Re: [PATCH v4] tools: add a simple script to generate EFI variables

20 Dec 2020

On 12/9/20 12:10 AM, Paulo Alcantara wrote:
...
This script generates EFI variables for U-Boot variable store format.
A few examples:

Generating secure boot keys
$ openssl x509 -in foo.crt -outform DER -out foo.der
$ efisiglist -a -c foo.der -o foo.esl
$ ./efivar.py -i ubootefi.var set -n db -d foo.esl -t file
$ ./efivar.py -i ubootefi.var set -n kek -d foo.esl -t file


efivar.py requires that 'set' is the first parameter.
I will fix the commit message.
Could you, please, provide a man-page for the tool as restructured text
in doc/usage/. Please, check that it is correct with 'make htmldocs'.
Best regards
Heinrich
...
 $ ./efivar.py -i ubootefi.var set -n pk -d foo.esl -t file



Printing out variables
$ ./efivar.py -i ubootefi.var set -n var1 -d foo -t str
$ ./efivar.py -i ubootefi.var set -n var2 -d bar -t str
$ ./efivar.py -i ubootefi.var print
var1:
    8be4df61-93ca-11d2-aa0d-00e098032b8c EFI_GLOBAL_VARIABLE_GUID
    NV|BS|RT, DataSize = 0x3
    0000000000: 66 6F 6F                                          foo
var2:
    8be4df61-93ca-11d2-aa0d-00e098032b8c EFI_GLOBAL_VARIABLE_GUID
    NV|BS|RT, DataSize = 0x3
    0000000000: 62 61 72                                          bar

Removing variables
$ ./efivar.py -i ubootefi.var set -n var1 -a nv,bs -d foo -t str
$ ./efivar.py -i ubootefi.var print -n var1
var1:
    8be4df61-93ca-11d2-aa0d-00e098032b8c EFI_GLOBAL_VARIABLE_GUID
    NV|BS, DataSize = 0x3
    0000000000: 66 6F 6F                                        foo
$ ./efivar.py -i ubootefi.var del -n var1
err: attributes don't match
$ ./efivar.py -i ubootefi.var del -n var1 -a nv,bs
$ ./efivar.py -i ubootefi.var print -n var1
err: variable not found




Signed-off-by: Paulo Alcantara (SUSE) pc@cjr.nz
v4: add 'sign' command for authenticated EFI payloads
tools/efivar.py | 380 ++++++++++++++++++++++++++++++++++++++++++++++++
  1 file changed, 380 insertions(+)
  create mode 100755 tools/efivar.py

diff --git a/tools/efivar.py b/tools/efivar.py
new file mode 100755
index 000000000000..ebfcab2f0a2c
--- /dev/null
+++ b/tools/efivar.py
@@ -0,0 +1,380 @@
+#!/usr/bin/env python3
+## SPDX-License-Identifier: GPL-2.0-only
+#
+# EFI variable store utilities.
+#
+# (c) 2020 Paulo Alcantara palcantara@suse.de
+#



+import os
+import struct
+import uuid
+import time
+import zlib
+import argparse
+from OpenSSL import crypto



+# U-Boot variable store format (version 1)
+UBOOT_EFI_VAR_FILE_MAGIC = 0x0161566966456255



+# UEFI variable attributes
+EFI_VARIABLE_NON_VOLATILE = 0x1
+EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
+EFI_VARIABLE_RUNTIME_ACCESS = 0x4
+EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS = 0x10
+EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
+EFI_VARIABLE_READ_ONLY = 1 << 31
+NV_BS = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
+NV_BS_RT = NV_BS | EFI_VARIABLE_RUNTIME_ACCESS
+NV_BS_RT_AT = NV_BS_RT | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
+DEFAULT_VAR_ATTRS = NV_BS_RT



+# vendor GUIDs
+EFI_GLOBAL_VARIABLE_GUID = '8be4df61-93ca-11d2-aa0d-00e098032b8c'
+EFI_IMAGE_SECURITY_DATABASE_GUID = 'd719b2cb-3d3a-4596-a3bc-dad00e67656f'
+EFI_CERT_TYPE_PKCS7_GUID = '4aafd29d-68df-49ee-8aa9-347d375665a7'
+WIN_CERT_TYPE_EFI_GUID = 0x0ef1
+WIN_CERT_REVISION = 0x0200



+var_attrs = {

   'NV': EFI_VARIABLE_NON_VOLATILE,


   'BS': EFI_VARIABLE_BOOTSERVICE_ACCESS,


   'RT': EFI_VARIABLE_RUNTIME_ACCESS,


   'AT': EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,


   'RO': EFI_VARIABLE_READ_ONLY,


   'AW': EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS,



+}



+var_guids = {

   'EFI_GLOBAL_VARIABLE_GUID': EFI_GLOBAL_VARIABLE_GUID,


   'EFI_IMAGE_SECURITY_DATABASE_GUID': EFI_IMAGE_SECURITY_DATABASE_GUID,



+}



+class EfiStruct:

   # struct efi_var_file


   var_file_fmt = '<QQLL'


   var_file_size = struct.calcsize(var_file_fmt)


   # struct efi_var_entry


   var_entry_fmt = '<LLQ16s'


   var_entry_size = struct.calcsize(var_entry_fmt)


   # struct efi_time


   var_time_fmt = '<H6BLh2B'


   var_time_size = struct.calcsize(var_time_fmt)


   # WIN_CERTIFICATE


   var_win_cert_fmt = '<L2H'


   var_win_cert_size = struct.calcsize(var_win_cert_fmt)


   # WIN_CERTIFICATE_UEFI_GUID


   var_win_cert_uefi_guid_fmt = var_win_cert_fmt+'16s'


   var_win_cert_uefi_guid_size = struct.calcsize(var_win_cert_uefi_guid_fmt)




+class EfiVariable:

def __init__(self, size, attrs, time, guid, name, data):
   self.size = size


   self.attrs = attrs


   self.time = time


   self.guid = guid


   self.name = name


   self.data = data




+def calc_crc32(buf):

return zlib.crc32(buf) & 0xffffffff


+class EfiVariableStore:

def __init__(self, infile):
   self.infile = infile


   self.efi = EfiStruct()


   if os.path.exists(self.infile) and os.stat(self.infile).st_size > self.efi.var_file_size:


       with open(self.infile, 'rb') as f:


           buf = f.read()


           self._check_header(buf)


           self.ents = buf[self.efi.var_file_size:]


   else:


       self.ents = bytearray()



def _check_header(self, buf):
   hdr = struct.unpack_from(self.efi.var_file_fmt, buf, 0)


   magic, crc32 = hdr[1], hdr[3]



   if magic != UBOOT_EFI_VAR_FILE_MAGIC:


       print("err: invalid magic number: %s"%hex(magic))


       exit(1)


   if crc32 != calc_crc32(buf[self.efi.var_file_size:]):


       print("err: invalid crc32: %s"%hex(crc32))


       exit(1)



def _get_var_name(self, buf):
   name = ''


   for i in range(0, len(buf) - 1, 2):


       if not buf[i] and not buf[i+1]:


           break


       name += chr(buf[i])


   return ''.join([chr(x) for x in name.encode('utf_16_le') if x]), i + 2



def _next_var(self, offs=0):
   size, attrs, time, guid = struct.unpack_from(self.efi.var_entry_fmt, self.ents, offs)


   data_fmt = str(size)+"s"


   offs += self.efi.var_entry_size


   name, namelen = self._get_var_name(self.ents[offs:])


   offs += namelen


   data = struct.unpack_from(data_fmt, self.ents, offs)[0]


   # offset to next 8-byte aligned variable entry


   offs = (offs + len(data) + 7) & ~7


   return EfiVariable(size, attrs, time, uuid.UUID(bytes_le=guid), name, data), offs



def __iter__(self):
   self.offs = 0


   return self



def __next__(self):
   if self.offs < len(self.ents):


       var, noffs = self._next_var(self.offs)


       self.offs = noffs


       return var


   else:


       raise StopIteration



def __len__(self):
   return len(self.ents)



def _set_var(self, guid, name_data, size, attrs, tsec):
   ent = struct.pack(self.efi.var_entry_fmt,


                     size,


                     attrs,


                     tsec,


                     uuid.UUID(guid).bytes_le)


   ent += name_data


   self.ents += ent



def del_var(self, guid, name, attrs):
   offs = 0


   while offs < len(self.ents):


       var, loffs = self._next_var(offs)


       if var.name == name and str(var.guid):


           if var.attrs != attrs:


               print("err: attributes don't match")


               exit(1)


           self.ents = self.ents[:offs] + self.ents[loffs:]


           return


       offs = loffs


   print("err: variable not found")


   exit(1)



def set_var(self, guid, name, data, size, attrs):
   offs = 0


   while offs < len(self.ents):


       var, loffs = self._next_var(offs)


       if var.name == name and str(var.guid) == guid:


           if var.attrs != attrs:


               print("err: attributes don't match")


               exit(1)


