Re: [edk2-devel] [PATCH V5 3/3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384

2023-07-27 Thread Yao, Jiewen 
Reviewed-by: Jiewen Yao 

> -Original Message-
> From: Sheng, W 
> Sent: Thursday, July 27, 2023 2:35 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen ; Wang, Jian J ;
> Xu, Min M ; Chen, Zeyi ; Wang,
> Fiona 
> Subject: [PATCH V5 3/3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413
> 
> Cc: Jiewen Yao 
> Cc: Jian J Wang 
> Cc: Min Xu 
> Cc: Zeyi Chen 
> Cc: Fiona Wang 
> Signed-off-by: Sheng Wei 
> ---
>  .../Library/AuthVariableLib/AuthService.c | 220 +++---
>  .../AuthVariableLib/AuthServiceInternal.h |   4 +-
>  .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
>  .../DxeImageVerificationLib.c |  73 +++---
>  .../SecureBootConfigDxe.inf   |  16 ++
>  .../SecureBootConfigImpl.c| 114 +++--
>  .../SecureBootConfigImpl.h|   7 +
>  .../SecureBootConfigStrings.uni   |   6 +
>  8 files changed, 391 insertions(+), 91 deletions(-)
> 
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> index d81c581d78..4c268a85cd 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> @@ -29,12 +29,125 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  #include 
> 
>  #include 
> 
> 
> 
> +#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE
> 
> +
> 
> +/**
> 
> +  Retrieves the size, in bytes, of the context buffer required for hash 
> operations.
> 
> +
> 
> +  If this interface is not supported, then return zero.
> 
> +
> 
> +  @return  The size, in bytes, of the context buffer required for hash 
> operations.
> 
> +  @retval  0   This interface is not supported.
> 
> +
> 
> +**/
> 
> +typedef
> 
> +UINTN
> 
> +(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE)(
> 
> +  VOID
> 
> +  );
> 
> +
> 
> +/**
> 
> +  Initializes user-supplied memory pointed by Sha1Context as hash context for
> 
> +  subsequent use.
> 
> +
> 
> +  If HashContext is NULL, then return FALSE.
> 
> +  If this interface is not supported, then return FALSE.
> 
> +
> 
> +  @param[out]  HashContext  Pointer to Hashcontext being initialized.
> 
> +
> 
> +  @retval TRUE   Hash context initialization succeeded.
> 
> +  @retval FALSE  Hash context initialization failed.
> 
> +  @retval FALSE  This interface is not supported.
> 
> +
> 
> +**/
> 
> +typedef
> 
> +BOOLEAN
> 
> +(EFIAPI *EFI_HASH_INIT)(
> 
> +  OUT  VOID  *HashContext
> 
> +  );
> 
> +
> 
> +/**
> 
> +  Digests the input data and updates Hash context.
> 
> +
> 
> +  This function performs Hash digest on a data buffer of the specified size.
> 
> +  It can be called multiple times to compute the digest of long or 
> discontinuous
> data streams.
> 
> +  Hash context should be already correctly initialized by HashInit(), and 
> should
> not be finalized
> 
> +  by HashFinal(). Behavior with invalid context is undefined.
> 
> +
> 
> +  If HashContext is NULL, then return FALSE.
> 
> +  If this interface is not supported, then return FALSE.
> 
> +
> 
> +  @param[in, out]  HashContext  Pointer to the Hash context.
> 
> +  @param[in]   Data Pointer to the buffer containing the data to 
> be
> hashed.
> 
> +  @param[in]   DataSize Size of Data buffer in bytes.
> 
> +
> 
> +  @retval TRUE   SHA-1 data digest succeeded.
> 
> +  @retval FALSE  SHA-1 data digest failed.
> 
> +  @retval FALSE  This interface is not supported.
> 
> +
> 
> +**/
> 
> +typedef
> 
> +BOOLEAN
> 
> +(EFIAPI *EFI_HASH_UPDATE)(
> 
> +  IN OUT  VOID*HashContext,
> 
> +  IN  CONST VOID  *Data,
> 
> +  IN  UINTN   DataSize
> 
> +  );
> 
> +
> 
> +/**
> 
> +  Completes computation of the Hash digest value.
> 
> +
> 
> +  This function completes hash computation and retrieves the digest value 
> into
> 
> +  the specified memory. After this function has been called, the Hash context
> cannot
> 
> +  be used again.
> 
> +  Hash context should be already correctly initialized by HashInit(), and 
> should
> not be
> 
> +  finalized by HashFinal(). Behavior with invalid Hash context is undefined.
> 
> +
> 
> +  If HashContext is NULL, then return FALSE.
> 
> +  If HashValue is NULL, then return FALSE.
> 
> +  If this interface is not supported, then return FALSE.
> 
> +
> 
> +  @param[in, out]  HashContext  Pointer to the Hash context.
> 
> +  @param[out]  HashValuePointer to a buffer that receives the Hash 
> digest
> 
> +value.
> 
> +
> 
> +  @retval TRUE   Hash digest computation succeeded.
> 
> +  @retval FALSE  Hash digest computation failed.
> 
> +  @retval FALSE  This interface is not supported.
> 
> +
> 
> +**/
> 
> +typedef
> 
> +BOOLEAN
> 
> +(EFIAPI *EFI_HASH_FINAL)(
> 
> +  IN OUT  VOID   *HashContext,
> 
> +  OUT UINT8  *HashValue
> 
> +  );
> 
> +
> 
> +typedef struct {
> 
> +  UINT32   HashSize;
> 
> +  EFI_HASH_GET_CONTEXT_SIZE

[edk2-devel] [PATCH V5 3/3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384

2023-07-26 Thread Sheng Wei 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413

Cc: Jiewen Yao 
Cc: Jian J Wang 
Cc: Min Xu 
Cc: Zeyi Chen 
Cc: Fiona Wang 
Signed-off-by: Sheng Wei 
---
 .../Library/AuthVariableLib/AuthService.c | 220 +++---
 .../AuthVariableLib/AuthServiceInternal.h |   4 +-
 .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
 .../DxeImageVerificationLib.c |  73 +++---
 .../SecureBootConfigDxe.inf   |  16 ++
 .../SecureBootConfigImpl.c| 114 +++--
 .../SecureBootConfigImpl.h|   7 +
 .../SecureBootConfigStrings.uni   |   6 +
 8 files changed, 391 insertions(+), 91 deletions(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c 
b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index d81c581d78..4c268a85cd 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -29,12 +29,125 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include 
 #include 
 
+#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE
+
+/**
+  Retrieves the size, in bytes, of the context buffer required for hash 
operations.
+
+  If this interface is not supported, then return zero.
+
+  @return  The size, in bytes, of the context buffer required for hash 
operations.
+  @retval  0   This interface is not supported.
+
+**/
+typedef
+UINTN
+(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE)(
+  VOID
+  );
+
+/**
+  Initializes user-supplied memory pointed by Sha1Context as hash context for
+  subsequent use.
+
+  If HashContext is NULL, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[out]  HashContext  Pointer to Hashcontext being initialized.
+
+  @retval TRUE   Hash context initialization succeeded.
+  @retval FALSE  Hash context initialization failed.
+  @retval FALSE  This interface is not supported.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EFI_HASH_INIT)(
+  OUT  VOID  *HashContext
+  );
+
+/**
+  Digests the input data and updates Hash context.
+
+  This function performs Hash digest on a data buffer of the specified size.
+  It can be called multiple times to compute the digest of long or 
discontinuous data streams.
+  Hash context should be already correctly initialized by HashInit(), and 
should not be finalized
+  by HashFinal(). Behavior with invalid context is undefined.
+
+  If HashContext is NULL, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[in, out]  HashContext  Pointer to the Hash context.
+  @param[in]   Data Pointer to the buffer containing the data to 
be hashed.
+  @param[in]   DataSize Size of Data buffer in bytes.
+
+  @retval TRUE   SHA-1 data digest succeeded.
+  @retval FALSE  SHA-1 data digest failed.
+  @retval FALSE  This interface is not supported.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EFI_HASH_UPDATE)(
+  IN OUT  VOID*HashContext,
+  IN  CONST VOID  *Data,
+  IN  UINTN   DataSize
+  );
+
+/**
+  Completes computation of the Hash digest value.
+
+  This function completes hash computation and retrieves the digest value into
+  the specified memory. After this function has been called, the Hash context 
cannot
+  be used again.
+  Hash context should be already correctly initialized by HashInit(), and 
should not be
+  finalized by HashFinal(). Behavior with invalid Hash context is undefined.
+
+  If HashContext is NULL, then return FALSE.
+  If HashValue is NULL, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[in, out]  HashContext  Pointer to the Hash context.
+  @param[out]  HashValuePointer to a buffer that receives the Hash 
digest
+value.
+
+  @retval TRUE   Hash digest computation succeeded.
+  @retval FALSE  Hash digest computation failed.
+  @retval FALSE  This interface is not supported.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EFI_HASH_FINAL)(
+  IN OUT  VOID   *HashContext,
+  OUT UINT8  *HashValue
+  );
+
+typedef struct {
+  UINT32   HashSize;
+  EFI_HASH_GET_CONTEXT_SIZEGetContextSize;
+  EFI_HASH_INITInit;
+  EFI_HASH_UPDATE  Update;
+  EFI_HASH_FINAL   Final;
+  VOID **HashShaCtx;
+  UINT8*OidValue;
+  UINTNOidLength;
+} EFI_HASH_INFO;
+
 //
 // Public Exponent of RSA Key.
 //
 CONST UINT8  mRsaE[] = { 0x01, 0x00, 0x01 };
 
-CONST UINT8  mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 
0x02, 0x01 };
+UINT8  mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 
0x01 };
+UINT8  mSha384OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 
0x02 };
+UINT8  mSha512OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 
0x03 };
+
+EFI_HASH_INFO  mHashInfo[] = {
+  {SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, 
Sha256Final, &mHashSha256Ctx, m