[PATCH v2] tools: add a simple script to generate EFI variables

This script generates EFI variables for U-Boot variable store format.

A few examples:

- Generating secure boot keys

$ openssl x509 -in foo.crt -outform DER -out foo.der $ efisiglist -a -c foo.der -o foo.esl $ ./efivar.py -i ubootefi.var set -n db -d foo.esl -t file $ ./efivar.py -i ubootefi.var set -n kek -d foo.esl -t file $ ./efivar.py -i ubootefi.var set -n pk -d foo.esl -t file

- Printing out variables

$ ./efivar.py -i ubootefi.var set -n var1 -a nv,bs -d foo -t str $ ./efivar.py -i ubootefi.var set -n var2 -a nv,bs -d bar -t str $ ./efivar.py -i ubootefi.var print var1: 8be4df61-93ca-11d2-aa0d-00e098032b8c EFI_GLOBAL_VARIABLE_GUID NV|BS, DataSize = 0x3 0000000000: 66 6F 6F foo var2: 8be4df61-93ca-11d2-aa0d-00e098032b8c EFI_GLOBAL_VARIABLE_GUID NV|BS, DataSize = 0x3 0000000000: 62 61 72 bar

- Removing variables

$ ./efivar.py -i ubootefi.var set -n var1 -a nv,bs -d foo -t str $ ./efivar.py -i ubootefi.var print -n var1 var1: 8be4df61-93ca-11d2-aa0d-00e098032b8c EFI_GLOBAL_VARIABLE_GUID NV|BS, DataSize = 0x3 0000000000: 66 6F 6F foo $ ./efivar.py -i ubootefi.var set -n var1 $ ./efivar.py -i ubootefi.var print -n var1 err: variable not found

Signed-off-by: Paulo Alcantara (SUSE) pc@cjr.nz --- tools/efivar.py | 276 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 276 insertions(+) create mode 100755 tools/efivar.py

diff --git a/tools/efivar.py b/tools/efivar.py new file mode 100755 index 000000000000..ecd12319c43b --- /dev/null +++ b/tools/efivar.py @@ -0,0 +1,276 @@ +#!/usr/bin/env python3 +## SPDX-License-Identifier: GPL-2.0-only +# +# Generate UEFI variables for U-Boot. +# +# (c) 2020 Paulo Alcantara palcantara@suse.de +# + +import os +import struct +import uuid +import time +import zlib +import argparse + +# U-Boot variable store format (version 1) +UBOOT_EFI_VAR_FILE_MAGIC = 0x0161566966456255 + +# UEFI variable attributes +EFI_VARIABLE_NON_VOLATILE = 0x1 +EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2 +EFI_VARIABLE_RUNTIME_ACCESS = 0x4 +EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS = 0x10 +EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20 +EFI_VARIABLE_READ_ONLY = 1 << 31 +NV_BS = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS +NV_BS_RT = NV_BS | EFI_VARIABLE_RUNTIME_ACCESS +NV_BS_RT_AT = NV_BS_RT | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS + +# UEFI variable GUIDs +EFI_GLOBAL_VARIABLE_GUID = '8be4df61-93ca-11d2-aa0d-00e098032b8c' +EFI_IMAGE_SECURITY_DATABASE_GUID = 'd719b2cb-3d3a-4596-a3bc-dad00e67656f' + +var_attrs = { + 'NV': EFI_VARIABLE_NON_VOLATILE, + 'BS': EFI_VARIABLE_BOOTSERVICE_ACCESS, + 'RT': EFI_VARIABLE_RUNTIME_ACCESS, + 'AT': EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS, + 'RO': EFI_VARIABLE_READ_ONLY, + 'AW': EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS, +} + +var_guids = { + 'EFI_GLOBAL_VARIABLE_GUID': '8be4df61-93ca-11d2-aa0d-00e098032b8c', + 'EFI_IMAGE_SECURITY_DATABASE_GUID': 'd719b2cb-3d3a-4596-a3bc-dad00e67656f', +} + +class EfiStruct: + # struct efi_var_file + var_file_fmt = '<QQLL' + var_file_size = struct.calcsize(var_file_fmt) + # struct efi_var_entry + var_entry_fmt = '<LLQ16s' + var_entry_size = struct.calcsize(var_entry_fmt) + +class EfiVariable: + def __init__(self, size, attrs, time, guid, name, data): + self.size = size + self.attrs = attrs + self.time = time + self.guid = guid + self.name = name + self.data = data + +class EfiVariableStore: + def __init__(self, infile): + self.infile = infile + self.efi = EfiStruct() + if os.path.exists(self.infile) and os.stat(self.infile).st_size > self.efi.var_file_size: + with open(self.infile, 'rb') as f: + buf = f.read() + self._check_header(buf) + self.ents = buf[self.efi.var_file_size:] + else: + self.ents = bytearray() + + def _check_header(self, buf): + hdr = struct.unpack_from(self.efi.var_file_fmt, buf, 0) + magic, crc32 = hdr[1], hdr[3] + + if magic != UBOOT_EFI_VAR_FILE_MAGIC: + print("err: invalid magic number: %s"%hex(magic)) + exit(1) + if crc32 != zlib.crc32(buf[self.efi.var_file_size:]) & 0xffffffff: + print("err: invalid crc32: %s"%hex(crc32)) + exit(1) + + def _get_var_name(self, buf): + name = '' + for i in range(0, len(buf) - 1, 2): + if not buf[i] and not buf[i+1]: + break + name += chr(buf[i]) + return ''.join([chr(x) for x in name.encode('utf_16_le') if x]), i + 2 + + def _next_var(self, offs=0): + size, attrs, time, guid = struct.unpack_from(self.efi.var_entry_fmt, self.ents, offs) + data_fmt = str(size)+"s" + offs += self.efi.var_entry_size + name, namelen = self._get_var_name(self.ents[offs:]) + offs += namelen + data = struct.unpack_from(data_fmt, self.ents, offs)[0] + offs = (offs + len(data) + 7) & ~7 + return EfiVariable(size, attrs, time, uuid.UUID(bytes_le=guid), name, data), offs + + def __iter__(self): + self.offs = 0 + return self + + def __next__(self): + if self.offs < len(self.ents): + var, noffs = self._next_var(self.offs) + self.offs = noffs + return var + else: + raise StopIteration + + def __len__(self): + return len(self.ents) + + def _set_var(self, guid, name_data, size, attrs, tsec): + ent = struct.pack(self.efi.var_entry_fmt, + size, + attrs, + tsec, + uuid.UUID(guid).bytes_le) + ent += name_data + self.ents += ent + + def set_var(self, guid, name, data, size, attrs): + offs = 0 + while offs < len(self.ents): + var, loffs = self._next_var(offs) + if var.name == name and str(var.guid) == guid: + if not data or not attrs: + self.ents = self.ents[:offs] + self.ents[loffs:] + return + if var.attrs != attrs: + print("err: invalid attributes") + exit(1) + # make room for updating var + self.ents = self.ents[:offs] + self.ents[loffs:] + break + offs = loffs + + if not data or not attrs: + print("err: variable not found") + exit(1) + + tsec = int(time.time()) if attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS else 0 + nd = name.encode('utf_16_le') + b"\x00\x00" + data + # U-Boot variable format requires the name + data blob to be 8-byte aligned + pad = ((len(nd) + 7) & ~7) - len(nd) + nd += bytes([0] * pad) + + return self._set_var(guid, nd, size, attrs, tsec) + + def save(self): + hdr = struct.pack(self.efi.var_file_fmt, + 0, + UBOOT_EFI_VAR_FILE_MAGIC, + len(self.ents) + self.efi.var_file_size, + zlib.crc32(self.ents) & 0xffffffff) + + with open(self.infile, 'wb') as f: + f.write(hdr) + f.write(self.ents) + +def parse_attrs(attrs): + v = 0 + if attrs: + for i in attrs.split(','): + v |= var_attrs[i.upper()] + return v + +def parse_data(val, vtype): + if not val or not vtype: + return None, 0 + fmt = { 'u8': '<B', 'u16': '<H', 'u32': '<L', 'u64': '<Q' } + if vtype.lower() == 'file': + with open(val, 'rb') as f: + data = f.read() + return data, len(data) + if vtype.lower() == 'str': + data = val.encode('utf-8') + return data, len(data) + i = fmt[vtype.lower()] + return struct.pack(i, int(val)), struct.calcsize(i) + +def cmd_set(args): + env = EfiVariableStore(args.infile) + data, size = parse_data(args.data, args.type) + + if args.name.lower() == 'pk': + env.set_var(guid=EFI_GLOBAL_VARIABLE_GUID, name='PK', data=data, size=size, attrs=NV_BS_RT_AT) + elif args.name.lower() == 'kek': + env.set_var(guid=EFI_GLOBAL_VARIABLE_GUID, name='KEK', data=data, size=size, attrs=NV_BS_RT_AT) + elif args.name.lower() == 'db': + env.set_var(guid=EFI_IMAGE_SECURITY_DATABASE_GUID, name='db', data=data, size=size, attrs=NV_BS_RT_AT) + elif args.name.lower() == 'dbx': + env.set_var(guid=EFI_IMAGE_SECURITY_DATABASE_GUID, name='dbx', data=data, size=size, attrs=NV_BS_RT_AT) + else: + guid = args.guid if args.guid else EFI_GLOBAL_VARIABLE_GUID + attrs = parse_attrs(args.attrs) + env.set_var(guid=guid, name=args.name, data=data, size=size, attrs=attrs) + + env.save() + +def print_var(var): + print(var.name+':') + print(" "+str(var.guid)+' '+''.join([x for x in var_guids if str(var.guid) == var_guids[x]])) + print(" "+'|'.join([x for x in var_attrs if var.attrs & var_attrs[x]])+", DataSize = %s"%hex(var.size)) + hexdump(var.data) + +def cmd_print(args): + env = EfiVariableStore(args.infile) + if not args.name and not args.guid and not len(env): + return + + found = False + for var in env: + if not args.name: + if args.guid and args.guid != str(var.guid): + continue + print_var(var) + found = True + else: + if args.name != var.name or (args.guid and args.guid != str(var.guid)): + continue + print_var(var) + found = True + + if not found: + print("err: variable not found") + exit(1) + +def main(): + ap = argparse.ArgumentParser(description='Generate U-Boot variable store') + ap.add_argument('--infile', '-i', required=True, help='file to save the UEFI variables') + subp = ap.add_subparsers(help="sub-command help") + + printp = subp.add_parser('print', help='get/list UEFI variables') + printp.add_argument('--guid', '-g', help='variable guid') + printp.add_argument('--name', '-n', help='variable name') + printp.set_defaults(func=cmd_print) + + setp = subp.add_parser('set', help='set UEFI variable') + setp.add_argument('--name', '-n', required=True, help='variable name') + setp.add_argument('--attrs', '-a', help='variable attributes (values: nv,bs,rt,at,ro,aw)') + setp.add_argument('--guid', '-g', help="variable guid (default: %s)"%EFI_GLOBAL_VARIABLE_GUID) + setp.add_argument('--type', '-t', help='variable type (values: file|u8|u16|u32|u64|str)') + setp.add_argument('--data', '-d', help='variable data') + setp.set_defaults(func=cmd_set) + + args = ap.parse_args() + args.func(args) + +def group(a, *ns): + for n in ns: + a = [a[i:i+n] for i in range(0, len(a), n)] + return a + +def join(a, *cs): + return [cs[0].join(join(t, *cs[1:])) for t in a] if cs else a + +def hexdump(data): + toHex = lambda c: '{:02X}'.format(c) + toChr = lambda c: chr(c) if 32 <= c < 127 else '.' + make = lambda f, *cs: join(group(list(map(f, data)), 8, 2), *cs) + hs = make(toHex, ' ', ' ') + cs = make(toChr, ' ', '') + for i, (h, c) in enumerate(zip(hs, cs)): + print (' {:010X}: {:48} {:16}'.format(i * 16, h, c)) + +if __name__ == '__main__': + main()