BaseTools/Source/Python/Capsule/GenerateCapsule.py | 43 ++++++++++++++++---- 1 file changed, 34 insertions(+), 9 deletions(-)
From: Jason1 Lin <jason1.lin@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3928
Windows-based system using signtool.exe to sign the capsule.
Add the support to using "--subject-name" argument to assign
the subject name used to sign the capsule file.
This argument would pass to signtool.exe as a part of input
argument with "/n" flag.
NOTE: If using signtool.exe to sign capsule at least need to
choose one of "--pfx-file" and "--subject-name"
argument to input the value.
Signed-off-by: Jason1 Lin <jason1.lin@intel.com>
Cc: Bob Feng <bob.c.feng@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Yuwei Chen <yuwei.chen@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Dakota Chiang <dakota.chiang@intel.com>
---
BaseTools/Source/Python/Capsule/GenerateCapsule.py | 43 ++++++++++++++++----
1 file changed, 34 insertions(+), 9 deletions(-)
diff --git a/BaseTools/Source/Python/Capsule/GenerateCapsule.py b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
index b8039db878..35435946c6 100644
--- a/BaseTools/Source/Python/Capsule/GenerateCapsule.py
+++ b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
@@ -10,7 +10,7 @@
# keep the tool as simple as possible, it has the following limitations:
# * Do not support vendor code bytes in a capsule.
#
-# Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2018 - 2022, Intel Corporation. All rights reserved.<BR>
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
@@ -38,11 +38,11 @@ from Common.Edk2.Capsule.FmpPayloadHeader import FmpPayloadHeaderClass
# Globals for help information
#
__prog__ = 'GenerateCapsule'
-__version__ = '0.9'
-__copyright__ = 'Copyright (c) 2018, Intel Corporation. All rights reserved.'
+__version__ = '0.10'
+__copyright__ = 'Copyright (c) 2022, Intel Corporation. All rights reserved.'
__description__ = 'Generate a capsule.\n'
-def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):
+def SignPayloadSignTool (Payload, ToolPath, PfxFile, SubjectName, Verbose = False):
#
# Create a temporary directory
#
@@ -72,7 +72,10 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):
Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'signtool.exe'))
Command = Command + 'sign /fd sha256 /p7ce DetachedSignedData /p7co 1.2.840.113549.1.7.2 '
Command = Command + '/p7 {TempDir} '.format (TempDir = TempDirectoryName)
- Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)
+ if PfxFile is not None:
+ Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)
+ if SubjectName is not None:
+ Command = Command + '/n {SubjectName} '.format (SubjectName = SubjectName)
Command = Command + TempFileName
if Verbose:
print (Command)
@@ -105,7 +108,7 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):
shutil.rmtree (TempDirectoryName)
return Signature
-def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, Verbose = False):
+def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, SubjectName, Verbose = False):
print ('signtool verify is not supported.')
raise ValueError ('GenerateCapsule: error: signtool verify is not supported.')
@@ -249,6 +252,7 @@ if __name__ == '__main__':
HardwareInstance = ConvertJsonValue (Config, 'HardwareInstance', ValidateUnsignedInteger, Required = False, Default = 0)
MonotonicCount = ConvertJsonValue (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False, Default = 0)
SignToolPfxFile = ConvertJsonValue (Config, 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None, Open = True)
+ SignToolSubjectName = ConvertJsonValue (Config, 'SignToolSubjectName', os.path.expandvars, Required = False, Default = None, Open = True)
OpenSslSignerPrivateCertFile = ConvertJsonValue (Config, 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False, Default = None, Open = True)
OpenSslOtherPublicCertFile = ConvertJsonValue (Config, 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)
OpenSslTrustedPublicCertFile = ConvertJsonValue (Config, 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)
@@ -264,6 +268,7 @@ if __name__ == '__main__':
HardwareInstance,
UpdateImageIndex,
SignToolPfxFile,
+ SignToolSubjectName,
OpenSslSignerPrivateCertFile,
OpenSslOtherPublicCertFile,
OpenSslTrustedPublicCertFile,
@@ -303,6 +308,7 @@ if __name__ == '__main__':
UpdateImageIndex = ConvertJsonValue (Config, 'UpdateImageIndex', ValidateUnsignedInteger, Required = False, Default = 1)
MonotonicCount = ConvertJsonValue (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False, Default = 0)
SignToolPfxFile = ConvertJsonValue (Config, 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None, Open = True)
+ SignToolSubjectName = ConvertJsonValue (Config, 'SignToolSubjectName', os.path.expandvars, Required = False, Default = None, Open = True)
OpenSslSignerPrivateCertFile = ConvertJsonValue (Config, 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False, Default = None, Open = True)
OpenSslOtherPublicCertFile = ConvertJsonValue (Config, 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)
OpenSslTrustedPublicCertFile = ConvertJsonValue (Config, 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)
@@ -329,6 +335,7 @@ if __name__ == '__main__':
HardwareInstance,
UpdateImageIndex,
SignToolPfxFile,
+ SignToolSubjectName,
OpenSslSignerPrivateCertFile,
OpenSslOtherPublicCertFile,
OpenSslTrustedPublicCertFile,
@@ -348,6 +355,7 @@ if __name__ == '__main__':
"HardwareInstance": str(PayloadDescriptor.HardwareInstance),
"UpdateImageIndex": str(PayloadDescriptor.UpdateImageIndex),
"SignToolPfxFile": str(PayloadDescriptor.SignToolPfxFile),
+ "SignToolSubjectName": str(PayloadDescriptor.SignToolSubjectName),
"OpenSslSignerPrivateCertFile": str(PayloadDescriptor.OpenSslSignerPrivateCertFile),
"OpenSslOtherPublicCertFile": str(PayloadDescriptor.OpenSslOtherPublicCertFile),
"OpenSslTrustedPublicCertFile": str(PayloadDescriptor.OpenSslTrustedPublicCertFile),
@@ -363,6 +371,8 @@ if __name__ == '__main__':
for PayloadField in PayloadSection:
if PayloadJsonDescriptorList[Index].SignToolPfxFile is None:
del PayloadField ['SignToolPfxFile']
+ if PayloadJsonDescriptorList[Index].SignToolSubjectName is None:
+ del PayloadField ['SignToolSubjectName']
if PayloadJsonDescriptorList[Index].OpenSslSignerPrivateCertFile is None:
del PayloadField ['OpenSslSignerPrivateCertFile']
