Re: [edk2] [Patch] BaseTools/Pkcs7Sign: Add PKCS7 test key include files
Reviewed-by: Yonghong Zhu

Best Regards,
Zhu Yonghong

-----Original Message-----
From: Kinney, Michael D
Sent: Friday, August 3, 2018 9:39 AM
To: edk2-devel@lists.01.org
Cc: Zhu, Yonghong; Gao, Liming; Kinney, Michael D
Subject: [Patch] BaseTools/Pkcs7Sign: Add PKCS7 test key include files
[edk2] [Patch] BaseTools/Pkcs7Sign: Add PKCS7 test key include files
https://bugzilla.tianocore.org/show_bug.cgi?id=1073

Add PCD statement include files for the PKCS7 test key.

* gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer
* gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr

These include files can be used in !include statements in PCD sections of a
platform DSC file to assign these PCDs to the test key certificate values.

Cc: Yonghong Zhu
Cc: Liming Gao
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Michael D Kinney
---
 BaseTools/Source/Python/Pkcs7Sign/Readme.md| 40 ++
 ...ecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc | 1 +
 ...kenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc | 1 +
 3 files changed, 42 insertions(+)
 create mode 100644 BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc
 create mode 100644 BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc

diff --git a/BaseTools/Source/Python/Pkcs7Sign/Readme.md b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
index fee0327876..5315b7fca4 100644
--- a/BaseTools/Source/Python/Pkcs7Sign/Readme.md
+++ b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
@@ -116,3 +116,43 @@ Convert Key and Certificate for signing. Password is removed with -nodes flag fo openssl smime -verify -inform DER -in test.bin.p7 -content test.bin -CAfile TestRoot.pub.pem -out test.org.bin +## Generate DSC PCD include files for Certificate + +The `BinToPcd` utility can be used to convert the binary Certificate file to a +text file can be included from a DSC file to set a PCD to the contents of the +Certificate file. + +The following 2 PCDs can be set to the PKCS7 Certificate value. The first one +supports a single certificate. The second one supports multiple certificate +values using the XDR format. +* `gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer` +* `gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr` + +Generate DSC PCD include files: +``` +BinToPcd.py -i TestRoot.cer -p gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer -o TestRoot.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc +BinToPcd.py -i TestRoot.cer -p gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr -x -o TestRoot.cer.gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc +``` + +These files can be used in `!include` statements in DSC file PCD sections. For example: + +* Platform scoped fixed at build PCD section +``` +[PcdsFixedAtBuild] + !include BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc +``` + +* Platform scoped patchable in module PCD section +``` +[PcdsPatchableInModule] + !include BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc +``` + +* Module scoped fixed at build PCD section +``` +[Components] + FmpDevicePkg/FmpDxe/FmpDxe.inf { + + !include BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc + } +``` 
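Review bot: the new "Generate DSC PCD include files for Certificate" section never says that TestRoot.cer is a test root whose private key is published next to it in the same Pkcs7Sign directory, so a platform that copies the `[PcdsFixedAtBuild]` example verbatim ends up trusting FMP capsules signed with a key anyone can download; add one sentence stating that these .inc files are for development and test builds only and that shipping platforms must generate their own root and run BinToPcd on that certificate. Two smaller points in the same hunk: "convert the binary Certificate file to a text file can be included from a DSC file" is missing "that" ("a text file that can be included"), and in the "Module scoped fixed at build PCD section" example the line between `FmpDevicePkg/FmpDxe/FmpDxe.inf {` and the `!include` is blank as shown, so the reader cannot tell which module-scoped PCD section the override lands in; if an angle-bracket header such as `<PcdsFixedAtBuild>` was meant there, it should appear explicitly, and if it was not, the example is incomplete as an "fixed at build" override.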
diff --git a/BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc b/BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc new file mode 100644 index 00..907c70dd92 --- /dev/null +++ b/BaseTools/Source/Python/Pkcs7Sign/TestRoot.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc @@ -0,0 +1 @@ + gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer|{0x30, 0x82, 0x03, 0xEC, 0x30, 0x82, 0x02, 0xD4, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xC0, 0x91, 0xC5, 0xE2, 0xB7, 0x66, 0xC0, 0xF8, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x81, 0x82, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x02, 0x53, 0x48, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x02, 0x53, 0x48, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x09, 0x54, 0x69, 0x61, 0x6E, 0x6F, 0x43, 0x6F, 0x72, 0x65, 0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x05, 0x45, 0x44, 0x4B, 0x49, 0x49, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x08, 0x54, 0x65, 0x73, 0x74, 0x52, 0x6F, 0x6F, 0x74, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x13, 0x65, 0x64, 0x6B, 0x69, 0x6 9, 0x40, 0x74, 0x69, 0x61, 0x6E, 0x6F, 0x63, 0x6F, 0x72, 0x65, 0x2E, 0x6F, 0x72, 0x67, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x37, 0x30, 0x34, 0x31, 0x30, 0x30, 0x38, 0x32, 0x37, 0x34, 0x30, 0x5A, 0x17, 0x0D, 0x31, 0x37, 0x30, 0x35, 0x31, 0x30, 0x30, 0x38, 0x32, 0x37, 0x34, 0x30, 0x5A, 0x30, 0x81, 0x82, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x02, 0x53, 0x48, 0x31, 0x0B, 0x30, 0x09,
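Review bot: the certificate bytes in this hunk carry a validity window that closed a year before the patch: the two UTCTime values that follow the issuer name (`0x30, 0x1E, 0x17, 0x0D, 0x31, 0x37, 0x30, 0x34, ...`) decode to `170410082740Z` and `170510082740Z`, i.e. 2017-04-10 to 2017-05-10, on a sha256WithRSAEncryption self-signed root for C=CN, O=TianoCore, OU=EDKII, CN=TestRoot. Any verifier that enforces certificate dates (the `openssl smime -verify ... -CAfile TestRoot.pub.pem` command shown in the Readme context, for one) rejects signatures chained to this root unless date checking is disabled, while a verifier that does not enforce them accepts the expired root silently; either regenerate TestRoot with a long validity and re-run BinToPcd before committing these .inc files, or document in the Readme which behaviour the firmware-side PKCS7 verifier consuming PcdPkcs7CertBuffer has with an expired root, so platform owners know what they are testing.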
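The include files above are produced by feeding a DER certificate to BinToPcd, which emits it as a `Name|{0x.., 0x.., ...}` PCD assignment and never looks inside the blob. The following is an added example, not BinToPcd.py or any other edk2 code: it walks the certificate's ASN.1 far enough to read the validity window and refuses to emit the include line for a certificate that is not valid at build time, which is the check a platform owner would want before baking a root into `PcdPkcs7CertBuffer`. Assumptions: the XDR layout used for the `-x` variant (a 4-byte big-endian length, the payload, zero padding to a 4-byte boundary) is an assumption about BinToPcd's format, and the sample certificate is a constructed, unsigned X.509 skeleton built inline for the demo (it is not TestRoot.cer); the 2017 window used for the stale sample mirrors the dates in the patch's bytes.

```python
"""Added example (not part of edk2/BinToPcd): emit a DSC PCD include line for a
DER certificate, refusing certificates whose validity window excludes `now`."""
import datetime
import struct


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (definite length); used only to build the sample."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def read_tlv(buf: bytes, off: int):
    """Decode one TLV at buf[off:]; return (tag, value, offset_after_value)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length encoding")
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    start, end = off + hdr, off + hdr + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[start:end], end


def children(body: bytes):
    """Split a constructed value into its (tag, value) children."""
    out, off = [], 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        out.append((tag, val))
    return out


def parse_time(tag: int, val: bytes) -> datetime.datetime:
    """X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18)."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}.get(tag)
    if fmt is None:
        raise ValueError("unexpected Time tag 0x%02X" % tag)
    parsed = datetime.datetime.strptime(val.decode("ascii"), fmt)
    return parsed.replace(tzinfo=datetime.timezone.utc)


def cert_validity(cert: bytes):
    """Return (notBefore, notAfter) of a DER X.509 certificate."""
    tag, body, end = read_tlv(cert, 0)
    if tag != 0x30 or end != len(cert):
        raise ValueError("not a single DER SEQUENCE")
    tbs_tag, tbs, _ = read_tlv(body, 0)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    fields = children(tbs)
    if fields and fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    vtag, validity = fields[3]
    if vtag != 0x30:
        raise ValueError("validity missing")
    return tuple(parse_time(t, v) for t, v in children(validity))


def pcd_line(pcd_name: str, data: bytes, xdr: bool = False) -> str:
    """Format a DSC PCD assignment. XDR layout (4-byte big-endian length, payload,
    zero pad to a 4-byte boundary) is an assumption about BinToPcd -x."""
    if xdr:
        data = struct.pack(">L", len(data)) + data + b"\x00" * (-len(data) % 4)
    return "  %s|{%s}" % (pcd_name, ", ".join("0x%02X" % b for b in data))


def cert_include_line(pcd_name: str, cert: bytes, xdr: bool = False, now=None) -> str:
    """Emit the include line only if `cert` is valid at `now` (UTC, default: today)."""
    not_before, not_after = cert_validity(cert)
    now = now or datetime.datetime.now(datetime.timezone.utc)
    if not not_before <= now <= not_after:
        raise ValueError("certificate valid %s..%s, not at %s"
                         % (not_before.date(), not_after.date(), now.date()))
    return pcd_line(pcd_name, cert, xdr)


def sample_cert(not_before: str, not_after: str) -> bytes:
    """Constructed, unsigned X.509 skeleton for the demo (NOT TestRoot.cer)."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
    rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Demo"))))
    validity = der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode()))
    spki = der(0x30, rsa + der(0x03, b"\x00" * 17))  # placeholder BIT STRING, no real key
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + name + validity + name + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 17))  # placeholder signature


if __name__ == "__main__":
    stale = sample_cert("170410082740Z", "170510082740Z")  # same window as the patch bytes
    try:
        cert_include_line("gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer", stale)
    except ValueError as err:
        print("refused:", err)
    fresh = sample_cert("240101000000Z", "490101000000Z")
    print(cert_include_line("gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr", fresh, xdr=True))
```

Run it and the stale sample is refused with the 2017 window printed, while the fresh one yields the XDR line whose first four bytes are the big-endian payload length. Replacing `sample_cert(...)` with `open("TestRoot.cer", "rb").read()` applies the same gate to a real DER file.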