and RSA3072
> 
>  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
>  .../Library/AuthVariableLib/AuthService.c     | 225 +++++++++++++++---
>  .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
>  .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
>  .../DxeImageVerificationLib.c                 |  74 +++---
>  .../SecureBootConfigDxe.inf                   |   8 +
>  .../SecureBootConfigImpl.c                    |  52 +++-
>  .../SecureBootConfigImpl.h                    |   7 +
>  .../SecureBootConfigStrings.uni               |   2 +
>  9 files changed, 331 insertions(+), 86 deletions(-)
> 
> --
> 2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#108360): https://edk2.groups.io/g/devel/message/108360
Mute This Topic: https://groups.io/mt/101207366/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-