blob: ebfcab2f0a2c3ec08e58b6fc939335ee71f7213e [file] [log] [blame]
Paulo Alcantara26590682020-12-08 20:10:48 -03001#!/usr/bin/env python3
2## SPDX-License-Identifier: GPL-2.0-only
3#
4# EFI variable store utilities.
5#
6# (c) 2020 Paulo Alcantara <palcantara@suse.de>
7#
8
9import os
10import struct
11import uuid
12import time
13import zlib
14import argparse
15from OpenSSL import crypto
16
17# U-Boot variable store format (version 1)
18UBOOT_EFI_VAR_FILE_MAGIC = 0x0161566966456255
19
20# UEFI variable attributes
21EFI_VARIABLE_NON_VOLATILE = 0x1
22EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
23EFI_VARIABLE_RUNTIME_ACCESS = 0x4
24EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS = 0x10
25EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
26EFI_VARIABLE_READ_ONLY = 1 << 31
27NV_BS = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
28NV_BS_RT = NV_BS | EFI_VARIABLE_RUNTIME_ACCESS
29NV_BS_RT_AT = NV_BS_RT | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
30DEFAULT_VAR_ATTRS = NV_BS_RT
31
32# vendor GUIDs
33EFI_GLOBAL_VARIABLE_GUID = '8be4df61-93ca-11d2-aa0d-00e098032b8c'
34EFI_IMAGE_SECURITY_DATABASE_GUID = 'd719b2cb-3d3a-4596-a3bc-dad00e67656f'
35EFI_CERT_TYPE_PKCS7_GUID = '4aafd29d-68df-49ee-8aa9-347d375665a7'
36WIN_CERT_TYPE_EFI_GUID = 0x0ef1
37WIN_CERT_REVISION = 0x0200
38
39var_attrs = {
40 'NV': EFI_VARIABLE_NON_VOLATILE,
41 'BS': EFI_VARIABLE_BOOTSERVICE_ACCESS,
42 'RT': EFI_VARIABLE_RUNTIME_ACCESS,
43 'AT': EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
44 'RO': EFI_VARIABLE_READ_ONLY,
45 'AW': EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS,
46}
47
48var_guids = {
49 'EFI_GLOBAL_VARIABLE_GUID': EFI_GLOBAL_VARIABLE_GUID,
50 'EFI_IMAGE_SECURITY_DATABASE_GUID': EFI_IMAGE_SECURITY_DATABASE_GUID,
51}
52
53class EfiStruct:
54 # struct efi_var_file
55 var_file_fmt = '<QQLL'
56 var_file_size = struct.calcsize(var_file_fmt)
57 # struct efi_var_entry
58 var_entry_fmt = '<LLQ16s'
59 var_entry_size = struct.calcsize(var_entry_fmt)
60 # struct efi_time
61 var_time_fmt = '<H6BLh2B'
62 var_time_size = struct.calcsize(var_time_fmt)
63 # WIN_CERTIFICATE
64 var_win_cert_fmt = '<L2H'
65 var_win_cert_size = struct.calcsize(var_win_cert_fmt)
66 # WIN_CERTIFICATE_UEFI_GUID
67 var_win_cert_uefi_guid_fmt = var_win_cert_fmt+'16s'
68 var_win_cert_uefi_guid_size = struct.calcsize(var_win_cert_uefi_guid_fmt)
69
70class EfiVariable:
71 def __init__(self, size, attrs, time, guid, name, data):
72 self.size = size
73 self.attrs = attrs
74 self.time = time
75 self.guid = guid
76 self.name = name
77 self.data = data
78
79def calc_crc32(buf):
80 return zlib.crc32(buf) & 0xffffffff
81
82class EfiVariableStore:
83 def __init__(self, infile):
84 self.infile = infile
85 self.efi = EfiStruct()
86 if os.path.exists(self.infile) and os.stat(self.infile).st_size > self.efi.var_file_size:
87 with open(self.infile, 'rb') as f:
88 buf = f.read()
89 self._check_header(buf)
90 self.ents = buf[self.efi.var_file_size:]
91 else:
92 self.ents = bytearray()
93
94 def _check_header(self, buf):
95 hdr = struct.unpack_from(self.efi.var_file_fmt, buf, 0)
96 magic, crc32 = hdr[1], hdr[3]
97
98 if magic != UBOOT_EFI_VAR_FILE_MAGIC:
99 print("err: invalid magic number: %s"%hex(magic))
100 exit(1)
