The UEFI specification describes the WIN_CERTIFICATE_UEFI_GUID AuthInfo as a signature across the image data and the Monotonic Count value. After clarification, when we calculate the signature we place MonotonicCount after the Payload.
Cc: Liming Gao <liming....@intel.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yonghong Zhu <yonghong....@intel.com>
---
BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py | 8 ++++----
BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8 ++++----
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
index b9f8c06..f0b2d8a 100644
--- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
+++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
@@ -195,12 +195,12 @@ if __name__ == '__main__': args.OtherPublicCertFile.close() except: print 'ERROR: test other public cert file %s missing' % (args.OtherPublicCertFileName) sys.exit(1)
- format = "Q%ds" % len(args.InputFileBuffer)
- FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+ format = "%dsQ" % len(args.InputFileBuffer)
+ FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)
# # Sign the input file using the specified private key and capture signature from STDOUT # Process = subprocess.Popen('%s smime -sign -binary -signer "%s" -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand, args.SignerPrivateCertFileName, args.OtherPublicCertFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
@@ -259,12 +259,12 @@ if __name__ == '__main__': sys.exit(1) args.SignatureBuffer = args.InputFileBuffer[0:SignatureSize] args.InputFileBuffer = args.InputFileBuffer[SignatureSize:]
- format = "Q%ds" % len(args.InputFileBuffer)
- FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+ format = "%dsQ" % len(args.InputFileBuffer)
+ FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)
# # Save output file contents from input file # open(args.OutputFileName, 'wb').write(FullInputFileBuffer)
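Review bot: The new format string `"%dsQ"` has no byte-order prefix, so `struct.pack` runs in native mode and inserts alignment padding before the `Q` whenever `len(args.InputFileBuffer)` is not a multiple of the host's alignment for a 64-bit integer; the old `"Q%ds"` order put the count first and needed no padding. The signed buffer then becomes payload, pad bytes, count, which presumably does not match what the verifier hashes, and the count's byte order also follows the build host. Standard little-endian packing avoids both: `format = "<%dsQ" % len(args.InputFileBuffer)`. The same two lines appear in the hunk at line 259 of this file and in both hunks of Rsa2048Sha256Sign.py. The enclosing `if __name__ == '__main__':` block starts and ends outside the hunks.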
diff --git a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
index 3410668..199ebec 100644
--- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
+++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
@@ -167,12 +167,12 @@ if __name__ == '__main__': pass if args.Encode: FullInputFileBuffer = args.InputFileBuffer if args.MonotonicCountStr:
- format = "Q%ds" % len(args.InputFileBuffer)
- FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+ format = "%dsQ" % len(args.InputFileBuffer)
+ FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)
# # Sign the input file using the specified private key and capture signature from STDOUT # Process = subprocess.Popen('%s sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) Signature = Process.communicate(input=FullInputFileBuffer)[0]
@@ -210,12 +210,12 @@ if __name__ == '__main__': print 'ERROR: Public key in input file does not match public key from private key file' sys.exit(1) FullInputFileBuffer = args.InputFileBuffer if args.MonotonicCountStr:
- format = "Q%ds" % len(args.InputFileBuffer)
- FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+ format = "%dsQ" % len(args.InputFileBuffer)
+ FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)
# # Write Signature to output file # open(args.OutputFileName, 'wb').write(Header.Signature)
--
2.6.1.windows.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
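Review bot: Nothing at the pack site in the hunks at lines 167 and 210 records the byte layout that is being signed, and the signing and verifying branches each rebuild it by hand, so the two can drift apart without any visible failure until a signature check breaks. A comment above `format = ...` such as `# Signed data is the Payload followed by the 64-bit MonotonicCount (WIN_CERTIFICATE_UEFI_GUID AuthInfo)` would state the contract where it is implemented. Moving the two lines into one small helper called from both branches would keep the encode and verify paths byte-identical. Both hunks sit inside the `if __name__ == '__main__':` block, which extends beyond them.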