[edk2-devel] How to fill EFI_VARIABLE_AUTHENTICATION_2 descriptor properly

phlamorim at riseup.net phlamorim at riseup.net
Mon Sep 23 14:02:55 UTC 2019


I want to create an Authenticated Variable as described in UEFI specification 2.8, topic 8.2.2 (8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2 descriptor). I understood the first step but I'm stuck on steps 2 to 6.

In the second step I should compute a hash of the serialization of some parameters of the SetVariable() call. Does the serialization here mean concatenating the bytes of each variable and then computing the hash? The algorithm to compute the hash is not specified up to this point. The pseudo-code example is *digest=hash(VariableName,VendorGuid, Attributes, TimeStamp, DataNew_variable_content);* and by reading further I assume the allowed algorithm is SHA256, which is quoted in step 4.b.

In the third step I should sign the digest value computed in the second step, using a selected signature scheme, and they show an example: *(e.g. PKCS #1 v1.5)*. I don't know which methods we have to do this task, but I assume we have some tool or feature in openssl which can handle it. Reading further again I found *Only a digest encryption algorithm of RSA with PKCS #1 v1.5 padding (RSASSA_PKCS1v1_5) is accepted*, said in step 4.g. So I assumed it is necessary to use PKCS #1 v1.5 in this step.

In the fourth step the spec asks to create a DER-encoded PKCS #7 version 1.5 SignedData, with a set of rules to fill SignedData and SignerInfo.

Steps 5 and 6 are just about constructing the Data parameter following the proper rules before the call to SetVariable(). I want to know if we have the algorithms used in the Crypto and Security Pkg, and if I assumed the algorithms used in steps 2 to 4 correctly. I am new to all these cryptography concepts, so any resource and code example on setting a new Authenticated variable will be appreciated.

I attached an example of what I believe the UEFI Application should do to set a new time-based authenticated variable; steps 2 to 6 are just comments in some kind of pseudo-code. Let me know if this is the correct path and if I should use external tools outside of the UEFI preboot environment to do the computations.

Regards, Paulo Amorim.
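
The serialization asked about in step 2 and the Data layout of steps 5 and 6, as an added example that is not part of the original post or of EDK II. It runs offline on a build host; the variable name, vendor GUID and PKCS #7 bytes used with it are constructed placeholders, and the real detached SHA-256 SignedData of steps 3 and 4 is assumed to come from an external signer.

```python
import struct
import uuid
from datetime import datetime

# Constants from the UEFI specification.
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_REVISION = 0x0200
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20


def efi_time(ts: datetime) -> bytes:
    """16-byte EFI_TIME; Pad1, Nanosecond, TimeZone, Daylight, Pad2 stay zero."""
    return struct.pack("<HBBBBBBIhBB", ts.year, ts.month, ts.day,
                       ts.hour, ts.minute, ts.second, 0, 0, 0, 0, 0)


def to_be_signed(name: str, vendor_guid: uuid.UUID, attributes: int,
                 ts: datetime, data: bytes) -> bytes:
    """Step 2: plain concatenation that the signer hashes with SHA-256."""
    return (name.encode("utf-16-le")        # CHAR16 name, no terminating NUL
            + vendor_guid.bytes_le          # EFI_GUID in-memory (mixed-endian) layout
            + struct.pack("<I", attributes)
            + efi_time(ts)
            + data)


def auth2_payload(ts: datetime, pkcs7_der: bytes, data: bytes) -> bytes:
    """Steps 5-6: EFI_VARIABLE_AUTHENTICATION_2 followed by the new content."""
    # dwLength covers the WIN_CERTIFICATE header, CertType and CertData.
    dw_length = 8 + 16 + len(pkcs7_der)
    win_cert = struct.pack("<IHH", dw_length, WIN_CERT_REVISION,
                           WIN_CERT_TYPE_EFI_GUID)
    return (efi_time(ts) + win_cert
            + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7_der + data)


# Constructed sample values (hypothetical variable, not from the post).
SAMPLE_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_ATTRS = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
                | EFI_VARIABLE_RUNTIME_ACCESS
                | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
SAMPLE_TIME = datetime(2019, 9, 23, 14, 2, 55)
```

The same TimeStamp and Attributes values must be used in the signed buffer, in the descriptor and in the SetVariable() call, otherwise the firmware recomputes a different digest and rejects the write.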

-------------- next part --------------
A non-text attachment was scrubbed...
Name: authvar.c
Type: text/x-csrc
Size: 1306 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/edk2-devel-archive/attachments/20190923/043e06f1/attachment.bin>