public inbox for devel@edk2.groups.io
From: phlamorim@riseup.net
To: devel@edk2.groups.io
Subject: How to fill EFI_VARIABLE_AUTHENTICATION_2 descriptor properly
Date: Mon, 23 Sep 2019 07:02:55 -0700
Message-ID: <4833.1569247375439363213@groups.io>


[-- Attachment #1.1: Type: text/plain, Size: 2106 bytes --]

I want to create an Authenticated Variable as described in UEFI specification 2.8, topic 8.2.2 (Using the EFI_VARIABLE_AUTHENTICATION_2 descriptor). I understood the first step but I'm stuck on steps 2 to 6.

In the second step I should compute a hash of the serialization of some parameters of the SetVariable() call. Does serialization here mean concatenating the bytes of each variable and then computing the hash? The algorithm to compute the hash is not specified up to this point. The pseudo-code example is *digest=hash(VariableName, VendorGuid, Attributes, TimeStamp, DataNew_variable_content);* reading further, I assume the allowed algorithm is SHA256, which is quoted in step 4.b.

In the third step I should sign the digest value computed in the second step, using a selected signature scheme, and they show an example: *(e.g. PKCS #1 v1.5)*. I don't know which methods we have to do this task, but I assume we have some tool or feature in openssl which can handle it. Reading further, I found *Only a digest encryption algorithm of RSA with PKCS #1 v1.5 padding (RSASSA_PKCS1v1_5) is accepted*, said in step 4.g. So I assumed PKCS #1 v1.5 needs to be used in this step.

In the fourth step the spec asks to create a DER-encoded PKCS #7 version 1.5 SignedData, with a set of rules to fill SignedData and SignerInfo.

Steps 5 and 6 are just about constructing the Data parameter following the proper rules before the call to SetVariable(). I want to know if we have the algorithms used in the Crypto and Security Pkg, and if I assumed the algorithms used in steps 2 to 4 correctly. I am new to all these cryptography concepts, so any resource and code example on setting a new Authenticated Variable will be appreciated.

I attached an example of what I believe the UEFI Application should do to set a new time-based authenticated variable; steps 2 to 6 are just comments in some kind of pseudo-code. Let me know if this is the correct path and if I should use external tools outside the UEFI preboot environment to do the computations.

Regards, Paulo Amorim.

[-- Attachment #2: authvar.c --]
[-- Type: text/x-csrc; name="authvar.c", Size: 1306 bytes --]

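#include <Uefi.h>
#include <Library/BaseMemoryLib.h>
#include <Guid/WinCertificate.h>
#include <Guid/ImageAuthentication.h>

/* Placeholder vendor GUID; replace it with the variable's real namespace GUID. */
STATIC EFI_GUID VendorGuid = {
  0x00000000, 0x0000, 0x0000, { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
};

EFI_STATUS
EFIAPI
UefiMain (
  IN EFI_HANDLE        ImageHandle,
  IN EFI_SYSTEM_TABLE  *SystemTable
  )
{
  EFI_STATUS                     Status;
  UINT8                          *Payload    = NULL;  /* filled in step 6 */
  UINTN                          PayloadSize = 0;     /* size of descriptor + new data */

  /* Step 1 */
  EFI_VARIABLE_AUTHENTICATION_2  AuthDesc2;

  /* GetTime() takes a second, optional capabilities pointer. */
  Status = SystemTable->RuntimeServices->GetTime (&AuthDesc2.TimeStamp, NULL);
  if (EFI_ERROR (Status)) {
    return Status;
  }

  AuthDesc2.TimeStamp.Pad1       = 0;
  AuthDesc2.TimeStamp.Nanosecond = 0;
  AuthDesc2.TimeStamp.TimeZone   = 0;
  AuthDesc2.TimeStamp.Daylight   = 0;
  AuthDesc2.TimeStamp.Pad2       = 0;

  /* EFI_CERT_TYPE_PKCS7_GUID is an initializer macro, so copy the GUID object instead. */
  CopyGuid (&AuthDesc2.AuthInfo.CertType, &gEfiCertPkcs7Guid);
  AuthDesc2.AuthInfo.Hdr.wRevision        = 0x0200;
  AuthDesc2.AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;

  /* Step 2
  hash = sha256(
    VariableName ||
    VendorGuid ||
    Attributes ||
    AuthDesc2.TimeStamp ||
    NewValue
  );
  */

  /* Step 3
  signed_hash = pkcs#1-1.5(hash);
  */

  /* Step 4
  DERencPKCS7 = DERenc-pkcs#7-1.5(signed_hash);
  */

  /* Step 5
  AuthDesc2.AuthInfo.CertData = DERencPKCS7;
  */

  /* Step 6
  // Make Payload point to a region allocated with size of AuthDesc2 + NewDataSize

  Payload = Concatenate(AuthDesc2, VariableNewData);
  */

  /* The variable name is a CHAR16 string, hence the L"" literal. */
  Status = SystemTable->RuntimeServices->SetVariable (
                                           L"variable_name",
                                           &VendorGuid,
                                           EFI_VARIABLE_NON_VOLATILE |
                                           EFI_VARIABLE_BOOTSERVICE_ACCESS |
                                           EFI_VARIABLE_RUNTIME_ACCESS |
                                           EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
                                           PayloadSize,
                                           Payload
                                           );

  return Status;
}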
