Cryptographic Validation For Authenticated Variables#327
Closed
Flickdm wants to merge 4 commits into
Pull request overview
This pull request adds cryptographic verification capabilities to the UEFI authenticated variable tools by introducing a new verify command, a batch validation script, and automated CI workflow validation.
- Adds a `verify` command to `auth_var_tool.py` with PKCS7 signature verification
- Creates the `validate_kek.py` script for batch validation of KEK update files
- Implements a GitHub Actions workflow for automated KEK validation on pull requests
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| scripts/auth_var_tool.py | Adds cryptographic verification functionality with new verify command, PKCS7 certificate extraction, signature verification helpers, and enhanced describe output with human-readable hex strings |
| scripts/validate_kek.py | New script for validating KEK update files (single or batch) with JSON reporting, payload hash checking, and cryptographic signature verification |
| .github/workflows/validate-kek-updates.yml | New GitHub Actions workflow to automatically validate KEK files in pull requests, checking cryptographic signatures and expected payloads |
Comments suppressed due to low confidence (1)
scripts/auth_var_tool.py:669 (`import re`): This import of module re is redundant, as it was previously imported on line 49.
Add signature verification support to auth_var_tool.py with PKCS7 parsing, certificate extraction, and signer verification. Add validate_kek.py to validate one file or a folder of KEK updates against expected variable metadata and payload hash, and emit JSON results for automation. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add a pull request workflow to run KEK validation checks in CI and surface failures early during review. Signed-off-by: Doug Flick <dougflick@microsoft.com>
timddyer approved these changes on Apr 14, 2026
Description
This pull request adds a new "verify" command to the `auth_var_tool.py` script, enhancing its ability to cryptographically verify UEFI authenticated variables. It also improves the output of the "describe" command by converting hex-encoded certificate fields into human-readable text. The most important changes are summarized below:

New Verification Functionality:
- `verify` command that verifies the cryptographic signature of authenticated variables, checking PKCS7 structure validity, signature correctness, and presence of the signing certificate. This includes new helper functions for extracting certificates and verifying signatures from PKCS7 data. [1] [2] [3] [4] [5] [6]

Improvements to Describe Output:
- `describe` command now converts ASN.1 hex-encoded certificate fields (such as subject and issuer names) into human-readable strings, making the output more user-friendly. [1] [2]

Documentation and Usage Examples:
- `verify` command and its arguments documented, ensuring users are aware of the new functionality. [1] [2]

These changes make the tool more robust for workflows that require verification of signed UEFI variables and improve the clarity of output for certificate inspection.
How This Was Tested
- Against every supplied KEK update
- Appears to have caught a couple of mistakes, reviewing them internally
Integration Instructions
N/A
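Both the `verify` command's PKCS7 check and `validate_kek.py`'s payload-hash check described in this PR rest on two things a verifier has to get right before any signature math happens: parsing the EFI_VARIABLE_AUTHENTICATION_2 header (EFI_TIME followed by a WIN_CERTIFICATE_UEFI_GUID carrying the PKCS7 blob) and rebuilding the buffer the detached PKCS7 signature actually covers, which is not the payload alone. The following is an added example, not code from this PR or from `auth_var_tool.py`; it uses constants from the UEFI specification, assumes the KEK defaults (variable name `KEK`, vendor GUID EFI_GLOBAL_VARIABLE, attributes NV|BS|RT|TIME_BASED_AUTH) as the expected metadata, and leaves the PKCS7 signature verification itself to a CMS library. The sample blob at the bottom is constructed for illustration and carries an empty DER SEQUENCE where a real SignedData would be.

```python
"""Parse EFI_VARIABLE_AUTHENTICATION_2 blobs and rebuild the buffer the PKCS7 signs.

Added example, not code from the PR or from auth_var_tool.py. Constants come from
the UEFI specification; PKCS7 signature checking is left to a CMS library.
"""
import hashlib
import struct
import uuid

# EFI_TIME: Year, Month, Day, Hour, Minute, Second, Pad1, Nanosecond, TimeZone, Daylight, Pad2
EFI_TIME_FMT = "<HBBBBBBIhBB"
EFI_TIME_SIZE = struct.calcsize(EFI_TIME_FMT)          # 16
WIN_CERT_HDR_FMT = "<IHH"                              # dwLength, wRevision, wCertificateType
WIN_CERT_HDR_SIZE = struct.calcsize(WIN_CERT_HDR_FMT)  # 8
WIN_CERT_REVISION = 0x0200
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
# NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS: what a KEK update is signed with (assumed default)
KEK_ATTRIBUTES = 0x01 | 0x02 | 0x04 | 0x20


class AuthVarError(ValueError):
    """Header does not describe a PKCS7-signed, time-based authenticated variable."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_auth_var_2(blob: bytes) -> dict:
    """Split a blob into EFI_TIME, the PKCS7 SignedData and the variable payload.

    Layout: EFI_TIME (16) || WIN_CERTIFICATE header (8) || CertType GUID (16)
    || CertData (dwLength - 24 bytes of PKCS7) || payload (everything after).
    """
    if len(blob) < EFI_TIME_SIZE + WIN_CERT_HDR_SIZE + 16:
        raise AuthVarError("blob too short for EFI_VARIABLE_AUTHENTICATION_2")
    timestamp = blob[:EFI_TIME_SIZE]
    fields = struct.unpack(EFI_TIME_FMT, timestamp)
    # Time-based auth requires Pad1, Nanosecond, TimeZone, Daylight and Pad2 to be zero;
    # firmware that enforces this rejects blobs a lax tool would still call "verified".
    if any(fields[6:]):
        raise AuthVarError("EFI_TIME Pad1/Nanosecond/TimeZone/Daylight/Pad2 must be zero")
    off = EFI_TIME_SIZE
    dw_length, revision, cert_type = struct.unpack_from(WIN_CERT_HDR_FMT, blob, off)
    if revision != WIN_CERT_REVISION or cert_type != WIN_CERT_TYPE_EFI_GUID:
        raise AuthVarError(f"unexpected WIN_CERTIFICATE revision/type {revision:#x}/{cert_type:#x}")
    guid_off = off + WIN_CERT_HDR_SIZE
    cert_guid = uuid.UUID(bytes_le=blob[guid_off:guid_off + 16])
    if cert_guid != EFI_CERT_TYPE_PKCS7_GUID:
        raise AuthVarError(f"CertType {cert_guid} is not EFI_CERT_TYPE_PKCS7_GUID")
    # dwLength covers header + GUID + CertData, so it also fixes where the payload starts.
    if dw_length < WIN_CERT_HDR_SIZE + 16 or off + dw_length > len(blob):
        raise AuthVarError("dwLength is inconsistent with the blob length")
    return {
        "timestamp": timestamp,
        "time": fields[:6],  # (year, month, day, hour, minute, second)
        "pkcs7": blob[guid_off + 16:off + dw_length],
        "payload": blob[off + dw_length:],
    }


def signed_buffer(name: str, vendor_guid: uuid.UUID, attributes: int,
                  timestamp: bytes, payload: bytes) -> bytes:
    """Bytes the detached PKCS7 signature covers for a time-based authenticated write:
    VariableName as UCS-2 without terminator || VendorGuid || Attributes (UINT32)
    || TimeStamp || Data. Hashing the payload alone verifies nothing."""
    return (name.encode("utf-16-le") + vendor_guid.bytes_le
            + struct.pack("<I", attributes) + timestamp + payload)


def check_kek_update(blob: bytes, expected_payload_sha256: str, *, name: str = "KEK",
                     vendor_guid: uuid.UUID = EFI_GLOBAL_VARIABLE,
                     attributes: int = KEK_ATTRIBUTES) -> dict:
    """Structural checks plus the two digests a signature verifier needs."""
    info = parse_auth_var_2(blob)
    payload_sha256 = sha256_hex(info["payload"])
    signed = signed_buffer(name, vendor_guid, attributes, info["timestamp"], info["payload"])
    return {
        "time": info["time"],
        "pkcs7_len": len(info["pkcs7"]),
        "payload_sha256": payload_sha256,
        "payload_matches": payload_sha256 == expected_payload_sha256.lower(),
        # With SHA-256 signed attributes this is the value the signer's messageDigest must hold.
        "signed_content_sha256": sha256_hex(signed),
    }


def build_auth_var_2(time_fields: tuple, pkcs7: bytes, payload: bytes) -> bytes:
    """Inverse of parse_auth_var_2; used here only to construct sample input."""
    ts = struct.pack(EFI_TIME_FMT, *time_fields, 0, 0, 0, 0, 0)
    dw_length = WIN_CERT_HDR_SIZE + 16 + len(pkcs7)
    hdr = struct.pack(WIN_CERT_HDR_FMT, dw_length, WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return ts + hdr + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + payload


# Constructed sample: an empty DER SEQUENCE stands in for a real SignedData, and the
# payload is a placeholder where an EFI_SIGNATURE_LIST would normally sit.
SAMPLE_PKCS7 = b"\x30\x00"
SAMPLE_PAYLOAD = b"constructed KEK payload"
SAMPLE_BLOB = build_auth_var_2((2026, 4, 14, 0, 0, 0), SAMPLE_PKCS7, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    import json
    print(json.dumps(check_kek_update(SAMPLE_BLOB, sha256_hex(SAMPLE_PAYLOAD)), indent=2))
```

To finish the check that `verify` performs, write the `signed_buffer` output to a file and the extracted `pkcs7` bytes to another, then hand both to a CMS verifier, for example `openssl cms -verify -inform DER -in sig.p7 -content signed.bin -binary -CAfile trusted.pem`; a validator used in CI must not pass `-noverify`, since that skips the chain check against the trusted signer and only proves the blob is self-consistent.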