subject:"\[edk2\] \[Patch\] BaseTools\: Update sign tool to make MonotonicCount \*after\* Payload"

Re: [edk2] [Patch] BaseTools: Update sign tool to make MonotonicCount after Payload

2016-10-16 Thread Gao, Liming

Reviewed-by: Liming Gao <liming@intel.com>

> -Original Message-
> From: Yao, Jiewen
> Sent: Friday, October 14, 2016 9:11 PM
> To: Zhu, Yonghong <yonghong@intel.com>; edk2-devel@lists.01.org
> Cc: Gao, Liming <liming....@intel.com>
> Subject: RE: [edk2] [Patch] BaseTools: Update sign tool to make
> MonotonicCount *after* Payload
> 
> Reviewed-by: jiewen@intel.com
> Tested-by: jiewen@intel.com
> 
> 
> > -Original Message-
> > From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
> > Yonghong Zhu
> > Sent: Friday, October 14, 2016 8:57 PM
> > To: edk2-devel@lists.01.org
> > Cc: Yao, Jiewen <jiewen....@intel.com>; Gao, Liming
> > <liming....@intel.com>
> > Subject: [edk2] [Patch] BaseTools: Update sign tool to make
> > MonotonicCount *after* Payload
> >
> > The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec
> > mentioned that It is a signature across the image data and the
> > Monotonic Count value. After clarification, we do the signature
> > calculation, we put MonotonicCount after Payload.
> >
> > Cc: Liming Gao <liming@intel.com>
> > Cc: Jiewen Yao <jiewen@intel.com>
> > Contributed-under: TianoCore Contribution Agreement 1.0
> > Signed-off-by: Yonghong Zhu <yonghong@intel.com>
> > ---
> >  BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py | 8
> > 
> >  BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8
> > 
> >  2 files changed, 8 insertions(+), 8 deletions(-)
> >
> > diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > index b9f8c06..f0b2d8a 100644
> > --- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > +++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> > @@ -195,12 +195,12 @@ if __name__ == '__main__':
> >  args.OtherPublicCertFile.close()
> >except:
> >  print 'ERROR: test other public cert file %s missing' %
> > (args.OtherPublicCertFileName)
> >  sys.exit(1)
> >
> > -format = "Q%ds" % len(args.InputFileBuffer)
> > -FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> > args.InputFileBuffer)
> > +format = "%dsQ" % len(args.InputFileBuffer)
> > +FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> > args.MonotonicCountValue)
> >
> >  #
> >  # Sign the input file using the specified private key and capture
> > signature from STDOUT
> >  #
> >  Process = subprocess.Popen('%s smime -sign -binary -signer "%s"
> > -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand,
> > args.SignerPrivateCertFileName, args.OtherPublicCertFileName),
> > stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> > @@ -259,12 +259,12 @@ if __name__ == '__main__':
> >  sys.exit(1)
> >
> >  args.SignatureBuffer = args.InputFileBuffer[0:SignatureSize]
> >  args.InputFileBuffer = args.InputFileBuffer[SignatureSize:]
> >
> > -format = "Q%ds" % len(args.InputFileBuffer)
> > -FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> > args.InputFileBuffer)
> > +format = "%dsQ" % len(args.InputFileBuffer)
> > +FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> > args.MonotonicCountValue)
> >
> >  #
> >  # Save output file contents from input file
> >  #
> >  open(args.OutputFileName, 'wb').write(FullInputFileBuffer)
> > diff --git
> > a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > index 3410668..199ebec 100644
> > --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > +++
> b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> > @@ -167,12 +167,12 @@ if __name__ == '__main__':
> >  pass
> >
> >if args.Encode:
> >  FullInputFileBuffer = args.InputFileBuffer
> >  if args.MonotonicCountStr:
> > -  format = "Q%ds" % len(args.InputFileBuffer)
> > -  FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> > args.InputFileBuffer)
> > +  format = "%dsQ" % len(args.InputFileBuffer)
> > +  FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> > args.MonotonicCountValue)
> >  #
> >  # Sign

