public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Gao, Liming" <liming.gao@intel.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>,
	"Zhu, Yonghong" <yonghong.zhu@intel.com>,
	"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Subject: Re: [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload
Date: Mon, 17 Oct 2016 05:20:34 +0000	[thread overview]
Message-ID: <4A89E2EF3DFEDB4C8BFDE51014F606A14B4951C8@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <74D8A39837DF1E4DA445A8C0B3885C50386B1955@shsmsx102.ccr.corp.intel.com>

Reviewed-by: Liming Gao <liming.gao@intel.com>

> -----Original Message-----
> From: Yao, Jiewen
> Sent: Friday, October 14, 2016 9:11 PM
> To: Zhu, Yonghong <yonghong.zhu@intel.com>; edk2-devel@lists.01.org
> Cc: Gao, Liming <liming.gao@intel.com>
> Subject: RE: [edk2] [Patch] BaseTools: Update sign tool to make
> MonotonicCount *after* Payload
> 
> Reviewed-by: jiewen.yao@intel.com
> Tested-by: Jiewen.yao@intel.com
> 
> 
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> > Yonghong Zhu
> > Sent: Friday, October 14, 2016 8:57 PM
> > To: edk2-devel@lists.01.org
> > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Gao, Liming
> > <liming.gao@intel.com>
> > Subject: [edk2] [Patch] BaseTools: Update sign tool to make
> > MonotonicCount *after* Payload
> >
> > The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec
> > mentioned that It is a signature across the image data and the
> > Monotonic Count value. After clarification, we do the signature
> > calculation, we put MonotonicCount after Payload.
> >
> > Cc: Liming Gao <liming.gao@intel.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Contributed-under: TianoCore Contribution Agreement 1.0
> > Signed-off-by: Yonghong Zhu <yonghong.zhu@intel.com>
> > ---
> >  BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py                 | 8
> > ++++----
> >  BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8
> > ++++----
> >  2 files changed, 8 insertions(+), 8 deletions(-)
> >
> > diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > index b9f8c06..f0b2d8a 100644
> > --- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > +++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > @@ -195,12 +195,12 @@ if __name__ == '__main__':
> >          args.OtherPublicCertFile.close()
> >        except:
> >          print 'ERROR: test other public cert file %s missing' %
> > (args.OtherPublicCertFileName)
> >          sys.exit(1)
> >
> > -    format = "Q%ds" % len(args.InputFileBuffer)
> > -    FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> > args.InputFileBuffer)
> > +    format = "%dsQ" % len(args.InputFileBuffer)
> > +    FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> > args.MonotonicCountValue)
> >
> >      #
> >      # Sign the input file using the specified private key and capture
> > signature from STDOUT
> >      #
> >      Process = subprocess.Popen('%s smime -sign -binary -signer "%s"
> > -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand,
> > args.SignerPrivateCertFileName, args.OtherPublicCertFileName),
> > stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> > @@ -259,12 +259,12 @@ if __name__ == '__main__':
> >          sys.exit(1)
> >
> >      args.SignatureBuffer = args.InputFileBuffer[0:SignatureSize]
> >      args.InputFileBuffer = args.InputFileBuffer[SignatureSize:]
> >
> > -    format = "Q%ds" % len(args.InputFileBuffer)
> > -    FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> > args.InputFileBuffer)
> > +    format = "%dsQ" % len(args.InputFileBuffer)
> > +    FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> > args.MonotonicCountValue)
> >
> >      #
> >      # Save output file contents from input file
> >      #
> >      open(args.OutputFileName, 'wb').write(FullInputFileBuffer)
> > diff --git
> > a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > index 3410668..199ebec 100644
> > --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > +++
> b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > @@ -167,12 +167,12 @@ if __name__ == '__main__':
> >          pass
> >
> >    if args.Encode:
> >      FullInputFileBuffer = args.InputFileBuffer
> >      if args.MonotonicCountStr:
> > -      format = "Q%ds" % len(args.InputFileBuffer)
> > -      FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> > args.InputFileBuffer)
> > +      format = "%dsQ" % len(args.InputFileBuffer)
> > +      FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> > args.MonotonicCountValue)
> >      #
> >      # Sign the input file using the specified private key and capture
> > signature from STDOUT
> >      #
> >      Process = subprocess.Popen('%s sha256 -sign "%s"' %
> > (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE,
> > stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> >      Signature = Process.communicate(input=FullInputFileBuffer)[0]
> > @@ -210,12 +210,12 @@ if __name__ == '__main__':
> >        print 'ERROR: Public key in input file does not match public key from
> > private key file'
> >        sys.exit(1)
> >
> >      FullInputFileBuffer = args.InputFileBuffer
> >      if args.MonotonicCountStr:
> > -      format = "Q%ds" % len(args.InputFileBuffer)
> > -      FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> > args.InputFileBuffer)
> > +      format = "%dsQ" % len(args.InputFileBuffer)
> > +      FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> > args.MonotonicCountValue)
> >
> >      #
> >      # Write Signature to output file
> >      #
> >      open(args.OutputFileName, 'wb').write(Header.Signature)
> > --
> > 2.6.1.windows.1
> >
> > _______________________________________________
> > edk2-devel mailing list
> > edk2-devel@lists.01.org
> > https://lists.01.org/mailman/listinfo/edk2-devel


      reply	other threads:[~2016-10-17  5:20 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-10-14 12:56 [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload Yonghong Zhu
2016-10-14 13:10 ` Yao, Jiewen
2016-10-17  5:20   ` Gao, Liming [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4A89E2EF3DFEDB4C8BFDE51014F606A14B4951C8@shsmsx102.ccr.corp.intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox