From 540a2bcec1389a3a31c23b5275e73186be6102b2 Mon Sep 17 00:00:00 2001
From: Stefan Roese <sr@denx.de>
Date: Mon, 30 Nov 2020 13:14:23 +0100
Subject: mips: octeon: tools: Add update_octeon_header tool

Add a tool to update or insert an Octeon specific header into the U-Boot
image. This is needed e.g. for booting via SPI NOR, eMMC and NAND.

While working on this, move enum cvmx_board_types_enum and
cvmx_board_type_to_string() to cvmx-bootloader.h and remove the
unreferenced (unsupported) board definition.

Signed-off-by: Stefan Roese <sr@denx.de>
Cc: Aaron Williams <awilliams@marvell.com>
Cc: Chandrakala Chavva <cchavva@marvell.com>
Cc: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
Reviewed-by: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
---
 tools/.gitignore             |   1 +
 tools/Makefile               |   3 +
 tools/update_octeon_header.c | 456 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 460 insertions(+)
 create mode 100644 tools/update_octeon_header.c

(limited to 'tools')

diff --git a/tools/.gitignore b/tools/.gitignore
index 82bdce2..a021ea9 100644
--- a/tools/.gitignore
+++ b/tools/.gitignore
@@ -32,5 +32,6 @@
 /spl_size_limit
 /sunxi-spl-image-builder
 /ubsha1
+/update_octeon_header
 /version.h
 /xway-swap-bytes
diff --git a/tools/Makefile b/tools/Makefile
index 51123fd..253a6b9 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -206,6 +206,9 @@ hostprogs-y += proftool
 hostprogs-$(CONFIG_STATIC_RELA) += relocate-rela
 hostprogs-$(CONFIG_RISCV) += prelink-riscv
 
+hostprogs-$(CONFIG_ARCH_OCTEON) += update_octeon_header
+update_octeon_header-objs := update_octeon_header.o lib/crc32.o
+
 hostprogs-y += fdtgrep
 fdtgrep-objs += $(LIBFDT_OBJS) common/fdt_region.o fdtgrep.o
 
diff --git a/tools/update_octeon_header.c b/tools/update_octeon_header.c
new file mode 100644
index 0000000..8054cee
--- /dev/null
+++ b/tools/update_octeon_header.c
@@ -0,0 +1,456 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2020 Marvell International Ltd.
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stddef.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+#include <getopt.h>
+#include <arpa/inet.h>
+#include <linux/compiler.h>
+#include <u-boot/crc.h>
+
+#include "mkimage.h"
+
+#include "../arch/mips/mach-octeon/include/mach/cvmx-bootloader.h"
+
+#define BUF_SIZE	(16 * 1024)
+#define NAME_LEN	100
+
+/* word offset */
+#define WOFFSETOF(type, elem)	(offsetof(type, elem) / 4)
+
+static int stage2_flag;
+static int stage_1_5_flag;
+static int stage_1_flag;
+
+/* Getoptions variables must be global */
+static int failsafe_flag;
+static int pciboot_flag;
+static int env_flag;
+
+static const struct option long_options[] = {
+	/* These options set a flag. */
+	{"failsafe", no_argument, &failsafe_flag, 1},
+	{"pciboot", no_argument, &pciboot_flag, 1},
+	{"nandstage2", no_argument, &stage2_flag, 1},
+	{"spistage2", no_argument, &stage2_flag, 1},
+	{"norstage2", no_argument, &stage2_flag, 1},
+	{"stage2", no_argument, &stage2_flag, 1},
+	{"stage1.5", no_argument, &stage_1_5_flag, 1},
+	{"stage1", no_argument, &stage_1_flag, 1},
+	{"environment", no_argument, &env_flag, 1},
+	/*
+	 * These options don't set a flag.
+	 * We distinguish them by their indices.
+	 */
+	{"board", required_argument, 0, 0},
+	{"text_base", required_argument, 0, 0},
+	{0, 0, 0, 0}
+};
+
+static int lookup_board_type(char *board_name)
+{
+	int i;
+	int board_type = 0;
+	char *substr = NULL;
+
+	/* Detect stage 2 bootloader boards */
+	if (strcasestr(board_name, "_stage2")) {
+		printf("Stage 2 bootloader detected from substring %s in name %s\n",
+		       "_stage2", board_name);
+		stage2_flag = 1;
+	} else {
+		printf("Stage 2 bootloader NOT detected from name \"%s\"\n",
+		       board_name);
+	}
+
+	if (strcasestr(board_name, "_stage1")) {
+		printf("Stage 1 bootloader detected from substring %s in name %s\n",
+		       "_stage1", board_name);
+		stage_1_flag = 1;
+	}
+
+	/* Generic is a special case since there are numerous sub-types */
+	if (!strncasecmp("generic", board_name, strlen("generic")))
+		return CVMX_BOARD_TYPE_GENERIC;
+
+	/*
+	 * If we're an eMMC stage 2 bootloader, cut off the _emmc_stage2
+	 * part of the name.
+	 */
+	substr = strcasestr(board_name, "_emmc_stage2");
+	if (substr && (substr[strlen("_emmc_stage2")] == '\0')) {
+		/*return CVMX_BOARD_TYPE_GENERIC;*/
+
+		printf("  Converting board name %s to ", board_name);
+		*substr = '\0';
+		printf("%s\n", board_name);
+	}
+
+	/*
+	 * If we're a NAND stage 2 bootloader, cut off the _nand_stage2
+	 * part of the name.
+	 */
+	substr = strcasestr(board_name, "_nand_stage2");
+	if (substr && (substr[strlen("_nand_stage2")] == '\0')) {
+		/*return CVMX_BOARD_TYPE_GENERIC;*/
+
+		printf("  Converting board name %s to ", board_name);
+		*substr = '\0';
+		printf("%s\n", board_name);
+	}
+
+	/*
+	 * If we're a SPI stage 2 bootloader, cut off the _spi_stage2
+	 * part of the name.
+	 */
+	substr = strcasestr(board_name, "_spi_stage2");
+	if (substr && (substr[strlen("_spi_stage2")] == '\0')) {
+		printf("  Converting board name %s to ", board_name);
+		*substr = '\0';
+		printf("%s\n", board_name);
+	}
+
+	for (i = CVMX_BOARD_TYPE_NULL; i < CVMX_BOARD_TYPE_MAX; i++)
+		if (!strcasecmp(cvmx_board_type_to_string(i), board_name))
+			board_type = i;
+
+	for (i = CVMX_BOARD_TYPE_CUST_DEFINED_MIN;
+	     i < CVMX_BOARD_TYPE_CUST_DEFINED_MAX; i++)
+		if (!strncasecmp(cvmx_board_type_to_string(i), board_name,
+				 strlen(cvmx_board_type_to_string(i))))
+			board_type = i;
+
+	for (i = CVMX_BOARD_TYPE_CUST_PRIVATE_MIN;
+	     i < CVMX_BOARD_TYPE_CUST_PRIVATE_MAX; i++)
+		if (!strncasecmp(cvmx_board_type_to_string(i), board_name,
+				 strlen(cvmx_board_type_to_string(i))))
+			board_type = i;
+
+	return board_type;
+}
+
+static void usage(void)
+{
+	printf("Usage: update_octeon_header <filename> <board_name> [--failsafe] [--text_base=0xXXXXX]\n");
+}
+
+int main(int argc, char *argv[])
+{
+	int fd;
+	uint8_t buf[BUF_SIZE];
