On 12/1/20 11:58 PM, Paulo Alcantara wrote:
This script generates EFI variables for U-Boot variable store format.
A few examples:
Generating secure boot keys
$ openssl x509 -in foo.crt -outform DER -out foo.der $ efisiglist -a -c foo.der -o foo.esl $ ./efivar.py -i ubootefi.var set -n db -d foo.esl -t file $ ./efivar.py -i ubootefi.var set -n kek -d foo.esl -t file $ ./efivar.py -i ubootefi.var set -n pk -d foo.esl -t file
Printing out variables
$ ./efivar.py -i ubootefi.var set -n var1 -a nv,bs -d foo -t str $ ./efivar.py -i ubootefi.var set -n var2 -a nv,bs -d bar -t str $ ./efivar.py -i ubootefi.var print var1: 8be4df61-93ca-11d2-aa0d-00e098032b8c EFI_GLOBAL_VARIABLE_GUID NV|BS, DataSize = 0x3 0000000000: 66 6F 6F foo var2: 8be4df61-93ca-11d2-aa0d-00e098032b8c EFI_GLOBAL_VARIABLE_GUID NV|BS, DataSize = 0x3 0000000000: 62 61 72 bar
Removing variables
$ ./efivar.py -i ubootefi.var set -n var1 -a nv,bs -d foo -t str $ ./efivar.py -i ubootefi.var print -n var1 var1: 8be4df61-93ca-11d2-aa0d-00e098032b8c EFI_GLOBAL_VARIABLE_GUID NV|BS, DataSize = 0x3 0000000000: 66 6F 6F foo $ ./efivar.py -i ubootefi.var set -n var1 $ ./efivar.py -i ubootefi.var print -n var1 err: variable not found
Signed-off-by: Paulo Alcantara (SUSE) pc@cjr.nz
tools/efivar.py | 276 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 276 insertions(+) create mode 100755 tools/efivar.py
diff --git a/tools/efivar.py b/tools/efivar.py new file mode 100755 index 000000000000..ecd12319c43b --- /dev/null +++ b/tools/efivar.py @@ -0,0 +1,276 @@ +#!/usr/bin/env python3 +## SPDX-License-Identifier: GPL-2.0-only +# +# Generate UEFI variables for U-Boot. +# +# (c) 2020 Paulo Alcantara palcantara@suse.de +#
+import os +import struct +import uuid +import time +import zlib +import argparse
+# U-Boot variable store format (version 1) +UBOOT_EFI_VAR_FILE_MAGIC = 0x0161566966456255
+# UEFI variable attributes +EFI_VARIABLE_NON_VOLATILE = 0x1 +EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2 +EFI_VARIABLE_RUNTIME_ACCESS = 0x4 +EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS = 0x10 +EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20 +EFI_VARIABLE_READ_ONLY = 1 << 31 +NV_BS = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS +NV_BS_RT = NV_BS | EFI_VARIABLE_RUNTIME_ACCESS +NV_BS_RT_AT = NV_BS_RT | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
+# UEFI variable GUIDs +EFI_GLOBAL_VARIABLE_GUID = '8be4df61-93ca-11d2-aa0d-00e098032b8c' +EFI_IMAGE_SECURITY_DATABASE_GUID = 'd719b2cb-3d3a-4596-a3bc-dad00e67656f'
+var_attrs = {
'NV': EFI_VARIABLE_NON_VOLATILE,'BS': EFI_VARIABLE_BOOTSERVICE_ACCESS,'RT': EFI_VARIABLE_RUNTIME_ACCESS,'AT': EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,'RO': EFI_VARIABLE_READ_ONLY,'AW': EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS,+}
+var_guids = {
'EFI_GLOBAL_VARIABLE_GUID': '8be4df61-93ca-11d2-aa0d-00e098032b8c','EFI_IMAGE_SECURITY_DATABASE_GUID': 'd719b2cb-3d3a-4596-a3bc-dad00e67656f',+}
+class EfiStruct:
# struct efi_var_filevar_file_fmt = '<QQLL'var_file_size = struct.calcsize(var_file_fmt)# struct efi_var_entryvar_entry_fmt = '<LLQ16s'var_entry_size = struct.calcsize(var_entry_fmt)+class EfiVariable:
- def __init__(self, size, attrs, time, guid, name, data):
self.size = sizeself.attrs = attrsself.time = timeself.guid = guidself.name = nameself.data = data+class EfiVariableStore:
- def __init__(self, infile):
self.infile = infileself.efi = EfiStruct()if os.path.exists(self.infile) and os.stat(self.infile).st_size > self.efi.var_file_size:with open(self.infile, 'rb') as f:buf = f.read()self._check_header(buf)self.ents = buf[self.efi.var_file_size:]else:self.ents = bytearray()- def _check_header(self, buf):
hdr = struct.unpack_from(self.efi.var_file_fmt, buf, 0)magic, crc32 = hdr[1], hdr[3]if magic != UBOOT_EFI_VAR_FILE_MAGIC:print("err: invalid magic number: %s"%hex(magic))exit(1)if crc32 != zlib.crc32(buf[self.efi.var_file_size:]) & 0xffffffff:print("err: invalid crc32: %s"%hex(crc32))exit(1)- def _get_var_name(self, buf):
name = ''for i in range(0, len(buf) - 1, 2):if not buf[i] and not buf[i+1]:breakname += chr(buf[i])return ''.join([chr(x) for x in name.encode('utf_16_le') if x]), i + 2- def _next_var(self, offs=0):
size, attrs, time, guid = struct.unpack_from(self.efi.var_entry_fmt, self.ents, offs)data_fmt = str(size)+"s"offs += self.efi.var_entry_sizename, namelen = self._get_var_name(self.ents[offs:])offs += namelendata = struct.unpack_from(data_fmt, self.ents, offs)[0]offs = (offs + len(data) + 7) & ~7return EfiVariable(size, attrs, time, uuid.UUID(bytes_le=guid), name, data), offs- def __iter__(self):
self.offs = 0return self- def __next__(self):
if self.offs < len(self.ents):var, noffs = self._next_var(self.offs)self.offs = noffsreturn varelse:raise StopIteration- def __len__(self):
return len(self.ents)- def _set_var(self, guid, name_data, size, attrs, tsec):
ent = struct.pack(self.efi.var_entry_fmt,size,attrs,tsec,uuid.UUID(guid).bytes_le)ent += name_dataself.ents += ent- def set_var(self, guid, name, data, size, attrs):
offs = 0while offs < len(self.ents):var, loffs = self._next_var(offs)if var.name == name and str(var.guid) == guid:if not data or not attrs:self.ents = self.ents[:offs] + self.ents[loffs:]returnif var.attrs != attrs:print("err: invalid attributes")
Thanks for adding deletion and modification of variables.
print("attributes don't match")
would better convey the meaning here.
exit(1)# make room for updating varself.ents = self.ents[:offs] + self.ents[loffs:]breakoffs = loffsif not data or not attrs:print("err: variable not found")exit(1)tsec = int(time.time()) if attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS else 0nd = name.encode('utf_16_le') + b"\x00\x00" + data# U-Boot variable format requires the name + data blob to be 8-byte alignedpad = ((len(nd) + 7) & ~7) - len(nd)nd += bytes([0] * pad)return self._set_var(guid, nd, size, attrs, tsec)- def save(self):
hdr = struct.pack(self.efi.var_file_fmt,0,UBOOT_EFI_VAR_FILE_MAGIC,len(self.ents) + self.efi.var_file_size,zlib.crc32(self.ents) & 0xffffffff)with open(self.infile, 'wb') as f:f.write(hdr)f.write(self.ents)+def parse_attrs(attrs):
- v = 0
- if attrs:
for i in attrs.split(','):v |= var_attrs[i.upper()]- return v
+def parse_data(val, vtype):
- if not val or not vtype:
return None, 0- fmt = { 'u8': '<B', 'u16': '<H', 'u32': '<L', 'u64': '<Q' }
- if vtype.lower() == 'file':
with open(val, 'rb') as f:data = f.read()return data, len(data)- if vtype.lower() == 'str':
data = val.encode('utf-8')return data, len(data)- i = fmt[vtype.lower()]
- return struct.pack(i, int(val)), struct.calcsize(i)
+def cmd_set(args):
- env = EfiVariableStore(args.infile)
- data, size = parse_data(args.data, args.type)
- if args.name.lower() == 'pk':
env.set_var(guid=EFI_GLOBAL_VARIABLE_GUID, name='PK', data=data, size=size, attrs=NV_BS_RT_AT)- elif args.name.lower() == 'kek':
env.set_var(guid=EFI_GLOBAL_VARIABLE_GUID, name='KEK', data=data, size=size, attrs=NV_BS_RT_AT)- elif args.name.lower() == 'db':
env.set_var(guid=EFI_IMAGE_SECURITY_DATABASE_GUID, name='db', data=data, size=size, attrs=NV_BS_RT_AT)- elif args.name.lower() == 'dbx':
env.set_var(guid=EFI_IMAGE_SECURITY_DATABASE_GUID, name='dbx', data=data, size=size, attrs=NV_BS_RT_AT)- else:
guid = args.guid if args.guid else EFI_GLOBAL_VARIABLE_GUIDattrs = parse_attrs(args.attrs)env.set_var(guid=guid, name=args.name, data=data, size=size, attrs=attrs)- env.save()
+def print_var(var):
- print(var.name+':')
- print(" "+str(var.guid)+' '+''.join([x for x in var_guids if str(var.guid) == var_guids[x]]))
- print(" "+'|'.join([x for x in var_attrs if var.attrs & var_attrs[x]])+", DataSize = %s"%hex(var.size))
- hexdump(var.data)
+def cmd_print(args):
- env = EfiVariableStore(args.infile)
- if not args.name and not args.guid and not len(env):
return- found = False
- for var in env:
if not args.name:if args.guid and args.guid != str(var.guid):continueprint_var(var)found = Trueelse:if args.name != var.name or (args.guid and args.guid != str(var.guid)):continueprint_var(var)found = True- if not found:
print("err: variable not found")exit(1)+def main():
- ap = argparse.ArgumentParser(description='Generate U-Boot variable store')
- ap.add_argument('--infile', '-i', required=True, help='file to save the UEFI variables')
- subp = ap.add_subparsers(help="sub-command help")
- printp = subp.add_parser('print', help='get/list UEFI variables')
- printp.add_argument('--guid', '-g', help='variable guid')
- printp.add_argument('--name', '-n', help='variable name')
- printp.set_defaults(func=cmd_print)
- setp = subp.add_parser('set', help='set UEFI variable')
- setp.add_argument('--name', '-n', required=True, help='variable name')
- setp.add_argument('--attrs', '-a', help='variable attributes (values: nv,bs,rt,at,ro,aw)')
The online help should indicate how deletion works.
I find it problematic that if a user forgets to specify -a, the variable is deleted inadvertently. PK, KEK, db, dbx cannot be deleted at all.
Please, use a separate sub-command for deletion and reintroduce the default for the attributes as nv,bs,rt which seems more useful than nv,bs.
- setp.add_argument('--guid', '-g', help="variable guid (default: %s)"%EFI_GLOBAL_VARIABLE_GUID)
%s/variable guid/vendor GUID/
- setp.add_argument('--type', '-t', help='variable type (values: file|u8|u16|u32|u64|str)')
- setp.add_argument('--data', '-d', help='variable data')
help='data or filename'
Best regards
Heinrich
- setp.set_defaults(func=cmd_set)
- args = ap.parse_args()
- args.func(args)
+def group(a, *ns):
- for n in ns:
a = [a[i:i+n] for i in range(0, len(a), n)]- return a
+def join(a, *cs):
- return [cs[0].join(join(t, *cs[1:])) for t in a] if cs else a
+def hexdump(data):
- toHex = lambda c: '{:02X}'.format(c)
- toChr = lambda c: chr(c) if 32 <= c < 127 else '.'
- make = lambda f, *cs: join(group(list(map(f, data)), 8, 2), *cs)
- hs = make(toHex, ' ', ' ')
- cs = make(toChr, ' ', '')
- for i, (h, c) in enumerate(zip(hs, cs)):
print (' {:010X}: {:48} {:16}'.format(i * 16, h, c))+if __name__ == '__main__':
- main()