From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <yonghong.zhu@intel.com>
Received: from mga01.intel.com (mga01.intel.com [192.55.52.88])
 (using TLSv1 with cipher CAMELLIA256-SHA (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id DA43F1A1EC4
 for <edk2-devel@lists.01.org>; Fri, 14 Oct 2016 05:57:30 -0700 (PDT)
Received: from orsmga001.jf.intel.com ([10.7.209.18])
 by fmsmga101.fm.intel.com with ESMTP; 14 Oct 2016 05:57:30 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.31,493,1473145200"; d="scan'208";a="1044660684"
Received: from shwdeopenpsi168.ccr.corp.intel.com ([10.239.158.144])
 by orsmga001.jf.intel.com with ESMTP; 14 Oct 2016 05:57:29 -0700
From: Yonghong Zhu <yonghong.zhu@intel.com>
To: edk2-devel@lists.01.org
Cc: Liming Gao <liming.gao@intel.com>,
	Jiewen Yao <jiewen.yao@intel.com>
Date: Fri, 14 Oct 2016 20:56:57 +0800
Message-Id: <1476449817-11632-1-git-send-email-yonghong.zhu@intel.com>
X-Mailer: git-send-email 2.6.1.windows.1
Subject: [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2016 12:57:31 -0000

The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec
mentioned that It is a signature across the image data and the
Monotonic Count value. After clarification, we do the signature
calculation, we put MonotonicCount after Payload.

Cc: Liming Gao <liming.gao@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yonghong Zhu <yonghong.zhu@intel.com>
---
 BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py                 | 8 ++++----
 BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
index b9f8c06..f0b2d8a 100644
--- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
+++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
@@ -195,12 +195,12 @@ if __name__ == '__main__':
         args.OtherPublicCertFile.close()
       except:
         print 'ERROR: test other public cert file %s missing' % (args.OtherPublicCertFileName)
         sys.exit(1)
 
-    format = "Q%ds" % len(args.InputFileBuffer)
-    FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+    format = "%dsQ" % len(args.InputFileBuffer)
+    FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)
 
     #
     # Sign the input file using the specified private key and capture signature from STDOUT
     #
     Process = subprocess.Popen('%s smime -sign -binary -signer "%s" -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand, args.SignerPrivateCertFileName, args.OtherPublicCertFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
@@ -259,12 +259,12 @@ if __name__ == '__main__':
         sys.exit(1)
 
     args.SignatureBuffer = args.InputFileBuffer[0:SignatureSize]
     args.InputFileBuffer = args.InputFileBuffer[SignatureSize:]
 
-    format = "Q%ds" % len(args.InputFileBuffer)
-    FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+    format = "%dsQ" % len(args.InputFileBuffer)
+    FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)
 
     #
     # Save output file contents from input file
     #
     open(args.OutputFileName, 'wb').write(FullInputFileBuffer)
diff --git a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
index 3410668..199ebec 100644
--- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
+++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
@@ -167,12 +167,12 @@ if __name__ == '__main__':
         pass
 
   if args.Encode:
     FullInputFileBuffer = args.InputFileBuffer
     if args.MonotonicCountStr:
-      format = "Q%ds" % len(args.InputFileBuffer)
-      FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+      format = "%dsQ" % len(args.InputFileBuffer)
+      FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)
     # 
     # Sign the input file using the specified private key and capture signature from STDOUT
     #
     Process = subprocess.Popen('%s sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     Signature = Process.communicate(input=FullInputFileBuffer)[0]
@@ -210,12 +210,12 @@ if __name__ == '__main__':
       print 'ERROR: Public key in input file does not match public key from private key file'
       sys.exit(1)
 
     FullInputFileBuffer = args.InputFileBuffer
     if args.MonotonicCountStr:
-      format = "Q%ds" % len(args.InputFileBuffer)
-      FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+      format = "%dsQ" % len(args.InputFileBuffer)
+      FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)
 
     #
     # Write Signature to output file
     #
     open(args.OutputFileName, 'wb').write(Header.Signature)
-- 
2.6.1.windows.1