some refactoring

add test for mkefivardata

Author: h908714124

.github/workflows/make.yml

@@ -9,4 +9,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
-    - run: make esltest && make sigtest
+    - run: |
+      apt-get install -y gnu-efi
+      make esltest || exit 1
+      make sigtest || exit 1
+      make efitest

Makefile

@@ -22,11 +22,15 @@ sign-efi-sig-list: sign-efi-sig-list.c lib/openssl_sign.c
 esltest: cert-to-efi-sig-list
 	rm -f fedora.esl
 	./cert-to-efi-sig-list -g $(TEST_OWNER) fedora.crt fedora.esl
-	md5sum fedora.esl | grep -q ^e868d249 && printf "\033[1;32m[OK]\033[0m\n" || printf "\033[1;31m[FAIL]\033[0m\n"
+	md5sum fedora.esl | grep -q ^e868d249 && printf "\033[1;32m[OK]\033[0m\n"
 
 sigtest: sign-efi-sig-list
 	./sign-efi-sig-list -g $(TEST_OWNER) -t "2025-03-24 14:26:01" -k KEK.key -c KEK.crt db fedora.esl fedora.auth
-	md5sum fedora.auth | grep -q ^960a4d050 && printf "\033[1;32m[OK]\033[0m\n" || printf "\033[1;31m[FAIL]\033[0m\n"
+	md5sum fedora.auth | grep -q ^960a4d050 && printf "\033[1;32m[OK]\033[0m\n"
+
+efitest: mkefivardata
+	./mkefivardata -q fedora.auth fedora.vardata
+	md5sum fedora.vardata | grep -q ^c0c07e6b0 && printf "\033[1;32m[OK]\033[0m\n"
 
 expand:
 	$(CC) -E $(CFLAGS) sign-efi-sig-list.c

cert-to-efi-sig-list.c

@@ -34,7 +34,8 @@ int main(int argc, char *argv[])
 {
 	char *certfile, *efifile;
 	const char *progname = argv[0];
-	EFI_GUID owner = { 0 };
+	EFI_GUID owner;
+	memset(&owner, 0, sizeof(EFI_GUID));
 
 	while (argc > 1) {
 		if (strcmp("--version", argv[1]) == 0) {
@@ -63,19 +64,39 @@ int main(int argc, char *argv[])
 	BIO *cert_bio = BIO_new_file(certfile, "r");
 	X509 *cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL);
 	unsigned char *PkCert = NULL;
-	UINT32 PkCertLen = i2d_X509(cert, &PkCert);
+	uint32_t PkCertLen = i2d_X509(cert, &PkCert);
 
-	UINT32 signature_size = PkCertLen + sizeof(EFI_GUID);
-	UINT32 result_size = PkCertLen + 2 * sizeof(EFI_GUID) + 3 * sizeof(UINT32);
+	uint32_t signature_size = PkCertLen + sizeof(EFI_GUID);
+	uint32_t result_size = PkCertLen + 2 * sizeof(EFI_GUID) + 3 * sizeof(uint32_t);
 	unsigned char *result = malloc(result_size);
-
-	// https://uefi.org/specs/UEFI/2.11/32_Secure_Boot_and_Driver_Signing.html
-	memcpy(result + 0 * sizeof(EFI_GUID) + 0 * sizeof(UINT32), &EFI_CERT_X509_GUID, sizeof(EFI_GUID)); // SignatureType
-	memcpy(result + 1 * sizeof(EFI_GUID) + 0 * sizeof(UINT32), &result_size, sizeof(UINT32));          // SignatureListSize
-	memset(result + 1 * sizeof(EFI_GUID) + 1 * sizeof(UINT32), 0, sizeof(UINT32));                 // SignatureHeaderSize
-	memcpy(result + 1 * sizeof(EFI_GUID) + 2 * sizeof(UINT32), &signature_size, sizeof(UINT32));       // SignatureSize
-	memcpy(result + 1 * sizeof(EFI_GUID) + 3 * sizeof(UINT32), &owner, sizeof(EFI_GUID));              // Signatures[0]->SignatureOwner
-	memcpy(result + 2 * sizeof(EFI_GUID) + 3 * sizeof(UINT32), PkCert, PkCertLen);                     // Signatures[0]->SignatureData
+	EFI_GUID signatureType = EFI_CERT_X509_GUID;
+
+	// EFI_SIGNATURE_LIST.SignatureType
+	// Type of the signature. GUID signature types are defined in “Related Definitions” below.
+	memcpy(result, &signatureType, sizeof(EFI_GUID));
+
+	// EFI_SIGNATURE_LIST.SignatureListSize
+	// Total size of the signature list, including this header.
+	memcpy(result + sizeof(EFI_GUID),
+		&result_size, sizeof(uint32_t));
+
+	// EFI_SIGNATURE_LIST.SignatureHeaderSize
+	// Size of the signature header which precedes the array of signatures.
+	memset(result + sizeof(EFI_GUID) + sizeof(uint32_t), 0, sizeof(uint32_t));
+
+	// EFI_SIGNATURE_LIST.SignatureSize
+	// Size of each signature. Must be at least the size of EFI_SIGNATURE_DATA.
+	memcpy(result + sizeof(EFI_GUID) + 2 * sizeof(uint32_t),
+		&signature_size, sizeof(uint32_t));
+
+	// EFI_SIGNATURE_LIST.Signatures[0].SignatureOwner
+	// An identifier which identifies the agent which added the signature to the list.
+	memcpy(result + sizeof(EFI_GUID) + 3 * sizeof(uint32_t),
+		&owner, sizeof(EFI_GUID));
+
+	// EFI_SIGNATURE_LIST.Signatures[0].SignatureData
+	memcpy(result + 2 * sizeof(EFI_GUID) + 3 * sizeof(uint32_t),
+		PkCert, PkCertLen);
 
