From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <df7729@gmail.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=2607:f8b0:400e:c05::22a; helo=mail-pg0-x22a.google.com;
 envelope-from=df7729@gmail.com; receiver=edk2-devel@lists.01.org 
Received: from mail-pg0-x22a.google.com (mail-pg0-x22a.google.com
 [IPv6:2607:f8b0:400e:c05::22a])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 5F31C2033D1B7
 for <edk2-devel@lists.01.org>; Wed,  2 May 2018 09:26:27 -0700 (PDT)
Received: by mail-pg0-x22a.google.com with SMTP id z4-v6so10990542pgu.13
 for <edk2-devel@lists.01.org>; Wed, 02 May 2018 09:26:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc; bh=U8Whll/H0dJ2lJG2JS186gI8w7HdIhXweb//+7rXANk=;
 b=rjuQb40TyDOLb4/bAetHMDJJTMNuaLIS2h3+K/u+Ks/ulP0NC6qT5VOl02RAciB0Wm
 NkbUuFpK3VdnZ40cgnFJdvXvLY79AncGlzEpuA3Q3VL+fOWYVvX7JCI/iq7HTUgGn5gs
 kxU5JtxUBKFABkAUMoqyLK+ePBhmJt0yDa/BAMNCO0GMAvutzLcETbPN+jyX2/qpqyrr
 1JCHH0xxhTq9GVWdB6sVpelyTuNQWBuY0oxnww332kccPdqJNOwMhynt+TdnWT9epBgv
 uyoql0H5tRu+uub19war2ugq0XT1e8Mfn8k3KTxleTpZE6YxcYZewKiaMeP6THD7hEc7
 4hbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=U8Whll/H0dJ2lJG2JS186gI8w7HdIhXweb//+7rXANk=;
 b=FrF00H6RahyyOJOUwzDmCwmvTxnGNH4/cSFmYSkxrZD9ACzf3WD+Ypl505viE6J5W9
 fYdoM1U0erTYGTtr3IaN/QGBAVXpz8ZPADNSHQtakDPw/EZ/80gwLdLrAMRWVBZ67vAP
 3+bAp3RVbisbb+T9D/xaaJr3CeW1kFk26+UkU2ZOiqkkxAcyVMVheKJQzabICWxAILEJ
 KriTsJgi9Qhs5RIkNTlQSnslPZ6D4xrhZxxfYE8NaC6VroYguHnWXy/d693StkQ4LFKg
 Wp4QtiZk0qfcHkmWUEYlkkYf55VX/pbOlIRhvjNq8k9JcpqbKydPGDeXmfY1Z42zOoDv
 59sg==
X-Gm-Message-State: ALQs6tA4fwTRUbWkuo1Te015DjIhdRaWSYmibax8tuqM5ruRM1jCXrw/
 WoAnrIMXQ2wuxsO7Y5bEwbnJpXyP1/owDuOvl5U=
X-Google-Smtp-Source: AB8JxZqq/KZNfmzcwEX3QHU3cruibXvKo5VBmBaW59zhz1Yo1en0M+tUkJxy94l8rOVx1+9CAC6E7ZC0T+EXAyyAeqU=
X-Received: by 2002:a17:902:2924:: with SMTP id
 g33-v6mr20935325plb.26.1525278386951; 
 Wed, 02 May 2018 09:26:26 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.236.172.9 with HTTP; Wed, 2 May 2018 09:26:26 -0700 (PDT)
In-Reply-To: <c611fa4c-97fd-42f9-242f-5c71137af2a9@redhat.com>
References: <CAGRSmLsfL7REVS9EtJD7FwNbHp-ZvP2-jOB3SWw-rX9axxf08w@mail.gmail.com>
 <c611fa4c-97fd-42f9-242f-5c71137af2a9@redhat.com>
From: "David F." <df7729@gmail.com>
Date: Wed, 2 May 2018 09:26:26 -0700
Message-ID: <CAGRSmLvbPknkhe3gGh_Ogy0qJtdZxcbfJid5szD-LJAUOO_nVA@mail.gmail.com>
To: Laszlo Ersek <lersek@redhat.com>
Cc: edk2 developers list <edk2-devel@lists.01.org>
X-Content-Filtered-By: Mailman/MimeDel 2.1.26
Subject: Re: Set "db" variable in secure boot setup mode still requires generating PKCS#7?
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Wed, 02 May 2018 16:26:27 -0000
Content-Type: text/plain; charset="UTF-8"

This Intel mobo didn't like?  This is the code snippet that builds it:

// calc size of header (with no certdata) and crt file data to add
size_t authhdrsize;
size_t siglisthdrsize;

if (applyrawdata) {
  authhdrsize=0;
  siglisthdrsize=0;
}
else {
  authhdrsize=offsetof(EFI_VARIABLE_AUTHENTICATION_2,
AuthInfo)+offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData);
  siglisthdrsize=sizeof(EFI_SIGNATURE_LIST)+offsetof(EFI_SIGNATURE_DATA,
SignatureData);
}
size_t tempbufsize=ffinfo.FileSize+authhdrsize+siglisthdrsize;

