Subject: Re: [edk2-devel] Interpretation of specification
To: Paulo Henrique Lacerda de Amorim, devel@edk2.groups.io
From: "Eugene Khoruzhenko"
Date: Tue, 07 Jan 2020 10:13:13 -0800
Message-ID: <6038.1578420793574513591@groups.io>

I think I may have found the problem. I can write the file_name.signed created by your scripts in NT32 emulated environment and in EDKII on Minnow board that I build myself. However, I cannot write the file_name.signed on a commercial device. I can write the same authenticated variable with the same Name/GUID and same cert/key on a device when I create the payload in a UEFI Shell app. So the only difference is creating the signed payload by sbvarsign in Ubuntu vs doing it in UEFI. I compared both the working and non-working payloads and the main difference I see is in the timestamp. For some reason sbvarsign writes the Year as 0x0078 (120) vs the UEFI app writing 0x07e4 (2020). The month/day/hour/min seems to be OK, but the year is really off in the sbvarsign's payload. I cannot prove it, but I think the commercial firmware may be having a sanity check for the timestamp date/time, e.g. compare with the device manufacture date. Since sbvarsign does not allow setting a timestamp separately, I cannot force it to create a payload with the correct year.
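The timestamp comparison described in this message can be repeated on any signed payload by decoding the 16-byte EFI_TIME that opens an EFI_VARIABLE_AUTHENTICATION_2 structure and checking it against the ranges the UEFI specification gives for that type. The following is an added example, not part of the original message and not code from sbvarsign or EDK II; the function names are hypothetical and the two sample timestamps are constructed from the year values quoted above.

```python
import struct
import sys

# EFI_TIME per the UEFI specification, 16 bytes little-endian:
# Year u16; Month, Day, Hour, Minute, Second, Pad1 u8; Nanosecond u32;
# TimeZone i16; Daylight u8; Pad2 u8.
EFI_TIME = struct.Struct("<H6BIhBB")
FIELDS = ("year", "month", "day", "hour", "minute", "second", "pad1",
          "nanosecond", "timezone", "daylight", "pad2")

def parse_efi_time(payload: bytes) -> dict:
    """Decode the EFI_TIME at offset 0 of a signed variable payload."""
    if len(payload) < EFI_TIME.size:
        raise ValueError("payload shorter than EFI_TIME (16 bytes)")
    return dict(zip(FIELDS, EFI_TIME.unpack_from(payload, 0)))

def timestamp_problems(t: dict) -> list:
    """List reasons a strict firmware check could reject this timestamp."""
    problems = []
    if not 1900 <= t["year"] <= 9999:
        problems.append(f"year {t['year']} (0x{t['year']:04x}) outside 1900-9999")
    if not 1 <= t["month"] <= 12:
        problems.append(f"month {t['month']} outside 1-12")
    if not 1 <= t["day"] <= 31:
        problems.append(f"day {t['day']} outside 1-31")
    if t["hour"] > 23 or t["minute"] > 59 or t["second"] > 59:
        problems.append("time of day out of range")
    # Time-based authenticated writes require these fields to be zero.
    nonzero = [k for k in FIELDS[6:] if t[k]]
    if nonzero:
        problems.append("non-zero fields: " + ", ".join(nonzero))
    return problems

def make_timestamp(year, month, day, hour, minute, second) -> bytes:
    """Build a constructed 16-byte EFI_TIME (not a complete signed file)."""
    return EFI_TIME.pack(year, month, day, hour, minute, second, 0, 0, 0, 0, 0)

# Constructed samples: same date and time, differing only in the Year field.
YEAR_0078 = make_timestamp(0x0078, 1, 7, 10, 13, 13)  # value seen from sbvarsign
YEAR_07E4 = make_timestamp(0x07E4, 1, 7, 10, 13, 13)  # value seen from the UEFI app

if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the samples.
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [YEAR_0078, YEAR_07E4]
    for blob in blobs:
        t = parse_efi_time(blob)
        print(t["year"], timestamp_problems(t) or "timestamp fields in range")
```

The timestamp is part of the data the signature is computed over, so a payload with an out-of-range year has to be re-signed with a corrected timestamp; editing the two year bytes in place invalidates the signature.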