if PayloadJsonDescriptorList[Index].OpenSslOtherPublicCertFile is None:
@@ -402,6 +412,9 @@ if __name__ == '__main__':
if args.SignToolPfxFile:
print ('GenerateCapsule: error: Argument --pfx-file conflicts with Argument -j')
sys.exit (1)
+ if args.SignToolSubjectName:
+ print ('GenerateCapsule: error: Argument --SubjectName conflicts with Argument -j')
+ sys.exit (1)
if args.OpenSslSignerPrivateCertFile:
print ('GenerateCapsule: error: Argument --signer-private-cert conflicts with Argument -j')
sys.exit (1)
@@ -425,6 +438,7 @@ if __name__ == '__main__':
HardwareInstance = 0,
UpdateImageIndex = 1,
SignToolPfxFile = None,
+ SignToolSubjectName = None,
OpenSslSignerPrivateCertFile = None,
OpenSslOtherPublicCertFile = None,
OpenSslTrustedPublicCertFile = None,
@@ -439,13 +453,15 @@ if __name__ == '__main__':
self.HardwareInstance = HardwareInstance
self.UpdateImageIndex = UpdateImageIndex
self.SignToolPfxFile = SignToolPfxFile
+ self.SignToolSubjectName = SignToolSubjectName
self.OpenSslSignerPrivateCertFile = OpenSslSignerPrivateCertFile
self.OpenSslOtherPublicCertFile = OpenSslOtherPublicCertFile
self.OpenSslTrustedPublicCertFile = OpenSslTrustedPublicCertFile
self.SigningToolPath = SigningToolPath
self.DepexExp = DepexExp
- self.UseSignTool = self.SignToolPfxFile is not None
+ self.UseSignTool = (self.SignToolPfxFile is not None or
+ self.SignToolSubjectName is not None)
self.UseOpenSsl = (self.OpenSslSignerPrivateCertFile is not None and
self.OpenSslOtherPublicCertFile is not None and
self.OpenSslTrustedPublicCertFile is not None)
@@ -504,8 +520,9 @@ if __name__ == '__main__':
raise argparse.ArgumentTypeError ('--update-image-index must be an integer in range 0x0..0xff')
if self.UseSignTool:
- self.SignToolPfxFile.close()
- self.SignToolPfxFile = self.SignToolPfxFile.name
+ if self.SignToolPfxFile is not None:
+ self.SignToolPfxFile.close()
+ self.SignToolPfxFile = self.SignToolPfxFile.name
if self.UseOpenSsl:
self.OpenSslSignerPrivateCertFile.close()
self.OpenSslOtherPublicCertFile.close()
@@ -548,6 +565,7 @@ if __name__ == '__main__':
args.HardwareInstance,
args.UpdateImageIndex,
args.SignToolPfxFile,
+ args.SignToolSubjectName,
args.OpenSslSignerPrivateCertFile,
args.OpenSslOtherPublicCertFile,
args.OpenSslTrustedPublicCertFile,
@@ -590,6 +608,7 @@ if __name__ == '__main__':
Result + struct.pack ('<Q', SinglePayloadDescriptor.MonotonicCount),
SinglePayloadDescriptor.SigningToolPath,
SinglePayloadDescriptor.SignToolPfxFile,
+ SinglePayloadDescriptor.SignToolSubjectName,
Verbose = args.Verbose
)
else:
@@ -671,6 +690,7 @@ if __name__ == '__main__':
args.HardwareInstance,
args.UpdateImageIndex,
args.SignToolPfxFile,
+ args.SignSubjectName,
args.OpenSslSignerPrivateCertFile,
args.OpenSslOtherPublicCertFile,
args.OpenSslTrustedPublicCertFile,
@@ -715,6 +735,7 @@ if __name__ == '__main__':
HardwareInstance,
UpdateImageIndex,
PayloadDescriptorList[Index].SignToolPfxFile,
+ PayloadDescriptorList[Index].SignToolSubjectName,
PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,
PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,
PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,
@@ -753,6 +774,7 @@ if __name__ == '__main__':
HardwareInstance,
UpdateImageIndex,
PayloadDescriptorList[Index].SignToolPfxFile,
+ PayloadDescriptorList[Index].SignToolSubjectName,
PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,
PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,
PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,
@@ -785,6 +807,7 @@ if __name__ == '__main__':
FmpAuthHeader.CertData,
SinglePayloadDescriptor.SigningToolPath,
SinglePayloadDescriptor.SignToolPfxFile,
+ SinglePayloadDescriptor.SignToolSubjectName,
Verbose = args.Verbose
)
else:
@@ -968,6 +991,8 @@ if __name__ == '__main__':
parser.add_argument ("--pfx-file", dest='SignToolPfxFile', type=argparse.FileType('rb'),
help="signtool PFX certificate filename.")
+ parser.add_argument ("--subject-name", dest='SignToolSubjectName',
+ help="signtool certificate subject name.")
parser.add_argument ("--signer-private-cert", dest='OpenSslSignerPrivateCertFile', type=argparse.FileType('rb'),
help="OpenSSL signer private certificate filename.")
--
2.37.0.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#91180): https://edk2.groups.io/g/devel/message/91180
Mute This Topic: https://groups.io/mt/92249403/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-Jason:
Thanks for you to add the detail usage model in BZ 3928. I have no other
comments. Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Thanks
Liming
> -----邮件原件-----
> 发件人: devel@edk2.groups.io <devel@edk2.groups.io> 代表 Lin, Jason1
> 发送时间: 2022年7月8日 19:42
> 收件人: devel@edk2.groups.io
> 抄送: Jason1 Lin <jason1.lin@intel.com>; Bob Feng <bob.c.feng@intel.com>;
> Liming Gao <gaoliming@byosoft.com.cn>; Yuwei Chen
> <yuwei.chen@intel.com>; Michael D Kinney <michael.d.kinney@intel.com>;
> Dakota Chiang <dakota.chiang@intel.com>
> 主题: [edk2-devel] [PATCH v3] BaseTools/Capsule: Add support for signtool
to
> input subject name to sign capsule file
>
> From: Jason1 Lin <jason1.lin@intel.com>
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3928
>
> Windows-based system using signtool.exe to sign the capsule.
> Add the support to using "--subject-name" argument to assign
> the subject name used to sign the capsule file.
> This argument would pass to signtool.exe as a part of input
> argument with "/n" flag.
>
> NOTE: If using signtool.exe to sign capsule at least need to
> choose one of "--pfx-file" and "--subject-name"
> argument to input the value.
>
> Signed-off-by: Jason1 Lin <jason1.lin@intel.com>
> Cc: Bob Feng <bob.c.feng@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Yuwei Chen <yuwei.chen@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Dakota Chiang <dakota.chiang@intel.com>
> ---
> BaseTools/Source/Python/Capsule/GenerateCapsule.py | 43
> ++++++++++++++++----
> 1 file changed, 34 insertions(+), 9 deletions(-)
>
> diff --git a/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> index b8039db878..35435946c6 100644
> --- a/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> +++ b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> @@ -10,7 +10,7 @@
> # keep the tool as simple as possible, it has the following limitations:
>
> # * Do not support vendor code bytes in a capsule.
>
> #
>
> -# Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>
>
> +# Copyright (c) 2018 - 2022, Intel Corporation. All rights reserved.<BR>
>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
>
> #
>
>
>
> @@ -38,11 +38,11 @@ from Common.Edk2.Capsule.FmpPayloadHeader
> import FmpPayloadHeaderClass
> # Globals for help information
>
> #
>
> __prog__ = 'GenerateCapsule'
>
> -__version__ = '0.9'
>
> -__copyright__ = 'Copyright (c) 2018, Intel Corporation. All rights
reserved.'
>
> +__version__ = '0.10'
>
> +__copyright__ = 'Copyright (c) 2022, Intel Corporation. All rights
> reserved.'
>
> __description__ = 'Generate a capsule.\n'
>
>
>
> -def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):
>
> +def SignPayloadSignTool (Payload, ToolPath, PfxFile, SubjectName, Verbose
=
> False):
>
> #
>
> # Create a temporary directory
>
> #
>
> @@ -72,7 +72,10 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile,
> Verbose = False):
> Command = Command + '"{Path}" '.format (Path = os.path.join
(ToolPath,
> 'signtool.exe'))
>
> Command = Command + 'sign /fd sha256 /p7ce DetachedSignedData
> /p7co 1.2.840.113549.1.7.2 '
>
> Command = Command + '/p7 {TempDir} '.format (TempDir =
> TempDirectoryName)
>
> - Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)
>
> + if PfxFile is not None:
>
> + Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)
>
> + if SubjectName is not None:
>
> + Command = Command + '/n {SubjectName} '.format
> (SubjectName = SubjectName)
>
> Command = Command + TempFileName
>
> if Verbose:
>
> print (Command)
>
> @@ -105,7 +108,7 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile,
> Verbose = False):
> shutil.rmtree (TempDirectoryName)
>
> return Signature
>
>
>
> -def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, Verbose
=
> False):
>
> +def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile,
SubjectName,
> Verbose = False):
>
> print ('signtool verify is not supported.')
>
> raise ValueError ('GenerateCapsule: error: signtool verify is not
> supported.')
>
>
>
> @@ -249,6 +252,7 @@ if __name__ == '__main__':
> HardwareInstance = ConvertJsonValue
> (Config, 'HardwareInstance', ValidateUnsignedInteger, Required = False,
> Default = 0)
>
> MonotonicCount = ConvertJsonValue
> (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False,
Default
> = 0)
>
> SignToolPfxFile = ConvertJsonValue (Config,
> 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None,
Open
> = True)
>
> + SignToolSubjectName = ConvertJsonValue (Config,
> 'SignToolSubjectName', os.path.expandvars, Required = False, Default =
None,
> Open = True)
>
> OpenSslSignerPrivateCertFile = ConvertJsonValue (Config,
> 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
>
> OpenSslOtherPublicCertFile = ConvertJsonValue (Config,
> 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False,
Default =
> None, Open = True)
>
> OpenSslTrustedPublicCertFile = ConvertJsonValue (Config,
> 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
>
> @@ -264,6 +268,7 @@ if __name__ == '__main__':
> HardwareInstance,
>
> UpdateImageIndex,
>
> SignToolPfxFile,
>
> +
> SignToolSubjectName,
>
>
> OpenSslSignerPrivateCertFile,
>
>
> OpenSslOtherPublicCertFile,
>
>
> OpenSslTrustedPublicCertFile,
>
> @@ -303,6 +308,7 @@ if __name__ == '__main__':
> UpdateImageIndex = ConvertJsonValue
> (Config, 'UpdateImageIndex', ValidateUnsignedInteger, Required = False,
> Default = 1)
>
> MonotonicCount = ConvertJsonValue
> (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False,
Default
> = 0)
>
> SignToolPfxFile = ConvertJsonValue (Config,
> 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None,
Open
> = True)
>
> + SignToolSubjectName = ConvertJsonValue (Config,
> 'SignToolSubjectName', os.path.expandvars, Required = False, Default =
None,
> Open = True)
>
> OpenSslSignerPrivateCertFile = ConvertJsonValue (Config,
> 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
>
> OpenSslOtherPublicCertFile = ConvertJsonValue (Config,
> 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False,
Default =
> None, Open = True)
>
> OpenSslTrustedPublicCertFile = ConvertJsonValue (Config,
> 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
>
> @@ -329,6 +335,7 @@ if __name__ == '__main__':
> HardwareInstance,
>
> UpdateImageIndex,
>
> SignToolPfxFile,
>
> +
> SignToolSubjectName,
>
>
> OpenSslSignerPrivateCertFile,
>
>
> OpenSslOtherPublicCertFile,
>
>
> OpenSslTrustedPublicCertFile,
>
> @@ -348,6 +355,7 @@ if __name__ == '__main__':
> "HardwareInstance":
> str(PayloadDescriptor.HardwareInstance),
>
> "UpdateImageIndex":
> str(PayloadDescriptor.UpdateImageIndex),
>
> "SignToolPfxFile":
> str(PayloadDescriptor.SignToolPfxFile),
>
> + "SignToolSubjectName":
> str(PayloadDescriptor.SignToolSubjectName),
>
> "OpenSslSignerPrivateCertFile":
> str(PayloadDescriptor.OpenSslSignerPrivateCertFile),
>
> "OpenSslOtherPublicCertFile":
> str(PayloadDescriptor.OpenSslOtherPublicCertFile),
>
> "OpenSslTrustedPublicCertFile":
> str(PayloadDescriptor.OpenSslTrustedPublicCertFile),
>
> @@ -363,6 +371,8 @@ if __name__ == '__main__':
> for PayloadField in PayloadSection:
>
> if PayloadJsonDescriptorList[Index].SignToolPfxFile is None:
>
> del PayloadField ['SignToolPfxFile']
>
> + if PayloadJsonDescriptorList[Index].SignToolSubjectName is
> None:
>
> + del PayloadField ['SignToolSubjectName']
>
> if
> PayloadJsonDescriptorList[Index].OpenSslSignerPrivateCertFile is None:
>
> del PayloadField ['OpenSslSignerPrivateCertFile']
>
> if
> PayloadJsonDescriptorList[Index].OpenSslOtherPublicCertFile is None:
>
> @@ -402,6 +412,9 @@ if __name__ == '__main__':
> if args.SignToolPfxFile:
>
> print ('GenerateCapsule: error: Argument --pfx-file conflicts
> with Argument -j')
>
> sys.exit (1)
>
> + if args.SignToolSubjectName:
>
> + print ('GenerateCapsule: error: Argument --SubjectName
> conflicts with Argument -j')
>
> + sys.exit (1)
>
> if args.OpenSslSignerPrivateCertFile:
>
> print ('GenerateCapsule: error: Argument
