From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by ml01.01.org (Postfix) with ESMTP id E9E031A1E05 for ; Thu, 18 Aug 2016 22:41:14 -0700 (PDT) Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga102.jf.intel.com with ESMTP; 18 Aug 2016 22:41:14 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.28,543,1464678000"; d="scan'208";a="1017136243" Received: from fmsmsx105.amr.corp.intel.com ([10.18.124.203]) by orsmga001.jf.intel.com with ESMTP; 18 Aug 2016 22:41:15 -0700 Received: from shsmsx151.ccr.corp.intel.com (10.239.6.50) by FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS) id 14.3.248.2; Thu, 18 Aug 2016 22:41:14 -0700 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.147]) by SHSMSX151.ccr.corp.intel.com ([169.254.3.150]) with mapi id 14.03.0248.002; Fri, 19 Aug 2016 13:41:11 +0800 
From: "Gao, Liming" To: "Zhu, Yonghong" , "edk2-devel@lists.01.org" Thread-Topic: [Patch 2/3] BaseTools: Rsa2048Sha256Sign add new option to support Monotonic count Thread-Index: AQHR9s2Xw1F6Wo8nWUqUeYWYE1vTLKBPyvaQ Date: Fri, 19 Aug 2016 05:41:10 +0000 Message-ID: <4A89E2EF3DFEDB4C8BFDE51014F606A1155ECE83@shsmsx102.ccr.corp.intel.com> References: <1471249059-95652-1-git-send-email-yonghong.zhu@intel.com> <1471249059-95652-3-git-send-email-yonghong.zhu@intel.com> In-Reply-To: <1471249059-95652-3-git-send-email-yonghong.zhu@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [Patch 2/3] BaseTools: Rsa2048Sha256Sign add new option to support Monotonic count X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Aug 2016 05:41:15 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Liming Gao > -----Original Message----- > From: Zhu, Yonghong > Sent: Monday, August 15, 2016 4:18 PM > To: edk2-devel@lists.01.org > Cc: Gao, Liming > Subject: [Patch 2/3] BaseTools: Rsa2048Sha256Sign add new option to > support Monotonic count >=20 > the EFI_FIRMWARE_IMAGE_AUTHENTICATION struct require the AuthInfo > which > is a signature across the image data and the Monotonic Count value, so we > add the new option to support Monotonic count. >=20 > Cc: Liming Gao > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Yonghong Zhu > --- > .../Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 31 > +++++++++++++++++----- > 1 file changed, 25 insertions(+), 6 deletions(-) >=20 > diff --git > a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py > b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py > index b3254d8..3410668 100644 
> --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> +++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> @@ -1,12 +1,12 @@
> ## @file
> -# This tool encodes and decodes GUIDed FFS sections for a GUID type of
> +# This tool encodes and decodes GUIDed FFS sections or FMP capsule for a > GUID type of
> # EFI_CERT_TYPE_RSA2048_SHA256_GUID defined in the UEFI 2.4 > Specification as
> # {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x= 35, > 0xbf}}
> # This tool has been tested with OpenSSL 1.0.1e 11 Feb 2013
> #
> -# Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
> +# Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
> # This program and the accompanying materials
> # are licensed and made available under the terms and conditions of the = BSD > License
> # which accompanies this distribution. The full text of the license may= be > found at
> # http://opensource.org/licenses/bsd-license.php
> #
> @@ -30,11 +30,11 @@ from Common.BuildVersion import gBUILD_VERSION
> #
> # Globals for help information
> #
> __prog__ =3D 'Rsa2048Sha256Sign'
> __version__ =3D '%s Version %s' % (__prog__, '0.9 ' + gBUILD_VERSION)
> -__copyright__ =3D 'Copyright (c) 2013 - 2014, Intel Corporation. All rig= hts > reserved.'
> +__copyright__ =3D 'Copyright (c) 2013 - 2016, Intel Corporation. All rig= hts > reserved.'
> __usage__ =3D '%s -e|-d [options] ' % (__prog__)
>=20
> #
> # GUID for SHA 256 Hash Algorithm from UEFI Specification
> #
> @@ -64,10 +64,11 @@ if __name__ =3D=3D '__main__':
> parser =3D argparse.ArgumentParser(prog=3D__prog__, version=3D__versio= n__, > usage=3D__usage__, description=3D__copyright__, conflict_handler=3D'resol= ve')
> group =3D parser.add_mutually_exclusive_group(required=3DTrue)
> group.add_argument("-e", action=3D"store_true", dest=3D'Encode', > help=3D'encode file')
> group.add_argument("-d", action=3D"store_true", dest=3D'Decode', > help=3D'decode file')
> parser.add_argument("-o", "--output", dest=3D'OutputFile', type=3Dstr, > metavar=3D'filename', help=3D"specify the output filename", required=3DTr= ue)
> + parser.add_argument("--monotonic-count", dest=3D'MonotonicCountStr', > type=3Dstr, help=3D"specify the MonotonicCount in FMP capsule.")
> parser.add_argument("--private-key", dest=3D'PrivateKeyFile', > type=3Dargparse.FileType('rb'), help=3D"specify the private key filename.= If not > specified, a test signing key is used.")
> parser.add_argument("-v", "--verbose", dest=3D'Verbose', > action=3D"store_true", help=3D"increase output messages")
> parser.add_argument("-q", "--quiet", dest=3D'Quiet', action=3D"store_t= rue", > help=3D"reduce output messages")
> parser.add_argument("--debug", dest=3D'Debug', type=3Dint, metavar=3D'= [0-9]', > choices=3Drange(0,10), default=3D0, help=3D"set debug level")
> parser.add_argument(metavar=3D"input_file", dest=3D'InputFile', > type=3Dargparse.FileType('rb'), help=3D"specify the input filename")
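Review bot: The help string for the new `--monotonic-count` option does not say which number formats are accepted, nor that the value becomes part of the signed data, so a `-d` run needs the same value that was given to `-e`. Something like `help="MonotonicCount (decimal or 0x-prefixed hex) signed together with the FMP capsule payload; pass the same value to -d."` would cover both. The context line for `--private-key` shows that a test signing key is the default, and with this change that default also applies to capsule signing, so the tool's documentation should say that release capsules must always be signed with an explicit `--private-key`. The `if __name__` block starts and ends outside the hunk.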
> @@ -153,17 +154,30 @@ if __name__ =3D=3D '__main__':
> while len(PublicKeyHexString) > 0:
> PublicKey =3D PublicKey + chr(int(PublicKeyHexString[0:2],16))
> PublicKeyHexString=3DPublicKeyHexString[2:]
> if Process.returncode <> 0:
> sys.exit(Process.returncode)
> -
> +
> + if args.MonotonicCountStr:
> + try:
> + if args.MonotonicCountStr.upper().startswith('0X'):
> + args.MonotonicCountValue =3D (long)(args.MonotonicCountStr, 16)
> + else:
> + args.MonotonicCountValue =3D (long)(args.MonotonicCountStr)
> + except:
> + pass
> +
> if args.Encode:
> + FullInputFileBuffer =3D args.InputFileBuffer
> + if args.MonotonicCountStr:
> + format =3D "Q%ds" % len(args.InputFileBuffer)
> + FullInputFileBuffer =3D struct.pack(format,args.MonotonicCountValu= e, > args.InputFileBuffer)
> #
> # Sign the input file using the specified private key and capture si= gnature > from STDOUT
> #
> Process =3D subprocess.Popen('%s sha256 -sign "%s"' % (OpenSslComman= d, > args.PrivateKeyFileName), stdin=3Dsubprocess.PIPE, stdout=3Dsubprocess.PI= PE, > stderr=3Dsubprocess.PIPE)
> - Signature =3D Process.communicate(input=3Dargs.InputFileBuffer)[0]
> + Signature =3D Process.communicate(input=3DFullInputFileBuffer)[0]
> if Process.returncode <> 0:
> sys.exit(Process.returncode)
>=20
> #
> # Write output file that contains hash GUID, Public Key, Signature, = and > Input data
> #
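Review bot: The bare `except: pass` around the count conversion hides a malformed `--monotonic-count`: `args.MonotonicCountValue` is then never set, and the first `struct.pack` that uses it (in the encode branch here, and again in the decode hunk at -194) fails with an unrelated AttributeError instead of a clear message. Because this value is folded into the signed data, bad or out-of-range input is better rejected up front; the fence shows the handler narrowed to ValueError plus a 64-bit range check. Separately, `"Q%ds"` packs in native byte order, so the signed bytes depend on the build host; an explicit `"<Q%ds"` would pin it, assuming the consumer expects little-endian, and the count-before-data order should be confirmed against the firmware-side verifier, which is not visible here. The `if __name__` block starts and ends outside the hunk.

```python
  if args.MonotonicCountStr:
    try:
      # ... unchanged: hex / decimal conversion into args.MonotonicCountValue ...
    except ValueError:
      print 'ERROR: --monotonic-count must be a decimal or 0x-prefixed hexadecimal number'
      sys.exit(1)
    if not 0 <= args.MonotonicCountValue <= 0xFFFFFFFFFFFFFFFF:
      print 'ERROR: --monotonic-count must fit in an unsigned 64-bit field'
      sys.exit(1)
```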
> @@ -194,20 +208,25 @@ if __name__ =3D=3D '__main__':
> #
> if Header.PublicKey <> PublicKey:
> print 'ERROR: Public key in input file does not match public key f= rom > private key file'
> sys.exit(1)
>=20
> + FullInputFileBuffer =3D args.InputFileBuffer
> + if args.MonotonicCountStr:
> + format =3D "Q%ds" % len(args.InputFileBuffer)
> + FullInputFileBuffer =3D struct.pack(format,args.MonotonicCountValu= e, > args.InputFileBuffer)
> +
> #
> # Write Signature to output file
> #
> open(args.OutputFileName, 'wb').write(Header.Signature)
>=20
> #
> # Verify signature
> #
> Process =3D subprocess.Popen('%s sha256 -prverify "%s" -signature %s= ' % > (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), > stdin=3Dsubprocess.PIPE, stdout=3Dsubprocess.PIPE, stderr=3Dsubprocess.PI= PE)
> - Process.communicate(args.InputFileBuffer)
> + Process.communicate(input=3DFullInputFileBuffer)
> if Process.returncode <> 0:
> print 'ERROR: Verification failed'
> os.remove (args.OutputFileName)
> sys.exit(Process.returncode)
>=20
> --
> 2.6.1.windows.1
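Review bot: The lines that build `FullInputFileBuffer` in the decode branch are a copy of the ones added to the encode branch, so the layout of the signed bytes is defined in two places that must agree byte for byte. A small module-level helper, for example `def BuildSignedBuffer(Count, Data): return struct.pack("Q%ds" % len(Data), Count, Data)`, called from both branches would keep signer and verifier from drifting apart, and it avoids the local name `format`, which shadows the builtin. When `-d` is run without the count that was used for `-e`, the only output is `ERROR: Verification failed`; a hint about `--monotonic-count` in that message would make the mismatch easier to diagnose. The `if __name__` block starts and ends outside the hunk.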