+	uint32_t data_crc = 0;
+	int len;
+	int data_len = 0;
+	struct bootloader_header header;
+	char filename[NAME_LEN];
+	int i;
+	int option_index = 0;	/* getopt_long stores the option index here. */
+	char board_name[NAME_LEN] = { 0 };
+	char tmp_board_name[NAME_LEN] = { 0 };
+	int c;
+	int board_type = 0;
+	unsigned long long address = 0;
+	ssize_t ret;
+	const char *type_str = NULL;
+	int hdr_size = sizeof(struct bootloader_header);
+
+	/*
+	 * Compile time check, if the size of the bootloader_header structure
+	 * has changed.
+	 */
+	compiletime_assert(sizeof(struct bootloader_header) == 192,
+			   "Octeon bootloader header size changed (!= 192)!");
+
+	/* Bail out, if argument count is incorrect */
+	if (argc < 3) {
+		usage();
+		return -1;
+	}
+
+	debug("header size is: %d bytes\n", hdr_size);
+
+	/* Parse command line options using getopt_long */
+	while (1) {
+		c = getopt_long(argc, argv, "h", long_options, &option_index);
+
+		/* Detect the end of the options. */
+		if (c == -1)
+			break;
+
+		switch (c) {
+			/* All long options handled in case 0 */
+		case 0:
+			/* If this option set a flag, do nothing else now. */
+			if (long_options[option_index].flag != 0)
+				break;
+			debug("option(l) %s", long_options[option_index].name);
+
+			if (!optarg) {
+				usage();
+				return -1;
+			}
+			debug(" with arg %s\n", optarg);
+
+			if (!strcmp(long_options[option_index].name, "board")) {
+				if (strlen(optarg) >= NAME_LEN) {
+					printf("strncpy() issue detected!");
+					exit(-1);
+				}
+				strncpy(board_name, optarg, NAME_LEN);
+
+				printf("Using user supplied board name: %s\n",
+				       board_name);
+			} else if (!strcmp(long_options[option_index].name,
+					   "text_base")) {
+				address = strtoull(optarg, NULL, 0);
+				printf("Address of image is: 0x%llx\n",
+				       (unsigned long long)address);
+				if (!(address & 0xFFFFFFFFULL << 32)) {
+					if (address & 1 << 31) {
+						address |= 0xFFFFFFFFULL << 32;
+						printf("Converting address to 64 bit compatibility space: 0x%llx\n",
+						       address);
+					}
+				}
+			}
+			break;
+
+		case 'h':
+		case '?':
+			/* getopt_long already printed an error message. */
+			usage();
+			return -1;
+
+		default:
+			abort();
+		}
+	}
+
+	if (optind < argc) {
+		/*
+		 * We only support one argument - an optional bootloader
+		 * file name
+		 */
+		if (argc - optind > 2) {
+			fprintf(stderr, "non-option ARGV-elements: ");
+			while (optind < argc)
+				fprintf(stderr, "%s ", argv[optind++]);
+			fprintf(stderr, "\n");
+
+			usage();
+			return -1;
+		}
+	}
+
+	if (strlen(argv[optind]) >= NAME_LEN) {
+		fprintf(stderr, "strncpy() issue detected!");
+		exit(-1);
+	}
+	strncpy(filename, argv[optind], NAME_LEN);
+
+	if (board_name[0] == '\0') {
+		if (strlen(argv[optind + 1]) >= NAME_LEN) {
+			fprintf(stderr, "strncpy() issue detected!");
+			exit(-1);
+		}
+		strncpy(board_name, argv[optind + 1], NAME_LEN);
+	}
+
+	if (strlen(board_name) >= NAME_LEN) {
+		fprintf(stderr, "strncpy() issue detected!");
+		exit(-1);
+	}
+	strncpy(tmp_board_name, board_name, NAME_LEN);
+
+	fd = open(filename, O_RDWR);
+	if (fd < 0) {
+		fprintf(stderr, "Unable to open file: %s\n", filename);
+		exit(-1);
+	}
+
+	if (failsafe_flag)
+		printf("Setting failsafe flag\n");
+
+	if (strlen(board_name)) {
+		int offset = 0;
+
+		printf("Supplied board name of: %s\n", board_name);
+
+		if (strstr(board_name, "failsafe")) {
+			failsafe_flag = 1;
+			printf("Setting failsafe flag based on board name\n");
+		}
+		/* Skip leading octeon_ if present. */
+		if (!strncmp(board_name, "octeon_", 7))
+			offset = 7;
+
+		/*
+		 * Check to see if 'failsafe' is in the name.  If so, set the
+		 * failsafe flag.  Also, ignore extra trailing characters on
+		 * passed parameter when comparing against board names.
+		 * We actually use the configuration name from u-boot, so it
+		 * may have some other variant names.  Variants other than
+		 * failsafe _must_ be passed to this program explicitly
+		 */
+
+		board_type = lookup_board_type(board_name + offset);
+		if (!board_type) {
+			/* Retry with 'cust_' prefix to catch boards that are
+			 * in the customer section (such as nb5)
+			 */