           # make room for updating var


           self.ents = self.ents[:offs] + self.ents[loffs:]


           break


       offs = loffs



   tsec = int(time.time()) if attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS else 0


   nd = name.encode('utf_16_le') + b"\x00\x00" + data


   # U-Boot variable format requires the name + data blob to be 8-byte aligned


   pad = ((len(nd) + 7) & ~7) - len(nd)


   nd += bytes([0] * pad)



   return self._set_var(guid, nd, size, attrs, tsec)



def save(self):
   hdr = struct.pack(self.efi.var_file_fmt,


                     0,


                     UBOOT_EFI_VAR_FILE_MAGIC,


                     len(self.ents) + self.efi.var_file_size,


                     calc_crc32(self.ents))



   with open(self.infile, 'wb') as f:


       f.write(hdr)


       f.write(self.ents)




+def parse_attrs(attrs):

v = DEFAULT_VAR_ATTRS
if attrs:
   v = 0


   for i in attrs.split(','):


       v |= var_attrs[i.upper()]


return v


+def parse_data(val, vtype):

if not val or not vtype:
   return None, 0


fmt = { 'u8': '<B', 'u16': '<H', 'u32': '<L', 'u64': '<Q' }
if vtype.lower() == 'file':
   with open(val, 'rb') as f:


       data = f.read()


       return data, len(data)


if vtype.lower() == 'str':
   data = val.encode('utf-8')


   return data, len(data)


if vtype.lower() == 'nil':
   return None, 0


i = fmt[vtype.lower()]
return struct.pack(i, int(val)), struct.calcsize(i)


+def parse_args(args):

name = args.name
attrs = parse_attrs(args.attrs)
guid = args.guid if args.guid else EFI_GLOBAL_VARIABLE_GUID

if name.lower() == 'db' or name.lower() == 'dbx':
   name = name.lower()


   guid = EFI_IMAGE_SECURITY_DATABASE_GUID


   attrs = NV_BS_RT_AT


elif name.lower() == 'pk' or name.lower() == 'kek':
   name = name.upper()


   guid = EFI_GLOBAL_VARIABLE_GUID


   attrs = NV_BS_RT_AT



data, size = parse_data(args.data, args.type)
return guid, name, attrs, data, size


+def cmd_set(args):

env = EfiVariableStore(args.infile)
guid, name, attrs, data, size = parse_args(args)
env.set_var(guid=guid, name=name, data=data, size=size, attrs=attrs)
env.save()


+def print_var(var):

print(var.name+':')
print("    "+str(var.guid)+' '+''.join([x for x in var_guids if str(var.guid) == var_guids[x]]))
print("    "+'|'.join([x for x in var_attrs if var.attrs & var_attrs[x]])+", DataSize = %s"%hex(var.size))
hexdump(var.data)


+def cmd_print(args):

env = EfiVariableStore(args.infile)
if not args.name and not args.guid and not len(env):
   return



found = False
for var in env:
   if not args.name:


       if args.guid and args.guid != str(var.guid):


           continue


       print_var(var)


       found = True


   else:


       if args.name != var.name or (args.guid and args.guid != str(var.guid)):


           continue


       print_var(var)


       found = True



if not found:
   print("err: variable not found")


   exit(1)




+def cmd_del(args):

env = EfiVariableStore(args.infile)
attrs = parse_attrs(args.attrs)
guid = args.guid if args.guid else EFI_GLOBAL_VARIABLE_GUID
env.del_var(guid, args.name, attrs)
env.save()


+def pkcs7_sign(cert, key, buf):

with open(cert, 'r') as f:
   crt = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())


with open(key, 'r') as f:
   pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())



PKCS7_BINARY = 0x80
PKCS7_DETACHED = 0x40
PKCS7_NOATTR = 0x100

bio_in = crypto._new_mem_buf(buf)
p7 = crypto._lib.PKCS7_sign(crt._x509, pkey._pkey, crypto._ffi.NULL, bio_in,
                           PKCS7_BINARY|PKCS7_DETACHED|PKCS7_NOATTR)


bio_out = crypto._new_mem_buf()
crypto._lib.i2d_PKCS7_bio(bio_out, p7)
return crypto._bio_to_string(bio_out)


+# UEFI 2.8 Errata B "8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2 descriptor"
+def cmd_sign(args):

guid, name, attrs, data, size = parse_args(args)
attrs |= EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
efi = EfiStruct()

tm = time.localtime()
etime = struct.pack(efi.var_time_fmt,
                   tm.tm_year, tm.tm_mon, tm.tm_mday,


                   tm.tm_hour, tm.tm_min, tm.tm_sec,


                   0, 0, 0, 0, 0)



buf = name.encode('utf_16_le') + uuid.UUID(guid).bytes_le + attrs.to_bytes(4, byteorder='little') + etime
if data:
   buf += data


sig = pkcs7_sign(args.cert, args.key, buf)

desc = struct.pack(efi.var_win_cert_uefi_guid_fmt,
                  efi.var_win_cert_uefi_guid_size + len(sig),


                  WIN_CERT_REVISION,


                  WIN_CERT_TYPE_EFI_GUID,


                  uuid.UUID(EFI_CERT_TYPE_PKCS7_GUID).bytes_le)



with open(args.outfile, 'wb') as f:
   if data:


       f.write(etime + desc + sig + data)


   else:


       f.write(etime + desc + sig)




+def main():

ap = argparse.ArgumentParser(description='EFI variable store utilities')
subp = ap.add_subparsers(help="sub-command help")

printp = subp.add_parser('print', help='get/list EFI variables')
printp.add_argument('--infile', '-i', required=True, help='file to save the EFI variables')
printp.add_argument('--name', '-n', help='variable name')
printp.add_argument('--guid', '-g', help='vendor GUID')
printp.set_defaults(func=cmd_print)

setp = subp.add_parser('set', help='set EFI variable')
setp.add_argument('--infile', '-i', required=True, help='file to save the EFI variables')
setp.add_argument('--name', '-n', required=True, help='variable name')
setp.add_argument('--attrs', '-a', help='variable attributes (values: nv,bs,rt,at,ro,aw)')
setp.add_argument('--guid', '-g', help="vendor GUID (default: %s)"%EFI_GLOBAL_VARIABLE_GUID)
setp.add_argument('--type', '-t', help='variable type (values: file|u8|u16|u32|u64|str)')
setp.add_argument('--data', '-d', help='data or filename')
setp.set_defaults(func=cmd_set)

delp = subp.add_parser('del', help='delete EFI variable')
delp.add_argument('--infile', '-i', required=True, help='file to save the EFI variables')
delp.add_argument('--name', '-n', required=True, help='variable name')
delp.add_argument('--attrs', '-a', help='variable attributes (values: nv,bs,rt,at,ro,aw)')
delp.add_argument('--guid', '-g', help="vendor GUID (default: %s)"%EFI_GLOBAL_VARIABLE_GUID)
delp.set_defaults(func=cmd_del)

signp = subp.add_parser('sign', help='sign time-based EFI payload')
signp.add_argument('--cert', '-c', required=True, help='x509 certificate filename in PEM format')
signp.add_argument('--key', '-k', required=True, help='signing certificate filename in PEM format')
signp.add_argument('--name', '-n', required=True, help='variable name')
signp.add_argument('--attrs', '-a', help='variable attributes (values: nv,bs,rt,at,ro,aw)')
signp.add_argument('--guid', '-g', help="vendor GUID (default: %s)"%EFI_GLOBAL_VARIABLE_GUID)
signp.add_argument('--type', '-t', required=True, help='variable type (values: file|u8|u16|u32|u64|str|nil)')
signp.add_argument('--data', '-d', help='data or filename')
signp.add_argument('--outfile', '-o', required=True, help='output filename of signed EFI payload')
signp.set_defaults(func=cmd_sign)

args = ap.parse_args()
args.func(args)


+def group(a, *ns):

for n in ns:
   a = [a[i:i+n] for i in range(0, len(a), n)]


return a


+def join(a, *cs):

return [cs[0].join(join(t, *cs[1:])) for t in a] if cs else a


+def hexdump(data):

toHex = lambda c: '{:02X}'.format(c)
toChr = lambda c: chr(c) if 32 <= c < 127 else '.'
make = lambda f, *cs: join(group(list(map(f, data)), 8, 2), *cs)
hs = make(toHex, '  ', ' ')
cs = make(toChr, ' ', '')
for i, (h, c) in enumerate(zip(hs, cs)):
   print ('    {:010X}: {:48}  {:16}'.format(i * 16, h, c))




+if __name__ == '__main__':

main()

--
2.29.2

    

Re: [PATCH v4] tools: add a simple script to generate EFI variables

Heinrich Schuchardt

Signed-off-by: Paulo Alcantara (SUSE) pc@cjr.nz

v4: add 'sign' command for authenticated EFI payloads