BaseTools/Scripts: Add the GenFmpImageAuth and WindowsCapsuleFiles sc…

…ripts
microsoft · Jul 16, 2024 · 86b5ee6 · 86b5ee6
1 parent 37e5adf
commit 86b5ee6
Show file tree

Hide file tree

Showing 3 changed files with 364 additions and 0 deletions.
diff --git a/BaseTools/Scripts/GenFmpImageAuth.py b/BaseTools/Scripts/GenFmpImageAuth.py
@@ -0,0 +1,231 @@
+##
+## Script to Generate a UEFI 2.4B FMP compliant Image Auth Header wrapped
+## around the payload file.
+##
+## For dev purposes this script takes a payload file and signs it and encapsulates it
+## in the correct headers.  This file is then ready to be put into a FMP capsule. 
+##
+## For production use this script has a production flag and a DetachedSignature parameter
+## which allows the signing to be done offline. 
+##
+## General process:
+##   Phase 1: Create payload file by combining payload and monotonic count
+##   Phase 2: Sign it using signtool
+##   Phase 3: Wrap payload in headers to create final FMP Image header/payload
+##
+##
+## Copyright (c) Microsoft Corporation.
+## SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+
+import os, sys
+from optparse import OptionParser
+import logging
+import datetime
+import struct
+import subprocess
+import uuid
+from edk2toollib.utility_functions import RunCmd
+from edk2toollib.utility_functions import DetachedSignWithSignTool
+
+
+gPhase3PackageOnly = False
+
+#
+#main script function
+#
+def main():
+    parser = OptionParser()
+    #Output debug log
+    parser.add_option("-l", dest="OutputLog", help="Create an output log file: ie -l out.txt", default=None)
+    parser.add_option("-o", "--OutputFile", dest="OutputFile", help="Result/Output file", default=None)
+    parser.add_option("-p", "--payload", dest="Payload", help="Input unsigned payload file", default=None)
+    parser.add_option("--production", dest="ProductionSign", action="store_true", help="Production Sign Process (no dev signing)", default=False)
+    parser.add_option("-m", dest="MonotonicCount", help="Monotonic Count Value", default=0)
+    parser.add_option("-s", dest="DetachedSignature", help="Detached Signature file (production signed phase 3 step only)", default=None)
+    parser.add_option("--pfxfile", dest="PfxPath", help="Path to PFX file for dev signing", default=None)
+    parser.add_option("--pfxpass", dest="PfxPass", help="Optional - PFX password for dev signing with PFX cert", default=None)
+    parser.add_option("--eku", dest="Eku", help="Option -specify EKU value to pass to signtool if required", default=None)
+    parser.add_option("--SignTool", dest="SignToolPath", help="Path to signtool.exe")
+    #Turn on dubug level logging
+    parser.add_option("--debug", action="store_true", dest="debug", help="turn on debug logging level for file log",  default=False)
+    parser.add_option("--dirty", action="store_true", dest="dirty", help="turn on dirty flag to keep intermediate files.  Default is to delete them.",  default=False)
+
+    (options, args) = parser.parse_args()
+
+    #setup file based logging if outputReport specified
+    if(options.OutputLog):
+        if(len(options.OutputLog) < 2):
+            logging.critical("the output log file parameter is invalid")
+            return -2
+        else:
+            #setup file based logging
+            filelogger = logging.FileHandler(filename=options.OutputLog, mode='w')
+            if(options.debug):
+                filelogger.setLevel(logging.DEBUG)
+            else:
+                filelogger.setLevel(logging.INFO)
+
+            filelogger.setFormatter(formatter)
+            logging.getLogger('').addHandler(filelogger)
+
+    logging.info("Log Started: " + datetime.datetime.strftime(datetime.datetime.now(), "%A, %B %d, %Y %I:%M%p" ))
+
+    #check for valid files
+    if not options.Payload:
+        logging.critical("No Payload file specified")
+        return -1
+
+    if not os.path.isfile(options.Payload):
+        logging.critical("Invalid Path to payload file")
+        return -2
+
+    if not options.DetachedSignature:
+        logging.debug("No Detached Signature File.")
