From: "David F." <df7729@gmail.com>
To: Laszlo Ersek <lersek@redhat.com>
Cc: edk2 developers list <edk2-devel@lists.01.org>
Subject: Re: Set "db" variable in secure boot setup mode still requires generating PKCS#7?
Date: Wed, 2 May 2018 09:26:26 -0700 [thread overview]
Message-ID: <CAGRSmLvbPknkhe3gGh_Ogy0qJtdZxcbfJid5szD-LJAUOO_nVA@mail.gmail.com> (raw)
In-Reply-To: <c611fa4c-97fd-42f9-242f-5c71137af2a9@redhat.com>
This Intel mobo didn't like? This is the code snippet that builds it:
// calc size of header (with no certdata) and crt file data to add
size_t authhdrsize;
size_t siglisthdrsize;
if (applyrawdata) {
authhdrsize=0;
siglisthdrsize=0;
}
else {
authhdrsize=offsetof(EFI_VARIABLE_AUTHENTICATION_2,
AuthInfo)+offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData);
siglisthdrsize=sizeof(EFI_SIGNATURE_LIST)+offsetof(EFI_SIGNATURE_DATA,
SignatureData);
}
size_t tempbufsize=ffinfo.FileSize+authhdrsize+siglisthdrsize;
BYTE *tempbuf;
if ((tempbuf=new BYTE [tempbufsize])!=NULL) {
// variable to determine where to read file
BYTE *certdata=tempbuf;
// determine if need to prefix .crt for kek/db entries
if (!applyrawdata) {
// zero header part of buffer so all are init to zero
memset(tempbuf, 0, authhdrsize+siglisthdrsize);
//
// setup EFI_VARIABLE_AUTHENTICATION_2 header
//
EFI_VARIABLE_AUTHENTICATION_2
*efivarauth2=(EFI_VARIABLE_AUTHENTICATION_2 *) tempbuf;
// setup time
TimeTToUEFITimeGMT(time(NULL), &efivarauth2->TimeStamp);
efivarauth2->TimeStamp.Nanosecond=0;
// setup authinfo (without any CertData)
efivarauth2->AuthInfo.Hdr.dwLength=offsetof(WIN_CERTIFICATE_UEFI_GUID,
CertData);
efivarauth2->AuthInfo.Hdr.wRevision=0x200;
efivarauth2->AuthInfo.Hdr.wCertificateType=WIN_CERT_TYPE_EFI_GUID;
efivarauth2->AuthInfo.CertType=gEfiCertPkcs7Guid;
//
// setup EFI_SIGNATURE_LIST
//
EFI_SIGNATURE_LIST *efisiglist=(EFI_SIGNATURE_LIST *)
(tempbuf+authhdrsize);
efisiglist->SignatureType=gEfiCertX509Guid;
efisiglist->SignatureListSize=(uint32_t)(ffinfo.FileSize+siglisthdrsize);
efisiglist->SignatureHeaderSize=0;
efisiglist->SignatureSize=ffinfo.FileSize+offsetof(EFI_SIGNATURE_DATA,
SignatureData);
//
// setup EFI_SIGNATURE_DATA (no owner)
//
EFI_SIGNATURE_DATA *efisigdata=(EFI_SIGNATURE_DATA *)
((BYTE*)efisiglist+sizeof(EFI_SIGNATURE_LIST)+efisiglist->SignatureHeaderSize);
certdata=efisigdata->SignatureData;
}
// Read file to buffer
if ((errcode=FSOpenReadCloseFile(openpath, certdata, 0, ffinfo.FileSize,
NULL, filesys))==ERROR_NONE) {
// have the data, now write it to the correct variable
uint32_t varattr=EFI_VARIABLE_NON_VOLATILE|
EFI_VARIABLE_BOOTSERVICE_ACCESS|
EFI_VARIABLE_RUNTIME_ACCESS|
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
if (!rparam) {
varattr|=EFI_VARIABLE_APPEND_WRITE;
}
// update variable
errcode=UEFISetVariable(varname, guidstr, tempbuf, tempbufsize,
varattr);
}
// clean up
delete[] tempbuf;
}
On Wed, May 2, 2018 at 3:21 AM, Laszlo Ersek <lersek@redhat.com> wrote:
> On 05/01/18 23:13, David F. wrote:
> > Hi,
> >
> > Had a fairly simple task of wanting to install the latest MS .crt
> > files for KEK, and their two files for the "db" (the Windows CA and
> > UEFI CA) in a system placed in setup/custom mode. However, even
> > though it seemed to take the KEK, it never took the "db", always had a
> > problem on a DH77KC mobo (dumped data headers looked as expected). Now
> > when I constructed it, I thought I could leave out any PKCS#7 data
> > (set the expected CertType but in the Hdr dwLength only included
> > CertType and not any CertData),
>
> Right, I've stumbled upon that too. According to the UEFI spec, dwLength
> should include CertData too, but edk2 does *not* accept that. This can
> be seen e.g. in
> "SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/
> SecureBootConfigImpl.c",
> function CreateTimeBasedPayload():
>
> > //
> > // In Setup mode or Custom mode, the variable does not need to be
> signed but the
> > // parameters to the SetVariable() call still need to be prepared as
> authenticated
> > // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor
> without certificate
> > // data in it.
> > //
> > ...
> > DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF
> (WIN_CERTIFICATE_UEFI_GUID, CertData);
>
> Back to your email:
>
> On 05/01/18 23:13, David F. wrote:
> > but looking at the algo in UEFI Spec 2.6 page 245, it looks like we'd
> > always have to generate the hash, sign it, create all the PKCS stuff
> > even in setup mode? That would surely unnecessarily bloat any apps
> > that really only need to update things in setup mode wouldn't it? So
> > to confirm, that is a requirement even in setup mode? If so, why?
>
> It's not a requirement; see the code comment I quoted above.
>
> Thanks,
> Laszlo
>
next prev parent reply other threads:[~2018-05-02 16:26 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-01 21:13 Set "db" variable in secure boot setup mode still requires generating PKCS#7? David F.
2018-05-01 21:25 ` Bill Paul
2018-05-02 2:23 ` David F.
2018-05-02 10:21 ` Laszlo Ersek
2018-05-02 16:26 ` David F. [this message]
2018-05-03 3:09 ` Long, Qin
2018-05-20 19:54 ` David F.
2018-05-21 1:46 ` Zhang, Chao B
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGRSmLvbPknkhe3gGh_Ogy0qJtdZxcbfJid5szD-LJAUOO_nVA@mail.gmail.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox