[mirror_edk2.git] / BaseTools / Source / Python / Capsule / GenerateCapsule.py

## @file\r
# Generate a capsule.\r
#\r
# Copyright (c) 2018, Intel Corporation. All rights reserved.<BR>\r
# This program and the accompanying materials\r
# are licensed and made available under the terms and conditions of the BSD License\r
# which accompanies this distribution.  The full text of the license may be found at\r
# http://opensource.org/licenses/bsd-license.php\r
#\r
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
#\r
\r
'''\r
GenerateCapsule\r
'''\r
\r
import sys\r
import argparse\r
import uuid\r
import struct\r
import subprocess\r
import os\r
import tempfile\r
import shutil\r
import platform\r
from Common.Uefi.Capsule.UefiCapsuleHeader import UefiCapsuleHeaderClass\r
from Common.Uefi.Capsule.FmpCapsuleHeader  import FmpCapsuleHeaderClass\r
from Common.Uefi.Capsule.FmpAuthHeader     import FmpAuthHeaderClass\r
from Common.Edk2.Capsule.FmpPayloadHeader  import FmpPayloadHeaderClass\r
\r
#\r
# Globals for help information\r
#\r
__prog__        = 'GenerateCapsule'\r
__version__     = '0.9'\r
__copyright__   = 'Copyright (c) 2018, Intel Corporation. All rights reserved.'\r
__description__ = 'Generate a capsule.\n'\r
\r
def SignPayloadSignTool (Payload, ToolPath, PfxFile):\r
    #\r
    # Create a temporary directory\r
    #\r
    TempDirectoryName = tempfile.mkdtemp()\r
\r
    #\r
    # Generate temp file name for the payload contents\r
    #\r
    TempFileName = os.path.join (TempDirectoryName, 'Payload.bin')\r
\r
    #\r
    # Create temporary payload file for signing\r
    #\r
    try:\r
        File = open (TempFileName, mode='wb')\r
        File.write (Payload)\r
        File.close ()\r
    except:\r
        shutil.rmtree (TempDirectoryName)\r
        raise ValueError ('GenerateCapsule: error: can not write temporary payload file.')\r
\r
    #\r
    # Build signtool command\r
    #\r
    if ToolPath is None:\r
        ToolPath = ''\r
    Command = ''\r
    Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'signtool.exe'))\r
    Command = Command + 'sign /fd sha256 /p7ce DetachedSignedData /p7co 1.2.840.113549.1.7.2 '\r
    Command = Command + '/p7 {TempDir} '.format (TempDir = TempDirectoryName)\r
    Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)\r
    Command = Command + TempFileName\r
\r
    #\r
    # Sign the input file using the specified private key\r
    #\r
    try:\r
        Process = subprocess.Popen (Command, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE, shell = True)\r
        Result = Process.communicate('')\r
    except:\r
        shutil.rmtree (TempDirectoryName)\r
        raise ValueError ('GenerateCapsule: error: can not run signtool.')\r
\r
    if Process.returncode != 0:\r
        shutil.rmtree (TempDirectoryName)\r
        print (Result[1].decode())\r
        raise ValueError ('GenerateCapsule: error: signtool failed.')\r
\r
    #\r
    # Read the signature from the generated output file\r
    #\r
    try:\r
        File = open (TempFileName + '.p7', mode='rb')\r
        Signature = File.read ()\r
        File.close ()\r
    except:\r
        shutil.rmtree (TempDirectoryName)\r
        raise ValueError ('GenerateCapsule: error: can not read signature file.')\r
\r
    shutil.rmtree (TempDirectoryName)\r
    return Signature\r
\r
def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile):\r
    print ('signtool verify is not supported.')\r
    raise ValueError ('GenerateCapsule: error: signtool verify is not supported.')\r
\r
def SignPayloadOpenSsl (Payload, ToolPath, SignerPrivateCertFile, OtherPublicCertFile, TrustedPublicCertFile):\r
    #\r
    # Build openssl command\r
    #\r
    if ToolPath is None:\r
        ToolPath = ''\r
    Command = ''\r
    Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'openssl'))\r
    Command = Command + 'smime -sign -binary -outform DER -md sha256 '\r
    Command = Command + '-signer "{Private}" -certfile "{Public}"'.format (Private = SignerPrivateCertFile, Public = OtherPublicCertFile)\r
\r
    #\r
    # Sign the input file using the specified private key and capture signature from STDOUT\r
    #\r
    try:\r
        Process = subprocess.Popen (Command, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE, shell = True)\r
        Result = Process.communicate(input = Payload)\r
        Signature = Result[0]\r
    except:\r
        raise ValueError ('GenerateCapsule: error: can not run openssl.')\r
\r
    if Process.returncode != 0:\r
        print (Result[1].decode())\r
        raise ValueError ('GenerateCapsule: error: openssl failed.')\r
\r
    return Signature\r
\r
def VerifyPayloadOpenSsl (Payload, CertData, ToolPath, SignerPrivateCertFile, OtherPublicCertFile, TrustedPublicCertFile):\r
    #\r
    # Create a temporary directory\r
    #\r
    TempDirectoryName = tempfile.mkdtemp()\r
\r
    #\r
    # Generate temp file name for the payload contents\r
    #\r
    TempFileName = os.path.join (TempDirectoryName, 'Payload.bin')\r
\r
    #\r
    # Create temporary payload file for verification\r
    #\r
    try:\r
        File = open (TempFileName, mode='wb')\r
        File.write (Payload)\r
        File.close ()\r
    except:\r
        shutil.rmtree (TempDirectoryName)\r
        raise ValueError ('GenerateCapsule: error: can not write temporary payload file.')\r
\r
    #\r
    # Build openssl command\r
    #\r
    if ToolPath is None:\r
        ToolPath = ''\r
    Command = ''\r
    Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'openssl'))\r
    Command = Command + 'smime -verify -inform DER '\r
    Command = Command + '-content {Content} -CAfile "{Public}"'.format (Content = TempFileName, Public = TrustedPublicCertFile)\r
\r
    #\r
    # Verify signature\r
    #\r
    try:\r
        Process = subprocess.Popen (Command, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE, shell = True)\r
        Result = Process.communicate(input = CertData)\r
    except:\r
        shutil.rmtree (TempDirectoryName)\r
        raise ValueError ('GenerateCapsule: error: can not run openssl.')\r
\r
    if Process.returncode != 0:\r
        shutil.rmtree (TempDirectoryName)\r
        print (Result[1].decode())\r
        raise ValueError ('GenerateCapsule: error: openssl failed.')\r
\r
    shutil.rmtree (TempDirectoryName)\r
    return Payload\r
\r
if __name__ == '__main__':\r
    def convert_arg_line_to_args(arg_line):\r
        for arg in arg_line.split():\r
            if not arg.strip():\r
                continue\r
            yield arg\r
\r
    def ValidateUnsignedInteger (Argument):\r
        try:\r
            Value = int (Argument, 0)\r
        except:\r
            Message = '{Argument} is not a valid integer value.'.format (Argument = Argument)\r
            raise argparse.ArgumentTypeError (Message)\r
        if Value < 0:\r
            Message = '{Argument} is a negative value.'.format (Argument = Argument)\r
            raise argparse.ArgumentTypeError (Message)\r
        return Value\r
\r
    def ValidateRegistryFormatGuid (Argument):\r
        try:\r
            Value = uuid.UUID (Argument)\r
        except:\r
            Message = '{Argument} is not a valid registry format GUID value.'.format (Argument = Argument)\r
            raise argparse.ArgumentTypeError (Message)\r
        return Value\r
\r
    #\r
    # Create command line argument parser object\r
    #\r
    parser = argparse.ArgumentParser (\r
                        prog = __prog__,\r
                        description = __description__ + __copyright__,\r
                        conflict_handler = 'resolve',\r
                        fromfile_prefix_chars = '@'\r
                        )\r
    parser.convert_arg_line_to_args = convert_arg_line_to_args\r
\r
    #\r
    # Add input and output file arguments\r
    #\r
    parser.add_argument("InputFile",  type = argparse.FileType('rb'),\r
                        help = "Input binary payload filename.")\r
    parser.add_argument("-o", "--output", dest = 'OutputFile', type = argparse.FileType('wb'),\r
                        help = "Output filename.")\r
    #\r
    # Add group for -e and -d flags that are mutually exclusive and required\r
    #\r
    group = parser.add_mutually_exclusive_group (required = True)\r
    group.add_argument ("-e", "--encode", dest = 'Encode', action = "store_true",\r
                        help = "Encode file")\r
    group.add_argument ("-d", "--decode", dest = 'Decode', action = "store_true",\r
                        help = "Decode file")\r
    group.add_argument ("--dump-info", dest = 'DumpInfo', action = "store_true",\r
                        help = "Display FMP Payload Header information")\r
    #\r
    # Add optional arguments for this command\r
    #\r
    parser.add_argument ("--capflag", dest = 'CapsuleFlag', action='append', default = [],\r
                         choices=['PersistAcrossReset', 'InitiateReset'],\r
                         help = "Capsule flag can be PersistAcrossReset or InitiateReset or not set")\r
    parser.add_argument ("--capoemflag", dest = 'CapsuleOemFlag', type = ValidateUnsignedInteger, default = 0x0000,\r
                         help = "Capsule OEM Flag is an integer between 0x0000 and 0xffff.")\r
\r
    parser.add_argument ("--guid", dest = 'Guid', type = ValidateRegistryFormatGuid,\r
                         help = "The FMP/ESRT GUID in registry format.  Required for encode operations.")\r
    parser.add_argument ("--hardware-instance", dest = 'HardwareInstance', type = ValidateUnsignedInteger, default = 0x0000000000000000,\r
                         help = "The 64-bit hardware instance.  The default is 0x0000000000000000")\r
\r
\r
    parser.add_argument ("--monotonic-count", dest = 'MonotonicCount', type = ValidateUnsignedInteger, default = 0x0000000000000000,\r
                         help = "64-bit monotonic count value in header.  Default is 0x0000000000000000.")\r
\r
    parser.add_argument ("--fw-version", dest = 'FwVersion', type = ValidateUnsignedInteger,\r
                         help = "The 32-bit version of the binary payload (e.g. 0x11223344 or 5678).")\r
    parser.add_argument ("--lsv", dest = 'LowestSupportedVersion', type = ValidateUnsignedInteger,\r
                         help = "The 32-bit lowest supported version of the binary payload (e.g. 0x11223344 or 5678).")\r
\r
    parser.add_argument ("--pfx-file", dest='SignToolPfxFile', type=argparse.FileType('rb'),\r
                         help="signtool PFX certificate filename.")\r
\r
    parser.add_argument ("--signer-private-cert", dest='OpenSslSignerPrivateCertFile', type=argparse.FileType('rb'),\r
                         help="OpenSSL signer private certificate filename.")\r
    parser.add_argument ("--other-public-cert", dest='OpenSslOtherPublicCertFile', type=argparse.FileType('rb'),\r
                         help="OpenSSL other public certificate filename.")\r
    parser.add_argument ("--trusted-public-cert", dest='OpenSslTrustedPublicCertFile', type=argparse.FileType('rb'),\r
                         help="OpenSSL trusted public certificate filename.")\r
\r
    parser.add_argument ("--signing-tool-path", dest = 'SigningToolPath',\r
                         help = "Path to signtool or OpenSSL tool.  Optional if path to tools are already in PATH.")\r
\r
    #\r
    # Add optional arguments common to all operations\r
    #\r
    parser.add_argument ('--version', action='version', version='%(prog)s ' + __version__)\r
    parser.add_argument ("-v", "--verbose", dest = 'Verbose', action = "store_true",\r
                         help = "Turn on verbose output with informational messages printed, including capsule headers and warning messages.")\r
    parser.add_argument ("-q", "--quiet", dest = 'Quiet', action = "store_true",\r
                         help = "Disable all messages except fatal errors.")\r
    parser.add_argument ("--debug", dest = 'Debug', type = int, metavar = '[0-9]', choices = range (0, 10), default = 0,\r
                         help = "Set debug level")\r
\r
    #\r
    # Parse command line arguments\r
    #\r
    args = parser.parse_args()\r
\r
    #\r
    # Perform additional argument verification\r
    #\r
    if args.Encode:\r
        if args.Guid is None:\r
            parser.error ('the following option is required: --guid')\r
        if 'PersistAcrossReset' not in args.CapsuleFlag:\r
            if 'InitiateReset' in args.CapsuleFlag:\r
                parser.error ('--capflag InitiateReset also requires --capflag PersistAcrossReset')\r
        if args.CapsuleOemFlag > 0xFFFF:\r
            parser.error ('--capoemflag must be an integer between 0x0000 and 0xffff')\r
        if args.HardwareInstance > 0xFFFFFFFFFFFFFFFF:\r
            parser.error ('--hardware-instance must be an integer in range 0x0..0xffffffffffffffff')\r
        if args.MonotonicCount > 0xFFFFFFFFFFFFFFFF:\r
            parser.error ('--monotonic-count must be an integer in range 0x0..0xffffffffffffffff')\r
\r
    UseSignTool = args.SignToolPfxFile is not None\r
    UseOpenSsl  = (args.OpenSslSignerPrivateCertFile is not None and\r
                   args.OpenSslOtherPublicCertFile is not None and\r
                   args.OpenSslTrustedPublicCertFile is not None)\r
    AnyOpenSsl  = (args.OpenSslSignerPrivateCertFile is not None or\r
                   args.OpenSslOtherPublicCertFile is not None or\r
                   args.OpenSslTrustedPublicCertFile is not None)\r
    if args.Encode or args.Decode:\r
        if args.OutputFile is None:\r
            parser.error ('the following option is required for all encode and decode operations: --output')\r
\r
        if UseSignTool and AnyOpenSsl:\r
            parser.error ('Providing both signtool and OpenSSL options is not supported')\r
        if not UseSignTool and not UseOpenSsl and AnyOpenSsl:\r
            parser.error ('all the following options are required for OpenSSL: --signer-private-cert, --other-public-cert, --trusted-public-cert')\r
        if UseSignTool and platform.system() != 'Windows':\r
            parser.error ('Use of signtool is not supported on this operating system.')\r
        if args.Encode and (UseSignTool or UseOpenSsl):\r
            if args.FwVersion is None or args.LowestSupportedVersion is None:\r
                parser.error ('the following options are required: --fw-version, --lsv')\r
            if args.FwVersion > 0xFFFFFFFF:\r
                parser.error ('--fw-version must be an integer in range 0x0..0xffffffff')\r
            if args.LowestSupportedVersion > 0xFFFFFFFF:\r
                parser.error ('--lsv must be an integer in range 0x0..0xffffffff')\r
\r
        if UseSignTool:\r
            args.SignToolPfxFile.close()\r
            args.SignToolPfxFile = args.SignToolPfxFile.name\r
        if UseOpenSsl:\r
            args.OpenSslSignerPrivateCertFile.close()\r
            args.OpenSslOtherPublicCertFile.close()\r
            args.OpenSslTrustedPublicCertFile.close()\r
            args.OpenSslSignerPrivateCertFile = args.OpenSslSignerPrivateCertFile.name\r
            args.OpenSslOtherPublicCertFile   = args.OpenSslOtherPublicCertFile.name\r
            args.OpenSslTrustedPublicCertFile = args.OpenSslTrustedPublicCertFile.name\r
\r
    #\r
    # Read binary input file\r
    #\r
    try:\r
        if args.Verbose:\r
            print ('Read binary input file {File}'.format (File = args.InputFile.name))\r
        Buffer = args.InputFile.read ()\r
        args.InputFile.close ()\r
    except:\r
        print ('GenerateCapsule: error: can not read binary input file {File}'.format (File = args.InputFile.name))\r
        sys.exit (1)\r
\r
    #\r
    # Create objects\r
    #\r
    UefiCapsuleHeader = UefiCapsuleHeaderClass ()\r
    FmpCapsuleHeader  = FmpCapsuleHeaderClass ()\r
    FmpAuthHeader     = FmpAuthHeaderClass ()\r
    FmpPayloadHeader  = FmpPayloadHeaderClass ()\r
\r
    if args.Encode:\r
        Result = Buffer\r
        if UseSignTool or UseOpenSsl:\r
            try:\r
                FmpPayloadHeader.FwVersion              = args.FwVersion\r
                FmpPayloadHeader.LowestSupportedVersion = args.LowestSupportedVersion\r
                FmpPayloadHeader.Payload                = Result\r
                Result = FmpPayloadHeader.Encode ()\r
                if args.Verbose:\r
                    FmpPayloadHeader.DumpInfo ()\r
            except:\r
                print ('GenerateCapsule: error: can not encode FMP Payload Header')\r
                sys.exit (1)\r
\r
            #\r
            # Sign image with 64-bit MonotonicCount appended to end of image\r
            #\r
            try:\r
                if UseSignTool:\r
                    CertData = SignPayloadSignTool (\r
                                 Result + struct.pack ('<Q', args.MonotonicCount),\r
                                 args.SigningToolPath,\r
                                 args.SignToolPfxFile\r
                                 )\r
                else:\r
                    CertData = SignPayloadOpenSsl (\r
                                 Result + struct.pack ('<Q', args.MonotonicCount),\r
                                 args.SigningToolPath,\r
                                 args.OpenSslSignerPrivateCertFile,\r
                                 args.OpenSslOtherPublicCertFile,\r
                                 args.OpenSslTrustedPublicCertFile\r
                                 )\r
            except:\r
                print ('GenerateCapsule: error: can not sign payload')\r
                raise\r
                sys.exit (1)\r
\r
            try:\r
                FmpAuthHeader.MonotonicCount = args.MonotonicCount\r
                FmpAuthHeader.CertData       = CertData\r
                FmpAuthHeader.Payload        = Result\r
                Result = FmpAuthHeader.Encode ()\r
                if args.Verbose:\r
                    FmpAuthHeader.DumpInfo ()\r
            except:\r
                print ('GenerateCapsule: error: can not encode FMP Auth Header')\r
                sys.exit (1)\r
\r
        try:\r
            FmpCapsuleHeader.AddPayload (args.Guid, Result, HardwareInstance = args.HardwareInstance)\r
            Result = FmpCapsuleHeader.Encode ()\r
            if args.Verbose:\r
                FmpCapsuleHeader.DumpInfo ()\r
        except:\r
            print ('GenerateCapsule: error: can not encode FMP Capsule Header')\r
            sys.exit (1)\r
\r
        try:\r
            UefiCapsuleHeader.OemFlags            = args.CapsuleOemFlag\r
            UefiCapsuleHeader.PersistAcrossReset  = 'PersistAcrossReset'  in args.CapsuleFlag\r
            UefiCapsuleHeader.PopulateSystemTable = False\r
            UefiCapsuleHeader.InitiateReset       = 'InitiateReset'       in args.CapsuleFlag\r
            UefiCapsuleHeader.Payload             = Result\r
            Result = UefiCapsuleHeader.Encode ()\r
            if args.Verbose:\r
                UefiCapsuleHeader.DumpInfo ()\r
        except:\r
            print ('GenerateCapsule: error: can not encode UEFI Capsule Header')\r
            sys.exit (1)\r
\r
    elif args.Decode:\r
        try:\r
            Result = UefiCapsuleHeader.Decode (Buffer)\r
            FmpCapsuleHeader.Decode (Result)\r
            Result = FmpCapsuleHeader.GetFmpCapsuleImageHeader (0).Payload\r
            if args.Verbose:\r
                print ('========')\r
                UefiCapsuleHeader.DumpInfo ()\r
                print ('--------')\r
                FmpCapsuleHeader.DumpInfo ()\r
            if UseSignTool or UseOpenSsl:\r
                Result = FmpAuthHeader.Decode (Result)\r
\r
                #\r
                # Verify Image with 64-bit MonotonicCount appended to end of image\r
                #\r
                try:\r
                  if UseSignTool:\r
                      CertData = VerifyPayloadSignTool (\r
                                   FmpAuthHeader.Payload + struct.pack ('<Q', FmpAuthHeader.MonotonicCount),\r
                                   FmpAuthHeader.CertData,\r
                                   args.SigningToolPath,\r
                                   args.SignToolPfxFile\r
                                   )\r
                  else:\r
                      CertData = VerifyPayloadOpenSsl (\r
                                   FmpAuthHeader.Payload + struct.pack ('<Q', FmpAuthHeader.MonotonicCount),\r
                                   FmpAuthHeader.CertData,\r
                                   args.SigningToolPath,\r
                                   args.OpenSslSignerPrivateCertFile,\r
                                   args.OpenSslOtherPublicCertFile,\r
                                   args.OpenSslTrustedPublicCertFile\r
                                   )\r
                except ValueError:\r
                    print ('GenerateCapsule: warning: can not verify payload.')\r
\r
                Result = FmpPayloadHeader.Decode (Result)\r
                if args.Verbose:\r
                    print ('--------')\r
                    FmpAuthHeader.DumpInfo ()\r
                    print ('--------')\r
                    FmpPayloadHeader.DumpInfo ()\r
            else:\r
                if args.Verbose:\r
                    print ('--------')\r
                    print ('No EFI_FIRMWARE_IMAGE_AUTHENTICATION')\r
                    print ('--------')\r
                    print ('No FMP_PAYLOAD_HEADER')\r
            if args.Verbose:\r
                print ('========')\r
        except:\r
            print ('GenerateCapsule: error: can not decode capsule')\r
            raise\r
            sys.exit (1)\r
\r
    elif args.DumpInfo:\r
        try:\r
            Result = UefiCapsuleHeader.Decode (Buffer)\r
            FmpCapsuleHeader.Decode (Result)\r
            Result = FmpCapsuleHeader.GetFmpCapsuleImageHeader (0).Payload\r
            print ('========')\r
            UefiCapsuleHeader.DumpInfo ()\r
            print ('--------')\r
            FmpCapsuleHeader.DumpInfo ()\r
            try:\r