> --signer-private-cert conflicts with Argument -j')
>
> sys.exit (1)
>
> @@ -425,6 +438,7 @@ if __name__ == '__main__':
> HardwareInstance = 0,
>
> UpdateImageIndex = 1,
>
> SignToolPfxFile = None,
>
> + SignToolSubjectName = None,
>
> OpenSslSignerPrivateCertFile = None,
>
> OpenSslOtherPublicCertFile = None,
>
> OpenSslTrustedPublicCertFile = None,
>
> @@ -439,13 +453,15 @@ if __name__ == '__main__':
> self.HardwareInstance = HardwareInstance
>
> self.UpdateImageIndex = UpdateImageIndex
>
> self.SignToolPfxFile = SignToolPfxFile
>
> + self.SignToolSubjectName = SignToolSubjectName
>
> self.OpenSslSignerPrivateCertFile =
> OpenSslSignerPrivateCertFile
>
> self.OpenSslOtherPublicCertFile =
> OpenSslOtherPublicCertFile
>
> self.OpenSslTrustedPublicCertFile =
> OpenSslTrustedPublicCertFile
>
> self.SigningToolPath = SigningToolPath
>
> self.DepexExp = DepexExp
>
>
>
> - self.UseSignTool = self.SignToolPfxFile is not None
>
> + self.UseSignTool = (self.SignToolPfxFile is not None or
>
> + self.SignToolSubjectName is not
> None)
>
> self.UseOpenSsl = (self.OpenSslSignerPrivateCertFile is not
> None and
>
> self.OpenSslOtherPublicCertFile is
> not None and
>
> self.OpenSslTrustedPublicCertFile is
> not None)
>
> @@ -504,8 +520,9 @@ if __name__ == '__main__':
> raise argparse.ArgumentTypeError
> ('--update-image-index must be an integer in range 0x0..0xff')
>
>
>
> if self.UseSignTool:
>
> - self.SignToolPfxFile.close()
>
> - self.SignToolPfxFile = self.SignToolPfxFile.name
>
> + if self.SignToolPfxFile is not None:
>
> + self.SignToolPfxFile.close()
>
> + self.SignToolPfxFile = self.SignToolPfxFile.name
>
> if self.UseOpenSsl:
>
> self.OpenSslSignerPrivateCertFile.close()
>
> self.OpenSslOtherPublicCertFile.close()
>
> @@ -548,6 +565,7 @@ if __name__ == '__main__':
>
> args.HardwareInstance,
>
>
> args.UpdateImageIndex,
>
> args.SignToolPfxFile,
>
> +
> args.SignToolSubjectName,
>
>
> args.OpenSslSignerPrivateCertFile,
>
>
> args.OpenSslOtherPublicCertFile,
>
>
> args.OpenSslTrustedPublicCertFile,
>
> @@ -590,6 +608,7 @@ if __name__ == '__main__':
> Result + struct.pack ('<Q',
> SinglePayloadDescriptor.MonotonicCount),
>
> SinglePayloadDescriptor.SigningToolPath,
>
> SinglePayloadDescriptor.SignToolPfxFile,
>
> +
> SinglePayloadDescriptor.SignToolSubjectName,
>
> Verbose = args.Verbose
>
> )
>
> else:
>
> @@ -671,6 +690,7 @@ if __name__ == '__main__':
>
> args.HardwareInstance,
>
>
> args.UpdateImageIndex,
>
> args.SignToolPfxFile,
>
> +
> args.SignSubjectName,
>
>
> args.OpenSslSignerPrivateCertFile,
>
>
> args.OpenSslOtherPublicCertFile,
>
>
> args.OpenSslTrustedPublicCertFile,
>
> @@ -715,6 +735,7 @@ if __name__ == '__main__':
>
> HardwareInstance,
>
>
> UpdateImageIndex,
>
>
> PayloadDescriptorList[Index].SignToolPfxFile,
>
> +
> PayloadDescriptorList[Index].SignToolSubjectName,
>
>
> PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,
>
>
> PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,
>
>
> PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,
>
> @@ -753,6 +774,7 @@ if __name__ == '__main__':
>
> HardwareInstance,
>
>
> UpdateImageIndex,
>
>
> PayloadDescriptorList[Index].SignToolPfxFile,
>
> +
> PayloadDescriptorList[Index].SignToolSubjectName,
>
>
> PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,
>
>
> PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,
>
>
> PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,
>
> @@ -785,6 +807,7 @@ if __name__ == '__main__':
>
> FmpAuthHeader.CertData,
>
>
> SinglePayloadDescriptor.SigningToolPath,
>
>
> SinglePayloadDescriptor.SignToolPfxFile,
>
> +
> SinglePayloadDescriptor.SignToolSubjectName,
>
> Verbose =
> args.Verbose
>
> )
>
> else:
>
> @@ -968,6 +991,8 @@ if __name__ == '__main__':
>
>
> parser.add_argument ("--pfx-file", dest='SignToolPfxFile',
> type=argparse.FileType('rb'),
>
> help="signtool PFX certificate filename.")
>
> + parser.add_argument ("--subject-name", dest='SignToolSubjectName',
>
> + help="signtool certificate subject name.")
>
>
>
> parser.add_argument ("--signer-private-cert",
> dest='OpenSslSignerPrivateCertFile', type=argparse.FileType('rb'),
>
> help="OpenSSL signer private certificate
> filename.")
>
> --
> 2.37.0.windows.1
>
>
>
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#91180): https://edk2.groups.io/g/devel/message/91180
> Mute This Topic: https://groups.io/mt/92249403/4905953
> Group Owner: devel+owner@edk2.groups.io
> Unsubscribe: https://edk2.groups.io/g/devel/unsub
> [gaoliming@byosoft.com.cn]
> -=-=-=-=-=-=
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#91798): https://edk2.groups.io/g/devel/message/91798
Mute This Topic: https://groups.io/mt/92598702/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Created the PR for merge. https://github.com/tianocore/edk2/pull/3137
-----Original Message-----
From: gaoliming <gaoliming@byosoft.com.cn>
Sent: Monday, July 25, 2022 12:27 PM
To: devel@edk2.groups.io; Lin, Jason1 <jason1.lin@intel.com>
Cc: Feng, Bob C <bob.c.feng@intel.com>; Chen, Christine <yuwei.chen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Chiang, Dakota <dakota.chiang@intel.com>
Subject: 回复: [edk2-devel] [PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file
Jason:
Thanks for you to add the detail usage model in BZ 3928. I have no other comments. Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Thanks
Liming
> -----邮件原件-----
> 发件人: devel@edk2.groups.io <devel@edk2.groups.io> 代表 Lin, Jason1
> 发送时间: 2022年7月8日 19:42
> 收件人: devel@edk2.groups.io
> 抄送: Jason1 Lin <jason1.lin@intel.com>; Bob Feng
> <bob.c.feng@intel.com>; Liming Gao <gaoliming@byosoft.com.cn>; Yuwei
> Chen <yuwei.chen@intel.com>; Michael D Kinney
> <michael.d.kinney@intel.com>; Dakota Chiang <dakota.chiang@intel.com>
> 主题: [edk2-devel] [PATCH v3] BaseTools/Capsule: Add support for
> signtool
to
> input subject name to sign capsule file
>
> From: Jason1 Lin <jason1.lin@intel.com>
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3928
>
> Windows-based system using signtool.exe to sign the capsule.
> Add the support to using "--subject-name" argument to assign the
> subject name used to sign the capsule file.
> This argument would pass to signtool.exe as a part of input argument
> with "/n" flag.
>
> NOTE: If using signtool.exe to sign capsule at least need to
> choose one of "--pfx-file" and "--subject-name"
> argument to input the value.
>
> Signed-off-by: Jason1 Lin <jason1.lin@intel.com>
> Cc: Bob Feng <bob.c.feng@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Yuwei Chen <yuwei.chen@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Dakota Chiang <dakota.chiang@intel.com>
> ---
> BaseTools/Source/Python/Capsule/GenerateCapsule.py | 43
> ++++++++++++++++----
> 1 file changed, 34 insertions(+), 9 deletions(-)
>
> diff --git a/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> index b8039db878..35435946c6 100644
> --- a/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> +++ b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
> @@ -10,7 +10,7 @@
> # keep the tool as simple as possible, it has the following limitations:
>
> # * Do not support vendor code bytes in a capsule.
>
> #
>
> -# Copyright (c) 2018 - 2019, Intel Corporation. All rights
> reserved.<BR>
>
> +# Copyright (c) 2018 - 2022, Intel Corporation. All rights
> +reserved.<BR>
>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
>
> #
>
>
>
> @@ -38,11 +38,11 @@ from Common.Edk2.Capsule.FmpPayloadHeader
> import FmpPayloadHeaderClass
> # Globals for help information
>
> #
>
> __prog__ = 'GenerateCapsule'
>
> -__version__ = '0.9'
>
> -__copyright__ = 'Copyright (c) 2018, Intel Corporation. All rights
reserved.'
>
> +__version__ = '0.10'
>
> +__copyright__ = 'Copyright (c) 2022, Intel Corporation. All rights
> reserved.'
>
> __description__ = 'Generate a capsule.\n'
>
>
>
> -def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):
>
> +def SignPayloadSignTool (Payload, ToolPath, PfxFile, SubjectName,
> +Verbose
=
> False):
>
> #
>
> # Create a temporary directory
>
> #
>
> @@ -72,7 +72,10 @@ def SignPayloadSignTool (Payload, ToolPath,
> PfxFile, Verbose = False):
> Command = Command + '"{Path}" '.format (Path = os.path.join
(ToolPath,
> 'signtool.exe'))
>
> Command = Command + 'sign /fd sha256 /p7ce DetachedSignedData
> /p7co 1.2.840.113549.1.7.2 '
>
> Command = Command + '/p7 {TempDir} '.format (TempDir =
> TempDirectoryName)
>
> - Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)
>
> + if PfxFile is not None:
>
> + Command = Command + '/f {PfxFile} '.format (PfxFile =
> + PfxFile)
>
> + if SubjectName is not None:
>
> + Command = Command + '/n {SubjectName} '.format
> (SubjectName = SubjectName)
>
> Command = Command + TempFileName
>
> if Verbose:
>
> print (Command)
>
> @@ -105,7 +108,7 @@ def SignPayloadSignTool (Payload, ToolPath,
> PfxFile, Verbose = False):
> shutil.rmtree (TempDirectoryName)
>
> return Signature
>
>
>
> -def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile,
> Verbose
=
> False):
>
> +def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile,
SubjectName,
> Verbose = False):
>
> print ('signtool verify is not supported.')
>
> raise ValueError ('GenerateCapsule: error: signtool verify is not
> supported.')
>
>
>
> @@ -249,6 +252,7 @@ if __name__ == '__main__':
> HardwareInstance = ConvertJsonValue
> (Config, 'HardwareInstance', ValidateUnsignedInteger, Required =
> False, Default = 0)
>
> MonotonicCount = ConvertJsonValue
> (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False,
Default
> = 0)
>
> SignToolPfxFile = ConvertJsonValue (Config,
> 'SignToolPfxFile', os.path.expandvars, Required = False, Default =
> None,
Open
> = True)
>
> + SignToolSubjectName = ConvertJsonValue (Config,
> 'SignToolSubjectName', os.path.expandvars, Required = False, Default =
None,
> Open = True)
>
> OpenSslSignerPrivateCertFile = ConvertJsonValue (Config,
> 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
>
> OpenSslOtherPublicCertFile = ConvertJsonValue (Config,
> 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False,
Default =
> None, Open = True)
>
> OpenSslTrustedPublicCertFile = ConvertJsonValue (Config,
> 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
>
> @@ -264,6 +268,7 @@ if __name__ == '__main__':
> HardwareInstance,
>
> UpdateImageIndex,
>
> SignToolPfxFile,
>
> +
> SignToolSubjectName,
>
>
> OpenSslSignerPrivateCertFile,
>
>
> OpenSslOtherPublicCertFile,
>
>
> OpenSslTrustedPublicCertFile,
>
> @@ -303,6 +308,7 @@ if __name__ == '__main__':
> UpdateImageIndex = ConvertJsonValue
> (Config, 'UpdateImageIndex', ValidateUnsignedInteger, Required =
> False, Default = 1)
>
> MonotonicCount = ConvertJsonValue
> (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False,
Default
> = 0)
>
> SignToolPfxFile = ConvertJsonValue (Config,
> 'SignToolPfxFile', os.path.expandvars, Required = False, Default =
> None,
Open
> = True)
>
> + SignToolSubjectName = ConvertJsonValue (Config,
> 'SignToolSubjectName', os.path.expandvars, Required = False, Default =
None,
> Open = True)
>
> OpenSslSignerPrivateCertFile = ConvertJsonValue (Config,
> 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
>
> OpenSslOtherPublicCertFile = ConvertJsonValue (Config,
> 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False,
Default =
> None, Open = True)
>
> OpenSslTrustedPublicCertFile = ConvertJsonValue (Config,
> 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False,
Default
> = None, Open = True)
>
> @@ -329,6 +335,7 @@ if __name__ == '__main__':
> HardwareInstance,
>
> UpdateImageIndex,
>
> SignToolPfxFile,
>
> +
> SignToolSubjectName,
>
>
> OpenSslSignerPrivateCertFile,
>
>
> OpenSslOtherPublicCertFile,
>
>
> OpenSslTrustedPublicCertFile,
>
> @@ -348,6 +355,7 @@ if __name__ == '__main__':
> "HardwareInstance":
> str(PayloadDescriptor.HardwareInstance),
>
> "UpdateImageIndex":
> str(PayloadDescriptor.UpdateImageIndex),
>
> "SignToolPfxFile":
> str(PayloadDescriptor.SignToolPfxFile),
>
> + "SignToolSubjectName":
> str(PayloadDescriptor.SignToolSubjectName),
>
> "OpenSslSignerPrivateCertFile":
> str(PayloadDescriptor.OpenSslSignerPrivateCertFile),
>
> "OpenSslOtherPublicCertFile":
> str(PayloadDescriptor.OpenSslOtherPublicCertFile),
>
> "OpenSslTrustedPublicCertFile":
> str(PayloadDescriptor.OpenSslTrustedPublicCertFile),
>
> @@ -363,6 +371,8 @@ if __name__ == '__main__':
> for PayloadField in PayloadSection:
>
> if PayloadJsonDescriptorList[Index].SignToolPfxFile is None:
>
> del PayloadField ['SignToolPfxFile']
>
> + if PayloadJsonDescriptorList[Index].SignToolSubjectName
> + is
> None:
>
> + del PayloadField ['SignToolSubjectName']
>
> if
> PayloadJsonDescriptorList[Index].OpenSslSignerPrivateCertFile is None:
>
> del PayloadField ['OpenSslSignerPrivateCertFile']
>
> if
> PayloadJsonDescriptorList[Index].OpenSslOtherPublicCertFile is None:
>
> @@ -402,6 +412,9 @@ if __name__ == '__main__':
> if args.SignToolPfxFile:
>
> print ('GenerateCapsule: error: Argument --pfx-file
> conflicts with Argument -j')
>
> sys.exit (1)
>
> + if args.SignToolSubjectName:
>
> + print ('GenerateCapsule: error: Argument --SubjectName
> conflicts with Argument -j')
>
> + sys.exit (1)
>
> if args.OpenSslSignerPrivateCertFile:
>
> print ('GenerateCapsule: error: Argument
> --signer-private-cert conflicts with Argument -j')
>
> sys.exit (1)
>
> @@ -425,6 +438,7 @@ if __name__ == '__main__':
> HardwareInstance = 0,
>
> UpdateImageIndex = 1,
>
> SignToolPfxFile = None,
>
> + SignToolSubjectName = None,
>
> OpenSslSignerPrivateCertFile = None,
>
> OpenSslOtherPublicCertFile = None,
>
> OpenSslTrustedPublicCertFile = None,
>
> @@ -439,13 +453,15 @@ if __name__ == '__main__':
> self.HardwareInstance = HardwareInstance
>
> self.UpdateImageIndex = UpdateImageIndex
>
> self.SignToolPfxFile = SignToolPfxFile
>
> + self.SignToolSubjectName = SignToolSubjectName
>
> self.OpenSslSignerPrivateCertFile =
> OpenSslSignerPrivateCertFile
>
> self.OpenSslOtherPublicCertFile =
> OpenSslOtherPublicCertFile
>
> self.OpenSslTrustedPublicCertFile =
> OpenSslTrustedPublicCertFile
>
> self.SigningToolPath = SigningToolPath
>
> self.DepexExp = DepexExp
>
>
>
> - self.UseSignTool = self.SignToolPfxFile is not None
>
> + self.UseSignTool = (self.SignToolPfxFile is not None or
>
> + self.SignToolSubjectName is not
> None)
>
> self.UseOpenSsl = (self.OpenSslSignerPrivateCertFile is
> not None and
>
> self.OpenSslOtherPublicCertFile is
> not None and
>
> self.OpenSslTrustedPublicCertFile is
> not None)
>
> @@ -504,8 +520,9 @@ if __name__ == '__main__':
> raise argparse.ArgumentTypeError
> ('--update-image-index must be an integer in range 0x0..0xff')
>
>
>
> if self.UseSignTool:
>
> - self.SignToolPfxFile.close()
>
> - self.SignToolPfxFile = self.SignToolPfxFile.name
>
> + if self.SignToolPfxFile is not None:
>
> + self.SignToolPfxFile.close()
>
> + self.SignToolPfxFile = self.SignToolPfxFile.name
>
> if self.UseOpenSsl:
>
> self.OpenSslSignerPrivateCertFile.close()
>
> self.OpenSslOtherPublicCertFile.close()
>
> @@ -548,6 +565,7 @@ if __name__ == '__main__':
>
> args.HardwareInstance,
>
>
> args.UpdateImageIndex,
>
> args.SignToolPfxFile,
>
> +
> args.SignToolSubjectName,
>
>
> args.OpenSslSignerPrivateCertFile,
>
>
> args.OpenSslOtherPublicCertFile,
>
>
> args.OpenSslTrustedPublicCertFile,
>
> @@ -590,6 +608,7 @@ if __name__ == '__main__':
> Result + struct.pack ('<Q',
> SinglePayloadDescriptor.MonotonicCount),
>
> SinglePayloadDescriptor.SigningToolPath,
>
> SinglePayloadDescriptor.SignToolPfxFile,
>
> +
> SinglePayloadDescriptor.SignToolSubjectName,
>
> Verbose = args.Verbose
>
> )
>
> else:
>
> @@ -671,6 +690,7 @@ if __name__ == '__main__':
>
> args.HardwareInstance,
>
>
> args.UpdateImageIndex,
>
> args.SignToolPfxFile,
>
> +
> args.SignSubjectName,
>
>
> args.OpenSslSignerPrivateCertFile,
>
>
> args.OpenSslOtherPublicCertFile,
>
>
> args.OpenSslTrustedPublicCertFile,
>
> @@ -715,6 +735,7 @@ if __name__ == '__main__':
>
> HardwareInstance,
>
>
> UpdateImageIndex,
>
>
> PayloadDescriptorList[Index].SignToolPfxFile,
>
> +
> PayloadDescriptorList[Index].SignToolSubjectName,
>
>
> PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,
>
>
> PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,
>
>
> PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,
>
> @@ -753,6 +774,7 @@ if __name__ == '__main__':
>
> HardwareInstance,
>
>
> UpdateImageIndex,
>
>
> PayloadDescriptorList[Index].SignToolPfxFile,
>
> +
> PayloadDescriptorList[Index].SignToolSubjectName,
>
>
> PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile,
>
>
> PayloadDescriptorList[Index].OpenSslOtherPublicCertFile,
>
>
> PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,
>
> @@ -785,6 +807,7 @@ if __name__ == '__main__':
>
> FmpAuthHeader.CertData,
>
>
> SinglePayloadDescriptor.SigningToolPath,
>
>
> SinglePayloadDescriptor.SignToolPfxFile,
>
> +
> SinglePayloadDescriptor.SignToolSubjectName,
>
> Verbose = args.Verbose
>
> )
>
> else:
>
> @@ -968,6 +991,8 @@ if __name__ == '__main__':
>
>
> parser.add_argument ("--pfx-file", dest='SignToolPfxFile',
> type=argparse.FileType('rb'),
>
> help="signtool PFX certificate filename.")
