diff --git a/Changelog.md b/Changelog.md index 741ab07d2a1..480a389c686 100644 --- a/Changelog.md +++ b/Changelog.md @@ -6,6 +6,7 @@ OpenCore Changelog - Added Arrow Lake CPU detection - Fixed Raptor Lake CPU detection - Supported booting with TuneD in Fedora 41 in OpenLinuxBoot +- Fixed failure of vault `sign.command` to insert signature in correct location in some circumstances #### v1.0.2 - Fixed error in macrecovery when running headless, thx @mkorje diff --git a/Docs/Configuration.tex b/Docs/Configuration.tex index 707439e05b3..b74e45a6a11 100755 --- a/Docs/Configuration.tex +++ b/Docs/Configuration.tex @@ -4724,7 +4724,7 @@ \subsection{Security Properties}\label{miscsecurityprops} \href{https://github.com/acidanthera/OpenCorePkg/tree/master/Utilities/CreateVault}{RsaTool}. - The complete set of commands to: + The steps to binary patch \texttt{OpenCore.efi} are: \begin{itemize} \tightlist @@ -4734,14 +4734,9 @@ \subsection{Security Properties}\label{miscsecurityprops} \item Create \texttt{vault.sig}. \end{itemize} - Can look as follows: + A script to do this is privided in OpenCore releases: \begin{lstlisting}[label=createvault, style=ocbash] -cd /Volumes/EFI/EFI/OC -/path/to/create_vault.sh . -/path/to/RsaTool -sign vault.plist vault.sig vault.pub -off=$(($(strings -a -t d OpenCore.efi | grep "=BEGIN OC VAULT=" | cut -f1 -d' ')+16)) -dd of=OpenCore.efi if=vault.pub bs=1 seek=$off count=528 conv=notrunc -rm vault.pub +/Utilities/CreateVault/sign.command /Volumes/EFI/EFI/OC \end{lstlisting} \emph{Note 1}: While it may appear obvious, an external diff --git a/Library/OcMainLib/OpenCoreVault.c b/Library/OcMainLib/OpenCoreVault.c index af5a54f3492..99c287b1571 100644 --- a/Library/OcMainLib/OpenCoreVault.c +++ b/Library/OcMainLib/OpenCoreVault.c @@ -14,24 +14,21 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include -#pragma pack(push, 1) - -typedef PACKED struct { +typedef struct { OC_RSA_PUBLIC_KEY_HDR Hdr; UINT64 Data[(2 * (2048 / OC_CHAR_BIT)) / sizeof (UINT64)]; } OC_RSA_PUBLIC_KEY_2048; -typedef PACKED struct { +typedef struct { CHAR8 StartMagic[16]; OC_RSA_PUBLIC_KEY_2048 VaultKey; CHAR8 EndMagic[16]; } OC_BUILTIN_VAULT_KEY; -#pragma pack(pop) - +BASE_ALIGNAS (16) STATIC OC_BUILTIN_VAULT_KEY - mOpenCoreVaultKey = { +mOpenCoreVaultKey = { .StartMagic = { '=', 'B', 'E', 'G', 'I', 'N', ' ', 'O', 'C', ' ', 'V', 'A', 'U', 'L', 'T', '=' }, .EndMagic = { '=', '=', 'E', 'N', 'D', ' ', 'O', 'C', ' ', 'V', 'A', 'U', 'L', 'T', '=', '=' } }; @@ -44,6 +41,19 @@ OcGetVaultKey ( UINT32 Index; BOOLEAN AllZero; + STATIC_ASSERT ( + sizeof (OC_RSA_PUBLIC_KEY_2048) == sizeof (((OC_RSA_PUBLIC_KEY_2048 *)NULL)->Hdr) + sizeof (((OC_RSA_PUBLIC_KEY_2048 *)NULL)->Data), + "OC_RSA_PUBLIC_KEY_2048 is not naturally packed" + ); + STATIC_ASSERT ( + OFFSET_OF (OC_BUILTIN_VAULT_KEY, VaultKey) == 16, + "offsetof(OC_BUILTIN_VAULT_KEY.VaultKey)" + ); + STATIC_ASSERT ( + OFFSET_OF (OC_BUILTIN_VAULT_KEY, EndMagic) == 16 + sizeof (OC_RSA_PUBLIC_KEY_2048), + "offsetof(OC_BUILTIN_VAULT_KEY.EndMagic)" + ); + // // TODO: Perhaps try to get the key from firmware too? // diff --git a/Utilities/CreateVault/sign.command b/Utilities/CreateVault/sign.command index ffbdec17f07..cbb2366b934 100755 --- a/Utilities/CreateVault/sign.command +++ b/Utilities/CreateVault/sign.command @@ -61,7 +61,7 @@ echo "Signing ${OCBin}..." ./RsaTool -sign "${OCPath}/vault.plist" "${OCPath}/vault.sig" "${PubKey}" || abort "Failed to patch ${PubKey}" echo "Bin-patching ${OCBin}..." -off=$(($(/usr/bin/strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}') + 16)) +off=$((0x$(/usr/bin/hexdump -C "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}') + 16)) if [ "${off}" -le 16 ]; then abort "${OCBin} is borked" fi