 	FILE *f = fopen(efifile, "w");
 	if (!f) {

mkefivardata.c

@@ -39,10 +39,13 @@ EFI_GUID* get_owner(char* var)
 
 int write_vardata(
 	const char* vardata_file,
-	uint32_t attributes,
 	uint32_t size,
 	void* buf)
 {
+	uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+		| EFI_VARIABLE_RUNTIME_ACCESS
+		| EFI_VARIABLE_BOOTSERVICE_ACCESS
+		| EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
 
 	char* newbuf = malloc(size + sizeof(attributes));
 	int fd = open(vardata_file, O_RDWR|O_CREAT|O_TRUNC, 0644);
@@ -59,10 +62,6 @@ int write_vardata(
 
 int main(int argc, char *argv[])
 {
-	uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
-		| EFI_VARIABLE_RUNTIME_ACCESS
-		| EFI_VARIABLE_BOOTSERVICE_ACCESS
-		| EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
 	if (argc == 1) {
 		usage();
 		return 1;
@@ -96,7 +95,7 @@ int main(int argc, char *argv[])
 	}
 	char* buf = malloc(st.st_size);
 	read(fd, buf, st.st_size);
-	int ret = write_vardata(vardata_file, attributes, st.st_size, buf);
+	int ret = write_vardata(vardata_file, st.st_size, buf);
 	close(fd);
 	free(buf);
 	if (quiet != 0) {

sign-efi-sig-list.c

@@ -48,11 +48,12 @@ int main(int argc, char *argv[])
 	EFI_GUID vendor_guid;
 	struct stat st;
 	short unsigned int var[MAX_VAR_LEN];
-	UINT32 attributes = EFI_VARIABLE_NON_VOLATILE
+	uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
 		| EFI_VARIABLE_RUNTIME_ACCESS
 		| EFI_VARIABLE_BOOTSERVICE_ACCESS
 		| EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-	EFI_TIME timestamp = { 0 };
+	EFI_TIME timestamp;
+	memset(&timestamp, 0, sizeof(timestamp));
 
 	while (argc > 1) {
 		if (strcmp("--help", argv[1]) == 0) {
@@ -95,7 +96,6 @@ int main(int argc, char *argv[])
 		vendor_guid = (EFI_GUID){ 0xd719b2cb, 0x3d3a, 0x4596, {0xa3, 0xbc, 0xda, 0xd0,  0xe, 0x67, 0x65, 0x6f }};
 	}
 
-	memset(&timestamp, 0, sizeof(timestamp));
 	time_t t;
 	struct tm *tm, tms;
 
@@ -141,20 +141,19 @@ int main(int argc, char *argv[])
 	int fdefifile = open(efifile, O_RDONLY);
 	if (fdefifile == -1) {
 		fprintf(stderr, "failed to open file %s: ", efifile);
-		perror("");
 		exit(1);
 	}
 	fstat(fdefifile, &st);
 
 	/* signature is over variable name (no null), the vendor GUID, the
 	 * attributes, the timestamp and the contents */
-	int signbuf_header_len = varlen + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(EFI_TIME);
+	int signbuf_header_len = varlen + sizeof(EFI_GUID) + sizeof(uint32_t) + sizeof(EFI_TIME);
 	int signbuflen = signbuf_header_len + st.st_size;
 	char *signbuf = malloc(signbuflen);
 	memcpy(signbuf, var, varlen);
 	memcpy(signbuf + varlen, &vendor_guid, sizeof(EFI_GUID));
-	memcpy(signbuf + varlen + sizeof(EFI_GUID), &attributes, sizeof(UINT32));
-	memcpy(signbuf + varlen + sizeof(EFI_GUID) + sizeof(UINT32), &timestamp, sizeof(EFI_TIME));
+	memcpy(signbuf + varlen + sizeof(EFI_GUID), &attributes, sizeof(uint32_t));
+	memcpy(signbuf + varlen + sizeof(EFI_GUID) + sizeof(uint32_t), &timestamp, sizeof(EFI_TIME));
 	read(fdefifile, signbuf + signbuf_header_len, st.st_size);
 
 	printf("Authentication Payload size %d\n", signbuflen);
@@ -172,15 +171,15 @@ int main(int argc, char *argv[])
 	unsigned char *var_auth = malloc(outlen);
 
 	// The length of the entire certificate, including the length of the header, in bytes.
-	// -- Is this correct? What about sizeof(EFI_TIME) and st.st_size?
-	UINT32 dwLength = sizeof(WIN_CERTIFICATE) + sizeof(EFI_GUID) + sigsize;
+	// -- Is the timestamp not part of the header?
+	uint32_t dwLength = sizeof(WIN_CERTIFICATE) + sizeof(EFI_GUID) + sigsize;
 
 	// The revision level of the WIN_CERTIFICATE structure. The current revision level is 0x0200.
-	UINT16 wRevision = 0x0200;
+	uint16_t wRevision = 0x0200;
 
 	// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI certificate types.
 	// The UEFI specification reserves the range of certificate type values from 0x0EF0 to 0x0EFF.
-	UINT16 wCertificateType = WIN_CERT_TYPE_EFI_GUID;
+	uint16_t wCertificateType = WIN_CERT_TYPE_EFI_GUID;
 
 	// This is the unique id which determines the format of the CertData.
 	EFI_GUID certType = EFI_CERT_TYPE_PKCS7_GUID;
@@ -189,14 +188,14 @@ int main(int argc, char *argv[])
 	memcpy(var_auth, &timestamp, sizeof(EFI_TIME));
 
 	// UINT32 AuthInfo.Hdr.dwLength
-	memcpy(var_auth + sizeof(EFI_TIME), &dwLength, sizeof(UINT32));
+	memcpy(var_auth + sizeof(EFI_TIME), &dwLength, sizeof(uint32_t));
 
 	// UINT16 AuthInfo.Hdr.wRevision
-	memcpy(var_auth + sizeof(EFI_TIME) + sizeof(UINT32), &wRevision, sizeof(UINT16));
+	memcpy(var_auth + sizeof(EFI_TIME) + sizeof(uint32_t), &wRevision, sizeof(uint16_t));
 
 	// UINT16 AuthInfo.Hdr.wCertificateType
-	memcpy(var_auth + sizeof(EFI_TIME) + sizeof(UINT32) + sizeof(UINT16),
-		&wCertificateType, sizeof(UINT16));
+	memcpy(var_auth + sizeof(EFI_TIME) + sizeof(uint32_t) + sizeof(uint16_t),
+		&wCertificateType, sizeof(uint16_t));
 
 	// EFI_GUID AuthInfo.CertType
 	memcpy(var_auth + sizeof(EFI_TIME) + sizeof(WIN_CERTIFICATE),
@@ -213,7 +212,6 @@ int main(int argc, char *argv[])
 	int fdoutfile = open(outfile, O_CREAT|O_WRONLY|O_TRUNC, S_IWUSR|S_IRUSR);
 	if (fdoutfile == -1) {
 		fprintf(stderr, "failed to open %s: ", outfile);
-		perror("");
 		exit(1);
 	}