Parse UEFI variables db and dbx that contain signatures, certificates and hashes. On a Linux system using UEFI, these variables are readable from /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f, /sys/firmware/efi/efivars/dbDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c, /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f and /sys/firmware/efi/efivars/dbxDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c. ("d719b2cb-3d3a-4596-a3bc-dad00e67656f" is defined as EFI_IMAGE_SECURITY_DATABASE_GUID and "8be4df61-93ca-11d2-aa0d-00e098032b8c" as EFI_GLOBAL_VARIABLE). Each file contains an EFI attribute (32-bit integer) followed by a list of EFI_SIGNATURE_LIST structures.
This page hosts a formal specification of UEFI Variable with Signature List using Kaitai Struct. This specification can be automatically translated into a variety of programming languages to get a parsing library.
All parsing code for C++11/STL generated by Kaitai Struct depends on the C++/STL runtime library. You have to install it before you can parse data.
For C++, the easiest way is to clone the runtime library sources and build them along with your project.
Using Kaitai Struct in C++/STL usually consists of 3 steps.
std::istream
). One can open a local file for that, or use an existing std::string or char* buffer.
#include <fstream>
// Open in binary mode: the variable is raw bytes, so no newline translation may apply.
std::ifstream is("path/to/local/file.bin", std::ifstream::binary);
#include <sstream>
// Wrap an in-memory std::string (str) that already holds the variable contents.
std::istringstream is(str);
#include <sstream>
// Copy a raw char buffer into a std::string first. Passing sizeof buf keeps
// embedded NUL bytes, which a NUL-terminated constructor would truncate at.
const char buf[] = { ... };
std::string str(buf, sizeof buf);
std::istringstream is(str);
#include "kaitai/kaitaistream.h"
// The Kaitai stream wraps the std::istream by pointer, so `is` must outlive `ks`
// (presumably non-owning — confirm against the runtime's kstream constructor).
kaitai::kstream ks(&is);
// All parsing happens inside the constructor; errors in malformed input
// presumably surface as exceptions thrown from here — TODO confirm.
efivar_signature_list_t data(&ks);
After that, one can get various attributes from the structure by invoking getter methods like:
data.var_attributes() // => Attributes of the UEFI variable
#pragma once
// This is a generated file! Please edit source .ksy file and use kaitai-struct-compiler to rebuild
#include "kaitai/kaitaistruct.h"
#include <stdint.h>
#include <memory>
#include <vector>
#if KAITAI_STRUCT_VERSION < 9000L
#error "Incompatible Kaitai Struct C++/STL API: version 0.9 or later is required"
#endif
/**
* Parse UEFI variables db and dbx that contain signatures, certificates and
* hashes. On a Linux system using UEFI, these variables are readable from
* /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f,
* /sys/firmware/efi/efivars/dbDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c,
* /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f and
* /sys/firmware/efi/efivars/dbxDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c.
* ("d719b2cb-3d3a-4596-a3bc-dad00e67656f" is defined as
* EFI_IMAGE_SECURITY_DATABASE_GUID and "8be4df61-93ca-11d2-aa0d-00e098032b8c"
* as EFI_GLOBAL_VARIABLE).
* Each file contains an EFI attribute (32-bit integer) followed by a list of
* EFI_SIGNATURE_LIST structures.
* \sa https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf Source
*/
class efivar_signature_list_t : public kaitai::kstruct {
public:
    class signature_list_t;
    class signature_data_t;
    class efi_var_attr_t;

    /**
     * Parses the whole variable from p__io in the constructor (via _read):
     * the leading 32-bit attribute word, then EFI_SIGNATURE_LIST records
     * until end of stream. This type is its own root, so p__root is
     * accepted only for signature uniformity with the nested types.
     * Malformed or truncated input presumably surfaces as an exception from
     * the runtime's read_* calls — TODO confirm against kaitai::kstream.
     */
    efivar_signature_list_t(kaitai::kstream* p__io, kaitai::kstruct* p__parent = nullptr, efivar_signature_list_t* p__root = nullptr);

private:
    void _read();
    void _clean_up();

public:
    ~efivar_signature_list_t();

    /**
     * One EFI_SIGNATURE_LIST: a 16-byte SignatureType GUID, three
     * little-endian UINT32 sizes (28 bytes of fixed header), an optional
     * signature header, then an array of equally sized EFI_SIGNATURE_DATA
     * entries. The is_cert_* accessors classify the list by comparing
     * SignatureType against the well-known EFI_CERT_* GUIDs; each is
     * evaluated on first call and memoised (f_* = "computed", m_* = cached
     * result). All sizes are read from the input and should be treated as
     * untrusted by callers.
     * \sa EFI_SIGNATURE_LIST
     */
    class signature_list_t : public kaitai::kstruct {
    public:
        signature_list_t(kaitai::kstream* p__io, efivar_signature_list_t* p__parent = nullptr, efivar_signature_list_t* p__root = nullptr);

    private:
        void _read();
        void _clean_up();

    public:
        ~signature_list_t();

    private:
        bool f_is_cert_sha512_x509;
        bool m_is_cert_sha512_x509;

    public:
        /**
         * SHA512 hash of an X.509 certificate's To-Be-Signed contents, and a time of revocation
         * \sa EFI_CERT_X509_SHA512_GUID
         */
        bool is_cert_sha512_x509();

    private:
        bool f_is_cert_sha224;
        bool m_is_cert_sha224;

    public:
        /**
         * SHA-224 hash
         * \sa EFI_CERT_SHA224_GUID
         */
        bool is_cert_sha224();

    private:
        bool f_is_cert_x509;
        bool m_is_cert_x509;

    public:
        /**
         * X.509 certificate (DER-encoded, carried in signature_data_t::data)
         * \sa EFI_CERT_X509_GUID
         */
        bool is_cert_x509();

    private:
        bool f_is_cert_sha256_x509;
        bool m_is_cert_sha256_x509;

    public:
        /**
         * SHA256 hash of an X.509 certificate's To-Be-Signed contents, and a time of revocation
         * \sa EFI_CERT_X509_SHA256_GUID
         */
        bool is_cert_sha256_x509();

    private:
        bool f_is_cert_rsa2048_key;
        bool m_is_cert_rsa2048_key;

    public:
        /**
         * RSA-2048 key (only the modulus since the public key exponent is known to be 0x10001)
         * \sa EFI_CERT_RSA2048_GUID
         */
        bool is_cert_rsa2048_key();

    private:
        bool f_is_cert_sha512;
        bool m_is_cert_sha512;

    public:
        /**
         * SHA-512 hash
         * \sa EFI_CERT_SHA512_GUID
         */
        bool is_cert_sha512();

    private:
        bool f_is_cert_sha384;
        bool m_is_cert_sha384;

    public:
        /**
         * SHA-384 hash
         * \sa EFI_CERT_SHA384_GUID
         */
        bool is_cert_sha384();

    private:
        bool f_is_cert_sha1;
        bool m_is_cert_sha1;

    public:
        /**
         * SHA-1 hash. SHA-1 is no longer collision resistant; entries of this
         * type in db are worth flagging during an audit.
         * \sa EFI_CERT_SHA1_GUID
         */
        bool is_cert_sha1();

    private:
        bool f_is_cert_rsa2048_sha1;
        bool m_is_cert_rsa2048_sha1;

    public:
        /**
         * RSA-2048 signature of a SHA-1 hash
         * \sa EFI_CERT_RSA2048_SHA1_GUID
         */
        bool is_cert_rsa2048_sha1();

    private:
        bool f_is_cert_sha256;
        bool m_is_cert_sha256;

    public:
        /**
         * SHA-256 hash (the type used by most dbx revocation entries)
         * \sa EFI_CERT_SHA256_GUID
         */
        bool is_cert_sha256();

    private:
        bool f_is_cert_sha384_x509;
        bool m_is_cert_sha384_x509;

    public:
        /**
         * SHA384 hash of an X.509 certificate's To-Be-Signed contents, and a time of revocation
         * \sa EFI_CERT_X509_SHA384_GUID
         */
        bool is_cert_sha384_x509();

    private:
        bool f_is_cert_rsa2048_sha256;
        bool m_is_cert_rsa2048_sha256;

    public:
        /**
         * RSA-2048 signature of a SHA-256 hash
         * \sa EFI_CERT_RSA2048_SHA256_GUID
         */
        bool is_cert_rsa2048_sha256();

    private:
        bool f_is_cert_der_pkcs7;
        bool m_is_cert_der_pkcs7;

    public:
        /**
         * DER-encoded PKCS #7 version 1.5 [RFC2315]
         * \sa EFI_CERT_TYPE_PKCS7_GUID
         */
        bool is_cert_der_pkcs7();

    private:
        std::string m_signature_type;
        uint32_t m_len_signature_list;
        uint32_t m_len_signature_header;
        uint32_t m_len_signature;
        std::string m_header;
        // Parsed entries; stays null when len_signature == 0 (n_signatures is
        // then true).
        std::unique_ptr<std::vector<std::unique_ptr<signature_data_t>>> m_signatures;
        bool n_signatures;

    public:
        bool _is_null_signatures() { signatures(); return n_signatures; };

    private:
        efivar_signature_list_t* m__root;
        efivar_signature_list_t* m__parent;
        // Raw len_signature-byte slice of every entry. Each signature_data_t is
        // parsed from a substream built over one of these slices.
        std::unique_ptr<std::vector<std::string>> m__raw_signatures;
        // Mirrors n_signatures for the raw slices; must be assigned wherever
        // n_signatures is, otherwise _is_null__raw_signatures() is unreliable.
        bool n__raw_signatures;

    public:
        bool _is_null__raw_signatures() { _raw_signatures(); return n__raw_signatures; };

    private:
        // Owns the per-entry substreams for the lifetime of this list.
        std::unique_ptr<std::vector<std::unique_ptr<kaitai::kstream>>> m__io__raw_signatures;

    public:
        /**
         * Type of the signature as a GUID: the 16 raw bytes exactly as stored
         * in the variable (on-disk EFI GUID layout), returned by value.
         */
        std::string signature_type() const { return m_signature_type; }
        /**
         * Total size of the signature list, including this header
         * (SignatureListSize). Taken from the input; not validated by this getter.
         */
        uint32_t len_signature_list() const { return m_len_signature_list; }
        /**
         * Size of the signature header which precedes the array of signatures
         * (SignatureHeaderSize). Presumably 0 for the standard EFI_CERT_* types —
         * verify against the spec.
         */
        uint32_t len_signature_header() const { return m_len_signature_header; }
        /**
         * Size of each signature (SignatureSize): owner GUID plus data. A value
         * of 0 means the list carries no entries and signatures() is null.
         */
        uint32_t len_signature() const { return m_len_signature; }
        /**
         * Header before the array of signatures; len_signature_header() bytes,
         * returned by value.
         */
        std::string header() const { return m_header; }
        /**
         * An array of signatures. Non-owning pointer, valid for the lifetime
         * of this object; nullptr when len_signature() == 0.
         */
        std::vector<std::unique_ptr<signature_data_t>>* signatures() const { return m_signatures.get(); }
        efivar_signature_list_t* _root() const { return m__root; }
        efivar_signature_list_t* _parent() const { return m__parent; }
        /** Raw bytes of every entry; nullptr when len_signature() == 0. */
        std::vector<std::string>* _raw_signatures() const { return m__raw_signatures.get(); }
        /** Substream each entry was parsed from; nullptr when len_signature() == 0. */
        std::vector<std::unique_ptr<kaitai::kstream>>* _io__raw_signatures() const { return m__io__raw_signatures.get(); }
    };

    /**
     * One EFI_SIGNATURE_DATA entry: a 16-byte SignatureOwner GUID followed by
     * the signature payload, whose encoding depends on the enclosing list's
     * SignatureType. Each entry is parsed from its own substream covering
     * exactly len_signature bytes of the list.
     * \sa EFI_SIGNATURE_DATA
     */
    class signature_data_t : public kaitai::kstruct {
    public:
        signature_data_t(kaitai::kstream* p__io, efivar_signature_list_t::signature_list_t* p__parent = nullptr, efivar_signature_list_t* p__root = nullptr);

    private:
        void _read();
        void _clean_up();

    public:
        ~signature_data_t();

    private:
        std::string m_owner;
        std::string m_data;
        efivar_signature_list_t* m__root;
        efivar_signature_list_t::signature_list_t* m__parent;

    public:
        /**
         * An identifier which identifies the agent which added the signature to the list
         * (SignatureOwner, 16 raw GUID bytes, returned by value).
         */
        std::string owner() const { return m_owner; }
        /**
         * The format of the signature is defined by the SignatureType.
         * Holds the remainder of the entry after the owner GUID, returned by value.
         */
        std::string data() const { return m_data; }
        efivar_signature_list_t* _root() const { return m__root; }
        efivar_signature_list_t::signature_list_t* _parent() const { return m__parent; }
    };

    /**
     * Attributes of a UEFI variable: the 32-bit attribute word that precedes
     * the signature lists in the efivars file. The flag fields are consumed
     * bit by bit from the first byte (most significant bit first), so the
     * getters below map to the 0x80 .. 0x01 bits of that byte in declaration
     * order; the remaining 24 bits are exposed as reserved1.
     */
    class efi_var_attr_t : public kaitai::kstruct {
    public:
        efi_var_attr_t(kaitai::kstream* p__io, efivar_signature_list_t* p__parent = nullptr, efivar_signature_list_t* p__root = nullptr);

    private:
        void _read();
        void _clean_up();

    public:
        ~efi_var_attr_t();

    private:
        bool m_enhanced_authenticated_access;
        bool m_append_write;
        bool m_time_based_authenticated_write_access;
        bool m_authenticated_write_access;
        bool m_hardware_error_record;
        bool m_runtime_access;
        bool m_bootservice_access;
        bool m_non_volatile;
        uint64_t m_reserved1;
        efivar_signature_list_t* m__root;
        efivar_signature_list_t* m__parent;

    public:
        /** EFI_VARIABLE_ENHANCED_AUTHENTICATED_ACCESS (0x80 of the first byte). */
        bool enhanced_authenticated_access() const { return m_enhanced_authenticated_access; }
        /** EFI_VARIABLE_APPEND_WRITE (0x40). */
        bool append_write() const { return m_append_write; }
        /** EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS (0x20). */
        bool time_based_authenticated_write_access() const { return m_time_based_authenticated_write_access; }
        /** EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS (0x10). */
        bool authenticated_write_access() const { return m_authenticated_write_access; }
        /** EFI_VARIABLE_HARDWARE_ERROR_RECORD (0x08). */
        bool hardware_error_record() const { return m_hardware_error_record; }
        /** EFI_VARIABLE_RUNTIME_ACCESS (0x04). */
        bool runtime_access() const { return m_runtime_access; }
        /** EFI_VARIABLE_BOOTSERVICE_ACCESS (0x02). */
        bool bootservice_access() const { return m_bootservice_access; }
        /** EFI_VARIABLE_NON_VOLATILE (0x01). */
        bool non_volatile() const { return m_non_volatile; }
        /**
         * Reserved (unused) bits: the remaining 24 bits of the attribute word.
         */
        uint64_t reserved1() const { return m_reserved1; }
        efivar_signature_list_t* _root() const { return m__root; }
        efivar_signature_list_t* _parent() const { return m__parent; }
    };

private:
    std::unique_ptr<efi_var_attr_t> m_var_attributes;
    std::unique_ptr<std::vector<std::unique_ptr<signature_list_t>>> m_signatures;
    efivar_signature_list_t* m__root;
    kaitai::kstruct* m__parent;

public:
    /**
     * Attributes of the UEFI variable. Non-owning pointer, valid for the
     * lifetime of this object.
     */
    efi_var_attr_t* var_attributes() const { return m_var_attributes.get(); }
    /**
     * Every EFI_SIGNATURE_LIST parsed from the variable, in file order.
     * Non-owning pointer; the vector is always allocated by _read and is
     * empty when the input ends right after the attribute word.
     */
    std::vector<std::unique_ptr<signature_list_t>>* signatures() const { return m_signatures.get(); }
    efivar_signature_list_t* _root() const { return m__root; }
    kaitai::kstruct* _parent() const { return m__parent; }
};
// This is a generated file! Please edit source .ksy file and use kaitai-struct-compiler to rebuild
#include "efivar_signature_list.h"

#include <stdexcept>
efivar_signature_list_t::efivar_signature_list_t(kaitai::kstream* p__io, kaitai::kstruct* p__parent, efivar_signature_list_t* p__root) : kaitai::kstruct(p__io) {
    // The top-level type is always its own root; p__root is ignored on purpose.
    m__root = this;
    m__parent = p__parent;
    // Owned members start out empty and are populated by _read().
    m_var_attributes.reset();
    m_signatures.reset();
    _read();
}
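void efivar_signature_list_t::_read() {
    // File layout: one 32-bit attribute word, then EFI_SIGNATURE_LIST records
    // back to back. There is no count field, so end-of-stream is the only
    // terminator; a truncated final list presumably fails inside
    // signature_list_t's constructor with an exception from the runtime.
    m_var_attributes = std::unique_ptr<efi_var_attr_t>(new efi_var_attr_t(m__io, this, m__root));
    m_signatures = std::unique_ptr<std::vector<std::unique_ptr<signature_list_t>>>(new std::vector<std::unique_ptr<signature_list_t>>());
    // The generated code carried an unused loop counter; the list has no
    // index-dependent fields, so the position is never needed.
    while (!m__io->is_eof()) {
        m_signatures->push_back(std::unique_ptr<signature_list_t>(new signature_list_t(m__io, this, m__root)));
    }
}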
// Delegates to _clean_up(); all owned storage is released by unique_ptr members.
efivar_signature_list_t::~efivar_signature_list_t() { _clean_up(); }
void efivar_signature_list_t::_clean_up() {
    // Nothing to release by hand: m_var_attributes and m_signatures are
    // std::unique_ptr members and free themselves.
}
efivar_signature_list_t::signature_list_t::signature_list_t(kaitai::kstream* p__io, efivar_signature_list_t* p__parent, efivar_signature_list_t* p__root) : kaitai::kstruct(p__io) {
    m__root = p__root;
    m__parent = p__parent;
    // Owned containers start out null; _read() only allocates them when the
    // list actually carries entries (len_signature > 0).
    m_signatures.reset();
    m__raw_signatures.reset();
    m__io__raw_signatures.reset();
    // Memoisation flags of the lazily evaluated is_cert_* accessors. The
    // matching m_is_cert_* values are computed on first call.
    bool* const memo_flags[] = {
        &f_is_cert_sha512_x509, &f_is_cert_sha224,      &f_is_cert_x509,
        &f_is_cert_sha256_x509, &f_is_cert_rsa2048_key, &f_is_cert_sha512,
        &f_is_cert_sha384,      &f_is_cert_sha1,        &f_is_cert_rsa2048_sha1,
        &f_is_cert_sha256,      &f_is_cert_sha384_x509, &f_is_cert_rsa2048_sha256,
        &f_is_cert_der_pkcs7,
    };
    for (bool* flag : memo_flags) {
        *flag = false;
    }
    _read();
}
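void efivar_signature_list_t::signature_list_t::_read() {
    // Fixed EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes) followed
    // by SignatureListSize, SignatureHeaderSize and SignatureSize as
    // little-endian UINT32 — 28 bytes in total.
    const uint32_t fixed_header_bytes = 28;
    m_signature_type = m__io->read_bytes(16);
    m_len_signature_list = m__io->read_u4le();
    m_len_signature_header = m__io->read_u4le();
    m_len_signature = m__io->read_u4le();
    // Variable-length signature header; its size comes from the input and is
    // bounded only by what the runtime's read_bytes is willing to deliver.
    m_header = m__io->read_bytes(len_signature_header());
    // Both "null" markers track whether the entry arrays were populated.
    // n__raw_signatures was previously never assigned, so
    // _is_null__raw_signatures() returned an indeterminate value.
    n_signatures = true;
    n__raw_signatures = true;
    if (len_signature() > 0) {
        // Every size here is untrusted variable content. The entry area is
        // whatever is left of SignatureListSize after both headers; reject a
        // list that claims to be smaller than its own headers instead of
        // letting the uint32 subtraction wrap into a huge element count.
        if (len_signature_list() < fixed_header_bytes ||
            (len_signature_list() - fixed_header_bytes) < len_signature_header()) {
            throw std::runtime_error("efivar_signature_list: len_signature_list is smaller than the signature list headers");
        }
        const uint32_t entry_area = (len_signature_list() - fixed_header_bytes) - len_signature_header();
        // Integer division: trailing bytes of the area that do not form a whole
        // entry are left in the stream (as before) and would be consumed as the
        // start of the next list.
        const uint32_t l_signatures = entry_area / len_signature();
        n_signatures = false;
        n__raw_signatures = false;
        m__raw_signatures = std::unique_ptr<std::vector<std::string>>(new std::vector<std::string>());
        m__io__raw_signatures = std::unique_ptr<std::vector<std::unique_ptr<kaitai::kstream>>>(new std::vector<std::unique_ptr<kaitai::kstream>>());
        m_signatures = std::unique_ptr<std::vector<std::unique_ptr<signature_data_t>>>(new std::vector<std::unique_ptr<signature_data_t>>());
        // No reserve(): l_signatures is attacker-controlled, so the per-entry
        // read_bytes must be the first thing that fails on an oversized count.
        for (uint32_t i = 0; i < l_signatures; i++) {
            m__raw_signatures->push_back(m__io->read_bytes(len_signature()));
            // Take ownership of the per-entry substream before handing its raw
            // pointer to signature_data_t, so an exception while parsing the
            // entry cannot leak it (the original did new + emplace_back after).
            std::unique_ptr<kaitai::kstream> entry_io(new kaitai::kstream(m__raw_signatures->back()));
            kaitai::kstream* io__raw_signatures = entry_io.get();
            m__io__raw_signatures->push_back(std::move(entry_io));
            m_signatures->push_back(std::unique_ptr<signature_data_t>(new signature_data_t(io__raw_signatures, this, m__root)));
        }
    }
}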
// Delegates to _clean_up(); entries, raw slices and substreams are freed by
// their unique_ptr members.
efivar_signature_list_t::signature_list_t::~signature_list_t() { _clean_up(); }
void efivar_signature_list_t::signature_list_t::_clean_up() {
    // Nothing to release by hand: when n_signatures is false the entry
    // containers are std::unique_ptr members and free themselves.
}
bool efivar_signature_list_t::signature_list_t::is_cert_sha512_x509() {
    // Memoised: compare SignatureType with the 16 on-disk bytes of
    // EFI_CERT_X509_SHA512_GUID once, then serve the cached answer.
    if (!f_is_cert_sha512_x509) {
        const std::string guid("\x63\xBF\x6D\x44\x02\x25\xDA\x4C\xBC\xFA\x24\x65\xD2\xB0\xFE\x9D", 16);
        m_is_cert_sha512_x509 = (signature_type() == guid);
        f_is_cert_sha512_x509 = true;
    }
    return m_is_cert_sha512_x509;
}
bool efivar_signature_list_t::signature_list_t::is_cert_sha224() {
    // Memoised: compare SignatureType with the 16 on-disk bytes of
    // EFI_CERT_SHA224_GUID once, then serve the cached answer.
    if (!f_is_cert_sha224) {
        const std::string guid("\x33\x52\x6E\x0B\x5C\xA6\xC9\x44\x94\x07\xD9\xAB\x83\xBF\xC8\xBD", 16);
        m_is_cert_sha224 = (signature_type() == guid);
        f_is_cert_sha224 = true;
    }
    return m_is_cert_sha224;
}
bool efivar_signature_list_t::signature_list_t::is_cert_x509() {
    // Memoised: compare SignatureType with the 16 on-disk bytes of
    // EFI_CERT_X509_GUID once, then serve the cached answer.
    if (!f_is_cert_x509) {
        const std::string guid("\xA1\x59\xC0\xA5\xE4\x94\xA7\x4A\x87\xB5\xAB\x15\x5C\x2B\xF0\x72", 16);
        m_is_cert_x509 = (signature_type() == guid);
        f_is_cert_x509 = true;
    }
    return m_is_cert_x509;
}
bool efivar_signature_list_t::signature_list_t::is_cert_sha256_x509() {
    // Memoised: compare SignatureType with the 16 on-disk bytes of
    // EFI_CERT_X509_SHA256_GUID once, then serve the cached answer.
    if (!f_is_cert_sha256_x509) {
        const std::string guid("\x92\xA4\xD2\x3B\xC0\x96\x79\x40\xB4\x20\xFC\xF9\x8E\xF1\x03\xED", 16);
        m_is_cert_sha256_x509 = (signature_type() == guid);
        f_is_cert_sha256_x509 = true;
    }
    return m_is_cert_sha256_x509;
}
bool efivar_signature_list_t::signature_list_t::is_cert_rsa2048_key() {
    // Memoised: compare SignatureType with the 16 on-disk bytes of
    // EFI_CERT_RSA2048_GUID once, then serve the cached answer.
    if (!f_is_cert_rsa2048_key) {
        const std::string guid("\xE8\x66\x57\x3C\x9C\x26\x34\x4E\xAA\x14\xED\x77\x6E\x85\xB3\xB6", 16);
        m_is_cert_rsa2048_key = (signature_type() == guid);
        f_is_cert_rsa2048_key = true;
    }
    return m_is_cert_rsa2048_key;
}
bool efivar_signature_list_t::signature_list_t::is_cert_sha512() {
    // Memoised: compare SignatureType with the 16 on-disk bytes of
    // EFI_CERT_SHA512_GUID once, then serve the cached answer.
    if (!f_is_cert_sha512) {
        const std::string guid("\xAE\x0F\x3E\x09\xC4\xA6\x50\x4F\x9F\x1B\xD4\x1E\x2B\x89\xC1\x9A", 16);
        m_is_cert_sha512 = (signature_type() == guid);
        f_is_cert_sha512 = true;
    }
    return m_is_cert_sha512;
}
bool efivar_signature_list_t::signature_list_t::is_cert_sha384() {
    // Memoised: compare SignatureType with the 16 on-disk bytes of
    // EFI_CERT_SHA384_GUID once, then serve the cached answer.
    if (!f_is_cert_sha384) {
        const std::string guid("\x07\x53\x3E\xFF\xD0\x9F\xC9\x48\x85\xF1\x8A\xD5\x6C\x70\x1E\x01", 16);
        m_is_cert_sha384 = (signature_type() == guid);
        f_is_cert_sha384 = true;
    }
    return m_is_cert_sha384;
}
bool efivar_signature_list_t::signature_list_t::is_cert_sha1() {
    // Memoised: compare SignatureType with the 16 on-disk bytes of
    // EFI_CERT_SHA1_GUID once, then serve the cached answer. SHA-1 is a
    // legacy hash; lists of this type deserve a second look in an audit.
    if (!f_is_cert_sha1) {
        const std::string guid("\x12\xA5\x6C\x82\x10\xCF\xC9\x4A\xB1\x87\xBE\x01\x49\x66\x31\xBD", 16);
        m_is_cert_sha1 = (signature_type() == guid);
        f_is_cert_sha1 = true;
    }
    return m_is_cert_sha1;
}
bool efivar_signature_list_t::signature_list_t::is_cert_rsa2048_sha1() {
    // Memoised: compare SignatureType with the 16 on-disk bytes of
    // EFI_CERT_RSA2048_SHA1_GUID once, then serve the cached answer.
    if (!f_is_cert_rsa2048_sha1) {
        const std::string guid("\x4F\x44\xF8\x67\x43\x87\xF1\x48\xA3\x28\x1E\xAA\xB8\x73\x60\x80", 16);
        m_is_cert_rsa2048_sha1 = (signature_type() == guid);
        f_is_cert_rsa2048_sha1 = true;
    }
    return m_is_cert_rsa2048_sha1;
}
bool efivar_signature_list_t::signature_list_t::is_cert_sha256() {
    // Memoised: compare SignatureType with the 16 on-disk bytes of
    // EFI_CERT_SHA256_GUID once, then serve the cached answer.
    if (!f_is_cert_sha256) {
        const std::string guid("\x26\x16\xC4\xC1\x4C\x50\x92\x40\xAC\xA9\x41\xF9\x36\x93\x43\x28", 16);
        m_is_cert_sha256 = (signature_type() == guid);
        f_is_cert_sha256 = true;
    }
    return m_is_cert_sha256;
}
bool efivar_signature_list_t::signature_list_t::is_cert_sha384_x509() {
    // Memoised: compare SignatureType with the 16 on-disk bytes of
    // EFI_CERT_X509_SHA384_GUID once, then serve the cached answer.
    if (!f_is_cert_sha384_x509) {
        const std::string guid("\x6E\x87\x76\x70\xC2\x80\xE6\x4E\xAA\xD2\x28\xB3\x49\xA6\x86\x5B", 16);
        m_is_cert_sha384_x509 = (signature_type() == guid);
        f_is_cert_sha384_x509 = true;
    }
    return m_is_cert_sha384_x509;
}
bool efivar_signature_list_t::signature_list_t::is_cert_rsa2048_sha256() {
    // Memoised: compare SignatureType with the 16 on-disk bytes of
    // EFI_CERT_RSA2048_SHA256_GUID once, then serve the cached answer.
    if (!f_is_cert_rsa2048_sha256) {
        const std::string guid("\x90\x61\xB3\xE2\x9B\x87\x3D\x4A\xAD\x8D\xF2\xE7\xBB\xA3\x27\x84", 16);
        m_is_cert_rsa2048_sha256 = (signature_type() == guid);
        f_is_cert_rsa2048_sha256 = true;
    }
    return m_is_cert_rsa2048_sha256;
}
bool efivar_signature_list_t::signature_list_t::is_cert_der_pkcs7() {
    // Memoised: compare SignatureType with the 16 on-disk bytes of
    // EFI_CERT_TYPE_PKCS7_GUID once, then serve the cached answer.
    if (!f_is_cert_der_pkcs7) {
        const std::string guid("\x9D\xD2\xAF\x4A\xDF\x68\xEE\x49\x8A\xA9\x34\x7D\x37\x56\x65\xA7", 16);
        m_is_cert_der_pkcs7 = (signature_type() == guid);
        f_is_cert_der_pkcs7 = true;
    }
    return m_is_cert_der_pkcs7;
}
efivar_signature_list_t::signature_data_t::signature_data_t(kaitai::kstream* p__io, efivar_signature_list_t::signature_list_t* p__parent, efivar_signature_list_t* p__root) : kaitai::kstruct(p__io) {
    // p__io is the per-entry substream created by the parent list; the parent
    // keeps it alive for as long as this entry exists.
    m__root = p__root;
    m__parent = p__parent;
    _read();
}
void efivar_signature_list_t::signature_data_t::_read() {
    // Order matters: the 16-byte SignatureOwner GUID comes first, and the
    // payload is whatever remains of the entry's substream.
    kaitai::kstream* const io = m__io;
    m_owner = io->read_bytes(16);
    m_data = io->read_bytes_full();
}
// Delegates to _clean_up(); owner and data are plain std::string members.
efivar_signature_list_t::signature_data_t::~signature_data_t() { _clean_up(); }
void efivar_signature_list_t::signature_data_t::_clean_up() {
    // Nothing to release: this type owns no heap resources of its own.
}
efivar_signature_list_t::efi_var_attr_t::efi_var_attr_t(kaitai::kstream* p__io, efivar_signature_list_t* p__parent, efivar_signature_list_t* p__root) : kaitai::kstruct(p__io) {
    // Reads the 32-bit attribute word straight from the variable stream.
    m__root = p__root;
    m__parent = p__parent;
    _read();
}
void efivar_signature_list_t::efi_var_attr_t::_read() {
    // The attribute word is consumed bit by bit, most significant bit of the
    // first byte first. The flags are therefore the 0x80 .. 0x01 bits of the
    // low byte of the little-endian UINT32 attributes value, in this order;
    // the remaining 24 bits are kept as reserved1.
    kaitai::kstream* const io = m__io;
    m_enhanced_authenticated_access = io->read_bits_int_be(1);           // 0x80
    m_append_write = io->read_bits_int_be(1);                            // 0x40
    m_time_based_authenticated_write_access = io->read_bits_int_be(1);   // 0x20
    m_authenticated_write_access = io->read_bits_int_be(1);              // 0x10
    m_hardware_error_record = io->read_bits_int_be(1);                   // 0x08
    m_runtime_access = io->read_bits_int_be(1);                          // 0x04
    m_bootservice_access = io->read_bits_int_be(1);                      // 0x02
    m_non_volatile = io->read_bits_int_be(1);                            // 0x01
    m_reserved1 = io->read_bits_int_be(24);                              // bytes 1..3
}
// Delegates to _clean_up(); the flag members need no release.
efivar_signature_list_t::efi_var_attr_t::~efi_var_attr_t() { _clean_up(); }
void efivar_signature_list_t::efi_var_attr_t::_clean_up() {
    // Nothing to release: only scalar members.
}