Reviewed-by: Jiewen Yao <jiewen....@intel.com> > -----Original Message----- > From: Sheng, W <w.sh...@intel.com> > Sent: Thursday, July 27, 2023 2:35 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen <jiewen....@intel.com>; Wang, Jian J <jian.j.w...@intel.com>; > Xu, Min M <min.m...@intel.com>; Chen, Zeyi <zeyi.c...@intel.com>; Wang, > Fiona <fiona.w...@intel.com> > Subject: [PATCH V5 3/3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413 > > Cc: Jiewen Yao <jiewen....@intel.com> > Cc: Jian J Wang <jian.j.w...@intel.com> > Cc: Min Xu <min.m...@intel.com> > Cc: Zeyi Chen <zeyi.c...@intel.com> > Cc: Fiona Wang <fiona.w...@intel.com> > Signed-off-by: Sheng Wei <w.sh...@intel.com> > --- > .../Library/AuthVariableLib/AuthService.c | 220 +++++++++++++++--- > .../AuthVariableLib/AuthServiceInternal.h | 4 +- > .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++-- > .../DxeImageVerificationLib.c | 73 +++--- > .../SecureBootConfigDxe.inf | 16 ++ > .../SecureBootConfigImpl.c | 114 +++++++-- > .../SecureBootConfigImpl.h | 7 + > .../SecureBootConfigStrings.uni | 6 + > 8 files changed, 391 insertions(+), 91 deletions(-) > > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c > b/SecurityPkg/Library/AuthVariableLib/AuthService.c > index d81c581d78..4c268a85cd 100644 > --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c > +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c > @@ -29,12 +29,125 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #include <Protocol/VariablePolicy.h> > > #include <Library/VariablePolicyLib.h> > > > > +#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE > > + > > +/** > > + Retrieves the size, in bytes, of the context buffer required for hash > operations. > > + > > + If this interface is not supported, then return zero. > > + > > + @return The size, in bytes, of the context buffer required for hash > operations. > > + @retval 0 This interface is not supported. > > + > > +**/ > > +typedef > > +UINTN > > +(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE)( > > + VOID > > + ); > > + > > +/** > > + Initializes user-supplied memory pointed by Sha1Context as hash context for > > + subsequent use. > > + > > + If HashContext is NULL, then return FALSE. > > + If this interface is not supported, then return FALSE. > > + > > + @param[out] HashContext Pointer to Hashcontext being initialized. > > + > > + @retval TRUE Hash context initialization succeeded. > > + @retval FALSE Hash context initialization failed. > > + @retval FALSE This interface is not supported. > > + > > +**/ > > +typedef > > +BOOLEAN > > +(EFIAPI *EFI_HASH_INIT)( > > + OUT VOID *HashContext > > + ); > > + > > +/** > > + Digests the input data and updates Hash context. > > + > > + This function performs Hash digest on a data buffer of the specified size. > > + It can be called multiple times to compute the digest of long or > discontinuous > data streams. > > + Hash context should be already correctly initialized by HashInit(), and > should > not be finalized > > + by HashFinal(). Behavior with invalid context is undefined. > > + > > + If HashContext is NULL, then return FALSE. > > + If this interface is not supported, then return FALSE. > > + > > + @param[in, out] HashContext Pointer to the Hash context. > > + @param[in] Data Pointer to the buffer containing the data to > be > hashed. > > + @param[in] DataSize Size of Data buffer in bytes. > > + > > + @retval TRUE SHA-1 data digest succeeded. > > + @retval FALSE SHA-1 data digest failed. > > + @retval FALSE This interface is not supported. > > + > > +**/ > > +typedef > > +BOOLEAN > > +(EFIAPI *EFI_HASH_UPDATE)( > > + IN OUT VOID *HashContext, > > + IN CONST VOID *Data, > > + IN UINTN DataSize > > + ); > > + > > +/** > > + Completes computation of the Hash digest value. > > + > > + This function completes hash computation and retrieves the digest value > into > > + the specified memory. After this function has been called, the Hash context > cannot > > + be used again. > > + Hash context should be already correctly initialized by HashInit(), and > should > not be > > + finalized by HashFinal(). Behavior with invalid Hash context is undefined. > > + > > + If HashContext is NULL, then return FALSE. > > + If HashValue is NULL, then return FALSE. > > + If this interface is not supported, then return FALSE. > > + > > + @param[in, out] HashContext Pointer to the Hash context. > > + @param[out] HashValue Pointer to a buffer that receives the Hash > digest > > + value. > > + > > + @retval TRUE Hash digest computation succeeded. > > + @retval FALSE Hash digest computation failed. > > + @retval FALSE This interface is not supported. > > + > > +**/ > > +typedef > > +BOOLEAN > > +(EFIAPI *EFI_HASH_FINAL)( > > + IN OUT VOID *HashContext, > > + OUT UINT8 *HashValue > > + ); > > + > > +typedef struct { > > + UINT32 HashSize; > > + EFI_HASH_GET_CONTEXT_SIZE GetContextSize; > > + EFI_HASH_INIT Init; > > + EFI_HASH_UPDATE Update; > > + EFI_HASH_FINAL Final; > > + VOID **HashShaCtx; > > + UINT8 *OidValue; > > + UINTN OidLength; > > +} EFI_HASH_INFO; > > + > > // > > // Public Exponent of RSA Key. > > // > > CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 }; > > > > -CONST UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, > 0x02, 0x01 }; > > +UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, > 0x01 }; > > +UINT8 mSha384OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, > 0x02 }; > > +UINT8 mSha512OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, > 0x03 }; > > + > > +EFI_HASH_INFO mHashInfo[] = { > > + {SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, > Sha256Final, &mHashSha256Ctx, mSha256OidValue, 9}, > > + {SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, Sha384Update, > Sha384Final, &mHashSha384Ctx, mSha384OidValue, 9}, > > + {SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, Sha512Update, > Sha512Final, &mHashSha512Ctx, mSha512OidValue, 9}, > > +}; > > > > // > > // Requirement for different signature type which have been defined in UEFI > spec. > > @@ -44,6 +157,8 @@ EFI_SIGNATURE_ITEM mSupportSigItem[] = { > // {SigType, SigHeaderSize, SigDataSize } > > { EFI_CERT_SHA256_GUID, 0, 32 }, > > { EFI_CERT_RSA2048_GUID, 0, 256 }, > > + { EFI_CERT_RSA3072_GUID, 0, 384 }, > > + { EFI_CERT_RSA4096_GUID, 0, 512 }, > > { EFI_CERT_RSA2048_SHA256_GUID, 0, 256 }, > > { EFI_CERT_SHA1_GUID, 0, 20 }, > > { EFI_CERT_RSA2048_SHA1_GUID, 0, 256 }, > > @@ -1090,26 +1205,28 @@ AuthServiceInternalCompareTimeStamp ( > } > > > > /** > > - Calculate SHA256 digest of SignerCert CommonName + ToplevelCert > tbsCertificate > > + Calculate SHA digest of SignerCert CommonName + ToplevelCert tbsCertificate > > SignerCert and ToplevelCert are inside the signer certificate chain. > > > > + @param[in] HashAlgId Hash algorithm index > > @param[in] SignerCert A pointer to SignerCert data. > > @param[in] SignerCertSize Length of SignerCert data. > > @param[in] TopLevelCert A pointer to TopLevelCert data. > > @param[in] TopLevelCertSize Length of TopLevelCert data. > > - @param[out] Sha256Digest Sha256 digest calculated. > > + @param[out] ShaDigest Sha digest calculated. > > > > @return EFI_ABORTED Digest process failed. > > - @return EFI_SUCCESS SHA256 Digest is successfully calculated. > > + @return EFI_SUCCESS SHA Digest is successfully calculated. > > > > **/ > > EFI_STATUS > > -CalculatePrivAuthVarSignChainSHA256Digest ( > > +CalculatePrivAuthVarSignChainSHADigest ( > > + IN UINT8 HashAlgId, > > IN UINT8 *SignerCert, > > IN UINTN SignerCertSize, > > IN UINT8 *TopLevelCert, > > IN UINTN TopLevelCertSize, > > - OUT UINT8 *Sha256Digest > > + OUT UINT8 *ShaDigest > > ) > > { > > UINT8 *TbsCert; > > @@ -1119,6 +1236,11 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > BOOLEAN CryptoStatus; > > EFI_STATUS Status; > > > > + if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { > > + DEBUG ((DEBUG_INFO, "%a Unsupported Hash Algorithm %d\n", __func__, > HashAlgId)); > > + return EFI_ABORTED; > > + } > > + > > CertCommonNameSize = sizeof (CertCommonName); > > > > // > > @@ -1141,8 +1263,8 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > // > > // Digest SignerCert CN + TopLevelCert tbsCertificate > > // > > - ZeroMem (Sha256Digest, SHA256_DIGEST_SIZE); > > - CryptoStatus = Sha256Init (mHashCtx); > > + ZeroMem (ShaDigest, mHashInfo[HashAlgId].HashSize); > > + CryptoStatus = mHashInfo[HashAlgId].Init > (*(mHashInfo[HashAlgId].HashShaCtx)); > > if (!CryptoStatus) { > > return EFI_ABORTED; > > } > > @@ -1150,8 +1272,8 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > // > > // '\0' is forced in CertCommonName. No overflow issue > > // > > - CryptoStatus = Sha256Update ( > > - mHashCtx, > > + CryptoStatus = mHashInfo[HashAlgId].Update ( > > + *(mHashInfo[HashAlgId].HashShaCtx), > > CertCommonName, > > AsciiStrLen (CertCommonName) > > ); > > @@ -1159,12 +1281,12 @@ CalculatePrivAuthVarSignChainSHA256Digest ( > return EFI_ABORTED; > > } > > > > - CryptoStatus = Sha256Update (mHashCtx, TbsCert, TbsCertSize); > > + CryptoStatus = mHashInfo[HashAlgId].Update > (*(mHashInfo[HashAlgId].HashShaCtx), TbsCert, TbsCertSize); > > if (!CryptoStatus) { > > return EFI_ABORTED; > > } > > > > - CryptoStatus = Sha256Final (mHashCtx, Sha256Digest); > > + CryptoStatus = mHashInfo[HashAlgId].Final > (*(mHashInfo[HashAlgId].HashShaCtx), ShaDigest); > > if (!CryptoStatus) { > > return EFI_ABORTED; > > } > > @@ -1516,9 +1638,10 @@ DeleteCertsFromDb ( > /** > > Insert signer's certificates for common authenticated variable with > VariableName > > and VendorGuid in AUTH_CERT_DB_DATA to "certdb" or "certdbv" according to > > - time based authenticated variable attributes. CertData is the SHA256 > digest of > > + time based authenticated variable attributes. CertData is the SHA digest of > > SignerCert CommonName + TopLevelCert tbsCertificate. > > > > + @param[in] HashAlgId Hash algorithm index. > > @param[in] VariableName Name of authenticated Variable. > > @param[in] VendorGuid Vendor GUID of authenticated Variable. > > @param[in] Attributes Attributes of authenticated variable. > > @@ -1536,6 +1659,7 @@ DeleteCertsFromDb ( > **/ > > EFI_STATUS > > InsertCertsToDb ( > > + IN UINT8 HashAlgId, > > IN CHAR16 *VariableName, > > IN EFI_GUID *VendorGuid, > > IN UINT32 Attributes, > > @@ -1556,12 +1680,16 @@ InsertCertsToDb ( > UINT32 CertDataSize; > > AUTH_CERT_DB_DATA *Ptr; > > CHAR16 *DbName; > > - UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; > > + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; > > > > if ((VariableName == NULL) || (VendorGuid == NULL) || (SignerCert == NULL) > || > (TopLevelCert == NULL)) { > > return EFI_INVALID_PARAMETER; > > } > > > > + if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { > > + return EFI_INVALID_PARAMETER; > > + } > > + > > if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) { > > // > > // Get variable "certdb". > > @@ -1618,20 +1746,22 @@ InsertCertsToDb ( > // Construct new data content of variable "certdb" or "certdbv". > > // > > NameSize = (UINT32)StrLen (VariableName); > > - CertDataSize = sizeof (Sha256Digest); > > + CertDataSize = mHashInfo[HashAlgId].HashSize; > > CertNodeSize = sizeof (AUTH_CERT_DB_DATA) + (UINT32)CertDataSize + > NameSize * sizeof (CHAR16); > > NewCertDbSize = (UINT32)DataSize + CertNodeSize; > > if (NewCertDbSize > mMaxCertDbSize) { > > return EFI_OUT_OF_RESOURCES; > > } > > > > - Status = CalculatePrivAuthVarSignChainSHA256Digest ( > > + Status = CalculatePrivAuthVarSignChainSHADigest ( > > + HashAlgId, > > SignerCert, > > SignerCertSize, > > TopLevelCert, > > TopLevelCertSize, > > - Sha256Digest > > + ShaDigest > > ); > > + > > if (EFI_ERROR (Status)) { > > return Status; > > } > > @@ -1663,7 +1793,7 @@ InsertCertsToDb ( > > > CopyMem ( > > (UINT8 *)Ptr + sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof (CHAR16), > > - Sha256Digest, > > + ShaDigest, > > CertDataSize > > ); > > > > @@ -1790,6 +1920,36 @@ CleanCertsFromDb ( > return Status; > > } > > > > +/** > > + Find hash algorithm index > > + > > + @param[in] SigData Pointer to the PKCS#7 message > > + @param[in] SigDataSize Length of the PKCS#7 message > > + > > + @retval UINT8 Hash Algorithm Index > > +**/ > > +UINT8 > > +FindHashAlgorithmIndex ( > > + IN UINT8 *SigData, > > + IN UINT32 SigDataSize > > +) > > +{ > > + UINT8 i; > > + > > + for (i = 0; i < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO)); i++) { > > + if ( ( (SigDataSize >= (13 + mHashInfo[i].OidLength)) > > + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE) > > + && (CompareMem (SigData + 13, mHashInfo[i].OidValue, > mHashInfo[i].OidLength) == 0))) > > + || (( (SigDataSize >= (32 + mHashInfo[i].OidLength))) > > + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE) > > + && (CompareMem (SigData + 32, mHashInfo[i].OidValue, > mHashInfo[i].OidLength) == 0)))) > > + { > > + break; > > + } > > + } > > + return i; > > +} > > + > > /** > > Process variable with > EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set > > > > @@ -1857,8 +2017,9 @@ VerifyTimeBasedPayload ( > UINTN CertStackSize; > > UINT8 *CertsInCertDb; > > UINT32 CertsSizeinDb; > > - UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; > > + UINT8 ShaDigest[SHA_DIGEST_SIZE_MAX]; > > EFI_CERT_DATA *CertDataPtr; > > + UINT8 HashAlgId; > > > > // > > // 1. TopLevelCert is the top-level issuer certificate in signature Signer > Cert > Chain > > @@ -1928,7 +2089,7 @@ VerifyTimeBasedPayload ( > > > // > > // SignedData.digestAlgorithms shall contain the digest algorithm used when > preparing the > > - // signature. Only a digest algorithm of SHA-256 is accepted. > > + // signature. Only a digest algorithm of SHA-256, SHA-384 or SHA-512 is > accepted. > > // > > // According to PKCS#7 Definition > (https://www.rfc-editor.org/rfc/rfc2315): > > // SignedData ::= SEQUENCE { > > @@ -1972,14 +2133,9 @@ VerifyTimeBasedPayload ( > // > > // Example generated with: > https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_ > Boot#Manual_process > > // > > + HashAlgId = FindHashAlgorithmIndex (SigData, SigDataSize); > > if ((Attributes & > EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) { > > - if ( ( (SigDataSize >= (13 + sizeof (mSha256OidValue))) > > - && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) > > - || (CompareMem (SigData + 13, &mSha256OidValue, sizeof > (mSha256OidValue)) != 