CreateVault: Fix sign.command and update signing docs

Fix operation of `sign.command` when printable characters occur immediately before `=BEGIN OC VAULT=`. `strings` finds the location of the first printable character in such a sequence. `hexdump` automatically works on 16 byte boundaries, so still finds the correct offset. Use `BASE_ALIGNAS` to force (and document) the required alignment, though it should be correct without it. Update the docs to refer to `sign.command` rather than to include the signing commands explicitly - otherwise we have two places that need to be kept in sync for signing commands, and note that the commands in the two places were already out of sync. Signed-off-by: Mike Beaton <[email protected]>
acidanthera · Nov 24, 2024 · bc434fe · bc434fe
1 parent c7779e7
commit bc434fe
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 10 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -6,6 +6,7 @@ OpenCore Changelog
 - Added Arrow Lake CPU detection
 - Fixed Raptor Lake CPU detection
 - Supported booting with TuneD in Fedora 41 in OpenLinuxBoot
+- Fixed failure of vault `sign.command` to insert signature in correct location in some circumstances
 
 #### v1.0.2
 - Fixed error in macrecovery when running headless, thx @mkorje

diff --git a/Docs/Configuration.tex b/Docs/Configuration.tex
@@ -4724,7 +4724,7 @@ \subsection{Security Properties}\label{miscsecurityprops}
   \href{https://github.com/acidanthera/OpenCorePkg/tree/master/Utilities/CreateVault}{RsaTool}.
 
 
-  The complete set of commands to:
+  The steps to binary patch \texttt{OpenCore.efi} are:
 
   \begin{itemize}
   \tightlist
@@ -4734,14 +4734,9 @@ \subsection{Security Properties}\label{miscsecurityprops}
   \item Create \texttt{vault.sig}.
   \end{itemize}
 
-  Can look as follows:
+  A script to do this is privided in OpenCore releases:
 \begin{lstlisting}[label=createvault, style=ocbash]
-cd /Volumes/EFI/EFI/OC
-/path/to/create_vault.sh .
-/path/to/RsaTool -sign vault.plist vault.sig vault.pub
-off=$(($(strings -a -t d OpenCore.efi | grep "=BEGIN OC VAULT=" | cut -f1 -d' ')+16))
-dd of=OpenCore.efi if=vault.pub bs=1 seek=$off count=528 conv=notrunc
-rm vault.pub
+/Utilities/CreateVault/sign.command /Volumes/EFI/EFI/OC
 \end{lstlisting}
 
   \emph{Note 1}: While it may appear obvious, an external

diff --git a/Library/OcMainLib/OpenCoreVault.c b/Library/OcMainLib/OpenCoreVault.c
@@ -22,7 +22,7 @@ typedef PACKED struct {
 } OC_RSA_PUBLIC_KEY_2048;
 
 typedef PACKED struct {
-  CHAR8                     StartMagic[16];
+  BASE_ALIGNAS (16) CHAR8   StartMagic[16];
   OC_RSA_PUBLIC_KEY_2048    VaultKey;
   CHAR8                     EndMagic[16];
 } OC_BUILTIN_VAULT_KEY;

diff --git a/Utilities/CreateVault/sign.command b/Utilities/CreateVault/sign.command
@@ -61,7 +61,7 @@ echo "Signing ${OCBin}..."
 ./RsaTool -sign "${OCPath}/vault.plist" "${OCPath}/vault.sig" "${PubKey}" || abort "Failed to patch ${PubKey}"
 
 echo "Bin-patching ${OCBin}..."
-off=$(($(/usr/bin/strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}') + 16))
+off=$((0x$(/usr/bin/hexdump -C "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}') + 16))
 if [ "${off}" -le 16 ]; then
   abort "${OCBin} is borked"
 fi