refactoring: write signature to array

Author: h908714124

Makefile

@@ -28,6 +28,9 @@ sigtest: sign-efi-sig-list
 	./sign-efi-sig-list -g $(TEST_OWNER) -t "2025-03-24 14:26:01" -k KEK.key -c KEK.crt db fedora.esl fedora.auth
 	md5sum fedora.auth | grep -q ^960a4d050 && printf "\033[1;32m[OK]\033[0m\n" || printf "\033[1;31m[FAIL]\033[0m\n"
 
+expand:
+	$(CC) -E $(CFLAGS) sign-efi-sig-list.c
+
 clean:
 	rm -f mkefivardata cert-to-efi-sig-list sign-efi-sig-list
 

README.md

@@ -1,8 +1,10 @@
 # mkefivardata
 
-Source: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
+[Upstream](https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git)
 
-openssl engines: https://github.com/openssl/openssl/blob/master/README-ENGINES.md
+[Services Runtime Services](https://uefi.org/specs/UEFI/2.11/08_Services_Runtime_Services.html)
+
+[Secure Boot and Driver Signing](https://uefi.org/specs/UEFI/2.11/32_Secure_Boot_and_Driver_Signing.html)
 
 To enroll signed secureboot keys, aka `.auth` files, [efitools is needed](https://github.com/Foxboron/sbctl/issues/434). The purpose of `mkefivardata` is to convert  `.auth` to a format which can be enrolled on a system where `efitools` is not available. This facilitates rollout of secureboot keys on "untrusted" machines.
 

cert-to-efi-sig-list.c

@@ -64,7 +64,6 @@ int main(int argc, char *argv[])
 	X509 *cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL);
 	unsigned char *PkCert = NULL;
 	UINT32 PkCertLen = i2d_X509(cert, &PkCert);
-	UINT32 zero = 0;
 
 	UINT32 signature_size = PkCertLen + sizeof(EFI_GUID);
 	UINT32 result_size = PkCertLen + 2 * sizeof(EFI_GUID) + 3 * sizeof(UINT32);
@@ -73,7 +72,7 @@ int main(int argc, char *argv[])
 	// https://uefi.org/specs/UEFI/2.11/32_Secure_Boot_and_Driver_Signing.html
 	memcpy(result + 0 * sizeof(EFI_GUID) + 0 * sizeof(UINT32), &EFI_CERT_X509_GUID, sizeof(EFI_GUID)); // SignatureType
 	memcpy(result + 1 * sizeof(EFI_GUID) + 0 * sizeof(UINT32), &result_size, sizeof(UINT32));          // SignatureListSize
-	memcpy(result + 1 * sizeof(EFI_GUID) + 1 * sizeof(UINT32), &zero, sizeof(UINT32));                 // SignatureHeaderSize
+	memset(result + 1 * sizeof(EFI_GUID) + 1 * sizeof(UINT32), 0, sizeof(UINT32));                 // SignatureHeaderSize
 	memcpy(result + 1 * sizeof(EFI_GUID) + 2 * sizeof(UINT32), &signature_size, sizeof(UINT32));       // SignatureSize
 	memcpy(result + 1 * sizeof(EFI_GUID) + 3 * sizeof(UINT32), &owner, sizeof(EFI_GUID));              // Signatures[0]->SignatureOwner
 	memcpy(result + 2 * sizeof(EFI_GUID) + 3 * sizeof(UINT32), PkCert, PkCertLen);                     // Signatures[0]->SignatureData

include/efiauthenticated.h

@@ -147,6 +147,13 @@ typedef struct {
   UINT8     Signature[256];
 } EFI_CERT_BLOCK_RSA_2048_SHA256;
 
+/// https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html
+///
+/// typedef struct {
+///   UINT32             dwLength;
+///   UINT16             wRevision;
+///   UINT16             wCertificateType;
+/// } WIN_CERTIFICATE;
 
 ///
 /// Certificate which encapsulates a GUID-specific digital signature

sign-efi-sig-list.c

@@ -168,29 +168,57 @@ int main(int argc, char *argv[])
 		exit(1);
 	printf("Signature of size %d\n", sigsize);
 
-	int outlen = OFFSET_OF(EFI_VARIABLE_AUTHENTICATION_2, AuthInfo.CertData) + sigsize;
-	EFI_VARIABLE_AUTHENTICATION_2 *var_auth = malloc(outlen);
+	int outlen = sizeof(EFI_TIME) + sizeof(WIN_CERTIFICATE) + sizeof(EFI_GUID) + sigsize + st.st_size;
+	unsigned char *var_auth = malloc(outlen);
 
-	var_auth->TimeStamp = timestamp;
-	var_auth->AuthInfo.CertType = EFI_CERT_TYPE_PKCS7_GUID;
-	var_auth->AuthInfo.Hdr.dwLength = sigsize + OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData);
-	var_auth->AuthInfo.Hdr.wRevision = 0x0200;
-	var_auth->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
+	// The length of the entire certificate, including the length of the header, in bytes.
+	// -- Is this correct? What about sizeof(EFI_TIME) and st.st_size?
+	UINT32 dwLength = sizeof(WIN_CERTIFICATE) + sizeof(EFI_GUID) + sigsize;
 
-	memcpy(var_auth->AuthInfo.CertData, sigbuf, sigsize);
-	sigbuf = var_auth->AuthInfo.CertData;
-	printf("Signature at: %ld\n", sigbuf - (unsigned char *)var_auth);
+	// The revision level of the WIN_CERTIFICATE structure. The current revision level is 0x0200.
+	UINT16 wRevision = 0x0200;
+
+	// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI certificate types.
+	// The UEFI specification reserves the range of certificate type values from 0x0EF0 to 0x0EFF.
+	UINT16 wCertificateType = WIN_CERT_TYPE_EFI_GUID;
+
+	// This is the unique id which determines the format of the CertData.
+	EFI_GUID certType = EFI_CERT_TYPE_PKCS7_GUID;
+
+	// EFI_TIME TimeStamp
+	memcpy(var_auth, &timestamp, sizeof(EFI_TIME));
+
+	// UINT32 AuthInfo.Hdr.dwLength
+	memcpy(var_auth + sizeof(EFI_TIME), &dwLength, sizeof(UINT32));
+
+	// UINT16 AuthInfo.Hdr.wRevision
+	memcpy(var_auth + sizeof(EFI_TIME) + sizeof(UINT32), &wRevision, sizeof(UINT16));
+
+	// UINT16 AuthInfo.Hdr.wCertificateType
+	memcpy(var_auth + sizeof(EFI_TIME) + sizeof(UINT32) + sizeof(UINT16),
+		&wCertificateType, sizeof(UINT16));
+
+	// EFI_GUID AuthInfo.CertType
+	memcpy(var_auth + sizeof(EFI_TIME) + sizeof(WIN_CERTIFICATE),
+		&certType, sizeof(EFI_GUID));
+
+	// AuthInfo.CertData
+	memcpy(var_auth + sizeof(EFI_TIME) + sizeof(WIN_CERTIFICATE) + sizeof(EFI_GUID),
+		sigbuf, sigsize);
+
+	// Authentication header complete, now write the payload
+	memcpy(var_auth + sizeof(EFI_TIME) + sizeof(WIN_CERTIFICATE) + sizeof(EFI_GUID) + sigsize,
+		signbuf + signbuf_header_len, st.st_size);
 
 	int fdoutfile = open(outfile, O_CREAT|O_WRONLY|O_TRUNC, S_IWUSR|S_IRUSR);
 	if (fdoutfile == -1) {
 		fprintf(stderr, "failed to open %s: ", outfile);
 		perror("");
 		exit(1);
 	}
-	/* first we write the authentication header */
+
 	write(fdoutfile, var_auth, outlen);
-	/* Then we write the payload */
-	write(fdoutfile, signbuf + signbuf_header_len, st.st_size);
+
 	/* so now the file is complete and can be fed straight into
 	 * SetVariable() as an authenticated variable update */
 	close(fdoutfile);