0))) > > - && ( (SigDataSize >= (32 + sizeof (mSha256OidValue))) > > - && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) > > - || (CompareMem (SigData + 32, &mSha256OidValue, sizeof > (mSha256OidValue)) != 0)))) > > - { > > + if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) { > > return EFI_SECURITY_VIOLATION; > > } > > } > > @@ -2170,19 +2326,20 @@ VerifyTimeBasedPayload ( > goto Exit; > > } > > > > - if (CertsSizeinDb == SHA256_DIGEST_SIZE) { > > + if ((HashAlgId < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) && > (CertsSizeinDb == mHashInfo[HashAlgId].HashSize)) { > > // > > // Check hash of signer cert CommonName + Top-level issuer > tbsCertificate > against data in CertDb > > // > > CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1); > > - Status = CalculatePrivAuthVarSignChainSHA256Digest ( > > + Status = CalculatePrivAuthVarSignChainSHADigest ( > > + HashAlgId, > > CertDataPtr->CertDataBuffer, > > ReadUnaligned32 ((UINT32 > *)&(CertDataPtr->CertDataLength)), > > TopLevelCert, > > TopLevelCertSize, > > - Sha256Digest > > + ShaDigest > > ); > > - if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, CertsInCertDb, > CertsSizeinDb) != 0)) { > > + if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb, > CertsSizeinDb) != 0)) { > > goto Exit; > > } > > } else { > > @@ -2215,6 +2372,7 @@ VerifyTimeBasedPayload ( > // > > CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1); > > Status = InsertCertsToDb ( > > + HashAlgId, > > VariableName, > > VendorGuid, > > Attributes, > > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h > b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h > index b202e613bc..f7bf771d55 100644 > --- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h > +++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h > @@ -92,7 +92,9 @@ extern UINT32 mMaxCertDbSize; > extern UINT32 mPlatformMode; > > extern UINT8 mVendorKeyState; > > > > -extern VOID *mHashCtx; > > +extern VOID *mHashSha256Ctx; > > +extern VOID *mHashSha384Ctx; > > +extern VOID *mHashSha512Ctx; > > > > extern AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn; > > > > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > index dc61ae840c..19e0004699 100644 > --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c > @@ -26,12 +26,14 @@ UINT32 mMaxCertDbSize; > UINT32 mPlatformMode; > > UINT8 mVendorKeyState; > > > > -EFI_GUID mSignatureSupport[] = { EFI_CERT_SHA1_GUID, > EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID }; > > +EFI_GUID mSignatureSupport[] = { EFI_CERT_SHA1_GUID, > EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID, > EFI_CERT_RSA2048_GUID, EFI_CERT_RSA3072_GUID, > EFI_CERT_RSA4096_GUID, EFI_CERT_X509_GUID }; > > > > // > > // Hash context pointer > > // > > -VOID *mHashCtx = NULL; > > +VOID *mHashSha256Ctx = NULL; > > +VOID *mHashSha384Ctx = NULL; > > +VOID *mHashSha512Ctx = NULL; > > > > VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = { > > { > > @@ -91,7 +93,7 @@ VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = { > }, > > }; > > > > -VOID **mAuthVarAddressPointer[9]; > > +VOID **mAuthVarAddressPointer[11]; > > > > AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn = NULL; > > > > @@ -120,7 +122,6 @@ AuthVariableLibInitialize ( > UINT32 VarAttr; > > UINT8 *Data; > > UINTN DataSize; > > - UINTN CtxSize; > > UINT8 SecureBootMode; > > UINT8 SecureBootEnable; > > UINT8 CustomMode; > > @@ -135,9 +136,18 @@ AuthVariableLibInitialize ( > // > > // Initialize hash context. > > // > > - CtxSize = Sha256GetContextSize (); > > - mHashCtx = AllocateRuntimePool (CtxSize); > > - if (mHashCtx == NULL) { > > + mHashSha256Ctx = AllocateRuntimePool (Sha256GetContextSize ()); > > + if (mHashSha256Ctx == NULL) { > > + return EFI_OUT_OF_RESOURCES; > > + } > > + > > + mHashSha384Ctx = AllocateRuntimePool (Sha384GetContextSize ()); > > + if (mHashSha384Ctx == NULL) { > > + return EFI_OUT_OF_RESOURCES; > > + } > > + > > + mHashSha512Ctx = AllocateRuntimePool (Sha512GetContextSize ()); > > + if (mHashSha512Ctx == NULL) { > > return EFI_OUT_OF_RESOURCES; > > } > > > > @@ -356,14 +366,16 @@ AuthVariableLibInitialize ( > AuthVarLibContextOut->AuthVarEntry = mAuthVarEntry; > > AuthVarLibContextOut->AuthVarEntryCount = ARRAY_SIZE (mAuthVarEntry); > > mAuthVarAddressPointer[0] = (VOID **)&mCertDbStore; > > - mAuthVarAddressPointer[1] = (VOID **)&mHashCtx; > > - mAuthVarAddressPointer[2] = (VOID **)&mAuthVarLibContextIn; > > - mAuthVarAddressPointer[3] = (VOID > **)&(mAuthVarLibContextIn- > >FindVariable), > > - mAuthVarAddressPointer[4] = (VOID > **)&(mAuthVarLibContextIn- > >FindNextVariable), > > - mAuthVarAddressPointer[5] = (VOID > **)&(mAuthVarLibContextIn- > >UpdateVariable), > > - mAuthVarAddressPointer[6] = (VOID > **)&(mAuthVarLibContextIn- > >GetScratchBuffer), > > - mAuthVarAddressPointer[7] = (VOID > **)&(mAuthVarLibContextIn- > >CheckRemainingSpaceForConsistency), > > - mAuthVarAddressPointer[8] = (VOID > **)&(mAuthVarLibContextIn- > >AtRuntime), > > + mAuthVarAddressPointer[1] = (VOID **)&mHashSha256Ctx; > > + mAuthVarAddressPointer[2] = (VOID **)&mHashSha384Ctx; > > + mAuthVarAddressPointer[3] = (VOID **)&mHashSha512Ctx; > > + mAuthVarAddressPointer[4] = (VOID **)&mAuthVarLibContextIn; > > + mAuthVarAddressPointer[5] = (VOID > **)&(mAuthVarLibContextIn- > >FindVariable), > > + mAuthVarAddressPointer[6] = (VOID > **)&(mAuthVarLibContextIn- > >FindNextVariable), > > + mAuthVarAddressPointer[7] = (VOID > **)&(mAuthVarLibContextIn- > >UpdateVariable), > > + mAuthVarAddressPointer[8] = (VOID > **)&(mAuthVarLibContextIn- > >GetScratchBuffer), > > + mAuthVarAddressPointer[9] = (VOID > **)&(mAuthVarLibContextIn- > >CheckRemainingSpaceForConsistency), > > + mAuthVarAddressPointer[10] = (VOID > **)&(mAuthVarLibContextIn- > >AtRuntime), > > AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer; > > AuthVarLibContextOut->AddressPointerCount = ARRAY_SIZE > (mAuthVarAddressPointer); > > > > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 5d8dbd5468..88b2d3c6c1 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > @@ -1620,7 +1620,7 @@ Done: > in the security database "db", and no valid signature nor any hash > value of the > image may > > be reflected in the security database "dbx". > > Otherwise, the image is not signed, > > - The SHA256 hash value of the image must match a record in the security > database "db", and > > + The hash value of the image must match a record in the security > database > "db", and > > not be reflected in the security data base "dbx". > > > > Caution: This function may receive untrusted input. > > @@ -1690,6 +1690,8 @@ DxeImageVerificationHandler ( > EFI_STATUS VarStatus; > > UINT32 VarAttr; > > BOOLEAN IsFound; > > + UINT8 HashAlg; > > + BOOLEAN IsFoundInDatabase; > > > > SignatureList = NULL; > > SignatureListSize = 0; > > @@ -1699,6 +1701,7 @@ DxeImageVerificationHandler ( > Action = EFI_IMAGE_EXECUTION_AUTH_UNTESTED; > > IsVerified = FALSE; > > IsFound = FALSE; > > + IsFoundInDatabase = FALSE; > > > > // > > // Check the image type and get policy setting. > > @@ -1837,40 +1840,50 @@ DxeImageVerificationHandler ( > // > > if ((SecDataDir == NULL) || (SecDataDir->Size == 0)) { > > // > > - // This image is not signed. The SHA256 hash value of the image must > match a > record in the security database "db", > > + // This image is not signed. The hash value of the image must match a > record > in the security database "db", > > // and not be reflected in the security data base "dbx". > > // > > - if (!HashPeImage (HASHALG_SHA256)) { > > - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image > using %s.\n", mHashTypeStr)); > > - goto Failed; > > - } > > + HashAlg = sizeof (mHash) / sizeof (HASH_TABLE); > > + while (HashAlg > 0) { > > + HashAlg--; > > + if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit > == NULL) || (mHash[HashAlg].HashUpdate == NULL) || > (mHash[HashAlg].HashFinal == NULL)) { > > + continue; > > + } > > + if (!HashPeImage (HashAlg)) { > > + continue; > > + } > > > > - DbStatus = IsSignatureFoundInDatabase ( > > - EFI_IMAGE_SECURITY_DATABASE1, > > - mImageDigest, > > - &mCertType, > > - mImageDigestSize, > > - &IsFound > > - ); > > - if (EFI_ERROR (DbStatus) || IsFound) { > > - // > > - // Image Hash is in forbidden database (DBX). > > - // > > - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and > %s > hash of image is forbidden by DBX.\n", mHashTypeStr)); > > - goto Failed; > > + DbStatus = IsSignatureFoundInDatabase ( > > + EFI_IMAGE_SECURITY_DATABASE1, > > + mImageDigest, > > + &mCertType, > > + mImageDigestSize, > > + &IsFound > > + ); > > + if (EFI_ERROR (DbStatus) || IsFound) { > > + // > > + // Image Hash is in forbidden database (DBX). > > + // > > + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed > and %s hash of image is forbidden by DBX.\n", mHashTypeStr)); > > + goto Failed; > > + } > > + > > + DbStatus = IsSignatureFoundInDatabase ( > > + EFI_IMAGE_SECURITY_DATABASE, > > + mImageDigest, > > + &mCertType, > > + mImageDigestSize, > > + &IsFound > > + ); > > + if (!EFI_ERROR (DbStatus) && IsFound) { > > + // > > + // Image Hash is in allowed database (DB). > > + // > > + IsFoundInDatabase = TRUE; > > + } > > } > > > > - DbStatus = IsSignatureFoundInDatabase ( > > - EFI_IMAGE_SECURITY_DATABASE, > > - mImageDigest, > > - &mCertType, > > - mImageDigestSize, > > - &IsFound > > - ); > > - if (!EFI_ERROR (DbStatus) && IsFound) { > > - // > > - // Image Hash is in allowed database (DB). > > - // > > + if (IsFoundInDatabase) { > > return EFI_SUCCESS; > > } > > > > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx > e.inf > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx > e.inf > index 1671d5be7c..cb52a16c09 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx > e.inf > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx > e.inf > @@ -70,6 +70,14 @@ > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of > the > signature. > > gEfiCertRsa2048Guid > > > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of > the > signature. > > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of > the > signature. > > + gEfiCertRsa3072Guid > > + > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of > the > signature. > > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of > the > signature. > > + gEfiCertRsa4096Guid > > + > > ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of > the > signature. > > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of > the > signature. > > gEfiCertX509Guid > > @@ -82,6 +90,14 @@ > ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of > the > signature. > > gEfiCertSha256Guid > > > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of > the > signature. > > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of > the > signature. > > + gEfiCertSha384Guid > > + > > + ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of > the > signature. > > + ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of > the > signature. > > + gEfiCertSha512Guid > > + > > ## SOMETIMES_CONSUMES ## Variable:L"db" > > ## SOMETIMES_PRODUCES ## Variable:L"db" > > ## SOMETIMES_CONSUMES ## Variable:L"dbx" > > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm > pl.c > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm > pl.c > index 0e31502b1b..de9d801109 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm > pl.c > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm > pl.c > @@ -560,7 +560,7 @@ ON_EXIT: > > > **/ > > EFI_STATUS > > -EnrollRsa2048ToKek ( > > +EnrollRsaToKek ( > > IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private > > ) > > { > > @@ -603,8 +603,19 @@ EnrollRsa2048ToKek ( > > > ASSERT (KeyBlob != NULL); > > KeyInfo = (CPL_KEY_INFO *)KeyBlob; > > - if (KeyInfo->KeyLengthInBits / 8 != WIN_CERT_UEFI_RSA2048_SIZE) { > > - DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is > supported.\n")); > > + if (KeyInfo->KeyType == KEY_TYPE_RSASSA) { > > + switch (KeyInfo->KeyLengthInBits / 8) { > > + case WIN_CERT_UEFI_RSA2048_SIZE: > > + case WIN_CERT_UEFI_RSA3072_SIZE: > > + case WIN_CERT_UEFI_RSA4096_SIZE: > > + break; > > + default : > > + DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048, RSA3072 > and RSA4096 are supported.\n")); > > + Status = EFI_UNSUPPORTED; > > + goto ON_EXIT; > > + } > > + } else { > > + DEBUG ((DEBUG_ERROR, "Unsupported key type : %d, only 0 is > supported.\n", KeyInfo->KeyType)); > > Status = EFI_UNSUPPORTED; > > goto ON_EXIT; > > } > > @@ -632,7 +643,7 @@ EnrollRsa2048ToKek ( > // > > KekSigListSize = sizeof (EFI_SIGNATURE_LIST) > > + sizeof (EFI_SIGNATURE_DATA) - 1 > > - + WIN_CERT_UEFI_RSA2048_SIZE; > > + + KeyLenInBytes; > > > > KekSigList = (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSize); > > if (KekSigList == NULL) { > > @@ -642,17 +653,32 @@ EnrollRsa2048ToKek ( > > > KekSigList->SignatureListSize = sizeof (EFI_SIGNATURE_LIST) > > + sizeof (EFI_SIGNATURE_DATA) - 1 > > - + WIN_CERT_UEFI_RSA2048_SIZE; > > + + (UINT32) KeyLenInBytes; > > KekSigList->SignatureHeaderSize = 0; > > - KekSigList->SignatureSize = sizeof (EFI_SIGNATURE_DATA) - 1 + > WIN_CERT_UEFI_RSA2048_SIZE; > > - CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); > > + KekSigList->SignatureSize = sizeof (EFI_SIGNATURE_DATA) - 1 + > (UINT32) > KeyLenInBytes; > > + switch (KeyLenInBytes) { > > + case WIN_CERT_UEFI_RSA2048_SIZE: > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); > > + break; > > + case WIN_CERT_UEFI_RSA3072_SIZE: > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid); > > + break; > > + case WIN_CERT_UEFI_RSA4096_SIZE: > > + CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid); > > + break; > > + break; > > + default : > > + DEBUG ((DEBUG_ERROR, "Unsupported key length.