UEFI Variable with Signature List: C++11/STL parsing library

Parse UEFI variables db and dbx that contain signatures, certificates and hashes. On a Linux system using UEFI, these variables are readable from /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f, /sys/firmware/efi/efivars/dbDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c, /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f and /sys/firmware/efi/efivars/dbxDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c. ("d719b2cb-3d3a-4596-a3bc-dad00e67656f" is defined as EFI_IMAGE_SECURITY_DATABASE_GUID and "8be4df61-93ca-11d2-aa0d-00e098032b8c" as EFI_GLOBAL_VARIABLE). Each file contains an EFI attribute (32-bit integer) followed by a list of EFI_SIGNATURE_LIST structures.

KS implementation details

License: CC0-1.0

References

This page hosts a formal specification of UEFI Variable with Signature List using Kaitai Struct. This specification can be automatically translated into a variety of programming languages to get a parsing library.

Usage

Runtime library

All parsing code for C++11/STL generated by Kaitai Struct depends on the C++/STL runtime library. You have to install it before you can parse data.

For C++, the easiest way is to clone the runtime library sources and build them along with your project.

Code

Using Kaitai Struct in C++/STL usually consists of 3 steps.

  1. We need to create an STL input stream (std::istream). One can open a local file for that, or use an existing std::string or char* buffer.
    #include <fstream>
    
    std::ifstream is("path/to/local/file.efivar_signature_list", std::ifstream::binary);
    
    #include <sstream>
    
    std::istringstream is(str);
    
    #include <sstream>
    
    const char buf[] = { ... };
    std::string str(buf, sizeof buf);
    std::istringstream is(str);
    
  2. We need to wrap our input stream into a Kaitai stream:
    #include "kaitai/kaitaistream.h"
    
    kaitai::kstream ks(&is);
    
  3. And finally, we can invoke the parsing:
    efivar_signature_list_t data(&ks);
    

After that, one can get various attributes from the structure by invoking getter methods like:

data.var_attributes() // => Attributes of the UEFI variable

C++11/STL source code to parse UEFI Variable with Signature List

efivar_signature_list.h

#pragma once

// This is a generated file! Please edit source .ksy file and use kaitai-struct-compiler to rebuild

#include "kaitai/kaitaistruct.h"
#include <stdint.h>
#include <memory>
#include <vector>

#if KAITAI_STRUCT_VERSION < 9000L
#error "Incompatible Kaitai Struct C++/STL API: version 0.9 or later is required"
#endif

/**
 * Parse UEFI variables db and dbx that contain signatures, certificates and
 * hashes. On a Linux system using UEFI, these variables are readable from
 * /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f,
 * /sys/firmware/efi/efivars/dbDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c,
 * /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f and
 * /sys/firmware/efi/efivars/dbxDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c.
 * ("d719b2cb-3d3a-4596-a3bc-dad00e67656f" is defined as
 * EFI_IMAGE_SECURITY_DATABASE_GUID and "8be4df61-93ca-11d2-aa0d-00e098032b8c"
 * as EFI_GLOBAL_VARIABLE).
 * Each file contains an EFI attribute (32-bit integer) followed by a list of
 * EFI_SIGNATURE_LIST structures.
 * \sa https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf Source
 */

class efivar_signature_list_t : public kaitai::kstruct {

public:
    class signature_list_t;
    class signature_data_t;
    class efi_var_attr_t;

    /**
     * Parses the whole variable eagerly from p__io (the constructor calls _read()).
     * \param p__io     stream positioned at the start of the variable contents
     * \param p__parent optional enclosing structure (none when used standalone)
     * \param p__root   accepted for signature uniformity; the root of a
     *                  top-level object is the object itself
     */
    efivar_signature_list_t(kaitai::kstream* p__io, kaitai::kstruct* p__parent = nullptr, efivar_signature_list_t* p__root = nullptr);

private:
    void _read();
    void _clean_up();

public:
    ~efivar_signature_list_t();

    /**
     * \sa EFI_SIGNATURE_LIST
     */

    class signature_list_t : public kaitai::kstruct {

    public:

        /**
         * Reads one EFI_SIGNATURE_LIST from p__io; the list's entries are
         * parsed into signature_data_t objects at construction time.
         */
        signature_list_t(kaitai::kstream* p__io, efivar_signature_list_t* p__parent = nullptr, efivar_signature_list_t* p__root = nullptr);

    private:
        void _read();
        void _clean_up();

    public:
        ~signature_list_t();

    // Each is_cert_* query is lazily evaluated and memoised: the f_ flag records
    // whether the comparison has been done, the m_ member holds its result.
    private:
        bool f_is_cert_sha512_x509;
        bool m_is_cert_sha512_x509;

    public:

        /**
         * SHA512 hash of an X.509 certificate's To-Be-Signed contents, and a time of revocation
         * \sa EFI_CERT_X509_SHA512_GUID
         */
        bool is_cert_sha512_x509();

    private:
        bool f_is_cert_sha224;
        bool m_is_cert_sha224;

    public:

        /**
         * SHA-224 hash
         * \sa EFI_CERT_SHA224_GUID
         */
        bool is_cert_sha224();

    private:
        bool f_is_cert_x509;
        bool m_is_cert_x509;

    public:

        /**
         * X.509 certificate
         * \sa EFI_CERT_X509_GUID
         */
        bool is_cert_x509();

    private:
        bool f_is_cert_sha256_x509;
        bool m_is_cert_sha256_x509;

    public:

        /**
         * SHA256 hash of an X.509 certificate's To-Be-Signed contents, and a time of revocation
         * \sa EFI_CERT_X509_SHA256_GUID
         */
        bool is_cert_sha256_x509();

    private:
        bool f_is_cert_rsa2048_key;
        bool m_is_cert_rsa2048_key;

    public:

        /**
         * RSA-2048 key (only the modulus since the public key exponent is known to be 0x10001)
         * \sa EFI_CERT_RSA2048_GUID
         */
        bool is_cert_rsa2048_key();

    private:
        bool f_is_cert_sha512;
        bool m_is_cert_sha512;

    public:

        /**
         * SHA-512 hash
         * \sa EFI_CERT_SHA512_GUID
         */
        bool is_cert_sha512();

    private:
        bool f_is_cert_sha384;
        bool m_is_cert_sha384;

    public:

        /**
         * SHA-384 hash
         * \sa EFI_CERT_SHA384_GUID
         */
        bool is_cert_sha384();

    private:
        bool f_is_cert_sha1;
        bool m_is_cert_sha1;

    public:

        /**
         * SHA-1 hash
         * \sa EFI_CERT_SHA1_GUID
         */
        bool is_cert_sha1();

    private:
        bool f_is_cert_rsa2048_sha1;
        bool m_is_cert_rsa2048_sha1;

    public:

        /**
         * RSA-2048 signature of a SHA-1 hash
         * \sa EFI_CERT_RSA2048_SHA1_GUID
         */
        bool is_cert_rsa2048_sha1();

    private:
        bool f_is_cert_sha256;
        bool m_is_cert_sha256;

    public:

        /**
         * SHA-256 hash
         * \sa EFI_CERT_SHA256_GUID
         */
        bool is_cert_sha256();

    private:
        bool f_is_cert_sha384_x509;
        bool m_is_cert_sha384_x509;

    public:

        /**
         * SHA384 hash of an X.509 certificate's To-Be-Signed contents, and a time of revocation
         * \sa EFI_CERT_X509_SHA384_GUID
         */
        bool is_cert_sha384_x509();

    private:
        bool f_is_cert_rsa2048_sha256;
        bool m_is_cert_rsa2048_sha256;

    public:

        /**
         * RSA-2048 signature of a SHA-256 hash
         * \sa EFI_CERT_RSA2048_SHA256_GUID
         */
        bool is_cert_rsa2048_sha256();

    private:
        bool f_is_cert_der_pkcs7;
        bool m_is_cert_der_pkcs7;

    public:

        /**
         * DER-encoded PKCS #7 version 1.5 [RFC2315]
         * \sa EFI_CERT_TYPE_PKCS7_GUID
         */
        bool is_cert_der_pkcs7();

    private:
        std::string m_signature_type;          // 16 raw GUID bytes as stored on disk
        uint32_t m_len_signature_list;         // from the variable contents; untrusted
        uint32_t m_len_signature_header;       // from the variable contents; untrusted
        uint32_t m_len_signature;              // from the variable contents; untrusted
        std::string m_header;
        std::unique_ptr<std::vector<std::unique_ptr<signature_data_t>>> m_signatures;
        bool n_signatures;                     // true when len_signature == 0 and no entries were parsed

    public:
        /// True when signatures() is null, i.e. the list declared a zero signature size.
        bool _is_null_signatures() { signatures(); return n_signatures; };

    private:
        efivar_signature_list_t* m__root;
        efivar_signature_list_t* m__parent;
        std::unique_ptr<std::vector<std::string>> m__raw_signatures;
        // NOTE(review): not assigned anywhere in the accompanying .cpp, so
        // _is_null__raw_signatures() reads an indeterminate value; use
        // _is_null_signatures() instead, which tracks the same condition.
        bool n__raw_signatures;

    public:
        bool _is_null__raw_signatures() { _raw_signatures(); return n__raw_signatures; };

    private:
        std::unique_ptr<std::vector<std::unique_ptr<kaitai::kstream>>> m__io__raw_signatures;

    public:

        /**
         * Type of the signature as a GUID
         * (16 raw bytes in on-disk order; returned by value, i.e. copied)
         */
        std::string signature_type() const { return m_signature_type; }

        /**
         * Total size of the signature list, including this header
         */
        uint32_t len_signature_list() const { return m_len_signature_list; }

        /**
         * Size of the signature header which precedes the array of signatures
         */
        uint32_t len_signature_header() const { return m_len_signature_header; }

        /**
         * Size of each signature
         */
        uint32_t len_signature() const { return m_len_signature; }

        /**
         * Header before the array of signatures
         */
        std::string header() const { return m_header; }

        /**
         * An array of signatures
         * (null when len_signature() == 0; see _is_null_signatures())
         */
        std::vector<std::unique_ptr<signature_data_t>>* signatures() const { return m_signatures.get(); }
        efivar_signature_list_t* _root() const { return m__root; }
        efivar_signature_list_t* _parent() const { return m__parent; }
        /// Raw bytes of each entry, len_signature() bytes apiece, in list order.
        std::vector<std::string>* _raw_signatures() const { return m__raw_signatures.get(); }
        /// Per-entry sub-streams each signature_data_t was parsed from.
        std::vector<std::unique_ptr<kaitai::kstream>>* _io__raw_signatures() const { return m__io__raw_signatures.get(); }
    };

    /**
     * \sa EFI_SIGNATURE_DATA
     */

    class signature_data_t : public kaitai::kstruct {

    public:

        /**
         * Reads one EFI_SIGNATURE_DATA entry; p__io is the per-entry sub-stream
         * created by the enclosing signature_list_t.
         */
        signature_data_t(kaitai::kstream* p__io, efivar_signature_list_t::signature_list_t* p__parent = nullptr, efivar_signature_list_t* p__root = nullptr);

    private:
        void _read();
        void _clean_up();

    public:
        ~signature_data_t();

    private:
        std::string m_owner;   // 16-byte SignatureOwner GUID, raw on-disk bytes
        std::string m_data;    // remainder of the entry
        efivar_signature_list_t* m__root;
        efivar_signature_list_t::signature_list_t* m__parent;

    public:

        /**
         * An identifier which identifies the agent which added the signature to the list
         */
        std::string owner() const { return m_owner; }

        /**
         * The format of the signature is defined by the SignatureType.
         * (Opaque bytes: hash, key, certificate or signature depending on the
         * parent list's is_cert_* result. Not validated here.)
         */
        std::string data() const { return m_data; }
        efivar_signature_list_t* _root() const { return m__root; }
        efivar_signature_list_t::signature_list_t* _parent() const { return m__parent; }
    };

    /**
     * Attributes of a UEFI variable
     */

    class efi_var_attr_t : public kaitai::kstruct {

    public:

        /**
         * Reads the 32-bit attribute word that precedes the signature lists.
         */
        efi_var_attr_t(kaitai::kstream* p__io, efivar_signature_list_t* p__parent = nullptr, efivar_signature_list_t* p__root = nullptr);

    private:
        void _read();
        void _clean_up();

    public:
        ~efi_var_attr_t();

    private:
        // One bit each, read most-significant-bit first from the first byte.
        bool m_enhanced_authenticated_access;
        bool m_append_write;
        bool m_time_based_authenticated_write_access;
        bool m_authenticated_write_access;
        bool m_hardware_error_record;
        bool m_runtime_access;
        bool m_bootservice_access;
        bool m_non_volatile;
        uint64_t m_reserved1;   // the remaining 24 bits
        efivar_signature_list_t* m__root;
        efivar_signature_list_t* m__parent;

    public:
        // Each accessor corresponds to the like-named EFI_VARIABLE_* attribute flag.
        bool enhanced_authenticated_access() const { return m_enhanced_authenticated_access; }
        bool append_write() const { return m_append_write; }
        bool time_based_authenticated_write_access() const { return m_time_based_authenticated_write_access; }
        bool authenticated_write_access() const { return m_authenticated_write_access; }
        bool hardware_error_record() const { return m_hardware_error_record; }
        bool runtime_access() const { return m_runtime_access; }
        bool bootservice_access() const { return m_bootservice_access; }
        bool non_volatile() const { return m_non_volatile; }

        /**
         * Reserved (unused) bits
         */
        uint64_t reserved1() const { return m_reserved1; }
        efivar_signature_list_t* _root() const { return m__root; }
        efivar_signature_list_t* _parent() const { return m__parent; }
    };

private:
    std::unique_ptr<efi_var_attr_t> m_var_attributes;
    std::unique_ptr<std::vector<std::unique_ptr<signature_list_t>>> m_signatures;
    efivar_signature_list_t* m__root;
    kaitai::kstruct* m__parent;

public:

    /**
     * Attributes of the UEFI variable
     */
    efi_var_attr_t* var_attributes() const { return m_var_attributes.get(); }
    /// All EFI_SIGNATURE_LIST structures, in file order, up to end of stream.
    std::vector<std::unique_ptr<signature_list_t>>* signatures() const { return m_signatures.get(); }
    efivar_signature_list_t* _root() const { return m__root; }
    kaitai::kstruct* _parent() const { return m__parent; }
};

efivar_signature_list.cpp

// This is a generated file! Please edit source .ksy file and use kaitai-struct-compiler to rebuild

#include "efivar_signature_list.h"

#include <stdexcept>

/**
 * Top-level constructor: parses the whole variable from p__io immediately.
 * The root of a top-level object is the object itself, so p__root is
 * accepted only for signature uniformity with the nested types and ignored.
 */
efivar_signature_list_t::efivar_signature_list_t(kaitai::kstream* p__io, kaitai::kstruct* p__parent, efivar_signature_list_t* p__root) :
    kaitai::kstruct(p__io),
    m_var_attributes(nullptr),
    m_signatures(nullptr),
    m__root(this),
    m__parent(p__parent) {
    // Eager parse: whatever the stream reports while reading surfaces from here.
    _read();
}

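/**
 * Parses the variable: a 32-bit attribute word followed by EFI_SIGNATURE_LIST
 * structures repeated until the end of the stream.
 *
 * There is no count prefix, so the loop is bounded only by is_eof(); each
 * signature_list_t consumes its own bytes from the shared stream, and a list
 * whose header cannot be read in full presumably ends parsing with the
 * stream's own error. The loop counter emitted by the generator was unused
 * and has been dropped.
 */
void efivar_signature_list_t::_read() {
    m_var_attributes = std::unique_ptr<efi_var_attr_t>(new efi_var_attr_t(m__io, this, m__root));
    m_signatures = std::unique_ptr<std::vector<std::unique_ptr<signature_list_t>>>(new std::vector<std::unique_ptr<signature_list_t>>());
    while (!m__io->is_eof()) {
        m_signatures->push_back(std::unique_ptr<signature_list_t>(new signature_list_t(m__io, this, m__root)));
    }
}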

// Delegates to _clean_up(); the owned sub-objects are released afterwards by
// the std::unique_ptr members' own destructors.
efivar_signature_list_t::~efivar_signature_list_t() {
    _clean_up();
}

// Nothing to release by hand: every resource is held by a std::unique_ptr.
void efivar_signature_list_t::_clean_up() {
}

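/**
 * Constructs and immediately parses one EFI_SIGNATURE_LIST from p__io.
 *
 * Every member that an accessor can observe is initialised here. In
 * particular n_signatures and n__raw_signatures start out true ("no entries")
 * so that _is_null_signatures() / _is_null__raw_signatures() never read an
 * indeterminate bool; the generated code left n__raw_signatures unassigned.
 * Members are listed in declaration order to match the class layout.
 */
efivar_signature_list_t::signature_list_t::signature_list_t(kaitai::kstream* p__io, efivar_signature_list_t* p__parent, efivar_signature_list_t* p__root) :
    kaitai::kstruct(p__io),
    // f_* flags: "is the memoised is_cert_* value computed yet" — all false at start.
    f_is_cert_sha512_x509(false),
    f_is_cert_sha224(false),
    f_is_cert_x509(false),
    f_is_cert_sha256_x509(false),
    f_is_cert_rsa2048_key(false),
    f_is_cert_sha512(false),
    f_is_cert_sha384(false),
    f_is_cert_sha1(false),
    f_is_cert_rsa2048_sha1(false),
    f_is_cert_sha256(false),
    f_is_cert_sha384_x509(false),
    f_is_cert_rsa2048_sha256(false),
    f_is_cert_der_pkcs7(false),
    m_signatures(nullptr),
    n_signatures(true),
    m__root(p__root),
    m__parent(p__parent),
    m__raw_signatures(nullptr),
    n__raw_signatures(true),
    m__io__raw_signatures(nullptr) {
    _read();
}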

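/**
 * Parses one EFI_SIGNATURE_LIST: a 16-byte SignatureType GUID, three
 * little-endian uint32 sizes, an optional SignatureHeader of
 * len_signature_header bytes, then the array of EFI_SIGNATURE_DATA entries,
 * each exactly len_signature bytes long.
 *
 * The three sizes come straight from the variable contents and are treated
 * as untrusted. Before the entry count is derived, the list size is checked
 * against the header sizes (so the unsigned subtraction cannot wrap to a
 * huge count) and against the bytes remaining in the stream (so a bogus
 * size cannot drive an enormous reserve()). Both n_signatures and
 * n__raw_signatures are maintained, since both have public _is_null_ queries.
 *
 * \throws std::runtime_error when the declared sizes are inconsistent with
 *         each other or with the stream length.
 */
void efivar_signature_list_t::signature_list_t::_read() {
    // Fixed part of the header: 16-byte GUID + 3 * uint32 sizes.
    const uint64_t kFixedHeaderLen = 28;
    m_signature_type = m__io->read_bytes(16);
    m_len_signature_list = m__io->read_u4le();
    m_len_signature_header = m__io->read_u4le();
    m_len_signature = m__io->read_u4le();
    m_header = m__io->read_bytes(len_signature_header());
    n_signatures = true;
    n__raw_signatures = true;
    if (len_signature() > 0) {
        n_signatures = false;
        n__raw_signatures = false;
        // 64-bit arithmetic: no intermediate can wrap for any uint32 inputs.
        const uint64_t header_total = kFixedHeaderLen + len_signature_header();
        if (len_signature_list() < header_total) {
            throw std::runtime_error("efivar_signature_list: len_signature_list is smaller than its own headers");
        }
        const uint64_t payload_len = len_signature_list() - header_total;
        if (payload_len > m__io->size() - m__io->pos()) {
            throw std::runtime_error("efivar_signature_list: signature list extends past the end of the stream");
        }
        // As in the generated code, a payload that is not a whole number of
        // signatures is floor-divided and the trailing bytes are left unread.
        const size_t l_signatures = static_cast<size_t>(payload_len / len_signature());
        m__raw_signatures = std::unique_ptr<std::vector<std::string>>(new std::vector<std::string>());
        m__raw_signatures->reserve(l_signatures);
        m__io__raw_signatures = std::unique_ptr<std::vector<std::unique_ptr<kaitai::kstream>>>(new std::vector<std::unique_ptr<kaitai::kstream>>());
        m__io__raw_signatures->reserve(l_signatures);
        m_signatures = std::unique_ptr<std::vector<std::unique_ptr<signature_data_t>>>(new std::vector<std::unique_ptr<signature_data_t>>());
        m_signatures->reserve(l_signatures);
        for (size_t i = 0; i < l_signatures; i++) {
            m__raw_signatures->push_back(m__io->read_bytes(len_signature()));
            // A sub-stream over the bytes just stored; each entry is parsed from it
            // in isolation so one entry cannot read into its neighbour.
            kaitai::kstream* io__raw_signatures = new kaitai::kstream(m__raw_signatures->at(m__raw_signatures->size() - 1));
            m__io__raw_signatures->emplace_back(io__raw_signatures);
            m_signatures->push_back(std::unique_ptr<signature_data_t>(new signature_data_t(io__raw_signatures, this, m__root)));
        }
    }
}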

// Delegates to _clean_up(); the entry objects, raw byte strings and
// sub-streams are then freed by the std::unique_ptr members themselves.
efivar_signature_list_t::signature_list_t::~signature_list_t() {
    _clean_up();
}

// Nothing to release by hand: the vectors allocated in _read() are owned by
// std::unique_ptr members. The empty branch is keyed on n_signatures, which is
// false exactly when _read() allocated them (len_signature > 0).
void efivar_signature_list_t::signature_list_t::_clean_up() {
    if (!n_signatures) {
    }
}

/// True when SignatureType is EFI_CERT_X509_SHA512_GUID. The 16 bytes are the
/// GUID in its on-disk (mixed-endian EFI_GUID) encoding, so the comparison is a
/// raw byte match; the result is computed once and memoised.
bool efivar_signature_list_t::signature_list_t::is_cert_sha512_x509() {
    if (!f_is_cert_sha512_x509) {
        const std::string expected("\x63\xBF\x6D\x44\x02\x25\xDA\x4C\xBC\xFA\x24\x65\xD2\xB0\xFE\x9D", 16);
        m_is_cert_sha512_x509 = (m_signature_type == expected);
        f_is_cert_sha512_x509 = true;
    }
    return m_is_cert_sha512_x509;
}

/// True when SignatureType is EFI_CERT_SHA224_GUID (raw on-disk GUID bytes,
/// compared once and memoised).
bool efivar_signature_list_t::signature_list_t::is_cert_sha224() {
    if (!f_is_cert_sha224) {
        const std::string expected("\x33\x52\x6E\x0B\x5C\xA6\xC9\x44\x94\x07\xD9\xAB\x83\xBF\xC8\xBD", 16);
        m_is_cert_sha224 = (m_signature_type == expected);
        f_is_cert_sha224 = true;
    }
    return m_is_cert_sha224;
}

/// True when SignatureType is EFI_CERT_X509_GUID (raw on-disk GUID bytes,
/// compared once and memoised). Entries of such a list carry a DER certificate.
bool efivar_signature_list_t::signature_list_t::is_cert_x509() {
    if (!f_is_cert_x509) {
        const std::string expected("\xA1\x59\xC0\xA5\xE4\x94\xA7\x4A\x87\xB5\xAB\x15\x5C\x2B\xF0\x72", 16);
        m_is_cert_x509 = (m_signature_type == expected);
        f_is_cert_x509 = true;
    }
    return m_is_cert_x509;
}

/// True when SignatureType is EFI_CERT_X509_SHA256_GUID (raw on-disk GUID
/// bytes, compared once and memoised).
bool efivar_signature_list_t::signature_list_t::is_cert_sha256_x509() {
    if (!f_is_cert_sha256_x509) {
        const std::string expected("\x92\xA4\xD2\x3B\xC0\x96\x79\x40\xB4\x20\xFC\xF9\x8E\xF1\x03\xED", 16);
        m_is_cert_sha256_x509 = (m_signature_type == expected);
        f_is_cert_sha256_x509 = true;
    }
    return m_is_cert_sha256_x509;
}

/// True when SignatureType is EFI_CERT_RSA2048_GUID (raw on-disk GUID bytes,
/// compared once and memoised).
bool efivar_signature_list_t::signature_list_t::is_cert_rsa2048_key() {
    if (!f_is_cert_rsa2048_key) {
        const std::string expected("\xE8\x66\x57\x3C\x9C\x26\x34\x4E\xAA\x14\xED\x77\x6E\x85\xB3\xB6", 16);
        m_is_cert_rsa2048_key = (m_signature_type == expected);
        f_is_cert_rsa2048_key = true;
    }
    return m_is_cert_rsa2048_key;
}

/// True when SignatureType is EFI_CERT_SHA512_GUID (raw on-disk GUID bytes,
/// compared once and memoised).
bool efivar_signature_list_t::signature_list_t::is_cert_sha512() {
    if (!f_is_cert_sha512) {
        const std::string expected("\xAE\x0F\x3E\x09\xC4\xA6\x50\x4F\x9F\x1B\xD4\x1E\x2B\x89\xC1\x9A", 16);
        m_is_cert_sha512 = (m_signature_type == expected);
        f_is_cert_sha512 = true;
    }
    return m_is_cert_sha512;
}

/// True when SignatureType is EFI_CERT_SHA384_GUID (raw on-disk GUID bytes,
/// compared once and memoised).
bool efivar_signature_list_t::signature_list_t::is_cert_sha384() {
    if (!f_is_cert_sha384) {
        const std::string expected("\x07\x53\x3E\xFF\xD0\x9F\xC9\x48\x85\xF1\x8A\xD5\x6C\x70\x1E\x01", 16);
        m_is_cert_sha384 = (m_signature_type == expected);
        f_is_cert_sha384 = true;
    }
    return m_is_cert_sha384;
}

/// True when SignatureType is EFI_CERT_SHA1_GUID (raw on-disk GUID bytes,
/// compared once and memoised).
bool efivar_signature_list_t::signature_list_t::is_cert_sha1() {
    if (!f_is_cert_sha1) {
        const std::string expected("\x12\xA5\x6C\x82\x10\xCF\xC9\x4A\xB1\x87\xBE\x01\x49\x66\x31\xBD", 16);
        m_is_cert_sha1 = (m_signature_type == expected);
        f_is_cert_sha1 = true;
    }
    return m_is_cert_sha1;
}

/// True when SignatureType is EFI_CERT_RSA2048_SHA1_GUID (raw on-disk GUID
/// bytes, compared once and memoised).
bool efivar_signature_list_t::signature_list_t::is_cert_rsa2048_sha1() {
    if (!f_is_cert_rsa2048_sha1) {
        const std::string expected("\x4F\x44\xF8\x67\x43\x87\xF1\x48\xA3\x28\x1E\xAA\xB8\x73\x60\x80", 16);
        m_is_cert_rsa2048_sha1 = (m_signature_type == expected);
        f_is_cert_rsa2048_sha1 = true;
    }
    return m_is_cert_rsa2048_sha1;
}

/// True when SignatureType is EFI_CERT_SHA256_GUID (raw on-disk GUID bytes,
/// compared once and memoised). This is the usual type for dbx hash entries.
bool efivar_signature_list_t::signature_list_t::is_cert_sha256() {
    if (!f_is_cert_sha256) {
        const std::string expected("\x26\x16\xC4\xC1\x4C\x50\x92\x40\xAC\xA9\x41\xF9\x36\x93\x43\x28", 16);
        m_is_cert_sha256 = (m_signature_type == expected);
        f_is_cert_sha256 = true;
    }
    return m_is_cert_sha256;
}

/// True when SignatureType is EFI_CERT_X509_SHA384_GUID (raw on-disk GUID
/// bytes, compared once and memoised).
bool efivar_signature_list_t::signature_list_t::is_cert_sha384_x509() {
    if (!f_is_cert_sha384_x509) {
        const std::string expected("\x6E\x87\x76\x70\xC2\x80\xE6\x4E\xAA\xD2\x28\xB3\x49\xA6\x86\x5B", 16);
        m_is_cert_sha384_x509 = (m_signature_type == expected);
        f_is_cert_sha384_x509 = true;
    }
    return m_is_cert_sha384_x509;
}

/// True when SignatureType is EFI_CERT_RSA2048_SHA256_GUID (raw on-disk GUID
/// bytes, compared once and memoised).
bool efivar_signature_list_t::signature_list_t::is_cert_rsa2048_sha256() {
    if (!f_is_cert_rsa2048_sha256) {
        const std::string expected("\x90\x61\xB3\xE2\x9B\x87\x3D\x4A\xAD\x8D\xF2\xE7\xBB\xA3\x27\x84", 16);
        m_is_cert_rsa2048_sha256 = (m_signature_type == expected);
        f_is_cert_rsa2048_sha256 = true;
    }
    return m_is_cert_rsa2048_sha256;
}

/// True when SignatureType is EFI_CERT_TYPE_PKCS7_GUID (raw on-disk GUID bytes,
/// compared once and memoised).
bool efivar_signature_list_t::signature_list_t::is_cert_der_pkcs7() {
    if (!f_is_cert_der_pkcs7) {
        const std::string expected("\x9D\xD2\xAF\x4A\xDF\x68\xEE\x49\x8A\xA9\x34\x7D\x37\x56\x65\xA7", 16);
        m_is_cert_der_pkcs7 = (m_signature_type == expected);
        f_is_cert_der_pkcs7 = true;
    }
    return m_is_cert_der_pkcs7;
}

/**
 * Constructs one EFI_SIGNATURE_DATA entry and parses it at once from p__io,
 * which is the per-entry sub-stream created by the enclosing signature_list_t.
 */
efivar_signature_list_t::signature_data_t::signature_data_t(kaitai::kstream* p__io, efivar_signature_list_t::signature_list_t* p__parent, efivar_signature_list_t* p__root) :
    kaitai::kstruct(p__io),
    m__root(p__root),
    m__parent(p__parent) {
    _read();
}

/// EFI_SIGNATURE_DATA: a 16-byte SignatureOwner GUID followed by SignatureData,
/// which runs to the end of the per-entry sub-stream; the entry length is fixed
/// by the enclosing list's len_signature rather than stored here. The payload
/// is kept as opaque bytes and is not validated against the list's type.
void efivar_signature_list_t::signature_data_t::_read() {
    kaitai::kstream& io = *m__io;
    m_owner = io.read_bytes(16);
    m_data = io.read_bytes_full();
}

// Delegates to _clean_up(); the two std::string members free themselves.
efivar_signature_list_t::signature_data_t::~signature_data_t() {
    _clean_up();
}

// Nothing to release by hand: this type owns no raw resources.
void efivar_signature_list_t::signature_data_t::_clean_up() {
}

/**
 * Constructs the attribute word object and reads its 32 bits from p__io
 * straight away.
 */
efivar_signature_list_t::efi_var_attr_t::efi_var_attr_t(kaitai::kstream* p__io, efivar_signature_list_t* p__parent, efivar_signature_list_t* p__root) :
    kaitai::kstruct(p__io),
    m__root(p__root),
    m__parent(p__parent) {
    _read();
}

/**
 * Reads the 32-bit attribute word one flag at a time.
 *
 * read_bits_int_be consumes bits most-significant first, so the eight
 * single-bit reads walk the first byte from bit 7 down to bit 0: the first
 * flag read is bit 7 and non_volatile is bit 0. That is the EFI_VARIABLE_*
 * bit layout of the low byte of the little-endian attribute word. The
 * remaining 24 bits are kept verbatim as reserved1.
 */
void efivar_signature_list_t::efi_var_attr_t::_read() {
    kaitai::kstream& io = *m__io;
    m_enhanced_authenticated_access = io.read_bits_int_be(1) != 0;        // bit 7
    m_append_write = io.read_bits_int_be(1) != 0;                         // bit 6
    m_time_based_authenticated_write_access = io.read_bits_int_be(1) != 0; // bit 5
    m_authenticated_write_access = io.read_bits_int_be(1) != 0;           // bit 4
    m_hardware_error_record = io.read_bits_int_be(1) != 0;                // bit 3
    m_runtime_access = io.read_bits_int_be(1) != 0;                       // bit 2
    m_bootservice_access = io.read_bits_int_be(1) != 0;                   // bit 1
    m_non_volatile = io.read_bits_int_be(1) != 0;                         // bit 0
    m_reserved1 = io.read_bits_int_be(24);
}

// Delegates to _clean_up(); this type holds only plain scalars.
efivar_signature_list_t::efi_var_attr_t::~efi_var_attr_t() {
    _clean_up();
}

// Nothing to release by hand: this type owns no raw resources.
void efivar_signature_list_t::efi_var_attr_t::_clean_up() {
}