| author | Simon Rettberg | 2026-01-28 12:53:53 +0100 |
|---|---|---|
| committer | Simon Rettberg | 2026-01-28 12:53:53 +0100 |
| commit | 8e82785c584dc13e20f9229decb95bd17bbe9cd1 (patch) | |
| tree | a8b359e59196be5b2e3862bed189107f4bc9975f /src/crypto/mishmash | |
| parent | Merge branch 'master' into openslx (diff) | |
| parent | [prefix] Make unlzma.S compatible with 386 class CPUs (diff) | |
Merge branch 'master' into openslx
Diffstat (limited to 'src/crypto/mishmash')
48 files changed, 873 insertions, 0 deletions
diff --git a/src/crypto/mishmash/cmd_md4.c b/src/crypto/mishmash/cmd_md4.c
new file mode 100644
index 000000000..390a533db
--- /dev/null
+++ b/src/crypto/mishmash/cmd_md4.c
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( FORBIDDEN );
+
+#include <ipxe/md4.h>
+#include <hci/digest_cmd.h>
+
+static int md4sum_exec ( int argc, char **argv ) {
+ return digest_exec ( argc, argv, &md4_algorithm );
+}
+
+COMMAND ( md4sum, md4sum_exec );
diff --git a/src/crypto/mishmash/cmd_sha224.c b/src/crypto/mishmash/cmd_sha224.c
new file mode 100644
index 000000000..fd8095937
--- /dev/null
+++ b/src/crypto/mishmash/cmd_sha224.c
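Review bot: md4sum_exec and this new file carry no doc comments, and nothing next to `FILE_SECBOOT ( FORBIDDEN )` says why MD4 is excluded while the sibling sha224sum, sha256sum, sha384sum and sha512sum files are marked PERMITTED. I would add a file header such as `/** @file MD4 digest command (MD4 is collision-broken; excluded from Secure Boot builds) */` and a short block above the function documenting `argc`, `argv` and that the return status is passed straight through from `digest_exec()`. The same missing function documentation applies to the four sha*sum files that follow. What FILE_SECBOOT actually enforces is not visible in this diff, so the wording of the rationale should be checked against its definition.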
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
+
+#include <ipxe/sha256.h>
+#include <hci/digest_cmd.h>
+
+static int sha224sum_exec ( int argc, char **argv ) {
+ return digest_exec ( argc, argv, &sha224_algorithm );
+}
+
+COMMAND ( sha224sum, sha224sum_exec );
diff --git a/src/crypto/mishmash/cmd_sha256.c b/src/crypto/mishmash/cmd_sha256.c
new file mode 100644
index 000000000..259ae3eac
--- /dev/null
+++ b/src/crypto/mishmash/cmd_sha256.c
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
+
+#include <ipxe/sha256.h>
+#include <hci/digest_cmd.h>
+
+static int sha256sum_exec ( int argc, char **argv ) {
+ return digest_exec ( argc, argv, &sha256_algorithm );
+}
+
+COMMAND ( sha256sum, sha256sum_exec );
diff --git a/src/crypto/mishmash/cmd_sha384.c b/src/crypto/mishmash/cmd_sha384.c
new file mode 100644
index 000000000..c31154d24
--- /dev/null
+++ b/src/crypto/mishmash/cmd_sha384.c
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
+
+#include <ipxe/sha512.h>
+#include <hci/digest_cmd.h>
+
+static int sha384sum_exec ( int argc, char **argv ) {
+ return digest_exec ( argc, argv, &sha384_algorithm );
+}
+
+COMMAND ( sha384sum, sha384sum_exec );
diff --git a/src/crypto/mishmash/cmd_sha512.c b/src/crypto/mishmash/cmd_sha512.c
new file mode 100644
index 000000000..b6207f86d
--- /dev/null
+++ b/src/crypto/mishmash/cmd_sha512.c
@@ -0,0 +1,34 @@ +/* + * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); + +#include <ipxe/sha512.h> +#include <hci/digest_cmd.h> + +static int sha512sum_exec ( int argc, char **argv ) { + return digest_exec ( argc, argv, &sha512_algorithm ); +} + +COMMAND ( sha512sum, sha512sum_exec ); diff --git a/src/crypto/mishmash/dhe_rsa_aes_cbc_sha1.c b/src/crypto/mishmash/dhe_rsa_aes_cbc_sha1.c index 05e409f7a..ec2155001 100644 --- a/src/crypto/mishmash/dhe_rsa_aes_cbc_sha1.c +++ b/src/crypto/mishmash/dhe_rsa_aes_cbc_sha1.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <byteswap.h> #include <ipxe/rsa.h> diff --git a/src/crypto/mishmash/dhe_rsa_aes_cbc_sha256.c b/src/crypto/mishmash/dhe_rsa_aes_cbc_sha256.c index 6ce428642..4e6226e87 100644 --- a/src/crypto/mishmash/dhe_rsa_aes_cbc_sha256.c +++ b/src/crypto/mishmash/dhe_rsa_aes_cbc_sha256.c 
@@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <byteswap.h> #include <ipxe/rsa.h> diff --git a/src/crypto/mishmash/dhe_rsa_aes_gcm_sha256.c b/src/crypto/mishmash/dhe_rsa_aes_gcm_sha256.c index dc5cad9f8..6bbe4d00d 100644 --- a/src/crypto/mishmash/dhe_rsa_aes_gcm_sha256.c +++ b/src/crypto/mishmash/dhe_rsa_aes_gcm_sha256.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <byteswap.h> #include <ipxe/rsa.h> diff --git a/src/crypto/mishmash/dhe_rsa_aes_gcm_sha384.c b/src/crypto/mishmash/dhe_rsa_aes_gcm_sha384.c index 0448255f3..336feb195 100644 --- a/src/crypto/mishmash/dhe_rsa_aes_gcm_sha384.c +++ b/src/crypto/mishmash/dhe_rsa_aes_gcm_sha384.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <byteswap.h> #include <ipxe/rsa.h> diff --git a/src/crypto/mishmash/ecdhe_ecdsa_aes_cbc_sha1.c b/src/crypto/mishmash/ecdhe_ecdsa_aes_cbc_sha1.c new file mode 100644 index 000000000..0d9fcd15d --- /dev/null +++ b/src/crypto/mishmash/ecdhe_ecdsa_aes_cbc_sha1.c 
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
+
+#include <byteswap.h>
+#include <ipxe/ecdsa.h>
+#include <ipxe/aes.h>
+#include <ipxe/sha1.h>
+#include <ipxe/sha256.h>
+#include <ipxe/tls.h>
+
+/** TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA cipher suite */
+struct tls_cipher_suite
+tls_ecdhe_ecdsa_with_aes_128_cbc_sha __tls_cipher_suite ( 05 ) = {
+ .code = htons ( TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ),
+ .key_len = ( 128 / 8 ),
+ .fixed_iv_len = 0,
+ .record_iv_len = AES_BLOCKSIZE,
+ .mac_len = SHA1_DIGEST_SIZE,
+ .exchange = &tls_ecdhe_exchange_algorithm,
+ .pubkey = &ecdsa_algorithm,
+ .cipher = &aes_cbc_algorithm,
+ .digest = &sha1_algorithm,
+ .handshake = &sha256_algorithm,
+};
+
+/** TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipher suite */
+struct tls_cipher_suite
+tls_ecdhe_ecdsa_with_aes_256_cbc_sha __tls_cipher_suite ( 06 ) = {
+ .code = htons ( TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ),
+ .key_len = ( 256 / 8 ),
+ .fixed_iv_len = 0,
+ .record_iv_len = AES_BLOCKSIZE,
+ .mac_len = SHA1_DIGEST_SIZE,
+ .exchange = &tls_ecdhe_exchange_algorithm,
+ .pubkey = &ecdsa_algorithm,
+ .cipher = &aes_cbc_algorithm,
+ .digest = &sha1_algorithm,
+ .handshake = &sha256_algorithm,
+};
diff --git a/src/crypto/mishmash/ecdhe_ecdsa_aes_cbc_sha256.c b/src/crypto/mishmash/ecdhe_ecdsa_aes_cbc_sha256.c
new file mode 100644
index 000000000..4b7cf1620
--- /dev/null
+++ b/src/crypto/mishmash/ecdhe_ecdsa_aes_cbc_sha256.c
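Review bot: Both suites in ecdhe_ecdsa_aes_cbc_sha1.c set `.digest = &sha1_algorithm` but `.handshake = &sha256_algorithm`, and the mismatch is not explained, so a reader could take it for a copy-paste slip. A one-line comment such as `/* Record MAC is HMAC-SHA1; the TLS 1.2 handshake/PRF hash for this suite is SHA-256 */` would settle it. These are also MAC-then-encrypt CBC suites with a SHA-1 MAC, yet the file is marked `FILE_SECBOOT ( PERMITTED )`. The `( 05 )` and `( 06 )` arguments appear to rank them behind the GCM and SHA-2 CBC suites added in the following files; stating that ordering intent in the doc comment would keep a later edit from promoting them.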
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
+
+#include <byteswap.h>
+#include <ipxe/ecdsa.h>
+#include <ipxe/aes.h>
+#include <ipxe/sha256.h>
+#include <ipxe/tls.h>
+
+/** TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 cipher suite */
+struct tls_cipher_suite
+tls_ecdhe_ecdsa_with_aes_128_cbc_sha256 __tls_cipher_suite ( 03 ) = {
+ .code = htons ( TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ),
+ .key_len = ( 128 / 8 ),
+ .fixed_iv_len = 0,
+ .record_iv_len = AES_BLOCKSIZE,
+ .mac_len = SHA256_DIGEST_SIZE,
+ .exchange = &tls_ecdhe_exchange_algorithm,
+ .pubkey = &ecdsa_algorithm,
+ .cipher = &aes_cbc_algorithm,
+ .digest = &sha256_algorithm,
+ .handshake = &sha256_algorithm,
+};
diff --git a/src/crypto/mishmash/ecdhe_ecdsa_aes_cbc_sha384.c b/src/crypto/mishmash/ecdhe_ecdsa_aes_cbc_sha384.c
new file mode 100644
index 000000000..85373911a
--- /dev/null
+++ b/src/crypto/mishmash/ecdhe_ecdsa_aes_cbc_sha384.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
+
+#include <byteswap.h>
+#include <ipxe/ecdsa.h>
+#include <ipxe/aes.h>
+#include <ipxe/sha512.h>
+#include <ipxe/tls.h>
+
+/** TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 cipher suite */
+struct tls_cipher_suite
+tls_ecdhe_ecdsa_with_aes_256_cbc_sha384 __tls_cipher_suite ( 04 ) = {
+ .code = htons ( TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ),
+ .key_len = ( 256 / 8 ),
+ .fixed_iv_len = 0,
+ .record_iv_len = AES_BLOCKSIZE,
+ .mac_len = SHA384_DIGEST_SIZE,
+ .exchange = &tls_ecdhe_exchange_algorithm,
+ .pubkey = &ecdsa_algorithm,
+ .cipher = &aes_cbc_algorithm,
+ .digest = &sha384_algorithm,
+ .handshake = &sha384_algorithm,
+};
diff --git a/src/crypto/mishmash/ecdhe_ecdsa_aes_gcm_sha256.c b/src/crypto/mishmash/ecdhe_ecdsa_aes_gcm_sha256.c
new file mode 100644
index 000000000..5aeb2f3d9
--- /dev/null
+++ b/src/crypto/mishmash/ecdhe_ecdsa_aes_gcm_sha256.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
+
+#include <byteswap.h>
+#include <ipxe/ecdsa.h>
+#include <ipxe/aes.h>
+#include <ipxe/sha256.h>
+#include <ipxe/tls.h>
+
+/** TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite */
+struct tls_cipher_suite
+tls_ecdhe_ecdsa_with_aes_128_gcm_sha256 __tls_cipher_suite ( 01 ) = {
+ .code = htons ( TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ),
+ .key_len = ( 128 / 8 ),
+ .fixed_iv_len = 4,
+ .record_iv_len = 8,
+ .mac_len = 0,
+ .exchange = &tls_ecdhe_exchange_algorithm,
+ .pubkey = &ecdsa_algorithm,
+ .cipher = &aes_gcm_algorithm,
+ .digest = &sha256_algorithm,
+ .handshake = &sha256_algorithm,
+};
diff --git a/src/crypto/mishmash/ecdhe_ecdsa_aes_gcm_sha384.c b/src/crypto/mishmash/ecdhe_ecdsa_aes_gcm_sha384.c
new file mode 100644
index 000000000..3dc6149d7
--- /dev/null
+++ b/src/crypto/mishmash/ecdhe_ecdsa_aes_gcm_sha384.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
+
+#include <byteswap.h>
+#include <ipxe/ecdsa.h>
+#include <ipxe/aes.h>
+#include <ipxe/sha512.h>
+#include <ipxe/tls.h>
+
+/** TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite */
+struct tls_cipher_suite
+tls_ecdhe_ecdsa_with_aes_256_gcm_sha384 __tls_cipher_suite ( 02 ) = {
+ .code = htons ( TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ),
+ .key_len = ( 256 / 8 ),
+ .fixed_iv_len = 4,
+ .record_iv_len = 8,
+ .mac_len = 0,
+ .exchange = &tls_ecdhe_exchange_algorithm,
+ .pubkey = &ecdsa_algorithm,
+ .cipher = &aes_gcm_algorithm,
+ .digest = &sha384_algorithm,
+ .handshake = &sha384_algorithm,
+};
diff --git a/src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha1.c b/src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha1.c
index c23f65cc0..46b42ac1e 100644
--- a/src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha1.c
+++ b/src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha1.c
@@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <byteswap.h> #include <ipxe/rsa.h> diff --git a/src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha256.c b/src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha256.c index 431e2e304..dd524ec78 100644 --- a/src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha256.c +++ b/src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha256.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <byteswap.h> #include <ipxe/rsa.h> diff --git a/src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha384.c b/src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha384.c index c52976809..7524d1ccc 100644 --- a/src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha384.c +++ b/src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha384.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <byteswap.h> #include <ipxe/rsa.h> diff --git a/src/crypto/mishmash/ecdhe_rsa_aes_gcm_sha256.c b/src/crypto/mishmash/ecdhe_rsa_aes_gcm_sha256.c index 4f4e38c69..978be2a4c 100644 --- a/src/crypto/mishmash/ecdhe_rsa_aes_gcm_sha256.c +++ b/src/crypto/mishmash/ecdhe_rsa_aes_gcm_sha256.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <byteswap.h> #include <ipxe/rsa.h> diff --git a/src/crypto/mishmash/ecdhe_rsa_aes_gcm_sha384.c b/src/crypto/mishmash/ecdhe_rsa_aes_gcm_sha384.c index 0bc7c305f..5ca6f0457 100644 --- a/src/crypto/mishmash/ecdhe_rsa_aes_gcm_sha384.c +++ b/src/crypto/mishmash/ecdhe_rsa_aes_gcm_sha384.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <byteswap.h> #include <ipxe/rsa.h> diff --git a/src/crypto/mishmash/ecdsa_sha224.c b/src/crypto/mishmash/ecdsa_sha224.c new file mode 100644 index 000000000..92aa881cd --- /dev/null +++ b/src/crypto/mishmash/ecdsa_sha224.c 
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
+
+#include <ipxe/ecdsa.h>
+#include <ipxe/sha256.h>
+#include <ipxe/asn1.h>
+#include <ipxe/tls.h>
+
+/** "ecdsa-with-SHA224" object identifier */
+static uint8_t oid_ecdsa_with_sha224[] = { ASN1_OID_ECDSA_WITH_SHA224 };
+
+/** "ecdsa-with-SHA224" OID-identified algorithm */
+struct asn1_algorithm ecdsa_with_sha224_algorithm __asn1_algorithm = {
+ .name = "ecdsaWithSHA224",
+ .pubkey = &ecdsa_algorithm,
+ .digest = &sha224_algorithm,
+ .oid = ASN1_CURSOR ( oid_ecdsa_with_sha224 ),
+};
+
+/** ECDSA with SHA-224 signature hash algorithm */
+struct tls_signature_hash_algorithm
+tls_ecdsa_sha224 __tls_sig_hash_algorithm = {
+ .code = {
+ .signature = TLS_ECDSA_ALGORITHM,
+ .hash = TLS_SHA224_ALGORITHM,
+ },
+ .pubkey = &ecdsa_algorithm,
+ .digest = &sha224_algorithm,
+};
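Review bot: `oid_ecdsa_with_sha224` is declared `static uint8_t ...[]`, so the OID bytes that identify this signature algorithm sit in writable data although nothing in this file modifies them. If `ASN1_CURSOR` accepts a const-qualified array (its definition is not visible in this diff), `static const uint8_t oid_ecdsa_with_sha224[] = { ASN1_OID_ECDSA_WITH_SHA224 };` would keep the table read-only. The same applies to the OID arrays in ecdsa_sha256.c, ecdsa_sha384.c, ecdsa_sha512.c, oid_aes_cbc.c and oid_aes_gcm.c.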
diff --git a/src/crypto/mishmash/ecdsa_sha256.c b/src/crypto/mishmash/ecdsa_sha256.c
new file mode 100644
index 000000000..025d6ec73
--- /dev/null
+++ b/src/crypto/mishmash/ecdsa_sha256.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
+
+#include <ipxe/ecdsa.h>
+#include <ipxe/sha256.h>
+#include <ipxe/asn1.h>
+#include <ipxe/tls.h>
+
+/** "ecdsa-with-SHA256" object identifier */
+static uint8_t oid_ecdsa_with_sha256[] = { ASN1_OID_ECDSA_WITH_SHA256 };
+
+/** "ecdsa-with-SHA256" OID-identified algorithm */
+struct asn1_algorithm ecdsa_with_sha256_algorithm __asn1_algorithm = {
+ .name = "ecdsaWithSHA256",
+ .pubkey = &ecdsa_algorithm,
+ .digest = &sha256_algorithm,
+ .oid = ASN1_CURSOR ( oid_ecdsa_with_sha256 ),
+};
+
+/** ECDSA with SHA-256 signature hash algorithm */
+struct tls_signature_hash_algorithm
+tls_ecdsa_sha256 __tls_sig_hash_algorithm = {
+ .code = {
+ .signature = TLS_ECDSA_ALGORITHM,
+ .hash = TLS_SHA256_ALGORITHM,
+ },
+ .pubkey = &ecdsa_algorithm,
+ .digest = &sha256_algorithm,
+};
diff --git a/src/crypto/mishmash/ecdsa_sha384.c b/src/crypto/mishmash/ecdsa_sha384.c
new file mode 100644
index 000000000..d7a0ca5d6
--- /dev/null
+++ b/src/crypto/mishmash/ecdsa_sha384.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
+
+#include <ipxe/ecdsa.h>
+#include <ipxe/sha512.h>
+#include <ipxe/asn1.h>
+#include <ipxe/tls.h>
+
+/** "ecdsa-with-SHA384" object identifier */
+static uint8_t oid_ecdsa_with_sha384[] = { ASN1_OID_ECDSA_WITH_SHA384 };
+
+/** "ecdsa-with-SHA384" OID-identified algorithm */
+struct asn1_algorithm ecdsa_with_sha384_algorithm __asn1_algorithm = {
+ .name = "ecdsaWithSHA384",
+ .pubkey = &ecdsa_algorithm,
+ .digest = &sha384_algorithm,
+ .oid = ASN1_CURSOR ( oid_ecdsa_with_sha384 ),
+};
+
+/** ECDSA with SHA-384 signature hash algorithm */
+struct tls_signature_hash_algorithm
+tls_ecdsa_sha384 __tls_sig_hash_algorithm = {
+ .code = {
+ .signature = TLS_ECDSA_ALGORITHM,
+ .hash = TLS_SHA384_ALGORITHM,
+ },
+ .pubkey = &ecdsa_algorithm,
+ .digest = &sha384_algorithm,
+};
diff --git a/src/crypto/mishmash/ecdsa_sha512.c b/src/crypto/mishmash/ecdsa_sha512.c
new file mode 100644
index 000000000..15391abf2
--- /dev/null
+++ b/src/crypto/mishmash/ecdsa_sha512.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
+
+#include <ipxe/ecdsa.h>
+#include <ipxe/sha512.h>
+#include <ipxe/asn1.h>
+#include <ipxe/tls.h>
+
+/** "ecdsa-with-SHA512" object identifier */
+static uint8_t oid_ecdsa_with_sha512[] = { ASN1_OID_ECDSA_WITH_SHA512 };
+
+/** "ecdsa-with-SHA512" OID-identified algorithm */
+struct asn1_algorithm ecdsa_with_sha512_algorithm __asn1_algorithm = {
+ .name = "ecdsaWithSHA512",
+ .pubkey = &ecdsa_algorithm,
+ .digest = &sha512_algorithm,
+ .oid = ASN1_CURSOR ( oid_ecdsa_with_sha512 ),
+};
+
+/** ECDSA with SHA-512 signature hash algorithm */
+struct tls_signature_hash_algorithm
+tls_ecdsa_sha512 __tls_sig_hash_algorithm = {
+ .code = {
+ .signature = TLS_ECDSA_ALGORITHM,
+ .hash = TLS_SHA512_ALGORITHM,
+ },
+ .pubkey = &ecdsa_algorithm,
+ .digest = &sha512_algorithm,
+};
diff --git a/src/crypto/mishmash/oid_aes_cbc.c b/src/crypto/mishmash/oid_aes_cbc.c
new file mode 100644
index 000000000..d5b81541a
--- /dev/null
+++ b/src/crypto/mishmash/oid_aes_cbc.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2024 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
+
+#include <ipxe/aes.h>
+#include <ipxe/asn1.h>
+
+/** "aes128-cbc" object identifier */
+static uint8_t oid_aes_128_cbc[] = { ASN1_OID_AES128_CBC };
+
+/** "aes192-cbc" object identifier */
+static uint8_t oid_aes_192_cbc[] = { ASN1_OID_AES192_CBC };
+
+/** "aes256-cbc" object identifier */
+static uint8_t oid_aes_256_cbc[] = { ASN1_OID_AES256_CBC };
+
+/** "aes128-cbc" OID-identified algorithm */
+struct asn1_algorithm aes_128_cbc_algorithm __asn1_algorithm = {
+ .name = "aes128-cbc",
+ .cipher = &aes_cbc_algorithm,
+ .oid = ASN1_CURSOR ( oid_aes_128_cbc ),
+ .parse = asn1_parse_cbc,
+};
+
+/** "aes192-cbc" OID-identified algorithm */
+struct asn1_algorithm aes_192_cbc_algorithm __asn1_algorithm = {
+ .name = "aes192-cbc",
+ .cipher = &aes_cbc_algorithm,
+ .oid = ASN1_CURSOR ( oid_aes_192_cbc ),
+ .parse = asn1_parse_cbc,
+};
+
+/** "aes256-cbc" OID-identified algorithm */
+struct asn1_algorithm aes_256_cbc_algorithm __asn1_algorithm = {
+ .name = "aes256-cbc",
+ .cipher = &aes_cbc_algorithm,
+ .oid = ASN1_CURSOR ( oid_aes_256_cbc ),
+ .parse = asn1_parse_cbc,
+};
diff --git a/src/crypto/mishmash/oid_aes_gcm.c b/src/crypto/mishmash/oid_aes_gcm.c
new file mode 100644
index 000000000..6be1a132d
--- /dev/null
+++ b/src/crypto/mishmash/oid_aes_gcm.c
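Review bot: The three entries in oid_aes_cbc.c differ only in `.name` and `.oid`; all of them point at `&aes_cbc_algorithm` and `asn1_parse_cbc`, so nothing here ties aes128-cbc, aes192-cbc or aes256-cbc to a 16-, 24- or 32-byte key. Presumably the consumer takes the key length from the key material itself; if so, a comment on the first entry such as `/* Key length is not encoded here; callers must check it against the OID */` would make that obligation explicit, since the algorithm identifier and its parameters arrive through parsed input. The oid_aes_gcm.c entries that follow have the same shape with `asn1_parse_gcm`.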
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2024 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); + +#include <ipxe/aes.h> +#include <ipxe/asn1.h> + +/** "aes128-gcm" object identifier */ +static uint8_t oid_aes_128_gcm[] = { ASN1_OID_AES128_GCM }; + +/** "aes192-gcm" object identifier */ +static uint8_t oid_aes_192_gcm[] = { ASN1_OID_AES192_GCM }; + +/** "aes256-gcm" object identifier */ +static uint8_t oid_aes_256_gcm[] = { ASN1_OID_AES256_GCM }; + +/** "aes128-gcm" OID-identified algorithm */ +struct asn1_algorithm aes_128_gcm_algorithm __asn1_algorithm = { + .name = "aes128-gcm", + .cipher = &aes_gcm_algorithm, + .oid = ASN1_CURSOR ( oid_aes_128_gcm ), + .parse = asn1_parse_gcm, +}; + +/** "aes192-gcm" OID-identified algorithm */ +struct asn1_algorithm aes_192_gcm_algorithm __asn1_algorithm = { + .name = "aes192-gcm", + .cipher = &aes_gcm_algorithm, + .oid = ASN1_CURSOR ( oid_aes_192_gcm ), + .parse = asn1_parse_gcm, +}; + +/** "aes256-gcm" OID-identified algorithm */ +struct asn1_algorithm aes_256_gcm_algorithm __asn1_algorithm = { + .name = "aes256-gcm", + .cipher = &aes_gcm_algorithm, + .oid = ASN1_CURSOR ( oid_aes_256_gcm ), + .parse = asn1_parse_gcm, +}; diff --git a/src/crypto/mishmash/oid_md4.c b/src/crypto/mishmash/oid_md4.c index d42f2df19..03b893d47 100644 --- a/src/crypto/mishmash/oid_md4.c +++ b/src/crypto/mishmash/oid_md4.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( FORBIDDEN ); #include <ipxe/md4.h> #include <ipxe/asn1.h> diff --git a/src/crypto/mishmash/oid_md5.c b/src/crypto/mishmash/oid_md5.c index f56dd8b8d..0095fbe0e 100644 --- a/src/crypto/mishmash/oid_md5.c +++ b/src/crypto/mishmash/oid_md5.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( FORBIDDEN ); #include <ipxe/md5.h> #include <ipxe/asn1.h> diff --git a/src/crypto/mishmash/oid_p256.c b/src/crypto/mishmash/oid_p256.c new file mode 100644 index 000000000..81ae1d11e --- /dev/null +++ b/src/crypto/mishmash/oid_p256.c 
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
+
+#include <byteswap.h>
+#include <ipxe/p256.h>
+#include <ipxe/asn1.h>
+#include <ipxe/tls.h>
+
+/** "prime256v1" object identifier */
+static uint8_t oid_prime256v1[] = { ASN1_OID_PRIME256V1 };
+
+/** "prime256v1" OID-identified algorithm */
+struct asn1_algorithm prime256v1_algorithm __asn1_algorithm = {
+ .name = "prime256v1",
+ .curve = &p256_curve,
+ .oid = ASN1_CURSOR ( oid_prime256v1 ),
+};
+
+/** P-256 named curve */
+struct tls_named_curve tls_secp256r1_named_curve __tls_named_curve ( 01 ) = {
+ .curve = &p256_curve,
+ .code = htons ( TLS_NAMED_CURVE_SECP256R1 ),
+ .format = TLS_POINT_FORMAT_UNCOMPRESSED,
+ .pre_master_secret_len = P256_LEN,
+};
diff --git a/src/crypto/mishmash/oid_p384.c b/src/crypto/mishmash/oid_p384.c
new file mode 100644
index 000000000..a7d36aee4
--- /dev/null
+++ b/src/crypto/mishmash/oid_p384.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
+
+#include <byteswap.h>
+#include <ipxe/p384.h>
+#include <ipxe/asn1.h>
+#include <ipxe/tls.h>
+
+/** "secp384r1" object identifier */
+static uint8_t oid_secp384r1[] = { ASN1_OID_SECP384R1 };
+
+/** "secp384r1" OID-identified algorithm */
+struct asn1_algorithm secp384r1_algorithm __asn1_algorithm = {
+ .name = "secp384r1",
+ .curve = &p384_curve,
+ .oid = ASN1_CURSOR ( oid_secp384r1 ),
+};
+
+/** P-384 named curve */
+struct tls_named_curve tls_secp384r1_named_curve __tls_named_curve ( 01 ) = {
+ .curve = &p384_curve,
+ .code = htons ( TLS_NAMED_CURVE_SECP384R1 ),
+ .format = TLS_POINT_FORMAT_UNCOMPRESSED,
+ .pre_master_secret_len = P384_LEN,
+};
diff --git a/src/crypto/mishmash/oid_rsa.c b/src/crypto/mishmash/oid_rsa.c
index 582022628..02bb59edb 100644
--- a/src/crypto/mishmash/oid_rsa.c
+++ b/src/crypto/mishmash/oid_rsa.c
@@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <ipxe/rsa.h> #include <ipxe/asn1.h> diff --git a/src/crypto/mishmash/oid_sha1.c b/src/crypto/mishmash/oid_sha1.c index 5dae6d27c..5ddd2aba8 100644 --- a/src/crypto/mishmash/oid_sha1.c +++ b/src/crypto/mishmash/oid_sha1.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <ipxe/sha1.h> #include <ipxe/asn1.h> diff --git a/src/crypto/mishmash/oid_sha224.c b/src/crypto/mishmash/oid_sha224.c index ee7ed22e4..6658bda56 100644 --- a/src/crypto/mishmash/oid_sha224.c +++ b/src/crypto/mishmash/oid_sha224.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <ipxe/sha256.h> #include <ipxe/asn1.h> diff --git a/src/crypto/mishmash/oid_sha256.c b/src/crypto/mishmash/oid_sha256.c index 963fddb63..8da40a70b 100644 --- a/src/crypto/mishmash/oid_sha256.c +++ b/src/crypto/mishmash/oid_sha256.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <ipxe/sha256.h> #include <ipxe/asn1.h> diff --git a/src/crypto/mishmash/oid_sha384.c b/src/crypto/mishmash/oid_sha384.c index 81ff48bbf..57c1ab53b 100644 --- a/src/crypto/mishmash/oid_sha384.c +++ b/src/crypto/mishmash/oid_sha384.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <ipxe/sha512.h> #include <ipxe/asn1.h> diff --git a/src/crypto/mishmash/oid_sha512.c b/src/crypto/mishmash/oid_sha512.c index 78bae48b4..73d7cb78f 100644 --- a/src/crypto/mishmash/oid_sha512.c +++ b/src/crypto/mishmash/oid_sha512.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <ipxe/sha512.h> #include <ipxe/asn1.h> diff --git a/src/crypto/mishmash/oid_sha512_224.c b/src/crypto/mishmash/oid_sha512_224.c index 6f61f9cac..a6291097b 100644 --- a/src/crypto/mishmash/oid_sha512_224.c +++ b/src/crypto/mishmash/oid_sha512_224.c 
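Review bot: In the oid_sha1.c hunk, `FILE_SECBOOT ( PERMITTED )` is added with no rationale, while the MD4 and MD5 OID files in this same diff are marked `FORBIDDEN`. The macro is defined outside this diff, but if it controls what may be built into a Secure Boot image, SHA-1 is the one legacy digest left on the permitted side. A short comment next to the marker recording why would help the next review, e.g. `/* SHA-1 permitted: <reason to be documented> */`. The rsa_sha1.c and rsa_aes_cbc_sha1.c hunks further down carry the same marker.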
@@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <ipxe/sha512.h> #include <ipxe/asn1.h> diff --git a/src/crypto/mishmash/oid_sha512_256.c b/src/crypto/mishmash/oid_sha512_256.c index bce4762e4..d36199372 100644 --- a/src/crypto/mishmash/oid_sha512_256.c +++ b/src/crypto/mishmash/oid_sha512_256.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <ipxe/sha512.h> #include <ipxe/asn1.h> diff --git a/src/crypto/mishmash/oid_x25519.c b/src/crypto/mishmash/oid_x25519.c index 2f8aa065b..2907eb461 100644 --- a/src/crypto/mishmash/oid_x25519.c +++ b/src/crypto/mishmash/oid_x25519.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <byteswap.h> #include <ipxe/x25519.h> @@ -42,4 +43,5 @@ struct asn1_algorithm x25519_algorithm __asn1_algorithm = { struct tls_named_curve tls_x25519_named_curve __tls_named_curve ( 01 ) = { .curve = &x25519_curve, .code = htons ( TLS_NAMED_CURVE_X25519 ), + .pre_master_secret_len = sizeof ( struct x25519_value ), }; diff --git a/src/crypto/mishmash/rsa_aes_cbc_sha1.c b/src/crypto/mishmash/rsa_aes_cbc_sha1.c index 0862fb5ac..35f5f6eb7 100644 --- a/src/crypto/mishmash/rsa_aes_cbc_sha1.c +++ b/src/crypto/mishmash/rsa_aes_cbc_sha1.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <byteswap.h> #include <ipxe/rsa.h> diff --git a/src/crypto/mishmash/rsa_aes_cbc_sha256.c b/src/crypto/mishmash/rsa_aes_cbc_sha256.c index e5928db82..22705df7e 100644 --- a/src/crypto/mishmash/rsa_aes_cbc_sha256.c +++ b/src/crypto/mishmash/rsa_aes_cbc_sha256.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <byteswap.h> #include <ipxe/rsa.h> diff --git a/src/crypto/mishmash/rsa_aes_gcm_sha256.c b/src/crypto/mishmash/rsa_aes_gcm_sha256.c index b18bbd844..d3fd00f1e 100644 --- a/src/crypto/mishmash/rsa_aes_gcm_sha256.c 
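Review bot: In the second oid_x25519.c hunk, `tls_x25519_named_curve` gains `.pre_master_secret_len` but still leaves `.format` unset, whereas the P-256 and P-384 entries added in this diff set `.format = TLS_POINT_FORMAT_UNCOMPRESSED`. Leaving it zero is presumably intentional, since an X25519 public value carries no point-format prefix, but how a zero `.format` is interpreted is decided in code outside this hunk. A one-line comment in the initializer, such as `/* no .format: X25519 values carry no point-format byte */`, would make the asymmetry explicit to anyone adding another curve.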
+++ b/src/crypto/mishmash/rsa_aes_gcm_sha256.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <byteswap.h> #include <ipxe/rsa.h> diff --git a/src/crypto/mishmash/rsa_aes_gcm_sha384.c b/src/crypto/mishmash/rsa_aes_gcm_sha384.c index 06558aaed..908db086a 100644 --- a/src/crypto/mishmash/rsa_aes_gcm_sha384.c +++ b/src/crypto/mishmash/rsa_aes_gcm_sha384.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <byteswap.h> #include <ipxe/rsa.h> diff --git a/src/crypto/mishmash/rsa_md5.c b/src/crypto/mishmash/rsa_md5.c index 051afe264..00808c23f 100644 --- a/src/crypto/mishmash/rsa_md5.c +++ b/src/crypto/mishmash/rsa_md5.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( FORBIDDEN ); #include <ipxe/rsa.h> #include <ipxe/md5.h> diff --git a/src/crypto/mishmash/rsa_sha1.c b/src/crypto/mishmash/rsa_sha1.c index 264f871f1..8907ac08a 100644 --- a/src/crypto/mishmash/rsa_sha1.c +++ b/src/crypto/mishmash/rsa_sha1.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <ipxe/rsa.h> #include <ipxe/sha1.h> diff --git a/src/crypto/mishmash/rsa_sha224.c b/src/crypto/mishmash/rsa_sha224.c index 1465a033d..b676d41f3 100644 --- a/src/crypto/mishmash/rsa_sha224.c +++ b/src/crypto/mishmash/rsa_sha224.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <ipxe/rsa.h> #include <ipxe/sha256.h> diff --git a/src/crypto/mishmash/rsa_sha256.c b/src/crypto/mishmash/rsa_sha256.c index 7283c3e29..8a6a7a5cf 100644 --- a/src/crypto/mishmash/rsa_sha256.c +++ b/src/crypto/mishmash/rsa_sha256.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <ipxe/rsa.h> #include <ipxe/sha256.h> diff --git a/src/crypto/mishmash/rsa_sha384.c b/src/crypto/mishmash/rsa_sha384.c index 6f8c29b29..cc1878bd4 100644 --- a/src/crypto/mishmash/rsa_sha384.c 
+++ b/src/crypto/mishmash/rsa_sha384.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <ipxe/rsa.h> #include <ipxe/sha512.h> diff --git a/src/crypto/mishmash/rsa_sha512.c b/src/crypto/mishmash/rsa_sha512.c index bb4463a5a..9c995e1c8 100644 --- a/src/crypto/mishmash/rsa_sha512.c +++ b/src/crypto/mishmash/rsa_sha512.c @@ -22,6 +22,7 @@ */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); #include <ipxe/rsa.h> #include <ipxe/sha512.h> |
