The GUID I'm using is 301d199a-4dc1-4b26-b557-a012d83d7a52 and the variable names are file_name and file_hash. I'm using the following script to generate my key/cert.

genkeys.sh: https://pastebin.com/iYEFLQD7

The payloads I'm trying to write are generated using a small script which receives a single parameter, which is a file name. The script just creates two files: file_name.txt with the file name converted to CHAR16, and file_hash.txt with the SHA512 of the contents of the file. Then the script uses sbvarsign to sign both, creating file_name.signed and file_hash.signed using the previously generated keys.

create_auth_var_files.sh: https://pastebin.com/XhV9RbEB

Then, with the payloads (file_name.signed and file_hash.signed) in the same directory as my UEFI Application, I run the application from the UEFI Shell, which opens these files, copies them to a buffer and uses them when calling SetVariable.

TestPkg.c: https://pastebin.com/LbYvvrWH

The to16 is just a poor program to turn the parameter passed to auth_create_var_files.sh into a valid CHAR16 string, as follows: https://pastebin.com/AhjdzQrC.

The UEFI Application is just the TestPkg.c. I can upload the .inf and .dsc files too if you want; let me know if you want more information.

On 26/11/2019 03:08, Eugene Khoruzhenko wrote:
> No, we do not have access to the manufacturer's PK/KEK, so I created
> my own keys and certs. Theoretically, to debug this you can send me
> the GUID/Name and payload you are trying to write, I can check if I
> can write your variable with my tool and signing. Then I could look at
> your code and compare with mine and see why it does not work. If your
> code works on my devices, maybe the specific model you have has some
> issue? BTW, try the other vendors, like Lenovo and HP. I only cannot
> promise when I will be able to get to it with holidays approaching and
> many other things to do...
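
A sanity check for the `.signed` payloads described in the message above, as an added example that is not part of the original thread or of anyone's pastebin scripts. It assumes the files follow the EFI_VARIABLE_AUTHENTICATION_2 layout from the UEFI specification (EFI_TIME, then WIN_CERTIFICATE_UEFI_GUID, then the variable data); it checks the header fields and recovers the payload, but does not verify the PKCS#7 signature. The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import struct
import uuid

EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1   # wCertificateType for WIN_CERTIFICATE_UEFI_GUID
WIN_CERT_REVISION = 0x0200
EFI_TIME_FMT = "<HBBBBBBIhBB"     # 16-byte EFI_TIME, little-endian
DESCRIPTOR_MIN = 16 + 8 + 16      # EFI_TIME + WIN_CERTIFICATE header + CertType GUID


def parse_auth2(blob):
    """Split an EFI_VARIABLE_AUTHENTICATION_2 blob into header fields and payload."""
    if len(blob) < DESCRIPTOR_MIN:
        raise ValueError("too short to hold an authentication descriptor")
    t = struct.unpack_from(EFI_TIME_FMT, blob, 0)
    dw_length, revision, cert_type = struct.unpack_from("<IHH", blob, 16)
    guid = uuid.UUID(bytes_le=blob[24:40])  # EFI GUIDs are stored mixed-endian
    problems = []
    if any(t[6:]):  # Pad1, Nanosecond, TimeZone, Daylight, Pad2 must be zero
        problems.append("EFI_TIME has non-zero pad/nanosecond/timezone/daylight")
    if revision != WIN_CERT_REVISION:
        problems.append("unexpected wRevision 0x%04x" % revision)
    if cert_type != WIN_CERT_TYPE_EFI_GUID:
        problems.append("unexpected wCertificateType 0x%04x" % cert_type)
    if guid != EFI_CERT_TYPE_PKCS7_GUID:
        problems.append("CertType is not EFI_CERT_TYPE_PKCS7_GUID")
    # dwLength counts from the start of WIN_CERTIFICATE, i.e. file offset 16.
    if dw_length < 24 or 16 + dw_length > len(blob):
        problems.append("dwLength %d does not fit the file" % dw_length)
        payload = b""
    else:
        payload = blob[16 + dw_length:]
    return {"timestamp": t[:6], "problems": problems, "payload": payload}


def build_sample(payload, cert_type=WIN_CERT_TYPE_EFI_GUID):
    """Constructed test input; the 'signature' bytes are filler, not real PKCS#7."""
    fake_pkcs7 = b"\x30\x03\x02\x01\x01"
    time = struct.pack(EFI_TIME_FMT, 2019, 11, 26, 3, 8, 0, 0, 0, 0, 0, 0)
    hdr = struct.pack("<IHH", 24 + len(fake_pkcs7), WIN_CERT_REVISION, cert_type)
    return time + hdr + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + fake_pkcs7 + payload


if __name__ == "__main__":
    digest = hashlib.sha512(b"constructed file contents").digest()
    info = parse_auth2(build_sample(digest))
    print(info["timestamp"], info["problems"], len(info["payload"]))
```

On a real file, `parse_auth2(open("file_hash.signed", "rb").read())` should report no problems and a 64-byte payload, and the payload of `file_name.signed` should decode as UTF-16LE to the file name.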