Subject: Re: [edk2-devel] Interpretation of specification
From: "Paulo Henrique Lacerda de Amorim" <phlamorim@riseup.net>
To: devel@edk2.groups.io, sun2sirius@gmail.com
Date: Tue, 26 Nov 2019 12:22:28 -0300
Message-ID: <0daf62c6-f746-9e3c-bc01-e32b11161b6f@riseup.net>
In-Reply-To: <17919.1574748523014243625@groups.io>

The GUID I'm using is 301d199a-4dc1-4b26-b557-a012d83d7a52 and the variable names are file_name and file_hash. I'm using the following script to generate my key/cert.
genkeys.sh: https://pastebin.com/iYEFLQD7

The payloads I'm trying to write are generated using a small script which receives a single parameter, a file name. The script just creates two files: file_name.txt with the file name converted to CHAR16, and file_hash.txt with the SHA512 of the contents of the file. Then the script uses sbvarsign to sign both, creating file_name.signed and file_hash.signed using the previously generated keys.
create_auth_var_files.sh: https://pastebin.com/XhV9RbEB


Then, with the payloads (file_name.signed and file_hash.signed) in the same directory as my UEFI application, I run the application from the UEFI Shell; it opens these files, copies them to a buffer and uses them when calling SetVariable.
TestPkg.c: https://pastebin.com/LbYvvrWH

to16 is just a poor program to turn the parameter passed to auth_create_var_files.sh into a valid CHAR16 string, as follows: https://pastebin.com/AhjdzQrC.

The UEFI application is just TestPkg.c; I can upload the .inf and .dsc files too if you want, and warn me if you want more information.

On 26/11/2019 03:08, Eugene Khoruzhenko wrote:
> No, we do not have access to the manufacturer's PK/KEK, so I created my own keys and certs. Theoretically, to debug this you can send me the GUID/Name and payload you are trying to write, I can check if I can write your variable with my tool and signing. Then I could look at your code and compare with mine and see why it does not work. If your code works on my devices, maybe the specific model you have has some issue? BTW, try the other vendors, like Lenovo and HP. I only cannot promise when I will be able to get to it with holidays approaching and many other things to do...
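When SetVariable is called with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS, the Data buffer must begin with an EFI_VARIABLE_AUTHENTICATION_2 descriptor (an EFI_TIME followed by a WIN_CERTIFICATE_UEFI_GUID carrying a PKCS#7 blob), and the firmware verifies that signature over VariableName || VendorGuid || Attributes || TimeStamp || Data before it ever looks at the certificate. Most "it works with my tool but not yours" failures in this exchange come down to one of those framing details, so the following script, an example added for this thread and not the poster's TestPkg.c or any part of sbsigntools, builds the two data files the message describes (CHAR16 name, SHA-512 digest), computes the exact bytes a signer must cover, and checks the header fields of a .signed payload that a conforming firmware rejects before signature verification. The vendor GUID and variable names are the ones from the message; the PKCS#7 blob is a constructed placeholder rather than a real signature, so only the framing is exercised.

```python
"""
Structural sanity check for a time-based authenticated variable payload
(EFI_VARIABLE_AUTHENTICATION_2). Added example for this thread; not the
poster's code and not sbsigntools. The PKCS#7 blob used below is a constructed
placeholder, not a real signature.
"""
import hashlib
import struct
import uuid

# Value from the thread
VENDOR_GUID = uuid.UUID("301d199a-4dc1-4b26-b557-a012d83d7a52")

# Constants from the UEFI specification
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
WIN_CERT_REVISION = 0x0200
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS = 0x10          # deprecated counter-based form
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20

# EFI_TIME: Year, Month, Day, Hour, Minute, Second, Pad1, Nanosecond, TimeZone, Daylight, Pad2 (16 bytes)
EFI_TIME_FMT = "<HBBBBBBIhBB"
# WIN_CERTIFICATE: dwLength, wRevision, wCertificateType (8 bytes), then the 16-byte CertType GUID
WIN_CERT_FMT = "<IHH"
AUTH2_HEADER_LEN = 16 + 8 + 16


def char16_name(name: str) -> bytes:
    """What the poster's to16 produces: a NUL-terminated CHAR16 (UTF-16LE) string."""
    return name.encode("utf-16-le") + b"\x00\x00"


def sha512_of(content: bytes) -> bytes:
    """Contents of file_hash.txt: the raw SHA-512 digest of the file."""
    return hashlib.sha512(content).digest()


def efi_time(year: int, month: int, day: int, hour: int, minute: int, second: int) -> bytes:
    """Pad1, Nanosecond, TimeZone, Daylight and Pad2 must be zero for time-based auth."""
    return struct.pack(EFI_TIME_FMT, year, month, day, hour, minute, second, 0, 0, 0, 0, 0)


def check_attributes(attrs: int) -> list:
    """Attribute combinations SetVariable rejects for a time-based authenticated write."""
    problems = []
    if not attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS:
        problems.append("EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS (0x20) not set")
    if attrs & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS:
        problems.append("0x10 and 0x20 cannot be combined")
    return problems


def to_be_signed(name: str, vendor_guid: uuid.UUID, attrs: int, timestamp: bytes, data: bytes) -> bytes:
    """Bytes the PKCS#7 signature must cover: VariableName (no terminating NUL) ||
    VendorGuid (EFI_GUID byte order) || Attributes (UINT32 LE) || TimeStamp || Data."""
    return name.encode("utf-16-le") + vendor_guid.bytes_le + struct.pack("<I", attrs) + timestamp + data


def build_auth2_payload(timestamp: bytes, pkcs7: bytes, data: bytes) -> bytes:
    """Frame data as SetVariable expects it: EFI_TIME, WIN_CERTIFICATE_UEFI_GUID, then the data."""
    hdr = struct.pack(WIN_CERT_FMT, 8 + 16 + len(pkcs7), WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return timestamp + hdr + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + data


def parse_auth2_payload(payload: bytes) -> dict:
    """Split a payload into timestamp / PKCS#7 / data and list header fields a firmware would reject."""
    problems = []
    if len(payload) < AUTH2_HEADER_LEN:
        return {"problems": ["payload shorter than the EFI_VARIABLE_AUTHENTICATION_2 header"]}
    ts = struct.unpack(EFI_TIME_FMT, payload[:16])
    dw_length, revision, cert_type = struct.unpack(WIN_CERT_FMT, payload[16:24])
    cert_guid = uuid.UUID(bytes_le=payload[24:40])
    if any(ts[6:]):  # Pad1, Nanosecond, TimeZone, Daylight, Pad2
        problems.append("EFI_TIME Pad1/Nanosecond/TimeZone/Daylight/Pad2 must be zero")
    if revision != WIN_CERT_REVISION:
        problems.append(f"wRevision 0x{revision:04x} != 0x0200")
    if cert_type != WIN_CERT_TYPE_EFI_GUID:
        problems.append(f"wCertificateType 0x{cert_type:04x} != WIN_CERT_TYPE_EFI_GUID")
    if cert_guid != EFI_CERT_TYPE_PKCS7_GUID:
        problems.append(f"CertType {cert_guid} != EFI_CERT_TYPE_PKCS7_GUID")
    if dw_length < 24 or 16 + dw_length > len(payload):
        problems.append(f"dwLength {dw_length} inconsistent with payload size {len(payload)}")
        return {"problems": problems}
    return {
        "timestamp": payload[:16],
        "pkcs7": payload[40:16 + dw_length],
        "data": payload[16 + dw_length:],
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample: the two data files the poster's script would produce for "hello.efi"
    file_content = b"constructed sample file contents"
    data_files = {"file_name": char16_name("hello.efi"), "file_hash": sha512_of(file_content)}
    attrs = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
             | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
    ts = efi_time(2019, 11, 26, 12, 22, 28)
    for var_name, data in data_files.items():
        tbs = to_be_signed(var_name, VENDOR_GUID, attrs, ts, data)
        payload = build_auth2_payload(ts, b"CONSTRUCTED-PKCS7-PLACEHOLDER", data)  # not a real signature
        problems = parse_auth2_payload(payload)["problems"] + check_attributes(attrs)
        print(f"{var_name}: {len(tbs)} bytes to sign, payload {len(payload)} bytes, problems: {problems or 'none'}")
```

The parser expects exactly what TestPkg.c hands to SetVariable as Data, i.e. a buffer starting at the EFI_TIME; if a signing tool was asked to prepend the 4-byte attribute word to its output, strip it before parsing. Two details are worth checking against the poster's pipeline in particular: the signed buffer uses the variable name without its terminating NUL (the NUL belongs only to the CHAR16 content of file_name.txt, which is data), and the Attributes value covered by the signature must be bit-for-bit the value later passed to SetVariable, so a mismatch such as signing with 0x27 and calling with 0x07 fails with EFI_SECURITY_VIOLATION even though the header parses cleanly.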