* [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload
@ 2016-10-14 12:56 Yonghong Zhu
2016-10-14 13:10 ` Yao, Jiewen
0 siblings, 1 reply; 3+ messages in thread
From: Yonghong Zhu @ 2016-10-14 12:56 UTC (permalink / raw)
To: edk2-devel; +Cc: Liming Gao, Jiewen Yao
The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec
mentioned that It is a signature across the image data and the
Monotonic Count value. After clarification, we do the signature
calculation, we put MonotonicCount after Payload.
Cc: Liming Gao <liming.gao@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yonghong Zhu <yonghong.zhu@intel.com>
---
BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py | 8 ++++----
BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8 ++++----
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
index b9f8c06..f0b2d8a 100644
--- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
+++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
@@ -195,12 +195,12 @@ if __name__ == '__main__':
args.OtherPublicCertFile.close()
except:
print 'ERROR: test other public cert file %s missing' % (args.OtherPublicCertFileName)
sys.exit(1)
- format = "Q%ds" % len(args.InputFileBuffer)
- FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+ format = "%dsQ" % len(args.InputFileBuffer)
+ FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)
#
# Sign the input file using the specified private key and capture signature from STDOUT
#
Process = subprocess.Popen('%s smime -sign -binary -signer "%s" -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand, args.SignerPrivateCertFileName, args.OtherPublicCertFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
@@ -259,12 +259,12 @@ if __name__ == '__main__':
sys.exit(1)
args.SignatureBuffer = args.InputFileBuffer[0:SignatureSize]
args.InputFileBuffer = args.InputFileBuffer[SignatureSize:]
- format = "Q%ds" % len(args.InputFileBuffer)
- FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+ format = "%dsQ" % len(args.InputFileBuffer)
+ FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)
#
# Save output file contents from input file
#
open(args.OutputFileName, 'wb').write(FullInputFileBuffer)
diff --git a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
index 3410668..199ebec 100644
--- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
+++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
@@ -167,12 +167,12 @@ if __name__ == '__main__':
pass
if args.Encode:
FullInputFileBuffer = args.InputFileBuffer
if args.MonotonicCountStr:
- format = "Q%ds" % len(args.InputFileBuffer)
- FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+ format = "%dsQ" % len(args.InputFileBuffer)
+ FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)
#
# Sign the input file using the specified private key and capture signature from STDOUT
#
Process = subprocess.Popen('%s sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
Signature = Process.communicate(input=FullInputFileBuffer)[0]
@@ -210,12 +210,12 @@ if __name__ == '__main__':
print 'ERROR: Public key in input file does not match public key from private key file'
sys.exit(1)
FullInputFileBuffer = args.InputFileBuffer
if args.MonotonicCountStr:
- format = "Q%ds" % len(args.InputFileBuffer)
- FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+ format = "%dsQ" % len(args.InputFileBuffer)
+ FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)
#
# Write Signature to output file
#
open(args.OutputFileName, 'wb').write(Header.Signature)
--
2.6.1.windows.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload
2016-10-14 12:56 [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload Yonghong Zhu
@ 2016-10-14 13:10 ` Yao, Jiewen
2016-10-17 5:20 ` Gao, Liming
0 siblings, 1 reply; 3+ messages in thread
From: Yao, Jiewen @ 2016-10-14 13:10 UTC (permalink / raw)
To: Zhu, Yonghong, edk2-devel@lists.01.org; +Cc: Gao, Liming
Reviewed-by: jiewen.yao@intel.com
Tested-by: Jiewen.yao@intel.com
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Yonghong Zhu
> Sent: Friday, October 14, 2016 8:57 PM
> To: edk2-devel@lists.01.org
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Gao, Liming
> <liming.gao@intel.com>
> Subject: [edk2] [Patch] BaseTools: Update sign tool to make
> MonotonicCount *after* Payload
>
> The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec
> mentioned that It is a signature across the image data and the
> Monotonic Count value. After clarification, we do the signature
> calculation, we put MonotonicCount after Payload.
