CreateVault: Fix sign.command and update signing docs

Fix operation of `sign.command` when printable characters occur immediately before `=BEGIN OC VAULT=`. `strings` finds the location of the first printable character in such a sequence. `hexdump` automatically works on 16 byte boundaries, so still finds the correct offset. Use `BASE_ALIGNAS` to enforce the required alignment, which will not be correct on all builds unless enforced (note alignment is required purely for locating the structure correctly from external script as above, not for reading in C). Remove struct packing, since structs had better be naturally packed anyway (if not, reading from them without arbitrary-alignment-safe code, as we do, would be undefined behaviour). Add static asserts to confirm expected size as required by `sign.command`. Update the docs to refer to `sign.command` rather than to include the signing commands explicitly - otherwise we have two places that need to be kept in sync for signing commands, and note that the commands in the two places were already out of sync. Signed-off-by: Mike Beaton <mjsbeaton@gmail.com>
acidanthera · Nov 26, 2024 · 35bcb13 · 35bcb13
1 parent c7779e7
commit 35bcb13
Show file tree

Hide file tree

Showing 9 changed files with 33 additions and 28 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -6,6 +6,7 @@ OpenCore Changelog
 - Added Arrow Lake CPU detection
 - Fixed Raptor Lake CPU detection
 - Supported booting with TuneD in Fedora 41 in OpenLinuxBoot
+- Fixed failure of vault `sign.command` to insert signature in correct location in some circumstances
 
 #### v1.0.2
 - Fixed error in macrecovery when running headless, thx @mkorje

diff --git a/Docs/Configuration.md5 b/Docs/Configuration.md5
@@ -1 +1 @@
-803349296249f30c802a43fbe92926c6
+fa42399c09fbdc260b41745484b4a752
diff --git a/Docs/Configuration.pdf b/Docs/Configuration.pdf
diff --git a/Docs/Configuration.tex b/Docs/Configuration.tex
@@ -4724,7 +4724,7 @@ \subsection{Security Properties}\label{miscsecurityprops}
   \href{https://github.com/acidanthera/OpenCorePkg/tree/master/Utilities/CreateVault}{RsaTool}.
 
 
-  The complete set of commands to:
+  The steps to binary patch \texttt{OpenCore.efi} are:
 
   \begin{itemize}
   \tightlist
@@ -4734,14 +4734,9 @@ \subsection{Security Properties}\label{miscsecurityprops}
   \item Create \texttt{vault.sig}.
   \end{itemize}
 
-  Can look as follows:
+  A script to do this is privided in OpenCore releases:
 \begin{lstlisting}[label=createvault, style=ocbash]
-cd /Volumes/EFI/EFI/OC
-/path/to/create_vault.sh .
-/path/to/RsaTool -sign vault.plist vault.sig vault.pub
-off=$(($(strings -a -t d OpenCore.efi | grep "=BEGIN OC VAULT=" | cut -f1 -d' ')+16))
-dd of=OpenCore.efi if=vault.pub bs=1 seek=$off count=528 conv=notrunc
-rm vault.pub
+/Utilities/CreateVault/sign.command /Volumes/EFI/EFI/OC
 \end{lstlisting}
 
   \emph{Note 1}: While it may appear obvious, an external

diff --git a/Docs/Differences/Differences.pdf b/Docs/Differences/Differences.pdf
diff --git a/Docs/Differences/Differences.tex b/Docs/Differences/Differences.tex
@@ -1,7 +1,7 @@
 \documentclass[]{article}
 %DIF LATEXDIFF DIFFERENCE FILE
-%DIF DEL PreviousConfiguration.tex   Sat Nov  9 05:47:31 2024
-%DIF ADD ../Configuration.tex        Wed Nov 20 08:35:03 2024
+%DIF DEL PreviousConfiguration.tex   Tue Nov 26 03:15:30 2024
+%DIF ADD ../Configuration.tex        Tue Nov 26 03:15:30 2024
 
 \usepackage{lmodern}
 \usepackage{amssymb,amsmath}
@@ -4785,7 +4785,7 @@ \subsection{Security Properties}\label{miscsecurityprops}
   \href{https://github.com/acidanthera/OpenCorePkg/tree/master/Utilities/CreateVault}{RsaTool}.
 
 
-  The complete set of commands to:
+  The \DIFdelbegin \DIFdel{complete set of commands to }\DIFdelend \DIFaddbegin \DIFadd{steps to binary patch }\texttt{\DIFadd{OpenCore.efi}} \DIFadd{are}\DIFaddend :
 
   \begin{itemize}
   \tightlist
@@ -4795,15 +4795,18 @@ \subsection{Security Properties}\label{miscsecurityprops}
   \item Create \texttt{vault.sig}.
   \end{itemize}
 
-  Can look as follows:
-\begin{lstlisting}[label=createvault, style=ocbash]
-cd /Volumes/EFI/EFI/OC
-/path/to/create_vault.sh .
-/path/to/RsaTool -sign vault.plist vault.sig vault.pub
-off=$(($(strings -a -t d OpenCore.efi | grep "=BEGIN OC VAULT=" | cut -f1 -d' ')+16))
-dd of=OpenCore.efi if=vault.pub bs=1 seek=$off count=528 conv=notrunc
-rm vault.pub
+  \DIFdelbegin \DIFdel{Can look as follows}\DIFdelend \DIFaddbegin \DIFadd{A script to do this is privided in OpenCore releases}\DIFaddend :
+\DIFmodbegin
+\begin{lstlisting}[label=createvault, style=ocbash,alsolanguage=DIFcode]
+%DIF < cd /Volumes/EFI/EFI/OC
+%DIF < /path/to/create_vault.sh .
+%DIF < /path/to/RsaTool -sign vault.plist vault.sig vault.pub
+%DIF < off=$(($(strings -a -t d OpenCore.efi | grep "=BEGIN OC VAULT=" | cut -f1 -d' ')+16))
+%DIF < dd of=OpenCore.efi if=vault.pub bs=1 seek=$off count=528 conv=notrunc
+%DIF < rm vault.pub
+%DIF > /Utilities/CreateVault/sign.command /Volumes/EFI/EFI/OC
 \end{lstlisting}
+\DIFmodend
 
   \emph{Note 1}: While it may appear obvious, an external
   method is required to verify \texttt{OpenCore.efi} and \texttt{BOOTx64.efi} for

diff --git a/Docs/Errata/Errata.pdf b/Docs/Errata/Errata.pdf
diff --git a/Library/OcMainLib/OpenCoreVault.c b/Library/OcMainLib/OpenCoreVault.c
@@ -14,24 +14,21 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 
 #include <Library/OcMainLib.h>
 
-#pragma pack(push, 1)
-
-typedef PACKED struct {
+typedef struct {
   OC_RSA_PUBLIC_KEY_HDR    Hdr;
   UINT64                   Data[(2 * (2048 / OC_CHAR_BIT)) / sizeof (UINT64)];
 } OC_RSA_PUBLIC_KEY_2048;
 
-typedef PACKED struct {
+typedef struct {
   CHAR8                     StartMagic[16];
   OC_RSA_PUBLIC_KEY_2048    VaultKey;
   CHAR8                     EndMagic[16];
 } OC_BUILTIN_VAULT_KEY;
 
-#pragma pack(pop)
-
+BASE_ALIGNAS (16)
 STATIC
 OC_BUILTIN_VAULT_KEY
-  mOpenCoreVaultKey = {
+mOpenCoreVaultKey = {
   .StartMagic = { '=', 'B', 'E', 'G', 'I', 'N', ' ', 'O', 'C', ' ', 'V', 'A', 'U', 'L', 'T', '=' },
   .EndMagic   = { '=', '=', 'E', 'N', 'D', ' ', 'O', 'C', ' ', 'V', 'A', 'U', 'L', 'T', '=', '=' }
 };
@@ -44,6 +41,15 @@ OcGetVaultKey (
   UINT32   Index;
   BOOLEAN  AllZero;
 
+  STATIC_ASSERT (
+    sizeof (OC_RSA_PUBLIC_KEY_2048) == 528,
+    "sizeof(OC_RSA_PUBLIC_KEY_2048)"
+    );
+  STATIC_ASSERT (
+    sizeof (OC_BUILTIN_VAULT_KEY) == sizeof (OC_RSA_PUBLIC_KEY_2048) + 32,
+    "sizeof(OC_BUILTIN_VAULT_KEY)"
+    );
+
   //
   // TODO: Perhaps try to get the key from firmware too?
   //

diff --git a/Utilities/CreateVault/sign.command b/Utilities/CreateVault/sign.command
@@ -61,7 +61,7 @@ echo "Signing ${OCBin}..."
 ./RsaTool -sign "${OCPath}/vault.plist" "${OCPath}/vault.sig" "${PubKey}" || abort "Failed to patch ${PubKey}"
 
 echo "Bin-patching ${OCBin}..."
-off=$(($(/usr/bin/strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}') + 16))
+off=$((0x$(/usr/bin/hexdump -C "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}') + 16))
 if [ "${off}" -le 16 ]; then
   abort "${OCBin} is borked"
 fi
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		803349296249f30c802a43fbe92926c6
		fa42399c09fbdc260b41745484b4a752