Skip to content

Commit 19c030d

Browse files
h908714124h908714124
committed
some refactoring
add test for mkefivardata
1 parent 459a4f5 commit 19c030d

4 files changed

Lines changed: 56 additions & 34 deletions

File tree

Makefile

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,10 @@ sigtest: sign-efi-sig-list
2828
./sign-efi-sig-list -g $(TEST_OWNER) -t "2025-03-24 14:26:01" -k KEK.key -c KEK.crt db fedora.esl fedora.auth
2929
md5sum fedora.auth | grep -q ^960a4d050 && printf "\033[1;32m[OK]\033[0m\n" || printf "\033[1;31m[FAIL]\033[0m\n"
3030

31+
efitest: mkefivardata
32+
./mkefivardata -q fedora.auth fedora.vardata
33+
md5sum fedora.vardata | grep -q ^c0c07e6b0 && printf "\033[1;32m[OK]\033[0m\n" || printf "\033[1;31m[FAIL]\033[0m\n"
34+
3135
expand:
3236
$(CC) -E $(CFLAGS) sign-efi-sig-list.c
3337

cert-to-efi-sig-list.c

Lines changed: 33 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,8 @@ int main(int argc, char *argv[])
3434
{
3535
char *certfile, *efifile;
3636
const char *progname = argv[0];
37-
EFI_GUID owner = { 0 };
37+
EFI_GUID owner;
38+
memset(&owner, 0, sizeof(EFI_GUID));
3839

3940
while (argc > 1) {
4041
if (strcmp("--version", argv[1]) == 0) {
@@ -63,19 +64,39 @@ int main(int argc, char *argv[])
6364
BIO *cert_bio = BIO_new_file(certfile, "r");
6465
X509 *cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL);
6566
unsigned char *PkCert = NULL;
66-
UINT32 PkCertLen = i2d_X509(cert, &PkCert);
67+
uint32_t PkCertLen = i2d_X509(cert, &PkCert);
6768

68-
UINT32 signature_size = PkCertLen + sizeof(EFI_GUID);
69-
UINT32 result_size = PkCertLen + 2 * sizeof(EFI_GUID) + 3 * sizeof(UINT32);
69+
uint32_t signature_size = PkCertLen + sizeof(EFI_GUID);
70+
uint32_t result_size = PkCertLen + 2 * sizeof(EFI_GUID) + 3 * sizeof(uint32_t);
7071
unsigned char *result = malloc(result_size);
71-
72-
// https://uefi.org/specs/UEFI/2.11/32_Secure_Boot_and_Driver_Signing.html
73-
memcpy(result + 0 * sizeof(EFI_GUID) + 0 * sizeof(UINT32), &EFI_CERT_X509_GUID, sizeof(EFI_GUID)); // SignatureType
74-
memcpy(result + 1 * sizeof(EFI_GUID) + 0 * sizeof(UINT32), &result_size, sizeof(UINT32)); // SignatureListSize
75-
memset(result + 1 * sizeof(EFI_GUID) + 1 * sizeof(UINT32), 0, sizeof(UINT32)); // SignatureHeaderSize
76-
memcpy(result + 1 * sizeof(EFI_GUID) + 2 * sizeof(UINT32), &signature_size, sizeof(UINT32)); // SignatureSize
77-
memcpy(result + 1 * sizeof(EFI_GUID) + 3 * sizeof(UINT32), &owner, sizeof(EFI_GUID)); // Signatures[0]->SignatureOwner
78-
memcpy(result + 2 * sizeof(EFI_GUID) + 3 * sizeof(UINT32), PkCert, PkCertLen); // Signatures[0]->SignatureData
72+
EFI_GUID signatureType = EFI_CERT_X509_GUID;
73+
74+
// EFI_SIGNATURE_LIST.SignatureType
75+
// Type of the signature. GUID signature types are defined in “Related Definitions” below.
76+
memcpy(result, &signatureType, sizeof(EFI_GUID));
77+
78+
// EFI_SIGNATURE_LIST.SignatureListSize
79+
// Total size of the signature list, including this header.
80+
memcpy(result + sizeof(EFI_GUID),
81+
&result_size, sizeof(uint32_t));
82+
83+
// EFI_SIGNATURE_LIST.SignatureHeaderSize
84+
// Size of the signature header which precedes the array of signatures.
85+
memset(result + sizeof(EFI_GUID) + sizeof(uint32_t), 0, sizeof(uint32_t));
86+
87+
// EFI_SIGNATURE_LIST.SignatureSize
88+
// Size of each signature. Must be at least the size of EFI_SIGNATURE_DATA.
89+
memcpy(result + sizeof(EFI_GUID) + 2 * sizeof(uint32_t),
90+
&signature_size, sizeof(uint32_t));
91+
92+
// EFI_SIGNATURE_LIST.Signatures[0].SignatureOwner
93+
// An identifier which identifies the agent which added the signature to the list.
94+
memcpy(result + sizeof(EFI_GUID) + 3 * sizeof(uint32_t),
95+
&owner, sizeof(EFI_GUID));
96+
97+
// EFI_SIGNATURE_LIST.Signatures[0].SignatureData
98+
memcpy(result + 2 * sizeof(EFI_GUID) + 3 * sizeof(uint32_t),
99+
PkCert, PkCertLen);
79100

80101
FILE *f = fopen(efifile, "w");
81102
if (!f) {

mkefivardata.c

Lines changed: 5 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -39,10 +39,13 @@ EFI_GUID* get_owner(char* var)
3939

4040
int write_vardata(
4141
const char* vardata_file,
42-
uint32_t attributes,
4342
uint32_t size,
4443
void* buf)
4544
{
45+
uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
46+
| EFI_VARIABLE_RUNTIME_ACCESS
47+
| EFI_VARIABLE_BOOTSERVICE_ACCESS
48+
| EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
4649

4750
char* newbuf = malloc(size + sizeof(attributes));
4851
int fd = open(vardata_file, O_RDWR|O_CREAT|O_TRUNC, 0644);
@@ -59,10 +62,6 @@ int write_vardata(
5962

6063
int main(int argc, char *argv[])
6164
{
62-
uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
63-
| EFI_VARIABLE_RUNTIME_ACCESS
64-
| EFI_VARIABLE_BOOTSERVICE_ACCESS
65-
| EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
6665
if (argc == 1) {
6766
usage();
6867
return 1;
@@ -96,7 +95,7 @@ int main(int argc, char *argv[])
9695
}
9796
char* buf = malloc(st.st_size);
9897
read(fd, buf, st.st_size);
99-
int ret = write_vardata(vardata_file, attributes, st.st_size, buf);
98+
int ret = write_vardata(vardata_file, st.st_size, buf);
10099
close(fd);
101100
free(buf);
102101
if (quiet != 0) {

sign-efi-sig-list.c

Lines changed: 14 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -48,11 +48,12 @@ int main(int argc, char *argv[])
4848
EFI_GUID vendor_guid;
4949
struct stat st;
5050
short unsigned int var[MAX_VAR_LEN];
51-
UINT32 attributes = EFI_VARIABLE_NON_VOLATILE
51+
uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
5252
| EFI_VARIABLE_RUNTIME_ACCESS
5353
| EFI_VARIABLE_BOOTSERVICE_ACCESS
5454
| EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
55-
EFI_TIME timestamp = { 0 };
55+
EFI_TIME timestamp;
56+
memset(&timestamp, 0, sizeof(timestamp));
5657

5758
while (argc > 1) {
5859
if (strcmp("--help", argv[1]) == 0) {
@@ -95,7 +96,6 @@ int main(int argc, char *argv[])
9596
vendor_guid = (EFI_GUID){ 0xd719b2cb, 0x3d3a, 0x4596, {0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f }};
9697
}
9798

98-
memset(&timestamp, 0, sizeof(timestamp));
9999
time_t t;
100100
struct tm *tm, tms;
101101

@@ -141,20 +141,19 @@ int main(int argc, char *argv[])
141141
int fdefifile = open(efifile, O_RDONLY);
142142
if (fdefifile == -1) {
143143
fprintf(stderr, "failed to open file %s: ", efifile);
144-
perror("");
145144
exit(1);
146145
}
147146
fstat(fdefifile, &st);
148147

