Description – Intel Extensible Firmware Interface User Manual

Protocols

— Network Support

Version 1.10

12/01/02

15-85

//*******************************************************
// BIS_ALG_ID
//*******************************************************
typedef UINT16 BIS_ALG_ID;

This type represents a digital signature algorithm. A digital signature algorithm is often composed
of a particular combination of secure hash algorithm and encryption algorithm. This type also
allows for digital signature algorithms that cannot be decomposed. Predefined values for this
type are as defined below.

//*******************************************************
// BIS_ALG_ID predefined values
// Currently defined values for EFI_BIS_SIGNATURE_INFO.
// AlgorithmID. The exact numeric values come from “Common
// Data Security Architecture (CDSA) Specification.”
//*******************************************************
#define BIS_ALG_DSA (41) //CSSM_ALGID_DSA
#define BIS_ALG_RSA_MD5 (42) //CSSM_ALGID_MD5_WITH_RSA

These values represent the two digital signature algorithms predefined for BIS. Each
implementation of BIS must support at least one of these digital signature algorithms. Values for
the digital signature algorithms are chosen by an industry group known as The Open Group.
Developers planning to support additional digital signature algorithms or define new digital
signature algorithms should refer to The Open Group for interoperable values to use.

Description

This function retrieves a list of digital certificate identifier, digital signature algorithm, hash
algorithm, and key-length combinations that the platform supports. The list is an array of
(certificate id, algorithm id, key length) triples, where the certificate id is derived from the
platform’s Boot Object Authorization Certificate as described in the Related Definition for

BIS_CERT_ID

above, the algorithm id represents the combination of signature algorithm and

hash algorithm, and the key length is expressed in bits. The number of array elements can be
computed using the

Length

field of the retrieved

EFI_BIS_DATA*

.

The retrieved list is in order of preference. A digital signature algorithm for which the platform has
a currently configured Boot Object Authorization Certificate is preferred over any digital signature
algorithm for which there is not a currently configured Boot Object Authorization Certificate. Thus
the first element in the list has a

CertificateID

representing a Boot Object Authorization

Certificate if the platform has one configured. Otherwise the

CertificateID

of the first

element in the list is one of the reserved values representing a digital signature algorithm.