diff options
author | Jiaqi Gao <jiaqi.gao@intel.com> | 2021-04-26 12:31:15 +0800 |
---|---|---|
committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2021-04-26 16:24:32 +0000 |
commit | 5396354b868bd6652600a654bba7df16701ac1cb (patch) | |
tree | adbd75ce839b10914da913b3db02f5635276d3d3 /SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h | |
parent | f2f4c6be2dba3f8e97ac544b9c3da71e9f81b294 (diff) | |
download | edk2-5396354b868bd6652600a654bba7df16701ac1cb.tar.gz edk2-5396354b868bd6652600a654bba7df16701ac1cb.tar.bz2 edk2-5396354b868bd6652600a654bba7df16701ac1cb.zip |
SecurityPkg: Add constraints on PK strength
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3293
Add constraints on the key strength of enrolled platform key(PK), which
must be greater than or equal to 2048 bit. PK key strength is required
by Intel SDL and MSFT, etc. This limitation prevents user from using
weak keys as PK.
The original code to check the certificate file type is placed in a new
function CheckX509Certificate(), which checks if the X.509 certificate
meets the requirements of encode type, RSA-Key strengh, etc.
Cc: Min Xu <min.m.xu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Jiaqi Gao <jiaqi.gao@intel.com>
Reviewed-by: Min Xu <min.m.xu@intel.com>
Acked-by: Jiewen Yao <jiewen.yao@intel.com>
Diffstat (limited to 'SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h')
-rw-r--r-- | SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h index 1fafae07ac..268f015e8e 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h @@ -93,6 +93,27 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; #define HASHALG_RAW 0x00000004
#define HASHALG_MAX 0x00000004
+//
+// Certificate public key minimum size (bytes)
+//
+#define CER_PUBKEY_MIN_SIZE 256
+
+//
+// Types of errors may occur during certificate enrollment.
+//
+typedef enum {
+ None_Error = 0,
+ //
+ // Unsupported_type indicates the certificate type is not supported.
+ //
+ Unsupported_Type,
+ //
+ // Unqualified_key indicates the key strength of certificate is not
+ // strong enough.
+ //
+ Unqualified_Key,
+ Enroll_Error_Max
+}ENROLL_KEY_ERROR;
typedef struct {
UINTN Signature;
|