From: "Bob Feng" <bob.c.feng@intel.com>
To: "Gao, Liming" <gaoliming@byosoft.com.cn>,
"devel@edk2.groups.io" <devel@edk2.groups.io>,
"Lin, Jason1" <jason1.lin@intel.com>
Cc: "Chen, Christine" <yuwei.chen@intel.com>,
"Kinney, Michael D" <michael.d.kinney@intel.com>,
"Chiang, Dakota" <dakota.chiang@intel.com>
Subject: Re: [edk2-devel] [PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file
Date: Mon, 25 Jul 2022 15:10:56 +0000 [thread overview]
Message-ID: <PH7PR11MB586336DF0EA20390E35B0405C9959@PH7PR11MB5863.namprd11.prod.outlook.com> (raw)
In-Reply-To: <002901d89fde$c23bba80$46b32f80$@byosoft.com.cn>
Created the PR for merge. https://github.com/tianocore/edk2/pull/3137
-----Original Message-----
From: gaoliming <gaoliming@byosoft.com.cn>
Sent: Monday, July 25, 2022 12:27 PM
To: devel@edk2.groups.io; Lin, Jason1 <jason1.lin@intel.com>
Cc: Feng, Bob C <bob.c.feng@intel.com>; Chen, Christine <yuwei.chen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Chiang, Dakota <dakota.chiang@intel.com>
Subject: 回复: [edk2-devel] [PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file
Jason:
Thanks for you to add the detail usage model in BZ 3928. I have no other comments. Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Thanks
Liming
> -----邮件原件-----
> 发件人: devel@edk2.groups.io <devel@edk2.groups.io> 代表 Lin, Jason1
> 发送时间: 2022年7月8日 19:42
> 收件人: devel@edk2.groups.io
> 抄送: Jason1 Lin <jason1.lin@intel.com>; Bob Feng
> <bob.c.feng@intel.com>; Liming Gao <gaoliming@byosoft.com.cn>; Yuwei
> Chen <yuwei.chen@intel.com>; Michael D Kinney
> <michael.d.kinney@intel.com>; Dakota Chiang <dakota.chiang@intel.com>
> 主题: [edk2-devel] [PATCH v3] BaseTools/Capsule: Add support for
> signtool
to
> input subject name to sign capsule file
>
> From: Jason1 Lin <jason1.lin@intel.com>
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3928
>
> Windows-based system using signtool.exe to sign the capsule.
> Add the support to using "--subject-name" argument to assign the
> subject name used to sign the capsule file.
> This argument would pass to signtool.exe as a part of input argument
> with "/n" flag.
>
> NOTE: If using signtool.exe to sign capsule at least need to
> choose one of "--pfx-file" and "--subject-name"
> argument to input the value.
>
> Signed-off-by: Jason1 Lin <jason1.lin@intel.com>
> Cc: Bob Feng <bob.c.feng@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Yuwei Chen <yuwei.chen@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Dakota Chiang <dakota.chiang@intel.com>
> ---
> BaseTools/Source/Python/Capsule/GenerateCapsule.py | 43
> ++++++++++++++++----
> 1 file changed, 34 insertions(+), 9 deletions(-)
>
> diff --git a/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> index b8039db878..35435946c6 100644
> --- a/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> +++ b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> @@ -10,7 +10,7 @@
> # keep the tool as simple as possible, it has the following limitations:
>
> # * Do not support vendor code bytes in a capsule.
>
> #
>
> -# Copyright (c) 2018 - 2019, Intel Corporation. All rights
> reserved.<BR>
>
> +# Copyright (c) 2018 - 2022, Intel Corporation. All rights
> +reserved.<BR>
>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
>
> #
>
>
>
> @@ -38,11 +38,11 @@ from Common.Edk2.Capsule.FmpPayloadHeader
> import FmpPayloadHeaderClass
> # Globals for help information
>
> #
>
> __prog__ = 'GenerateCapsule'
>
> -__version__ = '0.9'
>
> -__copyright__ = 'Copyright (c) 2018, Intel Corporation. All rights
reserved.'
>
> +__version__ = '0.10'
>
> +__copyright__ = 'Copyright (c) 2022, Intel Corporation. All rights
> reserved.'
>
> __description__ = 'Generate a capsule.\n'
>
>
>
> -def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):
>
> +def SignPayloadSignTool (Payload, ToolPath, PfxFile, SubjectName,
> +Verbose
=
> False):
>
> #
>
> # Create a temporary directory
>
> #
>
> @@ -72,7 +72,10 @@ def SignPayloadSignTool (Payload, ToolPath,
> PfxFile, Verbose = False):
> Command = Command + '"{Path}" '.format (Path = os.path.join
(ToolPath,
> 'signtool.exe'))
>
> Command = Command + 'sign /fd sha256 /p7ce DetachedSignedData
> /p7co 1.2.840.113549.1.7.2 '
>
> Command = Command + '/p7 {TempDir} '.format (TempDir =
> TempDirectoryName)
>
> - Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)
>
> + if PfxFile is not None:
>
> + Command = Command + '/f {PfxFile} '.format (PfxFile =
> + PfxFile)
>
> + if SubjectName is not None:
>
> + Command = Command + '/n {SubjectName} '.format
> (SubjectName = SubjectName)
>
> Command = Command + TempFileName
>
> if Verbose:
>
> print (Command)
>
> @@ -105,7 +108,7 @@ def SignPayloadSignTool (Payload, ToolPath,
> PfxFile, Verbose = False):
> shutil.rmtree (TempDirectoryName)
>
> return Signature
>
>
>
> -def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile,
> Verbose
=
> False):
>
> +def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile,
SubjectName,
> Verbose = False):
>
> print ('signtool verify is not supported.')
>
> raise ValueError ('GenerateCapsule: error: signtool verify is not
> supported.')
>
>
>
> @@ -249,6 +252,7 @@ if __name__ == '__main__':
> HardwareInstance = ConvertJsonValue
> (Config, 'HardwareInstance', ValidateUnsignedInteger, Required =
> False, Default = 0)
>
> MonotonicCount = ConvertJsonValue
> (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False,
Default
> = 0)
>
> SignToolPfxFile = ConvertJsonValue (Config,
> 'SignToolPfxFile', os.path.expandvars, Required = False, Default =
> None,
Open
> = True)
>
> + SignToolSubjectName = ConvertJsonValue (Config,
> 'SignToolSubjectName', os.path.expandvars, Required = False, Default =
None,
> Open = True)
>
> OpenSslSignerPrivateCertFile = ConvertJsonValue (Config,
> 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
>
> OpenSslOtherPublicCertFile = ConvertJsonValue (Config,
> 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False,
Default =
> None, Open = True)
>
> OpenSslTrustedPublicCertFile = ConvertJsonValue (Config,
> 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
>
> @@ -264,6 +268,7 @@ if __name__ == '__main__':
> HardwareInstance,
>
> UpdateImageIndex,
>
> SignToolPfxFile,
>
> +
> SignToolSubjectName,
>
>
> OpenSslSignerPrivateCertFile,
>
>
> OpenSslOtherPublicCertFile,
>
>
> OpenSslTrustedPublicCertFile,
>
> @@ -303,6 +308,7 @@ if __name__ == '__main__':
> UpdateImageIndex = ConvertJsonValue
> (Config, 'UpdateImageIndex', ValidateUnsignedInteger, Required =
> False, Default = 1)
>
> MonotonicCount = ConvertJsonValue
> (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False,
Default
> = 0)
>
> SignToolPfxFile = ConvertJsonValue (Config,
> 'SignToolPfxFile', os.path.expandvars, Required = False, Default =
> None,
Open
> = True)
>
> + SignToolSubjectName = ConvertJsonValue (Config,
> 'SignToolSubjectName', os.path.expandvars, Required = False, Default =
None,
> Open = True)
>
> OpenSslSignerPrivateCertFile = ConvertJsonValue (Config,
> 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
>
> OpenSslOtherPublicCertFile = ConvertJsonValue (Config,
> 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False,