\n")); > > + Status = EFI_UNSUPPORTED; > > + goto ON_EXIT; > > + } > > > > KEKSigData = (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof > (EFI_SIGNATURE_LIST)); > > CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID); > > CopyMem ( > > KEKSigData->SignatureData, > > KeyBlob + sizeof (CPL_KEY_INFO), > > - WIN_CERT_UEFI_RSA2048_SIZE > > + KeyLenInBytes > > ); > > > > // > > @@ -890,7 +916,7 @@ EnrollKeyExchangeKey ( > if (IsDerEncodeCertificate (FilePostFix)) { > > return EnrollX509ToKek (Private); > > } else if (CompareMem (FilePostFix, L".pbk", 4) == 0) { > > - return EnrollRsa2048ToKek (Private); > > + return EnrollRsaToKek (Private); > > } else { > > // > > // File type is wrong, simply close it > > @@ -1847,7 +1873,7 @@ HashPeImage ( > SectionHeader = NULL; > > Status = FALSE; > > > > - if (HashAlg != HASHALG_SHA256) { > > + if ((HashAlg >= HASHALG_MAX)) { > > return FALSE; > > } > > > > @@ -1856,8 +1882,25 @@ HashPeImage ( > // > > ZeroMem (mImageDigest, MAX_DIGEST_SIZE); > > > > - mImageDigestSize = SHA256_DIGEST_SIZE; > > - mCertType = gEfiCertSha256Guid; > > + switch (HashAlg) { > > + case HASHALG_SHA256: > > + mImageDigestSize = SHA256_DIGEST_SIZE; > > + mCertType = gEfiCertSha256Guid; > > + break; > > + > > + case HASHALG_SHA384: > > + mImageDigestSize = SHA384_DIGEST_SIZE; > > + mCertType = gEfiCertSha384Guid; > > + break; > > + > > + case HASHALG_SHA512: > > + mImageDigestSize = SHA512_DIGEST_SIZE; > > + mCertType = gEfiCertSha512Guid; > > + break; > > + > > + default: > > + return FALSE; > > + } > > > > CtxSize = mHash[HashAlg].GetContextSize (); > > > > @@ -2251,6 +2294,7 @@ EnrollImageSignatureToSigDB ( > UINT32 Attr; > > WIN_CERTIFICATE_UEFI_GUID *GuidCertData; > > EFI_TIME Time; > > + UINT32 HashAlg; > > > > Data = NULL; > > GuidCertData = NULL; > > @@ -2289,8 +2333,20 @@ EnrollImageSignatureToSigDB ( > } > > > > if (mSecDataDir->SizeOfCert == 0) { > > - if (!HashPeImage (HASHALG_SHA256)) { > > - Status = EFI_SECURITY_VIOLATION; > > + Status = EFI_SECURITY_VIOLATION; > > + HashAlg = sizeof (mHash) / sizeof (HASH_TABLE); > > + while (HashAlg > 0) { > > + HashAlg--; > > + if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit > == NULL) || (mHash[HashAlg].HashUpdate == NULL) || > (mHash[HashAlg].HashFinal == NULL)) { > > + continue; > > + } > > + if (HashPeImage (HashAlg)) { > > + Status = EFI_SUCCESS; > > + break; > > + } > > + } > > + if (EFI_ERROR (Status)) { > > + DEBUG ((DEBUG_ERROR, "Fail to get hash digest: %r", Status)); > > goto ON_EXIT; > > } > > } else { > > @@ -2589,6 +2645,10 @@ UpdateDeletePage ( > while ((ItemDataSize > 0) && (ItemDataSize >= > CertList->SignatureListSize)) { > > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)) { > > Help = STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID); > > + } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid)) > { > > + Help = STRING_TOKEN (STR_CERT_TYPE_RSA3072_SHA384_GUID); > > + } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid)) > { > > + Help = STRING_TOKEN (STR_CERT_TYPE_RSA4096_SHA512_GUID); > > } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) { > > Help = STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID); > > } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid)) { > > @@ -2750,6 +2810,8 @@ DeleteKeyExchangeKey ( > GuidIndex = 0; > > while ((KekDataSize > 0) && (KekDataSize >= CertList->SignatureListSize)) { > > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) || > > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) || > > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) || > > CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) > > { > > CopyMem (Data + Offset, CertList, (sizeof (EFI_SIGNATURE_LIST) + > CertList- > >SignatureHeaderSize)); > > @@ -2952,6 +3014,8 @@ DeleteSignature ( > GuidIndex = 0; > > while ((ItemDataSize > 0) && (ItemDataSize >= > CertList->SignatureListSize)) { > > if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) || > > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) || > > + CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) || > > CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) || > > CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) || > > CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid) || > > @@ -3758,12 +3822,20 @@ LoadSignatureList ( > while ((RemainingSize > 0) && (RemainingSize >= > ListWalker->SignatureListSize)) > { > > if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa2048Guid)) { > > ListType = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256); > > + } else if (CompareGuid (&ListWalker->SignatureType, > &gEfiCertRsa3072Guid)) > { > > + ListType = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384); > > + } else if (CompareGuid (&ListWalker->SignatureType, > &gEfiCertRsa4096Guid)) > { > > + ListType = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512); > > } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Guid)) { > > ListType = STRING_TOKEN (STR_LIST_TYPE_X509); > > } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha1Guid)) { > > ListType = STRING_TOKEN (STR_LIST_TYPE_SHA1); > > } else if (CompareGuid (&ListWalker->SignatureType, > &gEfiCertSha256Guid)) { > > ListType = STRING_TOKEN (STR_LIST_TYPE_SHA256); > > + } else if (CompareGuid (&ListWalker->SignatureType, > &gEfiCertSha384Guid)) { > > + ListType = STRING_TOKEN (STR_LIST_TYPE_SHA384); > > + } else if (CompareGuid (&ListWalker->SignatureType, > &gEfiCertSha512Guid)) { > > + ListType = STRING_TOKEN (STR_LIST_TYPE_SHA512); > > } else if (CompareGuid (&ListWalker->SignatureType, > &gEfiCertX509Sha256Guid)) { > > ListType = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); > > } else if (CompareGuid (&ListWalker->SignatureType, > &gEfiCertX509Sha384Guid)) { > > @@ -4001,6 +4073,14 @@ FormatHelpInfo ( > ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256); > > DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID); > > IsCert = TRUE; > > + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa3072Guid)) { > > + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384); > > + DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID); > > + IsCert = TRUE; > > + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa4096Guid)) { > > + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512); > > + DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID); > > + IsCert = TRUE; > > } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Guid)) { > > ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509); > > DataSize = ListEntry->SignatureSize - sizeof (EFI_GUID); > > @@ -4011,6 +4091,12 @@ FormatHelpInfo ( > } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha256Guid)) { > > ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA256); > > DataSize = 32; > > + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha384Guid)) { > > + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA384); > > + DataSize = 48; > > + } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha512Guid)) { > > + ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA512); > > + DataSize = 64; > > } else if (CompareGuid (&ListEntry->SignatureType, > &gEfiCertX509Sha256Guid)) > { > > ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); > > DataSize = 32; > > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm > pl.h > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm > pl.h > index 37c66f1b95..ff6e7301af 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm > pl.h > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm > pl.h > @@ -82,6 +82,8 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; > #define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE > > > > #define WIN_CERT_UEFI_RSA2048_SIZE 256 > > +#define WIN_CERT_UEFI_RSA3072_SIZE 384 > > +#define WIN_CERT_UEFI_RSA4096_SIZE 512 > > > > // > > // Support hash types > > @@ -98,6 +100,11 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; > // > > #define CER_PUBKEY_MIN_SIZE 256 > > > > +// > > +// Define KeyType for public key storing file > > +// > > +#define KEY_TYPE_RSASSA 0 > > + > > // > > // Types of errors may occur during certificate enrollment. > > // > > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStr > ings.uni > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStr > ings.uni > index 0d01701de7..1b48acc800 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStr > ings.uni > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStr > ings.uni > @@ -113,6 +113,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP #language en-US > "Read the public key of KEK from file" > > #string STR_FILE_EXPLORER_TITLE #language en-US "File > Explorer" > > #string STR_CERT_TYPE_RSA2048_SHA256_GUID #language en-US > "RSA2048_SHA256_GUID" > > +#string STR_CERT_TYPE_RSA3072_SHA384_GUID #language en-US > "RSA3072_SHA384_GUID" > > +#string STR_CERT_TYPE_RSA4096_SHA512_GUID #language en-US > "RSA4096_SHA512_GUID" > > #string STR_CERT_TYPE_PCKS7_GUID #language en-US > "PKCS7_GUID" > > #string STR_CERT_TYPE_SHA1_GUID #language en-US "SHA1_GUID" > > #string STR_CERT_TYPE_SHA256_GUID #language en-US > "SHA256_GUID" > > @@ -121,9 +123,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #string STR_CERT_TYPE_X509_SHA512_GUID #language en-US > "X509_SHA512_GUID" > > > > #string STR_LIST_TYPE_RSA2048_SHA256 #language en-US > "RSA2048_SHA256" > > +#string STR_LIST_TYPE_RSA3072_SHA384 #language en-US > "RSA3072_SHA384" > > +#string STR_LIST_TYPE_RSA4096_SHA512 #language en-US > "RSA4096_SHA512" > > #string STR_LIST_TYPE_X509 #language en-US "X509" > > #string STR_LIST_TYPE_SHA1 #language en-US "SHA1" > > #string STR_LIST_TYPE_SHA256 #language en-US "SHA256" > > +#string STR_LIST_TYPE_SHA384 #language en-US "SHA384" > > +#string STR_LIST_TYPE_SHA512 #language en-US "SHA512" > > #string STR_LIST_TYPE_X509_SHA256 #language en-US > "X509_SHA256" > > #string STR_LIST_TYPE_X509_SHA384 #language en-US > "X509_SHA384" > > #string STR_LIST_TYPE_X509_SHA512 #language en-US > "X509_SHA512" > > -- > 2.26.2.windows.1
-=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#107309): https://edk2.groups.io/g/devel/message/107309 Mute This Topic: https://groups.io/mt/100385944/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
