Parse UEFI variables db and dbx that contain signatures, certificates and hashes. On a Linux system using UEFI, these variables are readable from /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f, /sys/firmware/efi/efivars/dbDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c, /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f and /sys/firmware/efi/efivars/dbxDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c. ("d719b2cb-3d3a-4596-a3bc-dad00e67656f" is defined as EFI_IMAGE_SECURITY_DATABASE_GUID and "8be4df61-93ca-11d2-aa0d-00e098032b8c" as EFI_GLOBAL_VARIABLE). Each file contains an EFI attribute (32-bit integer) followed by a list of EFI_SIGNATURE_LIST structures.
This page hosts a formal specification, written in Kaitai Struct, of a UEFI variable that holds a signature list. The specification can be automatically translated into a variety of programming languages to produce a parsing library.
# This is a generated file! Please edit source .ksy file and use kaitai-struct-compiler to rebuild
use strict;
use warnings;
use IO::KaitaiStruct 0.009_000;
########################################################################
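package EfivarSignatureList;
# Root type: the contents of one efivarfs file — a 32-bit attribute word
# followed by EFI_SIGNATURE_LIST structures up to the end of the data.
our @ISA = 'IO::KaitaiStruct::Struct';

# Opens $filename in binary mode and parses it as a signature-list variable.
# Returns the parsed object, or undef when the file cannot be opened
# ($! holds the open error). The scalar undef is kept on purpose: existing
# callers test the scalar result of this generated constructor.
sub from_file {
    my ($class, $filename) = @_;
    open(my $fd, '<', $filename) or return undef;
    binmode($fd);
    return $class->new(IO::KaitaiStruct::Stream->new($fd));
}

# Constructor shared by all types in this file: wraps the stream, records
# the parent/root links and parses immediately.
#   $_io     - IO::KaitaiStruct::Stream positioned at the structure
#   $_parent - enclosing structure (undef for the root)
#   $_root   - root structure (defaults to $self)
sub new {
    my ($class, $_io, $_parent, $_root) = @_;
    my $self = IO::KaitaiStruct::Struct->new($_io);
    bless $self, $class;
    $self->{_parent} = $_parent;
    $self->{_root} = $_root || $self;
    $self->_read();
    return $self;
}

# Parses the attribute word, then one signature list after another until the
# stream is exhausted.
# Fix over the generated code: 'signatures' is initialised to [] rather than
# to an empty list (which left the slot undef), so a variable that holds no
# lists yields an empty array ref instead of undef.
sub _read {
    my ($self) = @_;
    $self->{var_attributes} = EfivarSignatureList::EfiVarAttr->new($self->{_io}, $self, $self->{_root});
    $self->{signatures} = [];
    # Every list takes its sizes from the (untrusted) variable contents; a
    # truncated list is expected to fail inside the stream's read calls
    # rather than being skipped silently — confirm against IO::KaitaiStruct.
    until ($self->{_io}->is_eof()) {
        push @{ $self->{signatures} },
            EfivarSignatureList::SignatureList->new($self->{_io}, $self, $self->{_root});
    }
    return;
}

# EfivarSignatureList::EfiVarAttr with the variable's attribute flags.
sub var_attributes {
    my ($self) = @_;
    return $self->{var_attributes};
}

# Array ref of EfivarSignatureList::SignatureList, possibly empty.
sub signatures {
    my ($self) = @_;
    return $self->{signatures};
}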
########################################################################
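package EfivarSignatureList::SignatureList;
# EFI_SIGNATURE_LIST: a 16-byte SignatureType GUID, three u32 sizes, an
# optional SignatureHeader and then SignatureSize-byte EFI_SIGNATURE_DATA
# entries.
our @ISA = 'IO::KaitaiStruct::Struct';

# Size of the fixed part of EFI_SIGNATURE_LIST: 16-byte GUID + 3 x u32.
use constant FIXED_HEADER_SIZE => 28;

# SignatureType GUIDs from the UEFI specification, as the 16 raw bytes found
# in the variable (little-endian GUID encoding), keyed by the method that
# tests for them.
my %SIGNATURE_TYPE_GUID = (
    # EFI_CERT_SHA256_GUID c1c41626-504c-4092-aca9-41f936934328
    is_cert_sha256         => [ 38, 22, 196, 193, 76, 80, 146, 64, 172, 169, 65, 249, 54, 147, 67, 40 ],
    # EFI_CERT_RSA2048_GUID 3c5766e8-269c-4e34-aa14-ed776e85b3b6
    is_cert_rsa2048_key    => [ 232, 102, 87, 60, 156, 38, 52, 78, 170, 20, 237, 119, 110, 133, 179, 182 ],
    # EFI_CERT_RSA2048_SHA256_GUID e2b36190-879b-4a3d-ad8d-f2e7bba32784
    is_cert_rsa2048_sha256 => [ 144, 97, 179, 226, 155, 135, 61, 74, 173, 141, 242, 231, 187, 163, 39, 132 ],
    # EFI_CERT_SHA1_GUID 826ca512-cf10-4ac9-b187-be01496631bd
    is_cert_sha1           => [ 18, 165, 108, 130, 16, 207, 201, 74, 177, 135, 190, 1, 73, 102, 49, 189 ],
    # EFI_CERT_RSA2048_SHA1_GUID 67f8444f-8743-48f1-a328-1eaab8736080
    is_cert_rsa2048_sha1   => [ 79, 68, 248, 103, 67, 135, 241, 72, 163, 40, 30, 170, 184, 115, 96, 128 ],
    # EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072
    is_cert_x509           => [ 161, 89, 192, 165, 228, 148, 167, 74, 135, 181, 171, 21, 92, 43, 240, 114 ],
    # EFI_CERT_SHA224_GUID 0b6e5233-a65c-44c9-9407-d9ab83bfc8bd
    is_cert_sha224         => [ 51, 82, 110, 11, 92, 166, 201, 68, 148, 7, 217, 171, 131, 191, 200, 189 ],
    # EFI_CERT_SHA384_GUID ff3e5307-9fd0-48c9-85f1-8ad56c701e01
    is_cert_sha384         => [ 7, 83, 62, 255, 208, 159, 201, 72, 133, 241, 138, 213, 108, 112, 30, 1 ],
    # EFI_CERT_SHA512_GUID 093e0fae-a6c4-4f50-9f1b-d41e2b89c19a
    is_cert_sha512         => [ 174, 15, 62, 9, 196, 166, 80, 79, 159, 27, 212, 30, 43, 137, 193, 154 ],
    # EFI_CERT_X509_SHA256_GUID 3bd2a492-96c0-4079-b420-fcf98ef103ed
    is_cert_sha256_x509    => [ 146, 164, 210, 59, 192, 150, 121, 64, 180, 32, 252, 249, 142, 241, 3, 237 ],
    # EFI_CERT_X509_SHA384_GUID 7076876e-80c2-4ee6-aad2-28b349a6865b
    is_cert_sha384_x509    => [ 110, 135, 118, 112, 194, 128, 230, 78, 170, 210, 40, 179, 73, 166, 134, 91 ],
    # EFI_CERT_X509_SHA512_GUID 446dbf63-2502-4cda-bcfa-2465d2b0fe9d
    is_cert_sha512_x509    => [ 99, 191, 109, 68, 2, 37, 218, 76, 188, 250, 36, 101, 210, 176, 254, 157 ],
    # EFI_CERT_TYPE_PKCS7_GUID 4aafd29d-68df-49ee-8aa9-347d375665a7
    is_cert_der_pkcs7      => [ 157, 210, 175, 74, 223, 104, 238, 73, 138, 169, 52, 125, 55, 86, 101, 167 ],
);

# Opens $filename in binary mode and parses a single signature list from it.
# Returns the parsed object, or undef when the file cannot be opened ($! holds
# the open error); the scalar undef is kept for the generated callers.
sub from_file {
    my ($class, $filename) = @_;
    open(my $fd, '<', $filename) or return undef;
    binmode($fd);
    return $class->new(IO::KaitaiStruct::Stream->new($fd));
}

# Constructor: wraps the stream, records parent/root links and parses.
#   $_io     - IO::KaitaiStruct::Stream positioned at the list
#   $_parent - enclosing structure
#   $_root   - root structure (defaults to $self)
sub new {
    my ($class, $_io, $_parent, $_root) = @_;
    my $self = IO::KaitaiStruct::Struct->new($_io);
    bless $self, $class;
    $self->{_parent} = $_parent;
    $self->{_root} = $_root || $self;
    $self->_read();
    return $self;
}

# Parses the list header and its SignatureSize-byte entries.
# Fixes over the generated code: 'signatures' and '_raw_signatures' are
# always array refs (the original left them undef for an empty list and
# unset when SignatureSize was 0).
sub _read {
    my ($self) = @_;
    my $io = $self->{_io};
    $self->{signature_type}       = $io->read_bytes(16);
    $self->{len_signature_list}   = $io->read_u4le();   # SignatureListSize: whole list, this header included
    $self->{len_signature_header} = $io->read_u4le();   # SignatureHeaderSize
    $self->{len_signature}        = $io->read_u4le();   # SignatureSize: one entry, its 16-byte owner GUID included
    $self->{header}               = $io->read_bytes($self->len_signature_header());
    $self->{_raw_signatures} = [];
    $self->{signatures}      = [];
    # All three sizes come from the variable contents and are not trusted
    # beyond the arithmetic below: SignatureSize 0 would divide by zero and
    # a SignatureListSize smaller than the headers gives a non-positive
    # count, so both produce an empty list. Reads past the end of the data
    # are left to the stream to reject.
    return if $self->len_signature() <= 0;
    my $payload_size = $self->len_signature_list() - $self->len_signature_header() - FIXED_HEADER_SIZE;
    my $n_signatures = int($payload_size / $self->len_signature());
    # Only whole entries are consumed. The spec requires SignatureListSize
    # to equal 28 + SignatureHeaderSize + n * SignatureSize; any slack would
    # be left in the parent stream and misalign the next list.
    for my $i (0 .. $n_signatures - 1) {
        my $raw = $io->read_bytes($self->len_signature());
        push @{ $self->{_raw_signatures} }, $raw;
        my $entry_io = IO::KaitaiStruct::Stream->new($raw);
        push @{ $self->{signatures} },
            EfivarSignatureList::SignatureData->new($entry_io, $self, $self->{_root});
    }
    return;
}

# Compares signature_type with the GUID registered under $name and caches
# the result (true or false) in $self->{$name}. The generated code cached
# only true results and recomputed false ones on every call.
sub _is_signature_type {
    my ($self, $name) = @_;
    return $self->{$name} if exists $self->{$name};
    my $guid = pack('C*', @{ $SIGNATURE_TYPE_GUID{$name} });
    $self->{$name} = $self->signature_type() eq $guid;
    return $self->{$name};
}

# One predicate per SignatureType GUID known to the specification; each
# returns true iff signature_type is that GUID.
sub is_cert_sha512_x509    { return $_[0]->_is_signature_type('is_cert_sha512_x509'); }
sub is_cert_sha224         { return $_[0]->_is_signature_type('is_cert_sha224'); }
sub is_cert_x509           { return $_[0]->_is_signature_type('is_cert_x509'); }
sub is_cert_sha256_x509    { return $_[0]->_is_signature_type('is_cert_sha256_x509'); }
sub is_cert_rsa2048_key    { return $_[0]->_is_signature_type('is_cert_rsa2048_key'); }
sub is_cert_sha512         { return $_[0]->_is_signature_type('is_cert_sha512'); }
sub is_cert_sha384         { return $_[0]->_is_signature_type('is_cert_sha384'); }
sub is_cert_sha1           { return $_[0]->_is_signature_type('is_cert_sha1'); }
sub is_cert_rsa2048_sha1   { return $_[0]->_is_signature_type('is_cert_rsa2048_sha1'); }
sub is_cert_sha256         { return $_[0]->_is_signature_type('is_cert_sha256'); }
sub is_cert_sha384_x509    { return $_[0]->_is_signature_type('is_cert_sha384_x509'); }
sub is_cert_rsa2048_sha256 { return $_[0]->_is_signature_type('is_cert_rsa2048_sha256'); }
sub is_cert_der_pkcs7      { return $_[0]->_is_signature_type('is_cert_der_pkcs7'); }

# Raw 16-byte SignatureType GUID.
sub signature_type {
    my ($self) = @_;
    return $self->{signature_type};
}

# SignatureListSize as stored in the list (not validated against the data).
sub len_signature_list {
    my ($self) = @_;
    return $self->{len_signature_list};
}

# SignatureHeaderSize as stored in the list.
sub len_signature_header {
    my ($self) = @_;
    return $self->{len_signature_header};
}

# SignatureSize as stored in the list.
sub len_signature {
    my ($self) = @_;
    return $self->{len_signature};
}

# Raw SignatureHeader bytes (empty string when SignatureHeaderSize is 0).
sub header {
    my ($self) = @_;
    return $self->{header};
}

# Array ref of EfivarSignatureList::SignatureData, possibly empty.
sub signatures {
    my ($self) = @_;
    return $self->{signatures};
}

# Array ref of the raw bytes of each entry, parallel to signatures().
sub _raw_signatures {
    my ($self) = @_;
    return $self->{_raw_signatures};
}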
########################################################################
package EfivarSignatureList::SignatureData;
# EFI_SIGNATURE_DATA: a 16-byte SignatureOwner GUID followed by the
# signature payload (hash, certificate, ...) that fills the rest of the entry.
our @ISA = 'IO::KaitaiStruct::Struct';

# Opens $filename in binary mode and parses one entry from it.
# Returns the parsed object, or undef when the file cannot be opened.
sub from_file {
    my ($class, $filename) = @_;
    my $fd;
    open($fd, '<', $filename) or return undef;
    binmode($fd);
    my $stream = IO::KaitaiStruct::Stream->new($fd);
    return new($class, $stream);
}

# Constructor: wraps the stream, records parent/root links and parses.
#   $_io     - IO::KaitaiStruct::Stream for this entry (a sub-stream of
#              exactly SignatureSize bytes when created by SignatureList)
#   $_parent - enclosing structure
#   $_root   - root structure (defaults to $self)
sub new {
    my ($class, $_io, $_parent, $_root) = @_;
    my $self = bless IO::KaitaiStruct::Struct->new($_io), $class;
    @{$self}{qw(_parent _root)} = ($_parent, $_root || $self);
    $self->_read();
    return $self;
}

# Reads the owner GUID and takes everything left in the stream as payload.
sub _read {
    my ($self) = @_;
    my $io = $self->{_io};
    $self->{owner} = $io->read_bytes(16);    # SignatureOwner GUID, raw bytes
    $self->{data}  = $io->read_bytes_full(); # remainder of the entry
}

# Raw 16-byte SignatureOwner GUID.
sub owner {
    return $_[0]->{owner};
}

# Signature payload bytes; their meaning depends on the enclosing list's
# signature_type.
sub data {
    return $_[0]->{data};
}
########################################################################
package EfivarSignatureList::EfiVarAttr;
# The 32-bit EFI variable attribute word that efivarfs prepends to the
# variable data, split into its individual flags.
our @ISA = 'IO::KaitaiStruct::Struct';

# Flags in the order they are consumed from the first byte, MSB first.
# With a little-endian attribute word (what efivarfs exposes on the hosts
# this targets — confirm for other platforms) these correspond to
# EFI_VARIABLE_ENHANCED_AUTHENTICATED_ACCESS (0x80) down to
# EFI_VARIABLE_NON_VOLATILE (0x01).
my @ATTR_FLAGS = qw(
    enhanced_authenticated_access
    append_write
    time_based_authenticated_write_access
    authenticated_write_access
    hardware_error_record
    runtime_access
    bootservice_access
    non_volatile
);

# Opens $filename in binary mode and parses an attribute word from it.
# Returns the parsed object, or undef when the file cannot be opened.
sub from_file {
    my ($class, $filename) = @_;
    my $fd;
    open($fd, '<', $filename) or return undef;
    binmode($fd);
    my $stream = IO::KaitaiStruct::Stream->new($fd);
    return new($class, $stream);
}

# Constructor: wraps the stream, records parent/root links and parses.
#   $_io     - IO::KaitaiStruct::Stream positioned at the attribute word
#   $_parent - enclosing structure
#   $_root   - root structure (defaults to $self)
sub new {
    my ($class, $_io, $_parent, $_root) = @_;
    my $self = bless IO::KaitaiStruct::Struct->new($_io), $class;
    @{$self}{qw(_parent _root)} = ($_parent, $_root || $self);
    $self->_read();
    return $self;
}

# Reads eight single-bit flags from the first byte and keeps the remaining
# 24 bits as reserved1.
sub _read {
    my ($self) = @_;
    my $io = $self->{_io};
    for my $flag (@ATTR_FLAGS) {
        $self->{$flag} = $io->read_bits_int_be(1);
    }
    $self->{reserved1} = $io->read_bits_int_be(24);
}

# Each accessor returns the flag's bit value (0 or 1).
sub enhanced_authenticated_access {
    return $_[0]->{enhanced_authenticated_access};
}

sub append_write {
    return $_[0]->{append_write};
}

sub time_based_authenticated_write_access {
    return $_[0]->{time_based_authenticated_write_access};
}

sub authenticated_write_access {
    return $_[0]->{authenticated_write_access};
}

sub hardware_error_record {
    return $_[0]->{hardware_error_record};
}

sub runtime_access {
    return $_[0]->{runtime_access};
}

sub bootservice_access {
    return $_[0]->{bootservice_access};
}

sub non_volatile {
    return $_[0]->{non_volatile};
}

# The 24 bits following the flag byte, as an unsigned integer.
sub reserved1 {
    return $_[0]->{reserved1};
}

1;