From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) (using TLSv1 with cipher CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id DA43F1A1EC4 for ; Fri, 14 Oct 2016 05:57:30 -0700 (PDT)
Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga101.fm.intel.com with ESMTP; 14 Oct 2016 05:57:30 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.31,493,1473145200"; d="scan'208";a="1044660684"
Received: from shwdeopenpsi168.ccr.corp.intel.com ([10.239.158.144]) by orsmga001.jf.intel.com with ESMTP; 14 Oct 2016 05:57:29 -0700
From: Yonghong Zhu
To: edk2-devel@lists.01.org
Cc: Liming Gao , Jiewen Yao
Date: Fri, 14 Oct 2016 20:56:57 +0800
Message-Id: <1476449817-11632-1-git-send-email-yonghong.zhu@intel.com>
X-Mailer: git-send-email 2.6.1.windows.1
Subject: [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development
X-List-Received-Date: Fri, 14 Oct 2016 12:57:31 -0000

The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec mentions that it is a signature across the image data and the Monotonic Count value. After clarification, when we do the signature calculation, we put MonotonicCount after Payload.

Cc: Liming Gao
Cc: Jiewen Yao
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yonghong Zhu
---
 BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py                 | 8 ++++----
 BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
index b9f8c06..f0b2d8a 100644
--- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
+++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
@@ -195,12 +195,12 @@ if __name__ == '__main__': args.OtherPublicCertFile.close() except: print 'ERROR: test other public cert file %s missing' % (args.OtherPublicCertFileName) sys.exit(1) - format = "Q%ds" % len(args.InputFileBuffer) - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer) + format = "%dsQ" % len(args.InputFileBuffer) + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue) # # Sign the input file using the specified private key and capture signature from STDOUT # Process = subprocess.Popen('%s smime -sign -binary -signer "%s" -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand, args.SignerPrivateCertFileName, args.OtherPublicCertFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) @@ -259,12 +259,12 @@ if __name__ == '__main__': sys.exit(1) args.SignatureBuffer = args.InputFileBuffer[0:SignatureSize] args.InputFileBuffer = args.InputFileBuffer[SignatureSize:] - format = "Q%ds" % len(args.InputFileBuffer) - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer) + format = "%dsQ" % len(args.InputFileBuffer) + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue) # # Save output file contents from input file # open(args.OutputFileName, 'wb').write(FullInputFileBuffer) diff --git a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py index 3410668..199ebec 100644 --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py +++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py 
@@ -167,12 +167,12 @@ if __name__ == '__main__': pass if args.Encode: FullInputFileBuffer = args.InputFileBuffer if args.MonotonicCountStr: - format = "Q%ds" % len(args.InputFileBuffer) - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer) + format = "%dsQ" % len(args.InputFileBuffer) + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue) # # Sign the input file using the specified private key and capture signature from STDOUT # Process = subprocess.Popen('%s sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) Signature = Process.communicate(input=FullInputFileBuffer)[0] @@ -210,12 +210,12 @@ if __name__ == '__main__': print 'ERROR: Public key in input file does not match public key from private key file' sys.exit(1) FullInputFileBuffer = args.InputFileBuffer if args.MonotonicCountStr: - format = "Q%ds" % len(args.InputFileBuffer) - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer) + format = "%dsQ" % len(args.InputFileBuffer) + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue) # # Write Signature to output file # open(args.OutputFileName, 'wb').write(Header.Signature) -- 2.6.1.windows.1
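Review bot: the new "%dsQ" format in the Pkcs7Sign.py sign hunk (@@ -195) carries no byte-order prefix, so struct.pack runs in native mode and aligns the Q field to the host's native boundary; whenever len(args.InputFileBuffer) is not a multiple of 8, zero padding bytes are inserted between the payload and the count, and the PKCS7 signature then covers payload + padding + count rather than the image data and Monotonic Count the commit message describes. The old "Q%ds" order never hit this because the 8-byte field came first and the string field needs no alignment. Use an explicit little-endian, standard-size format, which also pins the count's byte order to what the consumer reads rather than to the build host:
format = "<%dsQ" % len(args.InputFileBuffer)
The same unprefixed format string appears in the other three hunks and needs the same change.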
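Review bot: in the Pkcs7Sign.py decode hunk (@@ -259) the data written to args.OutputFileName is FullInputFileBuffer, i.e. the payload with the 8-byte MonotonicCount now appended at the end (it was prepended before this patch), under a comment that only says "Save output file contents from input file". If that file is an intermediate for the signature check this is fine, but if it is what the caller receives as the decoded payload the count should not be in it: write args.InputFileBuffer there and keep FullInputFileBuffer for verification only. Either way the comment should say which one it is. Also, unlike the Rsa2048Sha256Sign.py hunks, both Pkcs7Sign.py hunks use args.MonotonicCountValue without first checking args.MonotonicCountStr; please confirm the value is always set on this path, or add the same guard, otherwise struct.pack fails when no --monotonic-count was given.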
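Review bot: the Rsa2048Sha256Sign.py encode hunk (@@ -167) changes the bytes that "openssl sha256 -sign" hashes from count||payload to payload||count, so every signature produced by the previous tool version will fail verification against a verifier that expects the new layout, and vice versa; the commit message only says "after clarification". Please cite the UEFI spec section and the verifier implementation the layout was checked against, and state the incompatibility with previously signed images so users know to re-sign. Note too that this hunk packs the count only when args.MonotonicCountStr is set, while the Pkcs7Sign.py hunks pack it unconditionally; the two tools should agree on whether a missing --monotonic-count means "sign the bare payload" or an error.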
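Review bot: the Rsa2048Sha256Sign.py decode hunk (@@ -210) is the fourth hand-written copy of the same two lines (format string plus struct.pack); the decode path's FullInputFileBuffer has to stay byte-for-byte identical to what the encode hunk signs, and with the layout spelled out in four places one of them can drift silently. Factor it into a single helper used by both paths in each tool, e.g.
def SignedBuffer(Payload, MonotonicCount):
    return struct.pack("<%dsQ" % len(Payload), Payload, MonotonicCount)
and add a sign-then-decode round trip with a --monotonic-count to the tool's tests so a mismatch between the two paths is caught. The visible context writes only Header.Signature to the output file right after the buffer is rebuilt, so the consumer of FullInputFileBuffer lies outside the hunk; a one-line comment pointing at the verify step that uses it would help the next reader.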
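The signed-buffer layout the commit message describes, as an added example that is not part of the patch or of the edk2 BaseTools code: it builds the payload followed by the 64-bit MonotonicCount with an explicit little-endian format, splits the buffer back apart on the decode side, keeps the pre-patch count-first ordering as a contrast, and measures what the unprefixed format string produces on the running host. Function names, the constructed sample payload, and the use of a bare SHA-256 digest in place of the tools' openssl signing step are this example's own assumptions.

```python
# Added example: not part of the edk2 patch or of BaseTools. Builds the
# buffer a MonotonicCount-aware signer hashes (payload, then the 64-bit
# count), recovers the two parts on the decode side, and shows why the
# struct format needs an explicit byte-order prefix. Function names, the
# sample payload and the bare SHA-256 digest are this example's assumptions.
import hashlib
import struct

COUNT_LEN = struct.calcsize("<Q")  # 8-byte UINT64 MonotonicCount


def signed_buffer(payload, monotonic_count):
    """payload || MonotonicCount, count as little-endian UINT64, no padding.

    '<' selects standard sizes and little-endian order and turns off the
    native-alignment padding struct inserts between fields by default.
    """
    return struct.pack("<%dsQ" % len(payload), payload, monotonic_count)


def legacy_signed_buffer(payload, monotonic_count):
    """Pre-patch layout: MonotonicCount first, then the payload."""
    return struct.pack("<Q%ds" % len(payload), monotonic_count, payload)


def split_signed_buffer(buf):
    """Decode side: recover (payload, MonotonicCount) from a signed buffer."""
    if len(buf) < COUNT_LEN:
        raise ValueError("buffer shorter than the MonotonicCount field")
    payload = buf[:-COUNT_LEN]
    (monotonic_count,) = struct.unpack("<Q", buf[-COUNT_LEN:])
    return payload, monotonic_count


def digest_to_sign(payload, monotonic_count):
    """SHA-256 over the signed buffer (what an RSA or PKCS7 signature covers)."""
    return hashlib.sha256(signed_buffer(payload, monotonic_count)).hexdigest()


def legacy_digest(payload, monotonic_count):
    """SHA-256 over the pre-patch layout; never equal to digest_to_sign."""
    return hashlib.sha256(legacy_signed_buffer(payload, monotonic_count)).hexdigest()


def native_layout_length(payload_len):
    """Bytes the patch's unprefixed '%dsQ' format yields for payload_len bytes.

    In native mode the Q field is aligned to the host's long long alignment
    (8 on x86-64), so a payload length that is not a multiple of that gets
    zero bytes inserted before the count, and the signature covers them.
    """
    return struct.calcsize("%dsQ" % payload_len)


if __name__ == "__main__":
    payload = b"constructed sample payload"  # 26 bytes, not a multiple of 8
    buf = signed_buffer(payload, 5)
    print("signed buffer length  :", len(buf))
    print("native '%dsQ' length  :", native_layout_length(len(payload)))
    print("decode round trip ok  :", split_signed_buffer(buf) == (payload, 5))
    print("differs from old order:",
          digest_to_sign(payload, 5) != legacy_digest(payload, 5))
```

Run as a script, the two length lines differ on a 64-bit host: signed_buffer gives payload length plus eight, while native_layout_length gives the larger figure the patch's format string would actually sign. A verifier that hashes exactly payload||count therefore rejects a signature made over the padded buffer, which is why the byte-order prefix belongs in the tool rather than being left to the build host.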