The GUID I'm using is 301d199a-4dc1-4b26-b557-a012d83d7a52 and the variable names are file_name and file_hash. I'm using the following script to generate my key/cert.
genkeys.sh: https://pastebin.com/iYEFLQD7

The payloads I'm trying to write are generated using a small script which receives a single parameter, which is a file name. The script just creates two files: file_name.txt, with the file name converted to CHAR16, and file_hash.txt, with the SHA512 of the contents of the file. Then the script uses sbvarsign to sign both, creating file_name.signed and file_hash.signed using the previously generated keys.
create_auth_var_files.sh: https://pastebin.com/XhV9RbEB


Then, with the payloads (file_name.signed and file_hash.signed) in the same directory as my UEFI Application, I run the application from the UEFI Shell, which opens these files, copies them to a buffer and uses them when calling SetVariable.
TestPkg.c: https://pastebin.com/LbYvvrWH

The to16 is just a poor program to turn the parameter passed to auth_create_var_files.sh into a valid CHAR16 string, as follows: https://pastebin.com/AhjdzQrC.

The UEFI Application is just the TestPkg.c. I can upload the .inf and .dsc files too if you want, and let me know if you want more information.

On 26/11/2019 03:08, Eugene Khoruzhenko wrote:
No, we do not have access to the manufacturer's PK/KEK, so I created my own keys and certs. Theoretically, to debug this you can send me the GUID/Name and payload you are trying to write, and I can check if I can write your variable with my tool and signing. Then I could look at your code and compare with mine and see why it does not work. If your code works on my devices, maybe the specific model you have has some issue? BTW, try the other vendors, like Lenovo and HP. I just cannot promise when I will be able to get to it with holidays approaching and many other things to do...
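
Added example, not part of the original thread or the poster's scripts: Python that builds the two payloads described in the message above and checks that a `.signed` file begins with a well-formed EFI_VARIABLE_AUTHENTICATION_2 descriptor, the layout the UEFI specification defines for time-based authenticated variable writes. The function names, the UTF-16LE encoding without a terminating NUL and the raw-digest choice are assumptions; the sample blob is constructed and carries dummy PKCS#7 bytes.

```python
import hashlib
import struct
import uuid

# Constants and layouts from the UEFI specification (not from the thread).
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_REVISION = 0x0200
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_TIME_SIZE = 16
# WIN_CERTIFICATE_UEFI_GUID header: dwLength, wRevision, wCertificateType, CertType
WIN_CERT_HDR = struct.Struct("<IHH16s")

def name_payload(file_name):
    # Assumption: CHAR16 means UTF-16LE without BOM or terminating NUL.
    return file_name.encode("utf-16-le")

def hash_payload(contents):
    # Assumption: the raw 64-byte digest is stored, not its hex text.
    return hashlib.sha512(contents).digest()

def split_auth2(blob):
    """Return (EFI_TIME fields, PKCS#7 bytes, variable data) or raise ValueError."""
    if len(blob) < EFI_TIME_SIZE + WIN_CERT_HDR.size:
        raise ValueError("shorter than the authentication descriptor")
    stamp = struct.unpack_from("<HBBBBB", blob, 0)  # year .. second
    if any(blob[7:EFI_TIME_SIZE]):
        raise ValueError("EFI_TIME pad/nanosecond/timezone/daylight must be zero")
    length, revision, cert_type, guid = WIN_CERT_HDR.unpack_from(blob, EFI_TIME_SIZE)
    if (revision, cert_type) != (WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID):
        raise ValueError("not a WIN_CERT_TYPE_EFI_GUID certificate")
    if uuid.UUID(bytes_le=guid) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("CertType is not EFI_CERT_TYPE_PKCS7_GUID")
    end = EFI_TIME_SIZE + length
    if length < WIN_CERT_HDR.size or end > len(blob):
        raise ValueError("dwLength does not fit inside the file")
    return stamp, blob[EFI_TIME_SIZE + WIN_CERT_HDR.size:end], blob[end:]

def constructed_blob(data, pkcs7=b"\x30\x03\x02\x01\x01"):
    # Constructed stand-in for a .signed file; the PKCS#7 bytes are a dummy.
    stamp = struct.pack("<HBBBBB9x", 2019, 11, 26, 3, 8, 0)
    hdr = WIN_CERT_HDR.pack(WIN_CERT_HDR.size + len(pkcs7), WIN_CERT_REVISION,
                            WIN_CERT_TYPE_EFI_GUID, EFI_CERT_TYPE_PKCS7_GUID.bytes_le)
    return stamp + hdr + pkcs7 + data

if __name__ == "__main__":
    stamp, sig, data = split_auth2(constructed_blob(name_payload("test.efi")))
    print(stamp, len(sig), data.hex())
```

The data returned after the descriptor should be byte-identical to the corresponding `.txt` payload; this check covers structure only and does not verify the PKCS#7 signature.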