From 46510f36ab721b501b2bc8fc3f1409d2dc091561 Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Wed, 14 Jan 2026 15:51:07 +0000
Subject: [PATCH] [build] Mark MD4 and MD5 as forbidden for UEFI Secure Boot

A past security review identified MD4 and MD5 support as features that
ought to be disabled by default.  (There is zero impact on UEFI Secure
Boot itself from having these algorithms enabled: this was just a side
comment in the review.)

As noted in the resulting commit 7f2006a ("[crypto] Disable MD5 as an
OID-identifiable algorithm by default"), the actual MD5 code will
almost certainly still be present in the binary due to its implicit
use by various features.  Disabling MD5 support via config/crypto.h
simply removes the OID-identified algorithm, which prevents it from
being used as an explicitly identified algorithm (e.g. in an X.509
certificate digest).

Match the intent of this review comment by marking the OID-identified
algorithms for MD4 and MD5 as forbidden for UEFI Secure Boot.

Extend this to also disable the "md4sum" command and the use of the
md5WithRSAEncryption OID-identified algorithm.  (The "md5sum" command
is left enabled for historical reasons, and we have no definition for
md4WithRSAEncryption anyway.)

Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
 src/crypto/mishmash/cmd_md4.c | 1 +
 src/crypto/mishmash/oid_md4.c | 1 +
 src/crypto/mishmash/oid_md5.c | 1 +
 src/crypto/mishmash/rsa_md5.c | 1 +
 4 files changed, 4 insertions(+)

diff --git a/src/crypto/mishmash/cmd_md4.c b/src/crypto/mishmash/cmd_md4.c
index 8991b0250..390a533db 100644
--- a/src/crypto/mishmash/cmd_md4.c
+++ b/src/crypto/mishmash/cmd_md4.c
@@ -22,6 +22,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 
 #include <ipxe/md4.h>
 #include <hci/digest_cmd.h>
diff --git a/src/crypto/mishmash/oid_md4.c b/src/crypto/mishmash/oid_md4.c
index d42f2df19..03b893d47 100644
--- a/src/crypto/mishmash/oid_md4.c
+++ b/src/crypto/mishmash/oid_md4.c
@@ -22,6 +22,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 
 #include <ipxe/md4.h>
 #include <ipxe/asn1.h>
diff --git a/src/crypto/mishmash/oid_md5.c b/src/crypto/mishmash/oid_md5.c
index f56dd8b8d..0095fbe0e 100644
--- a/src/crypto/mishmash/oid_md5.c
+++ b/src/crypto/mishmash/oid_md5.c
@@ -22,6 +22,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 
 #include <ipxe/md5.h>
 #include <ipxe/asn1.h>
diff --git a/src/crypto/mishmash/rsa_md5.c b/src/crypto/mishmash/rsa_md5.c
index 051afe264..00808c23f 100644
--- a/src/crypto/mishmash/rsa_md5.c
+++ b/src/crypto/mishmash/rsa_md5.c
@@ -22,6 +22,7 @@
  */
 
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
 
 #include <ipxe/rsa.h>
 #include <ipxe/md5.h>