I want to create an Authenticated Variable like described in UEFI specif= ication 2.8 on tópic 8.2.2(8.2.2 Using the EFI_VARIABLE_AUTHENTICATI= ON_2 descriptor). I understood the first step but im stucked from step 2 to= 6.
On the second step i should compute a Hash of the serialization of some= parameters of the SetVariable() call, the serialization here means to conc= atenate bytes of each variable and then compute the Hash? The algorithm to = compute de hash is not specified til this moment. The pseudo-code example i= s digest=3Dhash(VariableName,VendorGuid,Attributes= , TimeStamp, DataNew_variable_content); by reading past i assume t= he allowed algorithm is SHA256 which is quoted on step 4.b.
In the third step i should sign the digest value computed in the second=
step, using a selected signature scheme and they show an example: =
(e.g. PKCS #1 v1.5), i don't know which methods we have to do this=
task but i assume we have some tool or feature in openssl which can handle=
this task. Read past again i found Only a digest encryption a=
lgorithm of RSA with PKCS #1 v1.5 padding (RSASSA_PKCS1v1_5).
is accep=
ted sayd on step 4.g. Then im assumed its needed to use PKCS #1 v.=
15 in this step.
In the fourth step the spec ask to create a DER-encoded PKCS #7 version= 1.5 SignedData with a st of rules to fill SignedData and SignerInfo.
The steps 5 and 6 is just about to construct the Data parameter followi= ng the properly rules before the call to SetVariable(). I want to know if w= e have the used algorithms in the Crypto and Security Pkg, and if i asssume= d the used algorithms in the steps 2 to 4 correctly. Iam new to all those c= ryptography concepts so any resource and code example on setting a new Auth= enticated variable will be appreciated.
I attached an example of what i believe the UEFI Application should do = to set a new time based authenticated variable, the steps from 2 to 6 are j= ust comments in somekind of pseudo-code. Let me know if this is the correct= path and if i should use external tools out of UEFI preboot enviroment to = do the computations.
Regards, Paulo Amorim.
--PTVLHvzVrSlOeWFab1TY-- --WOIZieTcExmWy7m8QuCV Content-Type: text/x-csrc; name="authvar.c" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="authvar.c" I2luY2x1ZGUgPFVlZmkvVWVmaU11bHRpUGhhc2UuaD4KI2luY2x1ZGUgPEd1aWQvV2luQ2VydGlm aWNhdGUuaD4KI2luY2x1ZGUgPEd1aWQvSW1hZ2VBdXRoZW50aWNhdGlvbi5oPgoKRUZJX1NUQVRV UwpFRklBUEkKVWVmaU1haW4oRUZJX0hBTkRMRSBJbWFnZUhhbmRsZSwgRUZJX1NZU1RFTV9UQUJM RSAqU3lzdGVtVGFibGUpCnsKCVVJTlQ4ICpQYXlsb2FkID0gTlVMTDsKCQoJLyogU3RlcCAxICov CglFRklfVkFSSUFCTEVfQVVUSEVOVElDQVRJT05fMiBBdXRoRGVzYzI7CgoJU3lzdGVtVGFibGUt PlJ1bnRpbWVTZXJ2aWNlcy0+R2V0VGltZSgmQXV0aERlc2MyLlRpbWVTdGFtcCk7CglBdXRoRGVz YzIuVGltZVN0YW1wLlBhZDEgCQkgPSAwOwoJQXV0aERlc2MyLlRpbWVTdGFtcC5OYW5vc2Vjb25k IAkgPSAwOwoJQXV0aERlc2MyLlRpbWVTdGFtcC5UaW1lWm9uZSAJID0gMDsKCUF1dGhEZXNjMi5U aW1lU3RhbXAuRGF5bGlnaHQgCSA9IDA7CglBdXRoRGVzYzIuVGltZVN0YW1wLlBhZDIgCQkgPSAw OwoKCUF1dGhEZXNjMi5BdXRoSW5mby5DZXJ0VHlwZSA9IEVGSV9DRVJUX1RZUEVfUEtDUzdfR1VJ RDsKCgkvKiBTdGVwIDIJCgloYXNoID0gc2hhMjU2KAoJCVZhcmlhYmxlTmFtZSB8fAoJCVZlbmRv ckd1aWQgfHwKCQlBdHRyaWJ1dGVzIHx8IAoJCUF1dGhEZXNjMi5UaW1lU3RhbXAgfHwgCgkJTmV3 VmFsdWUKCSk7CgkqLwoJCgkvKiBTdGVwIDMKCXNpZ25lZF9oYXNoID0gcGtjcyMxLTEuNShoYXNo KTsKCSovCgoJLyogU3RlcCA0CglERVJlbmNQS0NTNyA9IERFUmVuYy1wa2NzIzctMS41KHNpZ25l ZF9oYXNoKTsKCSovCgoJLyogU3RlcCA1CglBdXRoRGVzYzIuQXV0aEluZm8uQ2VydERhdGEJPSBE RVJlbmNQS0NTNzsKCSovCgoJLyogU3RlcCA2CgkvL01ha2UgUGF5bG9hZCBwb2ludCB0byBhIHJl Z2lvbiBhbGxvY2F0ZWQgd2l0aCBzaXplIG9mIEF1dGhEZXNjMiArIE5ld0RhdGFTaXplCgkKCVBh eWxvYWQgPSBDb25jYXRlbmF0ZShBdXRoRGVzYzIsIFZhcmlhYmxlTmV3RGF0YSk7CgkqLwoKCVN5 c3RlbVRhYmxlLT5SdW50aW1lU2VydmljZXMtPlNldFZhcmlhYmxlKAoJCSJ2YXJpYWJsZV9uYW1l IiwKCQkmVmVuZG9yR3VpZCwKCQlFRklfVkFSSUFCTEVfTk9OX1ZPTEFUSUxFIHwKCQlFRklfVkFS SUFCTEVfQk9PVFNFUlZJQ0VfQUNDRVNTIHwKCQlFRklfVkFSSUFCTEVfUlVOVElNRV9BQ0NFU1Mg fAoJCUVGSV9WQVJJQUJMRV9USU1FX0JBU0VEX0FVVEhFTlRJQ0FURURfV1JJVEVfQUNDRVNTLAoJ CVBheWxvYWRTaXplLAoJCVBheWxvYWQKCSk7CgoJcmV0dXJuIEVGSV9TVUNDRVNTOwp9Cg== --WOIZieTcExmWy7m8QuCV--