Re: [edk2] [Patch] BaseTools/Pkcs7Sign: Add PKCS7 test key include files

2018-08-02 Thread Zhu, Yonghong
Reviewed-by: Yonghong Zhu  

Best Regards,
Zhu Yonghong


-----Original Message-----
From: Kinney, Michael D 
Sent: Friday, August 3, 2018 9:39 AM
To: edk2-devel@lists.01.org
Cc: Zhu, Yonghong ; Gao, Liming ; 
Kinney, Michael D 
Subject: [Patch] BaseTools/Pkcs7Sign: Add PKCS7 test key include files

https://bugzilla.tianocore.org/show_bug.cgi?id=1073

Add PCD statement include files for the PKCS7 test key.
* gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer
* gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr

These include files can be used in !include statements in PCD sections of a 
platform DSC file to assign these PCDs to the test key certificate values.

Cc: Yonghong Zhu 
Cc: Liming Gao 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Michael D Kinney 
---
 BaseTools/Source/Python/Pkcs7Sign/Readme.md| 40 ++
 ...ecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc |  1 +  
...kenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc |  1 +
 3 files changed, 42 insertions(+)
 create mode 100644 
BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc
 create mode 100644 
BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc

diff --git a/BaseTools/Source/Python/Pkcs7Sign/Readme.md 
b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
index fee0327876..5315b7fca4 100644
--- a/BaseTools/Source/Python/Pkcs7Sign/Readme.md
+++ b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
@@ -116,3 +116,43 @@ Convert Key and Certificate for signing. Password is 
removed with -nodes flag fo
 
 openssl smime -verify -inform DER -in test.bin.p7 -content test.bin 
-CAfile TestRoot.pub.pem -out test.org.bin
 
+## Generate DSC PCD include files for Certificate
+
+The `BinToPcd` utility can be used to convert the binary Certificate 
+file to a text file can be included from a DSC file to set a PCD to the 
+contents of the Certificate file.
+
+The following 2 PCDs can be set to the PKCS7 Certificate value.  The 
+first one supports a single certificate.  The second one supports 
+multiple certificate values using the XDR format.
+* `gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer`
+* `gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr`
+
+Generate DSC PCD include files:
+```
+BinToPcd.py -i TestRoot.cer -p 
+gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer -o 
+TestRoot.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc
+BinToPcd.py -i TestRoot.cer -p 
+gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr -x -o 
+TestRoot.cer.gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr
+.inc
+```
+
+These files can be used in `!include` statements in DSC file PCD sections.  
For example:
+
+* Platform scoped fixed at build PCD section ``` [PcdsFixedAtBuild]
+  !include 
+BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gEfiSecurityPkgTokenSpac
+eGuid.PcdPkcs7CertBuffer.inc
+```
+
+* Platform scoped patchable in module PCD section ``` 
+[PcdsPatchableInModule]
+  !include 
+BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gFmpDevicePkgTokenSpaceG
+uid.PcdFmpDevicePkcs7CertBufferXdr.inc
+```
+
+* Module scoped fixed at build PCD section ``` [Components]
+  FmpDevicePkg/FmpDxe/FmpDxe.inf {
+
+  !include 
+BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gFmpDevicePkgTokenSpaceG
+uid.PcdFmpDevicePkcs7CertBufferXdr.inc
+  }
+```
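
Review bot: The first paragraph of the new Readme section is missing a word in "convert the binary Certificate file to a text file can be included from a DSC file"; suggest "to a text file that can be included from a DSC file". In the last example, the bullet says "Module scoped fixed at build PCD section", but between `FmpDevicePkg/FmpDxe/FmpDxe.inf {` and the `!include` line there is only an empty added line and no PCD section tag. The example should show the section tag inside the braces so it can be copied into a DSC as written.
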
diff --git 
a/BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc
 
b/BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc
new file mode 100644
index 00..907c70dd92
--- /dev/null
+++ b/BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gEfiSecurityPkgToke
+++ nSpaceGuid.PcdPkcs7CertBuffer.inc
@@ -0,0 +1 @@
+  gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer|{0x30, 0x82, 0x03, 
+ 0xEC, 0x30, 0x82, 0x02, 0xD4, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 
+ 0x09, 0x00, 0xC0, 0x91, 0xC5, 0xE2, 0xB7, 0x66, 0xC0, 0xF8, 0x30, 
+ 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 
+ 0x0B, 0x05, 0x00, 0x30, 0x81, 0x82, 0x31, 0x0B, 0x30, 0x09, 0x06, 
+ 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4E, 0x31, 0x0B, 0x30, 
+ 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x02, 0x53, 0x48, 0x31, 
+ 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x02, 0x53, 
+ 0x48, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 
+ 0x09, 0x54, 0x69, 0x61, 0x6E, 0x6F, 0x43, 0x6F, 0x72, 0x65, 0x31, 
+ 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x05, 0x45, 
+ 0x44, 0x4B, 0x49, 0x49, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 
+ 0x04, 0x03, 0x0C, 0x08, 0x54, 0x65, 0x73, 0x74, 0x52, 0x6F, 0x6F, 
+ 0x74, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 
+ 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x13, 0x65, 0x64, 0x6B, 0x69, 
+ 0x69, 0x40, 0x74, 0x69, 0x61, 0x6E, 0x6F, 0x63, 0x6F, 0x72, 0x65, 
+ 0x2E, 0x6F, 0x72, 0x67, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x37, 
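
Review bot: This one-line include file is generated output that cannot be checked by reading it, and nothing in the commit message says how it was produced. The visible bytes decode to a name with O=TianoCore, OU=EDKII, CN=TestRoot and the address edkii@tianocore.org, which matches the file name, but a reviewer still has to regenerate the array to confirm it. Suggest stating in the commit message that both .inc files were produced from TestRoot.cer with the two BinToPcd.py commands added to the Readme, so the result can be regenerated and diffed.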

[edk2] [Patch] BaseTools/Pkcs7Sign: Add PKCS7 test key include files

2018-08-02 Thread Kinney, Michael D
https://bugzilla.tianocore.org/show_bug.cgi?id=1073

Add PCD statement include files for the PKCS7 test key.
* gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer
* gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr

These include files can be used in !include statements in PCD
sections of a platform DSC file to assign these PCDs to the
test key certificate values.

Cc: Yonghong Zhu 
Cc: Liming Gao 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Michael D Kinney 
---
 BaseTools/Source/Python/Pkcs7Sign/Readme.md| 40 ++
 ...ecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc |  1 +
 ...kenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc |  1 +
 3 files changed, 42 insertions(+)
 create mode 100644 
BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc
 create mode 100644 
BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc

diff --git a/BaseTools/Source/Python/Pkcs7Sign/Readme.md 
b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
index fee0327876..5315b7fca4 100644
--- a/BaseTools/Source/Python/Pkcs7Sign/Readme.md
+++ b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
@@ -116,3 +116,43 @@ Convert Key and Certificate for signing. Password is 
removed with -nodes flag fo
 
 openssl smime -verify -inform DER -in test.bin.p7 -content test.bin 
-CAfile TestRoot.pub.pem -out test.org.bin
 
+## Generate DSC PCD include files for Certificate
+
+The `BinToPcd` utility can be used to convert the binary Certificate file to a
+text file can be included from a DSC file to set a PCD to the contents of the
+Certificate file.
+
+The following 2 PCDs can be set to the PKCS7 Certificate value.  The first one
+supports a single certificate.  The second one supports multiple certificate
+values using the XDR format.
+* `gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer`
+* `gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr`
+
+Generate DSC PCD include files:
+```
+BinToPcd.py -i TestRoot.cer -p 
gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer -o 
TestRoot.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc
+BinToPcd.py -i TestRoot.cer -p 
gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr -x -o 
TestRoot.cer.gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc
+```
+
+These files can be used in `!include` statements in DSC file PCD sections.  
For example:
+
+* Platform scoped fixed at build PCD section
+```
+[PcdsFixedAtBuild]
+  !include 
BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc
+```
+
+* Platform scoped patchable in module PCD section
+```
+[PcdsPatchableInModule]
+  !include 
BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc
+```
+
+* Module scoped fixed at build PCD section
+```
+[Components]
+  FmpDevicePkg/FmpDxe/FmpDxe.inf {
+
+  !include 
BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc
+  }
+```
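
Review bot: The new section never states that these include files carry the test key certificate and are meant for development builds, so the three `!include` examples read like a recipe for any platform DSC. Suggest a sentence after "For example:" saying that a platform must replace them with include files generated from its own certificate before release, because a build that sets these PCDs from TestRoot.cer accepts anything signed with the test key.
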
diff --git 
a/BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc
 
b/BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc
new file mode 100644
index 00..907c70dd92
--- /dev/null
+++ 
b/BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc
@@ -0,0 +1 @@
+  gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer|{0x30, 0x82, 0x03, 0xEC, 
0x30, 0x82, 0x02, 0xD4, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xC0, 
0x91, 0xC5, 0xE2, 0xB7, 0x66, 0xC0, 0xF8, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 
0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x81, 0x82, 0x31, 
0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4E, 0x31, 
0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x02, 0x53, 0x48, 0x31, 
0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x02, 0x53, 0x48, 0x31, 
0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x09, 0x54, 0x69, 0x61, 
0x6E, 0x6F, 0x43, 0x6F, 0x72, 0x65, 0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 
0x04, 0x0B, 0x0C, 0x05, 0x45, 0x44, 0x4B, 0x49, 0x49, 0x31, 0x11, 0x30, 0x0F, 
0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x08, 0x54, 0x65, 0x73, 0x74, 0x52, 0x6F, 
0x6F, 0x74, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 
0x0D, 0x01, 0x09, 0x01, 0x16, 0x13, 0x65, 0x64, 0x6B, 0x69, 0x6
 9, 0x40, 0x74, 0x69, 0x61, 0x6E, 0x6F, 0x63, 0x6F, 0x72, 0x65, 0x2E, 0x6F, 
0x72, 0x67, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x37, 0x30, 0x34, 0x31, 0x30, 0x30, 
0x38, 0x32, 0x37, 0x34, 0x30, 0x5A, 0x17, 0x0D, 0x31, 0x37, 0x30, 0x35, 0x31, 
0x30, 0x30, 0x38, 0x32, 0x37, 0x34, 0x30, 0x5A, 0x30, 0x81, 0x82, 0x31, 0x0B, 
0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4E, 0x31, 0x0B, 
0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x02, 0x53, 0x48, 0x31, 0x0B, 
0x30, 0x09,
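
Review bot: The two `0x17, 0x0D, ...` UTCTime runs in this array decode to notBefore 170410082740Z and notAfter 170510082740Z, so the certificate being embedded was valid for one month and expired in May 2017, more than a year before this patch. If that is acceptable for a test root, the Readme should say whether the consumers of these PCDs check validity dates; otherwise regenerate TestRoot.cer with a longer lifetime before generating the include files.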