>
> Cc: Liming Gao <liming.gao@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Yonghong Zhu <yonghong.zhu@intel.com>
> ---
> BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py | 8
> ++++----
> BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8
> ++++----
> 2 files changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> index b9f8c06..f0b2d8a 100644
> --- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> +++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> @@ -195,12 +195,12 @@ if __name__ == '__main__':
> args.OtherPublicCertFile.close()
> except:
> print 'ERROR: test other public cert file %s missing' %
> (args.OtherPublicCertFileName)
> sys.exit(1)
>
> - format = "Q%ds" % len(args.InputFileBuffer)
> - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> + format = "%dsQ" % len(args.InputFileBuffer)
> + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
>
> #
> # Sign the input file using the specified private key and capture
> signature from STDOUT
> #
> Process = subprocess.Popen('%s smime -sign -binary -signer "%s"
> -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand,
> args.SignerPrivateCertFileName, args.OtherPublicCertFileName),
> stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> @@ -259,12 +259,12 @@ if __name__ == '__main__':
> sys.exit(1)
>
> args.SignatureBuffer = args.InputFileBuffer[0:SignatureSize]
> args.InputFileBuffer = args.InputFileBuffer[SignatureSize:]
>
> - format = "Q%ds" % len(args.InputFileBuffer)
> - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> + format = "%dsQ" % len(args.InputFileBuffer)
> + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
>
> #
> # Save output file contents from input file
> #
> open(args.OutputFileName, 'wb').write(FullInputFileBuffer)
> diff --git
> a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> index 3410668..199ebec 100644
> --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> +++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> @@ -167,12 +167,12 @@ if __name__ == '__main__':
> pass
>
> if args.Encode:
> FullInputFileBuffer = args.InputFileBuffer
> if args.MonotonicCountStr:
> - format = "Q%ds" % len(args.InputFileBuffer)
> - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> + format = "%dsQ" % len(args.InputFileBuffer)
> + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
> #
> # Sign the input file using the specified private key and capture
> signature from STDOUT
> #
> Process = subprocess.Popen('%s sha256 -sign "%s"' %
> (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE,
> stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> Signature = Process.communicate(input=FullInputFileBuffer)[0]
> @@ -210,12 +210,12 @@ if __name__ == '__main__':
> print 'ERROR: Public key in input file does not match public key from
> private key file'
> sys.exit(1)
>
> FullInputFileBuffer = args.InputFileBuffer
> if args.MonotonicCountStr:
> - format = "Q%ds" % len(args.InputFileBuffer)
> - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> + format = "%dsQ" % len(args.InputFileBuffer)
> + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
>
> #
> # Write Signature to output file
> #
> open(args.OutputFileName, 'wb').write(Header.Signature)
> --
> 2.6.1.windows.1
>
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload
2016-10-14 13:10 ` Yao, Jiewen
@ 2016-10-17 5:20 ` Gao, Liming
0 siblings, 0 replies; 3+ messages in thread
From: Gao, Liming @ 2016-10-17 5:20 UTC (permalink / raw)
To: Yao, Jiewen, Zhu, Yonghong, edk2-devel@lists.01.org
Reviewed-by: Liming Gao <liming.gao@intel.com>
> -----Original Message-----
> From: Yao, Jiewen
> Sent: Friday, October 14, 2016 9:11 PM
> To: Zhu, Yonghong <yonghong.zhu@intel.com>; edk2-devel@lists.01.org
> Cc: Gao, Liming <liming.gao@intel.com>
> Subject: RE: [edk2] [Patch] BaseTools: Update sign tool to make
> MonotonicCount *after* Payload
>
> Reviewed-by: jiewen.yao@intel.com
> Tested-by: Jiewen.yao@intel.com
>
>
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> > Yonghong Zhu
> > Sent: Friday, October 14, 2016 8:57 PM
> > To: edk2-devel@lists.01.org
> > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Gao, Liming
> > <liming.gao@intel.com>
> > Subject: [edk2] [Patch] BaseTools: Update sign tool to make
> > MonotonicCount *after* Payload
> >
> > The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec
> > mentioned that It is a signature across the image data and the
> > Monotonic Count value. After clarification, we do the signature
> > calculation, we put MonotonicCount after Payload.
