From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by ml01.01.org (Postfix) with ESMTP id 90A3D1A1E18 for ; Mon, 15 Aug 2016 01:17:55 -0700 (PDT) Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga102.jf.intel.com with ESMTP; 15 Aug 2016 01:17:55 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.28,524,1464678000"; d="scan'208";a="865544477" Received: from shwdeopenpsi168.ccr.corp.intel.com ([10.239.158.144]) by orsmga003.jf.intel.com with ESMTP; 15 Aug 2016 01:17:54 -0700 From: Yonghong Zhu To: edk2-devel@lists.01.org Cc: Liming Gao Date: Mon, 15 Aug 2016 16:17:38 +0800 Message-Id: <1471249059-95652-3-git-send-email-yonghong.zhu@intel.com> X-Mailer: git-send-email 2.6.1.windows.1 In-Reply-To: <1471249059-95652-1-git-send-email-yonghong.zhu@intel.com> References: <1471249059-95652-1-git-send-email-yonghong.zhu@intel.com> Subject: [Patch 2/3] BaseTools: Rsa2048Sha256Sign add new option to support Monotonic count X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Aug 2016 08:17:55 -0000 the EFI_FIRMWARE_IMAGE_AUTHENTICATION struct require the AuthInfo which is a signature across the image data and the Monotonic Count value, so we add the new option to support Monotonic count. Cc: Liming Gao Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Yonghong Zhu
---
 .../Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 31 +++++++++++++++++-----
 1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
index b3254d8..3410668 100644
--- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
+++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
@@ -1,12 +1,12 @@
 ## @file
-# This tool encodes and decodes GUIDed FFS sections for a GUID type of
+# This tool encodes and decodes GUIDed FFS sections or FMP capsule for a GUID type of
 # EFI_CERT_TYPE_RSA2048_SHA256_GUID defined in the UEFI 2.4 Specification as
 # {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf}}
 # This tool has been tested with OpenSSL 1.0.1e 11 Feb 2013
 #
-# Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
+# Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
 # This program and the accompanying materials
 # are licensed and made available under the terms and conditions of the BSD License
 # which accompanies this distribution. The full text of the license may be found at
 # http://opensource.org/licenses/bsd-license.php
 #
@@ -30,11 +30,11 @@ from Common.BuildVersion import gBUILD_VERSION
 #
 # Globals for help information
 #
 __prog__ = 'Rsa2048Sha256Sign'
 __version__ = '%s Version %s' % (__prog__, '0.9 ' + gBUILD_VERSION)
-__copyright__ = 'Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.'
+__copyright__ = 'Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.'
 __usage__ = '%s -e|-d [options] ' % (__prog__)
 #
 # GUID for SHA 256 Hash Algorithm from UEFI Specification
 #
@@ -64,10 +64,11 @@ if __name__ == '__main__':
 parser = argparse.ArgumentParser(prog=__prog__, version=__version__, usage=__usage__, description=__copyright__, conflict_handler='resolve')
 group = parser.add_mutually_exclusive_group(required=True)
 group.add_argument("-e", action="store_true", dest='Encode', help='encode file')
 group.add_argument("-d", action="store_true", dest='Decode', help='decode file')
 parser.add_argument("-o", "--output", dest='OutputFile', type=str, metavar='filename', help="specify the output filename", required=True)
+ parser.add_argument("--monotonic-count", dest='MonotonicCountStr', type=str, help="specify the MonotonicCount in FMP capsule.")
 parser.add_argument("--private-key", dest='PrivateKeyFile', type=argparse.FileType('rb'), help="specify the private key filename. If not specified, a test signing key is used.")
 parser.add_argument("-v", "--verbose", dest='Verbose', action="store_true", help="increase output messages")
 parser.add_argument("-q", "--quiet", dest='Quiet', action="store_true", help="reduce output messages")
 parser.add_argument("--debug", dest='Debug', type=int, metavar='[0-9]', choices=range(0,10), default=0, help="set debug level")
 parser.add_argument(metavar="input_file", dest='InputFile', type=argparse.FileType('rb'), help="specify the input filename")
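Review bot: The help text of the new `--monotonic-count` option does not say what syntax is accepted or how wide the value is, although the conversion added later in this patch takes decimal or a 0x-prefixed hex string and packs it into a 64-bit field, so a user cannot learn the contract from `--help`. I would change it to `help="specify the 64-bit MonotonicCount of the FMP capsule (decimal or 0x-prefixed hex); it is signed together with the image data and must be given again when decoding."`. Alternatively, letting argparse do the conversion with `type=lambda s: int(s, 0)` would reject a malformed value at parse time with a proper usage error instead of leaving it to later code. The argument definitions sit inside the `if __name__ == '__main__':` block, which starts and continues outside this hunk.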
@@ -153,17 +154,30 @@ if __name__ == '__main__':
 while len(PublicKeyHexString) > 0:
 PublicKey = PublicKey + chr(int(PublicKeyHexString[0:2],16))
 PublicKeyHexString=PublicKeyHexString[2:]
 if Process.returncode <> 0:
 sys.exit(Process.returncode)
-
+
+ if args.MonotonicCountStr:
+ try:
+ if args.MonotonicCountStr.upper().startswith('0X'):
+ args.MonotonicCountValue = (long)(args.MonotonicCountStr, 16)
+ else:
+ args.MonotonicCountValue = (long)(args.MonotonicCountStr)
+ except:
+ pass
+
 if args.Encode:
+ FullInputFileBuffer = args.InputFileBuffer
+ if args.MonotonicCountStr:
+ format = "Q%ds" % len(args.InputFileBuffer)
+ FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
 #
 # Sign the input file using the specified private key and capture signature from STDOUT
 #
 Process = subprocess.Popen('%s sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- Signature = Process.communicate(input=args.InputFileBuffer)[0]
+ Signature = Process.communicate(input=FullInputFileBuffer)[0]
 if Process.returncode <> 0:
 sys.exit(Process.returncode)
 #
 # Write output file that contains hash GUID, Public Key, Signature, and Input data
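Review bot: The bare `except: pass` around the conversion of `args.MonotonicCountStr` swallows a malformed value (a typo such as `0x1G`) and leaves `args.MonotonicCountValue` unset, so the Encode branch later dies inside `struct.pack` with an AttributeError instead of a clear usage error, and a negative value or one above 2^64-1 likewise only surfaces as a `struct.error`. Because the count is part of the signed data that the firmware uses for its rollback check, a value the tool could not parse must be a hard failure, not something to continue past. I would replace the try/except with an explicit `except ValueError` that prints an error and exits, followed by a range check that keeps the value within what the `Q` format can hold, as in the excerpt below. The `"Q%ds"` format also relies on native byte order; `"<Q%ds"` makes the little-endian layout explicit, and the firmware-side verifier must hash the count and image in the same order this tool uses, which I cannot confirm from this hunk. The enclosing `if __name__ == '__main__':` block starts and ends outside the hunk.
```python
  if args.MonotonicCountStr:
    try:
      if args.MonotonicCountStr.upper().startswith('0X'):
        args.MonotonicCountValue = long(args.MonotonicCountStr, 16)
      else:
        args.MonotonicCountValue = long(args.MonotonicCountStr, 10)
    except ValueError:
      print 'ERROR: --monotonic-count must be a decimal or 0x-prefixed hex integer'
      sys.exit(1)
    # The count is packed as a UINT64 below; reject anything struct.pack("Q") cannot hold
    if not 0 <= args.MonotonicCountValue <= 0xFFFFFFFFFFFFFFFF:
      print 'ERROR: --monotonic-count must be in the range 0..0xFFFFFFFFFFFFFFFF'
      sys.exit(1)
  # ... unchanged: Encode branch ...
```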
@@ -194,20 +208,25 @@ if __name__ == '__main__':
 #
 if Header.PublicKey <> PublicKey:
 print 'ERROR: Public key in input file does not match public key from private key file'
 sys.exit(1)
+ FullInputFileBuffer = args.InputFileBuffer
+ if args.MonotonicCountStr:
+ format = "Q%ds" % len(args.InputFileBuffer)
+ FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+
 #
 # Write Signature to output file
 #
 open(args.OutputFileName, 'wb').write(Header.Signature)
 #
 # Verify signature
 #
 Process = subprocess.Popen('%s sha256 -prverify "%s" -signature %s' % (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- Process.communicate(args.InputFileBuffer)
+ Process.communicate(input=FullInputFileBuffer)
 if Process.returncode <> 0:
 print 'ERROR: Verification failed'
 os.remove (args.OutputFileName)
 sys.exit(Process.returncode)
-- 2.6.1.windows.1
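Review bot: On the decode path the count is only prepended when `--monotonic-count` is passed again, and nothing in the decoded input records which value was used at signing time, so a decode run that omits the option or passes a different value fails with the generic `ERROR: Verification failed` and gives no hint that the count is the cause. I would make the message say so: `print 'ERROR: Verification failed (if the image was signed with --monotonic-count, the same value must be given to -d)'`. The four prefixing lines are also a verbatim copy of the ones in the Encode branch; a small helper taking the count string and the buffer, with a one-line docstring stating that the count precedes the image data in the signed buffer, would keep the two paths from diverging. The enclosing `if __name__ == '__main__':` block starts outside the hunk.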