>
> + parser.add_argument ("--subject-name",
> + dest='SignToolSubjectName',
>
> + help="signtool certificate subject name.")
>
>
>
> parser.add_argument ("--signer-private-cert",
> dest='OpenSslSignerPrivateCertFile', type=argparse.FileType('rb'),
>
> help="OpenSSL signer private certificate
> filename.")
>
> --
> 2.37.0.windows.1
>
>
>
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#91180):
> https://edk2.groups.io/g/devel/message/91180
> Mute This Topic: https://groups.io/mt/92249403/4905953
> Group Owner: devel+owner@edk2.groups.io
> Unsubscribe: https://edk2.groups.io/g/devel/unsub
> [gaoliming@byosoft.com.cn]
> -=-=-=-=-=-=
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#91809): https://edk2.groups.io/g/devel/message/91809
Mute This Topic: https://groups.io/mt/92606756/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Reviewed-by: Bob Feng <bob.c.feng@intel.com>
-----Original Message-----
From: Lin, Jason1 <jason1.lin@intel.com>
Sent: Friday, July 8, 2022 7:42 PM
To: devel@edk2.groups.io
Cc: Lin, Jason1 <jason1.lin@intel.com>; Feng, Bob C <bob.c.feng@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>; Chen, Christine <yuwei.chen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Chiang, Dakota <dakota.chiang@intel.com>
Subject: [PATCH v3] BaseTools/Capsule: Add support for signtool to input subject name to sign capsule file
From: Jason1 Lin <jason1.lin@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3928
Windows-based system using signtool.exe to sign the capsule.
Add the support to using "--subject-name" argument to assign the subject name used to sign the capsule file.
This argument would pass to signtool.exe as a part of input argument with "/n" flag.
NOTE: If using signtool.exe to sign capsule at least need to
choose one of "--pfx-file" and "--subject-name"
argument to input the value.
Signed-off-by: Jason1 Lin <jason1.lin@intel.com>
Cc: Bob Feng <bob.c.feng@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Yuwei Chen <yuwei.chen@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Dakota Chiang <dakota.chiang@intel.com>
---
BaseTools/Source/Python/Capsule/GenerateCapsule.py | 43 ++++++++++++++++----
1 file changed, 34 insertions(+), 9 deletions(-)
diff --git a/BaseTools/Source/Python/Capsule/GenerateCapsule.py b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
index b8039db878..35435946c6 100644
--- a/BaseTools/Source/Python/Capsule/GenerateCapsule.py
+++ b/BaseTools/Source/Python/Capsule/GenerateCapsule.py
@@ -10,7 +10,7 @@
# keep the tool as simple as possible, it has the following limitations: # * Do not support vendor code bytes in a capsule. #-# Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>+# Copyright (c) 2018 - 2022, Intel Corporation. All rights reserved.<BR> # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -38,11 +38,11 @@ from Common.Edk2.Capsule.FmpPayloadHeader import FmpPayloadHeaderClass
# Globals for help information # __prog__ = 'GenerateCapsule'-__version__ = '0.9'-__copyright__ = 'Copyright (c) 2018, Intel Corporation. All rights reserved.'+__version__ = '0.10'+__copyright__ = 'Copyright (c) 2022, Intel Corporation. All rights reserved.' __description__ = 'Generate a capsule.\n' -def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):+def SignPayloadSignTool (Payload, ToolPath, PfxFile, SubjectName, Verbose = False): # # Create a temporary directory #@@ -72,7 +72,10 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):
Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'signtool.exe')) Command = Command + 'sign /fd sha256 /p7ce DetachedSignedData /p7co 1.2.840.113549.1.7.2 ' Command = Command + '/p7 {TempDir} '.format (TempDir = TempDirectoryName)- Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)+ if PfxFile is not None:+ Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)+ if SubjectName is not None:+ Command = Command + '/n {SubjectName} '.format (SubjectName = SubjectName) Command = Command + TempFileName if Verbose: print (Command)@@ -105,7 +108,7 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose = False):
shutil.rmtree (TempDirectoryName) return Signature -def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, Verbose = False):+def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, SubjectName, Verbose = False): print ('signtool verify is not supported.') raise ValueError ('GenerateCapsule: error: signtool verify is not supported.') @@ -249,6 +252,7 @@ if __name__ == '__main__':
HardwareInstance = ConvertJsonValue (Config, 'HardwareInstance', ValidateUnsignedInteger, Required = False, Default = 0) MonotonicCount = ConvertJsonValue (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False, Default = 0) SignToolPfxFile = ConvertJsonValue (Config, 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None, Open = True)+ SignToolSubjectName = ConvertJsonValue (Config, 'SignToolSubjectName', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslSignerPrivateCertFile = ConvertJsonValue (Config, 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslOtherPublicCertFile = ConvertJsonValue (Config, 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslTrustedPublicCertFile = ConvertJsonValue (Config, 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)@@ -264,6 +268,7 @@ if __name__ == '__main__':
HardwareInstance, UpdateImageIndex, SignToolPfxFile,+ SignToolSubjectName, OpenSslSignerPrivateCertFile, OpenSslOtherPublicCertFile, OpenSslTrustedPublicCertFile,@@ -303,6 +308,7 @@ if __name__ == '__main__':
UpdateImageIndex = ConvertJsonValue (Config, 'UpdateImageIndex', ValidateUnsignedInteger, Required = False, Default = 1) MonotonicCount = ConvertJsonValue (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False, Default = 0) SignToolPfxFile = ConvertJsonValue (Config, 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None, Open = True)+ SignToolSubjectName = ConvertJsonValue (Config, 'SignToolSubjectName', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslSignerPrivateCertFile = ConvertJsonValue (Config, 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslOtherPublicCertFile = ConvertJsonValue (Config, 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslTrustedPublicCertFile = ConvertJsonValue (Config, 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True)@@ -329,6 +335,7 @@ if __name__ == '__main__':
HardwareInstance, UpdateImageIndex, SignToolPfxFile,+ SignToolSubjectName, OpenSslSignerPrivateCertFile, OpenSslOtherPublicCertFile, OpenSslTrustedPublicCertFile,@@ -348,6 +355,7 @@ if __name__ == '__main__':
"HardwareInstance": str(PayloadDescriptor.HardwareInstance), "UpdateImageIndex": str(PayloadDescriptor.UpdateImageIndex), "SignToolPfxFile": str(PayloadDescriptor.SignToolPfxFile),+ "SignToolSubjectName": str(PayloadDescriptor.SignToolSubjectName), "OpenSslSignerPrivateCertFile": str(PayloadDescriptor.OpenSslSignerPrivateCertFile), "OpenSslOtherPublicCertFile": str(PayloadDescriptor.OpenSslOtherPublicCertFile), "OpenSslTrustedPublicCertFile": str(PayloadDescriptor.OpenSslTrustedPublicCertFile),@@ -363,6 +371,8 @@ if __name__ == '__main__':
for PayloadField in PayloadSection: if PayloadJsonDescriptorList[Index].SignToolPfxFile is None: del PayloadField ['SignToolPfxFile']+ if PayloadJsonDescriptorList[Index].SignToolSubjectName is None:+ del PayloadField ['SignToolSubjectName'] if PayloadJsonDescriptorList[Index].OpenSslSignerPrivateCertFile is None: del PayloadField ['OpenSslSignerPrivateCertFile'] if PayloadJsonDescriptorList[Index].OpenSslOtherPublicCertFile is None:@@ -402,6 +412,9 @@ if __name__ == '__main__':
if args.SignToolPfxFile: print ('GenerateCapsule: error: Argument --pfx-file conflicts with Argument -j') sys.exit (1)+ if args.SignToolSubjectName:+ print ('GenerateCapsule: error: Argument --SubjectName conflicts with Argument -j')+ sys.exit (1) if args.OpenSslSignerPrivateCertFile: print ('GenerateCapsule: error: Argument --signer-private-cert conflicts with Argument -j') sys.exit (1)@@ -425,6 +438,7 @@ if __name__ == '__main__':
HardwareInstance = 0, UpdateImageIndex = 1, SignToolPfxFile = None,+ SignToolSubjectName = None, OpenSslSignerPrivateCertFile = None, OpenSslOtherPublicCertFile = None, OpenSslTrustedPublicCertFile = None,@@ -439,13 +453,15 @@ if __name__ == '__main__':
self.HardwareInstance = HardwareInstance self.UpdateImageIndex = UpdateImageIndex self.SignToolPfxFile = SignToolPfxFile+ self.SignToolSubjectName = SignToolSubjectName self.OpenSslSignerPrivateCertFile = OpenSslSignerPrivateCertFile self.OpenSslOtherPublicCertFile = OpenSslOtherPublicCertFile self.OpenSslTrustedPublicCertFile = OpenSslTrustedPublicCertFile self.SigningToolPath = SigningToolPath self.DepexExp = DepexExp - self.UseSignTool = self.SignToolPfxFile is not None+ self.UseSignTool = (self.SignToolPfxFile is not None or+ self.SignToolSubjectName is not None) self.UseOpenSsl = (self.OpenSslSignerPrivateCertFile is not None and self.OpenSslOtherPublicCertFile is not None and self.OpenSslTrustedPublicCertFile is not None)@@ -504,8 +520,9 @@ if __name__ == '__main__':
raise argparse.ArgumentTypeError ('--update-image-index must be an integer in range 0x0..0xff') if self.UseSignTool:- self.SignToolPfxFile.close()- self.SignToolPfxFile = self.SignToolPfxFile.name+ if self.SignToolPfxFile is not None:+ self.SignToolPfxFile.close()+ self.SignToolPfxFile = self.SignToolPfxFile.name if self.UseOpenSsl: self.OpenSslSignerPrivateCertFile.close() self.OpenSslOtherPublicCertFile.close()@@ -548,6 +565,7 @@ if __name__ == '__main__':
args.HardwareInstance, args.UpdateImageIndex, args.SignToolPfxFile,+ args.SignToolSubjectName, args.OpenSslSignerPrivateCertFile, args.OpenSslOtherPublicCertFile, args.OpenSslTrustedPublicCertFile,@@ -590,6 +608,7 @@ if __name__ == '__main__':
Result + struct.pack ('<Q', SinglePayloadDescriptor.MonotonicCount), SinglePayloadDescriptor.SigningToolPath, SinglePayloadDescriptor.SignToolPfxFile,+ SinglePayloadDescriptor.SignToolSubjectName, Verbose = args.Verbose ) else:@@ -671,6 +690,7 @@ if __name__ == '__main__':
args.HardwareInstance, args.UpdateImageIndex, args.SignToolPfxFile,+ args.SignSubjectName, args.OpenSslSignerPrivateCertFile, args.OpenSslOtherPublicCertFile, args.OpenSslTrustedPublicCertFile,@@ -715,6 +735,7 @@ if __name__ == '__main__':
HardwareInstance, UpdateImageIndex, PayloadDescriptorList[Index].SignToolPfxFile,+ PayloadDescriptorList[Index].SignToolSubjectName, PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile, PayloadDescriptorList[Index].OpenSslOtherPublicCertFile, PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,@@ -753,6 +774,7 @@ if __name__ == '__main__':
HardwareInstance, UpdateImageIndex, PayloadDescriptorList[Index].SignToolPfxFile,+ PayloadDescriptorList[Index].SignToolSubjectName, PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile, PayloadDescriptorList[Index].OpenSslOtherPublicCertFile, PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile,@@ -785,6 +807,7 @@ if __name__ == '__main__':
FmpAuthHeader.CertData, SinglePayloadDescriptor.SigningToolPath, SinglePayloadDescriptor.SignToolPfxFile,+ SinglePayloadDescriptor.SignToolSubjectName, Verbose = args.Verbose ) else:@@ -968,6 +991,8 @@ if __name__ == '__main__':
parser.add_argument ("--pfx-file", dest='SignToolPfxFile', type=argparse.FileType('rb'), help="signtool PFX certificate filename.")+ parser.add_argument ("--subject-name", dest='SignToolSubjectName',+ help="signtool certificate subject name.") parser.add_argument ("--signer-private-cert", dest='OpenSslSignerPrivateCertFile', type=argparse.FileType('rb'), help="OpenSSL signer private certificate filename.")--
2.37.0.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#91204): https://edk2.groups.io/g/devel/message/91204
Mute This Topic: https://groups.io/mt/92249403/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
© 2016 - 2024 Red Hat, Inc.