CreateVault: Fix sign.command and update signing docs

Fix operation of `sign.command` when printable characters occur immediately before `=BEGIN OC VAULT=`. `strings` finds the location of the first printable character in such a sequence. `hexdump` automatically works on 16 byte boundaries, so still finds the correct offset. Use `BASE_ALIGNAS` to enforce the required alignment, which will not be correct on all builds unless enforced (note alignment is required purely for locating the structure correctly from external script as above, not for reading in C). Remove struct packing, since structs had better be naturally packed anyway (if not, reading from them without arbitrary-alignment-safe code, as we do, would be undefined behaviour). Add static asserts to confirm expected size as required by `sign.command`. Update the docs to refer to `sign.command` rather than to include the signing commands explicitly - otherwise we have two places that need to be kept in sync for signing commands, and note that the commands in the two places were already out of sync. Signed-off-by: Mike Beaton <mjsbeaton@gmail.com>
2025-12-08 19:25:01 +00:00 · 2024-11-24 10:04:54 +00:00 · 2024-11-24 10:04:54 +00:00 · 35bcb134f1
commit 35bcb134f1
parent c7779e7721
9 changed files with 33 additions and 28 deletions
--- a/Changelog.md
+++ b/Changelog.md
@ -6,6 +6,7 @@ OpenCore Changelog
 - Added Arrow Lake CPU detection
 - Fixed Raptor Lake CPU detection
 - Supported booting with TuneD in Fedora 41 in OpenLinuxBoot
+- Fixed failure of vault `sign.command` to insert signature in correct location in some circumstances

 #### v1.0.2
 - Fixed error in macrecovery when running headless, thx @mkorje
--- a/Docs/Configuration.md5
+++ b/Docs/Configuration.md5
@ -1 +1 @@
-803349296249f30c802a43fbe92926c6
+fa42399c09fbdc260b41745484b4a752
--- a/Docs/Configuration.pdf
+++ b/Docs/Configuration.pdf
--- a/Docs/Configuration.tex
+++ b/Docs/Configuration.tex
@ -4724,7 +4724,7 @@ nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:oem-board   # SMBIOS Type2 ProductNam
  \href{https://github.com/acidanthera/OpenCorePkg/tree/master/Utilities/CreateVault}{RsaTool}.


-  The complete set of commands to:
+  The steps to binary patch \texttt{OpenCore.efi} are:

  \begin{itemize}
  \tightlist
@ -4734,14 +4734,9 @@ nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:oem-board   # SMBIOS Type2 ProductNam
  \item Create \texttt{vault.sig}.
  \end{itemize}

-  Can look as follows:
+  A script to do this is privided in OpenCore releases:
 \begin{lstlisting}[label=createvault, style=ocbash]
-cd /Volumes/EFI/EFI/OC
-/path/to/create_vault.sh .
-/path/to/RsaTool -sign vault.plist vault.sig vault.pub
-off=$(($(strings -a -t d OpenCore.efi | grep "=BEGIN OC VAULT=" | cut -f1 -d' ')+16))
-dd of=OpenCore.efi if=vault.pub bs=1 seek=$off count=528 conv=notrunc
-rm vault.pub
+/Utilities/CreateVault/sign.command /Volumes/EFI/EFI/OC
 \end{lstlisting}

  \emph{Note 1}: While it may appear obvious, an external
--- a/Docs/Differences/Differences.pdf
+++ b/Docs/Differences/Differences.pdf
--- a/Docs/Differences/Differences.tex
+++ b/Docs/Differences/Differences.tex
@ -1,7 +1,7 @@
 \documentclass[]{article}
 %DIF LATEXDIFF DIFFERENCE FILE
-%DIF DEL PreviousConfiguration.tex   Sat Nov  9 05:47:31 2024
-%DIF ADD ../Configuration.tex        Wed Nov 20 08:35:03 2024
+%DIF DEL PreviousConfiguration.tex   Tue Nov 26 03:15:30 2024
+%DIF ADD ../Configuration.tex        Tue Nov 26 03:15:30 2024

 \usepackage{lmodern}
 \usepackage{amssymb,amsmath}
@ -4785,7 +4785,7 @@ nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:oem-board   # SMBIOS Type2 ProductNam
  \href{https://github.com/acidanthera/OpenCorePkg/tree/master/Utilities/CreateVault}{RsaTool}.


-  The complete set of commands to:
+  The \DIFdelbegin \DIFdel{complete set of commands to }\DIFdelend \DIFaddbegin \DIFadd{steps to binary patch }\texttt{\DIFadd{OpenCore.efi}} \DIFadd{are}\DIFaddend :

  \begin{itemize}
  \tightlist
@ -4795,15 +4795,18 @@ nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:oem-board   # SMBIOS Type2 ProductNam
  \item Create \texttt{vault.sig}.
  \end{itemize}

-  Can look as follows:
-\begin{lstlisting}[label=createvault, style=ocbash]
-cd /Volumes/EFI/EFI/OC
-/path/to/create_vault.sh .
-/path/to/RsaTool -sign vault.plist vault.sig vault.pub
-off=$(($(strings -a -t d OpenCore.efi | grep "=BEGIN OC VAULT=" | cut -f1 -d' ')+16))
-dd of=OpenCore.efi if=vault.pub bs=1 seek=$off count=528 conv=notrunc
-rm vault.pub
+  \DIFdelbegin \DIFdel{Can look as follows}\DIFdelend \DIFaddbegin \DIFadd{A script to do this is privided in OpenCore releases}\DIFaddend :
+\DIFmodbegin
+\begin{lstlisting}[label=createvault, style=ocbash,alsolanguage=DIFcode]
+%DIF < cd /Volumes/EFI/EFI/OC
+%DIF < /path/to/create_vault.sh .
+%DIF < /path/to/RsaTool -sign vault.plist vault.sig vault.pub
+%DIF < off=$(($(strings -a -t d OpenCore.efi | grep "=BEGIN OC VAULT=" | cut -f1 -d' ')+16))
+%DIF < dd of=OpenCore.efi if=vault.pub bs=1 seek=$off count=528 conv=notrunc
+%DIF < rm vault.pub
+%DIF > /Utilities/CreateVault/sign.command /Volumes/EFI/EFI/OC
 \end{lstlisting}
+\DIFmodend

  \emph{Note 1}: While it may appear obvious, an external
  method is required to verify \texttt{OpenCore.efi} and \texttt{BOOTx64.efi} for
--- a/Docs/Errata/Errata.pdf
+++ b/Docs/Errata/Errata.pdf
--- a/Library/OcMainLib/OpenCoreVault.c
+++ b/Library/OcMainLib/OpenCoreVault.c
@ -14,24 +14,21 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.

 #include <Library/OcMainLib.h>

-#pragma pack(push, 1)
-
-typedef PACKED struct {
+typedef struct {
  OC_RSA_PUBLIC_KEY_HDR    Hdr;
  UINT64                   Data[(2 * (2048 / OC_CHAR_BIT)) / sizeof (UINT64)];
 } OC_RSA_PUBLIC_KEY_2048;

-typedef PACKED struct {
+typedef struct {
  CHAR8                     StartMagic[16];
  OC_RSA_PUBLIC_KEY_2048    VaultKey;
  CHAR8                     EndMagic[16];
 } OC_BUILTIN_VAULT_KEY;

-#pragma pack(pop)
-
+BASE_ALIGNAS (16)
 STATIC
 OC_BUILTIN_VAULT_KEY
-  mOpenCoreVaultKey = {
+mOpenCoreVaultKey = {
  .StartMagic = { '=', 'B', 'E', 'G', 'I', 'N', ' ', 'O', 'C', ' ', 'V', 'A', 'U', 'L', 'T', '=' },
  .EndMagic   = { '=', '=', 'E', 'N', 'D', ' ', 'O', 'C', ' ', 'V', 'A', 'U', 'L', 'T', '=', '=' }
 };
@ -44,6 +41,15 @@ OcGetVaultKey (
  UINT32   Index;
  BOOLEAN  AllZero;

+  STATIC_ASSERT (
+    sizeof (OC_RSA_PUBLIC_KEY_2048) == 528,
+    "sizeof(OC_RSA_PUBLIC_KEY_2048)"
+    );
+  STATIC_ASSERT (
+    sizeof (OC_BUILTIN_VAULT_KEY) == sizeof (OC_RSA_PUBLIC_KEY_2048) + 32,
+    "sizeof(OC_BUILTIN_VAULT_KEY)"
+    );
+
  //
  // TODO: Perhaps try to get the key from firmware too?
  //
--- a/Utilities/CreateVault/sign.command
+++ b/Utilities/CreateVault/sign.command
@ -61,7 +61,7 @@ echo "Signing ${OCBin}..."
 ./RsaTool -sign "${OCPath}/vault.plist" "${OCPath}/vault.sig" "${PubKey}" || abort "Failed to patch ${PubKey}"

 echo "Bin-patching ${OCBin}..."
-off=$(($(/usr/bin/strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}') + 16))
+off=$((0x$(/usr/bin/hexdump -C "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}') + 16))
 if [ "${off}" -le 16 ]; then
  abort "${OCBin} is borked"
 fi