Reviewed-by: Bob Feng <bob.c.f...@intel.com> -----Original Message----- From: Lin, Jason1 <jason1....@intel.com> Sent: Friday, July 8, 2022 7:42 PM To: devel@edk2.groups.io Cc: Lin, Jason1 <jason1....@intel.com>; Feng, Bob C <bob.c.f...@intel.com>; Gao, Liming <gaolim...@byosoft.com.cn>; Chen, Christine <yuwei.c...@intel.com>; Kinney, Michael D <michael.d.kin...@intel.com>; Chiang, Dakota <dakota.chi...@intel.com> Subject: [PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file
From: Jason1 Lin <jason1....@intel.com> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3928 Windows-based system using signtool.exe to sign the capsule. Add the support to using "--subject-name" argument to assign the subject name used to sign the capsule file. This argument would pass to signtool.exe as a part of input argument with "/n" flag. NOTE: If using signtool.exe to sign capsule at least need to choose one of "--pfx-file" and "--subject-name" argument to input the value. Signed-off-by: Jason1 Lin <jason1....@intel.com> Cc: Bob Feng <bob.c.f...@intel.com> Cc: Liming Gao <gaolim...@byosoft.com.cn> Cc: Yuwei Chen <yuwei.c...@intel.com> Cc: Michael D Kinney <michael.d.kin...@intel.com> Cc: Dakota Chiang <dakota.chi...@intel.com> --- BaseTools/Source/Python/Capsule/GenerateCapsule.py | 43 ++++++++++++++++---- 1 file changed, 34 insertions(+), 9 deletions(-) diff --git a/BaseTools/Source/Python/Capsule/GenerateCapsule.py b/BaseTools/Source/Python/Capsule/GenerateCapsule.py index b8039db878..35435946c6 100644 --- a/BaseTools/Source/Python/Capsule/GenerateCapsule.py +++ b/BaseTools/Source/Python/Capsule/GenerateCapsule.py @@ -10,7 +10,7 @@ # keep the tool as simple as possible, it has the following limitations: # * Do not support vendor code bytes in a capsule. #-# Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>+# Copyright (c) 2018 - 2022, Intel Corporation. All rights reserved.<BR> # SPDX-License-Identifier: BSD-2-Clause-Patent # 
@@ -38,11 +38,11 @@ from Common.Edk2.Capsule.FmpPayloadHeader import FmpPayloadHeaderClass # Globals for help information # __prog__ = 'GenerateCapsule'-__version__ = '0.9'-__copyright__ = 'Copyright (c) 2018, Intel Corporation. All rights reserved.'+__version__ = '0.10'+__copyright__ = 'Copyright (c) 2022, Intel Corporation. All rights reserved.' __description__ = 'Generate a capsule.\n' -def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):+def SignPayloadSignTool (Payload, ToolPath, PfxFile, SubjectName, Verbose = False): # # Create a temporary directory #@@ -72,7 +72,10 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False): Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'signtool.exe')) Command = Command + 'sign /fd sha256 /p7ce DetachedSignedData /p7co 1.2.840.113549.1.7.2 ' Command = Command + '/p7 {TempDir} '.format (TempDir = TempDirectoryName)- Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)+ if PfxFile is not None:+ Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)+ if SubjectName is not None:+ Command = Command + '/n {SubjectName} '.format (SubjectName = SubjectName) Command = Command + TempFileName if Verbose: print (Command)@@ -105,7 +108,7 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False): shutil.rmtree (TempDirectoryName) return Signature -def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, Verbose = False):+def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, SubjectName, Verbose = False): print ('signtool verify is not supported.') raise ValueError ('GenerateCapsule: error: signtool verify is not supported.') 
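Review bot: The `/n {SubjectName}` fragment added in the hunk at @@ -72 is interpolated into the command string without quotes, and certificate subject names routinely contain spaces (an organization name, for example), so signtool would receive the name split into several arguments; write it as `Command = Command + '/n "{SubjectName}" '.format (SubjectName = SubjectName)`. How Command is executed lies outside this hunk, so whether other characters in a subject name or PFX path would be interpreted by a shell cannot be confirmed from the diff, but quoting is the minimum, and the existing `/f {PfxFile}` line has the same weakness. The commit message states that at least one of `--pfx-file` and `--subject-name` must be given, yet SignPayloadSignTool neither checks nor documents this; a comment above the two new `if` lines such as `# Either PfxFile (/f) or SubjectName (/n), or both, selects the signing certificate; the caller must supply at least one` would record the contract. SignPayloadSignTool's signature is changed in the @@ -38 hunk and its body continues past @@ -72.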
@@ -249,6 +252,7 @@ if __name__ == '__main__': HardwareInstance = ConvertJsonValue (Config, 'HardwareInstance', ValidateUnsignedInteger, Required = False, Default = 0) MonotonicCount = ConvertJsonValue (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False, Default = 0) SignToolPfxFile = ConvertJsonValue (Config, 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None, Open = True)+ SignToolSubjectName = ConvertJsonValue (Config, 'SignToolSubjectName', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslSignerPrivateCertFile = ConvertJsonValue (Config, 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslOtherPublicCertFile = ConvertJsonValue (Config, 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslTrustedPublicCertFile = ConvertJsonValue (Config, 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)@@ -264,6 +268,7 @@ if __name__ == '__main__': HardwareInstance, UpdateImageIndex, SignToolPfxFile,+ SignToolSubjectName, OpenSslSignerPrivateCertFile, OpenSslOtherPublicCertFile, OpenSslTrustedPublicCertFile,@@ -303,6 +308,7 @@ if __name__ == '__main__': UpdateImageIndex = ConvertJsonValue (Config, 'UpdateImageIndex', ValidateUnsignedInteger, Required = False, Default = 1) MonotonicCount = ConvertJsonValue (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False, Default = 0) SignToolPfxFile = ConvertJsonValue (Config, 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None, Open = True)+ SignToolSubjectName = ConvertJsonValue (Config, 'SignToolSubjectName', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslSignerPrivateCertFile = ConvertJsonValue (Config, 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslOtherPublicCertFile = ConvertJsonValue (Config, 
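Review bot: The new SignToolSubjectName line in this hunk, and its twin in the hunk at @@ -303, passes `Open = True` to ConvertJsonValue, evidently copied from the SignToolPfxFile line above it. ConvertJsonValue is not in the diff, but every other field using `Open = True` is a file path and the Validate hunk at @@ -504 treats SignToolPfxFile as an open file object, so if `Open` opens the value, a JSON-supplied subject name would be opened as a file and most likely fail; the line should read `SignToolSubjectName = ConvertJsonValue (Config, 'SignToolSubjectName', os.path.expandvars, Required = False, Default = None, Open = False)`. Using `os.path.expandvars` as the converter also expands a `$` inside the subject name, which is presumably unintended for a certificate name; `str` would be the safer converter.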
'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslTrustedPublicCertFile = ConvertJsonValue (Config, 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)@@ -329,6 +335,7 @@ if __name__ == '__main__': HardwareInstance, UpdateImageIndex, SignToolPfxFile,+ SignToolSubjectName, OpenSslSignerPrivateCertFile, OpenSslOtherPublicCertFile, OpenSslTrustedPublicCertFile,@@ -348,6 +355,7 @@ if __name__ == '__main__': "HardwareInstance": str(PayloadDescriptor.HardwareInstance), "UpdateImageIndex": str(PayloadDescriptor.UpdateImageIndex), "SignToolPfxFile": str(PayloadDescriptor.SignToolPfxFile),+ "SignToolSubjectName": str(PayloadDescriptor.SignToolSubjectName), "OpenSslSignerPrivateCertFile": str(PayloadDescriptor.OpenSslSignerPrivateCertFile), "OpenSslOtherPublicCertFile": str(PayloadDescriptor.OpenSslOtherPublicCertFile), "OpenSslTrustedPublicCertFile": str(PayloadDescriptor.OpenSslTrustedPublicCertFile),@@ -363,6 +371,8 @@ if __name__ == '__main__': for PayloadField in PayloadSection: if PayloadJsonDescriptorList[Index].SignToolPfxFile is None: del PayloadField ['SignToolPfxFile']+ if PayloadJsonDescriptorList[Index].SignToolSubjectName is None:+ del PayloadField ['SignToolSubjectName'] if PayloadJsonDescriptorList[Index].OpenSslSignerPrivateCertFile is None: del PayloadField ['OpenSslSignerPrivateCertFile'] if PayloadJsonDescriptorList[Index].OpenSslOtherPublicCertFile is None:@@ -402,6 +412,9 @@ if __name__ == '__main__': if args.SignToolPfxFile: print ('GenerateCapsule: error: Argument --pfx-file conflicts with Argument -j') sys.exit (1)+ if args.SignToolSubjectName:+ print ('GenerateCapsule: error: Argument --SubjectName conflicts with Argument -j')+ sys.exit (1) if args.OpenSslSignerPrivateCertFile: print ('GenerateCapsule: error: Argument --signer-private-cert conflicts with Argument -j') sys.exit (1)@@ -425,6 +438,7 @@ if __name__ == '__main__': HardwareInstance = 0, 
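Review bot: The error message added in the hunk at @@ -402 names the option `--SubjectName`, but the option registered at @@ -968 is `--subject-name`, so the message directs users to a flag that does not exist; change it to `print ('GenerateCapsule: error: Argument --subject-name conflicts with Argument -j')`. The key deletion added at @@ -363 mirrors the existing optional fields and needs no change.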
UpdateImageIndex = 1, SignToolPfxFile = None,+ SignToolSubjectName = None, OpenSslSignerPrivateCertFile = None, OpenSslOtherPublicCertFile = None, OpenSslTrustedPublicCertFile = None,@@ -439,13 +453,15 @@ if __name__ == '__main__': self.HardwareInstance = HardwareInstance self.UpdateImageIndex = UpdateImageIndex self.SignToolPfxFile = SignToolPfxFile+ self.SignToolSubjectName = SignToolSubjectName self.OpenSslSignerPrivateCertFile = OpenSslSignerPrivateCertFile self.OpenSslOtherPublicCertFile = OpenSslOtherPublicCertFile self.OpenSslTrustedPublicCertFile = OpenSslTrustedPublicCertFile self.SigningToolPath = SigningToolPath self.DepexExp = DepexExp - self.UseSignTool = self.SignToolPfxFile is not None+ self.UseSignTool = (self.SignToolPfxFile is not None or+ self.SignToolSubjectName is not None) self.UseOpenSsl = (self.OpenSslSignerPrivateCertFile is not None and self.OpenSslOtherPublicCertFile is not None and self.OpenSslTrustedPublicCertFile is not None)@@ -504,8 +520,9 @@ if __name__ == '__main__': raise argparse.ArgumentTypeError ('--update-image-index must be an integer in range 0x0..0xff') if self.UseSignTool:- self.SignToolPfxFile.close()- self.SignToolPfxFile = self.SignToolPfxFile.name+ if self.SignToolPfxFile is not None:+ self.SignToolPfxFile.close()+ self.SignToolPfxFile = self.SignToolPfxFile.name if self.UseOpenSsl: self.OpenSslSignerPrivateCertFile.close() self.OpenSslOtherPublicCertFile.close()@@ -548,6 +565,7 @@ if __name__ == '__main__': args.HardwareInstance, args.UpdateImageIndex, args.SignToolPfxFile,+ args.SignToolSubjectName, args.OpenSslSignerPrivateCertFile, args.OpenSslOtherPublicCertFile, args.OpenSslTrustedPublicCertFile,@@ -590,6 +608,7 @@ if __name__ == '__main__': Result + struct.pack ('<Q', SinglePayloadDescriptor.MonotonicCount), SinglePayloadDescriptor.SigningToolPath, SinglePayloadDescriptor.SignToolPfxFile,+ SinglePayloadDescriptor.SignToolSubjectName, Verbose = args.Verbose ) else:@@ -671,6 +690,7 @@ if __name__ == '__main__': 
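Review bot: In the hunk at @@ -439, `self.UseSignTool` now becomes true whenever `self.SignToolSubjectName is not None`, while the conflict check at @@ -402 tests the same argparse value by truthiness, so `--subject-name ""` (or an empty string in JSON) enables signtool and emits a bare `/n ` with no name. Validate, in the hunk at @@ -504, is the natural place to reject that alongside the existing range checks: `if self.SignToolSubjectName is not None and not self.SignToolSubjectName.strip ():` followed by `raise argparse.ArgumentTypeError ('--subject-name must not be empty')`. The `if self.SignToolPfxFile is not None:` guard added there is correct now that UseSignTool no longer implies a PFX file. Both the PayloadDescriptor constructor and Validate extend beyond the visible hunk lines.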
args.HardwareInstance, args.UpdateImageIndex, args.SignToolPfxFile,+ args.SignSubjectName, args.OpenSslSignerPrivateCertFile, args.OpenSslOtherPublicCertFile, args.OpenSslTrustedPublicCertFile,@@ -715,6 +735,7 @@ if __name__ == '__main__': HardwareInstance, UpdateImageIndex, PayloadDescriptorList[Index].SignToolPfxFile,+ PayloadDescriptorList[Index].SignToolSubjectName, PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile, PayloadDescriptorList[Index].OpenSslOtherPublicCertFile, PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,@@ -753,6 +774,7 @@ if __name__ == '__main__': HardwareInstance, UpdateImageIndex, PayloadDescriptorList[Index].SignToolPfxFile,+ PayloadDescriptorList[Index].SignToolSubjectName, PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile, PayloadDescriptorList[Index].OpenSslOtherPublicCertFile, PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,@@ -785,6 +807,7 @@ if __name__ == '__main__': FmpAuthHeader.CertData, SinglePayloadDescriptor.SigningToolPath, SinglePayloadDescriptor.SignToolPfxFile,+ SinglePayloadDescriptor.SignToolSubjectName, Verbose = args.Verbose ) else:@@ -968,6 +991,8 @@ if __name__ == '__main__': parser.add_argument ("--pfx-file", dest='SignToolPfxFile', type=argparse.FileType('rb'), help="signtool PFX certificate filename.")+ parser.add_argument ("--subject-name", dest='SignToolSubjectName',+ help="signtool certificate subject name.") parser.add_argument ("--signer-private-cert", dest='OpenSslSignerPrivateCertFile', type=argparse.FileType('rb'), help="OpenSSL signer private certificate filename.")-- 2.37.0.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#91204): https://edk2.groups.io/g/devel/message/91204 Mute This Topic: https://groups.io/mt/92249403/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
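Review bot: The hunk at @@ -671 passes `args.SignSubjectName`, but the argparse destination added at @@ -968 is `SignToolSubjectName` and every other call site uses `args.SignToolSubjectName`, so this code path raises AttributeError as soon as it executes; change the line to `args.SignToolSubjectName,`. Which subcommand this call belongs to is not visible in the diff, and the enclosing call expression starts and ends outside the hunk, so the affected operation cannot be named from here. The help text at @@ -968 could also state how the option is used, e.g. `help="signtool certificate subject name (passed to signtool as /n); at least one of --pfx-file and --subject-name is required when signing with signtool."`.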