[edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096

Sheng Wei w.sheng at intel.com
Mon Aug 7 09:17:46 UTC 2023


Hi Jiewen,
I removed the new GUIDs.
I use signature type gEfiCertX509Guid when enrolling an RSA3072/RSA4096 KEK.
This signature type is used in the 6 places below.
1) Show key name string in KEK delete page            UpdateDeletePage()
2) Check supported SignatureType when deleting KEK    DeleteKeyExchangeKey()
3) Check supported SignatureType when deleting KEK    DeleteSignature()
4) Show key name when loading the Signature           LoadSignatureList()
5) Show help info string when loading the Signature   FormatHelpInfo()
6) Check supported SignatureType                      CheckSignatureListFormat()

There is no need to change MdePkg.
All the changes are in CryptoPkg and SecurityPkg.
I did the local unit test and raised patch v6.
Could you help to review/merge the patches?

Thank you
BR
Sheng Wei
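The six call sites above all reduce to a per-type format check on an EFI_SIGNATURE_LIST. The following C program is an added example (not code from this patch series or from edk2's SecurityPkg) that shows why no new type GUID is needed: raw SHA-256 and RSA-2048 entries have a payload length fixed by their type GUID, whereas an X.509 entry's DER certificate carries its own key size, so an RSA3072/RSA4096 KEK can be enrolled under gEfiCertX509Guid. The function names check_signature_list and demo_case, the 1024-byte scratch buffer and the 0xAB dummy payload are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EFI_GUID and the 28-byte EFI_SIGNATURE_LIST header as in the UEFI spec: SignatureListSize
 * covers header + SignatureHeader + entries; SignatureSize is one entry (16-byte owner + data). */
typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } EFI_GUID;
typedef struct { EFI_GUID SignatureType; uint32_t SignatureListSize, SignatureHeaderSize, SignatureSize; } EFI_SIGNATURE_LIST;
#define SIG_OWNER_SIZE 16u
/* Spec GUIDs; the SHA-256 and RSA-2048 values also appear in the quoted MdePkg.dec hunk. */
static const EFI_GUID gEfiCertSha256Guid  = { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28} };
static const EFI_GUID gEfiCertRsa2048Guid = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} };
static const EFI_GUID gEfiCertX509Guid    = { 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} };
static int guid_eq(const EFI_GUID *a, const EFI_GUID *b) { return memcmp(a, b, sizeof(EFI_GUID)) == 0; }
/* Returns 1 if the list at Buf is well formed for its SignatureType, else 0. */
int check_signature_list(const uint8_t *Buf, size_t BufLen) {
  EFI_SIGNATURE_LIST Hdr;
  if (BufLen < sizeof(Hdr)) return 0;
  memcpy(&Hdr, Buf, sizeof(Hdr));
  /* Checks every type needs: sizes stay inside the buffer and entries divide evenly. */
  if (Hdr.SignatureListSize < sizeof(Hdr) || Hdr.SignatureListSize > BufLen) return 0;
  if (Hdr.SignatureHeaderSize > Hdr.SignatureListSize - sizeof(Hdr)) return 0;
  uint32_t Body = Hdr.SignatureListSize - (uint32_t)sizeof(Hdr) - Hdr.SignatureHeaderSize;
  if (Hdr.SignatureSize <= SIG_OWNER_SIZE || Body == 0 || Body % Hdr.SignatureSize != 0) return 0;
  /* Raw types: the type GUID alone fixes the payload (32-byte hash, 256-byte modulus). */
  if (guid_eq(&Hdr.SignatureType, &gEfiCertSha256Guid))
    return Hdr.SignatureHeaderSize == 0 && Hdr.SignatureSize == SIG_OWNER_SIZE + 32;
  if (guid_eq(&Hdr.SignatureType, &gEfiCertRsa2048Guid))
    return Hdr.SignatureHeaderSize == 0 && Hdr.SignatureSize == SIG_OWNER_SIZE + 256;
  /* X.509: the DER certificate carries its own key size, so an RSA-3072 or
   * RSA-4096 KEK entry fits this type without a new type GUID. */
  if (guid_eq(&Hdr.SignatureType, &gEfiCertX509Guid)) return Hdr.SignatureHeaderSize == 0;
  return 0; /* any other SignatureType is rejected */
}

/* Build a constructed one-entry list (dummy owner + 0xAB payload) and check it; -1 if it does not fit. */
int demo_case(const EFI_GUID *Type, uint32_t SigSize) {
  static uint8_t Buf[1024];
  EFI_SIGNATURE_LIST Hdr = { .SignatureType = *Type, .SignatureListSize = (uint32_t)sizeof(EFI_SIGNATURE_LIST) + SigSize, .SignatureSize = SigSize };
  if (Hdr.SignatureListSize > sizeof(Buf)) return -1;
  memcpy(Buf, &Hdr, sizeof(Hdr));
  memset(Buf + sizeof(Hdr), 0xAB, SigSize);
  return check_signature_list(Buf, Hdr.SignatureListSize);
}

int main(void) {
  printf("raw RSA-2048, 16+256 bytes: %d\n", demo_case(&gEfiCertRsa2048Guid, 16 + 256)); /* 1 */
  printf("raw RSA-2048, 16+384 bytes: %d\n", demo_case(&gEfiCertRsa2048Guid, 16 + 384)); /* 0 */
  printf("X.509, 16+700 bytes:        %d\n", demo_case(&gEfiCertX509Guid, 16 + 700));    /* 1 */
  return 0;
}
```

The second call shows what a new raw RSA-3072 type would have had to add: a 384-byte modulus is rejected under the RSA-2048 GUID, while the X.509 path accepts any entry size the list's own SignatureSize declares.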

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao at intel.com>
> Sent: August 3, 2023 16:13
> To: Sheng, W <w.sheng at intel.com>; Gao, Liming
> <gaoliming at byosoft.com.cn>; devel at edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang at intel.com>; Xu, Min M <min.m.xu at intel.com>;
> Chen, Zeyi <zeyi.chen at intel.com>; Wang, Fiona <fiona.wang at intel.com>;
> Lu, Xiaoyu1 <xiaoyu1.lu at intel.com>; Jiang, Guomin
> <guomin.jiang at intel.com>; Kinney, Michael D <michael.d.kinney at intel.com>
> Subject: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> CERT_RSA3072 and CERT_RSA4096
> 
> Hey,
> We cannot add anything not defined in the UEFI spec yet. Thanks to Liming for
> catching that.
> 
> Can you remove CERT_RSA3072 and CERT_RSA4096?
> 
> I think we need to use EFI_CERT_TYPE_PKCS7_GUID + EFI_CERT_X509_GUID
> to support RSA3072 and RSA4096.
> Have you validated that configuration?
> 
> 
> > -----Original Message-----
> > From: Sheng, W <w.sheng at intel.com>
> > Sent: Thursday, August 3, 2023 3:29 PM
> > To: Gao, Liming <gaoliming at byosoft.com.cn>; devel at edk2.groups.io
> > Cc: Yao, Jiewen <jiewen.yao at intel.com>; Wang, Jian J
> > <jian.j.wang at intel.com>; Xu, Min M <min.m.xu at intel.com>; Chen, Zeyi
> > <zeyi.chen at intel.com>; Wang, Fiona <fiona.wang at intel.com>; Lu, Xiaoyu1
> > <xiaoyu1.lu at intel.com>; Jiang, Guomin <guomin.jiang at intel.com>;
> > Kinney, Michael D <michael.d.kinney at intel.com>
> > Subject: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> > CERT_RSA3072 and CERT_RSA4096
> >
> > Hi Liming,
> > Sorry for the late response.
> > The two new GUIDs are not in the public UEFI spec yet.
> > Do we have any process to add these 2 new GUIDs?
> > Thank you.
> > BR
> > Sheng Wei
> >
> >
> >
> > > -----Original Message-----
> > > From: gaoliming <gaoliming at byosoft.com.cn>
> > > Sent: August 2, 2023 17:12
> > > To: Sheng, W <w.sheng at intel.com>; devel at edk2.groups.io
> > > Cc: Yao, Jiewen <jiewen.yao at intel.com>; Wang, Jian J
> > > <jian.j.wang at intel.com>; Xu, Min M <min.m.xu at intel.com>; Chen, Zeyi
> > > <zeyi.chen at intel.com>; Wang, Fiona <fiona.wang at intel.com>; Lu,
> > > Xiaoyu1 <xiaoyu1.lu at intel.com>; Jiang, Guomin
> > > <guomin.jiang at intel.com>; Kinney, Michael D
> > > <michael.d.kinney at intel.com>
> > > Subject: Re: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID
> > > for CERT_RSA3072 and CERT_RSA4096
> > >
> > > Sheng Wei:
> > >   I gave my comments on patch 1/3 this morning. Have you got
> > > my response?
> > >
> > >   I just want to confirm whether these two new GUIDs are in the
> > > public UEFI spec or not.
> > >
> > > Thanks
> > > Liming
> > > > -----Original Message-----
> > > > From: Sheng, W <w.sheng at intel.com>
> > > > Sent: August 2, 2023 16:04
> > > > To: devel at edk2.groups.io; Gao, Liming
> > > > <gaoliming at byosoft.com.cn>
> > > > Cc: Yao, Jiewen <jiewen.yao at intel.com>; Wang, Jian J
> > > > <jian.j.wang at intel.com>; Xu, Min M <min.m.xu at intel.com>; Chen,
> > > > Zeyi <zeyi.chen at intel.com>; Wang, Fiona <fiona.wang at intel.com>;
> > > > Lu, Xiaoyu1 <xiaoyu1.lu at intel.com>; Jiang, Guomin
> > > > <guomin.jiang at intel.com>; Kinney, Michael D
> > > > <michael.d.kinney at intel.com>
> > > > Subject: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> > > > CERT_RSA3072 and CERT_RSA4096
> > > >
> > > > Hi Gao, Liming,
> > > > For this patch group, we have got Reviewed-by from Yao, Jiewen on
> > > > patch 2/3 (CryptoPkg) and patch 3/3 (SecurityPkg).
> > > > Do you have any comments on patch 1/3 (MdePkg)?
> > > > Patch 1/3 is only to add 2 new GUIDs.
> > > > Could you help to merge it?
> > > >
> > > > Thank you.
> > > > BR
> > > > Sheng Wei
> > > >
> > > > > -----Original Message-----
> > > > > From: Sheng, W
> > > > > Sent: July 31, 2023 10:02
> > > > > To: 'devel at edk2.groups.io' <devel at edk2.groups.io>; Gao, Liming
> > > > > <gaoliming at byosoft.com.cn>
> > > > > Cc: Yao, Jiewen <jiewen.yao at intel.com>; Wang, Jian J
> > > > > <jian.j.wang at intel.com>; Xu, Min M <min.m.xu at intel.com>; Chen,
> > > > > Zeyi <Zeyi.Chen at intel.com>; Wang, Fiona <fiona.wang at intel.com>;
> > > > > Lu, Xiaoyu1 <xiaoyu1.lu at intel.com>; Jiang, Guomin
> > > > > <Guomin.Jiang at intel.com>; Kinney, Michael D
> > > > > <michael.d.kinney at intel.com>
> > > > > Subject: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add
> > > > > GUID for CERT_RSA3072 and CERT_RSA4096
> > > > >
> > > > > Hi Gao, Liming,
> > > > > Could you help to review and merge this patch to MdePkg?
> > > > > This patch is only to add 2 new GUIDs.
> > > > > These 2 GUIDs will be used for adding RSA3072/RSA4096 cert
> > > > > support for the secure boot feature.
> > > > > Thank you.
> > > > > BR
> > > > > Sheng Wei
> > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf
> > > > > > > Of Sheng Wei
> > > > > > > Sent: July 27, 2023 14:35
> > > > > > > To: devel at edk2.groups.io
> > > > > > > Cc: Yao, Jiewen <jiewen.yao at intel.com>; Wang, Jian J
> > > > > > > <jian.j.wang at intel.com>; Xu, Min M <min.m.xu at intel.com>;
> > > > > > > Chen, Zeyi <zeyi.chen at intel.com>; Wang, Fiona
> > > > > > > <fiona.wang at intel.com>; Lu,
> > > > > > > Xiaoyu1 <xiaoyu1.lu at intel.com>; Jiang, Guomin
> > > > > > > <guomin.jiang at intel.com>; Kinney, Michael D
> > > > > > > <michael.d.kinney at intel.com>; Gao, Liming
> > > > > > > <gaoliming at byosoft.com.cn>
> > > > > > > Subject: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add
> > > > > > > GUID for CERT_RSA3072 and CERT_RSA4096
> > > > > > >
> > > > > > > Add gEfiCertRsa3072Guid and gEfiCertRsa4096Guid
> > > > > > >
> > > > > > > Cc: Jiewen Yao <jiewen.yao at intel.com>
> > > > > > > Cc: Jian J Wang <jian.j.wang at intel.com>
> > > > > > > Cc: Min Xu <min.m.xu at intel.com>
> > > > > > > Cc: Zeyi Chen <zeyi.chen at intel.com>
> > > > > > > Cc: Fiona Wang <fiona.wang at intel.com>
> > > > > > > Cc: Xiaoyu Lu <xiaoyu1.lu at intel.com>
> > > > > > > Cc: Guomin Jiang <guomin.jiang at intel.com>
> > > > > > > Cc: Michael D Kinney <michael.d.kinney at intel.com>
> > > > > > > Cc: Liming Gao <gaoliming at byosoft.com.cn>
> > > > > > > Signed-off-by: Sheng Wei <w.sheng at intel.com>
> > > > > > > ---
> > > > > > >  MdePkg/Include/Guid/ImageAuthentication.h | 26
> > > > > > > +++++++++++++++++++++++
> > > > > > >  MdePkg/MdePkg.dec                         |  2 ++
> > > > > > >  2 files changed, 28 insertions(+)
> > > > > > >
> > > > > > > diff --git a/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > > > b/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > > > index fe83596571..c8ea2c14fb 100644
> > > > > > > --- a/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > > > +++ b/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > > > @@ -144,6 +144,30 @@ typedef struct {
> > > > > > >      0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77,
> > > > > > > 0x6e,
> > > 0x85,
> > > > 0xb3,
> > > > > > > 0xb6} \   } +///+/// This identifies a signature containing an
> > > RSA-3072
> > > > key.
> > > > > > The
> > > > > > > key (only the modulus+/// since the public key exponent is
> > > > > > > known to be
> > > > > > > 0x10001) shall be stored in big-endian+/// order.+/// The
> > > > > > > SignatureHeader size shall always be 0. The SignatureSize
> > > > > > > shall always be 16 (size+/// of SignatureOwner component) +
> > > > > > > 384
> > > > > bytes.+///+#define
> > > > > > > EFI_CERT_RSA3072_GUID \+  { \+    0xedd320c2, 0xb057, 0x4b8e,
> > > > {0xad,
> > > > > > 0x46,
> > > > > > > 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 } \+  }++///+/// This
> > > > > > > identifies a signature containing an RSA-4096 key. The key
> > > > > > > (only the
> > > > > > > modulus+/// since the public key exponent is known to be
> > > > > > > modulus+0x10001)
> > > > > > > shall be stored in big-endian+/// order.+/// The
> > > > > > > SignatureHeader size shall always be 0. The SignatureSize
> > > > > > > shall always be 16 (size+/// of SignatureOwner
> > > > > > component) + 512
> > > > > > > bytes.+///+#define EFI_CERT_RSA4096_GUID \+  { \+
> > > > 0xb23e89a6,
> > > > > 0x8c8b,
> > > > > > > 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c } \+
> > > > > > > }+ /// /// This identifies a signature containing a RSA-2048
> > > > > > > signature of a
> > > > > > > SHA-256 hash.  The /// SignatureHeader size shall always be 0.
> > > > > > > The SignatureSize shall always be
> > > > > > > 16 (size of@@ -330,6 +354,8 @@ typedef struct {  extern
> > > > > > > EFI_GUID gEfiImageSecurityDatabaseGuid; extern EFI_GUID
> > > > > > > gEfiCertSha256Guid; extern EFI_GUID
> > > > > > > gEfiCertRsa2048Guid;+extern EFI_GUID
> > > > > > > gEfiCertRsa3072Guid;+extern EFI_GUID gEfiCertRsa4096Guid;
> > > > > > > extern EFI_GUID  gEfiCertRsa2048Sha256Guid; extern EFI_GUID
> > > > > > > gEfiCertSha1Guid; extern EFI_GUID
> > > > > > > gEfiCertRsa2048Sha1Guid;diff --git a/MdePkg/MdePkg.dec
> > > > > > > b/MdePkg/MdePkg.dec index
> > > > > > > b85614992b..24e4779d33 100644
> > > > > > > --- a/MdePkg/MdePkg.dec
> > > > > > > +++ b/MdePkg/MdePkg.dec
> > > > > > > @@ -581,6 +581,8 @@
> > > > > > >    gEfiImageSecurityDatabaseGuid  = { 0xd719b2cb, 0x3d3a,
> > > > > > > 0x4596,
> > > > {0xa3,
> > > > > > > 0xbc, 0xda, 0xd0,  0xe, 0x67, 0x65, 0x6f }}   gEfiCertSha256Guid
> > > > =
> > > > > > > { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36,
> > > > > > > 0x93, 0x43,
> > > > > > 0x28 }}
> > > > > > > gEfiCertRsa2048Guid            = { 0x3c5766e8, 0x269c, 0x4e34,
> > > > {0xaa, 0x14,
> > > > > > 0xed,
> > > > > > > 0x77, 0x6e, 0x85, 0xb3, 0xb6 }}+  gEfiCertRsa3072Guid            =
> > > > > { 0xedd320c2,
> > > > > > > 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }}+
> > > > > > > gEfiCertRsa4096Guid            = { 0xb23e89a6, 0x8c8b, 0x4412,
> > > > {0x85, 0x73,
> > > > > > 0x15,
> > > > > > > 0x4e, 0x8d, 0x00, 0x98, 0x2c }}   gEfiCertRsa2048Sha256Guid      =
> > > > > > { 0xe2b36190,
> > > > > > > 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }}
> > > > > > > gEfiCertSha1Guid               = { 0x826ca512, 0xcf10, 0x4ac9,
> > > > {0xb1, 0x87, 0xbe,
> > > > > > > 0x1, 0x49, 0x66, 0x31, 0xbd }}   gEfiCertRsa2048Sha1Guid        =
> > > > > { 0x67f8444f,
> > > > > > > 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60,
> > > > > > > 0x80
> > > > > > > }}--
> > > > > > > 2.26.2.windows.1
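Review bot: the @@ -144 hunk in ImageAuthentication.h defines EFI_CERT_RSA3072_GUID and EFI_CERT_RSA4096_GUID without citing the UEFI spec revision that assigns them, and the thread establishes that no published spec does; since MdePkg headers mirror the spec, either cite the defining section in the comment block or keep the definitions out of MdePkg (as v6 does, keying RSA3072/RSA4096 KEK entries on gEfiCertX509Guid instead). Two smaller points in the same hunk: the RSA-4096 comment reads "known to be modulus+0x10001)" where the RSA-3072 one reads "known to be 0x10001)", so drop the stray "modulus" if it is in the patch rather than a mail-wrapping artifact; and since the comments fix the exponent at 0x10001 and the entry size at 16 + 384 and 16 + 512 bytes, any consumer of these types would have to reject an entry whose SignatureSize differs, because the raw-modulus format carries no length of its own.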
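Review bot: the MdePkg.dec hunk (@@ -581) publishes gEfiCertRsa3072Guid and gEfiCertRsa4096Guid to every platform that builds against MdePkg, yet per the thread these GUID values are not assigned by any published UEFI spec; a privately chosen value in the shared .dec can later collide with whatever the spec assigns, and a signature database written with it would not be portable across firmware that follows the spec. Hold the .dec entries until the spec publishes them, or keep them in the package that consumes them; the values themselves do match the header definitions byte for byte.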



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107614): https://edk2.groups.io/g/devel/message/107614
Mute This Topic: https://groups.io/mt/100521910/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-