Default =
> None, Open = True)
>
> OpenSslTrustedPublicCertFile = ConvertJsonValue (Config,
> 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
>
> @@ -329,6 +335,7 @@ if __name__ == '__main__':
> HardwareInstance,
>
> UpdateImageIndex,
>
> SignToolPfxFile,
>
> +
> SignToolSubjectName,
>
>
> OpenSslSignerPrivateCertFile,
>
>
> OpenSslOtherPublicCertFile,
>
>
> OpenSslTrustedPublicCertFile,
>
> @@ -348,6 +355,7 @@ if __name__ == '__main__':
> "HardwareInstance":
> str(PayloadDescriptor.HardwareInstance),
>
> "UpdateImageIndex":
> str(PayloadDescriptor.UpdateImageIndex),
>
> "SignToolPfxFile":
> str(PayloadDescriptor.SignToolPfxFile),
>
> + "SignToolSubjectName":
> str(PayloadDescriptor.SignToolSubjectName),
>
> "OpenSslSignerPrivateCertFile":
> str(PayloadDescriptor.OpenSslSignerPrivateCertFile),
>
> "OpenSslOtherPublicCertFile":
> str(PayloadDescriptor.OpenSslOtherPublicCertFile),
>
> "OpenSslTrustedPublicCertFile":
> str(PayloadDescriptor.OpenSslTrustedPublicCertFile),
>
> @@ -363,6 +371,8 @@ if __name__ == '__main__':
> for PayloadField in PayloadSection:
>
> if PayloadJsonDescriptorList[Index].SignToolPfxFile is None:
>
> del PayloadField ['SignToolPfxFile']
>
> + if PayloadJsonDescriptorList[Index].SignToolSubjectName
> + is
> None:
>
> + del PayloadField ['SignToolSubjectName']
>
> if
> PayloadJsonDescriptorList[Index].OpenSslSignerPrivateCertFile is None:
>
> del PayloadField ['OpenSslSignerPrivateCertFile']
>
> if
> PayloadJsonDescriptorList[Index].OpenSslOtherPublicCertFile is None:
>
> @@ -402,6 +412,9 @@ if __name__ == '__main__':
> if args.SignToolPfxFile:
>
> print ('GenerateCapsule: error: Argument --pfx-file
> conflicts with Argument -j')
>
> sys.exit (1)
>
> + if args.SignToolSubjectName:
>
> + print ('GenerateCapsule: error: Argument --SubjectName
> conflicts with Argument -j')
>
> + sys.exit (1)
>
> if args.OpenSslSignerPrivateCertFile:
>
> print ('GenerateCapsule: error: Argument
> --signer-private-cert conflicts with Argument -j')
>
> sys.exit (1)
>
> @@ -425,6 +438,7 @@ if __name__ == '__main__':
> HardwareInstance = 0,
>
> UpdateImageIndex = 1,
>
> SignToolPfxFile = None,
>
> + SignToolSubjectName = None,
>
> OpenSslSignerPrivateCertFile = None,
>
> OpenSslOtherPublicCertFile = None,
>
> OpenSslTrustedPublicCertFile = None,
>
> @@ -439,13 +453,15 @@ if __name__ == '__main__':
> self.HardwareInstance = HardwareInstance
>
> self.UpdateImageIndex = UpdateImageIndex
>
> self.SignToolPfxFile = SignToolPfxFile
>
> + self.SignToolSubjectName = SignToolSubjectName
>
> self.OpenSslSignerPrivateCertFile =
> OpenSslSignerPrivateCertFile
>
> self.OpenSslOtherPublicCertFile =
> OpenSslOtherPublicCertFile
>
> self.OpenSslTrustedPublicCertFile =
> OpenSslTrustedPublicCertFile
>
> self.SigningToolPath = SigningToolPath
>
> self.DepexExp = DepexExp
>
>
>
> - self.UseSignTool = self.SignToolPfxFile is not None
>
> + self.UseSignTool = (self.SignToolPfxFile is not None or
>
> + self.SignToolSubjectName is not
> None)
>
> self.UseOpenSsl = (self.OpenSslSignerPrivateCertFile is
> not None and
>
> self.OpenSslOtherPublicCertFile is
> not None and
>
> self.OpenSslTrustedPublicCertFile is
> not None)
>
> @@ -504,8 +520,9 @@ if __name__ == '__main__':
> raise argparse.ArgumentTypeError
> ('--update-image-index must be an integer in range 0x0..0xff')
>
>
>
> if self.UseSignTool:
>
> - self.SignToolPfxFile.close()
>
> - self.SignToolPfxFile = self.SignToolPfxFile.name
>