Re: [edk2] [Patch] BaseTools: Update sign tool to make MonotonicCount after Payload

2016-10-14 Thread Yao, Jiewen

Reviewed-by: jiewen@intel.com
Tested-by: jiewen@intel.com


> -Original Message-
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
> Yonghong Zhu
> Sent: Friday, October 14, 2016 8:57 PM
> To: edk2-devel@lists.01.org
> Cc: Yao, Jiewen <jiewen@intel.com>; Gao, Liming
> <liming....@intel.com>
> Subject: [edk2] [Patch] BaseTools: Update sign tool to make
> MonotonicCount *after* Payload
> 
> The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec
> mentioned that It is a signature across the image data and the
> Monotonic Count value. After clarification, we do the signature
> calculation, we put MonotonicCount after Payload.
> 
> Cc: Liming Gao <liming@intel.com>
> Cc: Jiewen Yao <jiewen@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Yonghong Zhu <yonghong@intel.com>
> ---
>  BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py | 8
> 
>  BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8
> 
>  2 files changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> index b9f8c06..f0b2d8a 100644
> --- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> +++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> @@ -195,12 +195,12 @@ if __name__ == '__main__':
>  args.OtherPublicCertFile.close()
>except:
>  print 'ERROR: test other public cert file %s missing' %
> (args.OtherPublicCertFileName)
>  sys.exit(1)
> 
> -format = "Q%ds" % len(args.InputFileBuffer)
> -FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> +format = "%dsQ" % len(args.InputFileBuffer)
> +FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
> 
>  #
>  # Sign the input file using the specified private key and capture
> signature from STDOUT
>  #
>  Process = subprocess.Popen('%s smime -sign -binary -signer "%s"
> -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand,
> args.SignerPrivateCertFileName, args.OtherPublicCertFileName),
> stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> @@ -259,12 +259,12 @@ if __name__ == '__main__':
>  sys.exit(1)
> 
>  args.SignatureBuffer = args.InputFileBuffer[0:SignatureSize]
>  args.InputFileBuffer = args.InputFileBuffer[SignatureSize:]
> 
> -format = "Q%ds" % len(args.InputFileBuffer)
> -FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> +format = "%dsQ" % len(args.InputFileBuffer)
> +FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
> 
>  #
>  # Save output file contents from input file
>  #
>  open(args.OutputFileName, 'wb').write(FullInputFileBuffer)
> diff --git
> a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> index 3410668..199ebec 100644
> --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> +++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> @@ -167,12 +167,12 @@ if __name__ == '__main__':
>  pass
> 
>if args.Encode:
>  FullInputFileBuffer = args.InputFileBuffer
>  if args.MonotonicCountStr:
> -  format = "Q%ds" % len(args.InputFileBuffer)
> -  FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> +  format = "%dsQ" % len(args.InputFileBuffer)
> +  FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
>  #
>  # Sign the input file using the specified private key and capture
> signature from STDOUT
>  #
>  Process = subprocess.Popen('%s sha256 -sign "%s"' %
> (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE,
> stdout=subprocess.PIPE, stderr=subprocess.PIPE)
>  Signature = Process.communicate(input=FullInputFileBuffer)[0]
> @@ -210,12 +210,12 @@ if __name__ == '__main__':
>print 'ERROR: Public key in input file does not match public key from
> private key file'
>sys.exit(1)
> 
>  FullInputFileBuffer = args.InputFileBuffer
>  if args.MonotonicCountStr:
> -  format = "Q%ds" % len(args.InputFileBuffer)
> -  FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> +

[edk2] [Patch] BaseTools: Update sign tool to make MonotonicCount after Payload

2016-10-14 Thread Yonghong Zhu

The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec
mentioned that It is a signature across the image data and the
Monotonic Count value. After clarification, we do the signature
calculation, we put MonotonicCount after Payload.

