From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga18.intel.com (mga18.intel.com [134.134.136.126]) by mx.groups.io with SMTP id smtpd.web10.6553.1657280504852935205 for ; Fri, 08 Jul 2022 04:41:44 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=Ty9QnCEC; spf=pass (domain: intel.com, ip: 134.134.136.126, mailfrom: jason1.lin@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1657280504; x=1688816504; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=OQBRT4NgKczaZmRqM32YIaw6UIC5sSTkx9E+xNAB4Rk=; b=Ty9QnCECs5ixvrtV0yWqEhzujSup5QctsVOeX8ExvYzpn7lalryT5O3a Uvui3iegtBhhFwg2ciKqdNBPao7rNQeNlNtLqnz8Hu21sr7bN2VfEhVA4 bMWfqlnk6iC7UQsfoTbb102OSvGj3ULNROl60pDyldRNnJF24anNH8b1r N3aUpDy/Xq1835r52WzLp34V0fsOnFUCNYf2nHfjwUjPCvZ502BfvjBf9 wWEsXs6kWVyhIlo/swzgksX2FnXWpbOxPUm39+vh+rsIxTIm4pFyBIAXG AvwQsagCRDlKuF6r4z6ALTKdeRikntoolp72szW4TB3eCd53vcJbCnaTm g==; X-IronPort-AV: E=McAfee;i="6400,9594,10401"; a="267292970" X-IronPort-AV: E=Sophos;i="5.92,255,1650956400"; d="scan'208";a="267292970" Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 08 Jul 2022 04:41:44 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.92,255,1650956400"; d="scan'208";a="544182821" Received: from linjaso1-desk1.gar.corp.intel.com ([10.5.215.41]) by orsmga003.jf.intel.com with ESMTP; 08 Jul 2022 04:41:42 -0700 From: "Lin, Jason1" To: devel@edk2.groups.io Cc: Jason1 Lin , Bob Feng , Liming Gao , Yuwei Chen , Michael D Kinney , Dakota Chiang Subject: [PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file Date: Fri, 8 Jul 2022 19:41:39 +0800 Message-Id: <20220708114139.2015-1-jason1.lin@intel.com> X-Mailer: git-send-email 2.34.1.windows.1 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable 
From: Jason1 Lin REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3928 Windows-based system using signtool.exe to sign the capsule. Add the support to using "--subject-name" argument to assign the subject name used to sign the capsule file. This argument would pass to signtool.exe as a part of input argument with "/n" flag. NOTE: If using signtool.exe to sign capsule at least need to choose one of "--pfx-file" and "--subject-name" argument to input the value. Signed-off-by: Jason1 Lin Cc: Bob Feng Cc: Liming Gao Cc: Yuwei Chen Cc: Michael D Kinney Cc: Dakota Chiang --- BaseTools/Source/Python/Capsule/GenerateCapsule.py | 43 ++++++++++++++++--= -- 1 file changed, 34 insertions(+), 9 deletions(-) diff --git a/BaseTools/Source/Python/Capsule/GenerateCapsule.py b/BaseTools= /Source/Python/Capsule/GenerateCapsule.py index b8039db878..35435946c6 100644 --- a/BaseTools/Source/Python/Capsule/GenerateCapsule.py +++ b/BaseTools/Source/Python/Capsule/GenerateCapsule.py @@ -10,7 +10,7 @@ # keep the tool as simple as possible, it has the following limitations:=0D # * Do not support vendor code bytes in a capsule.=0D #=0D -# Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.
=0D +# Copyright (c) 2018 - 2022, Intel Corporation. All rights reserved.
=0D # SPDX-License-Identifier: BSD-2-Clause-Patent=0D #=0D =0D @@ -38,11 +38,11 @@ from Common.Edk2.Capsule.FmpPayloadHeader import FmpPa= yloadHeaderClass # Globals for help information=0D #=0D __prog__ =3D 'GenerateCapsule'=0D -__version__ =3D '0.9'=0D -__copyright__ =3D 'Copyright (c) 2018, Intel Corporation. All rights res= erved.'=0D +__version__ =3D '0.10'=0D +__copyright__ =3D 'Copyright (c) 2022, Intel Corporation. All rights res= erved.'=0D __description__ =3D 'Generate a capsule.\n'=0D =0D -def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose =3D False):=0D +def SignPayloadSignTool (Payload, ToolPath, PfxFile, SubjectName, Verbose = =3D False):=0D #=0D # Create a temporary directory=0D #=0D @@ -72,7 +72,10 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile, Ver= bose =3D False): Command =3D Command + '"{Path}" '.format (Path =3D os.path.join (ToolP= ath, 'signtool.exe'))=0D Command =3D Command + 'sign /fd sha256 /p7ce DetachedSignedData /p7co = 1.2.840.113549.1.7.2 '=0D Command =3D Command + '/p7 {TempDir} '.format (TempDir =3D TempDirecto= ryName)=0D - Command =3D Command + '/f {PfxFile} '.format (PfxFile =3D PfxFile)=0D + if PfxFile is not None:=0D + Command =3D Command + '/f {PfxFile} '.format (PfxFile =3D PfxFile)= =0D + if SubjectName is not None:=0D + Command =3D Command + '/n {SubjectName} '.format (SubjectName =3D = SubjectName)=0D Command =3D Command + TempFileName=0D if Verbose:=0D print (Command)=0D @@ -105,7 +108,7 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile, Ve= rbose =3D False): shutil.rmtree (TempDirectoryName)=0D return Signature=0D =0D -def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, Verbose = =3D False):=0D +def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, SubjectNa= me, Verbose =3D False):=0D print ('signtool verify is not supported.')=0D raise ValueError ('GenerateCapsule: error: signtool verify is not supp= orted.')=0D =0D 
@@ -249,6 +252,7 @@ if __name__ =3D=3D '__main__': HardwareInstance =3D ConvertJsonValue (Config, 'Ha= rdwareInstance', ValidateUnsignedInteger, Required =3D False, Default =3D 0= )=0D MonotonicCount =3D ConvertJsonValue (Config, 'Mo= notonicCount', ValidateUnsignedInteger, Required =3D False, Default =3D 0)= =0D SignToolPfxFile =3D ConvertJsonValue (Config, 'Si= gnToolPfxFile', os.path.expandvars, Required =3D False, Default =3D None, O= pen =3D True)=0D + SignToolSubjectName =3D ConvertJsonValue (Config, 'Si= gnToolSubjectName', os.path.expandvars, Required =3D False, Default =3D Non= e, Open =3D True)=0D OpenSslSignerPrivateCertFile =3D ConvertJsonValue (Config, 'Op= enSslSignerPrivateCertFile', os.path.expandvars, Required =3D False, Defaul= t =3D None, Open =3D True)=0D OpenSslOtherPublicCertFile =3D ConvertJsonValue (Config, 'Op= enSslOtherPublicCertFile', os.path.expandvars, Required =3D False, Default = =3D None, Open =3D True)=0D OpenSslTrustedPublicCertFile =3D ConvertJsonValue (Config, 'Op= enSslTrustedPublicCertFile', os.path.expandvars, Required =3D False, Defaul= t =3D None, Open =3D True)=0D @@ -264,6 +268,7 @@ if __name__ =3D=3D '__main__': HardwareInstance,=0D UpdateImageIndex,=0D SignToolPfxFile,=0D + SignToolSubjectName,=0D OpenSslSignerPrivateCertFile,= =0D OpenSslOtherPublicCertFile,=0D OpenSslTrustedPublicCertFile,= =0D 
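Review bot: The new `SignToolSubjectName` entry in the @@ -249 hunk is read with `Open = True`, the same setting the certificate-file entries use; if that flag makes ConvertJsonValue open the value as a file (which the later `.close()` / `.name` handling of `SignToolPfxFile` in this patch suggests), a subject name is not a path, so the lookup would either fail or yield a file object that then lands in the `/n {SubjectName}` format call. Unless Open means something else here, the line should read `SignToolSubjectName = ConvertJsonValue (Config, 'SignToolSubjectName', os.path.expandvars, Required = False, Default = None, Open = False)`, or drop the Open argument if its default is False. The @@ -303 hunk repeats the same line and needs the same change. Whether `os.path.expandvars` is wanted for a subject name at all (it rewrites `$`-prefixed substrings) is a smaller question worth a comment.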
@@ -303,6 +308,7 @@ if __name__ =3D=3D '__main__': UpdateImageIndex =3D ConvertJsonValue (Config, 'Up= dateImageIndex', ValidateUnsignedInteger, Required =3D False, Default =3D 1= )=0D MonotonicCount =3D ConvertJsonValue (Config, 'Mo= notonicCount', ValidateUnsignedInteger, Required =3D False, Default =3D 0)= =0D SignToolPfxFile =3D ConvertJsonValue (Config, 'Si= gnToolPfxFile', os.path.expandvars, Required =3D False, Default =3D None, O= pen =3D True)=0D + SignToolSubjectName =3D ConvertJsonValue (Config, 'Si= gnToolSubjectName', os.path.expandvars, Required =3D False, Default =3D Non= e, Open =3D True)=0D OpenSslSignerPrivateCertFile =3D ConvertJsonValue (Config, 'Op= enSslSignerPrivateCertFile', os.path.expandvars, Required =3D False, Defaul= t =3D None, Open =3D True)=0D OpenSslOtherPublicCertFile =3D ConvertJsonValue (Config, 'Op= enSslOtherPublicCertFile', os.path.expandvars, Required =3D False, Default = =3D None, Open =3D True)=0D OpenSslTrustedPublicCertFile =3D ConvertJsonValue (Config, 'Op= enSslTrustedPublicCertFile', os.path.expandvars, Required =3D False, Defaul= t =3D None, Open =3D True)=0D @@ -329,6 +335,7 @@ if __name__ =3D=3D '__main__': HardwareInstance,=0D UpdateImageIndex,=0D SignToolPfxFile,=0D + SignToolSubjectName,=0D OpenSslSignerPrivateCertFile,= =0D OpenSslOtherPublicCertFile,=0D OpenSslTrustedPublicCertFile,= =0D @@ -348,6 +355,7 @@ if __name__ =3D=3D '__main__': "HardwareInstance": str(PayloadDescripto= r.HardwareInstance),=0D "UpdateImageIndex": str(PayloadDescripto= r.UpdateImageIndex),=0D "SignToolPfxFile": str(PayloadDescriptor= .SignToolPfxFile),=0D + "SignToolSubjectName": str(PayloadDescri= ptor.SignToolSubjectName),=0D "OpenSslSignerPrivateCertFile": str(Payl= oadDescriptor.OpenSslSignerPrivateCertFile),=0D "OpenSslOtherPublicCertFile": str(Payloa= dDescriptor.OpenSslOtherPublicCertFile),=0D "OpenSslTrustedPublicCertFile": str(Payl= oadDescriptor.OpenSslTrustedPublicCertFile),=0D 
@@ -363,6 +371,8 @@ if __name__ =3D=3D '__main__': for PayloadField in PayloadSection:=0D if PayloadJsonDescriptorList[Index].SignToolPfxFile is None:=0D del PayloadField ['SignToolPfxFile']=0D + if PayloadJsonDescriptorList[Index].SignToolSubjectName is Non= e:=0D + del PayloadField ['SignToolSubjectName']=0D if PayloadJsonDescriptorList[Index].OpenSslSignerPrivateCertFi= le is None:=0D del PayloadField ['OpenSslSignerPrivateCertFile']=0D if PayloadJsonDescriptorList[Index].OpenSslOtherPublicCertFile= is None:=0D @@ -402,6 +412,9 @@ if __name__ =3D=3D '__main__': if args.SignToolPfxFile:=0D print ('GenerateCapsule: error: Argument --pfx-file conflicts = with Argument -j')=0D sys.exit (1)=0D + if args.SignToolSubjectName:=0D + print ('GenerateCapsule: error: Argument --SubjectName conflic= ts with Argument -j')=0D + sys.exit (1)=0D if args.OpenSslSignerPrivateCertFile:=0D print ('GenerateCapsule: error: Argument --signer-private-cert= conflicts with Argument -j')=0D sys.exit (1)=0D @@ -425,6 +438,7 @@ if __name__ =3D=3D '__main__': HardwareInstance =3D 0,=0D UpdateImageIndex =3D 1,=0D SignToolPfxFile =3D None,=0D + SignToolSubjectName =3D None,=0D OpenSslSignerPrivateCertFile =3D None,=0D OpenSslOtherPublicCertFile =3D None,=0D OpenSslTrustedPublicCertFile =3D None,=0D 
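Review bot: The conflict message added in the @@ -402 hunk names the option as `--SubjectName`, while the neighbouring messages use the dashed spelling of their options (`--pfx-file`, `--signer-private-cert`) and the commit description introduces the option as `--subject-name`. If the argparse definition, which is not in this view, registers `--subject-name`, the message should read `print ('GenerateCapsule: error: Argument --subject-name conflicts with Argument -j')` so users can match the error to the flag they passed. The `del PayloadField ['SignToolSubjectName']` branch in the @@ -363 hunk follows the existing pattern for the other optional fields.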
@@ -439,13 +453,15 @@ if __name__ =3D=3D '__main__': self.HardwareInstance =3D HardwareInstance=0D self.UpdateImageIndex =3D UpdateImageIndex=0D self.SignToolPfxFile =3D SignToolPfxFile=0D + self.SignToolSubjectName =3D SignToolSubjectName=0D self.OpenSslSignerPrivateCertFile =3D OpenSslSignerPrivateCert= File=0D self.OpenSslOtherPublicCertFile =3D OpenSslOtherPublicCertFi= le=0D self.OpenSslTrustedPublicCertFile =3D OpenSslTrustedPublicCert= File=0D self.SigningToolPath =3D SigningToolPath=0D self.DepexExp =3D DepexExp=0D =0D - self.UseSignTool =3D self.SignToolPfxFile is not None=0D + self.UseSignTool =3D (self.SignToolPfxFile is not None or=0D + self.SignToolSubjectName is not None)=0D self.UseOpenSsl =3D (self.OpenSslSignerPrivateCertFile is not= None and=0D self.OpenSslOtherPublicCertFile is not Non= e and=0D self.OpenSslTrustedPublicCertFile is not N= one)=0D @@ -504,8 +520,9 @@ if __name__ =3D=3D '__main__': raise argparse.ArgumentTypeError ('--update-image-= index must be an integer in range 0x0..0xff')=0D =0D if self.UseSignTool:=0D - self.SignToolPfxFile.close()=0D - self.SignToolPfxFile =3D self.SignToolPfxFile.name=0D + if self.SignToolPfxFile is not None:=0D + self.SignToolPfxFile.close()=0D + self.SignToolPfxFile =3D self.SignToolPfxFile.name=0D if self.UseOpenSsl:=0D self.OpenSslSignerPrivateCertFile.close()=0D self.OpenSslOtherPublicCertFile.close()=0D @@ -548,6 +565,7 @@ if __name__ =3D=3D '__main__': args.HardwareInstance,=0D args.UpdateImageIndex,=0D args.SignToolPfxFile,=0D + args.SignToolSubjectName,=0D args.OpenSslSignerPrivateCertF= ile,=0D args.OpenSslOtherPublicCertFil= e,=0D args.OpenSslTrustedPublicCertF= ile,=0D @@ -590,6 +608,7 @@ if __name__ =3D=3D '__main__': Result + struct.pack ('
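Review bot: The `UseSignTool` expression in the @@ -439 hunk now enables signtool when only a subject name is given, a mode the class does not document anywhere; a one-line comment above it would help, e.g. `# signtool can be driven by a PFX file (/f), a certificate subject name (/n), or both`. The guard added in the @@ -504 hunk correctly skips the close/rename when no PFX file was given, but it is worth a comment that the subject-name-only case deliberately leaves no file handle to close, `# subject name is a plain string; only the PFX file is an open handle`. The enclosing `__init__` and the validation method start and end outside their hunks, and the @@ -590 hunk is cut off at the end of this view.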