Message-ID: <6011bbdb-028d-46c1-9e52-2b55819686de@bsdio.com>
Date: Thu, 21 Nov 2024 11:41:34 -0700
Subject: Re: [edk2-devel] Capsule validation tool?
To: devel@edk2.groups.io, james.last@amd.com
From: "Rebecca Cran" <rebecca@bsdio.com>

Not sure if you want to use the same tool again, but GenerateCapsule can be used to validate them too - it runs 'openssl smime -verify'.

e.g.:

bcran@delano:/tiano> GenerateCapsule --signer-private-cert certs/cert.pem --other-public-cert certs/intermediate.pub.pem --trusted-public-cert certs/root.pub.pem -d ./Build/ComHpcAlt/comhpcalt_host_debug_24.11.21-10.cap -o out.bin
bcran@delano:/tiano>

When there's no output, verification passed. Otherwise a message will be displayed (though the exit code is still 0, which I guess is a bug). If I edit the capsule file or pass in the wrong certificate file, then I get:

Verification failure
E06A93BAFFFF0000:error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:296:Verify error: unable to get local issuer certificate
GenerateCapsule: warning: payload verification failed Index = 1
GenerateCapsule: error: openssl failed.

Otherwise, similar to Mike's suggestion of using CapsuleApp, you can also build a cabinet file and run e.g. "fwupdtool install comhpcalt_host_debug_24.11.21-10.cab" from the test machine to check if the verification succeeds and the capsule gets installed.

Rebecca

On 11/18/24 12:15 PM, james.last via groups.io wrote:
> We're working on a tool similar to GenerateCapsule but uses HSM-based keys to perform the signing instead of a local key file. Is there a standalone tool or recommended method to validate the capsules are generated correctly using the cert chain?

View/Reply Online (#120812): https://edk2.groups.io/g/devel/message/120812
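The openssl step the reply refers to, as an added example that is not part of the thread and not edk2's GenerateCapsule code: it builds a throwaway root -> intermediate -> signer chain, produces a detached PKCS7 (DER) signature over a constructed payload with `openssl smime -sign`, and verifies it with `openssl smime -verify`, returning openssl's own exit status so that a tampered payload or a wrong trust anchor is reported as a failure both on stdout and in `$?` (the reply notes GenerateCapsule itself still exits 0 on a failed verification). The file names, certificate subjects and the payload bytes are all made up for the example; it assumes an `openssl` binary (1.1.1 or 3.x) with its stock config on the path, and that GenerateCapsule's signing step has the same detached-DER, SHA-256, intermediate-embedded shape (an assumption, not something the thread states).

```shell
#!/bin/sh
# Constructed, stand-alone check of the openssl step GenerateCapsule wraps:
# throwaway root -> intermediate -> signer chain, a detached PKCS7 (DER)
# signature over a payload, and a verify that keeps openssl's real exit code.
# Every file name, subject and payload byte here is made up for the example.
set -u

WORK="${WORK:-$(mktemp -d)}"

# Throwaway three-tier chain. Only the root is handed to the verifier as
# trusted; the intermediate travels inside the signature via -certfile.
make_test_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' \
    > "$WORK/leaf.ext"

  # Root: CSR, then self-signed with the CA extensions.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root' \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pub.pem" 2>/dev/null

  # Intermediate, issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/intermediate.csr" \
    -CA "$WORK/root.pub.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" -out "$WORK/intermediate.pub.pem" 2>/dev/null

  # Signer (leaf), issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Signer' \
    -keyout "$WORK/signer.key" -out "$WORK/signer.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/signer.csr" \
    -CA "$WORK/intermediate.pub.pem" -CAkey "$WORK/intermediate.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/signer.pub.pem" 2>/dev/null
}

# Sign payload $1 into $2: detached PKCS7 in DER, SHA-256, intermediate
# embedded (assumed to match the shape GenerateCapsule's signing produces).
sign_payload() {
  openssl smime -sign -binary -outform DER -md sha256 \
    -signer "$WORK/signer.pub.pem" -inkey "$WORK/signer.key" \
    -certfile "$WORK/intermediate.pub.pem" -in "$1" -out "$2"
}

# Verify payload $1 against detached signature $2 with trust anchor file $3.
# Returns openssl's own status: 0 only if the chain builds to $3 and the
# digest matches; tampering or a wrong root gives a non-zero status.
verify_payload() {
  openssl smime -verify -binary -inform DER -in "$2" -content "$1" \
    -CAfile "$3" -out /dev/null
}

# Wrapper whose stdout and exit status agree, in contrast to the
# exit-0-on-failure behaviour the thread reports for GenerateCapsule.
check_capsule() {
  if verify_payload "$1" "$2" "$3" 2>/dev/null; then
    echo PASS
    return 0
  fi
  echo FAIL
  return 1
}

demo() {
  make_test_chain
  printf 'constructed capsule payload, not a real FMP image\n' > "$WORK/payload.bin"
  sign_payload "$WORK/payload.bin" "$WORK/payload.p7"
  # One appended byte is enough to break the signed digest.
  cp "$WORK/payload.bin" "$WORK/tampered.bin"
  printf 'X' >> "$WORK/tampered.bin"

  echo "good payload, right root:     $(check_capsule "$WORK/payload.bin" "$WORK/payload.p7" "$WORK/root.pub.pem")"
  echo "tampered payload, right root: $(check_capsule "$WORK/tampered.bin" "$WORK/payload.p7" "$WORK/root.pub.pem")"
  # A cert that is not self-signed is not accepted as a trust anchor by
  # default, so this fails with "unable to get local issuer certificate",
  # the same error the reply shows for a wrong certificate file.
  echo "good payload, wrong root:     $(check_capsule "$WORK/payload.bin" "$WORK/payload.p7" "$WORK/intermediate.pub.pem")"
}

demo
```

To point this at a real artefact instead of the constructed payload, call `check_capsule <payload> <detached.p7> <root.pem>` with the payload bytes the signature was computed over; the useful property is that the exit status of `check_capsule` (and of `verify_payload` underneath it) is non-zero on any failure, which is what a CI job or a signing-service smoke test should key on rather than on the absence of output.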