+    else:
+        logging.debug("Parameter for detached signature file specified. " + options.DetachedSignature)
+        logging.debug("Entering Phase2-PackageOnly Mode")
+        global gPhase3PackageOnly
+        gPhase3PackageOnly = True
+
+    if not options.OutputFile:
+        logging.debug("No output file specified.  Using default. AuthPayload.FmImageAuth")
+        options.OutputFile = "AuthPayload.FmImageAuth"
+
+    if(not gPhase3PackageOnly and not options.ProductionSign):
+        #must have a pfx file
+        if not options.PfxPath:
+            logging.critical("No Pfx File given.")
+            return -7
+        if not os.path.isfile(options.PfxPath):
+            logging.critical("Invalid PFX Path.  File doesn't exist.  " + options.PfxPath)
+            return -6
+
+        logging.debug("Using PFX file: " + str(options.PfxPath))
+
+
+    logging.debug("Production Mode: " + str(options.ProductionSign))
+    logging.debug("Monotonic Count: " + str(options.MonotonicCount))
+    logging.debug("Output File: " + str(options.OutputFile))
+    logging.debug("Dirty Mode: " + str(options.dirty))
+
+    FileToSign = os.path.join("payload.Temp.ToBeSigned")
+
+
+
+    #if not doing phase2 only then we need to do presign stuff
+    if not gPhase3PackageOnly:
+        #Since we are not in phase3packageonly mode we know no DetachedSignature file speficied.  Set to the default output. 
+        OutputDir = os.path.dirname(os.path.abspath(options.OutputFile))
+        logging.debug("Temp files will be written to: " + str(OutputDir))
+
+        #change the path to temp location
+        FileToSign = os.path.join(OutputDir, FileToSign)
+        options.DetachedSignature = FileToSign + ".p7"
+
+        #Create a temp file with payload + monotonic count
+        f = open(FileToSign, "wb")
+        pf = open(options.Payload, "rb")
+        f.write(pf.read())
+        mc = struct.pack("Q", int(options.MonotonicCount))
+        f.write(mc)
+        pf.close()
+        f.close()
+
+
+        #if not doing production signing then sign it
+        if not options.ProductionSign:
+            #check sign tool
+            if(os.path.exists(options.SignToolPath)):
+                logging.debug("Signtool.exe found at location: " + options.SignToolPath)
+            else:
+                logging.critical("Can't find signtool at location: " + options.SignToolPath)
+                return -5
+
+            ret = DetachedSignWithSignTool(
+                options.SignToolPath, 
+                FileToSign,  
+                options.DetachedSignature, 
+                options.PfxPath, 
+                PfxPass=options.PfxPass,
+                Eku=options.Eku
+                )
+
+            if ret != 0:
+                logging.critical("DetachedSignWithSignTool Failed: " + str(ret))
+                return ret
+
+            if not options.dirty:
+                logging.debug("Delete temp file: " + str(FileToSign))
+                os.remove(FileToSign)
+
+
+        else:
+            logging.critical("File To Production Sign Created: " + FileToSign)
+            return 0
+
+    #package the final output (phase 3)
+    wcugSize = os.path.getsize(options.DetachedSignature)
+    logging.debug("PKCS7 Signed Data is size: " + str(wcugSize))
+    wcugSize = wcugSize + 4 + 2 + 2 + 16  # matches the hdr + guid below
+
+    #
+    #Header layout and structures defined in UEFI 2.4 Errata B.
+    #
+
+    #EFI_FIRMWARE_IMAGE_AUTH
+        #UINT64 Monotonic Count                  <--count value used when signing it
+        #WIN_CERTIFICATE_UEFI_GUID AuthInfo
+            #WIN_CERTIFICATE Hdr
+                #UINT32 dwLength                 <--Length of cert header 
+                #UINT16 wRevision                <--Revision level of win cert current 0x0200
+                #UINT16 wCertType                <--WIN_CERT_TYPE_EFI_GUID  0x0EF1
+            #EFI_GUID CertType                   <--gEfiCertPkcs7Guid  = { 0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7 }}
+            #UINT8[] PKCS7 SignedData            <--DetachedSignature from signtool 
+    #UINT8[] Payload                             <--Payload file
+
+    #struct format for the header
+    header = struct.pack("QLHH", int(options.MonotonicCount), int(wcugSize), int("200", 16), int("0EF1", 16))
+    pkcsguid = uuid.UUID('{4aafd29d-68df-49ee-8aa9-347d375665a7}')
+
+    f = open(options.OutputFile, "wb")
+    f.write(header)
+    f.write(pkcsguid.bytes_le)
+    sd = open(options.DetachedSignature, "rb")
+    f.write(sd.read())
+    sd.close()
+    p = open(options.Payload, "rb")
+    f.write(p.read())
+    p.close()
+    f.close()
+    logging.critical("Final FMP compliant Authenticated Payload Image File created:\n " + os.path.abspath(str(options.OutputFile)))
+
+    #if user wants temp files deleted and didn't pass in the p7 file....then delete it now
+    if not options.dirty:
+        if not gPhase3PackageOnly:
+            logging.debug("Delete temp file: " + str(options.DetachedSignature))
+            os.remove(options.DetachedSignature)
+
+
+    return 0
+
+
+if __name__ == '__main__':
+    #setup main console as logger
+    logger = logging.getLogger('')
+    logger.setLevel(logging.DEBUG)
+    formatter = logging.Formatter("%(levelname)s - %(message)s")
+    console = logging.StreamHandler()
+    console.setLevel(logging.CRITICAL)
+    console.setFormatter(formatter)
+    logger.addHandler(console)
+
+    #call main worker function
+    retcode = main()
+
+    if retcode != 0:
+        logging.critical("Failed.  Return Code: %i" % retcode)
+    #end logging
+    logging.shutdown()
+    sys.exit(retcode)
diff --git a/BaseTools/Scripts/WindowsCapsuleFileGen.py b/BaseTools/Scripts/WindowsCapsuleFileGen.py
@@ -0,0 +1,129 @@
+##
+# Tool to create a Windows Capsule files that complies with 
+# the Windows Firmware Update Platform specification.  
+#
+# Gen INF, CAT, and then dev sign the CAT if PFX supplied.
+#
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+import os
+import sys
+import logging
+import argparse
+import datetime
+
+from edk2toollib.windows.capsule.cat_generator import *
+from edk2toollib.windows.capsule.inf_generator import *
+from edk2toollib.utility_functions import CatalogSignWithSignTool
+
+def main():
+    parser = argparse.ArgumentParser(description='Generate Windows Firmware Update Platform Files for Capsules')
+    parser.add_argument("name", help="Firmware Name. No spaces")
+    parser.add_argument("provider", help="Firmware provider listed in INF")
+    parser.add_argument("description", help="Firmware description listed in INF")
+    parser.add_argument("version_string", help="Version String in form of XX.XX.XX[.XX]")
+    parser.add_argument("version_hex", help="Version String in Hex 0xAABBCCDD must be representable within 32bit")
+    parser.add_argument("esrt_guid", help="guid string in registry format (########-####-####-####-############) for this ESRT entry")
+    parser.add_argument("firmware_bin_file_path", help="full path to firmware bin / capsule file")
+    parser.add_argument('arch', choices=InfGenerator.SUPPORTED_ARCH,  help="Architecture targeted by INF and CAT")
+    parser.add_argument('operating_sytem', choices=CatGenerator.SUPPORTED_OS,  help="operating system targeted by INF and CAT")
+    parser.add_argument("--mfgname", help="Manufacturer name listed in INF")
+    parser.add_argument("--rollback", action="store_true", dest="rollback", help="build a rollback capsule",  default=False)
+    parser.add_argument("--pfx_file", help="Full Path to PFX file.  If not set then signing will not be performed.")
+    parser.add_argument("--pfx_pass", help="Password for PFX file.  Optional based on PFX file")
+
+
+    #Turn on dubug level logging
+    parser.add_argument("--debug", action="store_true", dest="debug", help="turn on debug logging level for file log",  default=False)
+    #Output debug log
+    parser.add_argument("-l", dest="OutputLog", help="Create an output debug log file: ie -l out.txt", default=None)
+
+    args = parser.parse_args()
+
+    #setup file based logging if outputReport specified
+    if(args.OutputLog):
+        if(len(args.OutputLog) < 2):
+            logging.critical("the output log file parameter is invalid")
+            return -2
+        else:
+            #setup file based logging
+            filelogger = logging.FileHandler(filename=args.OutputLog, mode='w')
+            if(args.debug):
+                filelogger.setLevel(logging.DEBUG)
+            else:
+                filelogger.setLevel(logging.INFO)
+
+            filelogger.setFormatter(formatter)
+            logging.getLogger('').addHandler(filelogger)
+
+    logging.info("Log Started: " + datetime.datetime.strftime(datetime.datetime.now(), "%A, %B %d, %Y %I:%M%p" ))
+    OutputFolder = os.path.dirname(args.firmware_bin_file_path)
+    FirmwareFile = os.path.basename(args.firmware_bin_file_path)
+
+    logging.debug("Make INF")
+    #Make INF
+    InfFilePath = os.path.join(OutputFolder, args.name + ".inf")
+    InfTool = InfGenerator(args.name, args.provider, args.esrt_guid, args.arch, args.description, args.version_string, args.version_hex)
+    if(args.mfgname is not None):
+      InfTool.Manufacturer = args.mfgname  #optional
+    ret = InfTool.MakeInf(InfFilePath, FirmwareFile, args.rollback)
+    if(ret != 0):
+        logging.critical("CreateWindowsInf Failed with errorcode %d" % ret)
+        return ret
+
+    #Make CAT
+    CatFilePath = os.path.realpath(os.path.join(OutputFolder, args.name + ".cat"))
+    CatTool = CatGenerator(args.arch, args.operating_sytem)
+    ret = CatTool.MakeCat(CatFilePath)
+
+    if(ret != 0):
+        logging.critical("Creating Cat file Failed with errorcode %d" % ret)
+        return ret
+
+    if(args.pfx_file is not None):
+        logging.debug("PFX file set.  Going to do signing")
+        #Find Signtool 
+        SignToolPath = os.path.join(os.getenv("ProgramFiles(x86)"), "Windows Kits", "8.1", "bin", "x64", "signtool.exe")
+        if not os.path.exists(SignToolPath):
+            logging.debug("Failed to find 8.1 version of signtool. Trying 10")
+            SignToolPath = SignToolPath.replace('8.1', '10')
+
+        if not os.path.exists(SignToolPath):
+            logging.critical("Can't find signtool on this machine.")
+            return -3
+        #dev sign the cat file
+        ret = CatalogSignWithSignTool(SignToolPath, CatFilePath, args.pfx_file, args.pfx_pass)
+        if(ret != 0):
+            logging.critical("Signing Cat file Failed with errorcode %d" % ret)
+            return ret
+    else:
+        logging.info("No PFX. Not signing")
+
+    return ret 
+
+
+#--------------------------------
+# Control starts here
+#
+#--------------------------------
+if __name__ == '__main__':
+    #setup main console as logger
+    logger = logging.getLogger('')
+    logger.setLevel(logging.DEBUG)
+    formatter = logging.Formatter("%(levelname)s - %(message)s")
+    console = logging.StreamHandler()
+    console.setLevel(logging.CRITICAL)
+    console.setFormatter(formatter)
+    logger.addHandler(console)
+
+    #call main worker function
+    retcode = main()
+
+    if retcode != 0:
+        logging.critical("Failed.  Return Code: %i" % retcode)
+    #end logging
+    logging.shutdown()
+    sys.exit(retcode)
diff --git a/BaseTools/Scripts/basetools_scripts_bin_path_env.json b/BaseTools/Scripts/basetools_scripts_bin_path_env.json
@@ -0,0 +1,4 @@
+{
+  "scope": "global",
+  "flags": ["set_path"]
+}