101 if crc32 != calc_crc32(buf[self.efi.var_file_size:]):
102 print("err: invalid crc32: %s"%hex(crc32))
103 exit(1)
104
105 def _get_var_name(self, buf):
106 name = ''
107 for i in range(0, len(buf) - 1, 2):
108 if not buf[i] and not buf[i+1]:
109 break
110 name += chr(buf[i])
111 return ''.join([chr(x) for x in name.encode('utf_16_le') if x]), i + 2
112
113 def _next_var(self, offs=0):
114 size, attrs, time, guid = struct.unpack_from(self.efi.var_entry_fmt, self.ents, offs)
115 data_fmt = str(size)+"s"
116 offs += self.efi.var_entry_size
117 name, namelen = self._get_var_name(self.ents[offs:])
118 offs += namelen
119 data = struct.unpack_from(data_fmt, self.ents, offs)[0]
120 # offset to next 8-byte aligned variable entry
121 offs = (offs + len(data) + 7) & ~7
122 return EfiVariable(size, attrs, time, uuid.UUID(bytes_le=guid), name, data), offs
123
124 def __iter__(self):
125 self.offs = 0
126 return self
127
128 def __next__(self):
129 if self.offs < len(self.ents):
130 var, noffs = self._next_var(self.offs)
131 self.offs = noffs
132 return var
133 else:
134 raise StopIteration
135
136 def __len__(self):
137 return len(self.ents)
138
139 def _set_var(self, guid, name_data, size, attrs, tsec):
140 ent = struct.pack(self.efi.var_entry_fmt,
141 size,
142 attrs,
143 tsec,
144 uuid.UUID(guid).bytes_le)
145 ent += name_data
146 self.ents += ent
147
148 def del_var(self, guid, name, attrs):
149 offs = 0
150 while offs < len(self.ents):
151 var, loffs = self._next_var(offs)
152 if var.name == name and str(var.guid):
153 if var.attrs != attrs:
154 print("err: attributes don't match")
155 exit(1)
156 self.ents = self.ents[:offs] + self.ents[loffs:]
157 return
158 offs = loffs
159 print("err: variable not found")
160 exit(1)
161
162 def set_var(self, guid, name, data, size, attrs):
163 offs = 0
164 while offs < len(self.ents):
165 var, loffs = self._next_var(offs)
166 if var.name == name and str(var.guid) == guid:
167 if var.attrs != attrs:
168 print("err: attributes don't match")
169 exit(1)
170 # make room for updating var
171 self.ents = self.ents[:offs] + self.ents[loffs:]
172 break
173 offs = loffs
174
175 tsec = int(time.time()) if attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS else 0
176 nd = name.encode('utf_16_le') + b"\x00\x00" + data
177 # U-Boot variable format requires the name + data blob to be 8-byte aligned
178 pad = ((len(nd) + 7) & ~7) - len(nd)
179 nd += bytes([0] * pad)
180
181 return self._set_var(guid, nd, size, attrs, tsec)
182
183 def save(self):
184 hdr = struct.pack(self.efi.var_file_fmt,
185 0,
186 UBOOT_EFI_VAR_FILE_MAGIC,
187 len(self.ents) + self.efi.var_file_size,
188 calc_crc32(self.ents))
189
190 with open(self.infile, 'wb') as f:
191 f.write(hdr)
192 f.write(self.ents)
193
194def parse_attrs(attrs):
195 v = DEFAULT_VAR_ATTRS
196 if attrs:
197 v = 0
198 for i in attrs.split(','):
199 v |= var_attrs[i.upper()]
200 return v
201
202def parse_data(val, vtype):
203 if not val or not vtype:
204 return None, 0
205 fmt = { 'u8': '<B', 'u16': '<H', 'u32': '<L', 'u64': '<Q' }
206 if vtype.lower() == 'file':
207 with open(val, 'rb') as f:
208 data = f.read()
209 return data, len(data)
210 if vtype.lower() == 'str':
211 data = val.encode('utf-8')
212 return data, len(data)
213 if vtype.lower() == 'nil':
214 return None, 0
215 i = fmt[vtype.lower()]
216 return struct.pack(i, int(val)), struct.calcsize(i)
217
218def parse_args(args):
219 name = args.name
220 attrs = parse_attrs(args.attrs)
221 guid = args.guid if args.guid else EFI_GLOBAL_VARIABLE_GUID
222
223 if name.lower() == 'db' or name.lower() == 'dbx':
224 name = name.lower()
225 guid = EFI_IMAGE_SECURITY_DATABASE_GUID
226 attrs = NV_BS_RT_AT
227 elif name.lower() == 'pk' or name.lower() == 'kek':
228 name = name.upper()
229 guid = EFI_GLOBAL_VARIABLE_GUID
230 attrs = NV_BS_RT_AT
231
232 data, size = parse_data(args.data, args.type)
233 return guid, name, attrs, data, size
234
235def cmd_set(args):
236 env = EfiVariableStore(args.infile)
237 guid, name, attrs, data, size = parse_args(args)
238 env.set_var(guid=guid, name=name, data=data, size=size, attrs=attrs)
239 env.save()
240
241def print_var(var):
242 print(var.name+':')
243 print(" "+str(var.guid)+' '+''.join([x for x in var_guids if str(var.guid) == var_guids[x]]))
244 print(" "+'|'.join([x for x in var_attrs if var.attrs & var_attrs[x]])+", DataSize = %s"%hex(var.size))
245 hexdump(var.data)
246
247def cmd_print(args):
248 env = EfiVariableStore(args.infile)
249 if not args.name and not args.guid and not len(env):
250 return
251
252 found = False
253 for var in env:
254 if not args.name:
255 if args.guid and args.guid != str(var.guid):
256 continue
257 print_var(var)
258 found = True
259 else:
260 if args.name != var.name or (args.guid and args.guid != str(var.guid)):
261 continue
262 print_var(var)
263 found = True
264
265 if not found:
266 print("err: variable not found")
267 exit(1)
268
269def cmd_del(args):
270 env = EfiVariableStore(args.infile)
271 attrs = parse_attrs(args.attrs)
272 guid = args.guid if args.guid else EFI_GLOBAL_VARIABLE_GUID
273 env.del_var(guid, args.name, attrs)
274 env.save()
275
276def pkcs7_sign(cert, key, buf):
277 with open(cert, 'r') as f:
278 crt = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
279 with open(key, 'r') as f:
280 pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())
281
282 PKCS7_BINARY = 0x80
283 PKCS7_DETACHED = 0x40
284 PKCS7_NOATTR = 0x100
285
286 bio_in = crypto._new_mem_buf(buf)
287 p7 = crypto._lib.PKCS7_sign(crt._x509, pkey._pkey, crypto._ffi.NULL, bio_in,
288 PKCS7_BINARY|PKCS7_DETACHED|PKCS7_NOATTR)
289 bio_out = crypto._new_mem_buf()
290 crypto._lib.i2d_PKCS7_bio(bio_out, p7)
291 return crypto._bio_to_string(bio_out)
292
293# UEFI 2.8 Errata B "8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2 descriptor"
294def cmd_sign(args):
295 guid, name, attrs, data, size = parse_args(args)
296 attrs |= EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
297 efi = EfiStruct()
298
299 tm = time.localtime()
300 etime = struct.pack(efi.var_time_fmt,
301 tm.tm_year, tm.tm_mon, tm.tm_mday,
302 tm.tm_hour, tm.tm_min, tm.tm_sec,
303 0, 0, 0, 0, 0)
304
305 buf = name.encode('utf_16_le') + uuid.UUID(guid).bytes_le + attrs.to_bytes(4, byteorder='little') + etime
306 if data:
307 buf += data
308 sig = pkcs7_sign(args.cert, args.key, buf)
309
310 desc = struct.pack(efi.var_win_cert_uefi_guid_fmt,
311 efi.var_win_cert_uefi_guid_size + len(sig),
312 WIN_CERT_REVISION,
313 WIN_CERT_TYPE_EFI_GUID,
314 uuid.UUID(EFI_CERT_TYPE_PKCS7_GUID).bytes_le)
315
316 with open(args.outfile, 'wb') as f:
317 if data:
318 f.write(etime + desc + sig + data)
319 else:
320 f.write(etime + desc + sig)
321
322def main():
323 ap = argparse.ArgumentParser(description='EFI variable store utilities')
324 subp = ap.add_subparsers(help="sub-command help")
325
326 printp = subp.add_parser('print', help='get/list EFI variables')
327 printp.add_argument('--infile', '-i', required=True, help='file to save the EFI variables')
328 printp.add_argument('--name', '-n', help='variable name')
329 printp.add_argument('--guid', '-g', help='vendor GUID')
330 printp.set_defaults(func=cmd_print)
331
332 setp = subp.add_parser('set', help='set EFI variable')
333 setp.add_argument('--infile', '-i', required=True, help='file to save the EFI variables')
334 setp.add_argument('--name', '-n', required=True, help='variable name')
335 setp.add_argument('--attrs', '-a', help='variable attributes (values: nv,bs,rt,at,ro,aw)')
336 setp.add_argument('--guid', '-g', help="vendor GUID (default: %s)"%EFI_GLOBAL_VARIABLE_GUID)
337 setp.add_argument('--type', '-t', help='variable type (values: file|u8|u16|u32|u64|str)')
338 setp.add_argument('--data', '-d', help='data or filename')
339 setp.set_defaults(func=cmd_set)
340
341 delp = subp.add_parser('del', help='delete EFI variable')
342 delp.add_argument('--infile', '-i', required=True, help='file to save the EFI variables')
343 delp.add_argument('--name', '-n', required=True, help='variable name')
344 delp.add_argument('--attrs', '-a', help='variable attributes (values: nv,bs,rt,at,ro,aw)')
345 delp.add_argument('--guid', '-g', help="vendor GUID (default: %s)"%EFI_GLOBAL_VARIABLE_GUID)
346 delp.set_defaults(func=cmd_del)
347
348 signp = subp.add_parser('sign', help='sign time-based EFI payload')
349 signp.add_argument('--cert', '-c', required=True, help='x509 certificate filename in PEM format')
350 signp.add_argument('--key', '-k', required=True, help='signing certificate filename in PEM format')
351 signp.add_argument('--name', '-n', required=True, help='variable name')
352 signp.add_argument('--attrs', '-a', help='variable attributes (values: nv,bs,rt,at,ro,aw)')
353 signp.add_argument('--guid', '-g', help="vendor GUID (default: %s)"%EFI_GLOBAL_VARIABLE_GUID)
354 signp.add_argument('--type', '-t', required=True, help='variable type (values: file|u8|u16|u32|u64|str|nil)')
355 signp.add_argument('--data', '-d', help='data or filename')
356 signp.add_argument('--outfile', '-o', required=True, help='output filename of signed EFI payload')
357 signp.set_defaults(func=cmd_sign)
358
359 args = ap.parse_args()
360 args.func(args)
361
362def group(a, *ns):
363 for n in ns:
364 a = [a[i:i+n] for i in range(0, len(a), n)]
365 return a
366
367def join(a, *cs):
368 return [cs[0].join(join(t, *cs[1:])) for t in a] if cs else a
369
370def hexdump(data):
371 toHex = lambda c: '{:02X}'.format(c)
372 toChr = lambda c: chr(c) if 32 <= c < 127 else '.'
373 make = lambda f, *cs: join(group(list(map(f, data)), 8, 2), *cs)
374 hs = make(toHex, ' ', ' ')
375 cs = make(toChr, ' ', '')
376 for i, (h, c) in enumerate(zip(hs, cs)):
377 print (' {:010X}: {:48} {:16}'.format(i * 16, h, c))
378
379if __name__ == '__main__':
380 main()