68b4c4b481
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4821 - The capsule payload digest got hardcoded inside the GenerateCapsule script as "sha256". - It would be hard for the caller to change the supported hash algorithm which supported on OpenSSL or Windows signtool program and platform. - Capsule payload digest signed data is followed by the PKCS#7 standard, in EDK-II CryptoPkg "Pkcs7Verify ()" is supported to validate with several hash algorithms naturally. (md5, sha1, sha256, sha384, and sha512) - Deliver below changes within this patch, (1) Introduce an optional argument "--hash-algorithm" to assign the caller expected one and leave the default value "sha256" to support the backward compatibility. (2) Add the double quotes to put the string of certificate's subject name inside it. (3) Set "Open" argument of "SignToolSubjectName" into "False". (4) Set "Convert" argument of "SignToolSubjectName: into "str". (5) Correct the actual name of the "--subject-name" flag. (6) Add back correct number of arguments for PayloadDescriptor class object initializing. Note: - Platform needs to support the correspond hash algorithm to validate the digital signature or the failure would be observed. - Set the md5 and sha1 algorithm as EOL based on the CryptoPkg supported table and reject the capsule creation. Signed-off-by: Jason1 Lin <jason1.lin@intel.com> |
||
|---|---|---|
| .. | ||
| AmlToC | ||
| AutoGen | ||
| BPDG | ||
| Capsule | ||
| Common | ||
| CommonDataClass | ||
| Ecc | ||
| Eot | ||
| FMMT | ||
| FirmwareStorageFormat | ||
| GenFds | ||
| GenPatchPcdTable | ||
| PatchPcdValue | ||
| Pkcs7Sign | ||
| Rsa2048Sha256Sign | ||
| Split | ||
| Table | ||
| TargetTool | ||
| Trim | ||
| UPT | ||
| Workspace | ||
| build | ||
| tests/Split | ||
| GNUmakefile | ||
| Makefile | ||
| README.md | ||
| basetool_tiano_python_path_env.yaml | ||
| sitecustomize.py | ||
README.md
Edk2 Basetools
This folder has traditionally held the source of Python based tools used by EDK2.
The official repo this source has moved to https://github.com/tianocore/edk2-basetools.
This folder will remain in the tree until the next stable release (expected 202102).
There is a new folder under Basetools BinPipWrappers that uses the pip module rather than this tree for Basetools.
By adding the scope pipbuild-win or pipbuild-unix (depending on your host system), the SDE will use the
BinPipWrappers instead of the regular BinWrappers.
Why Move It?
The discussion is on the mailing list. The RFC is here: https://edk2.groups.io/g/rfc/topic/74009714#270 The benefits allow for the Basetools project to be used separately from EDK2 itself as well as offering it in a globally accessible manner. This makes it much easier to build a module using Basetools. Separating the Basetools into their own repo allows for easier CI and contribution process. Additional pros, cons, and process can be found on the mailing list.
How Do I Install It?
By default, EDK2 is tied to and tested with a specific version of the Basetools through pip-requirements.txt.
You can simply run:
pip install -r pip-requirements.txt
This will install the required module, thought we strongly suggest setting up a virtual environment. Additionally, you can also install a local clone of the Basetools as well as a specific git commit.