Cc: Liming Gao 
Cc: Jiewen Yao 
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yonghong Zhu 
---
 BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py | 8 
 BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8 
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py 
b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
index b9f8c06..f0b2d8a 100644
--- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
+++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
@@ -195,12 +195,12 @@ if __name__ == '__main__':
 args.OtherPublicCertFile.close()
   except:
 print 'ERROR: test other public cert file %s missing' % 
(args.OtherPublicCertFileName)
 sys.exit(1)
 
-format = "Q%ds" % len(args.InputFileBuffer)
-FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, 
args.InputFileBuffer)
+format = "%dsQ" % len(args.InputFileBuffer)
+FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, 
args.MonotonicCountValue)
 
 #
 # Sign the input file using the specified private key and capture 
signature from STDOUT
 #
 Process = subprocess.Popen('%s smime -sign -binary -signer "%s" -outform 
DER -md sha256 -certfile "%s"' % (OpenSslCommand, 
args.SignerPrivateCertFileName, args.OtherPublicCertFileName), 
stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
@@ -259,12 +259,12 @@ if __name__ == '__main__':
 sys.exit(1)
 
 args.SignatureBuffer = args.InputFileBuffer[0:SignatureSize]
 args.InputFileBuffer = args.InputFileBuffer[SignatureSize:]
 
-format = "Q%ds" % len(args.InputFileBuffer)
-FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, 
args.InputFileBuffer)
+format = "%dsQ" % len(args.InputFileBuffer)
+FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, 
args.MonotonicCountValue)
 
 #
 # Save output file contents from input file
 #
 open(args.OutputFileName, 'wb').write(FullInputFileBuffer)
diff --git a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py 
b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
index 3410668..199ebec 100644
--- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
+++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
@@ -167,12 +167,12 @@ if __name__ == '__main__':
 pass
 
   if args.Encode:
 FullInputFileBuffer = args.InputFileBuffer
 if args.MonotonicCountStr:
-  format = "Q%ds" % len(args.InputFileBuffer)
-  FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, 
args.InputFileBuffer)
+  format = "%dsQ" % len(args.InputFileBuffer)
+  FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, 
args.MonotonicCountValue)
 # 
 # Sign the input file using the specified private key and capture 
signature from STDOUT
 #
 Process = subprocess.Popen('%s sha256 -sign "%s"' % (OpenSslCommand, 
args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, 
stderr=subprocess.PIPE)
 Signature = Process.communicate(input=FullInputFileBuffer)[0]
@@ -210,12 +210,12 @@ if __name__ == '__main__':
   print 'ERROR: Public key in input file does not match public key from 
private key file'
   sys.exit(1)
 
 FullInputFileBuffer = args.InputFileBuffer
 if args.MonotonicCountStr:
-  format = "Q%ds" % len(args.InputFileBuffer)
-  FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue, 
args.InputFileBuffer)
+  format = "%dsQ" % len(args.InputFileBuffer)
+  FullInputFileBuffer = struct.pack(format, args.InputFileBuffer, 
args.MonotonicCountValue)
 
 #
 # Write Signature to output file
 #
 open(args.OutputFileName, 'wb').write(Header.Signature)
-- 
2.6.1.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] [Patch] BaseTools: Update sign tool to make MonotonicCount after Payload

Re: [edk2] [Patch] BaseTools: Update sign tool to make MonotonicCount after Payload

[edk2] [Patch] BaseTools: Update sign tool to make MonotonicCount after Payload

3 matches

Site Navigation

Mail list logo

Footer information

Re: [edk2] [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload

Re: [edk2] [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload

[edk2] [Patch] BaseTools: Update sign tool to make MonotonicCount *after* Payload

3 matches

Mail list logo

Re: [edk2] [Patch] BaseTools: Update sign tool to make MonotonicCount after Payload

Re: [edk2] [Patch] BaseTools: Update sign tool to make MonotonicCount after Payload

[edk2] [Patch] BaseTools: Update sign tool to make MonotonicCount after Payload