Re: [edk2-devel] [PATCH V5 3/3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
Reviewed-by: Jiewen Yao > -Original Message- > From: Sheng, W > Sent: Thursday, July 27, 2023 2:35 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Wang, Jian J ; > Xu, Min M ; Chen, Zeyi ; Wang, > Fiona > Subject: [PATCH V5 3/3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413 > > Cc: Jiewen Yao > Cc: Jian J Wang > Cc: Min Xu > Cc: Zeyi Chen > Cc: Fiona Wang > Signed-off-by: Sheng Wei > --- > .../Library/AuthVariableLib/AuthService.c | 220 +++--- > .../AuthVariableLib/AuthServiceInternal.h | 4 +- > .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++-- > .../DxeImageVerificationLib.c | 73 +++--- > .../SecureBootConfigDxe.inf | 16 ++ > .../SecureBootConfigImpl.c| 114 +++-- > .../SecureBootConfigImpl.h| 7 + > .../SecureBootConfigStrings.uni | 6 + > 8 files changed, 391 insertions(+), 91 deletions(-) > > diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c > b/SecurityPkg/Library/AuthVariableLib/AuthService.c > index d81c581d78..4c268a85cd 100644 > --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c > +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c 
> @@ -29,12 +29,125 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #include > > #include > > > > +#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE > > + > > +/** > > + Retrieves the size, in bytes, of the context buffer required for hash > operations. > > + > > + If this interface is not supported, then return zero. > > + > > + @return The size, in bytes, of the context buffer required for hash > operations. > > + @retval 0 This interface is not supported. > > + > > +**/ > > +typedef > > +UINTN > > +(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE)( > > + VOID > > + ); > > + > > +/** > > + Initializes user-supplied memory pointed by Sha1Context as hash context for > > + subsequent use. > > + > > + If HashContext is NULL, then return FALSE. > > + If this interface is not supported, then return FALSE. > > + > > + @param[out] HashContext Pointer to Hashcontext being initialized. > > + > > + @retval TRUE Hash context initialization succeeded. > > + @retval FALSE Hash context initialization failed. > > + @retval FALSE This interface is not supported. > > + > > +**/ > > +typedef > > +BOOLEAN > > +(EFIAPI *EFI_HASH_INIT)( > > + OUT VOID *HashContext > > + ); > > + > > +/** > > + Digests the input data and updates Hash context. > > + > > + This function performs Hash digest on a data buffer of the specified size. > > + It can be called multiple times to compute the digest of long or > discontinuous > data streams. > > + Hash context should be already correctly initialized by HashInit(), and > should > not be finalized > > + by HashFinal(). Behavior with invalid context is undefined. > > + > > + If HashContext is NULL, then return FALSE. > > + If this interface is not supported, then return FALSE. > > + > > + @param[in, out] HashContext Pointer to the Hash context. > > + @param[in] Data Pointer to the buffer containing the data to > be > hashed. > > + @param[in] DataSize Size of Data buffer in bytes. > > + > > + @retval TRUE SHA-1 data digest succeeded. 
