回复: [edk2-devel] [PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file


gaoliming
 

Jason:
Thanks for adding the detailed usage model in BZ 3928. I have no other
comments. Reviewed-by: Liming Gao <gaoliming@...>

Thanks
Liming
-----邮件原件-----
发件人: devel@edk2.groups.io <devel@edk2.groups.io> 代表 Lin, Jason1
发送时间: 2022年7月8日 19:42
收件人: devel@edk2.groups.io
抄送: Jason1 Lin <jason1.lin@...>; Bob Feng <bob.c.feng@...>;
Liming Gao <gaoliming@...>; Yuwei Chen
<yuwei.chen@...>; Michael D Kinney <michael.d.kinney@...>;
Dakota Chiang <dakota.chiang@...>
主题: [edk2-devel] [PATCH v3] BaseTools/Capsule: Add support for signtool
to
input subject name to sign capsule file

From: Jason1 Lin <jason1.lin@...>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3928

On Windows-based systems signtool.exe is used to sign the capsule.
Add support for a "--subject-name" argument that specifies the
subject name of the certificate used to sign the capsule file.
This argument is passed to signtool.exe as part of its input
arguments with the "/n" flag.

NOTE: When using signtool.exe to sign a capsule, at least one of
the "--pfx-file" and "--subject-name" arguments must be
given a value.

Signed-off-by: Jason1 Lin <jason1.lin@...>
Cc: Bob Feng <bob.c.feng@...>
Cc: Liming Gao <gaoliming@...>
Cc: Yuwei Chen <yuwei.chen@...>
Cc: Michael D Kinney <michael.d.kinney@...>
Cc: Dakota Chiang <dakota.chiang@...>
---
BaseTools/Source/Python/Capsule/GenerateCapsule.py | 43
++++++++++++++++----
1 file changed, 34 insertions(+), 9 deletions(-)

diff --git a/BaseTools/Source/Python/Capsule/GenerateCapsule.py
b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
index b8039db878..35435946c6 100644
--- a/BaseTools/Source/Python/Capsule/GenerateCapsule.py
+++ b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
@@ -10,7 +10,7 @@
# keep the tool as simple as possible, it has the following limitations:

# * Do not support vendor code bytes in a capsule.

#

-# Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>

+# Copyright (c) 2018 - 2022, Intel Corporation. All rights reserved.<BR>

# SPDX-License-Identifier: BSD-2-Clause-Patent

#



@@ -38,11 +38,11 @@ from Common.Edk2.Capsule.FmpPayloadHeader
import FmpPayloadHeaderClass
# Globals for help information

#

__prog__ = 'GenerateCapsule'

-__version__ = '0.9'

-__copyright__ = 'Copyright (c) 2018, Intel Corporation. All rights
reserved.'

+__version__ = '0.10'

+__copyright__ = 'Copyright (c) 2022, Intel Corporation. All rights
reserved.'

__description__ = 'Generate a capsule.\n'



-def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):

+def SignPayloadSignTool (Payload, ToolPath, PfxFile, SubjectName, Verbose
=
False):

#

# Create a temporary directory

#

@@ -72,7 +72,10 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile,
Verbose = False):
Command = Command + '"{Path}" '.format (Path = os.path.join
(ToolPath,
'signtool.exe'))

Command = Command + 'sign /fd sha256 /p7ce DetachedSignedData
/p7co 1.2.840.113549.1.7.2 '

Command = Command + '/p7 {TempDir} '.format (TempDir =
TempDirectoryName)

- Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)

+ if PfxFile is not None:

+ Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)

+ if SubjectName is not None:

+ Command = Command + '/n {SubjectName} '.format
(SubjectName = SubjectName)

Command = Command + TempFileName

if Verbose:

print (Command)
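Review bot: The new `/n {SubjectName}` line interpolates the subject name into the command string without quoting, and certificate subject names routinely contain spaces (organization names), so the value would be split into several tokens when Command is run; if Command is handed to a shell — how it is executed is outside the hunk — metacharacters in a name taken from the JSON config or command line would also be interpreted rather than passed through. The existing `/f {PfxFile}` line has the same weakness, which the commit only wraps in an `is not None` check. At minimum quote the value, `Command = Command + '/n "{SubjectName}" '.format (SubjectName = SubjectName)`, and do the same for `/f`; building an argument list and running it without a shell would remove the problem entirely. SignPayloadSignTool's body begins and ends outside the hunk.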

@@ -105,7 +108,7 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile,
Verbose = False):
shutil.rmtree (TempDirectoryName)

return Signature



-def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, Verbose
=
False):

+def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile,
SubjectName,
Verbose = False):

print ('signtool verify is not supported.')

raise ValueError ('GenerateCapsule: error: signtool verify is not
supported.')



@@ -249,6 +252,7 @@ if __name__ == '__main__':
HardwareInstance = ConvertJsonValue
(Config, 'HardwareInstance', ValidateUnsignedInteger, Required = False,
Default = 0)

MonotonicCount = ConvertJsonValue
(Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False,
Default
= 0)

SignToolPfxFile = ConvertJsonValue (Config,
'SignToolPfxFile', os.path.expandvars, Required = False, Default = None,
Open
= True)

+ SignToolSubjectName = ConvertJsonValue (Config,
'SignToolSubjectName', os.path.expandvars, Required = False, Default =
None,
Open = True)

OpenSslSignerPrivateCertFile = ConvertJsonValue (Config,
'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False,
Default
= None, Open = True)

OpenSslOtherPublicCertFile = ConvertJsonValue (Config,
'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False,
Default =
None, Open = True)

OpenSslTrustedPublicCertFile = ConvertJsonValue (Config,
'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False,
Default
= None, Open = True)
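Review bot: The added `SignToolSubjectName = ConvertJsonValue (..., os.path.expandvars, Required = False, Default = None, Open = True)` copies the keyword set of the file-path fields, but a subject name is a plain string, not a path; if `Open = True` makes ConvertJsonValue open the value as a file, as the later `self.SignToolPfxFile.close()` / `.name` handling implies it does for SignToolPfxFile, this field would either fail to open or hold a file object that nothing closes or converts back to its name. Drop the `Open = True` (and probably the `os.path.expandvars` conversion) for this field: `SignToolSubjectName = ConvertJsonValue (Config, 'SignToolSubjectName', str, Required = False, Default = None)`. The identical line is added again in the hunk headed `@@ -303,6 +308,7 @@`. The enclosing `if __name__ == '__main__':` block starts and ends outside the hunk.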

@@ -264,6 +268,7 @@ if __name__ == '__main__':
HardwareInstance,

UpdateImageIndex,

SignToolPfxFile,

+
SignToolSubjectName,


OpenSslSignerPrivateCertFile,


OpenSslOtherPublicCertFile,


OpenSslTrustedPublicCertFile,

@@ -303,6 +308,7 @@ if __name__ == '__main__':
UpdateImageIndex = ConvertJsonValue
(Config, 'UpdateImageIndex', ValidateUnsignedInteger, Required = False,
Default = 1)

MonotonicCount = ConvertJsonValue
(Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False,
Default
= 0)

SignToolPfxFile = ConvertJsonValue (Config,
'SignToolPfxFile', os.path.expandvars, Required = False, Default = None,
Open
= True)

+ SignToolSubjectName = ConvertJsonValue (Config,
'SignToolSubjectName', os.path.expandvars, Required = False, Default =
None,
Open = True)

OpenSslSignerPrivateCertFile = ConvertJsonValue (Config,
'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False,
Default
= None, Open = True)

OpenSslOtherPublicCertFile = ConvertJsonValue (Config,
'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False,
Default =
None, Open = True)

OpenSslTrustedPublicCertFile = ConvertJsonValue (Config,
'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False,
Default
= None, Open = True)

@@ -329,6 +335,7 @@ if __name__ == '__main__':
HardwareInstance,

UpdateImageIndex,

SignToolPfxFile,

+
SignToolSubjectName,


OpenSslSignerPrivateCertFile,


OpenSslOtherPublicCertFile,


OpenSslTrustedPublicCertFile,

@@ -348,6 +355,7 @@ if __name__ == '__main__':
"HardwareInstance":
str(PayloadDescriptor.HardwareInstance),

"UpdateImageIndex":
str(PayloadDescriptor.UpdateImageIndex),

"SignToolPfxFile":
str(PayloadDescriptor.SignToolPfxFile),

+ "SignToolSubjectName":
str(PayloadDescriptor.SignToolSubjectName),

"OpenSslSignerPrivateCertFile":
str(PayloadDescriptor.OpenSslSignerPrivateCertFile),

"OpenSslOtherPublicCertFile":
str(PayloadDescriptor.OpenSslOtherPublicCertFile),

"OpenSslTrustedPublicCertFile":
str(PayloadDescriptor.OpenSslTrustedPublicCertFile),

@@ -363,6 +371,8 @@ if __name__ == '__main__':
for PayloadField in PayloadSection:

if PayloadJsonDescriptorList[Index].SignToolPfxFile is None:

del PayloadField ['SignToolPfxFile']

+ if PayloadJsonDescriptorList[Index].SignToolSubjectName is
None:

+ del PayloadField ['SignToolSubjectName']

if
PayloadJsonDescriptorList[Index].OpenSslSignerPrivateCertFile is None:

del PayloadField ['OpenSslSignerPrivateCertFile']

if
PayloadJsonDescriptorList[Index].OpenSslOtherPublicCertFile is None:

@@ -402,6 +412,9 @@ if __name__ == '__main__':
if args.SignToolPfxFile:

print ('GenerateCapsule: error: Argument --pfx-file conflicts
with Argument -j')

sys.exit (1)

+ if args.SignToolSubjectName:

+ print ('GenerateCapsule: error: Argument --SubjectName
conflicts with Argument -j')

+ sys.exit (1)

if args.OpenSslSignerPrivateCertFile:

print ('GenerateCapsule: error: Argument
--signer-private-cert conflicts with Argument -j')

sys.exit (1)
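Review bot: The new error message names an option `--SubjectName` that does not exist; the option added at the end of the patch is `--subject-name` (dest `SignToolSubjectName`), and the neighbouring messages use the real option spelling (`--pfx-file`, `--signer-private-cert`). Change it to `print ('GenerateCapsule: error: Argument --subject-name conflicts with Argument -j')`. The enclosing block starts and ends outside the hunk.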

@@ -425,6 +438,7 @@ if __name__ == '__main__':
HardwareInstance = 0,

UpdateImageIndex = 1,

SignToolPfxFile = None,

+ SignToolSubjectName = None,

OpenSslSignerPrivateCertFile = None,

OpenSslOtherPublicCertFile = None,

OpenSslTrustedPublicCertFile = None,

@@ -439,13 +453,15 @@ if __name__ == '__main__':
self.HardwareInstance = HardwareInstance

self.UpdateImageIndex = UpdateImageIndex

self.SignToolPfxFile = SignToolPfxFile

+ self.SignToolSubjectName = SignToolSubjectName

self.OpenSslSignerPrivateCertFile =
OpenSslSignerPrivateCertFile

self.OpenSslOtherPublicCertFile =
OpenSslOtherPublicCertFile

self.OpenSslTrustedPublicCertFile =
OpenSslTrustedPublicCertFile

self.SigningToolPath = SigningToolPath

self.DepexExp = DepexExp



- self.UseSignTool = self.SignToolPfxFile is not None

+ self.UseSignTool = (self.SignToolPfxFile is not None or

+ self.SignToolSubjectName is not
None)

self.UseOpenSsl = (self.OpenSslSignerPrivateCertFile is not
None and

self.OpenSslOtherPublicCertFile is
not None and

self.OpenSslTrustedPublicCertFile is
not None)

@@ -504,8 +520,9 @@ if __name__ == '__main__':
raise argparse.ArgumentTypeError
('--update-image-index must be an integer in range 0x0..0xff')



if self.UseSignTool:

- self.SignToolPfxFile.close()

- self.SignToolPfxFile = self.SignToolPfxFile.name

+ if self.SignToolPfxFile is not None:

+ self.SignToolPfxFile.close()

+ self.SignToolPfxFile = self.SignToolPfxFile.name

if self.UseOpenSsl:

self.OpenSslSignerPrivateCertFile.close()

self.OpenSslOtherPublicCertFile.close()

@@ -548,6 +565,7 @@ if __name__ == '__main__':

args.HardwareInstance,


args.UpdateImageIndex,

args.SignToolPfxFile,

+
args.SignToolSubjectName,


args.OpenSslSignerPrivateCertFile,


args.OpenSslOtherPublicCertFile,


args.OpenSslTrustedPublicCertFile,

@@ -590,6 +608,7 @@ if __name__ == '__main__':
Result + struct.pack ('<Q',
SinglePayloadDescriptor.MonotonicCount),

SinglePayloadDescriptor.SigningToolPath,

SinglePayloadDescriptor.SignToolPfxFile,

+
SinglePayloadDescriptor.SignToolSubjectName,

Verbose = args.Verbose

)

else:

@@ -671,6 +690,7 @@ if __name__ == '__main__':

args.HardwareInstance,


args.UpdateImageIndex,

args.SignToolPfxFile,

+
args.SignSubjectName,


args.OpenSslSignerPrivateCertFile,


args.OpenSslOtherPublicCertFile,


args.OpenSslTrustedPublicCertFile,
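Review bot: The added argument `args.SignSubjectName` does not match the parser's `dest='SignToolSubjectName'`, so this code path would raise AttributeError at runtime; the parallel call in the hunk headed `@@ -548,6 +565,7 @@` correctly uses `args.SignToolSubjectName`. Change the line to `args.SignToolSubjectName,`. The call statement this line belongs to starts and ends outside the hunk.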

@@ -715,6 +735,7 @@ if __name__ == '__main__':

HardwareInstance,


UpdateImageIndex,


PayloadDescriptorList[Index].SignToolPfxFile,

+
PayloadDescriptorList[Index].SignToolSubjectName,


PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,


PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,


PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,

@@ -753,6 +774,7 @@ if __name__ == '__main__':

HardwareInstance,


UpdateImageIndex,


PayloadDescriptorList[Index].SignToolPfxFile,

+
PayloadDescriptorList[Index].SignToolSubjectName,


PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,


PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,


PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,

@@ -785,6 +807,7 @@ if __name__ == '__main__':

FmpAuthHeader.CertData,


SinglePayloadDescriptor.SigningToolPath,


SinglePayloadDescriptor.SignToolPfxFile,

+
SinglePayloadDescriptor.SignToolSubjectName,

Verbose =
args.Verbose

)

else:

@@ -968,6 +991,8 @@ if __name__ == '__main__':


parser.add_argument ("--pfx-file", dest='SignToolPfxFile',
type=argparse.FileType('rb'),

help="signtool PFX certificate filename.")

+ parser.add_argument ("--subject-name", dest='SignToolSubjectName',

+ help="signtool certificate subject name.")



parser.add_argument ("--signer-private-cert",
dest='OpenSslSignerPrivateCertFile', type=argparse.FileType('rb'),

help="OpenSSL signer private certificate
filename.")
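Review bot: The help text for the new `--subject-name` option says only "signtool certificate subject name." and does not tell the user that it is an alternative to `--pfx-file` or how it reaches signtool, even though the commit message states that at least one of the two must be given. Suggest `help="signtool certificate subject name, passed to signtool as /n; at least one of --pfx-file and --subject-name is required when signing with signtool."`. The argparse setup this hunk belongs to starts and ends outside the hunk.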

--
2.37.0.windows.1


