Hi,
authvar writes .auth files with a 4-byte EFI var attrs header before the authenticated variable itself. This throws off the format (compared to sbsigntools sign-efi-sig-list), and firmware does not accept the file as valid. Removing the 4 bytes, the generated .auth file is equivalent to one generated by sbsigntools, which is accepted by my firmware setup screen. Is there a particular reason for the extra 4 bytes?
This code adds the attributes to the output file (pesign/src/authvar_context.c, lines 168 to 170 in 45d6cb7):

```c
/* The attribute of the variable */
memcpy(ptr, &ctx->attr, sizeof(ctx->attr));
ptr += sizeof(ctx->attr);
```

My goal was to replace sign-efi-sig-list from sbsigntools with authvar to generate signed .auth files. For sbsigntools, I use:

```sh
cert-to-efi-sig-list -g $GUID PK.crt PK.esl
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
    -k PK.key -c PK.crt PK PK.esl PK.auth
```

The authvar/efisecdb replacement is:

```sh
efisecdb -g "$GUID" -a -c PK.cer -o PK.esl
authvar -d "$nssdb" --set --valuefile PK.esl \
    --export PK.auth.tmp --sign "$signer" --name PK
dd if=PK.auth.tmp of=PK.auth bs=1 skip=4
```
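
A way to check which layout a .auth file has before stripping anything, rather than skipping 4 bytes blindly as the `dd` workaround above does. This is an added example, not code from the issue or from pesign; it assumes the EFI_VARIABLE_AUTHENTICATION_2 layout from the UEFI specification (16-byte EFI_TIME, then WIN_CERTIFICATE_UEFI_GUID with the PKCS#7 cert type), and the function names, the sample bytes and the attribute value 0x27 are constructed for illustration.

```python
import struct
import uuid

# EFI_CERT_TYPE_PKCS7_GUID (UEFI spec), in its on-disk mixed-endian form.
PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7").bytes_le
WIN_CERT_REVISION = 0x0200       # WIN_CERTIFICATE.wRevision
WIN_CERT_TYPE_EFI_GUID = 0x0EF1  # WIN_CERTIFICATE.wCertificateType
EFI_TIME_LEN = 16                # sizeof(EFI_TIME)
CERT_HDR_LEN = 8 + 16            # WIN_CERTIFICATE header + CertType GUID


def is_auth2(buf, off=0):
    """True if buf[off:] begins with an EFI_VARIABLE_AUTHENTICATION_2 header."""
    hdr = off + EFI_TIME_LEN
    if len(buf) < hdr + CERT_HDR_LEN:
        return False
    dw_length, revision, cert_type = struct.unpack_from("<IHH", buf, hdr)
    return (revision == WIN_CERT_REVISION
            and cert_type == WIN_CERT_TYPE_EFI_GUID
            and buf[hdr + 8:hdr + CERT_HDR_LEN] == PKCS7_GUID
            and CERT_HDR_LEN <= dw_length <= len(buf) - hdr)


def classify(buf):
    """'bare' (sign-efi-sig-list layout), 'attr-prefixed' (4-byte attrs first) or 'unknown'."""
    if is_auth2(buf, 0):
        return "bare"
    return "attr-prefixed" if is_auth2(buf, 4) else "unknown"


def strip_attr_prefix(buf):
    """Return (attrs or None, bare blob); refuse anything that is not recognised."""
    kind = classify(buf)
    if kind == "unknown":
        raise ValueError("no EFI_VARIABLE_AUTHENTICATION_2 header at offset 0 or 4")
    if kind == "bare":
        return None, buf
    return struct.unpack_from("<I", buf)[0], buf[4:]


def sample_auth(cert=b"\x30\x03\x02\x01\x01", esl=b"constructed ESL"):
    """Constructed sample: EFI_TIME + WIN_CERTIFICATE_UEFI_GUID + placeholder data."""
    efi_time = struct.pack("<HBBBBBBIhBB", 2024, 1, 2, 3, 4, 5, 0, 0, 0, 0, 0)
    win_cert = struct.pack("<IHH", CERT_HDR_LEN + len(cert),
                           WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return efi_time + win_cert + PKCS7_GUID + cert + esl


if __name__ == "__main__":
    bare = sample_auth()
    prefixed = struct.pack("<I", 0x27) + bare  # constructed attrs value
    print(classify(bare), classify(prefixed), strip_attr_prefix(prefixed)[0])
```

The check only locates the header; it does not verify the PKCS#7 signature, which remains the firmware's job.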