> > + @retval FALSE SHA-1 data digest failed. > > + @retval FALSE This interface is not supported. > > + > > +**/ > > +typedef > > +BOOLEAN > > +(EFIAPI *EFI_HASH_UPDATE)( > > + IN OUT VOID*HashContext, > > + IN CONST VOID *Data, > > + IN UINTN DataSize > > + ); > > + > > +/** > > + Completes computation of the Hash digest value. > > + > > + This function completes hash computation and retrieves the digest value > into > > + the specified memory. After this function has been called, the Hash context > cannot > > + be used again. > > + Hash context should be already correctly initialized by HashInit(), and > should > not be > > + finalized by HashFinal(). Behavior with invalid Hash context is undefined. > > + > > + If HashContext is NULL, then return FALSE. > > + If HashValue is NULL, then return FALSE. > > + If this interface is not supported, then return FALSE. > > + > > + @param[in, out] HashContext Pointer to the Hash context. > > + @param[out] HashValuePointer to a buffer that receives the Hash > digest > > +value. > > + > > + @retval TRUE Hash digest computation succeeded. > > + @retval FALSE Hash digest computation failed. > > + @retval FALSE This interface is not supported. > > + > > +**/ > > +typedef > > +BOOLEAN > > +(EFIAPI *EFI_HASH_FINAL)( > > + IN OUT VOID *HashContext, > > + OUT UINT8 *HashValue > > + ); > > + > > +typedef struct { > > + UINT32 HashSize; > > + EFI_HASH_GET_CONTEXT_SIZE
[edk2-devel] [PATCH V5 3/3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413
Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Cc: Zeyi Chen
Cc: Fiona Wang
Signed-off-by: Sheng Wei
---
 .../Library/AuthVariableLib/AuthService.c | 220 +++--
 .../AuthVariableLib/AuthServiceInternal.h | 4 +-
 .../Library/AuthVariableLib/AuthVariableLib.c | 42 ++--
 .../DxeImageVerificationLib.c | 73 +++---
 .../SecureBootConfigDxe.inf | 16 ++
 .../SecureBootConfigImpl.c| 114 +++--
 .../SecureBootConfigImpl.h| 7 +
 .../SecureBootConfigStrings.uni | 6 +
 8 files changed, 391 insertions(+), 91 deletions(-)
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index d81c581d78..4c268a85cd 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -29,12 +29,125 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include
 #include
+#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE
+
+/**
+ Retrieves the size, in bytes, of the context buffer required for hash operations.
+
+ If this interface is not supported, then return zero.
+
+ @return The size, in bytes, of the context buffer required for hash operations.
+ @retval 0 This interface is not supported.
+
+**/
+typedef
+UINTN
+(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE)(
+ VOID
+ );
+
+/**
+ Initializes user-supplied memory pointed by Sha1Context as hash context for
+ subsequent use.
+
+ If HashContext is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[out] HashContext Pointer to Hashcontext being initialized.
+
+ @retval TRUE Hash context initialization succeeded.
+ @retval FALSE Hash context initialization failed.
+ @retval FALSE This interface is not supported.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EFI_HASH_INIT)(
+ OUT VOID *HashContext
+ );
+
+/**
+ Digests the input data and updates Hash context.
+
+ This function performs Hash digest on a data buffer of the specified size.
+ It can be called multiple times to compute the digest of long or discontinuous data streams.
+ Hash context should be already correctly initialized by HashInit(), and should not be finalized
+ by HashFinal(). Behavior with invalid context is undefined.
+
+ If HashContext is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in, out] HashContext Pointer to the Hash context.
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval TRUE SHA-1 data digest succeeded.
+ @retval FALSE SHA-1 data digest failed.
+ @retval FALSE This interface is not supported.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EFI_HASH_UPDATE)(
+ IN OUT VOID*HashContext,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ );
+
+/**
+ Completes computation of the Hash digest value.
+
+ This function completes hash computation and retrieves the digest value into
+ the specified memory. After this function has been called, the Hash context cannot
+ be used again.
+ Hash context should be already correctly initialized by HashInit(), and should not be
+ finalized by HashFinal(). Behavior with invalid Hash context is undefined.
+
+ If HashContext is NULL, then return FALSE.
+ If HashValue is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in, out] HashContext Pointer to the Hash context.
+ @param[out] HashValuePointer to a buffer that receives the Hash digest
+value.
+
+ @retval TRUE Hash digest computation succeeded.
+ @retval FALSE Hash digest computation failed.
+ @retval FALSE This interface is not supported.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EFI_HASH_FINAL)(
+ IN OUT VOID *HashContext,
+ OUT UINT8 *HashValue
+ );
+
+typedef struct {
+ UINT32 HashSize;
+ EFI_HASH_GET_CONTEXT_SIZEGetContextSize;
+ EFI_HASH_INITInit;
+ EFI_HASH_UPDATE Update;
+ EFI_HASH_FINAL Final;
+ VOID **HashShaCtx;
+ UINT8*OidValue;
+ UINTNOidLength;
+} EFI_HASH_INFO;
+
 //
 // Public Exponent of RSA Key.
 //
 CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };
-CONST UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
+UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
+UINT8 mSha384OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 };
+UINT8 mSha512OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 };
+
+EFI_HASH_INFO mHashInfo[] = {
+ {SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final, &mHashSha256Ctx, m