SecurityPkg/SecureBoot: Support RSA4096 and RSA3072

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Zeyi Chen <zeyi.chen@intel.com>
Cc: Fiona Wang <fiona.wang@intel.com>
Signed-off-by: Sheng Wei <w.sheng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

4 files changed, 64 insertions, 5 deletions

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
index 1671d5be7c..0602acf702 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
@@ -82,6 +82,14 @@
   ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.

   gEfiCertSha256Guid

 

+  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the signature.

+  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.

+  gEfiCertSha384Guid

+

+  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the signature.

+  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.

+  gEfiCertSha512Guid

+

   ## SOMETIMES_CONSUMES      ## Variable:L"db"

   ## SOMETIMES_PRODUCES      ## Variable:L"db"

   ## SOMETIMES_CONSUMES      ## Variable:L"dbx"

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index 0e31502b1b..2c11129526 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -1847,7 +1847,7 @@ HashPeImage (
   SectionHeader = NULL;

   Status        = FALSE;

 

-  if (HashAlg != HASHALG_SHA256) {

+  if ((HashAlg >= HASHALG_MAX)) {

     return FALSE;

   }

 

@@ -1856,8 +1856,25 @@ HashPeImage (
   //

   ZeroMem (mImageDigest, MAX_DIGEST_SIZE);

 

-  mImageDigestSize = SHA256_DIGEST_SIZE;

-  mCertType        = gEfiCertSha256Guid;

+  switch (HashAlg) {

+    case HASHALG_SHA256:

+      mImageDigestSize = SHA256_DIGEST_SIZE;

+      mCertType        = gEfiCertSha256Guid;

+      break;

+

+    case HASHALG_SHA384:

+      mImageDigestSize = SHA384_DIGEST_SIZE;

+      mCertType        = gEfiCertSha384Guid;

+      break;

+

+    case HASHALG_SHA512:

+      mImageDigestSize = SHA512_DIGEST_SIZE;

+      mCertType        = gEfiCertSha512Guid;

+      break;

+

+    default:

+      return FALSE;

+  }

 

   CtxSize = mHash[HashAlg].GetContextSize ();

 

@@ -2251,6 +2268,7 @@ EnrollImageSignatureToSigDB (
   UINT32                     Attr;

   WIN_CERTIFICATE_UEFI_GUID  *GuidCertData;

   EFI_TIME                   Time;

+  UINT32                     HashAlg;

 

   Data         = NULL;

   GuidCertData = NULL;

@@ -2289,8 +2307,22 @@ EnrollImageSignatureToSigDB (
   }

 

   if (mSecDataDir->SizeOfCert == 0) {

-    if (!HashPeImage (HASHALG_SHA256)) {

-      Status =  EFI_SECURITY_VIOLATION;

+    Status  = EFI_SECURITY_VIOLATION;

+    HashAlg = sizeof (mHash) / sizeof (HASH_TABLE);

+    while (HashAlg > 0) {

+      HashAlg--;

+      if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit == NULL) || (mHash[HashAlg].HashUpdate == NULL) || (mHash[HashAlg].HashFinal == NULL)) {

+        continue;

+      }

+

+      if (HashPeImage (HashAlg)) {

+        Status = EFI_SUCCESS;

+        break;

+      }

+    }

+

+    if (EFI_ERROR (Status)) {

+      DEBUG ((DEBUG_ERROR, "Fail to get hash digest: %r", Status));

       goto ON_EXIT;

     }

   } else {

@@ -3764,6 +3796,10 @@ LoadSignatureList (
       ListType = STRING_TOKEN (STR_LIST_TYPE_SHA1);

     } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha256Guid)) {

       ListType = STRING_TOKEN (STR_LIST_TYPE_SHA256);

+    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha384Guid)) {

+      ListType = STRING_TOKEN (STR_LIST_TYPE_SHA384);

+    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha512Guid)) {

+      ListType = STRING_TOKEN (STR_LIST_TYPE_SHA512);

     } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha256Guid)) {

       ListType = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);

     } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha384Guid)) {

@@ -4011,6 +4047,12 @@ FormatHelpInfo (
   } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha256Guid)) {

     ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA256);

     DataSize   = 32;

+  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha384Guid)) {

+    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA384);

+    DataSize   = 48;

+  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha512Guid)) {

+    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA512);

+    DataSize   = 64;

   } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Sha256Guid)) {

     ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);

     DataSize   = 32;

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
index 37c66f1b95..ff6e7301af 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
@@ -82,6 +82,8 @@ extern  EFI_IFR_GUID_LABEL  *mEndLabel;
 #define MAX_DIGEST_SIZE  SHA512_DIGEST_SIZE

 

 #define WIN_CERT_UEFI_RSA2048_SIZE  256

+#define WIN_CERT_UEFI_RSA3072_SIZE  384

+#define WIN_CERT_UEFI_RSA4096_SIZE  512

 

 //

 // Support hash types

@@ -99,6 +101,11 @@ extern  EFI_IFR_GUID_LABEL  *mEndLabel;
 #define CER_PUBKEY_MIN_SIZE  256

 

 //

+// Define KeyType for public key storing file

+//

+#define KEY_TYPE_RSASSA  0

+

+//

 // Types of errors may occur during certificate enrollment.

 //

 typedef enum {

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
index 0d01701de7..177c585837 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
@@ -124,6 +124,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #string STR_LIST_TYPE_X509                        #language en-US "X509"

 #string STR_LIST_TYPE_SHA1                        #language en-US "SHA1"

 #string STR_LIST_TYPE_SHA256                      #language en-US "SHA256"

+#string STR_LIST_TYPE_SHA384                      #language en-US "SHA384"

+#string STR_LIST_TYPE_SHA512                      #language en-US "SHA512"

 #string STR_LIST_TYPE_X509_SHA256                 #language en-US "X509_SHA256"

 #string STR_LIST_TYPE_X509_SHA384                 #language en-US "X509_SHA384"

 #string STR_LIST_TYPE_X509_SHA512                 #language en-US "X509_SHA512"