Signed-off-by: Michael Kinney <michael.d.kinney@intel.com>
Reviewed-by: lhauch <larry.hauch@intel.com>
Fix the behavior of the –version flag in the Rsa2048Sha256 tools and update logic for showing program name, version, usage, and copyright information to match other BaseTools.
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15805 6f19259b-4bc3-4df7-8a09-765794883524
Signed-off-by: Michael Kinney <michael.d.kinney@intel.com>
Reviewed-by: Yingke Liu <yingke.d.liu@intel.com>
Add support for RSA 2048 SHA 256 signing and verification encoded in a PI FFS GUIDED Encapsulation Section. The primary use case of this feature is in support of signing and verification of encapsulated FVs for Recovery and Capsule Update, but can potentially be used for signing and verification of any content that can be stored in a PI conformant FFS file. Signing operations are performed from python scripts that wrap OpenSsl command line utilities. Verification operations are performed using the OpenSsl libraries in the CryptoPkg.
The guided encapsulation sections uses the UEFI 2.4 Specification defined GUID called EFI_CERT_TYPE_RSA2048_SHA256_GUID. The data layout for the encapsulation section starts with the UEFI 2.4 Specification defined structure called EFI_CERT_BLOCK_RSA_2048_SHA256 followed immediately by the data. The signing tool included in these patches performs encode/decode operations using this data layout. HashType is set to the UEFI 2.4 Specification defined GUID called EFI_HASH_ALGORITHM_SHA256_GUID.
MdePkg/Include/Guid/WinCertificate.h
=================================
//
// WIN_CERTIFICATE_UEFI_GUID.CertType
//
#define EFI_CERT_TYPE_RSA2048_SHA256_GUID \
{0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } }
///
/// WIN_CERTIFICATE_UEFI_GUID.CertData
///
typedef struct {
EFI_GUID HashType;
UINT8 PublicKey[256];
UINT8 Signature[256];
} EFI_CERT_BLOCK_RSA_2048_SHA256;
MdePkg/Include/Protocol/Hash.h
=================================
#define EFI_HASH_ALGORITHM_SHA256_GUID \
{ \
0x51aa59de, 0xfdf2, 0x4ea3, {0xbc, 0x63, 0x87, 0x5f, 0xb7, 0x84, 0x2e, 0xe9 } \
}
The verification operations require the use of public key(s). A new PCD called gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer is added to the SecurityPkg that supports one or more SHA 256 hashes of the public keys. A SHA 256 hash is performed to minimize the FLASH overhead of storing the public keys. When a verification operation is performed, a SHA 256 hash is performed on EFI_CERT_BLOCK_RSA_2048_SHA256.PublicKey and a check is made to see if that hash matches any of the hashes in the new PCD. It is recommended that this PCD always be configured in the DSC file as storage type of [PcdsDynamixExVpd], so the public keys are stored in a protected read-only region.
While working on this feature, I noticed that the CRC32 signing and verification feature was incomplete. It only supported CRC32 based verification in the DXE Phase, so the attached patches also provide support for CRC32 based verification in the PEI Phase.
I also noticed that the most common method for incorporating guided section extraction libraries was to directly link them to the DXE Core, which is not very flexible. The attached patches also add a generic section extraction PEIM and a generic section extraction DXE driver that can each be linked against one or more section extraction libraries. This provides a platform developer with the option of providing section extraction services with the DXE Core or providing section extraction services with these generic PEIM/DXE Drivers.
Patch Summary
==============
1) BaseTools - Rsa2049Sha256Sign python script that can perform test signing or custom signing of PI FFS file GUIDed sections
a. Wrapper for a set of OpenSsl command line utility operations
b. OpenSsl command line tool must be installed in location that is in standard OS path or in path specified by OS environment variable called OPENSSL_PATH
c. Provides standard EDK II command line arguments for a tool that encodes/decodes guided encapsulation section
Rsa2048Sha256Sign - Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
usage: Rsa2048Sha256Sign -e|-d [options] <input_file>
positional arguments:
input_file specify the input filename
optional arguments:
-e encode file
-d decode file
-o filename, --output filename
specify the output filename
--private-key PRIVATEKEYFILE
specify the private key filename. If not specified, a
test signing key is used.
-v, --verbose increase output messages
-q, --quiet reduce output messages
--debug [0-9] set debug level
--version display the program version and exit
-h, --help display this help text
2) BaseTools - Rsa2049Sha256GenerateKeys python script that can generate new private/public key and PCD value that is SHA 256 hash of public key using OpenSsl command line utilities.
a. Wrapper for a set of OpenSsl command line utility operations
b. OpenSsl command line tool must be installed in location that is in standard path or in path specified by OS environment variable called OPENSSL_PATH
Rsa2048Sha256GenerateKeys - Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
usage: Rsa2048Sha256GenerateKeys [options]
optional arguments:
-o [filename [filename ...]], --output [filename [filename ...]]
specify the output private key filename in PEM format
-i [filename [filename ...]], --input [filename [filename ...]]
specify the input private key filename in PEM format
--public-key-hash PUBLICKEYHASHFILE
specify the public key hash filename that is SHA 256
hash of 2048 bit RSA public key in binary format
--public-key-hash-c PUBLICKEYHASHCFILE
specify the public key hash filename that is SHA 256
hash of 2048 bit RSA public key in C structure format
-v, --verbose increase output messages
-q, --quiet reduce output messages
--debug [0-9] set debug level
--version display the program version and exit
-h, --help display this help text
3) BaseTools\Conf\tools_def.template
a. Define GUID/Tool to perform RSA 2048 SHA 256 test signing and instructions on how to use alternate private/public key
b. GUID is EFI_CERT_TYPE_RSA2048_SHA256_GUID
c. Tool is Rsa2049Sha256Sign
4) MdeModulePkg\Library\PeiCrc32GuidedSectionExtractionLib
a. Add peer for DxeCrc32GuidedSectionExtractionLib so both PEI and DXE phases can perform basic integrity checks of PEI and DXE components
5) MdeModulePkg\Universal\SectionExtractionPei
a. Generic PEIM that can link against one or more NULL section extraction library instances to provided one or more GUIDED Section Extraction PPIs
6) MdeModulePkg\Universal\SectionExtractionDxe
a. Generic DXE Driver that can link against one or more NULL section extraction library instances to provide one or more GUIDED Section Extraction Protocols.
7) SecurityPkg\Library\PeiRsa2048Sha256GuidedSectionExtractLib
a. NULL library instances that performs PEI phase RSA 2048 SHA 256 signature verification using OpenSsl libraries from CryptoPkg.
b. Based on algorithms from SecurityPkg Authenticated Variable services
c. Uses public key from gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer.
8) SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib
a. NULL library instances that performs DXE phase RSA 2048 SHA 256 signature verification using OpenSsl libraries from CryptoPkg.
b. Based on algorithms from SecurityPkg Authenticated Variable services
c. Uses public key from gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer.
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15800 6f19259b-4bc3-4df7-8a09-765794883524
relocations
- ADR_PREL_LO21: support for loading a PC relative label offset.
- R_AARCH64_CONDBR19: support for conditional branch instruction (ELF64 code: 280).
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Harry Liebel <Harry.Liebel@arm.com>
Signed-off-by: Olivier Martin <olivier.martin@arm.com>
Reviewed-by: Yingke Liu <yingke.d.liu@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15745 6f19259b-4bc3-4df7-8a09-765794883524
This change will point to the correct location of the rc.exe tool.
RC.exe is used for building UEFI compliant drivers that must have a UEFI_HII_RESOURCE_SECTION generated as part of the .efi image file.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: lhauch <larry.hauch@intel.com>
Reviewed-by: Gao, Liming <liming.gao@intel.com>
Reviewed-by: Yingke Liu <yingke.d.liu@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15735 6f19259b-4bc3-4df7-8a09-765794883524
Vs2013 issue #1: warning message about uninitialized variables or pointers like this:
s:\incbld\ia32\intelframeworkmodulepkg\bus\isa\isabusdxe\isabus.c(395) : warning C4701: potentially uninitialized local variable 'DevicePathData' used
s:\incbld\ia32\intelframeworkmodulepkg\bus\isa\isabusdxe\isabus.c(395) : warning C4703: potentially uninitialized local pointer variable 'DevicePathData' used
LINK : fatal error LNK1257: code generation failed
The following online messages shows discussions related to this vs2013 issue and how Microsoft engineer responded. They suggest a work around by adding the initialization for the variables.
https://connect.microsoft.com/VisualStudio/feedback/details/816730/bogus-warning-from-vs-2013
Vs2013 issue #2:
C:\Program Files\Windows Kits\8.1\include\um\winnt.h(5105) : error C2220: warning treated as error - no 'object' file generated
C:\Program Files\Windows Kits\8.1\include\um\winnt.h(5105) : warning C4005: 'InterlockedCompareExchange64' : macro redefinition
This happened for Nt32Pkg.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wang, Yu <yu.wang@intel.com>
Reviewed-by: Gao, Liming <liming.gao@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15722 6f19259b-4bc3-4df7-8a09-765794883524
As long as $EDK_TOOLS_PATH is properly set, the BaseTools/ directory
is not necessary in the workspace. The BuildEnv file itself suggests
setting the variable if BaseTools/ is not available.
However, this only works if the user also sets $WORKSPACE. Otherwise,
BuildEnv refuses to set WORKSPACE itself and does not even try to use
the preset $EDK_TOOLS_PATH. Remove the check that fails, as it does
not have any practical benefit.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15702 6f19259b-4bc3-4df7-8a09-765794883524
GCC 4.9 may use 64-byte (0x40) alignment for data sections.
Therefore we use a different link script for GCC 4.9. The only
difference from the gcc4.4-ld-script is the alignment for data
sections.
When using the GCC48 toolchain with GCC 4.9, this error would be
encountered by GenFw:
> GenFw: ERROR 3000: Invalid
> Unsupported section alignment.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jordan Justen <jordan.l.justen@intel.com>
Reviewed-by: Yingke Liu <yingke.d.liu@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15697 6f19259b-4bc3-4df7-8a09-765794883524
1. Support use expression as DSC file PCD value.
2. Update FDF parser to fix bug to get complete macro value.
3. Fix bug to replace SET statement macro and evaluate SET statement PCD value in FDF file.
4. Fix a bug for MACRO defined in conditional block cannot be processed correctly
Signed-off-by: lgao4
Reviewed-by: gikidy
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12827 6f19259b-4bc3-4df7-8a09-765794883524
1. Fix !include issues
2. Fix Trim to skip the postfix 'U' for hexadecimal and decimal numbers
3. Fix building error C2733 when building C++ code.
4. Add GCC46 tool chain definition
5. Add new RVCT and RVCTLINUX tool chains
Signed-off-by: lgao4
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12782 6f19259b-4bc3-4df7-8a09-765794883524
1. Fix the issue that root directory of disk can’t be used as WORKSPACE.
2. Update AutoGen code style to pass C++ compiler.
Signed-off-by: lgao4
Reviewed-by: jsu1
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12676 6f19259b-4bc3-4df7-8a09-765794883524
This allows for the UNIXGCC_*_PETOOLS_PREFIX and CYGWIN_* macros
to potentially have a prefix before the executable name. This allows
more flexibility for gcc/binutils when the executables include
a prefix. Some commented examples are shown where this might be used.
For example:
DEFINE UNIXGCC_IA32_PETOOLS_PREFIX = i386-pc-mingw32-
or
DEFINE UNIXGCC_IA32_PETOOLS_PREFIX = ENV(HOME)/programs/gcc/ia32/bin/i686-pc-mingw32-
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9076 6f19259b-4bc3-4df7-8a09-765794883524
The new version of mingw-w64-snapshot-20090419.tar.bz2
requires a modification to
IntelFrameworkModulePkg/Library/LzmaCustomDecompressLib/UefiLzma.h
in order to build successfully with the new mingw header files.
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9027 6f19259b-4bc3-4df7-8a09-765794883524
The modifications includes:
1) Correct the issue that build tool generate UINT8 array for unicode string type PCD, it maybe cause alignment issue. Now build tool will generate UINT16 array for unicode string type PCD.
2) Merge FdfParser.py updates to FdfParserLite.py
3) Replace EFI_IMAGE_NT_HEADERS with EFI_IMAGE_OPTIONAL_HEADER_UNION. (GenFv)
The code referencing EFI_IMAGE_NT_HEADERS has been modified to
refer to EFI_IMAGE_OPTIONAL_HEADER_UNION => Pe32/Pe32Plus.
4) Remove definitions of build machine specific types.
Remove EFI_IMAGE_OPTIONAL_HEADER, EFI_IMAGE_NT_HEADERS,
EFI_IMAGE_NT_OPTIONAL_HDR_MAGIC, and EFI_IMAGE_MACHINE_TYPE_SUPPORTED,
since these were defined differently based on the architecture
of the build machine. The BaseTools should support the edk2
supported processor architectures and not depend on the architecture
of the build platform.
5) Added support for the ARM processor type
Added RVCT as a ToolChainFamily (Real View Compiler Tools from ARM)
Enabled FixedAtBuild 32-bit PCDs to be used from GCC or RVCT assembler.
Updated GenFw to support RVCT ELF images and removed #ifdefs for ELF. Also made ELF to PE/COFF features available on all supported build targets for the tools by adding some FreeBSD ELF headers.
Updated GenFv to support the ARM reset vector in ZeroBytes of the FV header.
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@8872 6f19259b-4bc3-4df7-8a09-765794883524
The modifications are:
1. Support BuildRuleFamily attribute of tool chain tag to be filtered build rule.
2. Enhance GenFds tool to get the default PcdValue from DEC file.
3. Enhance AutoGen to generate library function constructors for SEC type module.
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@8764 6f19259b-4bc3-4df7-8a09-765794883524
The modification is add additional checking for whether need renew the immediate file workspace database, the renew reason maybe:
The renew reason maybe:
1) If user force to renew;
2) If user do not force renew, and
a) If the time of last modified python source is newer than database file;
b) If the time of last modified frozen executable file is newer than database file, the executable file is build.exe in window and build in Linux/Unix/OSX
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@8615 6f19259b-4bc3-4df7-8a09-765794883524
This patch including following change:
1) Build tools:
a) StringTable in generated PCD database is changed to UINT8 array but not original UINT16, because it can also stored the ANSIC and byte array.
b) The layout of string table in PCD database is changed. To make sure unicode string is in double byte aligned, the item in string table which hold unicode string value will be put ahead than other items. After unicode string item, the HII variable name item is immediate. The byte array item and ANSIC string array item will be put at tail of whole string table.
c) Fix bug that build tools does not handle the size of unicode string, byte array and ANSIC string.
2) PCD PEI/DXE driver:
The pointer of StringTable is changed to UINT8* but not original UINT16*.
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@8392 6f19259b-4bc3-4df7-8a09-765794883524
1. Incorrect usage help of TianoCompress tool
2. Wrong check for the input parameters of GenVtf tool.
3. The potential issues to get FFS files in GenFv tool.
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@8379 6f19259b-4bc3-4df7-8a09-765794883524
1) The collect action of platform's dynamic PCD database is trigged by module's autogen action.
2) If platform is used for more than one architecture, two platform object will be created
Above two rules will cause an issue for single module building that if
1) platform support IA32 and X64
2) do single module for X64 module
then, the dynamic PCD for IA32 modules will missed in PCD database, because no IA32 module need autogen so collection action for IA32 module is not trigged.
Now, I think the collection action for platform dynamic PCD should be explicitly called after PlatformAutoGen is created.
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@8323 6f19259b-4bc3-4df7-8a09-765794883524
a. Fixed PCD database error
b. Fixed inf file extension issue
c. Fixed an issue in which RealPath() returns None if WORKSPACE root was passed in
d. Check MODULE_TYPE and COMPONENT_TYPE to be defined
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@7994 6f19259b-4bc3-4df7-8a09-765794883524
default value used the HOME environment variable, which is
not always defined on windows, and therefore will
cause the build to break for windows based builds.
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@7986 6f19259b-4bc3-4df7-8a09-765794883524