149148
/* signature is over variable name (no null), the vendor GUID, the
150149
* attributes, the timestamp and the contents */
151-
int signbuf_header_len = varlen + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(EFI_TIME);
150+
int signbuf_header_len = varlen + sizeof(EFI_GUID) + sizeof(uint32_t) + sizeof(EFI_TIME);
152151
int signbuflen = signbuf_header_len + st.st_size;
153152
char *signbuf = malloc(signbuflen);
154153
memcpy(signbuf, var, varlen);
155154
memcpy(signbuf + varlen, &vendor_guid, sizeof(EFI_GUID));
156-
memcpy(signbuf + varlen + sizeof(EFI_GUID), &attributes, sizeof(UINT32));
157-
memcpy(signbuf + varlen + sizeof(EFI_GUID) + sizeof(UINT32), &timestamp, sizeof(EFI_TIME));
155+
memcpy(signbuf + varlen + sizeof(EFI_GUID), &attributes, sizeof(uint32_t));
156+
memcpy(signbuf + varlen + sizeof(EFI_GUID) + sizeof(uint32_t), &timestamp, sizeof(EFI_TIME));
158157
read(fdefifile, signbuf + signbuf_header_len, st.st_size);
159158

160159
printf("Authentication Payload size %d\n", signbuflen);
@@ -172,15 +171,15 @@ int main(int argc, char *argv[])
172171
unsigned char *var_auth = malloc(outlen);
173172

174173
// The length of the entire certificate, including the length of the header, in bytes.
175-
// -- Is this correct? What about sizeof(EFI_TIME) and st.st_size?
176-
UINT32 dwLength = sizeof(WIN_CERTIFICATE) + sizeof(EFI_GUID) + sigsize;
174+
// -- Is the timestamp not part of the header?
175+
uint32_t dwLength = sizeof(WIN_CERTIFICATE) + sizeof(EFI_GUID) + sigsize;
177176

178177
// The revision level of the WIN_CERTIFICATE structure. The current revision level is 0x0200.
179-
UINT16 wRevision = 0x0200;
178+
uint16_t wRevision = 0x0200;
180179

181180
// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI certificate types.
182181
// The UEFI specification reserves the range of certificate type values from 0x0EF0 to 0x0EFF.
183-
UINT16 wCertificateType = WIN_CERT_TYPE_EFI_GUID;
182+
uint16_t wCertificateType = WIN_CERT_TYPE_EFI_GUID;
184183

185184
// This is the unique id which determines the format of the CertData.
186185
EFI_GUID certType = EFI_CERT_TYPE_PKCS7_GUID;
@@ -189,14 +188,14 @@ int main(int argc, char *argv[])
189188
memcpy(var_auth, &timestamp, sizeof(EFI_TIME));
190189

191190
// UINT32 AuthInfo.Hdr.dwLength
192-
memcpy(var_auth + sizeof(EFI_TIME), &dwLength, sizeof(UINT32));
191+
memcpy(var_auth + sizeof(EFI_TIME), &dwLength, sizeof(uint32_t));
193192

194193
// UINT16 AuthInfo.Hdr.wRevision
195-
memcpy(var_auth + sizeof(EFI_TIME) + sizeof(UINT32), &wRevision, sizeof(UINT16));
194+
memcpy(var_auth + sizeof(EFI_TIME) + sizeof(uint32_t), &wRevision, sizeof(uint16_t));
196195

197196
// UINT16 AuthInfo.Hdr.wCertificateType
198-
memcpy(var_auth + sizeof(EFI_TIME) + sizeof(UINT32) + sizeof(UINT16),
199-
&wCertificateType, sizeof(UINT16));
197+
memcpy(var_auth + sizeof(EFI_TIME) + sizeof(uint32_t) + sizeof(uint16_t),
198+
&wCertificateType, sizeof(uint16_t));
200199

201200
// EFI_GUID AuthInfo.CertType
202201
memcpy(var_auth + sizeof(EFI_TIME) + sizeof(WIN_CERTIFICATE),
@@ -213,7 +212,6 @@ int main(int argc, char *argv[])
213212
int fdoutfile = open(outfile, O_CREAT|O_WRONLY|O_TRUNC, S_IWUSR|S_IRUSR);
214213
if (fdoutfile == -1) {
215214
fprintf(stderr, "failed to open %s: ", outfile);
216-
perror("");
217215
exit(1);
218216
}
219217

0 commit comments

Comments
 (0)