From: "Yao, Jiewen"
To: "Zhu, Yonghong", "edk2-devel@lists.01.org"
CC: "Gao, Liming"
Subject: Re: [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload
Date: Fri, 14 Oct 2016 13:10:58 +0000
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C50386B1955@shsmsx102.ccr.corp.intel.com>
In-Reply-To: <1476449817-11632-1-git-send-email-yonghong.zhu@intel.com>
List-Id: EDK II Development (edk2-devel@lists.01.org)

Reviewed-by: jiewen.yao@intel.com
Tested-by: Jiewen.yao@intel.com

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Yonghong Zhu
> Sent: Friday, October 14, 2016 8:57 PM
> To: edk2-devel@lists.01.org
> Cc: Yao, Jiewen ; Gao, Liming
> Subject: [edk2] [Patch] BaseTools: Update sign tool to make
> MonotonicCount *after* Payload
>
> The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec
> mentioned that it is a signature across the image data and the
> Monotonic Count value. After clarification, when we do the signature
> calculation, we put MonotonicCount after Payload.
>
> Cc: Liming Gao
> Cc: Jiewen Yao
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Yonghong Zhu > --- > BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py | 8 > ++++---- > BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8 > ++++---- > 2 files changed, 8 insertions(+), 8 deletions(-) >=20 > diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py > b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py > index b9f8c06..f0b2d8a 100644 > --- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py > +++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py > @@ -195,12 +195,12 @@ if __name__ =3D=3D '__main__': > args.OtherPublicCertFile.close() > except: > print 'ERROR: test other public cert file %s missing' % > (args.OtherPublicCertFileName) > sys.exit(1) >=20 > - format =3D "Q%ds" % len(args.InputFileBuffer) > - FullInputFileBuffer =3D struct.pack(format,args.MonotonicCountValue, > args.InputFileBuffer) > + format =3D "%dsQ" % len(args.InputFileBuffer) > + FullInputFileBuffer =3D struct.pack(format, args.InputFileBuffer, > args.MonotonicCountValue) >=20 > # > # Sign the input file using the specified private key and capture > signature from STDOUT > # > Process =3D subprocess.Popen('%s smime -sign -binary -signer "%s" > -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand, > args.SignerPrivateCertFileName, args.OtherPublicCertFileName), > stdin=3Dsubprocess.PIPE, stdout=3Dsubprocess.PIPE, stderr=3Dsubprocess.PI= PE) > @@ -259,12 +259,12 @@ if __name__ =3D=3D '__main__': > sys.exit(1) >=20 > args.SignatureBuffer =3D args.InputFileBuffer[0:SignatureSize] > args.InputFileBuffer =3D args.InputFileBuffer[SignatureSize:] >=20 > - format =3D "Q%ds" % len(args.InputFileBuffer) > - FullInputFileBuffer =3D struct.pack(format,args.MonotonicCountValue, > args.InputFileBuffer) > + format =3D "%dsQ" % len(args.InputFileBuffer) > + FullInputFileBuffer =3D struct.pack(format, args.InputFileBuffer, > args.MonotonicCountValue) >=20 > # > # Save output file contents from input file > # > open(args.OutputFileName, 'wb').write(FullInputFileBuffer) 
> diff --git > a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py > b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py > index 3410668..199ebec 100644 > --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py > +++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py > @@ -167,12 +167,12 @@ if __name__ =3D=3D '__main__': > pass >=20 > if args.Encode: > FullInputFileBuffer =3D args.InputFileBuffer > if args.MonotonicCountStr: > - format =3D "Q%ds" % len(args.InputFileBuffer) > - FullInputFileBuffer =3D struct.pack(format,args.MonotonicCountValu= e, > args.InputFileBuffer) > + format =3D "%dsQ" % len(args.InputFileBuffer) > + FullInputFileBuffer =3D struct.pack(format, args.InputFileBuffer, > args.MonotonicCountValue) > # > # Sign the input file using the specified private key and capture > signature from STDOUT > # > Process =3D subprocess.Popen('%s sha256 -sign "%s"' % > (OpenSslCommand, args.PrivateKeyFileName), stdin=3Dsubprocess.PIPE, > stdout=3Dsubprocess.PIPE, stderr=3Dsubprocess.PIPE) > Signature =3D Process.communicate(input=3DFullInputFileBuffer)[0] > @@ -210,12 +210,12 @@ if __name__ =3D=3D '__main__': > print 'ERROR: Public key in input file does not match public key f= rom > private key file' > sys.exit(1) >=20 > FullInputFileBuffer =3D args.InputFileBuffer > if args.MonotonicCountStr: > - format =3D "Q%ds" % len(args.InputFileBuffer) > - FullInputFileBuffer =3D struct.pack(format,args.MonotonicCountValu= e, > args.InputFileBuffer) > + format =3D "%dsQ" % len(args.InputFileBuffer) > + FullInputFileBuffer =3D struct.pack(format, args.InputFileBuffer, > args.MonotonicCountValue) >=20 > # > # Write Signature to output file > # > open(args.OutputFileName, 'wb').write(Header.Signature) > -- > 2.6.1.windows.1 >=20 > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel
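Review bot: in the Pkcs7Sign.py sign hunk (@@ -195), the new format string "%dsQ" is evaluated in struct's default native mode, where Q is aligned to 8 bytes, so struct.pack silently inserts up to seven zero bytes between the payload and MonotonicCountValue whenever len(args.InputFileBuffer) is not a multiple of 8 (struct.calcsize("5sQ") is 16, not 13). The old "Q%ds" order never hit this because the Q came first. Those padding bytes then become part of what openssl signs, while a consumer that rebuilds Payload || MonotonicCount from the WIN_CERTIFICATE_UEFI_GUID layout the commit message describes would not include them, so signatures over such payloads would not verify. Use an explicit standard-size, little-endian prefix, which also pins the count to a fixed byte order rather than the build host's: `format = "<%dsQ" % len(args.InputFileBuffer)`.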
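Review bot: the Pkcs7Sign.py verify hunk (@@ -259) has the same native-alignment padding problem as the sign hunk, and because it rebuilds the signed buffer with a second copy of the identical two lines, the two paths can drift apart independently. Move the packing into one helper (for example a `BuildSignedBuffer(Payload, MonotonicCount)` that returns `struct.pack("<%dsQ" % len(Payload), Payload, MonotonicCount)`) and call it from both the sign and verify paths so the layout is defined in exactly one place.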
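Review bot: the Rsa2048Sha256Sign.py encode hunk (@@ -167) carries the same "%dsQ" native-alignment issue as Pkcs7Sign.py, so a payload whose length is not a multiple of 8 is signed with hidden padding before the count; "<%dsQ" avoids it. Note also that the count is only appended `if args.MonotonicCountStr:`, so the signed byte layout differs depending on whether the option was given; that is fine as long as the decode path mirrors it exactly, which argues for a shared helper across the two tools instead of four hand-copied format strings.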
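Review bot: the Rsa2048Sha256Sign.py decode hunk (@@ -210) must produce a byte-identical buffer to the encode hunk or verification fails, and with "%dsQ" in native mode both sides do currently agree on the padding, which is why a round-trip Tested-by would not catch it; the mismatch only shows up against a consumer that lays out Payload || UINT64 with no gap. Since the fix is a one-character prefix change, please add a regression check that signs and verifies a payload whose length is not a multiple of 8 and asserts `len(FullInputFileBuffer) == len(args.InputFileBuffer) + 8` before this lands.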