From: "Lin, Jason1"
To: devel@edk2.groups.io
Cc: Jason1 Lin, Bob Feng, Liming Gao, Yuwei Chen, Michael D Kinney, Dakota Chiang
Subject: [edk2-devel] [PATCH v4] BaseTools/Capsule: Support signtool input subject name to sign capsule file
Date: Mon, 25 Jul 2022 23:31:08 +0800
Message-Id: <20220725153108.3253-1-jason1.lin@intel.com>
From: Jason1 Lin

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3928

Windows-based systems use signtool.exe to sign the capsule. Add support for using the "--subject-name" argument to assign the subject name used to sign the capsule file. This argument is passed to signtool.exe as part of its input arguments with the "/n" flag.

NOTE: If using signtool.exe to sign a capsule, at least one of the "--pfx-file" and "--subject-name" arguments needs to be given a value.

Signed-off-by: Jason1 Lin
Cc: Bob Feng
Cc: Liming Gao
Cc: Yuwei Chen
Cc: Michael D Kinney
Cc: Dakota Chiang
---
 BaseTools/Source/Python/Capsule/GenerateCapsule.py | 43 ++++++++++++++++----
 1 file changed, 34 insertions(+), 9 deletions(-)

diff --git a/BaseTools/Source/Python/Capsule/GenerateCapsule.py b/BaseTools= /Source/Python/Capsule/GenerateCapsule.py index b8039db878..35435946c6 100644 --- a/BaseTools/Source/Python/Capsule/GenerateCapsule.py +++ b/BaseTools/Source/Python/Capsule/GenerateCapsule.py @@ -10,7 +10,7 @@ # keep the tool as simple as possible, it has the following limitations: # * Do not support vendor code bytes in a capsule. # -# Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.
+# Copyright (c) 2018 - 2022, Intel Corporation. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause-Patent # =20 @@ -38,11 +38,11 @@ from Common.Edk2.Capsule.FmpPayloadHeader import FmpPa= yloadHeaderClass # Globals for help information # __prog__ =3D 'GenerateCapsule' -__version__ =3D '0.9' -__copyright__ =3D 'Copyright (c) 2018, Intel Corporation. All rights res= erved.' +__version__ =3D '0.10' +__copyright__ =3D 'Copyright (c) 2022, Intel Corporation. All rights res= erved.' __description__ =3D 'Generate a capsule.\n' =20 -def SignPayloadSignTool (Payload, ToolPath, PfxFile, Verbose =3D False): +def SignPayloadSignTool (Payload, ToolPath, PfxFile, SubjectName, Verbose = =3D False): # # Create a temporary directory # @@ -72,7 +72,10 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile, Ver= bose =3D False): Command =3D Command + '"{Path}" '.format (Path =3D os.path.join (ToolP= ath, 'signtool.exe')) Command =3D Command + 'sign /fd sha256 /p7ce DetachedSignedData /p7co = 1.2.840.113549.1.7.2 ' Command =3D Command + '/p7 {TempDir} '.format (TempDir =3D TempDirecto= ryName) - Command =3D Command + '/f {PfxFile} '.format (PfxFile =3D PfxFile) + if PfxFile is not None: + Command =3D Command + '/f {PfxFile} '.format (PfxFile =3D PfxFile) + if SubjectName is not None: + Command =3D Command + '/n {SubjectName} '.format (SubjectName =3D = SubjectName) Command =3D Command + TempFileName if Verbose: print (Command) @@ -105,7 +108,7 @@ def SignPayloadSignTool (Payload, ToolPath, PfxFile, Ve= rbose =3D False): shutil.rmtree (TempDirectoryName) return Signature =20 -def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, Verbose = =3D False): +def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, SubjectNa= me, Verbose =3D False): print ('signtool verify is not supported.') raise ValueError ('GenerateCapsule: error: signtool verify is not supp= orted.') =20 
@@ -249,6 +252,7 @@ if __name__ =3D=3D '__main__': HardwareInstance =3D ConvertJsonValue (Config, 'Ha= rdwareInstance', ValidateUnsignedInteger, Required =3D False, Default =3D 0) MonotonicCount =3D ConvertJsonValue (Config, 'Mo= notonicCount', ValidateUnsignedInteger, Required =3D False, Default =3D 0) SignToolPfxFile =3D ConvertJsonValue (Config, 'Si= gnToolPfxFile', os.path.expandvars, Required =3D False, Default =3D None, O= pen =3D True) + SignToolSubjectName =3D ConvertJsonValue (Config, 'Si= gnToolSubjectName', os.path.expandvars, Required =3D False, Default =3D Non= e, Open =3D True) OpenSslSignerPrivateCertFile =3D ConvertJsonValue (Config, 'Op= enSslSignerPrivateCertFile', os.path.expandvars, Required =3D False, Defaul= t =3D None, Open =3D True) OpenSslOtherPublicCertFile =3D ConvertJsonValue (Config, 'Op= enSslOtherPublicCertFile', os.path.expandvars, Required =3D False, Default = =3D None, Open =3D True) OpenSslTrustedPublicCertFile =3D ConvertJsonValue (Config, 'Op= enSslTrustedPublicCertFile', os.path.expandvars, Required =3D False, Defaul= t =3D None, Open =3D True) @@ -264,6 +268,7 @@ if __name__ =3D=3D '__main__': HardwareInstance, UpdateImageIndex, SignToolPfxFile, + SignToolSubjectName, OpenSslSignerPrivateCertFile, OpenSslOtherPublicCertFile, OpenSslTrustedPublicCertFile, 
@@ -303,6 +308,7 @@ if __name__ =3D=3D '__main__': UpdateImageIndex =3D ConvertJsonValue (Config, 'Up= dateImageIndex', ValidateUnsignedInteger, Required =3D False, Default =3D 1) MonotonicCount =3D ConvertJsonValue (Config, 'Mo= notonicCount', ValidateUnsignedInteger, Required =3D False, Default =3D 0) SignToolPfxFile =3D ConvertJsonValue (Config, 'Si= gnToolPfxFile', os.path.expandvars, Required =3D False, Default =3D None, O= pen =3D True) + SignToolSubjectName =3D ConvertJsonValue (Config, 'Si= gnToolSubjectName', os.path.expandvars, Required =3D False, Default =3D Non= e, Open =3D True) OpenSslSignerPrivateCertFile =3D ConvertJsonValue (Config, 'Op= enSslSignerPrivateCertFile', os.path.expandvars, Required =3D False, Defaul= t =3D None, Open =3D True) OpenSslOtherPublicCertFile =3D ConvertJsonValue (Config, 'Op= enSslOtherPublicCertFile', os.path.expandvars, Required =3D False, Default = =3D None, Open =3D True) OpenSslTrustedPublicCertFile =3D ConvertJsonValue (Config, 'Op= enSslTrustedPublicCertFile', os.path.expandvars, Required =3D False, Defaul= t =3D None, Open =3D True) @@ -329,6 +335,7 @@ if __name__ =3D=3D '__main__': HardwareInstance, UpdateImageIndex, SignToolPfxFile, + SignToolSubjectName, OpenSslSignerPrivateCertFile, OpenSslOtherPublicCertFile, OpenSslTrustedPublicCertFile, @@ -348,6 +355,7 @@ if __name__ =3D=3D '__main__': "HardwareInstance": str(PayloadDescripto= r.HardwareInstance), "UpdateImageIndex": str(PayloadDescripto= r.UpdateImageIndex), "SignToolPfxFile": str(PayloadDescriptor= .SignToolPfxFile), + "SignToolSubjectName": str(PayloadDescri= ptor.SignToolSubjectName), "OpenSslSignerPrivateCertFile": str(Payl= oadDescriptor.OpenSslSignerPrivateCertFile), "OpenSslOtherPublicCertFile": str(Payloa= dDescriptor.OpenSslOtherPublicCertFile), "OpenSslTrustedPublicCertFile": str(Payl= oadDescriptor.OpenSslTrustedPublicCertFile), 
@@ -363,6 +371,8 @@ if __name__ =3D=3D '__main__': for PayloadField in PayloadSection: if PayloadJsonDescriptorList[Index].SignToolPfxFile is None: del PayloadField ['SignToolPfxFile'] + if PayloadJsonDescriptorList[Index].SignToolSubjectName is Non= e: + del PayloadField ['SignToolSubjectName'] if PayloadJsonDescriptorList[Index].OpenSslSignerPrivateCertFi= le is None: del PayloadField ['OpenSslSignerPrivateCertFile'] if PayloadJsonDescriptorList[Index].OpenSslOtherPublicCertFile= is None: @@ -402,6 +412,9 @@ if __name__ =3D=3D '__main__': if args.SignToolPfxFile: print ('GenerateCapsule: error: Argument --pfx-file conflicts = with Argument -j') sys.exit (1) + if args.SignToolSubjectName: + print ('GenerateCapsule: error: Argument --SubjectName conflic= ts with Argument -j') + sys.exit (1) if args.OpenSslSignerPrivateCertFile: print ('GenerateCapsule: error: Argument --signer-private-cert= conflicts with Argument -j') sys.exit (1) @@ -425,6 +438,7 @@ if __name__ =3D=3D '__main__': HardwareInstance =3D 0, UpdateImageIndex =3D 1, SignToolPfxFile =3D None, + SignToolSubjectName =3D None, OpenSslSignerPrivateCertFile =3D None, OpenSslOtherPublicCertFile =3D None, OpenSslTrustedPublicCertFile =3D None, 
@@ -439,13 +453,15 @@ if __name__ =3D=3D '__main__': self.HardwareInstance =3D HardwareInstance self.UpdateImageIndex =3D UpdateImageIndex self.SignToolPfxFile =3D SignToolPfxFile + self.SignToolSubjectName =3D SignToolSubjectName self.OpenSslSignerPrivateCertFile =3D OpenSslSignerPrivateCert= File self.OpenSslOtherPublicCertFile =3D OpenSslOtherPublicCertFi= le self.OpenSslTrustedPublicCertFile =3D OpenSslTrustedPublicCert= File self.SigningToolPath =3D SigningToolPath self.DepexExp =3D DepexExp =20 - self.UseSignTool =3D self.SignToolPfxFile is not None + self.UseSignTool =3D (self.SignToolPfxFile is not None or + self.SignToolSubjectName is not None) self.UseOpenSsl =3D (self.OpenSslSignerPrivateCertFile is not= None and self.OpenSslOtherPublicCertFile is not Non= e and self.OpenSslTrustedPublicCertFile is not N= one) @@ -504,8 +520,9 @@ if __name__ =3D=3D '__main__': raise argparse.ArgumentTypeError ('--update-image-= index must be an integer in range 0x0..0xff') =20 if self.UseSignTool: - self.SignToolPfxFile.close() - self.SignToolPfxFile =3D self.SignToolPfxFile.name + if self.SignToolPfxFile is not None: + self.SignToolPfxFile.close() + self.SignToolPfxFile =3D self.SignToolPfxFile.name if self.UseOpenSsl: self.OpenSslSignerPrivateCertFile.close() self.OpenSslOtherPublicCertFile.close() @@ -548,6 +565,7 @@ if __name__ =3D=3D '__main__': args.HardwareInstance, args.UpdateImageIndex, args.SignToolPfxFile, + args.SignToolSubjectName, args.OpenSslSignerPrivateCertF= ile, args.OpenSslOtherPublicCertFil= e, args.OpenSslTrustedPublicCertF= ile, @@ -590,6 +608,7 @@ if __name__ =3D=3D '__main__': Result + struct.pack ('
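Review bot: In the @@ -72 hunk the subject name is spliced into the command line unquoted (`'/n {SubjectName} '`), whereas the tool path a few lines above is wrapped in double quotes (`'"{Path}" '`). Certificate subject names routinely contain spaces (a CN carrying a company name, for instance), so if `Command` is handed to a shell or to CreateProcess as one string, the value is split into several arguments and signtool receives a truncated `/n` value, or fails to find the certificate. Suggest `'/n "{SubjectName}" '`, and the same quoting for the `/f {PfxFile}` line, since a PFX path can contain spaces as well.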
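Review bot: In the @@ -402 hunk the new error text names the option as `--SubjectName`, which does not match the `--subject-name` spelling the commit message introduces, nor the style of the neighbouring message that refers to `--pfx-file`. Suggest `'GenerateCapsule: error: Argument --subject-name conflicts with Argument -j'` so a user can grep the message against the actual flag.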
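Review bot: In the @@ -249 and @@ -303 hunks `SignToolSubjectName` is converted with `os.path.expandvars` and `Open = True`, copied from the `SignToolPfxFile` line, but a subject name is a certificate string, not a path. The file-typed entries are later `.close()`d and replaced by `.name` (the @@ -504 hunk), and that treatment is correctly not applied to the subject name, so `Open = True` looks like a copy-and-paste leftover; if `Open` makes ConvertJsonValue open the value as a file, a real subject name such as `CN=...` would fail conversion. Suggest `Required = False, Default = None, Open = False` for both occurrences (and `str` rather than `os.path.expandvars` unless environment expansion in the subject name is intended).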
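Review bot: In the @@ -105 hunk `VerifyPayloadSignTool` gains a `SubjectName` parameter that the function never reads, since it raises immediately. Keeping the signature in step with `SignPayloadSignTool` is reasonable for the call sites, but a one-line comment saying the parameter is accepted only for symmetry would spare the next reader a search for where it is used.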