> + if self.SignToolPfxFile is not None:
>
> + self.SignToolPfxFile.close()
>
> + self.SignToolPfxFile = self.SignToolPfxFile.name
>
> if self.UseOpenSsl:
>
> self.OpenSslSignerPrivateCertFile.close()
>
> self.OpenSslOtherPublicCertFile.close()
>
> @@ -548,6 +565,7 @@ if __name__ == '__main__':
>
> args.HardwareInstance,
>
>
> args.UpdateImageIndex,
>
> args.SignToolPfxFile,
>
> +
> args.SignToolSubjectName,
>
>
> args.OpenSslSignerPrivateCertFile,
>
>
> args.OpenSslOtherPublicCertFile,
>
>
> args.OpenSslTrustedPublicCertFile,
>
> @@ -590,6 +608,7 @@ if __name__ == '__main__':
> Result + struct.pack ('<Q',
> SinglePayloadDescriptor.MonotonicCount),
>
> SinglePayloadDescriptor.SigningToolPath,
>
> SinglePayloadDescriptor.SignToolPfxFile,
>
> +
> SinglePayloadDescriptor.SignToolSubjectName,
>
> Verbose = args.Verbose
>
> )
>
> else:
>
> @@ -671,6 +690,7 @@ if __name__ == '__main__':
>
> args.HardwareInstance,
>
>
> args.UpdateImageIndex,
>
> args.SignToolPfxFile,
>
> +
> args.SignSubjectName,
>
>
> args.OpenSslSignerPrivateCertFile,
>
>
> args.OpenSslOtherPublicCertFile,
>
>
> args.OpenSslTrustedPublicCertFile,
>
> @@ -715,6 +735,7 @@ if __name__ == '__main__':
>
> HardwareInstance,
>
>
> UpdateImageIndex,
>
>
> PayloadDescriptorList[Index].SignToolPfxFile,
>
> +
> PayloadDescriptorList[Index].SignToolSubjectName,
>
>
> PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,
>
>
> PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,
>
>
> PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,
>
> @@ -753,6 +774,7 @@ if __name__ == '__main__':
>
> HardwareInstance,
>
>
> UpdateImageIndex,
>
>
> PayloadDescriptorList[Index].SignToolPfxFile,
>
> +
> PayloadDescriptorList[Index].SignToolSubjectName,
>
>
> PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,
>
>
> PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,
>
>
> PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,
>
> @@ -785,6 +807,7 @@ if __name__ == '__main__':
>
> FmpAuthHeader.CertData,
>
>
> SinglePayloadDescriptor.SigningToolPath,
>
>
> SinglePayloadDescriptor.SignToolPfxFile,
>
> +
> SinglePayloadDescriptor.SignToolSubjectName,
>
> Verbose = args.Verbose
>
> )
>
> else:
>
> @@ -968,6 +991,8 @@ if __name__ == '__main__':
>
>
> parser.add_argument ("--pfx-file", dest='SignToolPfxFile',
> type=argparse.FileType('rb'),
>
> help="signtool PFX certificate filename.")
>
> + parser.add_argument ("--subject-name",
> + dest='SignToolSubjectName',
>
> + help="signtool certificate subject name.")
>
>
>
> parser.add_argument ("--signer-private-cert",
> dest='OpenSslSignerPrivateCertFile', type=argparse.FileType('rb'),
>
> help="OpenSSL signer private certificate
> filename.")
>
> --
> 2.37.0.windows.1
>
>
>
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#91180):
> https://edk2.groups.io/g/devel/message/91180
> Mute This Topic: https://groups.io/mt/92249403/4905953
> Group Owner: devel+owner@edk2.groups.io
> Unsubscribe: https://edk2.groups.io/g/devel/unsub
> [gaoliming@byosoft.com.cn]
> -=-=-=-=-=-=
>
prev parent reply other threads:[~2022-07-25 15:11 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-08 11:41 [PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file Lin, Jason1
2022-07-09 14:17 ` Bob Feng
2022-07-25 4:26 ` 回复: [edk2-devel] " gaoliming
2022-07-25 15:10 ` Bob Feng [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=PH7PR11MB586336DF0EA20390E35B0405C9959@PH7PR11MB5863.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox