[J-u-boot.git] / tools / efivar.py

#!/usr/bin/env python3
## SPDX-License-Identifier: GPL-2.0-only
#
# EFI variable store utilities.
#
# (c) 2020 Paulo Alcantara <[email protected]>
#

import os
import struct
import uuid
import time
import zlib
import argparse
from OpenSSL import crypto

# U-Boot variable store format (version 1)
UBOOT_EFI_VAR_FILE_MAGIC = 0x0161566966456255

# UEFI variable attributes
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS = 0x10
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
EFI_VARIABLE_READ_ONLY = 1 << 31
NV_BS = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
NV_BS_RT = NV_BS | EFI_VARIABLE_RUNTIME_ACCESS
NV_BS_RT_AT = NV_BS_RT | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
DEFAULT_VAR_ATTRS = NV_BS_RT

# vendor GUIDs
EFI_GLOBAL_VARIABLE_GUID = '8be4df61-93ca-11d2-aa0d-00e098032b8c'
EFI_IMAGE_SECURITY_DATABASE_GUID = 'd719b2cb-3d3a-4596-a3bc-dad00e67656f'
EFI_CERT_TYPE_PKCS7_GUID = '4aafd29d-68df-49ee-8aa9-347d375665a7'
WIN_CERT_TYPE_EFI_GUID = 0x0ef1
WIN_CERT_REVISION = 0x0200

var_attrs = {
        'NV': EFI_VARIABLE_NON_VOLATILE,
        'BS': EFI_VARIABLE_BOOTSERVICE_ACCESS,
        'RT': EFI_VARIABLE_RUNTIME_ACCESS,
        'AT': EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
        'RO': EFI_VARIABLE_READ_ONLY,
        'AW': EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS,
}

var_guids = {
        'EFI_GLOBAL_VARIABLE_GUID': EFI_GLOBAL_VARIABLE_GUID,
        'EFI_IMAGE_SECURITY_DATABASE_GUID': EFI_IMAGE_SECURITY_DATABASE_GUID,
}

class EfiStruct:
    # struct efi_var_file
    var_file_fmt = '<QQLL'
    var_file_size = struct.calcsize(var_file_fmt)
    # struct efi_var_entry
    var_entry_fmt = '<LLQ16s'
    var_entry_size = struct.calcsize(var_entry_fmt)
    # struct efi_time
    var_time_fmt = '<H6BLh2B'
    var_time_size = struct.calcsize(var_time_fmt)
    # WIN_CERTIFICATE
    var_win_cert_fmt = '<L2H'
    var_win_cert_size = struct.calcsize(var_win_cert_fmt)
    # WIN_CERTIFICATE_UEFI_GUID
    var_win_cert_uefi_guid_fmt = var_win_cert_fmt+'16s'
    var_win_cert_uefi_guid_size = struct.calcsize(var_win_cert_uefi_guid_fmt)

class EfiVariable:
    def __init__(self, size, attrs, time, guid, name, data):
        self.size = size
        self.attrs = attrs
        self.time = time
        self.guid = guid
        self.name = name
        self.data = data

def calc_crc32(buf):
    return zlib.crc32(buf) & 0xffffffff

class EfiVariableStore:
    def __init__(self, infile):
        self.infile = infile
        self.efi = EfiStruct()
        if os.path.exists(self.infile) and os.stat(self.infile).st_size > self.efi.var_file_size:
            with open(self.infile, 'rb') as f:
                buf = f.read()
                self._check_header(buf)
                self.ents = buf[self.efi.var_file_size:]
        else:
            self.ents = bytearray()

    def _check_header(self, buf):
        hdr = struct.unpack_from(self.efi.var_file_fmt, buf, 0)
        magic, crc32 = hdr[1], hdr[3]

        if magic != UBOOT_EFI_VAR_FILE_MAGIC:
            print("err: invalid magic number: %s"%hex(magic))
            exit(1)
        if crc32 != calc_crc32(buf[self.efi.var_file_size:]):
            print("err: invalid crc32: %s"%hex(crc32))
            exit(1)

    def _get_var_name(self, buf):
        name = ''
        for i in range(0, len(buf) - 1, 2):
            if not buf[i] and not buf[i+1]:
                break
            name += chr(buf[i])
        return ''.join([chr(x) for x in name.encode('utf_16_le') if x]), i + 2

    def _next_var(self, offs=0):
        size, attrs, time, guid = struct.unpack_from(self.efi.var_entry_fmt, self.ents, offs)
        data_fmt = str(size)+"s"
        offs += self.efi.var_entry_size
        name, namelen = self._get_var_name(self.ents[offs:])
        offs += namelen
        data = struct.unpack_from(data_fmt, self.ents, offs)[0]
        # offset to next 8-byte aligned variable entry
        offs = (offs + len(data) + 7) & ~7
        return EfiVariable(size, attrs, time, uuid.UUID(bytes_le=guid), name, data), offs

    def __iter__(self):
        self.offs = 0
        return self

    def __next__(self):
        if self.offs < len(self.ents):
            var, noffs = self._next_var(self.offs)
            self.offs = noffs
            return var
        else:
            raise StopIteration

    def __len__(self):
        return len(self.ents)

    def _set_var(self, guid, name_data, size, attrs, tsec):
        ent = struct.pack(self.efi.var_entry_fmt,
                          size,
                          attrs,
                          tsec,
                          uuid.UUID(guid).bytes_le)
        ent += name_data
        self.ents += ent

    def del_var(self, guid, name, attrs):
        offs = 0
        while offs < len(self.ents):
            var, loffs = self._next_var(offs)
            if var.name == name and str(var.guid) == guid:
                if var.attrs != attrs:
                    print("err: attributes don't match")
                    exit(1)
                self.ents = self.ents[:offs] + self.ents[loffs:]
                return
            offs = loffs
        print("err: variable not found")
        exit(1)

    def set_var(self, guid, name, data, size, attrs):
        offs = 0
        while offs < len(self.ents):
            var, loffs = self._next_var(offs)
            if var.name == name and str(var.guid) == guid:
                if var.attrs != attrs:
                    print("err: attributes don't match")
                    exit(1)
                # make room for updating var
                self.ents = self.ents[:offs] + self.ents[loffs:]
                break
            offs = loffs

        tsec = int(time.time()) if attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS else 0
        nd = name.encode('utf_16_le') + b"\x00\x00" + data
        # U-Boot variable format requires the name + data blob to be 8-byte aligned
        pad = ((len(nd) + 7) & ~7) - len(nd)
        nd += bytes([0] * pad)

        return self._set_var(guid, nd, size, attrs, tsec)

    def save(self):
        hdr = struct.pack(self.efi.var_file_fmt,
                          0,
                          UBOOT_EFI_VAR_FILE_MAGIC,
                          len(self.ents) + self.efi.var_file_size,
                          calc_crc32(self.ents))

        with open(self.infile, 'wb') as f:
            f.write(hdr)
            f.write(self.ents)

def parse_attrs(attrs):
    v = DEFAULT_VAR_ATTRS
    if attrs:
        v = 0
        for i in attrs.split(','):
            v |= var_attrs[i.upper()]
    return v

def parse_data(val, vtype):
    if not val or not vtype:
        return None, 0
    fmt = { 'u8': '<B', 'u16': '<H', 'u32': '<L', 'u64': '<Q' }
    if vtype.lower() == 'file':
        with open(val, 'rb') as f:
            data = f.read()
            return data, len(data)
    if vtype.lower() == 'str':
        data = val.encode('utf-8')
        return data, len(data)
    if vtype.lower() == 'nil':
        return None, 0
    i = fmt[vtype.lower()]
    return struct.pack(i, int(val)), struct.calcsize(i)

def parse_args(args):
    name = args.name
    attrs = parse_attrs(args.attrs)
    guid = args.guid if args.guid else EFI_GLOBAL_VARIABLE_GUID

    if name.lower() == 'db' or name.lower() == 'dbx':
        name = name.lower()
        guid = EFI_IMAGE_SECURITY_DATABASE_GUID
        attrs = NV_BS_RT_AT
    elif name.lower() == 'pk' or name.lower() == 'kek':
        name = name.upper()
        guid = EFI_GLOBAL_VARIABLE_GUID
        attrs = NV_BS_RT_AT

    data, size = parse_data(args.data, args.type)
    return guid, name, attrs, data, size

def cmd_set(args):
    env = EfiVariableStore(args.infile)
    guid, name, attrs, data, size = parse_args(args)
    env.set_var(guid=guid, name=name, data=data, size=size, attrs=attrs)
    env.save()

def print_var(var):
    print(var.name+':')
    print("    "+str(var.guid)+' '+''.join([x for x in var_guids if str(var.guid) == var_guids[x]]))
    print("    "+'|'.join([x for x in var_attrs if var.attrs & var_attrs[x]])+", DataSize = %s"%hex(var.size))
    hexdump(var.data)

def cmd_print(args):
    env = EfiVariableStore(args.infile)
    if not args.name and not args.guid and not len(env):
        return

    found = False
    for var in env:
        if not args.name:
            if args.guid and args.guid != str(var.guid):
                continue
            print_var(var)
            found = True
        else:
            if args.name != var.name or (args.guid and args.guid != str(var.guid)):
                continue
            print_var(var)
            found = True

    if not found:
        print("err: variable not found")
        exit(1)

def cmd_del(args):
    env = EfiVariableStore(args.infile)
    attrs = parse_attrs(args.attrs)
    guid = args.guid if args.guid else EFI_GLOBAL_VARIABLE_GUID
    env.del_var(guid, args.name, attrs)
    env.save()

def pkcs7_sign(cert, key, buf):
    with open(cert, 'r') as f:
        crt = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
    with open(key, 'r') as f:
        pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())

    PKCS7_BINARY = 0x80
    PKCS7_DETACHED = 0x40
    PKCS7_NOATTR = 0x100

    bio_in = crypto._new_mem_buf(buf)
    p7 = crypto._lib.PKCS7_sign(crt._x509, pkey._pkey, crypto._ffi.NULL, bio_in,
                                PKCS7_BINARY|PKCS7_DETACHED|PKCS7_NOATTR)
    bio_out = crypto._new_mem_buf()
    crypto._lib.i2d_PKCS7_bio(bio_out, p7)
    return crypto._bio_to_string(bio_out)

# UEFI 2.8 Errata B "8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2 descriptor"
def cmd_sign(args):
    guid, name, attrs, data, _ = parse_args(args)
    attrs |= EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    efi = EfiStruct()

    tm = time.localtime()
    etime = struct.pack(efi.var_time_fmt,
                        tm.tm_year, tm.tm_mon, tm.tm_mday,
                        tm.tm_hour, tm.tm_min, tm.tm_sec,
                        0, 0, 0, 0, 0)

    buf = name.encode('utf_16_le') + uuid.UUID(guid).bytes_le + attrs.to_bytes(4, byteorder='little') + etime
    if data:
        buf += data
    sig = pkcs7_sign(args.cert, args.key, buf)

    desc = struct.pack(efi.var_win_cert_uefi_guid_fmt,
                       efi.var_win_cert_uefi_guid_size + len(sig),
                       WIN_CERT_REVISION,
                       WIN_CERT_TYPE_EFI_GUID,
                       uuid.UUID(EFI_CERT_TYPE_PKCS7_GUID).bytes_le)

    with open(args.outfile, 'wb') as f:
        if data:
            f.write(etime + desc + sig + data)
        else:
            f.write(etime + desc + sig)

def main():
    ap = argparse.ArgumentParser(description='EFI variable store utilities')
    subp = ap.add_subparsers(help="sub-command help")

    printp = subp.add_parser('print', help='get/list EFI variables')
    printp.add_argument('--infile', '-i', required=True, help='file to save the EFI variables')
    printp.add_argument('--name', '-n', help='variable name')
    printp.add_argument('--guid', '-g', help='vendor GUID')
    printp.set_defaults(func=cmd_print)

    setp = subp.add_parser('set', help='set EFI variable')
    setp.add_argument('--infile', '-i', required=True, help='file to save the EFI variables')
    setp.add_argument('--name', '-n', required=True, help='variable name')
    setp.add_argument('--attrs', '-a', help='variable attributes (values: nv,bs,rt,at,ro,aw)')
    setp.add_argument('--guid', '-g', help="vendor GUID (default: %s)"%EFI_GLOBAL_VARIABLE_GUID)
    setp.add_argument('--type', '-t', help='variable type (values: file|u8|u16|u32|u64|str)')
    setp.add_argument('--data', '-d', help='data or filename')
    setp.set_defaults(func=cmd_set)

    delp = subp.add_parser('del', help='delete EFI variable')
    delp.add_argument('--infile', '-i', required=True, help='file to save the EFI variables')
    delp.add_argument('--name', '-n', required=True, help='variable name')
    delp.add_argument('--attrs', '-a', help='variable attributes (values: nv,bs,rt,at,ro,aw)')
    delp.add_argument('--guid', '-g', help="vendor GUID (default: %s)"%EFI_GLOBAL_VARIABLE_GUID)
    delp.set_defaults(func=cmd_del)

    signp = subp.add_parser('sign', help='sign time-based EFI payload')
    signp.add_argument('--cert', '-c', required=True, help='x509 certificate filename in PEM format')
    signp.add_argument('--key', '-k', required=True, help='signing certificate filename in PEM format')
    signp.add_argument('--name', '-n', required=True, help='variable name')
    signp.add_argument('--attrs', '-a', help='variable attributes (values: nv,bs,rt,at,ro,aw)')
    signp.add_argument('--guid', '-g', help="vendor GUID (default: %s)"%EFI_GLOBAL_VARIABLE_GUID)
    signp.add_argument('--type', '-t', required=True, help='variable type (values: file|u8|u16|u32|u64|str|nil)')
    signp.add_argument('--data', '-d', help='data or filename')
    signp.add_argument('--outfile', '-o', required=True, help='output filename of signed EFI payload')
    signp.set_defaults(func=cmd_sign)

    args = ap.parse_args()
    if hasattr(args, "func"):
        args.func(args)
    else:
        ap.print_help()

def group(a, *ns):
    for n in ns:
        a = [a[i:i+n] for i in range(0, len(a), n)]
    return a

def join(a, *cs):
    return [cs[0].join(join(t, *cs[1:])) for t in a] if cs else a

def hexdump(data):
    toHex = lambda c: '{:02X}'.format(c)
    toChr = lambda c: chr(c) if 32 <= c < 127 else '.'
    make = lambda f, *cs: join(group(list(map(f, data)), 8, 2), *cs)
    hs = make(toHex, '  ', ' ')
    cs = make(toChr, ' ', '')
    for i, (h, c) in enumerate(zip(hs, cs)):
        print ('    {:010X}: {:48}  {:16}'.format(i * 16, h, c))

if __name__ == '__main__':
    main()
Commit	Line	Data
73253d77 PA	1	#!/usr/bin/env python3
	2	## SPDX-License-Identifier: GPL-2.0-only
	3	#
	4	# EFI variable store utilities.
	5	#
	6	# (c) 2020 Paulo Alcantara <[email protected]>
	7	#
	8
	9	import os
	10	import struct
	11	import uuid
	12	import time
	13	import zlib
	14	import argparse
	15	from OpenSSL import crypto
	16
	17	# U-Boot variable store format (version 1)
	18	UBOOT_EFI_VAR_FILE_MAGIC = 0x0161566966456255
	19
	20	# UEFI variable attributes
	21	EFI_VARIABLE_NON_VOLATILE = 0x1
	22	EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
	23	EFI_VARIABLE_RUNTIME_ACCESS = 0x4
	24	EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS = 0x10
	25	EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
	26	EFI_VARIABLE_READ_ONLY = 1 << 31
	27	NV_BS = EFI_VARIABLE_NON_VOLATILE \| EFI_VARIABLE_BOOTSERVICE_ACCESS
	28	NV_BS_RT = NV_BS \| EFI_VARIABLE_RUNTIME_ACCESS
	29	NV_BS_RT_AT = NV_BS_RT \| EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
	30	DEFAULT_VAR_ATTRS = NV_BS_RT
	31
	32	# vendor GUIDs
	33	EFI_GLOBAL_VARIABLE_GUID = '8be4df61-93ca-11d2-aa0d-00e098032b8c'
	34	EFI_IMAGE_SECURITY_DATABASE_GUID = 'd719b2cb-3d3a-4596-a3bc-dad00e67656f'
	35	EFI_CERT_TYPE_PKCS7_GUID = '4aafd29d-68df-49ee-8aa9-347d375665a7'
	36	WIN_CERT_TYPE_EFI_GUID = 0x0ef1
	37	WIN_CERT_REVISION = 0x0200
	38
	39	var_attrs = {
	40	'NV': EFI_VARIABLE_NON_VOLATILE,
	41	'BS': EFI_VARIABLE_BOOTSERVICE_ACCESS,
	42	'RT': EFI_VARIABLE_RUNTIME_ACCESS,
	43	'AT': EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
	44	'RO': EFI_VARIABLE_READ_ONLY,
	45	'AW': EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS,
	46	}
	47
	48	var_guids = {
	49	'EFI_GLOBAL_VARIABLE_GUID': EFI_GLOBAL_VARIABLE_GUID,
	50	'EFI_IMAGE_SECURITY_DATABASE_GUID': EFI_IMAGE_SECURITY_DATABASE_GUID,
	51	}
	52
	53	class EfiStruct:
45c0792c HS	54	# struct efi_var_file
	55	var_file_fmt = '<QQLL'
	56	var_file_size = struct.calcsize(var_file_fmt)
	57	# struct efi_var_entry
	58	var_entry_fmt = '<LLQ16s'
	59	var_entry_size = struct.calcsize(var_entry_fmt)
	60	# struct efi_time
	61	var_time_fmt = '<H6BLh2B'
	62	var_time_size = struct.calcsize(var_time_fmt)
	63	# WIN_CERTIFICATE
	64	var_win_cert_fmt = '<L2H'
	65	var_win_cert_size = struct.calcsize(var_win_cert_fmt)
	66	# WIN_CERTIFICATE_UEFI_GUID
	67	var_win_cert_uefi_guid_fmt = var_win_cert_fmt+'16s'
	68	var_win_cert_uefi_guid_size = struct.calcsize(var_win_cert_uefi_guid_fmt)
73253d77 PA	69
	70	class EfiVariable:
	71	def __init__(self, size, attrs, time, guid, name, data):
	72	self.size = size
	73	self.attrs = attrs
	74	self.time = time
	75	self.guid = guid
	76	self.name = name
	77	self.data = data
	78
	79	def calc_crc32(buf):
	80	return zlib.crc32(buf) & 0xffffffff
	81
	82	class EfiVariableStore:
	83	def __init__(self, infile):
	84	self.infile = infile
	85	self.efi = EfiStruct()
	86	if os.path.exists(self.infile) and os.stat(self.infile).st_size > self.efi.var_file_size:
	87	with open(self.infile, 'rb') as f:
	88	buf = f.read()
	89	self._check_header(buf)
	90	self.ents = buf[self.efi.var_file_size:]
	91	else:
	92	self.ents = bytearray()
	93
	94	def _check_header(self, buf):
	95	hdr = struct.unpack_from(self.efi.var_file_fmt, buf, 0)
	96	magic, crc32 = hdr[1], hdr[3]
	97
	98	if magic != UBOOT_EFI_VAR_FILE_MAGIC:
	99	print("err: invalid magic number: %s"%hex(magic))
	100	exit(1)
	101	if crc32 != calc_crc32(buf[self.efi.var_file_size:]):
	102	print("err: invalid crc32: %s"%hex(crc32))
	103	exit(1)
	104
	105	def _get_var_name(self, buf):
	106	name = ''
	107	for i in range(0, len(buf) - 1, 2):
	108	if not buf[i] and not buf[i+1]:
	109	break
	110	name += chr(buf[i])
	111	return ''.join([chr(x) for x in name.encode('utf_16_le') if x]), i + 2
	112
	113	def _next_var(self, offs=0):
	114	size, attrs, time, guid = struct.unpack_from(self.efi.var_entry_fmt, self.ents, offs)
	115	data_fmt = str(size)+"s"
	116	offs += self.efi.var_entry_size
	117	name, namelen = self._get_var_name(self.ents[offs:])
	118	offs += namelen
	119	data = struct.unpack_from(data_fmt, self.ents, offs)[0]
	120	# offset to next 8-byte aligned variable entry
	121	offs = (offs + len(data) + 7) & ~7
	122	return EfiVariable(size, attrs, time, uuid.UUID(bytes_le=guid), name, data), offs
	123
	124	def __iter__(self):
	125	self.offs = 0
	126	return self
	127
	128	def __next__(self):
	129	if self.offs < len(self.ents):
	130	var, noffs = self._next_var(self.offs)
	131	self.offs = noffs
	132	return var
133	else:
134	raise StopIteration
135
136	def __len__(self):
137	return len(self.ents)
138
139	def _set_var(self, guid, name_data, size, attrs, tsec):
140	ent = struct.pack(self.efi.var_entry_fmt,
141	size,
142	attrs,
143	tsec,
144	uuid.UUID(guid).bytes_le)
145	ent += name_data
146	self.ents += ent
147
148	def del_var(self, guid, name, attrs):
149	offs = 0
150	while offs < len(self.ents):
151	var, loffs = self._next_var(offs)
33abdb98	152	if var.name == name and str(var.guid) == guid:
73253d77 PA	153	if var.attrs != attrs:
	154	print("err: attributes don't match")
	155	exit(1)
	156	self.ents = self.ents[:offs] + self.ents[loffs:]
	157	return
	158	offs = loffs
	159	print("err: variable not found")
	160	exit(1)
	161
	162	def set_var(self, guid, name, data, size, attrs):
	163	offs = 0
	164	while offs < len(self.ents):
	165	var, loffs = self._next_var(offs)
	166	if var.name == name and str(var.guid) == guid:
	167	if var.attrs != attrs:
	168	print("err: attributes don't match")
	169	exit(1)
	170	# make room for updating var
	171	self.ents = self.ents[:offs] + self.ents[loffs:]
	172	break
	173	offs = loffs
	174
	175	tsec = int(time.time()) if attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS else 0
	176	nd = name.encode('utf_16_le') + b"\x00\x00" + data
	177	# U-Boot variable format requires the name + data blob to be 8-byte aligned
	178	pad = ((len(nd) + 7) & ~7) - len(nd)
	179	nd += bytes([0] * pad)
	180
	181	return self._set_var(guid, nd, size, attrs, tsec)
	182
	183	def save(self):
	184	hdr = struct.pack(self.efi.var_file_fmt,
	185	0,
	186	UBOOT_EFI_VAR_FILE_MAGIC,
	187	len(self.ents) + self.efi.var_file_size,
	188	calc_crc32(self.ents))
	189
	190	with open(self.infile, 'wb') as f:
	191	f.write(hdr)
	192	f.write(self.ents)
	193
	194	def parse_attrs(attrs):
	195	v = DEFAULT_VAR_ATTRS
	196	if attrs:
	197	v = 0
	198	for i in attrs.split(','):
	199	v \|= var_attrs[i.upper()]
	200	return v
	201
	202	def parse_data(val, vtype):
	203	if not val or not vtype:
	204	return None, 0
	205	fmt = { 'u8': '<B', 'u16': '<H', 'u32': '<L', 'u64': '<Q' }
	206	if vtype.lower() == 'file':
	207	with open(val, 'rb') as f:
	208	data = f.read()
	209	return data, len(data)
	210	if vtype.lower() == 'str':
	211	data = val.encode('utf-8')
	212	return data, len(data)
	213	if vtype.lower() == 'nil':
	214	return None, 0
	215	i = fmt[vtype.lower()]
	216	return struct.pack(i, int(val)), struct.calcsize(i)
217
218	def parse_args(args):
219	name = args.name
220	attrs = parse_attrs(args.attrs)
221	guid = args.guid if args.guid else EFI_GLOBAL_VARIABLE_GUID
222
223	if name.lower() == 'db' or name.lower() == 'dbx':
224	name = name.lower()
225	guid = EFI_IMAGE_SECURITY_DATABASE_GUID
226	attrs = NV_BS_RT_AT
227	elif name.lower() == 'pk' or name.lower() == 'kek':
228	name = name.upper()
229	guid = EFI_GLOBAL_VARIABLE_GUID
230	attrs = NV_BS_RT_AT
231
232	data, size = parse_data(args.data, args.type)
233	return guid, name, attrs, data, size
234
235	def cmd_set(args):
236	env = EfiVariableStore(args.infile)
237	guid, name, attrs, data, size = parse_args(args)
238	env.set_var(guid=guid, name=name, data=data, size=size, attrs=attrs)
239	env.save()
240
241	def print_var(var):
242	print(var.name+':')
243	print(" "+str(var.guid)+' '+''.join([x for x in var_guids if str(var.guid) == var_guids[x]]))
244	print(" "+'\|'.join([x for x in var_attrs if var.attrs & var_attrs[x]])+", DataSize = %s"%hex(var.size))
245	hexdump(var.data)
246
247	def cmd_print(args):
248	env = EfiVariableStore(args.infile)
249	if not args.name and not args.guid and not len(env):
250	return
251
252	found = False
253	for var in env:
254	if not args.name:
255	if args.guid and args.guid != str(var.guid):
256	continue
257	print_var(var)
258	found = True
259	else:
260	if args.name != var.name or (args.guid and args.guid != str(var.guid)):
261	continue
262	print_var(var)
263	found = True
264
265	if not found:
266	print("err: variable not found")
267	exit(1)
268
269	def cmd_del(args):
270	env = EfiVariableStore(args.infile)
271	attrs = parse_attrs(args.attrs)
272	guid = args.guid if args.guid else EFI_GLOBAL_VARIABLE_GUID
273	env.del_var(guid, args.name, attrs)
274	env.save()
275
276	def pkcs7_sign(cert, key, buf):
277	with open(cert, 'r') as f:
278	crt = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
279	with open(key, 'r') as f:
280	pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())
281
282	PKCS7_BINARY = 0x80
283	PKCS7_DETACHED = 0x40
284	PKCS7_NOATTR = 0x100
285
286	bio_in = crypto._new_mem_buf(buf)
287	p7 = crypto._lib.PKCS7_sign(crt._x509, pkey._pkey, crypto._ffi.NULL, bio_in,
288	PKCS7_BINARY\|PKCS7_DETACHED\|PKCS7_NOATTR)
289	bio_out = crypto._new_mem_buf()
290	crypto._lib.i2d_PKCS7_bio(bio_out, p7)
291	return crypto._bio_to_string(bio_out)
292
293	# UEFI 2.8 Errata B "8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2 descriptor"
294	def cmd_sign(args):
4961ceef	295	guid, name, attrs, data, _ = parse_args(args)
73253d77 PA	296	attrs \|= EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
	297	efi = EfiStruct()
	298
	299	tm = time.localtime()
	300	etime = struct.pack(efi.var_time_fmt,
	301	tm.tm_year, tm.tm_mon, tm.tm_mday,
	302	tm.tm_hour, tm.tm_min, tm.tm_sec,
	303	0, 0, 0, 0, 0)
	304
	305	buf = name.encode('utf_16_le') + uuid.UUID(guid).bytes_le + attrs.to_bytes(4, byteorder='little') + etime
	306	if data:
	307	buf += data
	308	sig = pkcs7_sign(args.cert, args.key, buf)
	309
	310	desc = struct.pack(efi.var_win_cert_uefi_guid_fmt,
	311	efi.var_win_cert_uefi_guid_size + len(sig),
	312	WIN_CERT_REVISION,
	313	WIN_CERT_TYPE_EFI_GUID,
	314	uuid.UUID(EFI_CERT_TYPE_PKCS7_GUID).bytes_le)
	315
	316	with open(args.outfile, 'wb') as f:
	317	if data:
	318	f.write(etime + desc + sig + data)
	319	else:
	320	f.write(etime + desc + sig)
	321
	322	def main():
	323	ap = argparse.ArgumentParser(description='EFI variable store utilities')
	324	subp = ap.add_subparsers(help="sub-command help")
	325
	326	printp = subp.add_parser('print', help='get/list EFI variables')
	327	printp.add_argument('--infile', '-i', required=True, help='file to save the EFI variables')
	328	printp.add_argument('--name', '-n', help='variable name')
	329	printp.add_argument('--guid', '-g', help='vendor GUID')
	330	printp.set_defaults(func=cmd_print)
	331
	332	setp = subp.add_parser('set', help='set EFI variable')
	333	setp.add_argument('--infile', '-i', required=True, help='file to save the EFI variables')
	334	setp.add_argument('--name', '-n', required=True, help='variable name')
	335	setp.add_argument('--attrs', '-a', help='variable attributes (values: nv,bs,rt,at,ro,aw)')
	336	setp.add_argument('--guid', '-g', help="vendor GUID (default: %s)"%EFI_GLOBAL_VARIABLE_GUID)
	337	setp.add_argument('--type', '-t', help='variable type (values: file\|u8\|u16\|u32\|u64\|str)')
	338	setp.add_argument('--data', '-d', help='data or filename')
	339	setp.set_defaults(func=cmd_set)
	340
	341	delp = subp.add_parser('del', help='delete EFI variable')
	342	delp.add_argument('--infile', '-i', required=True, help='file to save the EFI variables')
	343	delp.add_argument('--name', '-n', required=True, help='variable name')
	344	delp.add_argument('--attrs', '-a', help='variable attributes (values: nv,bs,rt,at,ro,aw)')
	345	delp.add_argument('--guid', '-g', help="vendor GUID (default: %s)"%EFI_GLOBAL_VARIABLE_GUID)
	346	delp.set_defaults(func=cmd_del)
	347
	348	signp = subp.add_parser('sign', help='sign time-based EFI payload')
	349	signp.add_argument('--cert', '-c', required=True, help='x509 certificate filename in PEM format')
	350	signp.add_argument('--key', '-k', required=True, help='signing certificate filename in PEM format')
	351	signp.add_argument('--name', '-n', required=True, help='variable name')
	352	signp.add_argument('--attrs', '-a', help='variable attributes (values: nv,bs,rt,at,ro,aw)')
	353	signp.add_argument('--guid', '-g', help="vendor GUID (default: %s)"%EFI_GLOBAL_VARIABLE_GUID)
	354	signp.add_argument('--type', '-t', required=True, help='variable type (values: file\|u8\|u16\|u32\|u64\|str\|nil)')
	355	signp.add_argument('--data', '-d', help='data or filename')
	356	signp.add_argument('--outfile', '-o', required=True, help='output filename of signed EFI payload')
	357	signp.set_defaults(func=cmd_sign)
	358
	359	args = ap.parse_args()
4f6ec775 HS	360	if hasattr(args, "func"):
	361	args.func(args)
	362	else:
	363	ap.print_help()
73253d77 PA	364
	365	def group(a, *ns):
	366	for n in ns:
	367	a = [a[i:i+n] for i in range(0, len(a), n)]
	368	return a
	369
	370	def join(a, *cs):
	371	return [cs[0].join(join(t, *cs[1:])) for t in a] if cs else a
	372
	373	def hexdump(data):
	374	toHex = lambda c: '{:02X}'.format(c)
	375	toChr = lambda c: chr(c) if 32 <= c < 127 else '.'
	376	make = lambda f, cs: join(group(list(map(f, data)), 8, 2), cs)
	377	hs = make(toHex, ' ', ' ')
	378	cs = make(toChr, ' ', '')
	379	for i, (h, c) in enumerate(zip(hs, cs)):
	380	print (' {:010X}: {:48} {:16}'.format(i * 16, h, c))
	381
	382	if __name__ == '__main__':
	383	main()