Cryptographic Validation For Authenticated Variables#327
Draft
Flickdm wants to merge 16 commits intomicrosoft:mainfrom
Draft
Cryptographic Validation For Authenticated Variables#327Flickdm wants to merge 16 commits intomicrosoft:mainfrom
Flickdm wants to merge 16 commits intomicrosoft:mainfrom
Conversation
…validation - Renamed script to validate_kek.py to reflect broader functionality - Added validate_single_kek() function to validate individual KEK files - Updated main() to detect and handle both file and folder inputs - Improved output messages: 'Cryptographic Signature: VALID/INVALID' and 'Expected Payload: True/False' - JSON output always generated for CI integration - Preserves git history through git mv
- Created validate-kek-updates.yml workflow that runs on PRs - Triggers when .bin files in KEK directories are added or modified - Validates cryptographic signatures and payloads for all changed KEK files - Fails CI if any KEK has an invalid signature - Warns (but doesn't fail) if payload doesn't match expected hash - Uploads validation results as artifacts - Adds detailed summary to PR with pass/fail status for each file
There was a problem hiding this comment.
Pull request overview
This pull request adds cryptographic verification capabilities to the UEFI authenticated variable tools by introducing a new verify command, a batch validation script, and automated CI workflow validation.
- Adds
verifycommand toauth_var_tool.pywith PKCS7 signature verification - Creates
validate_kek.pyscript for batch validation of KEK update files - Implements GitHub Actions workflow for automated KEK validation on pull requests
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| scripts/auth_var_tool.py | Adds cryptographic verification functionality with new verify command, PKCS7 certificate extraction, signature verification helpers, and enhanced describe output with human-readable hex strings |
| scripts/validate_kek.py | New script for validating KEK update files (single or batch) with JSON reporting, payload hash checking, and cryptographic signature verification |
| .github/workflows/validate-kek-updates.yml | New GitHub Actions workflow to automatically validate KEK files in pull requests, checking cryptographic signatures and expected payloads |
Comments suppressed due to low confidence (1)
scripts/auth_var_tool.py:669
- This import of module re is redundant, as it was previously imported on line 49.
import re
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Flickdm
changed the title
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This pull request adds a new "verify" command to the
auth_var_tool.pyscript, enhancing its ability to cryptographically verify UEFI authenticated variables. It also improves the output of the "describe" command by converting hex-encoded certificate fields into human-readable text. The most important changes are summarized below:New Verification Functionality:
verifycommand that verifies the cryptographic signature of authenticated variables, checking PKCS7 structure validity, signature correctness, and presence of the signing certificate. This includes new helper functions for extracting certificates and verifying signatures from PKCS7 data. [1] [2] [3] [4] [5] [6]Improvements to Describe Output:
describecommand to convert ASN.1 hex-encoded certificate fields (such as subject and issuer names) into human-readable strings, making the output more user-friendly. [1] [2]Documentation and Usage Examples:
verifycommand and its arguments, ensuring users are aware of the new functionality. [1] [2]These changes make the tool more robust for workflows that require verification of signed UEFI variables and improve the clarity of output for certificate inspection.
For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
How This Was Tested
Against every supplied KEK update
Appears to have caught a couple mistakes, reviewing them internally
Integration Instructions
N/A