Re: [edk2] [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload
Reviewed-by: Liming Gao <liming@intel.com> > -Original Message- > From: Yao, Jiewen > Sent: Friday, October 14, 2016 9:11 PM > To: Zhu, Yonghong <yonghong@intel.com>; edk2-devel@lists.01.org > Cc: Gao, Liming <liming....@intel.com> > Subject: RE: [edk2] [Patch] BaseTools: Update sign tool to make > MonotonicCount *after* Payload > > Reviewed-by: jiewen@intel.com > Tested-by: jiewen@intel.com > > > > -Original Message- > > From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of > > Yonghong Zhu > > Sent: Friday, October 14, 2016 8:57 PM > > To: edk2-devel@lists.01.org > > Cc: Yao, Jiewen <jiewen....@intel.com>; Gao, Liming > > <liming....@intel.com> > > Subject: [edk2] [Patch] BaseTools: Update sign tool to make > > MonotonicCount *after* Payload > > > > The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec > > mentioned that It is a signature across the image data and the > > Monotonic Count value. After clarification, we do the signature > > calculation, we put MonotonicCount after Payload. > > > > Cc: Liming Gao <liming@intel.com> > > Cc: Jiewen Yao <jiewen@intel.com> > > Contributed-under: TianoCore Contribution Agreement 1.0 > > Signed-off-by: Yonghong Zhu <yonghong@intel.com> > > --- > > BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py | 8 > > > > BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8 > > > > 2 files changed, 8 insertions(+), 8 deletions(-) > > > > diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py > > b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py > > index b9f8c06..f0b2d8a 100644 > > --- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py > > +++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py 
> > @@ -195,12 +195,12 @@ if __name__ == '__main__': > > args.OtherPublicCertFile.close() > >except: > > print 'ERROR: test other public cert file %s missing' % > > (args.OtherPublicCertFileName) > > sys.exit(1) > > > > -format = "Q%ds" % len(args.InputFileBuffer) > > -FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, > > args.InputFileBuffer) > > +format = "%dsQ" % len(args.InputFileBuffer) > > +FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, > > args.MonotonicCountValue) > > > > # > > # Sign the input file using the specified private key and capture > > signature from STDOUT > > # > > Process = subprocess.Popen('%s smime -sign -binary -signer "%s" > > -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand, > > args.SignerPrivateCertFileName, args.OtherPublicCertFileName), > > stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) > > @@ -259,12 +259,12 @@ if __name__ == '__main__': > > sys.exit(1) > > > > args.SignatureBuffer = args.InputFileBuffer[0:SignatureSize] > > args.InputFileBuffer = args.InputFileBuffer[SignatureSize:] > > > > -format = "Q%ds" % len(args.InputFileBuffer) > > -FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, > > args.InputFileBuffer) > > +format = "%dsQ" % len(args.InputFileBuffer) > > +FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, > > args.MonotonicCountValue) > > > > # > > # Save output file contents from input file > > # > > open(args.OutputFileName, 'wb').write(FullInputFileBuffer) > > diff --git > > a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py > > b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py > > index 3410668..199ebec 100644 > > --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py > > +++ > b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py 
> > @@ -167,12 +167,12 @@ if __name__ == '__main__': > > pass > > > >if args.Encode: > > FullInputFileBuffer = args.InputFileBuffer > > if args.MonotonicCountStr: > > - format = "Q%ds" % len(args.InputFileBuffer) > > - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, > > args.InputFileBuffer) > > + format = "%dsQ" % len(args.InputFileBuffer) > > + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, > > args.MonotonicCountValue) > > # > > # Sign
Re: [edk2] [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload
Reviewed-by: jiewen@intel.com Tested-by: jiewen@intel.com > -Original Message- > From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of > Yonghong Zhu > Sent: Friday, October 14, 2016 8:57 PM > To: edk2-devel@lists.01.org > Cc: Yao, Jiewen <jiewen@intel.com>; Gao, Liming > <liming....@intel.com> > Subject: [edk2] [Patch] BaseTools: Update sign tool to make > MonotonicCount *after* Payload > > The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec > mentioned that It is a signature across the image data and the > Monotonic Count value. After clarification, we do the signature > calculation, we put MonotonicCount after Payload. > > Cc: Liming Gao <liming@intel.com> > Cc: Jiewen Yao <jiewen@intel.com> > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Yonghong Zhu <yonghong@intel.com> > --- > BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py | 8 > > BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8 > > 2 files changed, 8 insertions(+), 8 deletions(-) > > diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py > b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py > index b9f8c06..f0b2d8a 100644 > --- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py > +++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py 
> @@ -195,12 +195,12 @@ if __name__ == '__main__': > args.OtherPublicCertFile.close() >except: > print 'ERROR: test other public cert file %s missing' % > (args.OtherPublicCertFileName) > sys.exit(1) > > -format = "Q%ds" % len(args.InputFileBuffer) > -FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, > args.InputFileBuffer) > +format = "%dsQ" % len(args.InputFileBuffer) > +FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, > args.MonotonicCountValue) > > # > # Sign the input file using the specified private key and capture > signature from STDOUT > # > Process = subprocess.Popen('%s smime -sign -binary -signer "%s" > -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand, > args.SignerPrivateCertFileName, args.OtherPublicCertFileName), > stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) > @@ -259,12 +259,12 @@ if __name__ == '__main__': > sys.exit(1) > > args.SignatureBuffer = args.InputFileBuffer[0:SignatureSize] > args.InputFileBuffer = args.InputFileBuffer[SignatureSize:] > > -format = "Q%ds" % len(args.InputFileBuffer) > -FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, > args.InputFileBuffer) > +format = "%dsQ" % len(args.InputFileBuffer) > +FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, > args.MonotonicCountValue) > > # > # Save output file contents from input file > # > open(args.OutputFileName, 'wb').write(FullInputFileBuffer) > diff --git > a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py > b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py > index 3410668..199ebec 100644 > --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py > +++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py 
> @@ -167,12 +167,12 @@ if __name__ == '__main__': > pass > >if args.Encode: > FullInputFileBuffer = args.InputFileBuffer > if args.MonotonicCountStr: > - format = "Q%ds" % len(args.InputFileBuffer) > - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, > args.InputFileBuffer) > + format = "%dsQ" % len(args.InputFileBuffer) > + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, > args.MonotonicCountValue) > # > # Sign the input file using the specified private key and capture > signature from STDOUT > # > Process = subprocess.Popen('%s sha256 -sign "%s"' % > (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, > stdout=subprocess.PIPE, stderr=subprocess.PIPE) > Signature = Process.communicate(input=FullInputFileBuffer)[0] > @@ -210,12 +210,12 @@ if __name__ == '__main__': >print 'ERROR: Public key in input file does not match public key from > private key file' >sys.exit(1) > > FullInputFileBuffer = args.InputFileBuffer > if args.MonotonicCountStr: > - format = "Q%ds" % len(args.InputFileBuffer) > - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, > args.InputFileBuffer) > +
[edk2] [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload
The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec mentioned that It is a signature across the image data and the Monotonic Count value. After clarification, we do the signature calculation, we put MonotonicCount after Payload.
Cc: Liming Gao
Cc: Jiewen Yao
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yonghong Zhu
---
BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py | 8
BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
index b9f8c06..f0b2d8a 100644
--- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
+++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
@@ -195,12 +195,12 @@ if __name__ == '__main__':
args.OtherPublicCertFile.close()
except:
print 'ERROR: test other public cert file %s missing' % (args.OtherPublicCertFileName)
sys.exit(1)
-format = "Q%ds" % len(args.InputFileBuffer)
-FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+format = "%dsQ" % len(args.InputFileBuffer)
+FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)
#
# Sign the input file using the specified private key and capture signature from STDOUT
#
Process = subprocess.Popen('%s smime -sign -binary -signer "%s" -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand, args.SignerPrivateCertFileName, args.OtherPublicCertFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
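Review bot: The new `"%dsQ"` format on the `+format` line is packed in struct's default native mode, which pads `Q` to an 8-byte boundary, so whenever the payload length is not a multiple of 8 the buffer that gets signed contains up to seven zero bytes between the payload and the MonotonicCount; the old `"Q%ds"` order never hit this because the count came first. If the firmware side hashes the image data immediately followed by the count, as the commit message describes, it would be verifying different bytes than were signed and the check would presumably fail for such payloads. Pinning byte order and standard sizes removes both the padding and any host-endianness dependence: `format = "<%dsQ" % len(args.InputFileBuffer)`. The same one-character change is needed in the `@@ -259` hunk of Pkcs7Sign.py and in both hunks of Rsa2048Sha256Sign.py. The enclosing `if __name__ == '__main__':` block begins and ends outside this hunk.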
@@ -259,12 +259,12 @@ if __name__ == '__main__':
sys.exit(1)
args.SignatureBuffer = args.InputFileBuffer[0:SignatureSize]
args.InputFileBuffer = args.InputFileBuffer[SignatureSize:]
-format = "Q%ds" % len(args.InputFileBuffer)
-FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+format = "%dsQ" % len(args.InputFileBuffer)
+FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)
#
# Save output file contents from input file
#
open(args.OutputFileName, 'wb').write(FullInputFileBuffer)
diff --git a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
index 3410668..199ebec 100644
--- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
+++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
@@ -167,12 +167,12 @@ if __name__ == '__main__':
pass
if args.Encode:
FullInputFileBuffer = args.InputFileBuffer
if args.MonotonicCountStr:
- format = "Q%ds" % len(args.InputFileBuffer)
- FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+ format = "%dsQ" % len(args.InputFileBuffer)
+ FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)
#
# Sign the input file using the specified private key and capture signature from STDOUT
#
Process = subprocess.Popen('%s sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
Signature = Process.communicate(input=FullInputFileBuffer)[0]
@@ -210,12 +210,12 @@ if __name__ == '__main__':
print 'ERROR: Public key in input file does not match public key from private key file'
sys.exit(1)
FullInputFileBuffer = args.InputFileBuffer
if args.MonotonicCountStr:
- format = "Q%ds" % len(args.InputFileBuffer)
- FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, args.InputFileBuffer)
+ format = "%dsQ" % len(args.InputFileBuffer)
+ FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, args.MonotonicCountValue)
#
# Write Signature to output file
#
open(args.OutputFileName, 'wb').write(Header.Signature)
-- 2.6.1.windows.1
___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel