Commit Graph

14 Commits

Author SHA1 Message Date
Liming Gao f7496d7173 BaseTools: Clean up source files
1. Do not use tab characters
2. No trailing white space in one line
3. All files must end with CRLF

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liming Gao <liming.gao@intel.com>
Cc: Yonghong Zhu <yonghong.zhu@intel.com>
Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com>
2018-07-09 10:25:47 +08:00
Gary Lin ccaa7754a2 BaseTools: Adjust the spaces around commas and colons
Based on "futurize -f lib2to3.fixes.fix_ws_comma"

Contributed-under: TianoCore Contribution Agreement 1.1
Cc: Yonghong Zhu <yonghong.zhu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com>
2018-06-27 16:33:25 +08:00
Gary Lin 87d2afd07c BaseTools: Remove the old python "not-equal"
Replace "<>" with "!=" to be compatible with python3.

Contributed-under: TianoCore Contribution Agreement 1.1
Cc: Yonghong Zhu <yonghong.zhu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com>
2018-06-27 16:33:22 +08:00
Gary Lin 72443dd250 BaseTools: Refactor python print statements
Refactor print statements to be compatible with python 3.
Based on "futurize -f libfuturize.fixes.fix_print_with_import"

Contributed-under: TianoCore Contribution Agreement 1.1
Cc: Yonghong Zhu <yonghong.zhu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com>
2018-06-27 16:33:21 +08:00
Liming Gao d1b777440b BaseTools: Update Rsa2048Sha256Sign to use openssl dgst option
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liming Gao <liming.gao@intel.com>
Cc: Yonghong Zhu <yonghong.zhu@intel.com>
Cc: Qin Long <qin.long@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2018-03-28 09:58:43 +08:00
Liming Gao 1d574dfc15 BaseTools: Update Rsa2048Sha256Sign to use openssl standard options
sha256 is not the standard option. It should be replaced by sha -sha256.
Otherwise, it doesn't work in MAC OS.

In V2, update the option to sha1 -sha256.
In late openssl version >= 1.1, there is no sha option, but has sha1,sha256.
In previous openssl version < 1.1, there is no sha256, but has sha,sha1.
To work with all openssl version, use sha1 -sha256 for it.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liao Jui-peng <jui-pengx.liao@intel.com>
Signed-off-by: Liming Gao <liming.gao@intel.com>
Cc: Michael Kinney <michael.d.kinney@intel.com>
Cc: Yonghong Zhu <yonghong.zhu@intel.com>
Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com>
2018-03-27 16:11:00 +08:00
Yonghong Zhu a3607b263b BaseTools: Rsa2048Sha256Sign Tool to support OPENSSL_PATH has space
Update Rsa2048Sha256Sign Tool to support the case that OPENSSL_PATH has
space characters.

Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yonghong Zhu <yonghong.zhu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2017-04-27 21:20:19 +08:00
Yonghong Zhu a5f26fefca BaseTools: Update Pkcs7 and RSA2048 tool with shell=True
Pkcs7Sign, Rsa2048Sha256Sign and Rsa2048Sha256GenerateKeys doesn't work
on Linux. It needs to be changed with shell=True.

Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yonghong Zhu <yonghong.zhu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2017-03-29 16:45:24 +08:00
Yonghong Zhu 8a0933f436 BaseTools: Update some tool with shell=True
Pkcs7Sign, Rsa2048Sha256Sign and Rsa2048Sha256GenerateKeys doesn't work
on Linux. It needs to be changed with shell=True.

Fixes: https://bugzilla.tianocore.org/show_bug.cgi?id=423
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yonghong Zhu <yonghong.zhu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2017-03-18 16:38:04 +08:00
Yonghong Zhu 245cda6641 BaseTools: Update sign tool to make MonotonicCount *after* Payload
The WIN_CERTIFICATE_UEFI_GUID AuthInfo defined in the UEFI spec
mentioned that It is a signature across the image data and the
Monotonic Count value. After clarification, we do the signature
calculation, we put MonotonicCount after Payload.

Cc: Liming Gao <liming.gao@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yonghong Zhu <yonghong.zhu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Tested-by: Jiewen Yao <jiewen.yao@intel.com>
2016-10-17 13:26:22 +08:00
Yonghong Zhu 9b98c41640 BaseTools: Rsa2048Sha256Sign add new option to support Monotonic count
the EFI_FIRMWARE_IMAGE_AUTHENTICATION struct require the AuthInfo which
is a signature across the image data and the Monotonic Count value, so we
add the new option to support Monotonic count.

Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yonghong Zhu <yonghong.zhu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2016-08-19 15:35:02 +08:00
Yingke Liu b40286bbec BaseTools: Do not create an empty file if Rsa2048Sha256Sign was failed.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yingke Liu <yingke.d.liu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17774 6f19259b-4bc3-4df7-8a09-765794883524
2015-07-01 05:14:28 +00:00
Michael Kinney c9df168fa0 Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Michael Kinney  <michael.d.kinney@intel.com>
Reviewed-by: lhauch <larry.hauch@intel.com>

Fix the behavior of the –version flag in the Rsa2048Sha256 tools and update logic for showing program name, version, usage, and copyright information to match other BaseTools.




git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15805 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-14 20:08:17 +00:00
Michael Kinney 65ce860e49 Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Michael Kinney  <michael.d.kinney@intel.com>
Reviewed-by: Yingke Liu <yingke.d.liu@intel.com>

Add support for RSA 2048 SHA 256 signing and verification encoded in a PI FFS GUIDED Encapsulation Section.  The primary use case of this feature is in support of signing and verification of encapsulated FVs for Recovery and Capsule Update, but can potentially be used for signing and verification of any content that can be stored in a PI conformant FFS file.  Signing operations are performed from python scripts that wrap OpenSsl command line utilities.  Verification operations are performed using the OpenSsl libraries in the CryptoPkg.

The guided encapsulation sections uses the UEFI 2.4 Specification defined GUID called EFI_CERT_TYPE_RSA2048_SHA256_GUID.  The data layout for the encapsulation section starts with the UEFI 2.4 Specification defined structure called EFI_CERT_BLOCK_RSA_2048_SHA256 followed immediately by the data.  The signing tool included in these patches performs encode/decode operations using this data layout.  HashType is set to the UEFI 2.4 Specification defined GUID called EFI_HASH_ALGORITHM_SHA256_GUID.

MdePkg/Include/Guid/WinCertificate.h
================================= 
//
// WIN_CERTIFICATE_UEFI_GUID.CertType
// 
#define EFI_CERT_TYPE_RSA2048_SHA256_GUID \
  {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } }

///
/// WIN_CERTIFICATE_UEFI_GUID.CertData
/// 
typedef struct {
  EFI_GUID  HashType;
  UINT8     PublicKey[256];
  UINT8     Signature[256];
} EFI_CERT_BLOCK_RSA_2048_SHA256;

MdePkg/Include/Protocol/Hash.h
================================= 
#define EFI_HASH_ALGORITHM_SHA256_GUID \
  { \
    0x51aa59de, 0xfdf2, 0x4ea3, {0xbc, 0x63, 0x87, 0x5f, 0xb7, 0x84, 0x2e, 0xe9 } \
  }

The verification operations require the use of public key(s).  A new PCD called gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer is added to the SecurityPkg that supports one or more SHA 256 hashes of the public keys.  A SHA 256 hash is performed to minimize the FLASH overhead of storing the public keys.  When a verification operation is performed, a SHA 256 hash is performed on EFI_CERT_BLOCK_RSA_2048_SHA256.PublicKey and a check is made to see if that hash matches any of the hashes in the new PCD.  It is recommended that this PCD always be configured in the DSC file as storage type of [PcdsDynamixExVpd], so the public keys are stored in a protected read-only region.

While working on this feature, I noticed that the CRC32 signing and verification feature was incomplete.  It only supported CRC32 based verification in the DXE Phase, so the attached patches also provide support for CRC32 based verification in the PEI Phase.

I also noticed that the most common method for incorporating guided section extraction libraries was to directly link them to the DXE Core, which is not very flexible.  The attached patches also add a generic section extraction PEIM and a generic section extraction DXE driver that can each be linked against one or more section extraction libraries.  This provides a platform developer with the option of providing section extraction services with the DXE Core or providing section extraction services with these generic PEIM/DXE Drivers.

Patch Summary
==============
1)	BaseTools - Rsa2049Sha256Sign python script that can perform test signing or custom signing of PI FFS file GUIDed sections
  a.	Wrapper for a set of OpenSsl command line utility operations
  b.	OpenSsl command line tool must be installed in location that is in standard OS path or in path specified by OS environment variable called OPENSSL_PATH
  c.	Provides standard EDK II command line arguments for a tool that encodes/decodes guided encapsulation section 

Rsa2048Sha256Sign - Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
usage: Rsa2048Sha256Sign -e|-d [options] <input_file>

positional arguments:
  input_file            specify the input filename

optional arguments:
  -e                    encode file
  -d                    decode file
  -o filename, --output filename
                        specify the output filename
  --private-key PRIVATEKEYFILE
                        specify the private key filename. If not specified, a
                        test signing key is used.
  -v, --verbose         increase output messages
  -q, --quiet           reduce output messages
  --debug [0-9]         set debug level
  --version             display the program version and exit
  -h, --help            display this help text

2)	BaseTools - Rsa2049Sha256GenerateKeys python script that can generate new private/public key and PCD value that is SHA 256 hash of public key using OpenSsl command line utilities.
  a.	Wrapper for a set of OpenSsl command line utility operations
  b.	OpenSsl command line tool must be installed in location that is in standard path or in path specified by OS environment variable called OPENSSL_PATH

Rsa2048Sha256GenerateKeys - Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
usage: Rsa2048Sha256GenerateKeys [options]

optional arguments:
  -o [filename [filename ...]], --output [filename [filename ...]]
                        specify the output private key filename in PEM format
  -i [filename [filename ...]], --input [filename [filename ...]]
                        specify the input private key filename in PEM format
  --public-key-hash PUBLICKEYHASHFILE
                        specify the public key hash filename that is SHA 256
                        hash of 2048 bit RSA public key in binary format
  --public-key-hash-c PUBLICKEYHASHCFILE
                        specify the public key hash filename that is SHA 256
                        hash of 2048 bit RSA public key in C structure format
  -v, --verbose         increase output messages
  -q, --quiet           reduce output messages
  --debug [0-9]         set debug level
  --version             display the program version and exit
  -h, --help            display this help text

3)	BaseTools\Conf\tools_def.template
  a.	Define GUID/Tool to perform RSA 2048 SHA 256 test signing and instructions on how to use alternate private/public key
b.	GUID is EFI_CERT_TYPE_RSA2048_SHA256_GUID
  c.	Tool is Rsa2049Sha256Sign
4)	MdeModulePkg\Library\PeiCrc32GuidedSectionExtractionLib
  a.	Add peer for DxeCrc32GuidedSectionExtractionLib so both PEI and DXE phases can perform basic integrity checks of PEI and DXE components
5)	MdeModulePkg\Universal\SectionExtractionPei
  a.	Generic PEIM that can link against one or more NULL section extraction library instances to provided one or more GUIDED Section Extraction PPIs
6)	MdeModulePkg\Universal\SectionExtractionDxe
  a.	Generic DXE Driver that can link against one or more NULL section extraction library instances to provide one or more GUIDED Section Extraction Protocols.
7)	SecurityPkg\Library\PeiRsa2048Sha256GuidedSectionExtractLib
  a.	NULL library instances that performs PEI phase RSA 2048 SHA 256 signature verification using OpenSsl libraries from CryptoPkg.
  b.	Based on algorithms from SecurityPkg Authenticated Variable services
  c.	Uses public key from gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer.
8)	SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib
  a.	NULL library instances that performs DXE phase RSA 2048 SHA 256 signature verification using OpenSsl libraries from CryptoPkg.
  b.	Based on algorithms from SecurityPkg Authenticated Variable services
  c.	Uses public key from gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer.




git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15800 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-14 06:30:10 +00:00