From: "David F."
Date: Wed, 2 May 2018 09:26:26 -0700
To: Laszlo Ersek
Cc: edk2 developers list
Subject: Re: Set "db" variable in secure boot setup mode still requires generating PKCS#7?
List-Id: EDK II Development

This Intel mobo didn't like? This is the code snippet that builds it:

    // calc size of header (with no certdata) and crt file data to add
    size_t authhdrsize;
    size_t siglisthdrsize;
    if (applyrawdata) {
        // raw mode: the file already carries the complete payload
        authhdrsize = 0;
        siglisthdrsize = 0;
    } else {
        // EFI_VARIABLE_AUTHENTICATION_2 up to (not including) CertData,
        // then EFI_SIGNATURE_LIST plus the SignatureOwner part of EFI_SIGNATURE_DATA
        authhdrsize = offsetof(EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)
                    + offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData);
        siglisthdrsize = sizeof(EFI_SIGNATURE_LIST)
                       + offsetof(EFI_SIGNATURE_DATA, SignatureData);
    }
    size_t tempbufsize = ffinfo.FileSize + authhdrsize + siglisthdrsize;
    BYTE *tempbuf;
    // plain new throws on failure; the nothrow form is what the NULL test below needs
    if ((tempbuf = new (std::nothrow) BYTE[tempbufsize]) != NULL) {
        // variable to determine where to read file
        BYTE *certdata = tempbuf;
        // determine if need to prefix .crt for kek/db entries
        if (!applyrawdata) {
            // zero header part of buffer so all are init to zero
            memset(tempbuf, 0, authhdrsize + siglisthdrsize);
            //
            // setup EFI_VARIABLE_AUTHENTICATION_2 header
            //
            EFI_VARIABLE_AUTHENTICATION_2 *efivarauth2 = (EFI_VARIABLE_AUTHENTICATION_2 *) tempbuf;
            // setup time (Pad1, TimeZone, Daylight and Pad2 stay zero from the memset)
            TimeTToUEFITimeGMT(time(NULL), &efivarauth2->TimeStamp);
            efivarauth2->TimeStamp.Nanosecond = 0;
            // setup authinfo (without any CertData)
            efivarauth2->AuthInfo.Hdr.dwLength = offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData);
            efivarauth2->AuthInfo.Hdr.wRevision = 0x200;
            efivarauth2->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
            efivarauth2->AuthInfo.CertType = gEfiCertPkcs7Guid;
            //
            // setup EFI_SIGNATURE_LIST
            //
            EFI_SIGNATURE_LIST *efisiglist = (EFI_SIGNATURE_LIST *) (tempbuf + authhdrsize);
            efisiglist->SignatureType = gEfiCertX509Guid;
            efisiglist->SignatureListSize = (uint32_t) (ffinfo.FileSize + siglisthdrsize);
            efisiglist->SignatureHeaderSize = 0;
            efisiglist->SignatureSize = (uint32_t) (ffinfo.FileSize + offsetof(EFI_SIGNATURE_DATA, SignatureData));
            //
            // setup EFI_SIGNATURE_DATA (no owner)
            //
            EFI_SIGNATURE_DATA *efisigdata = (EFI_SIGNATURE_DATA *)
                ((BYTE *) efisiglist + sizeof(EFI_SIGNATURE_LIST) + efisiglist->SignatureHeaderSize);
            certdata = efisigdata->SignatureData;
        }
        // Read file to buffer
        if ((errcode = FSOpenReadCloseFile(openpath, certdata, 0, ffinfo.FileSize, NULL, filesys)) == ERROR_NONE) {
            // have the data, now write it to the correct variable
            uint32_t varattr = EFI_VARIABLE_NON_VOLATILE |
                               EFI_VARIABLE_BOOTSERVICE_ACCESS |
                               EFI_VARIABLE_RUNTIME_ACCESS |
                               EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
            if (!rparam) {
                varattr |= EFI_VARIABLE_APPEND_WRITE;
            }
            // update variable
            errcode = UEFISetVariable(varname, guidstr, tempbuf, tempbufsize, varattr);
        }
        // clean up
        delete[] tempbuf;
    }

On Wed, May 2, 2018 at 3:21 AM, Laszlo Ersek wrote:
> On 05/01/18 23:13, David F. wrote:
> > Hi,
> >
> > Had a fairly simple task of wanting to install the latest MS .crt
> > files for KEK, and their two files for the "db" (the Windows CA and
> > UEFI CA) in a system placed in setup/custom mode. However, even
> > though it seemed to take the KEK, it never took the "db", always had a
> > problem on a DH77KC mobo (dumped data headers looked as expected). Now
> > when I constructed it, I thought I could leave out any PKCS#7 data
> > (set the expected CertType but in the Hdr dwLength only included
> > CertType and not any CertData),
>
> Right, I've stumbled upon that too. According to the UEFI spec, dwLength
> should include CertData too, but edk2 does *not* accept that. This can
> be seen e.g. in
> "SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c",
> function CreateTimeBasedPayload():
>
> > //
> > // In Setup mode or Custom mode, the variable does not need to be signed but the
> > // parameters to the SetVariable() call still need to be prepared as authenticated
> > // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
> > // data in it.
> > //
> > ...
> > DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
>
> Back to your email:
>
> On 05/01/18 23:13, David F. wrote:
> > but looking at the algo in UEFI Spec 2.6 page 245, it looks like we'd
> > always have to generate the hash, sign it, create all the PKCS stuff
> > even in setup mode? That would surely unnecessarily bloat any apps
> > that really only need to update things in setup mode wouldn't it? So
> > to confirm, that is a requirement even in setup mode? If so, why?
>
> It's not a requirement; see the code comment I quoted above.
>
> Thanks,
> Laszlo
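As an added, stand-alone example (not the poster's tool and not edk2 code), the C program below lays out the same setup-mode payload discussed in this thread, an EFI_VARIABLE_AUTHENTICATION_2 descriptor with no PKCS#7 CertData followed by one X.509 EFI_SIGNATURE_LIST, and then runs a checker over it. The struct layouts, the WIN_CERT_TYPE_EFI_GUID value and the two GUIDs are re-declared here from the UEFI specification rather than pulled from edk2 headers; the certificate bytes are a constructed placeholder, not a real .crt file; and the size-consistency rules in check_setup_mode_payload (single list fills the buffer, zero SignatureHeaderSize for X.509, a whole number of SignatureSize entries) are my assumption of what a variable service verifies, while the dwLength rule is the one Laszlo quotes from CreateTimeBasedPayload().

```c
/* Added example: build and sanity-check a setup-mode authenticated variable
 * payload (auth header with empty PKCS#7 + one X.509 signature list).
 * Layouts and constants follow the UEFI spec; not edk2 code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma pack(push, 1)
typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } EFI_GUID;
typedef struct {
    uint16_t Year; uint8_t Month, Day, Hour, Minute, Second, Pad1;
    uint32_t Nanosecond; int16_t TimeZone; uint8_t Daylight, Pad2;
} EFI_TIME;
typedef struct { uint32_t dwLength; uint16_t wRevision; uint16_t wCertificateType; } WIN_CERTIFICATE;
typedef struct { WIN_CERTIFICATE Hdr; EFI_GUID CertType; uint8_t CertData[1]; } WIN_CERTIFICATE_UEFI_GUID;
typedef struct { EFI_TIME TimeStamp; WIN_CERTIFICATE_UEFI_GUID AuthInfo; } EFI_VARIABLE_AUTHENTICATION_2;
typedef struct { EFI_GUID SignatureType; uint32_t SignatureListSize, SignatureHeaderSize, SignatureSize; } EFI_SIGNATURE_LIST;
typedef struct { EFI_GUID SignatureOwner; uint8_t SignatureData[1]; } EFI_SIGNATURE_DATA;
#pragma pack(pop)

#define WIN_CERT_TYPE_EFI_GUID 0x0EF1
static const EFI_GUID gEfiCertPkcs7Guid = { 0x4aafd29d, 0x68df, 0x49ee, { 0x8a,0xa9,0x34,0x7d,0x37,0x56,0x65,0xa7 } };
static const EFI_GUID gEfiCertX509Guid  = { 0xa5c059a1, 0x94e4, 0x4aa7, { 0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72 } };

/* Same arithmetic as the poster's authhdrsize / siglisthdrsize: 40 and 44 bytes. */
#define AUTH_HDR_SIZE    (offsetof(EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData))
#define SIGLIST_HDR_SIZE (sizeof(EFI_SIGNATURE_LIST) + offsetof(EFI_SIGNATURE_DATA, SignatureData))

/* Constructed placeholder standing in for the bytes of a .crt file (not a real cert). */
static const uint8_t kFakeCert[] = { 0x30, 0x82, 0x01, 0x00, 0xDE, 0xAD, 0xBE, 0xEF };

/* Build the payload into a malloc'd buffer; total length goes to *out_len. */
uint8_t *build_setup_mode_payload(const uint8_t *cert, size_t cert_len, const EFI_TIME *ts, size_t *out_len)
{
    size_t total = AUTH_HDR_SIZE + SIGLIST_HDR_SIZE + cert_len;
    uint8_t *buf = calloc(1, total);           /* zeroed: SignatureOwner stays the nil GUID */
    if (!buf) return NULL;

    EFI_VARIABLE_AUTHENTICATION_2 *auth = (EFI_VARIABLE_AUTHENTICATION_2 *)buf;
    auth->TimeStamp = *ts;
    /* the spec requires these timestamp fields to be zero for authenticated writes */
    auth->TimeStamp.Pad1 = 0; auth->TimeStamp.Nanosecond = 0;
    auth->TimeStamp.TimeZone = 0; auth->TimeStamp.Daylight = 0; auth->TimeStamp.Pad2 = 0;
    /* setup mode: dwLength stops at CertData, i.e. no PKCS#7 blob follows */
    auth->AuthInfo.Hdr.dwLength = (uint32_t)offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData);
    auth->AuthInfo.Hdr.wRevision = 0x0200;
    auth->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
    auth->AuthInfo.CertType = gEfiCertPkcs7Guid;

    EFI_SIGNATURE_LIST *list = (EFI_SIGNATURE_LIST *)(buf + AUTH_HDR_SIZE);
    list->SignatureType = gEfiCertX509Guid;
    list->SignatureListSize = (uint32_t)(SIGLIST_HDR_SIZE + cert_len);
    list->SignatureHeaderSize = 0;
    list->SignatureSize = (uint32_t)(offsetof(EFI_SIGNATURE_DATA, SignatureData) + cert_len);

    EFI_SIGNATURE_DATA *sig = (EFI_SIGNATURE_DATA *)((uint8_t *)list + sizeof(EFI_SIGNATURE_LIST));
    memcpy(sig->SignatureData, cert, cert_len);
    *out_len = total;
    return buf;
}

/* Returns 0 when the payload is self-consistent, otherwise a reason code. */
int check_setup_mode_payload(const uint8_t *buf, size_t len)
{
    if (len < AUTH_HDR_SIZE + sizeof(EFI_SIGNATURE_LIST)) return 1;
    const EFI_VARIABLE_AUTHENTICATION_2 *auth = (const EFI_VARIABLE_AUTHENTICATION_2 *)buf;
    if (auth->TimeStamp.Pad1 || auth->TimeStamp.Nanosecond || auth->TimeStamp.TimeZone ||
        auth->TimeStamp.Daylight || auth->TimeStamp.Pad2) return 2;
    if (auth->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) return 3;
    if (memcmp(&auth->AuthInfo.CertType, &gEfiCertPkcs7Guid, sizeof(EFI_GUID)) != 0) return 4;
    /* the rule from the thread: header only, nothing claimed in CertData */
    if (auth->AuthInfo.Hdr.dwLength != offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData)) return 5;

    const EFI_SIGNATURE_LIST *list = (const EFI_SIGNATURE_LIST *)(buf + AUTH_HDR_SIZE);
    if (list->SignatureListSize != len - AUTH_HDR_SIZE) return 6;   /* one list fills the payload */
    if (list->SignatureHeaderSize != 0) return 7;                  /* X.509 lists have no sig header */
    if (list->SignatureSize <= offsetof(EFI_SIGNATURE_DATA, SignatureData)) return 8;
    size_t body = list->SignatureListSize - sizeof(EFI_SIGNATURE_LIST) - list->SignatureHeaderSize;
    if (body % list->SignatureSize != 0) return 9;                  /* whole number of entries */
    return 0;
}

/* Build with a fixed timestamp; returns the checker's verdict, 0 for a good payload. */
int demo_setup_mode_payload(void)
{
    size_t len;
    EFI_TIME ts = { 2018, 5, 2, 16, 26, 26, 0, 0, 0, 0, 0 };
    uint8_t *buf = build_setup_mode_payload(kFakeCert, sizeof kFakeCert, &ts, &len);
    if (!buf) return -1;
    int rc = check_setup_mode_payload(buf, len);
    free(buf);
    return rc;
}

/* Total bytes handed to SetVariable for the placeholder cert: 40 + 44 + 8 = 92. */
size_t demo_payload_length(void)
{
    size_t len = 0;
    EFI_TIME ts = { 2018, 5, 2, 16, 26, 26, 0, 0, 0, 0, 0 };
    uint8_t *buf = build_setup_mode_payload(kFakeCert, sizeof kFakeCert, &ts, &len);
    free(buf);
    return len;
}

/* Same payload, but dwLength claims one byte of CertData that is not there; rejected with 5. */
int demo_dwlength_with_certdata(void)
{
    size_t len;
    EFI_TIME ts = { 2018, 5, 2, 16, 26, 26, 0, 0, 0, 0, 0 };
    uint8_t *buf = build_setup_mode_payload(kFakeCert, sizeof kFakeCert, &ts, &len);
    if (!buf) return -1;
    ((EFI_VARIABLE_AUTHENTICATION_2 *)buf)->AuthInfo.Hdr.dwLength += 1;
    int rc = check_setup_mode_payload(buf, len);
    free(buf);
    return rc;
}

int main(void)
{
    printf("setup-mode payload: %zu bytes, check=%d, dwLength-with-CertData check=%d\n",
           demo_payload_length(), demo_setup_mode_payload(), demo_dwlength_with_certdata());
    return 0;
}
```

Running the checker over a dump of what the poster's tool hands to UEFISetVariable is a quick way to separate a header-layout problem from a firmware-specific rejection: a payload that returns 0 here matches the shape CreateTimeBasedPayload() produces, so a remaining failure on one board is a property of that firmware's variable service rather than of the size arithmetic.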