From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Gao, Liming"
To: "Yao, Jiewen", "Zhu, Yonghong", "edk2-devel@lists.01.org"
Date: Mon, 17 Oct 2016 05:20:34 +0000
Subject: Re: [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload
Message-ID: <4A89E2EF3DFEDB4C8BFDE51014F606A14B4951C8@shsmsx102.ccr.corp.intel.com>
References: <1476449817-11632-1-git-send-email-yonghong.zhu@intel.com> <74D8A39837DF1E4DA445A8C0B3885C50386B1955@shsmsx102.ccr.corp.intel.com>
In-Reply-To: <74D8A39837DF1E4DA445A8C0B3885C50386B1955@shsmsx102.ccr.corp.intel.com>
List-Id: EDK II Development

Reviewed-by: Liming Gao

> -----Original Message-----
> From: Yao, Jiewen
> Sent: Friday, October 14, 2016 9:11 PM
> To: Zhu, Yonghong ; edk2-devel@lists.01.org
> Cc: Gao, Liming
> Subject: RE: [edk2] [Patch] BaseTools: Update sign tool to make
> MonotonicCount *after* Payload
>
> Reviewed-by: jiewen.yao@intel.com
> Tested-by: Jiewen.yao@intel.com
>
>
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> > Yonghong Zhu
> > Sent: Friday, October 14, 2016 8:57 PM
> > To: edk2-devel@lists.01.org
> > Cc: Yao, Jiewen ; Gao, Liming
> >
> > Subject: [edk2] [Patch] BaseTools: Update sign tool to make
> > MonotonicCount *after* Payload
> >
> > The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec
> > mentions that it is a signature across the image data and the
> > Monotonic Count value. After clarification, when we do the signature
> > calculation, we put MonotonicCount after Payload.
> >
> > Cc: Liming Gao
> > Cc: Jiewen Yao
> > Contributed-under: TianoCore Contribution Agreement 1.0
> > Signed-off-by: Yonghong Zhu
> > ---
> >  BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py                 | 8 ++++----
> >  BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8 ++++----
> >  2 files changed, 8 insertions(+), 8 deletions(-)
> >
> > diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > index b9f8c06..f0b2d8a 100644
> > --- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > +++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > @@ -195,12 +195,12 @@ if __name__ =3D=3D '__main__': > > args.OtherPublicCertFile.close() > > except: > > print 'ERROR: test other public cert file %s missing' % > > (args.OtherPublicCertFileName) > > sys.exit(1) > > > > - format =3D "Q%ds" % len(args.InputFileBuffer) > > - FullInputFileBuffer =3D struct.pack(format,args.MonotonicCountValu= e, > > args.InputFileBuffer) > > + format =3D "%dsQ" % len(args.InputFileBuffer) > > + FullInputFileBuffer =3D struct.pack(format, args.InputFileBuffer, > > args.MonotonicCountValue) > > > > # > > # Sign the input file using the specified private key and capture > > signature from STDOUT > > # > > Process =3D subprocess.Popen('%s smime -sign -binary -signer "%s" > > -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand, > > args.SignerPrivateCertFileName, args.OtherPublicCertFileName), > > stdin=3Dsubprocess.PIPE, stdout=3Dsubprocess.PIPE, stderr=3Dsubprocess.= PIPE) > > @@ -259,12 +259,12 @@ if __name__ =3D=3D '__main__': > > sys.exit(1) > > > > args.SignatureBuffer =3D args.InputFileBuffer[0:SignatureSize] > > args.InputFileBuffer =3D args.InputFileBuffer[SignatureSize:] > > > > - format =3D "Q%ds" % len(args.InputFileBuffer) > > - FullInputFileBuffer =3D struct.pack(format,args.MonotonicCountValu= e, > > args.InputFileBuffer) > > + format =3D "%dsQ" % len(args.InputFileBuffer) > > + FullInputFileBuffer =3D struct.pack(format, args.InputFileBuffer, > > args.MonotonicCountValue) > > > > # > > # Save output file contents from input file > > # > > open(args.OutputFileName, 'wb').write(FullInputFileBuffer) > > diff --git > > a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py > > b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py > > index 3410668..199ebec 100644 > > --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py > > +++ > b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py 
> > @@ -167,12 +167,12 @@ if __name__ =3D=3D '__main__': > > pass > > > > if args.Encode: > > FullInputFileBuffer =3D args.InputFileBuffer > > if args.MonotonicCountStr: > > - format =3D "Q%ds" % len(args.InputFileBuffer) > > - FullInputFileBuffer =3D struct.pack(format,args.MonotonicCountVa= lue, > > args.InputFileBuffer) > > + format =3D "%dsQ" % len(args.InputFileBuffer) > > + FullInputFileBuffer =3D struct.pack(format, args.InputFileBuffer= , > > args.MonotonicCountValue) > > # > > # Sign the input file using the specified private key and capture > > signature from STDOUT > > # > > Process =3D subprocess.Popen('%s sha256 -sign "%s"' % > > (OpenSslCommand, args.PrivateKeyFileName), stdin=3Dsubprocess.PIPE, > > stdout=3Dsubprocess.PIPE, stderr=3Dsubprocess.PIPE) > > Signature =3D Process.communicate(input=3DFullInputFileBuffer)[0] > > @@ -210,12 +210,12 @@ if __name__ =3D=3D '__main__': > > print 'ERROR: Public key in input file does not match public key= from > > private key file' > > sys.exit(1) > > > > FullInputFileBuffer =3D args.InputFileBuffer > > if args.MonotonicCountStr: > > - format =3D "Q%ds" % len(args.InputFileBuffer) > > - FullInputFileBuffer =3D struct.pack(format,args.MonotonicCountVa= lue, > > args.InputFileBuffer) > > + format =3D "%dsQ" % len(args.InputFileBuffer) > > + FullInputFileBuffer =3D struct.pack(format, args.InputFileBuffer= , > > args.MonotonicCountValue) > > > > # > > # Write Signature to output file > > # > > open(args.OutputFileName, 'wb').write(Header.Signature) > > -- > > 2.6.1.windows.1 > > > > _______________________________________________ > > edk2-devel mailing list > > edk2-devel@lists.01.org > > https://lists.01.org/mailman/listinfo/edk2-devel
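Review bot: In both Pkcs7Sign.py hunks (the sign path at @@ -195 and the verify path at @@ -259) the new format string `"%dsQ" % len(args.InputFileBuffer)` is interpreted by `struct.pack` in native mode, which aligns the `Q` member to the C compiler's alignment for unsigned long long (8 bytes on x86-64, 4 with some 32-bit compilers). Whenever the payload length is not a multiple of that alignment, the packed buffer gains zero pad bytes between Payload and MonotonicCount, so the bytes that OpenSSL signs (or verifies) differ from the plain Payload || MonotonicCount layout that a consumer building the buffer from the spec definition would hash. The old `"Q%ds"` layout never hit this because the UINT64 came first. Suggest `format = "<%dsQ" % len(args.InputFileBuffer)` so the count is emitted as an unpadded little-endian UINT64 on every host. The verify path at @@ -259 also now writes `FullInputFileBuffer` with the count last to the output file, so the commit message should state that images signed under the previous count-first layout no longer verify with the updated tool and cite the spec section that was clarified.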
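Review bot: The two Rsa2048Sha256Sign.py hunks (encode at @@ -167, decode at @@ -210) have the same native-alignment problem as the new format string: with `"%dsQ"` and no byte-order prefix, `struct.pack` inserts pad bytes before the UINT64 whenever `len(args.InputFileBuffer)` is not a multiple of the host's long long alignment, so the signed bytes depend on the build host. Use `"<%dsQ"` in both places so sign and verify compute the same unpadded little-endian layout everywhere. Since the count is only appended when `args.MonotonicCountStr` is set, the decode run at @@ -210 must be given the same MonotonicCount as the encode run or it reconstructs a different `FullInputFileBuffer`; worth a one-line comment above the `if args.MonotonicCountStr:` branch. Minor, pre-existing style point: the local `format` shadows the Python builtin of that name.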
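As an added example (not code from this thread or from the edk2 sign tools), the following shows the Payload || MonotonicCount layout the patch switches to, the count-first layout it replaces, and why the byte-order prefix matters: `pack_signed_data` uses `"<%dsQ"`, while `native_padding` measures how many pad bytes the patch's prefix-less `"%dsQ"` would insert on the running interpreter. The function names, the 13-byte sample payload and the sample count are all constructed for this example.

```python
import hashlib
import struct


def pack_signed_data(payload: bytes, monotonic_count: int) -> bytes:
    """Return Payload || MonotonicCount (UINT64, little-endian).

    '<' selects standard sizing, so struct never inserts alignment padding
    between the byte string and the UINT64, whatever the host platform.
    """
    if not 0 <= monotonic_count < 2 ** 64:
        raise ValueError("MonotonicCount must fit in a UINT64")
    return struct.pack("<%dsQ" % len(payload), payload, monotonic_count)


def pack_legacy(payload: bytes, monotonic_count: int) -> bytes:
    """The pre-patch layout, MonotonicCount || Payload, for comparison."""
    return struct.pack("<Q%ds" % len(payload), monotonic_count, payload)


def split_signed_data(buf: bytes) -> tuple:
    """Inverse of pack_signed_data: the trailing 8 bytes are the count."""
    if len(buf) < 8:
        raise ValueError("buffer shorter than a MonotonicCount")
    return buf[:-8], struct.unpack("<Q", buf[-8:])[0]


def native_padding(payload_len: int) -> int:
    """Pad bytes that the native-mode format "%dsQ" (no '<' prefix, as in
    the patch) places before the UINT64 on this interpreter and platform.
    Zero only when payload_len is a multiple of the host's Q alignment."""
    return struct.calcsize("%dsQ" % payload_len) - payload_len - 8


def signed_digest(payload: bytes, monotonic_count: int) -> str:
    """SHA-256 over exactly the bytes handed to the signer; signer and
    verifier must agree on this layout or authentication fails."""
    return hashlib.sha256(pack_signed_data(payload, monotonic_count)).hexdigest()


# Constructed sample input: 13 bytes, deliberately not a multiple of 8.
SAMPLE_PAYLOAD = b"FMP-CAPSULE!!"
SAMPLE_COUNT = 0x0102030405060708

if __name__ == "__main__":
    blob = pack_signed_data(SAMPLE_PAYLOAD, SAMPLE_COUNT)
    print("standard layout, bytes:", len(blob))
    print("native '%dsQ' pad bytes:", native_padding(len(SAMPLE_PAYLOAD)))
    print("sha256 of signed bytes:", signed_digest(SAMPLE_PAYLOAD, SAMPLE_COUNT))
```

On an x86-64 host `native_padding(13)` returns 3, which is the number of bytes by which a prefix-less format would silently shift the count inside the signed data; the '<' form never pads, so the signed bytes are the same on every build machine.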