From: "Gao, Liming" <liming.gao@intel.com>
To: "Zhu, Yonghong" <yonghong.zhu@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Subject: Re: [Patch 2/3] BaseTools: Rsa2048Sha256Sign add new option to support Monotonic count
Date: Fri, 19 Aug 2016 05:41:10 +0000
Message-ID: <4A89E2EF3DFEDB4C8BFDE51014F606A1155ECE83@shsmsx102.ccr.corp.intel.com>
In-Reply-To: <1471249059-95652-3-git-send-email-yonghong.zhu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
> -----Original Message-----
> From: Zhu, Yonghong
> Sent: Monday, August 15, 2016 4:18 PM
> To: edk2-devel@lists.01.org
> Cc: Gao, Liming <liming.gao@intel.com>
> Subject: [Patch 2/3] BaseTools: Rsa2048Sha256Sign add new option to
> support Monotonic count
>
> The EFI_FIRMWARE_IMAGE_AUTHENTICATION struct requires the AuthInfo, which
> is a signature across the image data and the Monotonic Count value, so we
> add the new option to support Monotonic count.
>
> Cc: Liming Gao <liming.gao@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Yonghong Zhu <yonghong.zhu@intel.com>
> ---
> .../Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 31
> +++++++++++++++++-----
> 1 file changed, 25 insertions(+), 6 deletions(-)
>
> diff --git
> a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> index b3254d8..3410668 100644
> --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> +++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> @@ -1,12 +1,12 @@
> ## @file
> -# This tool encodes and decodes GUIDed FFS sections for a GUID type of
> +# This tool encodes and decodes GUIDed FFS sections or FMP capsule for a
> GUID type of
> # EFI_CERT_TYPE_RSA2048_SHA256_GUID defined in the UEFI 2.4
> Specification as
> # {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35,
> 0xbf}}
> # This tool has been tested with OpenSSL 1.0.1e 11 Feb 2013
> #
> -# Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.<BR>
> +# Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.<BR>
> # This program and the accompanying materials
> # are licensed and made available under the terms and conditions of the BSD
> License
> # which accompanies this distribution. The full text of the license may be
> found at
> # http://opensource.org/licenses/bsd-license.php
> #
> @@ -30,11 +30,11 @@ from Common.BuildVersion import gBUILD_VERSION
> #
> # Globals for help information
> #
> __prog__ = 'Rsa2048Sha256Sign'
> __version__ = '%s Version %s' % (__prog__, '0.9 ' + gBUILD_VERSION)
> -__copyright__ = 'Copyright (c) 2013 - 2014, Intel Corporation. All rights
> reserved.'
> +__copyright__ = 'Copyright (c) 2013 - 2016, Intel Corporation. All rights
> reserved.'
> __usage__ = '%s -e|-d [options] <input_file>' % (__prog__)
>
> #
> # GUID for SHA 256 Hash Algorithm from UEFI Specification
> #
> @@ -64,10 +64,11 @@ if __name__ == '__main__':
> parser = argparse.ArgumentParser(prog=__prog__, version=__version__,
> usage=__usage__, description=__copyright__, conflict_handler='resolve')
> group = parser.add_mutually_exclusive_group(required=True)
> group.add_argument("-e", action="store_true", dest='Encode',
> help='encode file')
> group.add_argument("-d", action="store_true", dest='Decode',
> help='decode file')
> parser.add_argument("-o", "--output", dest='OutputFile', type=str,
> metavar='filename', help="specify the output filename", required=True)
> + parser.add_argument("--monotonic-count", dest='MonotonicCountStr',
> type=str, help="specify the MonotonicCount in FMP capsule.")
> parser.add_argument("--private-key", dest='PrivateKeyFile',
> type=argparse.FileType('rb'), help="specify the private key filename. If not
> specified, a test signing key is used.")
> parser.add_argument("-v", "--verbose", dest='Verbose',
> action="store_true", help="increase output messages")
> parser.add_argument("-q", "--quiet", dest='Quiet', action="store_true",
> help="reduce output messages")
> parser.add_argument("--debug", dest='Debug', type=int, metavar='[0-9]',
> choices=range(0,10), default=0, help="set debug level")
> parser.add_argument(metavar="input_file", dest='InputFile',
> type=argparse.FileType('rb'), help="specify the input filename")
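Review bot: the help text on the new `--monotonic-count` add_argument line should state what the option accepts, because the parsing added later in this patch takes a decimal value or a `0x`-prefixed hex value and discards anything else without a message; something like `help="specify the 64-bit MonotonicCount (decimal or 0x-prefixed hex) that is signed together with the FMP capsule image"` tells the caller both the format and why the value matters to verification. The module docstring now mentions FMP capsules but `__usage__` is unchanged; the new option belongs there too.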
> @@ -153,17 +154,30 @@ if __name__ == '__main__':
> while len(PublicKeyHexString) > 0:
> PublicKey = PublicKey + chr(int(PublicKeyHexString[0:2],16))
> PublicKeyHexString=PublicKeyHexString[2:]
> if Process.returncode <> 0:
> sys.exit(Process.returncode)
> -
> +
> + if args.MonotonicCountStr:
> + try:
> + if args.MonotonicCountStr.upper().startswith('0X'):
> + args.MonotonicCountValue = (long)(args.MonotonicCountStr, 16)
> + else:
> + args.MonotonicCountValue = (long)(args.MonotonicCountStr)
> + except:
> + pass
> +
> if args.Encode:
> + FullInputFileBuffer = args.InputFileBuffer
> + if args.MonotonicCountStr:
> + format = "Q%ds" % len(args.InputFileBuffer)
> + FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> #
> # Sign the input file using the specified private key and capture signature
> from STDOUT
> #
> Process = subprocess.Popen('%s sha256 -sign "%s"' % (OpenSslCommand,
> args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE,
> stderr=subprocess.PIPE)
> - Signature = Process.communicate(input=args.InputFileBuffer)[0]
> + Signature = Process.communicate(input=FullInputFileBuffer)[0]
> if Process.returncode <> 0:
> sys.exit(Process.returncode)
>
> #
> # Write output file that contains hash GUID, Public Key, Signature, and
> Input data
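Review bot: the `except: pass` in the new MonotonicCountStr block swallows a malformed count, so `args.MonotonicCountValue` is never assigned and the `struct.pack(format, args.MonotonicCountValue, ...)` further down fails with an AttributeError that points nowhere near the real cause; catch `ValueError` instead, print an error that names the rejected value, and `sys.exit(1)` (a bare `except:` also traps KeyboardInterrupt and SystemExit). Three smaller points on the same lines: `(long)(args.MonotonicCountStr, 16)` is just `long(args.MonotonicCountStr, 16)`, the extra parentheses read like a C cast; `"Q%ds"` packs the count in native byte order, so a signature produced on a big-endian host would not verify against the little-endian UINT64 the firmware hashes, and `"<Q%ds"` pins the layout; and `format` shadows a builtin, `PackFormat` or similar is clearer. The diff shows no `import struct`, so confirm the module already imports it, and consider rejecting values outside the UINT64 range up front rather than letting `struct.pack` raise `struct.error`.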
> @@ -194,20 +208,25 @@ if __name__ == '__main__':
> #
> if Header.PublicKey <> PublicKey:
> print 'ERROR: Public key in input file does not match public key from
> private key file'
> sys.exit(1)
>
> + FullInputFileBuffer = args.InputFileBuffer
> + if args.MonotonicCountStr:
> + format = "Q%ds" % len(args.InputFileBuffer)
> + FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> +
> #
> # Write Signature to output file
> #
> open(args.OutputFileName, 'wb').write(Header.Signature)
>
> #
> # Verify signature
> #
> Process = subprocess.Popen('%s sha256 -prverify "%s" -signature %s' %
> (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName),
> stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> - Process.communicate(args.InputFileBuffer)
> + Process.communicate(input=FullInputFileBuffer)
> if Process.returncode <> 0:
> print 'ERROR: Verification failed'
> os.remove (args.OutputFileName)
> sys.exit(Process.returncode)
>
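Review bot: the `FullInputFileBuffer` block added here is a verbatim copy of the one in the encode path; factor it into a small helper such as `GetFullInputFileBuffer(args)` called from both branches so the bytes that are signed and the bytes that are verified cannot drift apart in a later edit. Also note the behaviour this hunk introduces: verification now runs over the command-line count plus the image, so decoding a capsule that was signed with a count but running without `--monotonic-count` (or with the wrong one) prints 'ERROR: Verification failed' and removes the output file. That is the right outcome, but the message could mention that a missing or mismatched monotonic count is one cause, since the signature itself is otherwise correct.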
> --
> 2.6.1.windows.1