Generic.System.EfiSignatures

Collect Efi Signature information from the client.


name: Generic.System.EfiSignatures
description: |
  Collect Efi Signature information from the client.

type: CLIENT
export: |
    -- GUIDs are taken from
    -- https://github.com/chipsec/chipsec/blob/main/chipsec/hal/uefi_common.py
    LET PROFILE = '''[
      ["EfiSignatures", 0, [
        ["__tmp", 0, "uint32"],
        ["__Signatures", 0, "Union", {
          "selector": "x=>x.__tmp < 257",
          "choices": {
            "true": "EfiSignaturesListAttrib",
            "false": "EfiSignaturesList"
          }
        }],
        ["Signatures", 0, "Value", {"value": "x=>x.__Signatures.Signatures"}]
      ]],
      ["EfiSignaturesListAttrib", 0, [
        ["__Attributes", 0, "uint32"],
        ["Signatures", 4, "Array", {"type": "Signature", "count": 1000}]
      ]],
      ["EfiSignaturesList", 0, [
        ["Signatures", 0, "Array", {"type": "Signature", "count": 1000}]
      ]],
      ["Signature", "x=>x.__ListSize", [
        ["__Type", 0, "GUID"],
        ["Type", 0, "Value", {"value": "x=>x.__Type.Value"}],
        ["__ListSize", 16, "uint32"],
        ["__HeaderSize", 20, "uint32"],
        ["Payload", 24, "Union", {
          "selector": "x=>x.Type",
          "choices": {
            "{a5c059a1-94e4-4aa7-87b5-ab155c2bf072}": "Cert",
            "{c1c41626-504c-4092-aca9-41f936934328}": "HashList"
          }
        }]
      ]],
      ["Cert", "x=>x.__SignatureSize + 4", [
        ["__SignatureSize", 0, "uint32"],
        ["__Owner", 4, "GUID"],
        ["Owner", 0, "Value", {"value": "x=>x.__Owner.Value"}],
        ["__Data", 20, "String", {"length": "x=>x.__SignatureSize - 16", "term": "", "max_length": 10000}],
        ["Cert", 0, "Value", {"value": "x=>parse_x509(data=x.__Data)[0]"}]
      ]],
      ["HashList", 0, [
        ["__SignatureSize", 0, "uint32"],
        ["Hashes", 4, "Array", {"type": "Hash", "count": 1000, "sentinel": "x=>x.Owner = '{00000000-0000-0000-0000-000000000000}'"}]
      ]],
      ["Hash", 48, [
        ["__Owner", 0, "GUID"],
        ["Owner", 0, "Value", {"value": "x=>x.__Owner.Value"}],
        ["__Data", 16, "String", {"length": 32, "term": ""}],
        ["Hash", 0, "Value", {"value": "x=>format(format='%048x', args=[x.__Data])"}]
      ]],
      ["GUID", 16, [
        ["__D1", 0, "uint32"],
        ["__D2", 4, "uint16"],
        ["__D3", 6, "uint16"],
        ["__D4", 8, "String", {"term": "", "length": 2}],
        ["__D5", 10, "String", {"term": "", "length": 6}],
        ["Value", 0, "Value", {
          "value": "x=>format(format='{%08x-%04x-%04x-%02x-%02x}', args=[x.__D1, x.__D2, x.__D3, x.__D4, x.__D5])"
        }]
      ]]
    ]'''

    LET GetSignatures(Namespace, Name) = Select Name as Name,
       parse_binary(accessor="data", filename=Value,
                    profile=PROFILE, struct="EfiSignatures").Signatures as Signatures
    FROM efivariables(namespace=Namespace, name=Name, value=True)

sources:
  - name: Certificates
    query: |
      LET PK = Select * FROM foreach(
          row=GetSignatures(Namespace="{8be4df61-93ca-11d2-aa0d-00e098032b8c}", Name="PK"),
          query={
              Select * From foreach(
                  row=Signatures,
                  query={
                      Select Name, Owner, Cert as Certificate From Payload
                  })
          })
      LET DB = Select * FROM foreach(
          row=GetSignatures(Namespace="{d719b2cb-3d3a-4596-a3bc-dad00e67656f}", Name="db"),
          query={
              Select * From foreach(
                  row=Signatures,
                  query={
                      Select Name, Owner, Cert as Certificate From Payload
                  })
          })

       Select * from chain(
          a={ Select * From PK },
          b={ Select * From DB })

  - name: Hashes
    query: |
      Select * FROM foreach(
          row=GetSignatures(Namespace="{d719b2cb-3d3a-4596-a3bc-dad00e67656f}", Name="dbx"),
          query={
              Select * From foreach(
                  row=Signatures,
                  query={
                      Select * FROM foreach(
                          row=Payload.Hashes,
                          query={
                              Select Name, Owner, Hash From scope()
                          })
                  })
          })