This Intel mobo didn't like? This is the code snippet that builds it:
// calc size of header (with no certdata) and crt file data to add
size_t authhdrsize;
size_t siglisthdrsize;
if (applyrawdata) {
authhdrsize=0;
siglisthdrsize=0;
}
else {
authhdrsize=offsetof(EFI_VARIABLE_AUTHENTICATION_2,
AuthInfo)+offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData);
siglisthdrsize=sizeof(EFI_SIGNATURE_LIST)+offsetof(EFI_SIGNATURE_DATA,
SignatureData);
}
size_t tempbufsize=ffinfo.FileSize+authhdrsize+siglisthdrsize;
BYTE *tempbuf;
if ((tempbuf=new BYTE [tempbufsize])!=NULL) {
// variable to determine where to read file
BYTE *certdata=tempbuf;
// determine if need to prefix .crt for kek/db entries
if (!applyrawdata) {
// zero header part of buffer so all are init to zero
memset(tempbuf, 0, authhdrsize+siglisthdrsize);
//
// setup EFI_VARIABLE_AUTHENTICATION_2 header
//
EFI_VARIABLE_AUTHENTICATION_2
*efivarauth2=(EFI_VARIABLE_AUTHENTICATION_2 *) tempbuf;
// setup time
TimeTToUEFITimeGMT(time(NULL), &efivarauth2->TimeStamp);
efivarauth2->TimeStamp.Nanosecond=0;
// setup authinfo (without any CertData)
efivarauth2->AuthInfo.Hdr.dwLength=offsetof(WIN_CERTIFICATE_UEFI_GUID,
CertData);
efivarauth2->AuthInfo.Hdr.wRevision=0x200;
efivarauth2->AuthInfo.Hdr.wCertificateType=WIN_CERT_TYPE_EFI_GUID;
efivarauth2->AuthInfo.CertType=gEfiCertPkcs7Guid;
//
// setup EFI_SIGNATURE_LIST
//
EFI_SIGNATURE_LIST *efisiglist=(EFI_SIGNATURE_LIST *)
(tempbuf+authhdrsize);
efisiglist->SignatureType=gEfiCertX509Guid;
efisiglist->SignatureListSize=(uint32_t)(ffinfo.FileSize+siglisthdrsize);
efisiglist->SignatureHeaderSize=0;
efisiglist->SignatureSize=ffinfo.FileSize+offsetof(EFI_SIGNATURE_DATA,
SignatureData);
//
// setup EFI_SIGNATURE_DATA (no owner)
//
EFI_SIGNATURE_DATA *efisigdata=(EFI_SIGNATURE_DATA *)
((BYTE*)efisiglist+sizeof(EFI_SIGNATURE_LIST)+efisiglist->SignatureHeaderSize);
certdata=efisigdata->SignatureData;
}
// Read file to buffer
if ((errcode=FSOpenReadCloseFile(openpath, certdata, 0, ffinfo.FileSize,
NULL, filesys))==ERROR_NONE) {
// have the data, now write it to the correct variable
uint32_t varattr=EFI_VARIABLE_NON_VOLATILE|
EFI_VARIABLE_BOOTSERVICE_ACCESS|
EFI_VARIABLE_RUNTIME_ACCESS|
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
if (!rparam) {
varattr|=EFI_VARIABLE_APPEND_WRITE;
}
// update variable
errcode=UEFISetVariable(varname, guidstr, tempbuf, tempbufsize,
varattr);
}
// clean up
delete[] tempbuf;
}
On Wed, May 2, 2018 at 3:21 AM, Laszlo Ersek <ler...@redhat.com> wrote:
> On 05/01/18 23:13, David F. wrote:
> > Hi,
> >
> > Had a fairly simple task of wanting to install the latest MS .crt
> > files for KEK, and their two files for the "db" (the Windows CA and
> > UEFI CA) in a system placed in setup/custom mode. However, even
> > though it seemed to take the KEK, it never took the "db", always had a
> > problem on a DH77KC mobo (dumped data headers looked as expected). Now
> > when I constructed it, I thought I could leave out any PKCS#7 data
> > (set the expected CertType but in the Hdr dwLength only included
> > CertType and not any CertData),
>
> Right, I've stumbled upon that too. According to the UEFI spec, dwLength
> should include CertData too, but edk2 does *not* accept that. This can
> be seen e.g. in
> "SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/
> SecureBootConfigImpl.c",
> function CreateTimeBasedPayload():
>
> > //
> > // In Setup mode or Custom mode, the variable does not need to be
> signed but the
> > // parameters to the SetVariable() call still need to be prepared as
> authenticated
> > // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor
> without certificate
> > // data in it.
> > //
> > ...
> > DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF
> (WIN_CERTIFICATE_UEFI_GUID, CertData);
>
> Back to your email:
>
> On 05/01/18 23:13, David F. wrote:
> > but looking at the algo in UEFI Spec 2.6 page 245, it looks like we'd
> > always have to generate the hash, sign it, create all the PKCS stuff
> > even in setup mode? That would surely unnecessarily bloat any apps
> > that really only need to update things in setup mode wouldn't it? So
> > to confirm, that is a requirement even in setup mode? If so, why?
>
> It's not a requirement; see the code comment I quoted above.
>
> Thanks,
> Laszlo
>
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