BYTE *tempbuf;
if ((tempbuf=new BYTE [tempbufsize])!=NULL) {
  // variable to determine where to read file
  BYTE *certdata=tempbuf;
  // determine if need to prefix .crt for kek/db entries
  if (!applyrawdata) {
    // zero header part of buffer so all are init to zero
    memset(tempbuf, 0, authhdrsize+siglisthdrsize);
    //
    // setup EFI_VARIABLE_AUTHENTICATION_2  header
    //
    EFI_VARIABLE_AUTHENTICATION_2
*efivarauth2=(EFI_VARIABLE_AUTHENTICATION_2 *) tempbuf;
    // setup time
    TimeTToUEFITimeGMT(time(NULL), &efivarauth2->TimeStamp);
    efivarauth2->TimeStamp.Nanosecond=0;
    // setup authinfo (without any CertData)
    efivarauth2->AuthInfo.Hdr.dwLength=offsetof(WIN_CERTIFICATE_UEFI_GUID,
CertData);
    efivarauth2->AuthInfo.Hdr.wRevision=0x200;
    efivarauth2->AuthInfo.Hdr.wCertificateType=WIN_CERT_TYPE_EFI_GUID;
    efivarauth2->AuthInfo.CertType=gEfiCertPkcs7Guid;
    //
    // setup EFI_SIGNATURE_LIST
    //
    EFI_SIGNATURE_LIST *efisiglist=(EFI_SIGNATURE_LIST *)
(tempbuf+authhdrsize);
    efisiglist->SignatureType=gEfiCertX509Guid;

efisiglist->SignatureListSize=(uint32_t)(ffinfo.FileSize+siglisthdrsize);
    efisiglist->SignatureHeaderSize=0;
    efisiglist->SignatureSize=ffinfo.FileSize+offsetof(EFI_SIGNATURE_DATA,
SignatureData);
    //
    // setup EFI_SIGNATURE_DATA  (no owner)
    //
    EFI_SIGNATURE_DATA *efisigdata=(EFI_SIGNATURE_DATA *)
((BYTE*)efisiglist+sizeof(EFI_SIGNATURE_LIST)+efisiglist->SignatureHeaderSize);
    certdata=efisigdata->SignatureData;
  }
  // Read file to buffer
  if ((errcode=FSOpenReadCloseFile(openpath, certdata, 0, ffinfo.FileSize,
NULL, filesys))==ERROR_NONE) {
    // have the data, now write it to the correct variable
    uint32_t varattr=EFI_VARIABLE_NON_VOLATILE|
                     EFI_VARIABLE_BOOTSERVICE_ACCESS|
                     EFI_VARIABLE_RUNTIME_ACCESS|
                     EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
    if (!rparam) {
      varattr|=EFI_VARIABLE_APPEND_WRITE;
    }

    // update variable
    errcode=UEFISetVariable(varname, guidstr, tempbuf, tempbufsize,
varattr);
  }
  // clean up
  delete[] tempbuf;
}


On Wed, May 2, 2018 at 3:21 AM, Laszlo Ersek <lersek@redhat.com> wrote:

> On 05/01/18 23:13, David F. wrote:
> > Hi,
> >
> > Had a fairly simple task of wanting to install the latest MS .crt
> > files for KEK, and their two files for the "db" (the Windows CA and
> > UEFI CA) in a system placed in setup/custom mode.  However, even
> > though it seemed to take the KEK, it never took the "db", always had a
> > problem on a DH77KC mobo (dumped data headers looked as expected). Now
> > when I constructed it, I thought I could leave out any PKCS#7 data
> > (set the expected CertType but in the Hdr dwLength only included
> > CertType and not any CertData),
>
> Right, I've stumbled upon that too. According to the UEFI spec, dwLength
> should include CertData too, but edk2 does *not* accept that. This can
> be seen e.g. in
> "SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/
> SecureBootConfigImpl.c",
> function CreateTimeBasedPayload():
>
> >   //
> >   // In Setup mode or Custom mode, the variable does not need to be
> signed but the
> >   // parameters to the SetVariable() call still need to be prepared as
> authenticated
> >   // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor
> without certificate
> >   // data in it.
> >   //
> > ...
> >   DescriptorData->AuthInfo.Hdr.dwLength         = OFFSET_OF
> (WIN_CERTIFICATE_UEFI_GUID, CertData);
>
> Back to your email:
>
> On 05/01/18 23:13, David F. wrote:
> > but looking at the algo in UEFI Spec 2.6 page 245, it looks like we'd
> > always have to generate the hash, sign it, create all the PKCS stuff
> > even in setup mode?    That would surely unnecessarily bloat any apps
> > that really only need to update things in setup mode wouldn't it?   So
> > to confirm, that is a requirement even in setup mode?    If so, why?
>
> It's not a requirement; see the code comment I quoted above.
>
> Thanks,
> Laszlo
>