Intel Extensible Firmware Interface User Manual


Extensible Firmware Interface Specification, Version 1.10, 12/01/02, page 15-104

The left-hand string must appear exactly as shown. The right-hand string must be a unique GUID
for every manifest file created. The Win32 function UuidCreate() can be used for this on Win32
systems. The GUID is a binary value that must be base-64 encoded. Base-64 is a simple encoding
scheme for representing binary values that uses only printing characters. Base-64 encoding is
described in [BASE-64].

Name: (a memory-type data object name)

This identifies the section that carries the integrity data for the target Data Object. The right-hand string must obey the syntax for memory-type references, that is, it is of the form “memory:SomeUniqueName”. The “memory:” part of this string must appear exactly. The “SomeUniqueName” part is chosen by the caller. It must be unique within the section names in this manifest file. The entire “memory:SomeUniqueName” string must match exactly the corresponding string in the signer’s information file described below. Furthermore, this entire string must match the value given for the SectionName parameter to this function. Note that the target Data Object cannot be found directly from this manifest. A caller verifying the Data Object integrity must load the Data Object into memory and specify its memory location explicitly to this verification function through the DataObject parameter.

Digest-Algorithms: SHA-1

This enumerates the digest algorithms for which integrity data is included for the data object. For systems with DSA signing, SHA-1 hash, and 1024-bit key length, the digest algorithm must be “SHA-1”. For systems with RSA signing, MD5 hash, and 512-bit key length, the digest algorithm must be “MD5”. Multiple algorithms can be specified as a whitespace-separated list. For every digest algorithm XXX listed, there must also be a corresponding XXX-Digest line.

SHA-1-Digest: (base-64 representation of a SHA-1 digest of the data object)

Gives the corresponding digest value for the data object. The value is base-64 encoded.

//**********************************************************
// Signer’s Information File Example
//**********************************************************

The signer’s information file must include a section whose name matches the reserved data object
section name of the section in the Manifest file. This section in the signer’s information file carries
the integrity data for the corresponding section in the manifest file. An example signer’s
information file is shown below.

Signature-Version: 2.0
SignerInformationPersistentId: (base-64 representation of a unique GUID)
SignerInformationName: BIS_VerifiableObjectSignerInfoName

Name: (a memory-type data object name)
Digest-Algorithms: SHA-1
SHA-1-Digest: (base-64 representation of a SHA-1 digest of the corresponding manifest section)
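The manifest section lines described above (Name, Digest-Algorithms, XXX-Digest) and the signer’s information file just shown can be checked mechanically. The following Python is an added example written for this page, not code from the EFI specification or from any BIS implementation: it parses both files, checks the “memory:SomeUniqueName” syntax, the Digest-Algorithms / XXX-Digest pairing and the fixed signer’s-information header lines, and recomputes the digests over a caller-supplied data object. The sample data object and the section name are constructed; the manifest header line names (Manifest-Version, ManifestPersistentId) and the rule that the signer’s-information digest covers the manifest section’s text exactly as written are assumptions, since this page states neither. The digital signature over the signer’s information file itself is outside what this page describes and is not checked here.

```python
import base64
import hashlib
import uuid

# Constructed sample inputs: the bytes a caller loads into memory and passes via the
# DataObject parameter, and an assumed caller-chosen section name. HASHERS maps the
# digest algorithm names this page uses to hashlib constructors.
DATA_OBJECT = b"constructed sample boot object v1\n"
SECTION_NAME = "memory:SampleBootObject"
HASHERS = {"SHA-1": hashlib.sha1, "MD5": hashlib.md5}

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def parse_sections(text: str) -> list:
    """Blank-line separated 'Key: value' sections -> list of (raw_text, fields) pairs."""
    sections = []
    for block in filter(None, (b.strip("\n") for b in text.split("\n\n"))):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed line: {line!r}")
            fields[key.strip()] = value.strip()
        sections.append((block + "\n", fields))  # raw text kept so it can be re-hashed
    return sections

def find_section(sections: list, name: str) -> tuple:
    hits = [s for s in sections if s[1].get("Name") == name]  # the Name must be unique
    if len(hits) != 1:
        raise ValueError(f"expected one section named {name!r}, found {len(hits)}")
    return hits[0]

def is_memory_name(name: str) -> bool:
    unique = name[len("memory:"):]  # 'memory:' exactly, then a non-empty caller-chosen part
    return name.startswith("memory:") and bool(unique) and not any(c.isspace() for c in unique)

def digest_problems(fields: dict, payload: bytes) -> list:
    """Every XXX in Digest-Algorithms needs an XXX-Digest line equal to b64(XXX(payload))."""
    algorithms = fields.get("Digest-Algorithms", "").split()
    problems = [] if algorithms else ["Digest-Algorithms line missing or empty"]
    for alg in algorithms:
        key = f"{alg}-Digest"
        if key not in fields:
            problems.append(f"{key} line missing for listed algorithm {alg}")
        elif alg not in HASHERS:
            problems.append(f"unsupported digest algorithm {alg}")
        elif fields[key] != b64(HASHERS[alg](payload).digest()):
            problems.append(f"{key} does not match the data")
    return problems

def verify_data_object(manifest: str, section_name: str, data_object: bytes) -> list:
    """Manifest side: SectionName must name one memory-type section whose digests match."""
    if not is_memory_name(section_name):
        return [f"section name {section_name!r} is not of the form memory:SomeUniqueName"]
    try:
        _, fields = find_section(parse_sections(manifest), section_name)
    except ValueError as err:
        return [str(err)]
    return digest_problems(fields, data_object)

def verify_signer_info(signer_info: str, manifest: str, section_name: str) -> list:
    """Signer's-info side: fixed header lines, a base-64 GUID, and a same-named section whose
    digests cover the manifest section. Assumption: the digest input is that section's lines
    exactly as written, newline-terminated; this page does not give the canonical form."""
    sections = parse_sections(signer_info)
    header = sections[0][1] if sections else {}
    problems = [f"{k} must be exactly {v!r}" for k, v in (("Signature-Version", "2.0"),
                ("SignerInformationName", "BIS_VerifiableObjectSignerInfoName")) if header.get(k) != v]
    try:  # binascii.Error, raised on bad base-64, is a ValueError subclass
        if len(base64.b64decode(header.get("SignerInformationPersistentId", ""), validate=True)) != 16:
            raise ValueError
    except ValueError:
        problems.append("SignerInformationPersistentId is not a base-64 GUID")
    try:
        manifest_raw, _ = find_section(parse_sections(manifest), section_name)
        _, signer_fields = find_section(sections, section_name)
    except ValueError as err:
        return problems + [str(err)]
    return problems + digest_problems(signer_fields, manifest_raw.encode("ascii"))

def build_manifest(section_name: str, data_object: bytes, algorithms=("SHA-1",)) -> str:
    """One data-object section; the two header line names are assumed from the spec's layout."""
    lines = ["Manifest-Version: 2.0", f"ManifestPersistentId: {b64(uuid.uuid4().bytes)}", "",
             f"Name: {section_name}", f"Digest-Algorithms: {' '.join(algorithms)}"]
    lines += [f"{a}-Digest: {b64(HASHERS[a](data_object).digest())}" for a in algorithms]
    return "\n".join(lines) + "\n"

def build_signer_info(manifest: str, section_name: str) -> str:
    raw, _ = find_section(parse_sections(manifest), section_name)  # digest the section text
    return (f"Signature-Version: 2.0\nSignerInformationPersistentId: {b64(uuid.uuid4().bytes)}\n"
            "SignerInformationName: BIS_VerifiableObjectSignerInfoName\n\n"
            f"Name: {section_name}\nDigest-Algorithms: SHA-1\n"
            f"SHA-1-Digest: {b64(hashlib.sha1(raw.encode('ascii')).digest())}\n")

if __name__ == "__main__":
    manifest = build_manifest(SECTION_NAME, DATA_OBJECT)
    print(manifest, verify_data_object(manifest, SECTION_NAME, DATA_OBJECT) or "data object OK")
    print(verify_signer_info(build_signer_info(manifest, SECTION_NAME), manifest, SECTION_NAME) or "signer info OK")
```

Running the module builds a manifest and signer’s information file for the constructed data object and verifies both. Each verifier returns a list of problems rather than a boolean, so a single tampered byte in the data object, a Digest-Algorithms entry without its XXX-Digest line, or an edit to the manifest section (which the signer’s-information digest is meant to catch) is reported by name instead of silently failing.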

A line-by-line description of this signer’s information file is as follows.

Signature-Version: 2.0

This is a standard header line that all signed manifests have. It must appear exactly as shown.

SignerInformationPersistentId: (base-64 representation of a unique GUID)
