Re: [edk2] UEFIPayload build issue
Hello Zhu,

I am indeed using cxfreeze as is normally recommended. It will remove these binaries and use the tools from source.

Best Regards,
Wim Vervoorn

-----Original Message-----
From: Zhu, Yonghong [mailto:yonghong@intel.com]
Sent: Friday, September 21, 2018 9:33 AM
To: Wim Vervoorn; edk2-devel@lists.01.org
Cc: Zhu, Yonghong
Subject: RE: UEFIPayload build issue

Hi Wim Vervoorn,

May I know your steps? From the error message, it seems you froze the BaseTools into a binary exe file, and this failure was caused by the cxfreeze step. We recommend running the BaseTools Python from source in Windows.

Thanks.

Best Regards,
Zhu Yonghong

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Wim Vervoorn
Sent: Friday, September 21, 2018 4:44 AM
To: edk2-devel@lists.01.org
Subject: [edk2] UEFIPayload build issue

Hello,

I am trying to build the new UEFIPayload from the staging repo. The build proceeds pretty well but then I got this message:

    Traceback (most recent call last):
      File "C:\Python27\lib\site-packages\cx_Freeze\initscripts\Console.py", line 27, in <module>
        exec(code, m.__dict__)
      File "GenFds\GenFds.py", line 24, in <module>
    ValueError: Attempted relative import in non-package
    build.exe...
     : error 7000: Failed to execute command
            GenFds -f C:\git\SlimBootPayload\UEFIPayload\UefiPayloadPkg\UefiPayloadPkg.fdf --conf=c:\git\slimbootpayload\edk2\conf -o c:\git\slimbootpayload\edk2\Build\UefiPayloadPkgX64\DEBUG_VS2015x86 -t VS2015x86 -b DEBUG -p C:\git\SlimBootPayload\UEFIPayload\UefiPayloadPkg\UefiPayloadPkgIA32X64.dsc -a IA32,X64 -D "EFI_SOURCE=c:\\git\\slimbootpayload\\edk2\\edkcompatibilitypkg" -D "EDK_SOURCE=c:\\git\\slimbootpayload\\edk2\\edkcompatibilitypkg" -D "TOOL_CHAIN_TAG=VS2015x86" -D "TOOLCHAIN=VS2015x86" -D "TARGET=DEBUG" -D "FAMILY=MSFT" -D "WORKSPACE=c:\\git\\slimbootpayload\\edk2" -D "EDK_TOOLS_PATH=c:\\git\\slimbootpayload\\edk2\\basetools" -D "BD_ARCH=IA32X64" -D "ARCH=IA32 X64" -D "ECP_SOURCE=c:\\git\\slimbootpayload\\edk2\\edkcompatibilitypkg" [C:\git\SlimBootPayload\edk2]

    - Failed -

So far I haven't figured out what is causing this issue. It is good to note that I use the tools from the master of the edk2 repo (status of today).

Suggestions are welcome.

Wim Vervoorn

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] Timebased Auth Variable driver should ensure AuthAlgorithm is SHA256 before further verification
Hello LONG, Qin,

Thank you very much for the quick response. From the discussion it is clear to me where the problem is and how the data can be signed using signtool to prevent this.

Do you know if there are any updates to the Linux tools (e.g. efitools) that allow supporting UEFI 2.6 in an easy way?

Best Regards,
Wim Vervoorn

Eltan B.V.
Ambachtstraat 23
5481 SM Schijndel
The Netherlands
T : +31-(0)73-594 46 64
E : wvervo...@eltan.com
W : http://www.eltan.com

"THIS MESSAGE CONTAINS CONFIDENTIAL INFORMATION. UNLESS YOU ARE THE INTENDED RECIPIENT OF THIS MESSAGE, ANY USE OF THIS MESSAGE IS STRICTLY PROHIBITED. IF YOU HAVE RECEIVED THIS MESSAGE IN ERROR, PLEASE IMMEDIATELY NOTIFY THE SENDER BY TELEPHONE +31-(0)73-5944664 OR REPLY EMAIL, AND IMMEDIATELY DELETE THIS MESSAGE AND ALL COPIES."

-----Original Message-----
From: Long, Qin [mailto:qin.l...@intel.com]
Sent: Monday, December 11, 2017 4:56 PM
To: Wim Vervoorn <wvervo...@eltan.com>; edk2-devel@lists.01.org
Subject: RE: Timebased Auth Variable driver should ensure AuthAlgorithm is SHA256 before further verification

Hi, Wim Vervoorn,

Yes, the logic here is a little tricky. We wouldn't like to introduce the full ASN.1 parse interfaces to handle the encoding data check. So, as the comment states, the digestAlgorithms field usually has a fixed offset (based on two bytes of length encoding) in one PKCS#7 signedData structure. So the new code (added by that commit) used this assumption to check the SHA-256 OID directly.

    //
    // SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the
    // signature. Only a digest algorithm of SHA-256 is accepted.
    //
    //    According to PKCS#7 Definition:
    //        SignedData ::= SEQUENCE {
    //            version Version,
    //            digestAlgorithms DigestAlgorithmIdentifiers,
    //            contentInfo ContentInfo,
    //        }
    //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm
    //    in VARIABLE_AUTHENTICATION_2 descriptor.
    //    This field has the fixed offset (+13) and be calculated based on two bytes of length encoding.
    // ..

One typical ASN.1 structure of a PKCS7 Signature is

    ContentInfo {
        contentType = 1.2.840.113549.1.7.2   // (signedData)
        content {
            SignedData {
                version = 1
                ...
            }
        }
    }

But please note, the PKCS#7 signedData definition for Authenticated Variable in the UEFI spec didn't include the contentType fields. So if you used some third-party tool (e.g. OpenSSL) to generate the signedData, you need to strip off some bytes. See more discussion & clarifications at https://bugzilla.tianocore.org/show_bug.cgi?id=586

And share the binary data with us for more analysis if you still have verification issues.

Best Regards & Thanks,
LONG, Qin

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Wim Vervoorn
Sent: Monday, December 11, 2017 6:40 PM
To: edk2-devel@lists.01.org
Subject: [edk2] Timebased Auth Variable driver should ensure AuthAlgorithm is SHA256 before further verification

Hello,

We ran into issues with the Timebased Authenticated variable handling. In commit c035e37335ae43229d7e68de74a65f2c01ebc0af this was added. This assumed the very first tag will be the Sha256 Oid. We have noticed situations where this is the case.

The question is if the check below represents the specification and the tools generating the databuffer should be changed, or if this check is not correct. It seems to me that the data should be parsed to check for the correct OID and not assume this is the first one.

    if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
      if (SigDataSize >= (13 + sizeof (mSha256OidValue))) {
        if (((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) ||
            (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)) {
          return EFI_SECURITY_VIOLATION;
        }
      }
    }

Modified: SecurityPkg/Library/AuthVariableLib/AuthService.c
Modified: SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h

Best Regards,
Wim Vervoorn
Eltan B.V.
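The fixed-offset OID check Wim quotes and the DER layout Long Qin describes, as an added C example (not edk2 code; all function names are this example's own): `fixed_offset_check` mirrors the posted check, `der_walk_check` instead walks the SignedData TLVs to the first AlgorithmIdentifier so the OID is found wherever the DER lengths put it, and `build_signed_data` constructs a dummy SignedData (only the leading fields are real, the rest is zero padding) to show where the +13 assumption holds, where it rejects valid input, and where it accepts input it never parsed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* DER value bytes of the SHA-256 OID 2.16.840.1.101.3.4.2.1 (what edk2 calls mSha256OidValue). */
static const uint8_t SHA256_OID[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01};
#define TWO_BYTE_ENCODE 0x82  /* outer SEQUENCE length encoded as 0x82 <hi> <lo> */

/* The check as posted on the list: the OID value is assumed to start at SigData + 13. */
int fixed_offset_check(const uint8_t *sig, size_t len) {
    if (len < 13 + sizeof(SHA256_OID)) return 0;
    if ((sig[1] & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) return 0;
    return memcmp(sig + 13, SHA256_OID, sizeof(SHA256_OID)) == 0;
}

/* Read one DER TLV header at off (bounded by lim): returns the value offset and sets *vlen, 0 on error. */
static size_t tlv(const uint8_t *p, size_t lim, size_t off, uint8_t tag, size_t *vlen) {
    if (off + 2 > lim || p[off] != tag) return 0;
    size_t l = p[off + 1], hdr = 2;
    if (l & 0x80) {                                  /* long form: 0x81..0x84 */
        size_t n = l & 0x7f;
        if (n == 0 || n > 4 || off + 2 + n > lim) return 0;
        for (l = 0; n; n--, hdr++) l = (l << 8) | p[off + hdr];
    }
    if (off + hdr + l > lim) return 0;               /* the value must fit in the buffer */
    *vlen = l; return off + hdr;
}

/* Walk SignedData { version, digestAlgorithms SET OF AlgorithmIdentifier, ... } and accept
   exactly one AlgorithmIdentifier whose OID is SHA-256, wherever the DER lengths place it. */
int der_walk_check(const uint8_t *sig, size_t len) {
    size_t n, end, set_end, alg_len, oid_len, off;
    off = tlv(sig, len, 0, 0x30, &n);                /* SignedData SEQUENCE */
    if (!off) return 0; end = off + n;
    off = tlv(sig, end, off, 0x02, &n);              /* version INTEGER */
    if (!off) return 0;
    off = tlv(sig, end, off + n, 0x31, &n);          /* digestAlgorithms SET */
    if (!off) return 0; set_end = off + n;
    off = tlv(sig, set_end, off, 0x30, &alg_len);    /* first AlgorithmIdentifier */
    if (!off || off + alg_len != set_end) return 0;  /* reject a second algorithm */
    off = tlv(sig, set_end, off, 0x06, &oid_len);    /* its algorithm OID */
    if (!off || oid_len != sizeof(SHA256_OID)) return 0;
    return memcmp(sig + off, SHA256_OID, sizeof(SHA256_OID)) == 0;
}

/* Constructed test vector, not a real signature: the fields after digestAlgorithms are
   replaced by pad zero bytes. Returns the total length written to buf (needs 22 + pad). */
size_t build_signed_data(uint8_t *buf, size_t pad) {
    size_t inner = 3 + 4 + 2 + sizeof(SHA256_OID) + pad, i = 0;
    buf[i++] = 0x30;                                 /* SEQUENCE, shortest DER length form */
    if (inner < 0x80) buf[i++] = (uint8_t)inner;
    else if (inner < 0x100) { buf[i++] = 0x81; buf[i++] = (uint8_t)inner; }
    else { buf[i++] = 0x82; buf[i++] = (uint8_t)(inner >> 8); buf[i++] = (uint8_t)inner; }
    buf[i++] = 0x02; buf[i++] = 0x01; buf[i++] = 0x01;              /* version 1 */
    buf[i++] = 0x31; buf[i++] = (uint8_t)(4 + sizeof(SHA256_OID));  /* SET */
    buf[i++] = 0x30; buf[i++] = (uint8_t)(2 + sizeof(SHA256_OID));  /* AlgorithmIdentifier */
    buf[i++] = 0x06; buf[i++] = (uint8_t)sizeof(SHA256_OID);        /* OID */
    memcpy(buf + i, SHA256_OID, sizeof(SHA256_OID)); i += sizeof(SHA256_OID);
    memset(buf + i, 0, pad);
    return i + pad;
}
```

With 300 bytes of padding the outer length is 0x82-encoded and both checks agree; with 50 bytes it is short-form, so the +13 check rejects a structurally valid SignedData while the walker still finds the OID, and corrupting the version tag shows the fixed-offset check passing data the walker refuses.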
[edk2] UserIdentification in Security Package
Hello,

I am trying to make the UserIdentification from the security package work, or at least see how this behaves. At this point I am missing out on something to get this working in my tree. Can you point out what needs to be done to give this a try?

At this point I added the stuff to the dsc and fdf file but I am wondering if this should be sufficient or if I need to implement additional items.

Best regards,
Wim Vervoorn
Re: [edk2] HiiSetToDefaults behavior
Hello Dandan,

Thanks for the clarification. So I assume there is no way that will cause this call to leave certain fields as they are. Is this correct?

Best Regards,
Wim Vervoorn
Eltan B.V.

-----Original Message-----
From: Bi, Dandan [mailto:dandan...@intel.com]
Sent: Friday, August 25, 2017 10:57 AM
To: Wim Vervoorn <wvervo...@eltan.com>; edk2-devel@lists.01.org
Subject: RE: HiiSetToDefaults behavior

Hi Wim Vervoorn,

Current behavior of HiiSetToDefaults():
1. For a Question that has the specified type of default value, it will set the default value to storage for the Question.
2. For a Question without the specified type of default, another type's default value can be shared (such as: the standard default doesn't exist but a Manufacturing Default exists; the Manufacturing Default value can be shared with the standard default).
3. For a Question without any type of default value, the current implementation will
   (a) set the first option value as the default value of a oneof
   (b) set the minimum value as the default value of a numeric

Thanks,
Dandan

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Wim Vervoorn
Sent: Friday, August 25, 2017 4:13 PM
To: edk2-devel@lists.01.org
Subject: [edk2] HiiSetToDefaults behavior

Hello,

I have a question about the expected behavior of HiiSetToDefaults(). So far I haven't been able to find a clear definition of what this should do. What I expect is that this call would only touch the items that have a default defined.

So what I would think is that Test2OfValue below would become 1 and Test1OfValue would be untouched as long as its value is either 0 or 1, and become 1 if this is not the case. What seems to happen is that for Test1OfValue the first item is used as the default.

    oneof
      name   = Test1OneOf,                        // Define reference name for Question
      varid  = lIfrNVData.Test1OfValue,           // Use "DataStructure.Member" to reference Buffer Storage
      prompt = STRING_TOKEN(STR_TEST1_PROMPT),
      help   = STRING_TOKEN(STR_TEST1_HELP),
      //
      // Define an option (EFI_IFR_ONE_OF_OPTION)
      //
      option text = STRING_TOKEN(STR_ENABLE),  value = 1, flags = 0;
      option text = STRING_TOKEN(STR_DISABLE), value = 0, flags = 0;
    endoneof;

    oneof
      name   = Test2OneOf,                        // Define reference name for Question
      varid  = lIfrNVData.Test2OfValue,           // Use "DataStructure.Member" to reference Buffer Storage
      prompt = STRING_TOKEN(STR_TEST2_PROMPT),
      help   = STRING_TOKEN(STR_TEST2_HELP),
      //
      // Define an option (EFI_IFR_ONE_OF_OPTION)
      //
      option text = STRING_TOKEN(STR_ENABLE),  value = 1, flags = DEFAULT;
      option text = STRING_TOKEN(STR_DISABLE), value = 0, flags = 0;
    endoneof;

Best Regards,
Wim Vervoorn
Eltan B.V.
[edk2] HiiValidateSettings issue with string item
Hello,

I am running into an issue with HiiValidateSettings() when my VFR contains a string item that is filled with a string of maximum length. In this case the validation returns an error because it thinks the string is too long.

During the validation ValidateQuestionFromVfr() checks if the string length is valid. The issue is that this uses the "maxsize" value * 2 from the VFR. It does this using the StrSize function, which includes the trailing terminator. This is of course correct. The maxsize from the VFR indicates only the amount of characters excluding the terminator.

As a quick fix I changed ValidateQuestionFromVfr() to take this into account, but I am doubting if this is the correct solution. Can you shed some light here?

Below is the fragment where I see this issue:

      //
      // Get Offset/Width by Question header and OneOf Flags
      //
      Offset = IfrString->Question.VarStoreInfo.VarOffset;
      Width  = (UINT16) (IfrString->MaxSize * sizeof (UINT16));   // maxsize is in characters, excluding the terminator
      //
      // Check whether this question is in current block array.
      //
      if (!BlockArrayCheck (CurrentBlockArray, Offset, Width)) {
        //
        // This question is not in the current configuration string. Skip it.
        //
        break;
      }
      //
      // Check this var question is in the var storage
      //
      if ((Offset + Width) > VarStoreData.Size) {
        //
        // This question exceeds the var store size.
        //
        return EFI_INVALID_PARAMETER;
      }
      //
      // Check current string length is less than maxsize
      //
      // Please note we subtract sizeof (CHAR16) here because StrSize returns the length including the terminator
      // while we specify the length in characters in the VFR!
      //
      // ORG ->     if (StrSize ((CHAR16 *) (VarBuffer + Offset)) > Width) {
      // CHANGED ->
      if ((StrSize ((CHAR16 *) (VarBuffer + Offset)) - sizeof (CHAR16)) > Width) {
        return EFI_INVALID_PARAMETER;
      }
    }
    break;

Best Regards,
Wim Vervoorn
Eltan B.V.