Reviewed-by: Liming Gao <[email protected]>
> -----Original Message----- > From: Yao, Jiewen > Sent: Friday, October 14, 2016 9:11 PM > To: Zhu, Yonghong <[email protected]>; [email protected] > Cc: Gao, Liming <[email protected]> > Subject: RE: [edk2] [Patch] BaseTools: Update sign tool to make > MonotonicCount *after* Payload > > Reviewed-by: [email protected] > Tested-by: [email protected] > > > > -----Original Message----- > > From: edk2-devel [mailto:[email protected]] On Behalf Of > > Yonghong Zhu > > Sent: Friday, October 14, 2016 8:57 PM > > To: [email protected] > > Cc: Yao, Jiewen <[email protected]>; Gao, Liming > > <[email protected]> > > Subject: [edk2] [Patch] BaseTools: Update sign tool to make > > MonotonicCount *after* Payload > > > > The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec > > mentioned that It is a signature across the image data and the > > Monotonic Count value. After clarification, we do the signature > > calculation, we put MonotonicCount after Payload. > > > > Cc: Liming Gao <[email protected]> > > Cc: Jiewen Yao <[email protected]> > > Contributed-under: TianoCore Contribution Agreement 1.0 > > Signed-off-by: Yonghong Zhu <[email protected]> > > --- > > BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py | 8 > > ++++---- > > BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8 > > ++++---- > > 2 files changed, 8 insertions(+), 8 deletions(-) > > > > diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py > > b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py > > index b9f8c06..f0b2d8a 100644 > > --- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py > > +++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py 
> > @@ -195,12 +195,12 @@ if __name__ == '__main__':
> > args.OtherPublicCertFile.close()
> > except:
> > print 'ERROR: test other public cert file %s missing' % > > (args.OtherPublicCertFileName)
> > sys.exit(1)
> >
> > - format = "Q%ds" % len(args.InputFileBuffer)
> > - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, > > args.InputFileBuffer)
> > + format = "%dsQ" % len(args.InputFileBuffer)
> > + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, > > args.MonotonicCountValue)
> >
> > #
> > # Sign the input file using the specified private key and capture > > signature from STDOUT
> > #
> > Process = subprocess.Popen('%s smime -sign -binary -signer "%s" > > -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand, > > args.SignerPrivateCertFileName, args.OtherPublicCertFileName), > > stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> > @@ -259,12 +259,12 @@ if __name__ == '__main__':
> > sys.exit(1)
> >
> > args.SignatureBuffer = args.InputFileBuffer[0:SignatureSize]
> > args.InputFileBuffer = args.InputFileBuffer[SignatureSize:]
> >
> > - format = "Q%ds" % len(args.InputFileBuffer)
> > - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, > > args.InputFileBuffer)
> > + format = "%dsQ" % len(args.InputFileBuffer)
> > + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, > > args.MonotonicCountValue)
> >
> > #
> > # Save output file contents from input file
> > #
> > open(args.OutputFileName, 'wb').write(FullInputFileBuffer)
> > diff --git > > a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py > > b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > index 3410668..199ebec 100644
> > --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > +++ > b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
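Review bot: The new format string `"%dsQ" % len(args.InputFileBuffer)` has no byte-order prefix, so `struct.pack` runs in native mode and inserts zero pad bytes in front of the `Q` whenever the payload length is not a multiple of the platform's alignment for an 8-byte integer; the old `"Q%ds"` order produced no such gap. The buffer that gets signed is then payload, padding, count rather than payload immediately followed by MonotonicCount, so a verifier that hashes the two back to back (as the commit message describes) would presumably reject signatures for those payload sizes, and the result differs between hosts. Standard packing with an explicit little-endian order avoids this: `format = "<%dsQ" % len(args.InputFileBuffer)`. The same line needs the change in both Pkcs7Sign.py hunks (@@ -195 and @@ -259) and in the two Rsa2048Sha256Sign.py hunks (@@ -167 and @@ -210). The enclosing `if __name__ == '__main__':` block starts and ends outside all four hunks.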
> > @@ -167,12 +167,12 @@ if __name__ == '__main__':
> > pass
> >
> > if args.Encode:
> > FullInputFileBuffer = args.InputFileBuffer
> > if args.MonotonicCountStr:
> > - format = "Q%ds" % len(args.InputFileBuffer)
> > - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, > > args.InputFileBuffer)
> > + format = "%dsQ" % len(args.InputFileBuffer)
> > + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, > > args.MonotonicCountValue)
> > #
> > # Sign the input file using the specified private key and capture > > signature from STDOUT
> > #
> > Process = subprocess.Popen('%s sha256 -sign "%s"' % > > (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, > > stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> > Signature = Process.communicate(input=FullInputFileBuffer)[0]
> > @@ -210,12 +210,12 @@ if __name__ == '__main__':
> > print 'ERROR: Public key in input file does not match public key from > > private key file'
> > sys.exit(1)
> >
> > FullInputFileBuffer = args.InputFileBuffer
> > if args.MonotonicCountStr:
> > - format = "Q%ds" % len(args.InputFileBuffer)
> > - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, > > args.InputFileBuffer)
> > + format = "%dsQ" % len(args.InputFileBuffer)
> > + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, > > args.MonotonicCountValue)
> >
> > #
> > # Write Signature to output file
> > #
> > open(args.OutputFileName, 'wb').write(Header.Signature)
> > -- > > 2.6.1.windows.1 > > > > _______________________________________________ > > edk2-devel mailing list > > [email protected] > > https://lists.01.org/mailman/listinfo/edk2-devel _______________________________________________ edk2-devel mailing list [email protected] https://lists.01.org/mailman/listinfo/edk2-devel
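Review bot: Nothing next to the `struct.pack` call inside the `if args.MonotonicCountStr:` branches records the byte layout that is being signed, even though that ordering is exactly what this commit had to correct and the encode and verify paths must agree on it. A comment above each pack, for example `# Signed data = payload followed by the 8-byte MonotonicCount (WIN_CERTIFICATE_UEFI_GUID AuthInfo)`, would keep the two paths from drifting apart again. The local name `format` also shadows the Python builtin; a name such as `PackFormat` would match the surrounding identifiers. Both branches sit inside the `if __name__ == '__main__':` block, which begins and ends outside these hunks.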

