Re: [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload

From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Zhu, Yonghong" <yonghong.zhu@intel.com>,
	"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Gao, Liming" <liming.gao@intel.com>
Subject: Re: [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload
Date: Fri, 14 Oct 2016 13:10:58 +0000	[thread overview]
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C50386B1955@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <1476449817-11632-1-git-send-email-yonghong.zhu@intel.com>

Reviewed-by: jiewen.yao@intel.com
Tested-by: Jiewen.yao@intel.com


> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Yonghong Zhu
> Sent: Friday, October 14, 2016 8:57 PM
> To: edk2-devel@lists.01.org
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Gao, Liming
> <liming.gao@intel.com>
> Subject: [edk2] [Patch] BaseTools: Update sign tool to make
> MonotonicCount *after* Payload
> 
> The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec
> mentioned that It is a signature across the image data and the
> Monotonic Count value. After clarification, we do the signature
> calculation, we put MonotonicCount after Payload.
> 
> Cc: Liming Gao <liming.gao@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Yonghong Zhu <yonghong.zhu@intel.com>
> ---
>  BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py                 | 8
> ++++----
>  BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8
> ++++----
>  2 files changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> index b9f8c06..f0b2d8a 100644
> --- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> +++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> @@ -195,12 +195,12 @@ if __name__ == '__main__':
>          args.OtherPublicCertFile.close()
>        except:
>          print 'ERROR: test other public cert file %s missing' %
> (args.OtherPublicCertFileName)
>          sys.exit(1)
> 
> -    format = "Q%ds" % len(args.InputFileBuffer)
> -    FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> +    format = "%dsQ" % len(args.InputFileBuffer)
> +    FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
> 
>      #
>      # Sign the input file using the specified private key and capture
> signature from STDOUT
>      #
>      Process = subprocess.Popen('%s smime -sign -binary -signer "%s"
> -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand,
> args.SignerPrivateCertFileName, args.OtherPublicCertFileName),
> stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> @@ -259,12 +259,12 @@ if __name__ == '__main__':
>          sys.exit(1)
> 
>      args.SignatureBuffer = args.InputFileBuffer[0:SignatureSize]
>      args.InputFileBuffer = args.InputFileBuffer[SignatureSize:]
> 
> -    format = "Q%ds" % len(args.InputFileBuffer)
> -    FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> +    format = "%dsQ" % len(args.InputFileBuffer)
> +    FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
> 
>      #
>      # Save output file contents from input file
>      #
>      open(args.OutputFileName, 'wb').write(FullInputFileBuffer)
> diff --git
> a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> index 3410668..199ebec 100644
> --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> +++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> @@ -167,12 +167,12 @@ if __name__ == '__main__':
>          pass
> 
>    if args.Encode:
>      FullInputFileBuffer = args.InputFileBuffer
>      if args.MonotonicCountStr:
> -      format = "Q%ds" % len(args.InputFileBuffer)
> -      FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> +      format = "%dsQ" % len(args.InputFileBuffer)
> +      FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
>      #
>      # Sign the input file using the specified private key and capture
> signature from STDOUT
>      #
>      Process = subprocess.Popen('%s sha256 -sign "%s"' %
> (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE,
> stdout=subprocess.PIPE, stderr=subprocess.PIPE)
>      Signature = Process.communicate(input=FullInputFileBuffer)[0]
> @@ -210,12 +210,12 @@ if __name__ == '__main__':
>        print 'ERROR: Public key in input file does not match public key from
> private key file'
>        sys.exit(1)
> 
>      FullInputFileBuffer = args.InputFileBuffer
>      if args.MonotonicCountStr:
> -      format = "Q%ds" % len(args.InputFileBuffer)
> -      FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> +      format = "%dsQ" % len(args.InputFileBuffer)
> +      FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
> 
>      #
>      # Write Signature to output file
>      #
>      open(args.OutputFileName, 'wb').write(Header.Signature)
> --
> 2.6.1.windows.1
> 
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel