authvar: 4-byte EFI var attrs header in output files #98

Open
jandryuk opened this issue Sep 16, 2022 · 1 comment

Comments

@jandryuk

Hi,

authvar writes .auth files with a 4-byte EFI var attrs header before the authenticated variable itself. This throws off the format (compared to sbsigntools sign-efi-sig-list), and firmware does not accept the file as valid. After removing the 4 bytes, the generated .auth file is equivalent to one generated by sbsigntools, which is accepted by my firmware setup screen. Is there a particular reason for the extra 4 bytes?

This code adds the attributes to the output file:

```c
/* The attribute of the variable */
memcpy(ptr, &ctx->attr, sizeof(ctx->attr));
ptr += sizeof(ctx->attr);
```

My goal was to replace sign-efi-sig-list from sbsigntools with authvar to generate signed .auth files. For sbsigntools, I use:

```sh
cert-to-efi-sig-list -g $GUID PK.crt PK.esl
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
                  -k PK.key -c PK.crt PK PK.esl PK.auth
```

The authvar/efisecdb replacement is:

```sh
efisecdb -g "$GUID" -a -c PK.cer -o PK.esl
authvar -d "$nssdb" --set --valuefile PK.esl \
        --export PK.auth.tmp --sign "$signer" --name PK
dd if=PK.auth.tmp of=PK.auth bs=1 skip=4
```
jandryuk commented Nov 2, 2022

efivarfs expects the 4 bytes of attrs ahead of the contents when writing. The generated files with the 4-byte header can be used to write efivars like so*:

```sh
cat db.auth > /sys/firmware/efi/efivars/db-$uuid
```

*I have written other UEFI variables this way, but this isn't working for db.auth.
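As an added example (not code from the authvar/efisecdb project or from the reporter), the following Python script parses the EFI_VARIABLE_AUTHENTICATION_2 header to tell a bare .auth file from one carrying the 4-byte attribute word described in the issue body, and converts between the two forms: strip it for firmware and sbsigntools compatibility, or prepend it for the efivarfs write shown in the comment. The sample blob is constructed with placeholder bytes in place of a real PKCS#7 signature, and the attribute value 0x27 (NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS) is assumed from the UEFI specification rather than taken from authvar.

```python
import struct
import uuid

# Layout constants from the UEFI spec for EFI_VARIABLE_AUTHENTICATION_2
EFI_TIME_SIZE = 16                    # packed EFI_TIME TimeStamp
WIN_CERT_HDR = struct.Struct("<IHH")  # dwLength, wRevision, wCertificateType
WIN_CERT_REVISION = 0x0200
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
# Assumed attrs for PK/KEK/db: NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
AUTH_VAR_ATTRS = 0x1 | 0x2 | 0x4 | 0x20   # 0x27


def auth2_header_at(buf: bytes, off: int) -> bool:
    """True if buf[off:] begins with a plausible EFI_VARIABLE_AUTHENTICATION_2 header."""
    cert = off + EFI_TIME_SIZE            # WIN_CERTIFICATE_UEFI_GUID follows the timestamp
    if len(buf) < cert + WIN_CERT_HDR.size + 16:
        return False
    length, rev, ctype = WIN_CERT_HDR.unpack_from(buf, cert)
    guid = uuid.UUID(bytes_le=buf[cert + 8:cert + 24])
    return (rev == WIN_CERT_REVISION and ctype == WIN_CERT_TYPE_EFI_GUID
            and guid == EFI_CERT_TYPE_PKCS7_GUID
            and WIN_CERT_HDR.size + 16 <= length <= len(buf) - cert)


def detect_attr_prefix(buf: bytes):
    """0 for a bare .auth, 4 when a 4-byte attrs word precedes it, None if neither parses."""
    if auth2_header_at(buf, 0):
        return 0
    if auth2_header_at(buf, 4):
        return 4
    return None


def strip_attr_prefix(buf: bytes) -> bytes:
    """Same effect as `dd bs=1 skip=4`, but only after confirming the prefix is really there."""
    if detect_attr_prefix(buf) != 4:
        raise ValueError("no 4-byte attrs word in front of an AUTHENTICATION_2 header")
    return buf[4:]


def add_attr_prefix(bare: bytes, attrs: int = AUTH_VAR_ATTRS) -> bytes:
    """Prepend the attrs word efivarfs expects ahead of the variable contents."""
    if detect_attr_prefix(bare) != 0:
        raise ValueError("input is not a bare .auth blob")
    return struct.pack("<I", attrs) + bare


def sample_bare_auth() -> bytes:
    """Constructed stand-in for PK.auth: real layout, placeholder bytes instead of PKCS#7 data."""
    timestamp = struct.pack("<HBBBBBBIhBB", 2022, 9, 16, 0, 0, 0, 0, 0, 0, 0, 0)
    cert_data = b"\x30\x82PLACEHOLDER-PKCS7-SIGNEDDATA"   # constructed, not a real signature
    hdr = WIN_CERT_HDR.pack(WIN_CERT_HDR.size + 16 + len(cert_data),
                            WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return timestamp + hdr + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + cert_data
```

Running detect_attr_prefix over a real PK.auth.tmp from authvar should return 4, and over the sbsigntools output 0; a None result means the file is not an AUTHENTICATION_2 blob at either offset.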
