## @file # Generate a capsule. # # This tool generates a UEFI Capsule around an FMP Capsule. The capsule payload # be signed using signtool or OpenSSL and if it is signed the signed content # includes an FMP Payload Header. # # This tool is intended to be used to generate UEFI Capsules to update the # system firmware or device firmware for integrated devices. In order to # keep the tool as simple as possible, it has the following limitations: # * Do not support vendor code bytes in a capsule. # # Copyright (c) 2018 - 2022, Intel Corporation. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause-Patent # ''' GenerateCapsule ''' import sys import argparse import uuid import struct import subprocess import os import tempfile import shutil import platform import json from Common.Uefi.Capsule.UefiCapsuleHeader import UefiCapsuleHeaderClass from Common.Uefi.Capsule.FmpCapsuleHeader import FmpCapsuleHeaderClass from Common.Uefi.Capsule.FmpAuthHeader import FmpAuthHeaderClass from Common.Uefi.Capsule.CapsuleDependency import CapsuleDependencyClass from Common.Edk2.Capsule.FmpPayloadHeader import FmpPayloadHeaderClass # # Globals for help information # __prog__ = 'GenerateCapsule' __version__ = '0.10' __copyright__ = 'Copyright (c) 2022, Intel Corporation. All rights reserved.' __description__ = 'Generate a capsule.\n' def SignPayloadSignTool (Payload, ToolPath, PfxFile, SubjectName, Verbose = False): # # Create a temporary directory # TempDirectoryName = tempfile.mkdtemp() # # Generate temp file name for the payload contents # TempFileName = os.path.join (TempDirectoryName, 'Payload.bin') # # Create temporary payload file for signing # try: with open (TempFileName, 'wb') as File: File.write (Payload) except: shutil.rmtree (TempDirectoryName) raise ValueError ('GenerateCapsule: error: can not write temporary payload file.') # # Build signtool command # if ToolPath is None: ToolPath = '' Command = '' Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'signtool.exe')) Command = Command + 'sign /fd sha256 /p7ce DetachedSignedData /p7co 1.2.840.113549.1.7.2 ' Command = Command + '/p7 {TempDir} '.format (TempDir = TempDirectoryName) if PfxFile is not None: Command = Command + '/f {PfxFile} '.format (PfxFile = PfxFile) if SubjectName is not None: Command = Command + '/n {SubjectName} '.format (SubjectName = SubjectName) Command = Command + TempFileName if Verbose: print (Command) # # Sign the input file using the specified private key # try: Process = subprocess.Popen (Command, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE, shell = True) Result = Process.communicate('') except: shutil.rmtree (TempDirectoryName) raise ValueError ('GenerateCapsule: error: can not run signtool.') if Process.returncode != 0: shutil.rmtree (TempDirectoryName) print (Result[1].decode()) raise ValueError ('GenerateCapsule: error: signtool failed.') # # Read the signature from the generated output file # try: with open (TempFileName + '.p7', 'rb') as File: Signature = File.read () except: shutil.rmtree (TempDirectoryName) raise ValueError ('GenerateCapsule: error: can not read signature file.') shutil.rmtree (TempDirectoryName) return Signature def VerifyPayloadSignTool (Payload, CertData, ToolPath, PfxFile, SubjectName, Verbose = False): print ('signtool verify is not supported.') raise ValueError ('GenerateCapsule: error: signtool verify is not supported.') def SignPayloadOpenSsl (Payload, ToolPath, SignerPrivateCertFile, OtherPublicCertFile, TrustedPublicCertFile, Verbose = False): # # Build openssl command # if ToolPath is None: ToolPath = '' Command = '' Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'openssl')) Command = Command + 'smime -sign -binary -outform DER -md sha256 ' Command = Command + '-signer "{Private}" -certfile "{Public}"'.format (Private = SignerPrivateCertFile, Public = OtherPublicCertFile) if Verbose: print (Command) # # Sign the input file using the specified private key and capture signature from STDOUT # try: Process = subprocess.Popen (Command, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE, shell = True) Result = Process.communicate(input = Payload) Signature = Result[0] except: raise ValueError ('GenerateCapsule: error: can not run openssl.') if Process.returncode != 0: print (Result[1].decode()) raise ValueError ('GenerateCapsule: error: openssl failed.') return Signature def VerifyPayloadOpenSsl (Payload, CertData, ToolPath, SignerPrivateCertFile, OtherPublicCertFile, TrustedPublicCertFile, Verbose = False): # # Create a temporary directory # TempDirectoryName = tempfile.mkdtemp() # # Generate temp file name for the payload contents # TempFileName = os.path.join (TempDirectoryName, 'Payload.bin') # # Create temporary payload file for verification # try: with open (TempFileName, 'wb') as File: File.write (Payload) except: shutil.rmtree (TempDirectoryName) raise ValueError ('GenerateCapsule: error: can not write temporary payload file.') # # Build openssl command # if ToolPath is None: ToolPath = '' Command = '' Command = Command + '"{Path}" '.format (Path = os.path.join (ToolPath, 'openssl')) Command = Command + 'smime -verify -inform DER ' Command = Command + '-content {Content} -CAfile "{Public}"'.format (Content = TempFileName, Public = TrustedPublicCertFile) if Verbose: print (Command) # # Verify signature # try: Process = subprocess.Popen (Command, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE, shell = True) Result = Process.communicate(input = CertData) except: shutil.rmtree (TempDirectoryName) raise ValueError ('GenerateCapsule: error: can not run openssl.') if Process.returncode != 0: shutil.rmtree (TempDirectoryName) print (Result[1].decode()) raise ValueError ('GenerateCapsule: error: openssl failed.') shutil.rmtree (TempDirectoryName) return Payload if __name__ == '__main__': def convert_arg_line_to_args(arg_line): for arg in arg_line.split(): if not arg.strip(): continue yield arg def ValidateUnsignedInteger (Argument): try: Value = int (Argument, 0) except: Message = '{Argument} is not a valid integer value.'.format (Argument = Argument) raise argparse.ArgumentTypeError (Message) if Value < 0: Message = '{Argument} is a negative value.'.format (Argument = Argument) raise argparse.ArgumentTypeError (Message) return Value def ValidateRegistryFormatGuid (Argument): try: Value = uuid.UUID (Argument) except: Message = '{Argument} is not a valid registry format GUID value.'.format (Argument = Argument) raise argparse.ArgumentTypeError (Message) return Value def ConvertJsonValue (Config, FieldName, Convert, Required = True, Default = None, Open = False): if FieldName not in Config: if Required: print ('GenerateCapsule: error: Payload descriptor invalid syntax. Could not find {Key} in payload descriptor.'.format(Key = FieldName)) sys.exit (1) return Default try: Value = Convert (Config[FieldName]) except: print ('GenerateCapsule: error: {Key} in payload descriptor has invalid syntax.'.format (Key = FieldName)) sys.exit (1) if Open: try: Value = open (Value, "rb") except: print ('GenerateCapsule: error: can not open file {File}'.format (File = FieldName)) sys.exit (1) return Value def DecodeJsonFileParse (Json): if 'Payloads' not in Json: print ('GenerateCapsule: error "Payloads" section not found in JSON file {File}'.format (File = args.JsonFile.name)) sys.exit (1) for Config in Json['Payloads']: # # Parse fields from JSON # PayloadFile = ConvertJsonValue (Config, 'Payload', os.path.expandvars, Required = False) Guid = ConvertJsonValue (Config, 'Guid', ValidateRegistryFormatGuid, Required = False) FwVersion = ConvertJsonValue (Config, 'FwVersion', ValidateUnsignedInteger, Required = False) LowestSupportedVersion = ConvertJsonValue (Config, 'LowestSupportedVersion', ValidateUnsignedInteger, Required = False) HardwareInstance = ConvertJsonValue (Config, 'HardwareInstance', ValidateUnsignedInteger, Required = False, Default = 0) MonotonicCount = ConvertJsonValue (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False, Default = 0) SignToolPfxFile = ConvertJsonValue (Config, 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None, Open = True) SignToolSubjectName = ConvertJsonValue (Config, 'SignToolSubjectName', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslSignerPrivateCertFile = ConvertJsonValue (Config, 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslOtherPublicCertFile = ConvertJsonValue (Config, 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslTrustedPublicCertFile = ConvertJsonValue (Config, 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True) SigningToolPath = ConvertJsonValue (Config, 'SigningToolPath', os.path.expandvars, Required = False, Default = None) UpdateImageIndex = ConvertJsonValue (Config, 'UpdateImageIndex', ValidateUnsignedInteger, Required = False, Default = 1) PayloadDescriptorList.append (PayloadDescriptor ( PayloadFile, Guid, FwVersion, LowestSupportedVersion, MonotonicCount, HardwareInstance, UpdateImageIndex, SignToolPfxFile, SignToolSubjectName, OpenSslSignerPrivateCertFile, OpenSslOtherPublicCertFile, OpenSslTrustedPublicCertFile, SigningToolPath )) def EncodeJsonFileParse (Json): if 'EmbeddedDrivers' not in Json: print ('GenerateCapsule: warning "EmbeddedDrivers" section not found in JSON file {File}'.format (File = args.JsonFile.name)) else: for Config in Json['EmbeddedDrivers']: EmbeddedDriverFile = ConvertJsonValue(Config, 'Driver', os.path.expandvars, Open = True) # #Read EmbeddedDriver file # try: if args.Verbose: print ('Read EmbeddedDriver file {File}'.format (File = EmbeddedDriverFile.name)) Driver = EmbeddedDriverFile.read() except: print ('GenerateCapsule: error: can not read EmbeddedDriver file {File}'.format (File = EmbeddedDriverFile.name)) sys.exit (1) EmbeddedDriverDescriptorList.append (Driver) if 'Payloads' not in Json: print ('GenerateCapsule: error: "Payloads" section not found in JSON file {File}'.format (File = args.JsonFile.name)) sys.exit (1) for Config in Json['Payloads']: # # Parse fields from JSON # PayloadFile = ConvertJsonValue (Config, 'Payload', os.path.expandvars, Open = True) Guid = ConvertJsonValue (Config, 'Guid', ValidateRegistryFormatGuid) FwVersion = ConvertJsonValue (Config, 'FwVersion', ValidateUnsignedInteger) LowestSupportedVersion = ConvertJsonValue (Config, 'LowestSupportedVersion', ValidateUnsignedInteger) HardwareInstance = ConvertJsonValue (Config, 'HardwareInstance', ValidateUnsignedInteger, Required = False, Default = 0) UpdateImageIndex = ConvertJsonValue (Config, 'UpdateImageIndex', ValidateUnsignedInteger, Required = False, Default = 1) MonotonicCount = ConvertJsonValue (Config, 'MonotonicCount', ValidateUnsignedInteger, Required = False, Default = 0) SignToolPfxFile = ConvertJsonValue (Config, 'SignToolPfxFile', os.path.expandvars, Required = False, Default = None, Open = True) SignToolSubjectName = ConvertJsonValue (Config, 'SignToolSubjectName', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslSignerPrivateCertFile = ConvertJsonValue (Config, 'OpenSslSignerPrivateCertFile', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslOtherPublicCertFile = ConvertJsonValue (Config, 'OpenSslOtherPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True) OpenSslTrustedPublicCertFile = ConvertJsonValue (Config, 'OpenSslTrustedPublicCertFile', os.path.expandvars, Required = False, Default = None, Open = True) SigningToolPath = ConvertJsonValue (Config, 'SigningToolPath', os.path.expandvars, Required = False, Default = None) DepexExp = ConvertJsonValue (Config, 'Dependencies', str, Required = False, Default = None) # # Read binary input file # try: if args.Verbose: print ('Read binary input file {File}'.format (File = PayloadFile.name)) Payload = PayloadFile.read() PayloadFile.close () except: print ('GenerateCapsule: error: can not read binary input file {File}'.format (File = PayloadFile.name)) sys.exit (1) PayloadDescriptorList.append (PayloadDescriptor ( Payload, Guid, FwVersion, LowestSupportedVersion, MonotonicCount, HardwareInstance, UpdateImageIndex, SignToolPfxFile, SignToolSubjectName, OpenSslSignerPrivateCertFile, OpenSslOtherPublicCertFile, OpenSslTrustedPublicCertFile, SigningToolPath, DepexExp )) def GenerateOutputJson (PayloadJsonDescriptorList): PayloadJson = { "Payloads" : [ { "Guid": str(PayloadDescriptor.Guid).upper(), "FwVersion": str(PayloadDescriptor.FwVersion), "LowestSupportedVersion": str(PayloadDescriptor.LowestSupportedVersion), "MonotonicCount": str(PayloadDescriptor.MonotonicCount), "Payload": PayloadDescriptor.Payload, "HardwareInstance": str(PayloadDescriptor.HardwareInstance), "UpdateImageIndex": str(PayloadDescriptor.UpdateImageIndex), "SignToolPfxFile": str(PayloadDescriptor.SignToolPfxFile), "SignToolSubjectName": str(PayloadDescriptor.SignToolSubjectName), "OpenSslSignerPrivateCertFile": str(PayloadDescriptor.OpenSslSignerPrivateCertFile), "OpenSslOtherPublicCertFile": str(PayloadDescriptor.OpenSslOtherPublicCertFile), "OpenSslTrustedPublicCertFile": str(PayloadDescriptor.OpenSslTrustedPublicCertFile), "SigningToolPath": str(PayloadDescriptor.SigningToolPath), "Dependencies" : str(PayloadDescriptor.DepexExp) }for PayloadDescriptor in PayloadJsonDescriptorList ] } OutputJsonFile = args.OutputFile.name + '.json' if 'Payloads' in PayloadJson: PayloadSection = PayloadJson ['Payloads'] Index = 0 for PayloadField in PayloadSection: if PayloadJsonDescriptorList[Index].SignToolPfxFile is None: del PayloadField ['SignToolPfxFile'] if PayloadJsonDescriptorList[Index].SignToolSubjectName is None: del PayloadField ['SignToolSubjectName'] if PayloadJsonDescriptorList[Index].OpenSslSignerPrivateCertFile is None: del PayloadField ['OpenSslSignerPrivateCertFile'] if PayloadJsonDescriptorList[Index].OpenSslOtherPublicCertFile is None: del PayloadField ['OpenSslOtherPublicCertFile'] if PayloadJsonDescriptorList[Index].OpenSslTrustedPublicCertFile is None: del PayloadField ['OpenSslTrustedPublicCertFile'] if PayloadJsonDescriptorList[Index].SigningToolPath is None: del PayloadField ['SigningToolPath'] Index = Index + 1 Result = json.dumps (PayloadJson, indent=4, sort_keys=True, separators=(',', ': ')) with open (OutputJsonFile, 'w') as OutputFile: OutputFile.write (Result) def CheckArgumentConflict (args): if args.Encode: if args.InputFile: print ('GenerateCapsule: error: Argument InputFile conflicts with Argument -j') sys.exit (1) if args.EmbeddedDriver: print ('GenerateCapsule: error: Argument --embedded-driver conflicts with Argument -j') sys.exit (1) if args.Guid: print ('GenerateCapsule: error: Argument --guid conflicts with Argument -j') sys.exit (1) if args.FwVersion: print ('GenerateCapsule: error: Argument --fw-version conflicts with Argument -j') sys.exit (1) if args.LowestSupportedVersion: print ('GenerateCapsule: error: Argument --lsv conflicts with Argument -j') sys.exit (1) if args.MonotonicCount: print ('GenerateCapsule: error: Argument --monotonic-count conflicts with Argument -j') sys.exit (1) if args.HardwareInstance: print ('GenerateCapsule: error: Argument --hardware-instance conflicts with Argument -j') sys.exit (1) if args.SignToolPfxFile: print ('GenerateCapsule: error: Argument --pfx-file conflicts with Argument -j') sys.exit (1) if args.SignToolSubjectName: print ('GenerateCapsule: error: Argument --SubjectName conflicts with Argument -j') sys.exit (1) if args.OpenSslSignerPrivateCertFile: print ('GenerateCapsule: error: Argument --signer-private-cert conflicts with Argument -j') sys.exit (1) if args.OpenSslOtherPublicCertFile: print ('GenerateCapsule: error: Argument --other-public-cert conflicts with Argument -j') sys.exit (1) if args.OpenSslTrustedPublicCertFile: print ('GenerateCapsule: error: Argument --trusted-public-cert conflicts with Argument -j') sys.exit (1) if args.SigningToolPath: print ('GenerateCapsule: error: Argument --signing-tool-path conflicts with Argument -j') sys.exit (1) class PayloadDescriptor (object): def __init__(self, Payload, Guid, FwVersion, LowestSupportedVersion, MonotonicCount = 0, HardwareInstance = 0, UpdateImageIndex = 1, SignToolPfxFile = None, SignToolSubjectName = None, OpenSslSignerPrivateCertFile = None, OpenSslOtherPublicCertFile = None, OpenSslTrustedPublicCertFile = None, SigningToolPath = None, DepexExp = None ): self.Payload = Payload self.Guid = Guid self.FwVersion = FwVersion self.LowestSupportedVersion = LowestSupportedVersion self.MonotonicCount = MonotonicCount self.HardwareInstance = HardwareInstance self.UpdateImageIndex = UpdateImageIndex self.SignToolPfxFile = SignToolPfxFile self.SignToolSubjectName = SignToolSubjectName self.OpenSslSignerPrivateCertFile = OpenSslSignerPrivateCertFile self.OpenSslOtherPublicCertFile = OpenSslOtherPublicCertFile self.OpenSslTrustedPublicCertFile = OpenSslTrustedPublicCertFile self.SigningToolPath = SigningToolPath self.DepexExp = DepexExp self.UseSignTool = (self.SignToolPfxFile is not None or self.SignToolSubjectName is not None) self.UseOpenSsl = (self.OpenSslSignerPrivateCertFile is not None and self.OpenSslOtherPublicCertFile is not None and self.OpenSslTrustedPublicCertFile is not None) self.AnyOpenSsl = (self.OpenSslSignerPrivateCertFile is not None or self.OpenSslOtherPublicCertFile is not None or self.OpenSslTrustedPublicCertFile is not None) self.UseDependency = self.DepexExp is not None def Validate(self, args): if self.UseSignTool and self.AnyOpenSsl: raise argparse.ArgumentTypeError ('Providing both signtool and OpenSSL options is not supported') if not self.UseSignTool and not self.UseOpenSsl and self.AnyOpenSsl: if args.JsonFile: raise argparse.ArgumentTypeError ('the following JSON fields are required for OpenSSL: OpenSslSignerPrivateCertFile, OpenSslOtherPublicCertFile, OpenSslTrustedPublicCertFile') else: raise argparse.ArgumentTypeError ('the following options are required for OpenSSL: --signer-private-cert, --other-public-cert, --trusted-public-cert') if self.UseSignTool and platform.system() != 'Windows': raise argparse.ArgumentTypeError ('Use of signtool is not supported on this operating system.') if args.Encode: if self.FwVersion is None or self.LowestSupportedVersion is None: if args.JsonFile: raise argparse.ArgumentTypeError ('the following JSON fields are required: FwVersion, LowestSupportedVersion') else: raise argparse.ArgumentTypeError ('the following options are required: --fw-version, --lsv') if self.FwVersion > 0xFFFFFFFF: if args.JsonFile: raise argparse.ArgumentTypeError ('JSON field FwVersion must be an integer in range 0x0..0xffffffff') else: raise argparse.ArgumentTypeError ('--fw-version must be an integer in range 0x0..0xffffffff') if self.LowestSupportedVersion > 0xFFFFFFFF: if args.JsonFile: raise argparse.ArgumentTypeError ('JSON field LowestSupportedVersion must be an integer in range 0x0..0xffffffff') else: raise argparse.ArgumentTypeError ('--lsv must be an integer in range 0x0..0xffffffff') if args.Encode: if self.Guid is None: if args.JsonFile: raise argparse.ArgumentTypeError ('the following JSON field is required: Guid') else: raise argparse.ArgumentTypeError ('the following option is required: --guid') if self.HardwareInstance > 0xFFFFFFFFFFFFFFFF: if args.JsonFile: raise argparse.ArgumentTypeError ('JSON field HardwareInstance must be an integer in range 0x0..0xffffffffffffffff') else: raise argparse.ArgumentTypeError ('--hardware-instance must be an integer in range 0x0..0xffffffffffffffff') if self.MonotonicCount > 0xFFFFFFFFFFFFFFFF: if args.JsonFile: raise argparse.ArgumentTypeError ('JSON field MonotonicCount must be an integer in range 0x0..0xffffffffffffffff') else: raise argparse.ArgumentTypeError ('--monotonic-count must be an integer in range 0x0..0xffffffffffffffff') if self.UpdateImageIndex < 0x1 or self.UpdateImageIndex > 0xFF: if args.JsonFile: raise argparse.ArgumentTypeError ('JSON field UpdateImageIndex must be an integer in range 0x1..0xff') else: raise argparse.ArgumentTypeError ('--update-image-index must be an integer in range 0x1..0xff') if self.UseSignTool: if self.SignToolPfxFile is not None: self.SignToolPfxFile.close() self.SignToolPfxFile = self.SignToolPfxFile.name if self.UseOpenSsl: self.OpenSslSignerPrivateCertFile.close() self.OpenSslOtherPublicCertFile.close() self.OpenSslTrustedPublicCertFile.close() self.OpenSslSignerPrivateCertFile = self.OpenSslSignerPrivateCertFile.name self.OpenSslOtherPublicCertFile = self.OpenSslOtherPublicCertFile.name self.OpenSslTrustedPublicCertFile = self.OpenSslTrustedPublicCertFile.name # # Perform additional argument verification # if args.Encode: if 'PersistAcrossReset' not in args.CapsuleFlag: if 'InitiateReset' in args.CapsuleFlag: raise argparse.ArgumentTypeError ('--capflag InitiateReset also requires --capflag PersistAcrossReset') if args.CapsuleOemFlag > 0xFFFF: raise argparse.ArgumentTypeError ('--capoemflag must be an integer between 0x0000 and 0xffff') return True def Encode (PayloadDescriptorList, EmbeddedDriverDescriptorList, Buffer): if args.JsonFile: CheckArgumentConflict(args) try: Json = json.loads (args.JsonFile.read ()) except: print ('GenerateCapsule: error: {JSONFile} loads failure. '.format (JSONFile = args.JsonFile)) sys.exit (1) EncodeJsonFileParse(Json) else: for Driver in args.EmbeddedDriver: EmbeddedDriverDescriptorList.append (Driver.read()) PayloadDescriptorList.append (PayloadDescriptor ( Buffer, args.Guid, args.FwVersion, args.LowestSupportedVersion, args.MonotonicCount, args.HardwareInstance, args.UpdateImageIndex, args.SignToolPfxFile, args.SignToolSubjectName, args.OpenSslSignerPrivateCertFile, args.OpenSslOtherPublicCertFile, args.OpenSslTrustedPublicCertFile, args.SigningToolPath, None )) for SinglePayloadDescriptor in PayloadDescriptorList: try: SinglePayloadDescriptor.Validate (args) except Exception as Msg: print ('GenerateCapsule: error:' + str(Msg)) sys.exit (1) for SinglePayloadDescriptor in PayloadDescriptorList: ImageCapsuleSupport = 0x0000000000000000 Result = SinglePayloadDescriptor.Payload try: FmpPayloadHeader.FwVersion = SinglePayloadDescriptor.FwVersion FmpPayloadHeader.LowestSupportedVersion = SinglePayloadDescriptor.LowestSupportedVersion FmpPayloadHeader.Payload = SinglePayloadDescriptor.Payload Result = FmpPayloadHeader.Encode () if args.Verbose: FmpPayloadHeader.DumpInfo () except: print ('GenerateCapsule: error: can not encode FMP Payload Header') sys.exit (1) if SinglePayloadDescriptor.UseDependency: CapsuleDependency.Payload = Result CapsuleDependency.DepexExp = SinglePayloadDescriptor.DepexExp ImageCapsuleSupport |= FmpCapsuleHeader.CAPSULE_SUPPORT_DEPENDENCY Result = CapsuleDependency.Encode () if args.Verbose: CapsuleDependency.DumpInfo () if SinglePayloadDescriptor.UseOpenSsl or SinglePayloadDescriptor.UseSignTool: # # Sign image with 64-bit MonotonicCount appended to end of image # try: if SinglePayloadDescriptor.UseSignTool: CertData = SignPayloadSignTool ( Result + struct.pack (' 0: Result = FmpCapsuleHeader.Decode (Result) if args.JsonFile: if FmpCapsuleHeader.PayloadItemCount != len (PayloadDescriptorList): CapsulePayloadNum = FmpCapsuleHeader.PayloadItemCount JsonPayloadNum = len (PayloadDescriptorList) print ('GenerateCapsule: Decode error: {JsonPayloadNumber} payloads in JSON file {File} and {CapsulePayloadNumber} payloads in Capsule {CapsuleName}'.format (JsonPayloadNumber = JsonPayloadNum, File = args.JsonFile.name, CapsulePayloadNumber = CapsulePayloadNum, CapsuleName = args.InputFile.name)) sys.exit (1) for Index in range (0, FmpCapsuleHeader.PayloadItemCount): if Index < len (PayloadDescriptorList): GUID = FmpCapsuleHeader.GetFmpCapsuleImageHeader (Index).UpdateImageTypeId HardwareInstance = FmpCapsuleHeader.GetFmpCapsuleImageHeader (Index).UpdateHardwareInstance UpdateImageIndex = FmpCapsuleHeader.GetFmpCapsuleImageHeader (Index).UpdateImageIndex if PayloadDescriptorList[Index].Guid != GUID or PayloadDescriptorList[Index].HardwareInstance != HardwareInstance: print ('GenerateCapsule: Decode error: Guid or HardwareInstance pair in input JSON file {File} does not match the payload {PayloadIndex} in Capsule {InputCapsule}'.format (File = args.JsonFile.name, PayloadIndex = Index + 1, InputCapsule = args.InputFile.name)) sys.exit (1) PayloadDescriptorList[Index].Payload = FmpCapsuleHeader.GetFmpCapsuleImageHeader (Index).Payload DecodeJsonOutput = args.OutputFile.name + '.Payload.{Index:d}.bin'.format (Index = Index + 1) PayloadJsonDescriptorList.append (PayloadDescriptor ( DecodeJsonOutput, GUID, None, None, None, HardwareInstance, UpdateImageIndex, PayloadDescriptorList[Index].SignToolPfxFile, PayloadDescriptorList[Index].SignToolSubjectName, PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile, PayloadDescriptorList[Index].OpenSslOtherPublicCertFile, PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile, PayloadDescriptorList[Index].SigningToolPath, None )) else: PayloadDescriptorList[0].Payload = FmpCapsuleHeader.GetFmpCapsuleImageHeader (0).Payload for Index in range (0, FmpCapsuleHeader.PayloadItemCount): if Index > 0: PayloadDecodeFile = FmpCapsuleHeader.GetFmpCapsuleImageHeader (Index).Payload PayloadDescriptorList.append (PayloadDescriptor (PayloadDecodeFile, None, None, None, None, None, None, None, None, None, None, None, None )) GUID = FmpCapsuleHeader.GetFmpCapsuleImageHeader (Index).UpdateImageTypeId HardwareInstance = FmpCapsuleHeader.GetFmpCapsuleImageHeader (Index).UpdateHardwareInstance UpdateImageIndex = FmpCapsuleHeader.GetFmpCapsuleImageHeader (Index).UpdateImageIndex DecodeJsonOutput = args.OutputFile.name + '.Payload.{Index:d}.bin'.format (Index = Index + 1) PayloadJsonDescriptorList.append (PayloadDescriptor ( DecodeJsonOutput, GUID, None, None, None, HardwareInstance, UpdateImageIndex, PayloadDescriptorList[Index].SignToolPfxFile, PayloadDescriptorList[Index].SignToolSubjectName, PayloadDescriptorList[Index].OpenSslSignerPrivateCertFile, PayloadDescriptorList[Index].OpenSslOtherPublicCertFile, PayloadDescriptorList[Index].OpenSslTrustedPublicCertFile, PayloadDescriptorList[Index].SigningToolPath, None )) JsonIndex = 0 for SinglePayloadDescriptor in PayloadDescriptorList: if args.Verbose: print ('========') UefiCapsuleHeader.DumpInfo () print ('--------') FmpCapsuleHeader.DumpInfo () if FmpAuthHeader.IsSigned(SinglePayloadDescriptor.Payload): if not SinglePayloadDescriptor.UseOpenSsl and not SinglePayloadDescriptor.UseSignTool: print ('GenerateCapsule: decode warning: can not verify singed payload without cert or pfx file. Index = {Index}'.format (Index = JsonIndex + 1)) SinglePayloadDescriptor.Payload = FmpAuthHeader.Decode (SinglePayloadDescriptor.Payload) PayloadJsonDescriptorList[JsonIndex].MonotonicCount = FmpAuthHeader.MonotonicCount if args.Verbose: print ('--------') FmpAuthHeader.DumpInfo () # # Verify Image with 64-bit MonotonicCount appended to end of image # try: if SinglePayloadDescriptor.UseSignTool: CertData = VerifyPayloadSignTool ( FmpAuthHeader.Payload + struct.pack (' 0: FmpCapsuleHeader.Decode (Result) print ('--------') FmpCapsuleHeader.DumpInfo () for Index in range (0, FmpCapsuleHeader.PayloadItemCount): Result = FmpCapsuleHeader.GetFmpCapsuleImageHeader (Index).Payload try: Result = FmpAuthHeader.Decode (Result) print ('--------') FmpAuthHeader.DumpInfo () except: print ('--------') print ('No EFI_FIRMWARE_IMAGE_AUTHENTICATION') PayloadSignature = struct.unpack ('