From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <jiewen.yao@intel.com>
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24])
 (using TLSv1 with cipher CAMELLIA256-SHA (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id D9B8A1A1E8B
 for <edk2-devel@lists.01.org>; Fri, 14 Oct 2016 06:11:01 -0700 (PDT)
Received: from fmsmga002.fm.intel.com ([10.253.24.26])
 by orsmga102.jf.intel.com with ESMTP; 14 Oct 2016 06:11:03 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.31,493,1473145200"; d="scan'208";a="1070403485"
Received: from fmsmsx107.amr.corp.intel.com ([10.18.124.205])
 by fmsmga002.fm.intel.com with ESMTP; 14 Oct 2016 06:11:01 -0700
Received: from fmsmsx123.amr.corp.intel.com (10.18.125.38) by
 fmsmsx107.amr.corp.intel.com (10.18.124.205) with Microsoft SMTP Server (TLS)
 id 14.3.248.2; Fri, 14 Oct 2016 06:11:01 -0700
Received: from shsmsx103.ccr.corp.intel.com (10.239.4.69) by
 fmsmsx123.amr.corp.intel.com (10.18.125.38) with Microsoft SMTP Server (TLS)
 id 14.3.248.2; Fri, 14 Oct 2016 06:11:00 -0700
Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.206]) by
 SHSMSX103.ccr.corp.intel.com ([169.254.4.139]) with mapi id 14.03.0248.002;
 Fri, 14 Oct 2016 21:10:59 +0800
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Zhu, Yonghong" <yonghong.zhu@intel.com>, "edk2-devel@lists.01.org"
 <edk2-devel@lists.01.org>
CC: "Gao, Liming" <liming.gao@intel.com>
Thread-Topic: [edk2] [Patch] BaseTools: Update sign tool to make
 MonotonicCount *after* Payload
Thread-Index: AQHSJhqLj4+40sB3oUayvtxEOXP68qCn7HjQ
Date: Fri, 14 Oct 2016 13:10:58 +0000
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C50386B1955@shsmsx102.ccr.corp.intel.com>
References: <1476449817-11632-1-git-send-email-yonghong.zhu@intel.com>
In-Reply-To: <1476449817-11632-1-git-send-email-yonghong.zhu@intel.com>
Accept-Language: zh-CN, en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Subject: Re: [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2016 13:11:02 -0000
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: jiewen.yao@intel.com
Tested-by: Jiewen.yao@intel.com


> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Yonghong Zhu
> Sent: Friday, October 14, 2016 8:57 PM
> To: edk2-devel@lists.01.org
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Gao, Liming
> <liming.gao@intel.com>
> Subject: [edk2] [Patch] BaseTools: Update sign tool to make
> MonotonicCount *after* Payload
>=20
> The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec
> mentioned that It is a signature across the image data and the
> Monotonic Count value. After clarification, we do the signature
> calculation, we put MonotonicCount after Payload.
>=20
> Cc: Liming Gao <liming.gao@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Yonghong Zhu <yonghong.zhu@intel.com>
> ---
>  BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py                 | 8
> ++++----
>  BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8
> ++++----
>  2 files changed, 8 insertions(+), 8 deletions(-)
>=20
> diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> index b9f8c06..f0b2d8a 100644
> --- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> +++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> @@ -195,12 +195,12 @@ if __name__ =3D=3D '__main__':
>          args.OtherPublicCertFile.close()
>        except:
>          print 'ERROR: test other public cert file %s missing' %
> (args.OtherPublicCertFileName)
>          sys.exit(1)
>=20
> -    format =3D "Q%ds" % len(args.InputFileBuffer)
> -    FullInputFileBuffer =3D struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> +    format =3D "%dsQ" % len(args.InputFileBuffer)
> +    FullInputFileBuffer =3D struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
>=20
>      #
>      # Sign the input file using the specified private key and capture
> signature from STDOUT
>      #
>      Process =3D subprocess.Popen('%s smime -sign -binary -signer "%s"
> -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand,
> args.SignerPrivateCertFileName, args.OtherPublicCertFileName),
> stdin=3Dsubprocess.PIPE, stdout=3Dsubprocess.PIPE, stderr=3Dsubprocess.PI=
PE)
> @@ -259,12 +259,12 @@ if __name__ =3D=3D '__main__':
>          sys.exit(1)
>=20
>      args.SignatureBuffer =3D args.InputFileBuffer[0:SignatureSize]
>      args.InputFileBuffer =3D args.InputFileBuffer[SignatureSize:]
>=20
> -    format =3D "Q%ds" % len(args.InputFileBuffer)
> -    FullInputFileBuffer =3D struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> +    format =3D "%dsQ" % len(args.InputFileBuffer)
> +    FullInputFileBuffer =3D struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
>=20
>      #
>      # Save output file contents from input file
>      #
>      open(args.OutputFileName, 'wb').write(FullInputFileBuffer)
> diff --git
> a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> index 3410668..199ebec 100644
> --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> +++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> @@ -167,12 +167,12 @@ if __name__ =3D=3D '__main__':
>          pass
>=20
>    if args.Encode:
>      FullInputFileBuffer =3D args.InputFileBuffer
>      if args.MonotonicCountStr:
> -      format =3D "Q%ds" % len(args.InputFileBuffer)
> -      FullInputFileBuffer =3D struct.pack(format,args.MonotonicCountValu=
e,
> args.InputFileBuffer)
> +      format =3D "%dsQ" % len(args.InputFileBuffer)
> +      FullInputFileBuffer =3D struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
>      #
>      # Sign the input file using the specified private key and capture
> signature from STDOUT
>      #
>      Process =3D subprocess.Popen('%s sha256 -sign "%s"' %
> (OpenSslCommand, args.PrivateKeyFileName), stdin=3Dsubprocess.PIPE,
> stdout=3Dsubprocess.PIPE, stderr=3Dsubprocess.PIPE)
>      Signature =3D Process.communicate(input=3DFullInputFileBuffer)[0]
> @@ -210,12 +210,12 @@ if __name__ =3D=3D '__main__':
>        print 'ERROR: Public key in input file does not match public key f=
rom
> private key file'
>        sys.exit(1)
>=20
>      FullInputFileBuffer =3D args.InputFileBuffer
>      if args.MonotonicCountStr:
> -      format =3D "Q%ds" % len(args.InputFileBuffer)
> -      FullInputFileBuffer =3D struct.pack(format,args.MonotonicCountValu=
e,
> args.InputFileBuffer)
> +      format =3D "%dsQ" % len(args.InputFileBuffer)
> +      FullInputFileBuffer =3D struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
>=20
>      #
>      # Write Signature to output file
>      #
>      open(args.OutputFileName, 'wb').write(Header.Signature)
> --
> 2.6.1.windows.1
>=20
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel