From: Yonghong Zhu <yonghong.zhu@intel.com>
To: edk2-devel@lists.01.org
Cc: Liming Gao <liming.gao@intel.com>
Subject: [Patch 2/3] BaseTools: Rsa2048Sha256Sign add new option to support Monotonic count
Date: Mon, 15 Aug 2016 16:17:38 +0800
Message-ID: <1471249059-95652-3-git-send-email-yonghong.zhu@intel.com>
In-Reply-To: <1471249059-95652-1-git-send-email-yonghong.zhu@intel.com>
The EFI_FIRMWARE_IMAGE_AUTHENTICATION struct requires the AuthInfo, which
is a signature across the image data and the Monotonic Count value, so we
add a new option to support the Monotonic Count.
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yonghong Zhu <yonghong.zhu@intel.com>
---
.../Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 31 +++++++++++++++++-----
1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
index b3254d8..3410668 100644
--- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
+++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
@@ -1,12 +1,12 @@
## @file
-# This tool encodes and decodes GUIDed FFS sections for a GUID type of
+# This tool encodes and decodes GUIDed FFS sections or FMP capsule for a GUID type of
# EFI_CERT_TYPE_RSA2048_SHA256_GUID defined in the UEFI 2.4 Specification as
# {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf}}
# This tool has been tested with OpenSSL 1.0.1e 11 Feb 2013
#
-# Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
#
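Review bot: the reworded header mixes number ("GUIDed FFS sections or FMP capsule"); suggest "GUIDed FFS sections or FMP capsules". The docstring also says nothing about the behaviour this patch adds, namely that a Monotonic Count can now be folded into the data the tool signs and verifies; a one-line mention of the new --monotonic-count option next to the description of the GUID type would save readers of the file header from having to find it in the argparse setup.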
@@ -30,11 +30,11 @@ from Common.BuildVersion import gBUILD_VERSION
#
# Globals for help information
#
__prog__ = 'Rsa2048Sha256Sign'
__version__ = '%s Version %s' % (__prog__, '0.9 ' + gBUILD_VERSION)
-__copyright__ = 'Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.'
+__copyright__ = 'Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.'
__usage__ = '%s -e|-d [options] <input_file>' % (__prog__)
#
# GUID for SHA 256 Hash Algorithm from UEFI Specification
#
@@ -64,10 +64,11 @@ if __name__ == '__main__':
parser = argparse.ArgumentParser(prog=__prog__, version=__version__, usage=__usage__, description=__copyright__, conflict_handler='resolve')
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument("-e", action="store_true", dest='Encode', help='encode file')
group.add_argument("-d", action="store_true", dest='Decode', help='decode file')
parser.add_argument("-o", "--output", dest='OutputFile', type=str, metavar='filename', help="specify the output filename", required=True)
+ parser.add_argument("--monotonic-count", dest='MonotonicCountStr', type=str, help="specify the MonotonicCount in FMP capsule.")
parser.add_argument("--private-key", dest='PrivateKeyFile', type=argparse.FileType('rb'), help="specify the private key filename. If not specified, a test signing key is used.")
parser.add_argument("-v", "--verbose", dest='Verbose', action="store_true", help="increase output messages")
parser.add_argument("-q", "--quiet", dest='Quiet', action="store_true", help="reduce output messages")
parser.add_argument("--debug", dest='Debug', type=int, metavar='[0-9]', choices=range(0,10), default=0, help="set debug level")
parser.add_argument(metavar="input_file", dest='InputFile', type=argparse.FileType('rb'), help="specify the input filename")
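Review bot: the help text for the new `parser.add_argument("--monotonic-count", ...)` is missing the documentation a user needs: which formats are accepted (decimal, or hexadecimal with a 0x prefix, which is what the parsing added later in this patch handles), that the value has to fit the unsigned 64-bit `Q` field it is packed into, and that the same value must be supplied again with -d or verification will fail. Suggest something like `help="specify the MonotonicCount (decimal or 0x-prefixed hex, unsigned 64-bit) signed together with the image data in an FMP capsule; pass the same value for -e and -d"`.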
@@ -153,17 +154,30 @@ if __name__ == '__main__':
while len(PublicKeyHexString) > 0:
PublicKey = PublicKey + chr(int(PublicKeyHexString[0:2],16))
PublicKeyHexString=PublicKeyHexString[2:]
if Process.returncode <> 0:
sys.exit(Process.returncode)
-
+
+ if args.MonotonicCountStr:
+ try:
+ if args.MonotonicCountStr.upper().startswith('0X'):
+ args.MonotonicCountValue = (long)(args.MonotonicCountStr, 16)
+ else:
+ args.MonotonicCountValue = (long)(args.MonotonicCountStr)
+ except:
+ pass
+
if args.Encode:
+ FullInputFileBuffer = args.InputFileBuffer
+ if args.MonotonicCountStr:
+ format = "Q%ds" % len(args.InputFileBuffer)
+ FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
#
# Sign the input file using the specified private key and capture signature from STDOUT
#
Process = subprocess.Popen('%s sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- Signature = Process.communicate(input=args.InputFileBuffer)[0]
+ Signature = Process.communicate(input=FullInputFileBuffer)[0]
if Process.returncode <> 0:
sys.exit(Process.returncode)
#
# Write output file that contains hash GUID, Public Key, Signature, and Input data
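Review bot: the bare `except: pass` around the count parsing is a logic problem: a value that is neither decimal nor 0x-prefixed hex is silently ignored, `args.MonotonicCountValue` is never assigned, and the `struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)` line below then fails with an AttributeError traceback instead of a usable message. Catch `ValueError`, print an error naming the bad option value and `sys.exit(1)`; `long(args.MonotonicCountStr, 0)` also honours a 0x prefix by itself, so the two branches and the C-style `(long)(...)` parentheses can go. Two further points on the pack: `"Q%ds"` uses the build host's native byte order, while the count in the capsule is a little-endian UINT64, so spell it `"<Q%ds"` to make the signed bytes independent of the machine running the tool; and `struct.pack` raises an uncaught `struct.error` for a negative value or one above 2^64-1, so a range check belongs next to the parse. Finally, the commit message describes the signature as being across the image data and the Monotonic Count, but this packs the count in front of the image; only the order the firmware-side verifier hashes will validate, so confirm it against the consuming code and record the chosen layout in the comment above the `subprocess.Popen` call.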
@@ -194,20 +208,25 @@ if __name__ == '__main__':
#
if Header.PublicKey <> PublicKey:
print 'ERROR: Public key in input file does not match public key from private key file'
sys.exit(1)
+ FullInputFileBuffer = args.InputFileBuffer
+ if args.MonotonicCountStr:
+ format = "Q%ds" % len(args.InputFileBuffer)
+ FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+
#
# Write Signature to output file
#
open(args.OutputFileName, 'wb').write(Header.Signature)
#
# Verify signature
#
Process = subprocess.Popen('%s sha256 -prverify "%s" -signature %s' % (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- Process.communicate(args.InputFileBuffer)
+ Process.communicate(input=FullInputFileBuffer)
if Process.returncode <> 0:
print 'ERROR: Verification failed'
os.remove (args.OutputFileName)
sys.exit(Process.returncode)
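Review bot: this block repeats the `FullInputFileBuffer` construction from the encode path verbatim; compute it once before `if args.Encode:` so that both paths are guaranteed to sign and verify the same bytes and any later fix (byte order, field order, range check) lands in one place. Also, because the count is not among the fields the encode path writes ("hash GUID, Public Key, Signature, and Input data"), a file signed with a count and decoded without `--monotonic-count`, or with a different value, fails with nothing more than `print 'ERROR: Verification failed'`; extend that message to say that the Monotonic Count used at signing time must be passed again on the -d path, since that is the first thing a user will have got wrong.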
--
2.6.1.windows.1
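The signed payload the commit message describes (image data plus the 64-bit Monotonic Count), as an added example in Python 3 that is not part of the patch or of BaseTools. It parses the option value strictly, packs the count with an explicit little-endian `<Q`, and computes the SHA-256 digest that `openssl sha256 -sign` would sign, so the effect of the option on the signed bytes can be checked offline without a key. The names `parse_monotonic_count`, `signed_payload`, `split_signed_payload`, `payload_digest` and `sign_with_option` are chosen here, the sample image bytes are constructed, and the image-then-count layout is an assumption taken from the commit message wording (the patch itself packs the count first), so the order must be checked against the firmware-side verifier before it is relied on.

```python
"""Build and hash the data an FMP capsule AuthInfo signature covers.

Added example, not code from the edk2 patch. Assumptions are marked inline.
"""
import hashlib
import struct

UINT64_MAX = (1 << 64) - 1


def parse_monotonic_count(text):
    """Parse a --monotonic-count value strictly.

    Accepts a decimal integer or a 0x-prefixed hexadecimal one (the two
    forms the patch tries to handle) and rejects anything else, or any
    value outside 0..2^64-1, with a ValueError instead of ignoring it.
    """
    s = text.strip()
    try:
        if s[:2].lower() == "0x":
            value = int(s[2:], 16)
        else:
            value = int(s, 10)
    except ValueError:
        raise ValueError("monotonic count %r is not decimal or 0x-prefixed hex" % text)
    if value < 0 or value > UINT64_MAX:
        raise ValueError("monotonic count %r does not fit in a UINT64" % text)
    return value


def signed_payload(image, monotonic_count):
    """Bytes that the AuthInfo signature covers.

    ASSUMPTION: image data first, then the count as a little-endian UINT64
    ('<Q'). The patch under review packs the count first with a native-order
    'Q'; whichever layout the firmware-side verifier hashes is authoritative.
    """
    return bytes(image) + struct.pack("<Q", monotonic_count)


def split_signed_payload(payload):
    """Inverse of signed_payload: recover (image, monotonic_count)."""
    if len(payload) < 8:
        raise ValueError("payload shorter than a UINT64 monotonic count")
    image, tail = payload[:-8], payload[-8:]
    return image, struct.unpack("<Q", tail)[0]


def payload_digest(image, monotonic_count=None):
    """SHA-256 hex digest of what 'openssl sha256 -sign' would sign.

    Without a count this is the plain image digest (the tool's behaviour
    before the patch); with one it is the digest of image || count.
    """
    data = bytes(image) if monotonic_count is None else signed_payload(image, monotonic_count)
    return hashlib.sha256(data).hexdigest()


def sign_with_option(image, monotonic_count_str=None):
    """What the -e path does with the option value: parse, pack, hash."""
    if monotonic_count_str is None:
        return payload_digest(image)
    return payload_digest(image, parse_monotonic_count(monotonic_count_str))


if __name__ == "__main__":
    # Constructed sample: a stand-in for the FMP payload file, not a real image.
    sample_image = b"CONSTRUCTED-FMP-PAYLOAD-SAMPLE"
    for count in (None, "1", "0x1", "0xFFFFFFFFFFFFFFFF"):
        print("count=%-20s sha256=%s" % (count, sign_with_option(sample_image, count)))
    for bad in ("0x10000000000000000", "-1", "ten"):
        try:
            sign_with_option(sample_image, bad)
        except ValueError as err:
            print("rejected %-22r %s" % (bad, err))
```

Running the block shows that "1" and "0x1" produce the same digest while any change to the count changes it, and that out-of-range or malformed values are reported rather than silently dropped, which is the failure mode the patch's bare `except: pass` leaves open.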
Thread overview: 8+ messages
2016-08-15 8:17 [Patch 0/3] BaseTools: Add the support for FMP capsule generate auth info Yonghong Zhu
2016-08-15 8:17 ` [Patch 1/3] BaseTools: Add the PKCS7 tool Yonghong Zhu
2016-08-15 8:32 ` Yao, Jiewen
2016-08-15 8:34 ` Zhu, Yonghong
2016-08-15 8:17 ` Yonghong Zhu [this message]
2016-08-19 5:41 ` [Patch 2/3] BaseTools: Rsa2048Sha256Sign add new option to support Monotonic count Gao, Liming
2016-08-15 8:17 ` [Patch 3/3] BaseTools: FMP capsule add the support to generate auth info Yonghong Zhu
2016-08-19 5:41 ` Gao, Liming