Reviewed-by: jiewen@intel.com
Tested-by: jiewen@intel.com
> -Original Message-
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
> Yonghong Zhu
> Sent: Friday, October 14, 2016 8:57 PM
> To: edk2-devel@lists.01.org
> Cc: Yao, Jiewen ; Gao, Liming
>
> Subject: [edk2] [Patch] BaseTools: Update sign tool to make
> MonotonicCount *after* Payload
>
> The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec
> mentioned that It is a signature across the image data and the
> Monotonic Count value. After clarification, we do the signature
> calculation, we put MonotonicCount after Payload.
>
> Cc: Liming Gao
> Cc: Jiewen Yao
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Yonghong Zhu
> ---
> BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py | 8
>
> BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 8
>
> 2 files changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> index b9f8c06..f0b2d8a 100644
> --- a/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> +++ b/BaseTools/Source/Python/Pkcs7Sign/Pkcs7Sign.py
> @@ -195,12 +195,12 @@ if __name__ == '__main__':
> args.OtherPublicCertFile.close()
>except:
> print 'ERROR: test other public cert file %s missing' %
> (args.OtherPublicCertFileName)
> sys.exit(1)
>
> -format = "Q%ds" % len(args.InputFileBuffer)
> -FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> +format = "%dsQ" % len(args.InputFileBuffer)
> +FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
>
> #
> # Sign the input file using the specified private key and capture
> signature from STDOUT
> #
> Process = subprocess.Popen('%s smime -sign -binary -signer "%s"
> -outform DER -md sha256 -certfile "%s"' % (OpenSslCommand,
> args.SignerPrivateCertFileName, args.OtherPublicCertFileName),
> stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> @@ -259,12 +259,12 @@ if __name__ == '__main__':
> sys.exit(1)
>
> args.SignatureBuffer = args.InputFileBuffer[0:SignatureSize]
> args.InputFileBuffer = args.InputFileBuffer[SignatureSize:]
>
> -format = "Q%ds" % len(args.InputFileBuffer)
> -FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> +format = "%dsQ" % len(args.InputFileBuffer)
> +FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
>
> #
> # Save output file contents from input file
> #
> open(args.OutputFileName, 'wb').write(FullInputFileBuffer)
> diff --git
> a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> index 3410668..199ebec 100644
> --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> +++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
> @@ -167,12 +167,12 @@ if __name__ == '__main__':
> pass
>
>if args.Encode:
> FullInputFileBuffer = args.InputFileBuffer
> if args.MonotonicCountStr:
> - format = "Q%ds" % len(args.InputFileBuffer)
> - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> + format = "%dsQ" % len(args.InputFileBuffer)
> + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
> #
> # Sign the input file using the specified private key and capture
> signature from STDOUT
> #
> Process = subprocess.Popen('%s sha256 -sign "%s"' %
> (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE,
> stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> Signature = Process.communicate(input=FullInputFileBuffer)[0]
> @@ -210,12 +210,12 @@ if __name__ == '__main__':
>print 'ERROR: Public key in input file does not match public key from
> private key file'
>sys.exit(1)
>
> FullInputFileBuffer = args.InputFileBuffer
> if args.MonotonicCountStr:
> - format = "Q%ds" % len(args.InputFileBuffer)
> - FullInputFileBuffer = struct.pack(format,args.MonotonicCountValue,
> args.InputFileBuffer)
> + format = "%dsQ" % len(args.InputFileBuffer)
> + FullInputFileBuffer = struct.pack(format, args.InputFileBuffer,
> args.MonotonicCountValue)
>
> #
> # Write Signature to output file
> #
> open(args.OutputFileName, 'wb').write(Header.Signature)
> --
> 2.6.1.windows.1
>
> ___
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel