[mirror_edk2.git] / BaseTools / Source / Python / Capsule / GenerateCapsule.py

## @file\r
# Generate a capsule.\r
#\r
# Copyright (c) 2018, Intel Corporation. All rights reserved.<BR>\r
# This program and the accompanying materials\r
# are licensed and made available under the terms and conditions of the BSD License\r
# which accompanies this distribution.  The full text of the license may be found at\r
# http://opensource.org/licenses/bsd-license.php\r
#\r
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
#\r
\r
'''\r
GenerateCapsule\r
'''\r
\r
import sys\r
import argparse\r
import uuid\r
import struct\r
import subprocess\r
import os\r
import tempfile\r
import shutil\r
import platform\r
from Common.Uefi.Capsule.UefiCapsuleHeader import UefiCapsuleHeaderClass\r
from Common.Uefi.Capsule.FmpCapsuleHeader  import FmpCapsuleHeaderClass\r
from Common.Uefi.Capsule.FmpAuthHeader     import FmpAuthHeaderClass\r
from Common.Edk2.Capsule.FmpPayloadHeader  import FmpPayloadHeaderClass\r
\r
#\r
# Globals for help information\r
#\r
__prog__        = 'GenerateCapsule'\r
__version__     = '0.9'\r
__copyright__   = 'Copyright (c) 2018, Intel Corporation. All rights reserved.'\r
__description__ = 'Generate a capsule.\n'\r
\r
def SignPayloadSignTool (Payload, ToolPath, PfxFile):\r
    #\r
    # Create a temporary directory\r
    #\r
    TempDirectoryName = tempfile.mkdtemp()\r
\r
    #\r
    # Generate temp file name for the payload contents\r
    #\r
    TempFileName = os.path.join (TempDirectoryName, 'Payload.bin')\r
\r
    #\r
    # Create temporary payload file for signing\r
    #\r
    try:\r
        File = open (TempFileName, mode='wb')\r
        File.write (Payload)\r
        File.close ()\r
    except:\r
        shutil.rmtree (TempDirectoryName)\r
        raise ValueError ('GenerateCapsule: error: can not write temporary payload file.')\r
\r
    #\r
    # Build signtool command\r
    #\r
    if ToolPath is None:\r
        ToolPath = ''\r
    Command = ''\r
    Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'signtool.exe'))\r
    Command = Command + 'sign /fd sha256 /p7ce DetachedSignedData /p7co 1.2.840.113549.1.7.2 '\r
    Command = Command + '/p7 {TempDir} '.format (TempDir = TempDirectoryName)\r
    Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)\r
    Command = Command + TempFileName\r
\r
    #\r
    # Sign the input file using the specified private key\r
    #\r
    try:\r
        Process = subprocess.Popen (Command, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE, shell = True)\r
        Result = Process.communicate('')\r
    except:\r
        shutil.rmtree (TempDirectoryName)\r
        raise ValueError ('GenerateCapsule: error: can not run signtool.')\r
\r
    if Process.returncode != 0:\r
        shutil.rmtree (TempDirectoryName)\r
        print (Result[1].decode())\r
        raise ValueError ('GenerateCapsule: error: signtool failed.')\r
\r
    #\r
    # Read the signature from the generated output file\r
    #\r
    try:\r
        File = open (TempFileName + '.p7', mode='rb')\r
        Signature = File.read ()\r
        File.close ()\r
    except:\r
        shutil.rmtree (TempDirectoryName)\r
        raise ValueError ('GenerateCapsule: error: can not read signature file.')\r
\r
    shutil.rmtree (TempDirectoryName)\r
    return Signature\r
\r
def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile):\r
    print ('signtool verify is not supported.')\r
    raise ValueError ('GenerateCapsule: error: signtool verify is not supported.')\r
\r
def SignPayloadOpenSsl (Payload, ToolPath, SignerPrivateCertFile, OtherPublicCertFile, TrustedPublicCertFile):\r
    #\r
    # Build openssl command\r
    #\r
    if ToolPath is None:\r
        ToolPath = ''\r
    Command = ''\r
    Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'openssl'))\r
    Command = Command + 'smime -sign -binary -outform DER -md sha256 '\r
    Command = Command + '-signer "{Private}" -certfile "{Public}"'.format (Private = SignerPrivateCertFile, Public = OtherPublicCertFile)\r
\r
    #\r
    # Sign the input file using the specified private key and capture signature from STDOUT\r
    #\r
    try:\r
        Process = subprocess.Popen (Command, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE, shell = True)\r
        Result = Process.communicate(input = Payload)\r
        Signature = Result[0]\r
    except:\r
        raise ValueError ('GenerateCapsule: error: can not run openssl.')\r
\r
    if Process.returncode != 0:\r
        print (Result[1].decode())\r
        raise ValueError ('GenerateCapsule: error: openssl failed.')\r
\r
    return Signature\r
\r
def VerifyPayloadOpenSsl (Payload, CertData, ToolPath, SignerPrivateCertFile, OtherPublicCertFile, TrustedPublicCertFile):\r
    #\r
    # Create a temporary directory\r
    #\r
    TempDirectoryName = tempfile.mkdtemp()\r
\r
    #\r
    # Generate temp file name for the payload contents\r
    #\r
    TempFileName = os.path.join (TempDirectoryName, 'Payload.bin')\r
\r
    #\r
    # Create temporary payload file for verification\r
    #\r
    try:\r
        File = open (TempFileName, mode='wb')\r
        File.write (Payload)\r
        File.close ()\r
    except:\r
        shutil.rmtree (TempDirectoryName)\r
        raise ValueError ('GenerateCapsule: error: can not write temporary payload file.')\r
\r
    #\r
    # Build openssl command\r
    #\r
    if ToolPath is None:\r
        ToolPath = ''\r
    Command = ''\r
    Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'openssl'))\r
    Command = Command + 'smime -verify -inform DER '\r
    Command = Command + '-content {Content} -CAfile "{Public}"'.format (Content = TempFileName, Public = TrustedPublicCertFile)\r
\r
    #\r
    # Verify signature\r
    #\r
    try:\r
        Process = subprocess.Popen (Command, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE, shell = True)\r
        Result = Process.communicate(input = CertData)\r
    except:\r
        shutil.rmtree (TempDirectoryName)\r
        raise ValueError ('GenerateCapsule: error: can not run openssl.')\r
\r
    if Process.returncode != 0:\r
        shutil.rmtree (TempDirectoryName)\r
        print (Result[1].decode())\r
        raise ValueError ('GenerateCapsule: error: openssl failed.')\r
\r
    shutil.rmtree (TempDirectoryName)\r
    return Payload\r
\r
if __name__ == '__main__':\r
    def convert_arg_line_to_args(arg_line):\r
        for arg in arg_line.split():\r
            if not arg.strip():\r
                continue\r
            yield arg\r
\r
    def ValidateUnsignedInteger (Argument):\r
        try:\r
            Value = int (Argument, 0)\r
        except:\r
            Message = '{Argument} is not a valid integer value.'.format (Argument = Argument)\r
            raise argparse.ArgumentTypeError (Message)\r
        if Value < 0:\r
            Message = '{Argument} is a negative value.'.format (Argument = Argument)\r
            raise argparse.ArgumentTypeError (Message)\r
        return Value\r
\r
    def ValidateRegistryFormatGuid (Argument):\r
        try:\r
            Value = uuid.UUID (Argument)\r
        except:\r
            Message = '{Argument} is not a valid registry format GUID value.'.format (Argument = Argument)\r
            raise argparse.ArgumentTypeError (Message)\r
        return Value\r
\r
    #\r
    # Create command line argument parser object\r
    #\r
    parser = argparse.ArgumentParser (\r
                        prog = __prog__,\r
                        description = __description__ + __copyright__,\r
                        conflict_handler = 'resolve',\r
                        fromfile_prefix_chars = '@'\r
                        )\r
    parser.convert_arg_line_to_args = convert_arg_line_to_args\r
\r
    #\r
    # Add input and output file arguments\r
    #\r
    parser.add_argument("InputFile",  type = argparse.FileType('rb'),\r
                        help = "Input binary payload filename.")\r
    parser.add_argument("-o", "--output", dest = 'OutputFile', type = argparse.FileType('wb'),\r
                        help = "Output filename.")\r
    #\r
    # Add group for -e and -d flags that are mutually exclusive and required\r
    #\r
    group = parser.add_mutually_exclusive_group (required = True)\r
    group.add_argument ("-e", "--encode", dest = 'Encode', action = "store_true",\r
                        help = "Encode file")\r
    group.add_argument ("-d", "--decode", dest = 'Decode', action = "store_true",\r
                        help = "Decode file")\r
    group.add_argument ("--dump-info", dest = 'DumpInfo', action = "store_true",\r
                        help = "Display FMP Payload Header information")\r
    #\r
    # Add optional arguments for this command\r
    #\r
    parser.add_argument ("--capflag", dest = 'CapsuleFlag', action='append', default = [],\r
                         choices=['PersistAcrossReset', 'PopulateSystemTable', 'InitiateReset'],\r
                         help = "Capsule flag can be PersistAcrossReset, or PopulateSystemTable or InitiateReset or not set")\r
    parser.add_argument ("--capoemflag", dest = 'CapsuleOemFlag', type = ValidateUnsignedInteger, default = 0x0000,\r
                         help = "Capsule OEM Flag is an integer between 0x0000 and 0xffff.")\r
\r
    parser.add_argument ("--guid", dest = 'Guid', type = ValidateRegistryFormatGuid,\r
                         help = "The FMP/ESRT GUID in registry format.  Required for encode operations.")\r
    parser.add_argument ("--hardware-instance", dest = 'HardwareInstance', type = ValidateUnsignedInteger, default = 0x0000000000000000,\r
                         help = "The 64-bit hardware instance.  The default is 0x0000000000000000")\r
\r
\r
    parser.add_argument ("--monotonic-count", dest = 'MonotonicCount', type = ValidateUnsignedInteger, default = 0x0000000000000000,\r
                         help = "64-bit monotonic count value in header.  Default is 0x0000000000000000.")\r
\r
    parser.add_argument ("--fw-version", dest = 'FwVersion', type = ValidateUnsignedInteger,\r
                         help = "The 32-bit version of the binary payload (e.g. 0x11223344 or 5678).")\r
    parser.add_argument ("--lsv", dest = 'LowestSupportedVersion', type = ValidateUnsignedInteger,\r
                         help = "The 32-bit lowest supported version of the binary payload (e.g. 0x11223344 or 5678).")\r
\r
    parser.add_argument ("--pfx-file", dest='SignToolPfxFile', type=argparse.FileType('rb'),\r
                         help="signtool PFX certificate filename.")\r
\r
    parser.add_argument ("--signer-private-cert", dest='OpenSslSignerPrivateCertFile', type=argparse.FileType('rb'),\r
                         help="OpenSSL signer private certificate filename.")\r
    parser.add_argument ("--other-public-cert", dest='OpenSslOtherPublicCertFile', type=argparse.FileType('rb'),\r
                         help="OpenSSL other public certificate filename.")\r
    parser.add_argument ("--trusted-public-cert", dest='OpenSslTrustedPublicCertFile', type=argparse.FileType('rb'),\r
                         help="OpenSSL trusted public certificate filename.")\r
\r
    parser.add_argument ("--signing-tool-path", dest = 'SigningToolPath',\r
                         help = "Path to signtool or OpenSSL tool.  Optional if path to tools are already in PATH.")\r
\r
    #\r
    # Add optional arguments common to all operations\r
    #\r
    parser.add_argument ('--version', action='version', version='%(prog)s ' + __version__)\r
    parser.add_argument ("-v", "--verbose", dest = 'Verbose', action = "store_true",\r
                         help = "Turn on verbose output with informational messages printed, including capsule headers and warning messages.")\r
    parser.add_argument ("-q", "--quiet", dest = 'Quiet', action = "store_true",\r
                         help = "Disable all messages except fatal errors.")\r
    parser.add_argument ("--debug", dest = 'Debug', type = int, metavar = '[0-9]', choices = range (0, 10), default = 0,\r
                         help = "Set debug level")\r
\r
    #\r
    # Parse command line arguments\r
    #\r
    args = parser.parse_args()\r
\r
    #\r
    # Perform additional argument verification\r
    #\r
    if args.Encode:\r
        if args.Guid is None:\r
            parser.error ('the following option is required: --guid')\r
        if 'PersistAcrossReset' not in args.CapsuleFlag:\r
            if 'PopulateSystemTable' in args.CapsuleFlag:\r
                parser.error ('--capflag PopulateSystemTable also requires --capflag PersistAcrossReset')\r
            if 'InitiateReset' in args.CapsuleFlag:\r
                parser.error ('--capflag InitiateReset also requires --capflag PersistAcrossReset')\r
\r
    UseSignTool = args.SignToolPfxFile is not None\r
    UseOpenSsl  = (args.OpenSslSignerPrivateCertFile is not None and\r
                   args.OpenSslOtherPublicCertFile is not None and\r
                   args.OpenSslTrustedPublicCertFile is not None)\r
    AnyOpenSsl  = (args.OpenSslSignerPrivateCertFile is not None or\r
                   args.OpenSslOtherPublicCertFile is not None or\r
                   args.OpenSslTrustedPublicCertFile is not None)\r
    if args.Encode or args.Decode:\r
        if args.OutputFile is None:\r
            parser.error ('the following option is required for all encode and decode operations: --output')\r
\r
        if UseSignTool and AnyOpenSsl:\r
            parser.error ('Providing both signtool and OpenSSL options is not supported')\r
        if not UseSignTool and not UseOpenSsl and AnyOpenSsl:\r
            parser.error ('all the following options are required for OpenSSL: --signer-private-cert, --other-public-cert, --trusted-public-cert')\r
        if UseSignTool and platform.system() != 'Windows':\r
            parser.error ('Use of signtool is not supported on this operating system.')\r
        if args.Encode and (UseSignTool or UseOpenSsl):\r
            if args.FwVersion is None or args.LowestSupportedVersion is None:\r
                parser.error ('the following options are required: --fw-version, --lsv')\r
\r
        if UseSignTool:\r
            args.SignToolPfxFile.close()\r
            args.SignToolPfxFile = args.SignToolPfxFile.name\r
        if UseOpenSsl:\r
            args.OpenSslSignerPrivateCertFile.close()\r
            args.OpenSslOtherPublicCertFile.close()\r
            args.OpenSslTrustedPublicCertFile.close()\r
            args.OpenSslSignerPrivateCertFile = args.OpenSslSignerPrivateCertFile.name\r
            args.OpenSslOtherPublicCertFile   = args.OpenSslOtherPublicCertFile.name\r
            args.OpenSslTrustedPublicCertFile = args.OpenSslTrustedPublicCertFile.name\r
\r
    #\r
    # Read binary input file\r
    #\r
    try:\r
        if args.Verbose:\r
            print ('Read binary input file {File}'.format (File = args.InputFile.name))\r
        Buffer = args.InputFile.read ()\r
        args.InputFile.close ()\r
    except:\r
        print ('GenerateCapsule: error: can not read binary input file {File}'.format (File = args.InputFile.name))\r
        sys.exit (1)\r
\r
    #\r
    # Create objects\r
    #\r
    UefiCapsuleHeader = UefiCapsuleHeaderClass ()\r
    FmpCapsuleHeader  = FmpCapsuleHeaderClass ()\r
    FmpAuthHeader     = FmpAuthHeaderClass ()\r
    FmpPayloadHeader  = FmpPayloadHeaderClass ()\r
\r
    if args.Encode:\r
        Result = Buffer\r
        if UseSignTool or UseOpenSsl:\r
            try:\r
                FmpPayloadHeader.FwVersion              = args.FwVersion\r
                FmpPayloadHeader.LowestSupportedVersion = args.LowestSupportedVersion\r
                FmpPayloadHeader.Payload                = Result\r
                Result = FmpPayloadHeader.Encode ()\r
                if args.Verbose:\r
                    FmpPayloadHeader.DumpInfo ()\r
            except:\r
                print ('GenerateCapsule: error: can not encode FMP Payload Header')\r
                sys.exit (1)\r
\r
            #\r
            # Sign image with 64-bit MonotonicCount appended to end of image\r
            #\r
            try:\r
                if UseSignTool:\r
                    CertData = SignPayloadSignTool (\r
                                 Result + struct.pack ('<Q', args.MonotonicCount),\r
                                 args.SigningToolPath,\r
                                 args.SignToolPfxFile\r
                                 )\r
                else:\r
                    CertData = SignPayloadOpenSsl (\r
                                 Result + struct.pack ('<Q', args.MonotonicCount),\r
                                 args.SigningToolPath,\r
                                 args.OpenSslSignerPrivateCertFile,\r
                                 args.OpenSslOtherPublicCertFile,\r
                                 args.OpenSslTrustedPublicCertFile\r
                                 )\r
            except:\r
                print ('GenerateCapsule: error: can not sign payload')\r
                raise\r
                sys.exit (1)\r
\r
            try:\r
                FmpAuthHeader.MonotonicCount = args.MonotonicCount\r
                FmpAuthHeader.CertData       = CertData\r
                FmpAuthHeader.Payload        = Result\r
                Result = FmpAuthHeader.Encode ()\r
                if args.Verbose:\r
                    FmpAuthHeader.DumpInfo ()\r
            except:\r
                print ('GenerateCapsule: error: can not encode FMP Auth Header')\r
                sys.exit (1)\r
\r
        try:\r
            FmpCapsuleHeader.AddPayload (args.Guid, Result, HardwareInstance = args.HardwareInstance)\r
            Result = FmpCapsuleHeader.Encode ()\r
            if args.Verbose:\r
                FmpCapsuleHeader.DumpInfo ()\r
        except:\r
            print ('GenerateCapsule: error: can not encode FMP Capsule Header')\r
            sys.exit (1)\r
\r
        try:\r
            UefiCapsuleHeader.OemFlags            = args.CapsuleOemFlag\r
            UefiCapsuleHeader.PersistAcrossReset  = 'PersistAcrossReset'  in args.CapsuleFlag\r
            UefiCapsuleHeader.PopulateSystemTable = 'PopulateSystemTable' in args.CapsuleFlag\r
            UefiCapsuleHeader.InitiateReset       = 'InitiateReset'       in args.CapsuleFlag\r
            UefiCapsuleHeader.Payload             = Result\r
            Result = UefiCapsuleHeader.Encode ()\r
            if args.Verbose:\r
                UefiCapsuleHeader.DumpInfo ()\r
        except:\r
            print ('GenerateCapsule: error: can not encode UEFI Capsule Header')\r
            sys.exit (1)\r
\r
    elif args.Decode:\r
        try:\r
            Result = UefiCapsuleHeader.Decode (Buffer)\r
            FmpCapsuleHeader.Decode (Result)\r
            Result = FmpCapsuleHeader.GetFmpCapsuleImageHeader (0).Payload\r
            if args.Verbose:\r
                print ('========')\r
                UefiCapsuleHeader.DumpInfo ()\r
                print ('--------')\r
                FmpCapsuleHeader.DumpInfo ()\r
            if UseSignTool or UseOpenSsl:\r
                Result = FmpAuthHeader.Decode (Result)\r
\r
                #\r
                # Verify Image with 64-bit MonotonicCount appended to end of image\r
                #\r
                try:\r
                  if UseSignTool:\r
                      CertData = VerifyPayloadSignTool (\r
                                   FmpAuthHeader.Payload + struct.pack ('<Q', FmpAuthHeader.MonotonicCount),\r
                                   FmpAuthHeader.CertData,\r
                                   args.SigningToolPath,\r
                                   args.SignToolPfxFile\r
                                   )\r
                  else:\r
                      CertData = VerifyPayloadOpenSsl (\r
                                   FmpAuthHeader.Payload + struct.pack ('<Q', FmpAuthHeader.MonotonicCount),\r
                                   FmpAuthHeader.CertData,\r
                                   args.SigningToolPath,\r
                                   args.OpenSslSignerPrivateCertFile,\r
                                   args.OpenSslOtherPublicCertFile,\r
                                   args.OpenSslTrustedPublicCertFile\r
                                   )\r
                except ValueError:\r
                    print ('GenerateCapsule: warning: can not verify payload.')\r
\r
                Result = FmpPayloadHeader.Decode (Result)\r
                if args.Verbose:\r
                    print ('--------')\r
                    FmpAuthHeader.DumpInfo ()\r
                    print ('--------')\r
                    FmpPayloadHeader.DumpInfo ()\r
            else:\r
                if args.Verbose:\r
                    print ('--------')\r
                    print ('No EFI_FIRMWARE_IMAGE_AUTHENTICATION')\r
                    print ('--------')\r
                    print ('No FMP_PAYLOAD_HEADER')\r
            if args.Verbose:\r
                print ('========')\r
        except:\r
            print ('GenerateCapsule: error: can not decode capsule')\r
            raise\r
            sys.exit (1)\r
\r
    elif args.DumpInfo:\r
        try:\r
            Result = UefiCapsuleHeader.Decode (Buffer)\r
            FmpCapsuleHeader.Decode (Result)\r
            Result = FmpCapsuleHeader.GetFmpCapsuleImageHeader (0).Payload\r
            print ('========')\r
            UefiCapsuleHeader.DumpInfo ()\r
            print ('--------')\r
            FmpCapsuleHeader.DumpInfo ()\r
            try:\r
                Result = FmpAuthHeader.Decode (Result)\r
                Result = FmpPayloadHeader.Decode (Result)\r
                print ('--------')\r
                FmpAuthHeader.DumpInfo ()\r
                print ('--------')\r
                FmpPayloadHeader.DumpInfo ()\r
            except:\r
                print ('--------')\r
                print ('No EFI_FIRMWARE_IMAGE_AUTHENTICATION')\r
                print ('--------')\r
                print ('No FMP_PAYLOAD_HEADER')\r
            print ('========')\r
        except:\r
            print ('GenerateCapsule: error: can not decode capsule')\r
            sys.exit (1)\r
    else:\r
        print('GenerateCapsule: error: invalid options')\r
        sys.exit (1)\r
\r
    #\r
    # Write binary output file\r
    #\r
    if args.OutputFile is not None:\r
        try:\r
            if args.Verbose:\r
                print ('Write binary output file {File}'.format (File = args.OutputFile.name))\r
            args.OutputFile.write (Result)\r
            args.OutputFile.close ()\r
        except:\r
            print ('GenerateCapsule: error: can not write binary output file {File}'.format (File = args.OutputFile.name))\r
            sys.exit (1)\r
\r
    if args.Verbose:\r
        print('Success')\r
Commit	Line	Data
8b63877a KM	1	## @file\r
	2	# Generate a capsule.\r
	3	#\r
	4	# Copyright (c) 2018, Intel Corporation. All rights reserved.<BR>\r
	5	# This program and the accompanying materials\r
	6	# are licensed and made available under the terms and conditions of the BSD License\r
	7	# which accompanies this distribution. The full text of the license may be found at\r
	8	# http://opensource.org/licenses/bsd-license.php\r
	9	#\r
	10	# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
	11	# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
	12	#\r
	13	\r
	14	'''\r
	15	GenerateCapsule\r
	16	'''\r
	17	\r
	18	import sys\r
	19	import argparse\r
	20	import uuid\r
	21	import struct\r
	22	import subprocess\r
	23	import os\r
	24	import tempfile\r
	25	import shutil\r
	26	import platform\r
	27	from Common.Uefi.Capsule.UefiCapsuleHeader import UefiCapsuleHeaderClass\r
	28	from Common.Uefi.Capsule.FmpCapsuleHeader import FmpCapsuleHeaderClass\r
	29	from Common.Uefi.Capsule.FmpAuthHeader import FmpAuthHeaderClass\r
	30	from Common.Edk2.Capsule.FmpPayloadHeader import FmpPayloadHeaderClass\r
	31	\r
	32	#\r
	33	# Globals for help information\r
	34	#\r
	35	__prog__ = 'GenerateCapsule'\r
	36	__version__ = '0.9'\r
	37	__copyright__ = 'Copyright (c) 2018, Intel Corporation. All rights reserved.'\r
	38	__description__ = 'Generate a capsule.\n'\r
	39	\r
	40	def SignPayloadSignTool (Payload, ToolPath, PfxFile):\r
	41	#\r
	42	# Create a temporary directory\r
	43	#\r
	44	TempDirectoryName = tempfile.mkdtemp()\r
	45	\r
	46	#\r
	47	# Generate temp file name for the payload contents\r
	48	#\r
	49	TempFileName = os.path.join (TempDirectoryName, 'Payload.bin')\r
	50	\r
	51	#\r
	52	# Create temporary payload file for signing\r
	53	#\r
	54	try:\r
	55	File = open (TempFileName, mode='wb')\r
	56	File.write (Payload)\r
	57	File.close ()\r
	58	except:\r
	59	shutil.rmtree (TempDirectoryName)\r
	60	raise ValueError ('GenerateCapsule: error: can not write temporary payload file.')\r
	61	\r
	62	#\r
	63	# Build signtool command\r
	64	#\r
65	if ToolPath is None:\r
66	ToolPath = ''\r
67	Command = ''\r
68	Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'signtool.exe'))\r
69	Command = Command + 'sign /fd sha256 /p7ce DetachedSignedData /p7co 1.2.840.113549.1.7.2 '\r
70	Command = Command + '/p7 {TempDir} '.format (TempDir = TempDirectoryName)\r
71	Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile)\r
72	Command = Command + TempFileName\r
73	\r
74	#\r
75	# Sign the input file using the specified private key\r
76	#\r
77	try:\r
78	Process = subprocess.Popen (Command, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE, shell = True)\r
79	Result = Process.communicate('')\r
80	except:\r
81	shutil.rmtree (TempDirectoryName)\r
82	raise ValueError ('GenerateCapsule: error: can not run signtool.')\r
83	\r
84	if Process.returncode != 0:\r
85	shutil.rmtree (TempDirectoryName)\r
86	print (Result[1].decode())\r
87	raise ValueError ('GenerateCapsule: error: signtool failed.')\r
88	\r
89	#\r
90	# Read the signature from the generated output file\r
91	#\r
92	try:\r
93	File = open (TempFileName + '.p7', mode='rb')\r
94	Signature = File.read ()\r
95	File.close ()\r
96	except:\r
97	shutil.rmtree (TempDirectoryName)\r
98	raise ValueError ('GenerateCapsule: error: can not read signature file.')\r
99	\r
100	shutil.rmtree (TempDirectoryName)\r
101	return Signature\r
102	\r
103	def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile):\r
104	print ('signtool verify is not supported.')\r
105	raise ValueError ('GenerateCapsule: error: signtool verify is not supported.')\r
106	\r
107	def SignPayloadOpenSsl (Payload, ToolPath, SignerPrivateCertFile, OtherPublicCertFile, TrustedPublicCertFile):\r
108	#\r
109	# Build openssl command\r
110	#\r
111	if ToolPath is None:\r
112	ToolPath = ''\r
113	Command = ''\r
114	Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'openssl'))\r
115	Command = Command + 'smime -sign -binary -outform DER -md sha256 '\r
116	Command = Command + '-signer "{Private}" -certfile "{Public}"'.format (Private = SignerPrivateCertFile, Public = OtherPublicCertFile)\r
117	\r
118	#\r
119	# Sign the input file using the specified private key and capture signature from STDOUT\r
120	#\r
121	try:\r
122	Process = subprocess.Popen (Command, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE, shell = True)\r
123	Result = Process.communicate(input = Payload)\r
124	Signature = Result[0]\r
125	except:\r
126	raise ValueError ('GenerateCapsule: error: can not run openssl.')\r
127	\r
128	if Process.returncode != 0:\r
129	print (Result[1].decode())\r
130	raise ValueError ('GenerateCapsule: error: openssl failed.')\r
131	\r
132	return Signature\r
133	\r
134	def VerifyPayloadOpenSsl (Payload, CertData, ToolPath, SignerPrivateCertFile, OtherPublicCertFile, TrustedPublicCertFile):\r
135	#\r
136	# Create a temporary directory\r
137	#\r
138	TempDirectoryName = tempfile.mkdtemp()\r
139	\r
140	#\r
141	# Generate temp file name for the payload contents\r
142	#\r
143	TempFileName = os.path.join (TempDirectoryName, 'Payload.bin')\r
144	\r
145	#\r
146	# Create temporary payload file for verification\r
147	#\r
148	try:\r
149	File = open (TempFileName, mode='wb')\r
150	File.write (Payload)\r
151	File.close ()\r
152	except:\r
153	shutil.rmtree (TempDirectoryName)\r
154	raise ValueError ('GenerateCapsule: error: can not write temporary payload file.')\r
155	\r
156	#\r
157	# Build openssl command\r
158	#\r
159	if ToolPath is None:\r
160	ToolPath = ''\r
161	Command = ''\r
162	Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'openssl'))\r
163	Command = Command + 'smime -verify -inform DER '\r
164	Command = Command + '-content {Content} -CAfile "{Public}"'.format (Content = TempFileName, Public = TrustedPublicCertFile)\r
165	\r
166	#\r
167	# Verify signature\r
168	#\r
169	try:\r
170	Process = subprocess.Popen (Command, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE, shell = True)\r
171	Result = Process.communicate(input = CertData)\r
172	except:\r
173	shutil.rmtree (TempDirectoryName)\r
174	raise ValueError ('GenerateCapsule: error: can not run openssl.')\r
175	\r
176	if Process.returncode != 0:\r
177	shutil.rmtree (TempDirectoryName)\r
178	print (Result[1].decode())\r
179	raise ValueError ('GenerateCapsule: error: openssl failed.')\r
180	\r
181	shutil.rmtree (TempDirectoryName)\r
182	return Payload\r
183	\r
184	if __name__ == '__main__':\r
185	def convert_arg_line_to_args(arg_line):\r
186	for arg in arg_line.split():\r
187	if not arg.strip():\r
188	continue\r
189	yield arg\r
190	\r
191	def ValidateUnsignedInteger (Argument):\r
192	try:\r
193	Value = int (Argument, 0)\r
194	except:\r
195	Message = '{Argument} is not a valid integer value.'.format (Argument = Argument)\r
196	raise argparse.ArgumentTypeError (Message)\r
197	if Value < 0:\r
198	Message = '{Argument} is a negative value.'.format (Argument = Argument)\r
199	raise argparse.ArgumentTypeError (Message)\r
200	return Value\r
201	\r
202	def ValidateRegistryFormatGuid (Argument):\r
203	try:\r
204	Value = uuid.UUID (Argument)\r
205	except:\r
206	Message = '{Argument} is not a valid registry format GUID value.'.format (Argument = Argument)\r
207	raise argparse.ArgumentTypeError (Message)\r
208	return Value\r
209	\r
210	#\r
211	# Create command line argument parser object\r
212	#\r
213	parser = argparse.ArgumentParser (\r
214	prog = __prog__,\r
215	description = __description__ + __copyright__,\r
216	conflict_handler = 'resolve',\r
217	fromfile_prefix_chars = '@'\r
218	)\r
219	parser.convert_arg_line_to_args = convert_arg_line_to_args\r
220	\r
221	#\r
222	# Add input and output file arguments\r
223	#\r
224	parser.add_argument("InputFile", type = argparse.FileType('rb'),\r
225	help = "Input binary payload filename.")\r
226	parser.add_argument("-o", "--output", dest = 'OutputFile', type = argparse.FileType('wb'),\r
227	help = "Output filename.")\r
228	#\r
229	# Add group for -e and -d flags that are mutually exclusive and required\r
230	#\r
231	group = parser.add_mutually_exclusive_group (required = True)\r
232	group.add_argument ("-e", "--encode", dest = 'Encode', action = "store_true",\r
233	help = "Encode file")\r
234	group.add_argument ("-d", "--decode", dest = 'Decode', action = "store_true",\r
235	help = "Decode file")\r
236	group.add_argument ("--dump-info", dest = 'DumpInfo', action = "store_true",\r
237	help = "Display FMP Payload Header information")\r
238	#\r
239	# Add optional arguments for this command\r
240	#\r
241	parser.add_argument ("--capflag", dest = 'CapsuleFlag', action='append', default = [],\r
242	choices=['PersistAcrossReset', 'PopulateSystemTable', 'InitiateReset'],\r
243	help = "Capsule flag can be PersistAcrossReset, or PopulateSystemTable or InitiateReset or not set")\r
244	parser.add_argument ("--capoemflag", dest = 'CapsuleOemFlag', type = ValidateUnsignedInteger, default = 0x0000,\r
245	help = "Capsule OEM Flag is an integer between 0x0000 and 0xffff.")\r
246	\r
247	parser.add_argument ("--guid", dest = 'Guid', type = ValidateRegistryFormatGuid,\r
248	help = "The FMP/ESRT GUID in registry format. Required for encode operations.")\r
249	parser.add_argument ("--hardware-instance", dest = 'HardwareInstance', type = ValidateUnsignedInteger, default = 0x0000000000000000,\r
250	help = "The 64-bit hardware instance. The default is 0x0000000000000000")\r
251	\r
252	\r
253	parser.add_argument ("--monotonic-count", dest = 'MonotonicCount', type = ValidateUnsignedInteger, default = 0x0000000000000000,\r
254	help = "64-bit monotonic count value in header. Default is 0x0000000000000000.")\r
255	\r
256	parser.add_argument ("--fw-version", dest = 'FwVersion', type = ValidateUnsignedInteger,\r
257	help = "The 32-bit version of the binary payload (e.g. 0x11223344 or 5678).")\r
258	parser.add_argument ("--lsv", dest = 'LowestSupportedVersion', type = ValidateUnsignedInteger,\r
259	help = "The 32-bit lowest supported version of the binary payload (e.g. 0x11223344 or 5678).")\r
260	\r
261	parser.add_argument ("--pfx-file", dest='SignToolPfxFile', type=argparse.FileType('rb'),\r
262	help="signtool PFX certificate filename.")\r
263	\r
264	parser.add_argument ("--signer-private-cert", dest='OpenSslSignerPrivateCertFile', type=argparse.FileType('rb'),\r
265	help="OpenSSL signer private certificate filename.")\r
266	parser.add_argument ("--other-public-cert", dest='OpenSslOtherPublicCertFile', type=argparse.FileType('rb'),\r
267	help="OpenSSL other public certificate filename.")\r
268	parser.add_argument ("--trusted-public-cert", dest='OpenSslTrustedPublicCertFile', type=argparse.FileType('rb'),\r
269	help="OpenSSL trusted public certificate filename.")\r
270	\r
271	parser.add_argument ("--signing-tool-path", dest = 'SigningToolPath',\r
272	help = "Path to signtool or OpenSSL tool. Optional if path to tools are already in PATH.")\r
273	\r
274	#\r
275	# Add optional arguments common to all operations\r
276	#\r
277	parser.add_argument ('--version', action='version', version='%(prog)s ' + __version__)\r
278	parser.add_argument ("-v", "--verbose", dest = 'Verbose', action = "store_true",\r
279	help = "Turn on verbose output with informational messages printed, including capsule headers and warning messages.")\r
280	parser.add_argument ("-q", "--quiet", dest = 'Quiet', action = "store_true",\r
281	help = "Disable all messages except fatal errors.")\r
282	parser.add_argument ("--debug", dest = 'Debug', type = int, metavar = '[0-9]', choices = range (0, 10), default = 0,\r
283	help = "Set debug level")\r
284	\r
285	#\r
286	# Parse command line arguments\r
287	#\r
288	args = parser.parse_args()\r
289	\r
290	#\r
291	# Perform additional argument verification\r
292	#\r
293	if args.Encode:\r
294	if args.Guid is None:\r
295	parser.error ('the following option is required: --guid')\r
296	if 'PersistAcrossReset' not in args.CapsuleFlag:\r
297	if 'PopulateSystemTable' in args.CapsuleFlag:\r
298	parser.error ('--capflag PopulateSystemTable also requires --capflag PersistAcrossReset')\r
299	if 'InitiateReset' in args.CapsuleFlag:\r
300	parser.error ('--capflag InitiateReset also requires --capflag PersistAcrossReset')\r
301	\r
302	UseSignTool = args.SignToolPfxFile is not None\r
303	UseOpenSsl = (args.OpenSslSignerPrivateCertFile is not None and\r
304	args.OpenSslOtherPublicCertFile is not None and\r
305	args.OpenSslTrustedPublicCertFile is not None)\r
306	AnyOpenSsl = (args.OpenSslSignerPrivateCertFile is not None or\r
307	args.OpenSslOtherPublicCertFile is not None or\r
308	args.OpenSslTrustedPublicCertFile is not None)\r
309	if args.Encode or args.Decode:\r
310	if args.OutputFile is None:\r
311	parser.error ('the following option is required for all encode and decode operations: --output')\r
312	\r
313	if UseSignTool and AnyOpenSsl:\r
314	parser.error ('Providing both signtool and OpenSSL options is not supported')\r
315	if not UseSignTool and not UseOpenSsl and AnyOpenSsl:\r
316	parser.error ('all the following options are required for OpenSSL: --signer-private-cert, --other-public-cert, --trusted-public-cert')\r
317	if UseSignTool and platform.system() != 'Windows':\r
318	parser.error ('Use of signtool is not supported on this operating system.')\r
319	if args.Encode and (UseSignTool or UseOpenSsl):\r
320	if args.FwVersion is None or args.LowestSupportedVersion is None:\r
321	parser.error ('the following options are required: --fw-version, --lsv')\r
322	\r
323	if UseSignTool:\r
324	args.SignToolPfxFile.close()\r
325	args.SignToolPfxFile = args.SignToolPfxFile.name\r
326	if UseOpenSsl:\r
327	args.OpenSslSignerPrivateCertFile.close()\r
328	args.OpenSslOtherPublicCertFile.close()\r
329	args.OpenSslTrustedPublicCertFile.close()\r
330	args.OpenSslSignerPrivateCertFile = args.OpenSslSignerPrivateCertFile.name\r
331	args.OpenSslOtherPublicCertFile = args.OpenSslOtherPublicCertFile.name\r
332	args.OpenSslTrustedPublicCertFile = args.OpenSslTrustedPublicCertFile.name\r
333	\r
334	#\r
335	# Read binary input file\r
336	#\r
337	try:\r
338	if args.Verbose:\r
339	print ('Read binary input file {File}'.format (File = args.InputFile.name))\r
340	Buffer = args.InputFile.read ()\r
341	args.InputFile.close ()\r
342	except:\r
343	print ('GenerateCapsule: error: can not read binary input file {File}'.format (File = args.InputFile.name))\r
344	sys.exit (1)\r
345	\r
346	#\r
347	# Create objects\r
348	#\r
349	UefiCapsuleHeader = UefiCapsuleHeaderClass ()\r
350	FmpCapsuleHeader = FmpCapsuleHeaderClass ()\r
351	FmpAuthHeader = FmpAuthHeaderClass ()\r
352	FmpPayloadHeader = FmpPayloadHeaderClass ()\r
353	\r
354	if args.Encode:\r
355	Result = Buffer\r
356	if UseSignTool or UseOpenSsl:\r
357	try:\r
358	FmpPayloadHeader.FwVersion = args.FwVersion\r
359	FmpPayloadHeader.LowestSupportedVersion = args.LowestSupportedVersion\r
360	FmpPayloadHeader.Payload = Result\r
361	Result = FmpPayloadHeader.Encode ()\r
362	if args.Verbose:\r
363	FmpPayloadHeader.DumpInfo ()\r
364	except:\r
365	print ('GenerateCapsule: error: can not encode FMP Payload Header')\r
366	sys.exit (1)\r
367	\r
368	#\r
369	# Sign image with 64-bit MonotonicCount appended to end of image\r
370	#\r
371	try:\r
372	if UseSignTool:\r
373	CertData = SignPayloadSignTool (\r
374	Result + struct.pack ('<Q', args.MonotonicCount),\r
375	args.SigningToolPath,\r
376	args.SignToolPfxFile\r
377	)\r
378	else:\r
379	CertData = SignPayloadOpenSsl (\r
380	Result + struct.pack ('<Q', args.MonotonicCount),\r
381	args.SigningToolPath,\r
382	args.OpenSslSignerPrivateCertFile,\r
383	args.OpenSslOtherPublicCertFile,\r
384	args.OpenSslTrustedPublicCertFile\r
385	)\r
386	except:\r
387	print ('GenerateCapsule: error: can not sign payload')\r
388	raise\r
389	sys.exit (1)\r
390	\r
391	try:\r
392	FmpAuthHeader.MonotonicCount = args.MonotonicCount\r
393	FmpAuthHeader.CertData = CertData\r
394	FmpAuthHeader.Payload = Result\r
395	Result = FmpAuthHeader.Encode ()\r
396	if args.Verbose:\r
397	FmpAuthHeader.DumpInfo ()\r
398	except:\r
399	print ('GenerateCapsule: error: can not encode FMP Auth Header')\r
400	sys.exit (1)\r
401	\r
402	try:\r
403	FmpCapsuleHeader.AddPayload (args.Guid, Result, HardwareInstance = args.HardwareInstance)\r
404	Result = FmpCapsuleHeader.Encode ()\r
405	if args.Verbose:\r
406	FmpCapsuleHeader.DumpInfo ()\r
407	except:\r
408	print ('GenerateCapsule: error: can not encode FMP Capsule Header')\r
409	sys.exit (1)\r
410	\r
411	try:\r
412	UefiCapsuleHeader.OemFlags = args.CapsuleOemFlag\r
413	UefiCapsuleHeader.PersistAcrossReset = 'PersistAcrossReset' in args.CapsuleFlag\r
414	UefiCapsuleHeader.PopulateSystemTable = 'PopulateSystemTable' in args.CapsuleFlag\r
415	UefiCapsuleHeader.InitiateReset = 'InitiateReset' in args.CapsuleFlag\r
416	UefiCapsuleHeader.Payload = Result\r
417	Result = UefiCapsuleHeader.Encode ()\r
418	if args.Verbose:\r
419	UefiCapsuleHeader.DumpInfo ()\r
420	except:\r
421	print ('GenerateCapsule: error: can not encode UEFI Capsule Header')\r
422	sys.exit (1)\r
423	\r
424	elif args.Decode:\r
425	try:\r
426	Result = UefiCapsuleHeader.Decode (Buffer)\r
427	FmpCapsuleHeader.Decode (Result)\r
428	Result = FmpCapsuleHeader.GetFmpCapsuleImageHeader (0).Payload\r
429	if args.Verbose:\r
430	print ('========')\r
431	UefiCapsuleHeader.DumpInfo ()\r
432	print ('--------')\r
433	FmpCapsuleHeader.DumpInfo ()\r
434	if UseSignTool or UseOpenSsl:\r
435	Result = FmpAuthHeader.Decode (Result)\r
436	\r
437	#\r
438	# Verify Image with 64-bit MonotonicCount appended to end of image\r
439	#\r
440	try:\r
441	if UseSignTool:\r
442	CertData = VerifyPayloadSignTool (\r
443	FmpAuthHeader.Payload + struct.pack ('<Q', FmpAuthHeader.MonotonicCount),\r
444	FmpAuthHeader.CertData,\r
445	args.SigningToolPath,\r
446	args.SignToolPfxFile\r
447	)\r
448	else:\r
449	CertData = VerifyPayloadOpenSsl (\r
450	FmpAuthHeader.Payload + struct.pack ('<Q', FmpAuthHeader.MonotonicCount),\r
451	FmpAuthHeader.CertData,\r
452	args.SigningToolPath,\r
453	args.OpenSslSignerPrivateCertFile,\r
454	args.OpenSslOtherPublicCertFile,\r
455	args.OpenSslTrustedPublicCertFile\r
456	)\r
457	except ValueError:\r
458	print ('GenerateCapsule: warning: can not verify payload.')\r
459	\r
460	Result = FmpPayloadHeader.Decode (Result)\r
461	if args.Verbose:\r
462	print ('--------')\r
463	FmpAuthHeader.DumpInfo ()\r
464	print ('--------')\r
465	FmpPayloadHeader.DumpInfo ()\r
466	else:\r
467	if args.Verbose:\r
468	print ('--------')\r
469	print ('No EFI_FIRMWARE_IMAGE_AUTHENTICATION')\r
470	print ('--------')\r
471	print ('No FMP_PAYLOAD_HEADER')\r
472	if args.Verbose:\r
473	print ('========')\r
474	except:\r
475	print ('GenerateCapsule: error: can not decode capsule')\r
476	raise\r
477	sys.exit (1)\r
478	\r
479	elif args.DumpInfo:\r
480	try:\r
481	Result = UefiCapsuleHeader.Decode (Buffer)\r
482	FmpCapsuleHeader.Decode (Result)\r
483	Result = FmpCapsuleHeader.GetFmpCapsuleImageHeader (0).Payload\r
484	print ('========')\r
485	UefiCapsuleHeader.DumpInfo ()\r
486	print ('--------')\r
487	FmpCapsuleHeader.DumpInfo ()\r
488	try:\r
489	Result = FmpAuthHeader.Decode (Result)\r
490	Result = FmpPayloadHeader.Decode (Result)\r
491	print ('--------')\r
492	FmpAuthHeader.DumpInfo ()\r
493	print ('--------')\r
494	FmpPayloadHeader.DumpInfo ()\r
495	except:\r
496	print ('--------')\r
497	print ('No EFI_FIRMWARE_IMAGE_AUTHENTICATION')\r
498	print ('--------')\r
499	print ('No FMP_PAYLOAD_HEADER')\r
500	print ('========')\r
501	except:\r
502	print ('GenerateCapsule: error: can not decode capsule')\r
503	sys.exit (1)\r
504	else:\r
505	print('GenerateCapsule: error: invalid options')\r
506	sys.exit (1)\r
507	\r
508	#\r
509	# Write binary output file\r
510	#\r
511	if args.OutputFile is not None:\r
512	try:\r
513	if args.Verbose:\r
514	print ('Write binary output file {File}'.format (File = args.OutputFile.name))\r
515	args.OutputFile.write (Result)\r
516	args.OutputFile.close ()\r
517	except:\r
518	print ('GenerateCapsule: error: can not write binary output file {File}'.format (File = args.OutputFile.name))\r
519	sys.exit (1)\r
520	\r
521	if args.Verbose:\r
522	print('Success')\r