> >
> > Cc: Liming Gao <liming.gao@intel.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Contributed-under: TianoCore Contribution Agreement 1.0
> > Signed-off-by: Yonghong Zhu <yonghong.zhu@intel.com>
> > ---
> > BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py | 8
> > ++++----
> > BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8
> > ++++----
> > 2 files changed, 8 insertions(+), 8 deletions(-)
> >
> > diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > index b9f8c06..f0b2d8a 100644
> > --- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > +++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > @@ -195,12 +195,12 @@ if __name__ == '__main__':
> > args.OtherPublicCertFile.close()
> > except:
> > print 'ERROR: test other public cert file %s missing' %
> > (args.OtherPublicCertFileName)
> > sys.exit(1)
> >
> > - format = "Q%ds" % len(args.InputFileBuffer)
> > - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> > args.InputFileBuffer)
> > + format = "%dsQ" % len(args.InputFileBuffer)
> > + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> > args.MonotonicCountValue)
> >
> > #
> > # Sign the input file using the specified private key and capture
> > signature from STDOUT
> > #
> > Process = subprocess.Popen('%s smime -sign -binary -signer "%s"
> > -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand,
> > args.SignerPrivateCertFileName, args.OtherPublicCertFileName),
> > stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> > @@ -259,12 +259,12 @@ if __name__ == '__main__':
> > sys.exit(1)
> >
> > args.SignatureBuffer = args.InputFileBuffer[0:SignatureSize]
> > args.InputFileBuffer = args.InputFileBuffer[SignatureSize:]
> >
> > - format = "Q%ds" % len(args.InputFileBuffer)
> > - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> > args.InputFileBuffer)
> > + format = "%dsQ" % len(args.InputFileBuffer)
> > + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> > args.MonotonicCountValue)
> >
> > #
> > # Save output file contents from input file
> > #
> > open(args.OutputFileName, 'wb').write(FullInputFileBuffer)
> > diff --git
> > a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > index 3410668..199ebec 100644
> > --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > +++
> b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > @@ -167,12 +167,12 @@ if __name__ == '__main__':
> > pass
> >
> > if args.Encode:
> > FullInputFileBuffer = args.InputFileBuffer
> > if args.MonotonicCountStr:
> > - format = "Q%ds" % len(args.InputFileBuffer)
> > - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> > args.InputFileBuffer)
> > + format = "%dsQ" % len(args.InputFileBuffer)
> > + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> > args.MonotonicCountValue)
> > #
> > # Sign the input file using the specified private key and capture
> > signature from STDOUT
> > #
> > Process = subprocess.Popen('%s sha256 -sign "%s"' %
> > (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE,
> > stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> > Signature = Process.communicate(input=FullInputFileBuffer)[0]
> > @@ -210,12 +210,12 @@ if __name__ == '__main__':
> > print 'ERROR: Public key in input file does not match public key from
> > private key file'
> > sys.exit(1)
> >
> > FullInputFileBuffer = args.InputFileBuffer
> > if args.MonotonicCountStr:
> > - format = "Q%ds" % len(args.InputFileBuffer)
> > - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> > args.InputFileBuffer)
> > + format = "%dsQ" % len(args.InputFileBuffer)
> > + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> > args.MonotonicCountValue)
> >
> > #
> > # Write Signature to output file
> > #
> > open(args.OutputFileName, 'wb').write(Header.Signature)
> > --
> > 2.6.1.windows.1
> >
> > _______________________________________________
> > edk2-devel mailing list
> > edk2-devel@lists.01.org
> > https://lists.01.org/mailman/listinfo/edk2-devel
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-10-17 5:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-10-14 12:56 [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload Yonghong Zhu
2016-10-14 13:10 ` Yao, Jiewen
2016-10-17 5:20 ` Gao, Liming
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox