On Fri, 15 May 2026 at 16:17, Aswin Murugan <[email protected]> wrote: > > Hi Ilias, > > This change has been verified locally with our setups on qcs615 & > QCS9100 SOCs
Alright, I'll have another look in case I missed something. Thanks /Ilias > > Regards, > Aswin > > On 5/15/2026 4:02 PM, Ilias Apalodimas wrote: > > Hi Ashwin, > > > > On Thu, 14 May 2026 at 20:17, Aswin Murugan > > <[email protected]> wrote: > >> efivar.py currently stores authenticated variables including the > >> EFI_VARIABLE_AUTHENTICATION_2 descriptor (timestamp + WIN_CERTIFICATE) > >> along with the payload. > >> > >> When variables are set via U-Boot, SetVariable() validates and strips > >> this authentication descriptor before persisting the variable data, > >> resulting in only the payload being stored and returned by GetVariable(). > >> > >> This mismatch causes efivar.py-generated stores to differ from U-Boot > >> runtime behavior and leads to incorrect GetVariable() results. > >> > >> Update efivar.py to strip the authentication descriptor and store only > >> the payload for authenticated variables, ensuring consistency with > >> U-Boot behavior and compliance with UEFI expectations. > > The approach is fine, but when I use the tool now to create signatures > > and enable secure boot I am getting > > => bootefi bootmgr > > Getting signature database(db) failed" > > > > Have you tried a built that worked locally? > > > > Thanks > > /Ilias > >> Signed-off-by: Aswin Murugan <[email protected]> > >> --- > >> Changes in v3: > >> - Previously stripped the authentication descriptor at GetVariable(), > >> now moved to strip it in efivar.py during variable pre-seeding/set. > >> Link to v2: > >> https://lore.kernel.org/u-boot/[email protected]/ > >> > >> Changes in v2: > >> - Enhanced commit message with explicit UEFI spec reference > >> Link to v1: > >> https://lore.kernel.org/u-boot/[email protected]/ > >> --- > >> tools/efivar.py | 50 ++++++++++++++++++++++++++++++++++++++++++++++++- > >> 1 file changed, 49 insertions(+), 1 deletion(-) > >> > >> diff --git a/tools/efivar.py b/tools/efivar.py > >> index 67729fa8505..d248cd868ba 100755 > >> --- a/tools/efivar.py > >> +++ b/tools/efivar.py > >> @@ -79,6 +79,50 @@ class EfiVariable: > >> def calc_crc32(buf): > >> return zlib.crc32(buf) & 0xffffffff > >> > >> +def strip_auth_descriptor(data, attrs): > >> + """ > >> + Strip the EFI auth descriptor from authenticated variable data. > >> + > >> + This is used during efivar.py-based pre-seeding of ubootefi.var to > >> + match U-Boot SetVariable() behavior, where the authentication header > >> + is consumed during validation and only the payload is stored. > >> + > >> + For variables with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS: > >> + - Input format: [EFI_VARIABLE_AUTHENTICATION_2 | payload] > >> + - Stored format: [payload only] > >> + > >> + Auth header size calculation (aligned with U-Boot > >> efi_variable_authenticate()): > >> + auth_size = sizeof(EFI_TIME) + WIN_CERTIFICATE.dwLength > >> + > >> + Only the payload portion is retained after stripping the header. > >> + """ > >> + if not (attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS): > >> + return data > >> + if not data: > >> + return data > >> + > >> + efi = EfiStruct() > >> + if len(data) < efi.var_time_size: > >> + return data > >> + > >> + offset = efi.var_time_size > >> + if len(data) < offset + efi.var_win_cert_size: > >> + return data > >> + > >> + try: > >> + cert_hdr = struct.unpack_from(efi.var_win_cert_fmt, data, offset) > >> + dwLength = cert_hdr[0] > >> + except struct.error: > >> + return data > >> + > >> + auth_size = efi.var_time_size + dwLength > >> + if auth_size <= 0 or auth_size > len(data): > >> + return data > >> + > >> + if len(data) <= auth_size: > >> + return b'' > >> + return data[auth_size:] > >> + > >> class EfiVariableStore: > >> def __init__(self, infile): > >> self.infile = infile > >> @@ -172,8 +216,12 @@ class EfiVariableStore: > >> break > >> offs = loffs > >> > >> + if data and (attrs & > >> EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS): > >> + data = strip_auth_descriptor(data, attrs) > >> + size = len(data) if data else 0 > >> + > >> tsec = int(time.time()) if attrs & > >> EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS else 0 > >> - nd = name.encode('utf_16_le') + b"\x00\x00" + data > >> + nd = name.encode('utf_16_le') + b"\x00\x00" + (data if data else > >> b'') > >> # U-Boot variable format requires the name + data blob to be > >> 8-byte aligned > >> pad = ((len(nd) + 7) & ~7) - len(nd) > >> nd += bytes([0] * pad) > >> -- > >> 2.34.1 > >>
