Reviewed-by: Liming Gao <liming....@intel.com>

> -----Original Message-----
> From: Yao, Jiewen
> Sent: Friday, October 14, 2016 9:11 PM
> To: Zhu, Yonghong <yonghong....@intel.com>; edk2-devel@lists.01.org
> Cc: Gao, Liming <liming....@intel.com>
> Subject: RE: [edk2] [Patch] BaseTools: Update sign tool to make
> MonotonicCount *after* Payload
> 
> Reviewed-by: jiewen....@intel.com
> Tested-by: jiewen....@intel.com
> 
> 
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
> > Yonghong Zhu
> > Sent: Friday, October 14, 2016 8:57 PM
> > To: edk2-devel@lists.01.org
> > Cc: Yao, Jiewen <jiewen....@intel.com>; Gao, Liming
> > <liming....@intel.com>
> > Subject: [edk2] [Patch] BaseTools: Update sign tool to make
> > MonotonicCount *after* Payload
> >
> > The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec
> > mentioned that It is a signature across the image data and the
> > Monotonic Count value. After clarification, we do the signature
> > calculation, we put MonotonicCount after Payload.
> >
> > Cc: Liming Gao <liming....@intel.com>
> > Cc: Jiewen Yao <jiewen....@intel.com>
> > Contributed-under: TianoCore Contribution Agreement 1.0
> > Signed-off-by: Yonghong Zhu <yonghong....@intel.com>
> > ---
> >  BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py                 | 8
> > ++++----
> >  BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8
> > ++++----
> >  2 files changed, 8 insertions(+), 8 deletions(-)
> >
> > diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > index b9f8c06..f0b2d8a 100644
> > --- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > +++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > @@ -195,12 +195,12 @@ if __name__ == '__main__':
> >          args.OtherPublicCertFile.close()
> >        except:
> >          print 'ERROR: test other public cert file %s missing' %
> > (args.OtherPublicCertFileName)
> >          sys.exit(1)
> >
> > -    format = "Q%ds" % len(args.InputFileBuffer)
> > -    FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> > args.InputFileBuffer)
> > +    format = "%dsQ" % len(args.InputFileBuffer)
> > +    FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> > args.MonotonicCountValue)
> >
> >      #
> >      # Sign the input file using the specified private key and capture
> > signature from STDOUT
> >      #
> >      Process = subprocess.Popen('%s smime -sign -binary -signer "%s"
> > -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand,
> > args.SignerPrivateCertFileName, args.OtherPublicCertFileName),
> > stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> > @@ -259,12 +259,12 @@ if __name__ == '__main__':
> >          sys.exit(1)
> >
> >      args.SignatureBuffer = args.InputFileBuffer[0:SignatureSize]
> >      args.InputFileBuffer = args.InputFileBuffer[SignatureSize:]
> >
> > -    format = "Q%ds" % len(args.InputFileBuffer)
> > -    FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> > args.InputFileBuffer)
> > +    format = "%dsQ" % len(args.InputFileBuffer)
> > +    FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> > args.MonotonicCountValue)
> >
> >      #
> >      # Save output file contents from input file
> >      #
> >      open(args.OutputFileName, 'wb').write(FullInputFileBuffer)
> > diff --git
> > a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > index 3410668..199ebec 100644
> > --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > +++
> b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > @@ -167,12 +167,12 @@ if __name__ == '__main__':
> >          pass
> >
> >    if args.Encode:
> >      FullInputFileBuffer = args.InputFileBuffer
> >      if args.MonotonicCountStr:
> > -      format = "Q%ds" % len(args.InputFileBuffer)
> > -      FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> > args.InputFileBuffer)
> > +      format = "%dsQ" % len(args.InputFileBuffer)
> > +      FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> > args.MonotonicCountValue)
> >      #
> >      # Sign the input file using the specified private key and capture
> > signature from STDOUT
> >      #
> >      Process = subprocess.Popen('%s sha256 -sign "%s"' %
> > (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE,
> > stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> >      Signature = Process.communicate(input=FullInputFileBuffer)[0]
> > @@ -210,12 +210,12 @@ if __name__ == '__main__':
> >        print 'ERROR: Public key in input file does not match public key from
> > private key file'
> >        sys.exit(1)
> >
> >      FullInputFileBuffer = args.InputFileBuffer
> >      if args.MonotonicCountStr:
> > -      format = "Q%ds" % len(args.InputFileBuffer)
> > -      FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> > args.InputFileBuffer)
> > +      format = "%dsQ" % len(args.InputFileBuffer)
> > +      FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> > args.MonotonicCountValue)
> >
> >      #
> >      # Write Signature to output file
> >      #
> >      open(args.OutputFileName, 'wb').write(Header.Signature)
> > --
> > 2.6.1.windows.1
> >
> > _______________________________________________
> > edk2-devel mailing list
> > edk2-devel@lists.01.org
> > https://lists.01.org/mailman/listinfo/edk2-devel
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Reply via email to