+			sprintf(tmp_board_name, "cust_%s", board_name + offset);
+			board_type = lookup_board_type(tmp_board_name);
+		}
+
+		/* reset to original value */
+		strncpy(tmp_board_name, board_name, NAME_LEN);
+		if (!board_type) {
+			/*
+			 * Retry with 'cust_private_' prefix to catch boards
+			 * that are in the customer private section
+			 */
+			sprintf(tmp_board_name, "cust_private_%s",
+				board_name + offset);
+			board_type = lookup_board_type(tmp_board_name);
+		}
+
+		if (!board_type) {
+			fprintf(stderr,
+				"ERROR: unable to determine board type\n");
+			exit(-1);
+		}
+		printf("Board type is: %d: %s\n", board_type,
+		       cvmx_board_type_to_string(board_type));
+	} else {
+		fprintf(stderr, "Board name must be specified!\n");
+		exit(-1);
+	}
+
+	/*
+	 * Check to see if there is either an existing header, or that there
+	 * are zero valued bytes where we want to put the header
+	 */
+	len = read(fd, buf, BUF_SIZE);
+	if (len > 0) {
+		/*
+		 * Copy the header, as the first word (jump instruction, needs
+		 * to remain the same.
+		 */
+		memcpy(&header, buf, hdr_size);
+		/*
+		 * Check to see if we have zero bytes (excluding first 4, which
+		 * are the jump instruction)
+		 */
+		for (i = 1; i < hdr_size / 4; i++) {
+			if (((uint32_t *)buf)[i]) {
+				fprintf(stderr,
+					"ERROR: non-zero word found %x in location %d required for header, aborting\n",
+				       ((uint32_t *)buf)[i], i);
+				exit(-1);
+			}
+		}
+		printf("Zero bytes found in header location, adding header.\n");
+
+	} else {
+		fprintf(stderr, "Unable to read from file %s\n", filename);
+		exit(-1);
+	}
+
+	/* Read data bytes and generate CRC */
+	lseek(fd, hdr_size, SEEK_SET);
+
+	while ((len = read(fd, buf, BUF_SIZE)) > 0) {
+		data_crc = crc32(data_crc, buf, len);
+		data_len += len;
+	}
+	printf("CRC of data: 0x%x, length: %d\n", data_crc, data_len);
+
+	/* Now create the new header */
+	header.magic = htonl(BOOTLOADER_HEADER_MAGIC);
+	header.maj_rev = htons(BOOTLOADER_HEADER_CURRENT_MAJOR_REV);
+	header.min_rev = htons(BOOTLOADER_HEADER_CURRENT_MINOR_REV);
+	header.dlen = htonl(data_len);
+	header.dcrc = htonl(data_crc);
+	header.board_type = htons(board_type);
+	header.address = address;
+	if (failsafe_flag)
+		header.flags |= htonl(BL_HEADER_FLAG_FAILSAFE);
+
+	printf("Stage 2 flag is %sset\n", stage2_flag ? "" : "not ");
+	printf("Stage 1 flag is %sset\n", stage_1_flag ? "" : "not ");
+	if (pciboot_flag)
+		header.image_type = htons(BL_HEADER_IMAGE_PCIBOOT);
+	else if (stage2_flag)
+		header.image_type = htons(BL_HEADER_IMAGE_STAGE2);
+	else if (stage_1_flag)
+		header.image_type = htons(BL_HEADER_IMAGE_STAGE1);
+	else if (env_flag)
+		header.image_type = htons(BL_HEADER_IMAGE_UBOOT_ENV);
+	else if (stage_1_5_flag || stage_1_flag)
+		header.image_type = htons(BL_HEADER_IMAGE_PRE_UBOOT);
+	else
+		header.image_type = htons(BL_HEADER_IMAGE_NOR);
+
+	switch (ntohs(header.image_type)) {
+	case BL_HEADER_IMAGE_UNKNOWN:
+		type_str = "Unknown";
+		break;
+	case BL_HEADER_IMAGE_STAGE1:
+		type_str = "Stage 1";
+		break;
+	case BL_HEADER_IMAGE_STAGE2:
+		type_str = "Stage 2";
+		break;
+	case BL_HEADER_IMAGE_PRE_UBOOT:
+		type_str = "Pre-U-Boot";
+		break;
+	case BL_HEADER_IMAGE_STAGE3:
+		type_str = "Stage 3";
+		break;
+	case BL_HEADER_IMAGE_NOR:
+		type_str = "NOR";
+		break;
+	case BL_HEADER_IMAGE_PCIBOOT:
+		type_str = "PCI Boot";
+		break;
+	case BL_HEADER_IMAGE_UBOOT_ENV:
+		type_str = "U-Boot Environment";
+		break;
+	default:
+		if (ntohs(header.image_type) >= BL_HEADER_IMAGE_CUST_RESERVED_MIN &&
+		    ntohs(header.image_type) <= BL_HEADER_IMAGE_CUST_RESERVED_MAX)
+			type_str = "Customer Reserved";
+		else
+			type_str = "Unsupported";
+	}
+	printf("Header image type: %s\n", type_str);
+	header.hlen = htons(hdr_size);
+
+	/* Now compute header CRC over all of the header excluding the CRC */
+	header.hcrc = crc32(0, (void *)&header, 12);
+	header.hcrc = htonl(crc32(header.hcrc, ((void *)&(header)) + 16,
+				  hdr_size - 16));
+
+	/* Seek to beginning of file */
+	lseek(fd, 0, SEEK_SET);
+
+	/* Write header to file */
+	ret = write(fd, &header, hdr_size);
+	if (ret < 0)
+		perror("write");
+
+	close(fd);
+
+	printf("Header CRC: 0x%x\n", ntohl(header.hcrc));
+	return 0;
+}
-- 
cgit v1.1


From f31e83d6cf44fccd25be48b67dd69aaff6c5e1f4 Mon Sep 17 00:00:00 2001
From: Simon Glass <sjg@chromium.org>
Date: Mon, 9 Nov 2020 07:45:02 -0700
Subject: binman: Handle tool paths containing '~' correctly

At present if CROSS_COMPILE contains a tilde, such as
~/.buildman-toolchains/gcc-7.3.0-nolibc/i386-linux/bin/i386-linux-gcc
then binman gives a confusing error:

   binman: Error 255 running '~/..buildman-toolchains/gcc-7.3.0- ...

Fix this by expanding it out before running the tool.

Signed-off-by: Simon Glass <sjg@chromium.org>
---
 tools/patman/tools.py | 1 +
 1 file changed, 1 insertion(+)

(limited to 'tools')

diff --git a/tools/patman/tools.py b/tools/patman/tools.py
index bbb157d..05b1a1d 100644
--- a/tools/patman/tools.py
+++ b/tools/patman/tools.py
@@ -333,6 +333,7 @@ def Run(name, *args, **kwargs):
         elif for_host:
             name, extra_args = GetHostCompileTool(name)
             args = tuple(extra_args) + args
+        name = os.path.expanduser(name)  # Expand paths containing ~
         all_args = (name,) + args
         result = command.RunPipe([all_args], capture=True, capture_stderr=True,
                                  env=env, raise_on_error=False, binary=binary)
-- 
cgit v1.1


From 73253d7765cd7da4f34ff64622913c40a7e23635 Mon Sep 17 00:00:00 2001
From: Paulo Alcantara <pc@cjr.nz>
Date: Tue, 8 Dec 2020 20:10:48 -0300
Subject: tools: add a simple script to generate EFI variables

This script generates EFI variables for U-Boot variable store format.

A few examples:

  - Generating secure boot keys

    $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ \
            -keyout PK.key -out PK.crt -nodes -days 365
    $ efisiglist -a -c PK.crt -o foo.esl
    $ tools/efivar.py set -i ubootefi.var -n db -d foo.esl -t file
    $ tools/efivar.py set -i ubootefi.var -n kek -d foo.esl -t file
    $ tools/efivar.py set -i ubootefi.var -n pk -d foo.esl -t file

  - Printing out variables

    $ tools/efivar.py set -i ubootefi.var -n var1 -d foo -t str
    $ tools/efivar.py set -i ubootefi.var -n var2 -d bar -t str
    $ tools/efivar.py print -i ubootefi.var
    var1:
        8be4df61-93ca-11d2-aa0d-00e098032b8c EFI_GLOBAL_VARIABLE_GUID
        NV|BS|RT, DataSize = 0x3
        0000000000: 66 6F 6F                                          foo
    var2:
        8be4df61-93ca-11d2-aa0d-00e098032b8c EFI_GLOBAL_VARIABLE_GUID
        NV|BS|RT, DataSize = 0x3
        0000000000: 62 61 72                                          bar

    - Removing variables

      $ tools/efivar.py del -i ubootefi.var -n var1
      $ tools/efivar.py set -i ubootefi.var -n var1 -a nv,bs -d foo -t str
      $ tools/efivar.py print -i ubootefi.var -n var1
      var1:
          8be4df61-93ca-11d2-aa0d-00e098032b8c EFI_GLOBAL_VARIABLE_GUID
          NV|BS, DataSize = 0x3
          0000000000: 66 6F 6F                                        foo
      $ tools/efivar.py del -i ubootefi.var -n var1
      err: attributes don't match
      $ tools/efivar.py del -i ubootefi.var -n var1 -a nv,bs
      $ tools/efivar.py print -i ubootefi.var -n var1
      err: variable not found

Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>

Correct examples in commit message.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
 tools/efivar.py | 380 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 380 insertions(+)
 create mode 100755 tools/efivar.py

(limited to 'tools')

diff --git a/tools/efivar.py b/tools/efivar.py
new file mode 100755
index 0000000..ebfcab2
--- /dev/null
+++ b/tools/efivar.py
@@ -0,0 +1,380 @@
+#!/usr/bin/env python3
+## SPDX-License-Identifier: GPL-2.0-only
+#
+# EFI variable store utilities.
+#
+# (c) 2020 Paulo Alcantara <palcantara@suse.de>
+#
+
+import os
+import struct
+import uuid
+import time
+import zlib
+import argparse
+from OpenSSL import crypto
+
+# U-Boot variable store format (version 1)
+UBOOT_EFI_VAR_FILE_MAGIC = 0x0161566966456255
+
+# UEFI variable attributes
+EFI_VARIABLE_NON_VOLATILE = 0x1
+EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
+EFI_VARIABLE_RUNTIME_ACCESS = 0x4
+EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS = 0x10
+EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
+EFI_VARIABLE_READ_ONLY = 1 << 31
+NV_BS = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
+NV_BS_RT = NV_BS | EFI_VARIABLE_RUNTIME_ACCESS
+NV_BS_RT_AT = NV_BS_RT | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
+DEFAULT_VAR_ATTRS = NV_BS_RT
+
+# vendor GUIDs
+EFI_GLOBAL_VARIABLE_GUID = '8be4df61-93ca-11d2-aa0d-00e098032b8c'
+EFI_IMAGE_SECURITY_DATABASE_GUID = 'd719b2cb-3d3a-4596-a3bc-dad00e67656f'
+EFI_CERT_TYPE_PKCS7_GUID = '4aafd29d-68df-49ee-8aa9-347d375665a7'
+WIN_CERT_TYPE_EFI_GUID = 0x0ef1
+WIN_CERT_REVISION = 0x0200
+
+var_attrs = {
+        'NV': EFI_VARIABLE_NON_VOLATILE,
+        'BS': EFI_VARIABLE_BOOTSERVICE_ACCESS,
+        'RT': EFI_VARIABLE_RUNTIME_ACCESS,
+        'AT': EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
+        'RO': EFI_VARIABLE_READ_ONLY,
+        'AW': EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS,
+}
+
+var_guids = {
+        'EFI_GLOBAL_VARIABLE_GUID': EFI_GLOBAL_VARIABLE_GUID,
+        'EFI_IMAGE_SECURITY_DATABASE_GUID': EFI_IMAGE_SECURITY_DATABASE_GUID,
+}
+
+class EfiStruct:
+        # struct efi_var_file
+        var_file_fmt = '<QQLL'
+        var_file_size = struct.calcsize(var_file_fmt)
+        # struct efi_var_entry
+        var_entry_fmt = '<LLQ16s'
+        var_entry_size = struct.calcsize(var_entry_fmt)
+        # struct efi_time
+        var_time_fmt = '<H6BLh2B'
+        var_time_size = struct.calcsize(var_time_fmt)
+        # WIN_CERTIFICATE
+        var_win_cert_fmt = '<L2H'
+        var_win_cert_size = struct.calcsize(var_win_cert_fmt)
+        # WIN_CERTIFICATE_UEFI_GUID
+        var_win_cert_uefi_guid_fmt = var_win_cert_fmt+'16s'
+        var_win_cert_uefi_guid_size = struct.calcsize(var_win_cert_uefi_guid_fmt)
+
+class EfiVariable:
+    def __init__(self, size, attrs, time, guid, name, data):
+        self.size = size
+        self.attrs = attrs
+        self.time = time
+        self.guid = guid
+        self.name = name
+        self.data = data
+
+def calc_crc32(buf):
+    return zlib.crc32(buf) & 0xffffffff
+
+class EfiVariableStore:
+    def __init__(self, infile):
+        self.infile = infile
+        self.efi = EfiStruct()
+        if os.path.exists(self.infile) and os.stat(self.infile).st_size > self.efi.var_file_size:
+            with open(self.infile, 'rb') as f:
+                buf = f.read()
+                self._check_header(buf)
+                self.ents = buf[self.efi.var_file_size:]
+        else:
+            self.ents = bytearray()
+
+    def _check_header(self, buf):
+        hdr = struct.unpack_from(self.efi.var_file_fmt, buf, 0)
+        magic, crc32 = hdr[1], hdr[3]
+
+        if magic != UBOOT_EFI_VAR_FILE_MAGIC:
+            print("err: invalid magic number: %s"%hex(magic))
+            exit(1)
+        if crc32 != calc_crc32(buf[self.efi.var_file_size:]):
+            print("err: invalid crc32: %s"%hex(crc32))
+            exit(1)
+
+    def _get_var_name(self, buf):
+        name = ''
+        for i in range(0, len(buf) - 1, 2):
+            if not buf[i] and not buf[i+1]:
+                break
+            name += chr(buf[i])
+        return ''.join([chr(x) for x in name.encode('utf_16_le') if x]), i + 2
+
+    def _next_var(self, offs=0):
+        size, attrs, time, guid = struct.unpack_from(self.efi.var_entry_fmt, self.ents, offs)
+        data_fmt = str(size)+"s"
+        offs += self.efi.var_entry_size
+        name, namelen = self._get_var_name(self.ents[offs:])
+        offs += namelen
+        data = struct.unpack_from(data_fmt, self.ents, offs)[0]
+        # offset to next 8-byte aligned variable entry
+        offs = (offs + len(data) + 7) & ~7
+        return EfiVariable(size, attrs, time, uuid.UUID(bytes_le=guid), name, data), offs
+
+    def __iter__(self):
+        self.offs = 0
+        return self
+
+    def __next__(self):
+        if self.offs < len(self.ents):
+            var, noffs = self._next_var(self.offs)
+            self.offs = noffs
+            return var
+        else:
+            raise StopIteration
+
+    def __len__(self):
+        return len(self.ents)
+
+    def _set_var(self, guid, name_data, size, attrs, tsec):
+        ent = struct.pack(self.efi.var_entry_fmt,
+                          size,
+                          attrs,
+                          tsec,
+                          uuid.UUID(guid).bytes_le)
+        ent += name_data
+        self.ents += ent
+
+    def del_var(self, guid, name, attrs):
+        offs = 0
+        while offs < len(self.ents):
+            var, loffs = self._next_var(offs)
+            if var.name == name and str(var.guid):
+                if var.attrs != attrs:
+                    print("err: attributes don't match")
+                    exit(1)
+                self.ents = self.ents[:offs] + self.ents[loffs:]
+                return
+            offs = loffs
+        print("err: variable not found")
+        exit(1)
+
+    def set_var(self, guid, name, data, size, attrs):
+        offs = 0
+        while offs < len(self.ents):
+            var, loffs = self._next_var(offs)
+            if var.name == name and str(var.guid) == guid:
+                if var.attrs != attrs:
+                    print("err: attributes don't match")
+                    exit(1)
+                # make room for updating var
+                self.ents = self.ents[:offs] + self.ents[loffs:]
+                break
+            offs = loffs
+
+        tsec = int(time.time()) if attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS else 0
+        nd = name.encode('utf_16_le') + b"\x00\x00" + data
+        # U-Boot variable format requires the name + data blob to be 8-byte aligned
+        pad = ((len(nd) + 7) & ~7) - len(nd)
+        nd += bytes([0] * pad)
+
+        return self._set_var(guid, nd, size, attrs, tsec)
+
+    def save(self):
+        hdr = struct.pack(self.efi.var_file_fmt,
+                          0,
+                          UBOOT_EFI_VAR_FILE_MAGIC,
+                          len(self.ents) + self.efi.var_file_size,
+                          calc_crc32(self.ents))
+
+        with open(self.infile, 'wb') as f:
+            f.write(hdr)
+            f.write(self.ents)
+
+def parse_attrs(attrs):
+    v = DEFAULT_VAR_ATTRS
+    if attrs:
+        v = 0
+        for i in attrs.split(','):
+            v |= var_attrs[i.upper()]
+    return v
+
+def parse_data(val, vtype):
+    if not val or not vtype:
+        return None, 0
+    fmt = { 'u8': '<B', 'u16': '<H', 'u32': '<L', 'u64': '<Q' }
+    if vtype.lower() == 'file':
+        with open(val, 'rb') as f:
+            data = f.read()
+            return data, len(data)
+    if vtype.lower() == 'str':
+        data = val.encode('utf-8')
+        return data, len(data)
+    if vtype.lower() == 'nil':
+        return None, 0
+    i = fmt[vtype.lower()]
+    return struct.pack(i, int(val)), struct.calcsize(i)
+
+def parse_args(args):
+    name = args.name
+    attrs = parse_attrs(args.attrs)
+    guid = args.guid if args.guid else EFI_GLOBAL_VARIABLE_GUID
+
+    if name.lower() == 'db' or name.lower() == 'dbx':
+        name = name.lower()
+        guid = EFI_IMAGE_SECURITY_DATABASE_GUID
+        attrs = NV_BS_RT_AT
+    elif name.lower() == 'pk' or name.lower() == 'kek':
+        name = name.upper()
+        guid = EFI_GLOBAL_VARIABLE_GUID
+        attrs = NV_BS_RT_AT
+
+    data, size = parse_data(args.data, args.type)
+    return guid, name, attrs, data, size
+
+def cmd_set(args):
+    env = EfiVariableStore(args.infile)
+    guid, name, attrs, data, size = parse_args(args)
+    env.set_var(guid=guid, name=name, data=data, size=size, attrs=attrs)
+    env.save()
+
+def print_var(var):
+    print(var.name+':')
+    print("    "+str(var.guid)+' '+''.join([x for x in var_guids if str(var.guid) == var_guids[x]]))
+    print("    "+'|'.join([x for x in var_attrs if var.attrs & var_attrs[x]])+", DataSize = %s"%hex(var.size))
+    hexdump(var.data)
+
+def cmd_print(args):
+    env = EfiVariableStore(args.infile)
+    if not args.name and not args.guid and not len(env):
+        return
+
+    found = False
+    for var in env:
+        if not args.name:
+            if args.guid and args.guid != str(var.guid):
+                continue
+            print_var(var)
+            found = True
+        else:
+            if args.name != var.name or (args.guid and args.guid != str(var.guid)):
+                continue
+            print_var(var)
+            found = True
+
+    if not found:
+        print("err: variable not found")
+        exit(1)
+
+def cmd_del(args):
+    env = EfiVariableStore(args.infile)
+    attrs = parse_attrs(args.attrs)
+    guid = args.guid if args.guid else EFI_GLOBAL_VARIABLE_GUID
+    env.del_var(guid, args.name, attrs)
+    env.save()
+
+def pkcs7_sign(cert, key, buf):
+    with open(cert, 'r') as f:
+        crt = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
+    with open(key, 'r') as f:
+        pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())
+
+    PKCS7_BINARY = 0x80
+    PKCS7_DETACHED = 0x40
+    PKCS7_NOATTR = 0x100
+
+    bio_in = crypto._new_mem_buf(buf)
+    p7 = crypto._lib.PKCS7_sign(crt._x509, pkey._pkey, crypto._ffi.NULL, bio_in,
+                                PKCS7_BINARY|PKCS7_DETACHED|PKCS7_NOATTR)
+    bio_out = crypto._new_mem_buf()
+    crypto._lib.i2d_PKCS7_bio(bio_out, p7)
+    return crypto._bio_to_string(bio_out)
+
+# UEFI 2.8 Errata B "8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2 descriptor"
+def cmd_sign(args):
+    guid, name, attrs, data, size = parse_args(args)
+    attrs |= EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
+    efi = EfiStruct()
+
+    tm = time.localtime()
+    etime = struct.pack(efi.var_time_fmt,
+                        tm.tm_year, tm.tm_mon, tm.tm_mday,
+                        tm.tm_hour, tm.tm_min, tm.tm_sec,
+                        0, 0, 0, 0, 0)
+
+    buf = name.encode('utf_16_le') + uuid.UUID(guid).bytes_le + attrs.to_bytes(4, byteorder='little') + etime
+    if data:
+        buf += data
+    sig = pkcs7_sign(args.cert, args.key, buf)
+
+    desc = struct.pack(efi.var_win_cert_uefi_guid_fmt,
+                       efi.var_win_cert_uefi_guid_size + len(sig),
+                       WIN_CERT_REVISION,
+                       WIN_CERT_TYPE_EFI_GUID,
+                       uuid.UUID(EFI_CERT_TYPE_PKCS7_GUID).bytes_le)
+
+    with open(args.outfile, 'wb') as f:
+        if data:
+            f.write(etime + desc + sig + data)
+        else:
+            f.write(etime + desc + sig)
+
+def main():
+    ap = argparse.ArgumentParser(description='EFI variable store utilities')
+    subp = ap.add_subparsers(help="sub-command help")
+
+    printp = subp.add_parser('print', help='get/list EFI variables')
+    printp.add_argument('--infile', '-i', required=True, help='file to save the EFI variables')
+    printp.add_argument('--name', '-n', help='variable name')
+    printp.add_argument('--guid', '-g', help='vendor GUID')
+    printp.set_defaults(func=cmd_print)
+
+    setp = subp.add_parser('set', help='set EFI variable')
+    setp.add_argument('--infile', '-i', required=True, help='file to save the EFI variables')
+    setp.add_argument('--name', '-n', required=True, help='variable name')
+    setp.add_argument('--attrs', '-a', help='variable attributes (values: nv,bs,rt,at,ro,aw)')
+    setp.add_argument('--guid', '-g', help="vendor GUID (default: %s)"%EFI_GLOBAL_VARIABLE_GUID)
+    setp.add_argument('--type', '-t', help='variable type (values: file|u8|u16|u32|u64|str)')
+    setp.add_argument('--data', '-d', help='data or filename')
+    setp.set_defaults(func=cmd_set)
+
+    delp = subp.add_parser('del', help='delete EFI variable')
+    delp.add_argument('--infile', '-i', required=True, help='file to save the EFI variables')
+    delp.add_argument('--name', '-n', required=True, help='variable name')
+    delp.add_argument('--attrs', '-a', help='variable attributes (values: nv,bs,rt,at,ro,aw)')
+    delp.add_argument('--guid', '-g', help="vendor GUID (default: %s)"%EFI_GLOBAL_VARIABLE_GUID)
+    delp.set_defaults(func=cmd_del)
+
+    signp = subp.add_parser('sign', help='sign time-based EFI payload')
+    signp.add_argument('--cert', '-c', required=True, help='x509 certificate filename in PEM format')
+    signp.add_argument('--key', '-k', required=True, help='signing certificate filename in PEM format')
+    signp.add_argument('--name', '-n', required=True, help='variable name')
+    signp.add_argument('--attrs', '-a', help='variable attributes (values: nv,bs,rt,at,ro,aw)')
+    signp.add_argument('--guid', '-g', help="vendor GUID (default: %s)"%EFI_GLOBAL_VARIABLE_GUID)
+    signp.add_argument('--type', '-t', required=True, help='variable type (values: file|u8|u16|u32|u64|str|nil)')
+    signp.add_argument('--data', '-d', help='data or filename')
+    signp.add_argument('--outfile', '-o', required=True, help='output filename of signed EFI payload')
+    signp.set_defaults(func=cmd_sign)
+
+    args = ap.parse_args()
+    args.func(args)
+
+def group(a, *ns):
+    for n in ns:
+        a = [a[i:i+n] for i in range(0, len(a), n)]
+    return a
+
+def join(a, *cs):
+    return [cs[0].join(join(t, *cs[1:])) for t in a] if cs else a
+
+def hexdump(data):
+    toHex = lambda c: '{:02X}'.format(c)
+    toChr = lambda c: chr(c) if 32 <= c < 127 else '.'
+    make = lambda f, *cs: join(group(list(map(f, data)), 8, 2), *cs)
+    hs = make(toHex, '  ', ' ')
+    cs = make(toChr, ' ', '')
+    for i, (h, c) in enumerate(zip(hs, cs)):
+        print ('    {:010X}: {:48}  {:16}'.format(i * 16, h, c))
+
+if __name__ == '__main__':
+    main()
-- 
cgit v1.1