                Result = FmpAuthHeader.Decode (Result)\r
                Result = FmpPayloadHeader.Decode (Result)\r
                print ('--------')\r
                FmpAuthHeader.DumpInfo ()\r
                print ('--------')\r
                FmpPayloadHeader.DumpInfo ()\r
            except:\r
                print ('--------')\r
                print ('No EFI_FIRMWARE_IMAGE_AUTHENTICATION')\r
                print ('--------')\r
                print ('No FMP_PAYLOAD_HEADER')\r
            print ('========')\r
        except:\r
            print ('GenerateCapsule: error: can not decode capsule')\r
            sys.exit (1)\r
    else:\r
        print('GenerateCapsule: error: invalid options')\r
        sys.exit (1)\r
\r
    #\r
    # Write binary output file\r
    #\r
    if args.OutputFile is not None:\r
        try:\r
            if args.Verbose:\r
                print ('Write binary output file {File}'.format (File = args.OutputFile.name))\r
            args.OutputFile.write (Result)\r
            args.OutputFile.close ()\r
        except:\r
            print ('GenerateCapsule: error: can not write binary output file {File}'.format (File = args.OutputFile.name))\r
            sys.exit (1)\r
\r
    if args.Verbose:\r
        print('Success')\r
Commit	Line	Data
8b63877a KM	1	## @file\r
	2	# Generate a capsule.\r
	3	#\r
	4	# Copyright (c) 2018, Intel Corporation. All rights reserved.<BR>\r
	5	# This program and the accompanying materials\r
	6	# are licensed and made available under the terms and conditions of the BSD License\r
	7	# which accompanies this distribution. The full text of the license may be found at\r
	8	# http://opensource.org/licenses/bsd-license.php\r
	9	#\r
	10	# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
	11	# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
	12	#\r
	13	\r
	14	'''\r
	15	GenerateCapsule\r
	16	'''\r
	17	\r
	18	import sys\r
	19	import argparse\r
	20	import uuid\r
	21	import struct\r
	22	import subprocess\r
	23	import os\r
	24	import tempfile\r
	25	import shutil\r
	26	import platform\r
	27	from Common.Uefi.Capsule.UefiCapsuleHeader import UefiCapsuleHeaderClass\r
	28	from Common.Uefi.Capsule.FmpCapsuleHeader import FmpCapsuleHeaderClass\r
	29	from Common.Uefi.Capsule.FmpAuthHeader import FmpAuthHeaderClass\r
	30	from Common.Edk2.Capsule.FmpPayloadHeader import FmpPayloadHeaderClass\r
	31	\r
	32	#\r
	33	# Globals for help information\r
	34	#\r
	35	__prog__ = 'GenerateCapsule'\r
	36	__version__ = '0.9'\r
	37	__copyright__ = 'Copyright (c) 2018, Intel Corporation. All rights reserved.'\r
	38	__description__ = 'Generate a capsule.\n'\r
	39	\r
	40	def SignPayloadSignTool (Payload, ToolPath, PfxFile):\r
	41	#\r
	42	# Create a temporary directory\r
	43	#\r
	44	TempDirectoryName = tempfile.mkdtemp()\r
	45	\r
	46	#\r
	47	# Generate temp file name for the payload contents\r
	48	#\r
	49	TempFileName = os.path.join (TempDirectoryName, 'Payload.bin')\r
	50	\r
	51	#\r
	52	# Create temporary payload file for signing\r
	53	#\r
	54	try:\r
	55	File = open (TempFileName, mode='wb')\r
	56	File.write (Payload)\r
	57	File.close ()\r
	58	except:\r
	59	shutil.rmtree (TempDirectoryName)\r
	60	raise ValueError ('GenerateCapsule: error: can not write temporary payload file.')\r
	61	\r
	62	#\r
	63	# Build signtool command\r
	64	#\r
65	if ToolPath is None:\r
66	ToolPath = ''\r
67	Command = ''\r
68	Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'signtool.exe'))\r
69	Command = Command + 'sign /fd sha256 /p7ce DetachedSignedData /p7co 1.2.840.113549.1.7.2 '\r
70	Command = Command + '/p7 {TempDir} '.format (TempDir = TempDirectoryName)\r
71	Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)\r
72	Command = Command + TempFileName\r
73	\r
74	#\r
75	# Sign the input file using the specified private key\r
76	#\r
77	try:\r
78	Process = subprocess.Popen (Command, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE, shell = True)\r
79	Result = Process.communicate('')\r
80	except:\r
81	shutil.rmtree (TempDirectoryName)\r
82	raise ValueError ('GenerateCapsule: error: can not run signtool.')\r
83	\r
84	if Process.returncode != 0:\r
85	shutil.rmtree (TempDirectoryName)\r
86	print (Result[1].decode())\r
87	raise ValueError ('GenerateCapsule: error: signtool failed.')\r
88	\r
89	#\r
90	# Read the signature from the generated output file\r
91	#\r
92	try:\r
93	File = open (TempFileName + '.p7', mode='rb')\r
94	Signature = File.read ()\r
95	File.close ()\r
96	except:\r
97	shutil.rmtree (TempDirectoryName)\r
98	raise ValueError ('GenerateCapsule: error: can not read signature file.')\r
99	\r
100	shutil.rmtree (TempDirectoryName)\r
101	return Signature\r
102	\r
103	def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile):\r
104	print ('signtool verify is not supported.')\r
105	raise ValueError ('GenerateCapsule: error: signtool verify is not supported.')\r
106	\r
107	def SignPayloadOpenSsl (Payload, ToolPath, SignerPrivateCertFile, OtherPublicCertFile, TrustedPublicCertFile):\r
108	#\r
109	# Build openssl command\r
110	#\r
111	if ToolPath is None:\r
112	ToolPath = ''\r
113	Command = ''\r
114	Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'openssl'))\r
115	Command = Command + 'smime -sign -binary -outform DER -md sha256 '\r
116	Command = Command + '-signer "{Private}" -certfile "{Public}"'.format (Private = SignerPrivateCertFile, Public = OtherPublicCertFile)\r
117	\r
118	#\r
119	# Sign the input file using the specified private key and capture signature from STDOUT\r
120	#\r
121	try:\r
122	Process = subprocess.Popen (Command, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE, shell = True)\r
123	Result = Process.communicate(input = Payload)\r
124	Signature = Result[0]\r
125	except:\r
126	raise ValueError ('GenerateCapsule: error: can not run openssl.')\r
127	\r
128	if Process.returncode != 0:\r
129	print (Result[1].decode())\r
130	raise ValueError ('GenerateCapsule: error: openssl failed.')\r
131	\r
132	return Signature\r
133	\r
134	def VerifyPayloadOpenSsl (Payload, CertData, ToolPath, SignerPrivateCertFile, OtherPublicCertFile, TrustedPublicCertFile):\r
135	#\r
136	# Create a temporary directory\r
137	#\r
138	TempDirectoryName = tempfile.mkdtemp()\r
139	\r
140	#\r
141	# Generate temp file name for the payload contents\r
142	#\r
143	TempFileName = os.path.join (TempDirectoryName, 'Payload.bin')\r
144	\r
145	#\r
146	# Create temporary payload file for verification\r
147	#\r
148	try:\r
149	File = open (TempFileName, mode='wb')\r
150	File.write (Payload)\r
151	File.close ()\r
152	except:\r
153	shutil.rmtree (TempDirectoryName)\r
154	raise ValueError ('GenerateCapsule: error: can not write temporary payload file.')\r
155	\r
156	#\r
157	# Build openssl command\r
158	#\r
159	if ToolPath is None:\r
160	ToolPath = ''\r
161	Command = ''\r
162	Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'openssl'))\r
163	Command = Command + 'smime -verify -inform DER '\r
164	Command = Command + '-content {Content} -CAfile "{Public}"'.format (Content = TempFileName, Public = TrustedPublicCertFile)\r
165	\r
166	#\r
167	# Verify signature\r
168	#\r
169	try:\r
170	Process = subprocess.Popen (Command, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE, shell = True)\r
171	Result = Process.communicate(input = CertData)\r
172	except:\r
173	shutil.rmtree (TempDirectoryName)\r
174	raise ValueError ('GenerateCapsule: error: can not run openssl.')\r
175	\r
176	if Process.returncode != 0:\r
177	shutil.rmtree (TempDirectoryName)\r
178	print (Result[1].decode())\r
179	raise ValueError ('GenerateCapsule: error: openssl failed.')\r
180	\r
181	shutil.rmtree (TempDirectoryName)\r
182	return Payload\r
183	\r
184	if __name__ == '__main__':\r
185	def convert_arg_line_to_args(arg_line):\r
186	for arg in arg_line.split():\r
187	if not arg.strip():\r
188	continue\r
189	yield arg\r
190	\r
191	def ValidateUnsignedInteger (Argument):\r
192	try:\r
193	Value = int (Argument, 0)\r
194	except:\r
195	Message = '{Argument} is not a valid integer value.'.format (Argument = Argument)\r
196	raise argparse.ArgumentTypeError (Message)\r
197	if Value < 0:\r
198	Message = '{Argument} is a negative value.'.format (Argument = Argument)\r
199	raise argparse.ArgumentTypeError (Message)\r
200	return Value\r
201	\r
202	def ValidateRegistryFormatGuid (Argument):\r
203	try:\r
204	Value = uuid.UUID (Argument)\r
205	except:\r
206	Message = '{Argument} is not a valid registry format GUID value.'.format (Argument = Argument)\r
207	raise argparse.ArgumentTypeError (Message)\r
208	return Value\r
209	\r
210	#\r
211	# Create command line argument parser object\r
212	#\r
213	parser = argparse.ArgumentParser (\r
214	prog = __prog__,\r
215	description = __description__ + __copyright__,\r
216	conflict_handler = 'resolve',\r
217	fromfile_prefix_chars = '@'\r
218	)\r
219	parser.convert_arg_line_to_args = convert_arg_line_to_args\r
220	\r
221	#\r
222	# Add input and output file arguments\r
223	#\r
224	parser.add_argument("InputFile", type = argparse.FileType('rb'),\r
225	help = "Input binary payload filename.")\r
226	parser.add_argument("-o", "--output", dest = 'OutputFile', type = argparse.FileType('wb'),\r
227	help = "Output filename.")\r
228	#\r
229	# Add group for -e and -d flags that are mutually exclusive and required\r
230	#\r
231	group = parser.add_mutually_exclusive_group (required = True)\r
232	group.add_argument ("-e", "--encode", dest = 'Encode', action = "store_true",\r
233	help = "Encode file")\r
234	group.add_argument ("-d", "--decode", dest = 'Decode', action = "store_true",\r
235	help = "Decode file")\r
236	group.add_argument ("--dump-info", dest = 'DumpInfo', action = "store_true",\r
237	help = "Display FMP Payload Header information")\r
238	#\r
239	# Add optional arguments for this command\r
240	#\r
241	parser.add_argument ("--capflag", dest = 'CapsuleFlag', action='append', default = [],\r
2779c222 KM	242	choices=['PersistAcrossReset', 'InitiateReset'],\r
2779c222 KM	243	help = "Capsule flag can be PersistAcrossReset or InitiateReset or not set")\r
8b63877a KM	244	parser.add_argument ("--capoemflag", dest = 'CapsuleOemFlag', type = ValidateUnsignedInteger, default = 0x0000,\r
	245	help = "Capsule OEM Flag is an integer between 0x0000 and 0xffff.")\r
	246	\r
	247	parser.add_argument ("--guid", dest = 'Guid', type = ValidateRegistryFormatGuid,\r
	248	help = "The FMP/ESRT GUID in registry format. Required for encode operations.")\r
	249	parser.add_argument ("--hardware-instance", dest = 'HardwareInstance', type = ValidateUnsignedInteger, default = 0x0000000000000000,\r
	250	help = "The 64-bit hardware instance. The default is 0x0000000000000000")\r
	251	\r
	252	\r
	253	parser.add_argument ("--monotonic-count", dest = 'MonotonicCount', type = ValidateUnsignedInteger, default = 0x0000000000000000,\r
	254	help = "64-bit monotonic count value in header. Default is 0x0000000000000000.")\r
	255	\r
	256	parser.add_argument ("--fw-version", dest = 'FwVersion', type = ValidateUnsignedInteger,\r
	257	help = "The 32-bit version of the binary payload (e.g. 0x11223344 or 5678).")\r
	258	parser.add_argument ("--lsv", dest = 'LowestSupportedVersion', type = ValidateUnsignedInteger,\r
	259	help = "The 32-bit lowest supported version of the binary payload (e.g. 0x11223344 or 5678).")\r
	260	\r
	261	parser.add_argument ("--pfx-file", dest='SignToolPfxFile', type=argparse.FileType('rb'),\r
	262	help="signtool PFX certificate filename.")\r
	263	\r
	264	parser.add_argument ("--signer-private-cert", dest='OpenSslSignerPrivateCertFile', type=argparse.FileType('rb'),\r
	265	help="OpenSSL signer private certificate filename.")\r
	266	parser.add_argument ("--other-public-cert", dest='OpenSslOtherPublicCertFile', type=argparse.FileType('rb'),\r
	267	help="OpenSSL other public certificate filename.")\r
	268	parser.add_argument ("--trusted-public-cert", dest='OpenSslTrustedPublicCertFile', type=argparse.FileType('rb'),\r
	269	help="OpenSSL trusted public certificate filename.")\r
	270	\r
	271	parser.add_argument ("--signing-tool-path", dest = 'SigningToolPath',\r
	272	help = "Path to signtool or OpenSSL tool. Optional if path to tools are already in PATH.")\r
	273	\r
	274	#\r
	275	# Add optional arguments common to all operations\r
	276	#\r
	277	parser.add_argument ('--version', action='version', version='%(prog)s ' + __version__)\r
	278	parser.add_argument ("-v", "--verbose", dest = 'Verbose', action = "store_true",\r
	279	help = "Turn on verbose output with informational messages printed, including capsule headers and warning messages.")\r
	280	parser.add_argument ("-q", "--quiet", dest = 'Quiet', action = "store_true",\r
	281	help = "Disable all messages except fatal errors.")\r
	282	parser.add_argument ("--debug", dest = 'Debug', type = int, metavar = '[0-9]', choices = range (0, 10), default = 0,\r
	283	help = "Set debug level")\r
	284	\r
	285	#\r
	286	# Parse command line arguments\r
	287	#\r
	288	args = parser.parse_args()\r
	289	\r
	290	#\r
	291	# Perform additional argument verification\r
	292	#\r
	293	if args.Encode:\r
	294	if args.Guid is None:\r
	295	parser.error ('the following option is required: --guid')\r
	296	if 'PersistAcrossReset' not in args.CapsuleFlag:\r
8b63877a KM	297	if 'InitiateReset' in args.CapsuleFlag:\r
8b63877a KM	298	parser.error ('--capflag InitiateReset also requires --capflag PersistAcrossReset')\r
6ed4651c KM	299	if args.CapsuleOemFlag > 0xFFFF:\r
	300	parser.error ('--capoemflag must be an integer between 0x0000 and 0xffff')\r
	301	if args.HardwareInstance > 0xFFFFFFFFFFFFFFFF:\r
	302	parser.error ('--hardware-instance must be an integer in range 0x0..0xffffffffffffffff')\r
	303	if args.MonotonicCount > 0xFFFFFFFFFFFFFFFF:\r
	304	parser.error ('--monotonic-count must be an integer in range 0x0..0xffffffffffffffff')\r
8b63877a KM	305	\r
	306	UseSignTool = args.SignToolPfxFile is not None\r
	307	UseOpenSsl = (args.OpenSslSignerPrivateCertFile is not None and\r
	308	args.OpenSslOtherPublicCertFile is not None and\r
	309	args.OpenSslTrustedPublicCertFile is not None)\r
	310	AnyOpenSsl = (args.OpenSslSignerPrivateCertFile is not None or\r
	311	args.OpenSslOtherPublicCertFile is not None or\r
	312	args.OpenSslTrustedPublicCertFile is not None)\r
	313	if args.Encode or args.Decode:\r
	314	if args.OutputFile is None:\r
	315	parser.error ('the following option is required for all encode and decode operations: --output')\r
	316	\r
	317	if UseSignTool and AnyOpenSsl:\r
	318	parser.error ('Providing both signtool and OpenSSL options is not supported')\r
	319	if not UseSignTool and not UseOpenSsl and AnyOpenSsl:\r
	320	parser.error ('all the following options are required for OpenSSL: --signer-private-cert, --other-public-cert, --trusted-public-cert')\r
	321	if UseSignTool and platform.system() != 'Windows':\r
	322	parser.error ('Use of signtool is not supported on this operating system.')\r
	323	if args.Encode and (UseSignTool or UseOpenSsl):\r
	324	if args.FwVersion is None or args.LowestSupportedVersion is None:\r
	325	parser.error ('the following options are required: --fw-version, --lsv')\r
6ed4651c KM	326	if args.FwVersion > 0xFFFFFFFF:\r
	327	parser.error ('--fw-version must be an integer in range 0x0..0xffffffff')\r
	328	if args.LowestSupportedVersion > 0xFFFFFFFF:\r
	329	parser.error ('--lsv must be an integer in range 0x0..0xffffffff')\r
8b63877a KM	330	\r
	331	if UseSignTool:\r
	332	args.SignToolPfxFile.close()\r
	333	args.SignToolPfxFile = args.SignToolPfxFile.name\r
	334	if UseOpenSsl:\r
	335	args.OpenSslSignerPrivateCertFile.close()\r
	336	args.OpenSslOtherPublicCertFile.close()\r
	337	args.OpenSslTrustedPublicCertFile.close()\r
	338	args.OpenSslSignerPrivateCertFile = args.OpenSslSignerPrivateCertFile.name\r
	339	args.OpenSslOtherPublicCertFile = args.OpenSslOtherPublicCertFile.name\r
	340	args.OpenSslTrustedPublicCertFile = args.OpenSslTrustedPublicCertFile.name\r
	341	\r
	342	#\r
	343	# Read binary input file\r
	344	#\r
	345	try:\r
	346	if args.Verbose:\r
	347	print ('Read binary input file {File}'.format (File = args.InputFile.name))\r
	348	Buffer = args.InputFile.read ()\r
	349	args.InputFile.close ()\r
	350	except:\r
	351	print ('GenerateCapsule: error: can not read binary input file {File}'.format (File = args.InputFile.name))\r
	352	sys.exit (1)\r
	353	\r
	354	#\r
	355	# Create objects\r
	356	#\r
	357	UefiCapsuleHeader = UefiCapsuleHeaderClass ()\r
	358	FmpCapsuleHeader = FmpCapsuleHeaderClass ()\r
	359	FmpAuthHeader = FmpAuthHeaderClass ()\r
	360	FmpPayloadHeader = FmpPayloadHeaderClass ()\r
	361	\r
	362	if args.Encode:\r
	363	Result = Buffer\r
	364	if UseSignTool or UseOpenSsl:\r
	365	try:\r
	366	FmpPayloadHeader.FwVersion = args.FwVersion\r
	367	FmpPayloadHeader.LowestSupportedVersion = args.LowestSupportedVersion\r
	368	FmpPayloadHeader.Payload = Result\r
	369	Result = FmpPayloadHeader.Encode ()\r
	370	if args.Verbose:\r
	371	FmpPayloadHeader.DumpInfo ()\r
	372	except:\r
	373	print ('GenerateCapsule: error: can not encode FMP Payload Header')\r
	374	sys.exit (1)\r
	375	\r
	376	#\r
	377	# Sign image with 64-bit MonotonicCount appended to end of image\r
	378	#\r
	379	try:\r
	380	if UseSignTool:\r
	381	CertData = SignPayloadSignTool (\r
	382	Result + struct.pack ('<Q', args.MonotonicCount),\r
	383	args.SigningToolPath,\r
	384	args.SignToolPfxFile\r
	385	)\r
	386	else:\r
	387	CertData = SignPayloadOpenSsl (\r
	388	Result + struct.pack ('<Q', args.MonotonicCount),\r
	389	args.SigningToolPath,\r
	390	args.OpenSslSignerPrivateCertFile,\r
	391	args.OpenSslOtherPublicCertFile,\r
	392	args.OpenSslTrustedPublicCertFile\r
	393	)\r
394	except:\r
395	print ('GenerateCapsule: error: can not sign payload')\r
396	raise\r
397	sys.exit (1)\r
398	\r
399	try:\r
400	FmpAuthHeader.MonotonicCount = args.MonotonicCount\r
401	FmpAuthHeader.CertData = CertData\r
402	FmpAuthHeader.Payload = Result\r
403	Result = FmpAuthHeader.Encode ()\r
404	if args.Verbose:\r
405	FmpAuthHeader.DumpInfo ()\r
406	except:\r
407	print ('GenerateCapsule: error: can not encode FMP Auth Header')\r
408	sys.exit (1)\r
409	\r
410	try:\r
411	FmpCapsuleHeader.AddPayload (args.Guid, Result, HardwareInstance = args.HardwareInstance)\r
412	Result = FmpCapsuleHeader.Encode ()\r
413	if args.Verbose:\r
414	FmpCapsuleHeader.DumpInfo ()\r
415	except:\r
416	print ('GenerateCapsule: error: can not encode FMP Capsule Header')\r
417	sys.exit (1)\r
418	\r
419	try:\r
420	UefiCapsuleHeader.OemFlags = args.CapsuleOemFlag\r
421	UefiCapsuleHeader.PersistAcrossReset = 'PersistAcrossReset' in args.CapsuleFlag\r
2779c222	422	UefiCapsuleHeader.PopulateSystemTable = False\r
8b63877a KM	423	UefiCapsuleHeader.InitiateReset = 'InitiateReset' in args.CapsuleFlag\r
	424	UefiCapsuleHeader.Payload = Result\r
	425	Result = UefiCapsuleHeader.Encode ()\r
	426	if args.Verbose:\r
	427	UefiCapsuleHeader.DumpInfo ()\r
	428	except:\r
	429	print ('GenerateCapsule: error: can not encode UEFI Capsule Header')\r
	430	sys.exit (1)\r
	431	\r
	432	elif args.Decode:\r
	433	try:\r
	434	Result = UefiCapsuleHeader.Decode (Buffer)\r
	435	FmpCapsuleHeader.Decode (Result)\r
	436	Result = FmpCapsuleHeader.GetFmpCapsuleImageHeader (0).Payload\r
	437	if args.Verbose:\r
	438	print ('========')\r
	439	UefiCapsuleHeader.DumpInfo ()\r
	440	print ('--------')\r
	441	FmpCapsuleHeader.DumpInfo ()\r
	442	if UseSignTool or UseOpenSsl:\r
	443	Result = FmpAuthHeader.Decode (Result)\r
	444	\r
	445	#\r
	446	# Verify Image with 64-bit MonotonicCount appended to end of image\r
	447	#\r
	448	try:\r
	449	if UseSignTool:\r
	450	CertData = VerifyPayloadSignTool (\r
	451	FmpAuthHeader.Payload + struct.pack ('<Q', FmpAuthHeader.MonotonicCount),\r
	452	FmpAuthHeader.CertData,\r
	453	args.SigningToolPath,\r
	454	args.SignToolPfxFile\r
	455	)\r
	456	else:\r
	457	CertData = VerifyPayloadOpenSsl (\r
	458	FmpAuthHeader.Payload + struct.pack ('<Q', FmpAuthHeader.MonotonicCount),\r
	459	FmpAuthHeader.CertData,\r
	460	args.SigningToolPath,\r
	461	args.OpenSslSignerPrivateCertFile,\r
	462	args.OpenSslOtherPublicCertFile,\r
	463	args.OpenSslTrustedPublicCertFile\r
	464	)\r
	465	except ValueError:\r
	466	print ('GenerateCapsule: warning: can not verify payload.')\r
	467	\r
	468	Result = FmpPayloadHeader.Decode (Result)\r
	469	if args.Verbose:\r
	470	print ('--------')\r
	471	FmpAuthHeader.DumpInfo ()\r
	472	print ('--------')\r
	473	FmpPayloadHeader.DumpInfo ()\r
	474	else:\r
	475	if args.Verbose:\r
	476	print ('--------')\r
	477	print ('No EFI_FIRMWARE_IMAGE_AUTHENTICATION')\r
	478	print ('--------')\r
	479	print ('No FMP_PAYLOAD_HEADER')\r
	480	if args.Verbose:\r
	481	print ('========')\r
	482	except:\r
	483	print ('GenerateCapsule: error: can not decode capsule')\r
	484	raise\r
	485	sys.exit (1)\r
	486	\r
487	elif args.DumpInfo:\r
488	try:\r
489	Result = UefiCapsuleHeader.Decode (Buffer)\r
490	FmpCapsuleHeader.Decode (Result)\r
491	Result = FmpCapsuleHeader.GetFmpCapsuleImageHeader (0).Payload\r
492	print ('========')\r
493	UefiCapsuleHeader.DumpInfo ()\r
494	print ('--------')\r
495	FmpCapsuleHeader.DumpInfo ()\r
496	try:\r
497	Result = FmpAuthHeader.Decode (Result)\r
498	Result = FmpPayloadHeader.Decode (Result)\r
499	print ('--------')\r
500	FmpAuthHeader.DumpInfo ()\r
501	print ('--------')\r
502	FmpPayloadHeader.DumpInfo ()\r
503	except:\r
504	print ('--------')\r
505	print ('No EFI_FIRMWARE_IMAGE_AUTHENTICATION')\r
506	print ('--------')\r
507	print ('No FMP_PAYLOAD_HEADER')\r
508	print ('========')\r
509	except:\r
510	print ('GenerateCapsule: error: can not decode capsule')\r
511	sys.exit (1)\r
512	else:\r
513	print('GenerateCapsule: error: invalid options')\r
514	sys.exit (1)\r
515	\r
516	#\r
517	# Write binary output file\r
518	#\r
519	if args.OutputFile is not None:\r
520	try:\r
521	if args.Verbose:\r
522	print ('Write binary output file {File}'.format (File = args.OutputFile.name))\r
523	args.OutputFile.write (Result)\r
524	args.OutputFile.close ()\r
525	except:\r
526	print ('GenerateCapsule: error: can not write binary output file {File}'.format (File = args.OutputFile.name))\r
527	sys.exit (1)\r
528	\r
529	if args.Verbose:\r
530	print('Success')\r