* [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app
@ 2019-04-27  0:53 Laszlo Ersek
  2019-04-27  0:53 ` [PATCH 01/16] OvmfPkg: introduce EnrollDefaultKeys application Laszlo Ersek
From: Laszlo Ersek @ 2019-04-27  0:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Repo:     https://github.com/lersek/edk2.git
Branch:   enroll_bz_1747

Please see the goal / use case in the BZ.

Anatomy of the series:

- Patch 01 adds the application as-is from RHEL, as the starting point
  for upstreaming (preserves continuity).

- Patches 02 through 13 clean up various coding style warts, and add
  documentation, without functional changes.

- Patches 14 through 16 replace the hard-coded Red Hat certificate
  (enrolled as PK and 1st KEK) with a certificate read dynamically from
  SMBIOS (enrolled the same way), originating from the VMM.

I've successfully re-run the Secure Boot Logo Test in Windows HCK, after
enabling SB in the VM-under-test with this application. I'll attach the
test log in a separate email (sent in response to this one).

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>

Thanks,
Laszlo

Laszlo Ersek (16):
  OvmfPkg: introduce EnrollDefaultKeys application
  OvmfPkg/EnrollDefaultKeys: update @file comment blocks
  OvmfPkg/EnrollDefaultKeys: refresh INF file
  ArmVirtPkg: build EnrollDefaultKeys.efi
  OvmfPkg/EnrollDefaultKeys: clean up minor whitespace wart
  OvmfPkg/EnrollDefaultKeys: clean up global variable name prefixes
  OvmfPkg/EnrollDefaultKeys: clean up acronym capitalization in
    identifiers
  OvmfPkg/EnrollDefaultKeys: remove unneeded EFIAPI call. conv.
    specifiers
  OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file
  OvmfPkg/EnrollDefaultKeys: split out certificate and signature
    constants
  OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID
  OvmfPkg/EnrollDefaultKeys: describe functions with leading comment
    blocks
  OvmfPkg/EnrollDefaultKeys: document the steps of the entry point
    function
  OvmfPkg: introduce OVMF_PK_KEK1_APP_PREFIX_GUID
  OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type 11 SMBIOS
    table
  OvmfPkg/EnrollDefaultKeys: remove Red Hat's hard-coded PK/KEK1

 ArmVirtPkg/ArmVirt.dsc.inc                      |   1 +
 ArmVirtPkg/ArmVirtQemu.dsc                      |   1 +
 ArmVirtPkg/ArmVirtQemuKernel.dsc                |   1 +
 OvmfPkg/EnrollDefaultKeys/AuthData.c            | 440 ++++++++++++
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 706 ++++++++++++++++++++
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h   | 138 ++++
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |  52 ++
 OvmfPkg/Include/Guid/MicrosoftVendor.h          |  55 ++
 OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h      |  45 ++
 OvmfPkg/OvmfPkg.dec                             |   2 +
 OvmfPkg/OvmfPkgIa32.dsc                         |   2 +
 OvmfPkg/OvmfPkgIa32X64.dsc                      |   2 +
 OvmfPkg/OvmfPkgX64.dsc                          |   2 +
 13 files changed, 1447 insertions(+)
 create mode 100644 OvmfPkg/EnrollDefaultKeys/AuthData.c
 create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
 create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
 create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
 create mode 100644 OvmfPkg/Include/Guid/MicrosoftVendor.h
 create mode 100644 OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h

-- 
2.19.1.3.g30247aa5d201



* [PATCH 01/16] OvmfPkg: introduce EnrollDefaultKeys application
  2019-04-27  0:53 [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app Laszlo Ersek
@ 2019-04-27  0:53 ` Laszlo Ersek
  2019-04-30  5:21   ` [edk2-devel] " Philippe Mathieu-Daudé
  2019-04-27  0:53 ` [PATCH 02/16] OvmfPkg/EnrollDefaultKeys: update @file comment blocks Laszlo Ersek
From: Laszlo Ersek @ 2019-04-27  0:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

Add the OvmfPkg/EnrollDefaultKeys shell application source as it is at the
"edk2-20190308git89910a39dcfd-2.el8" tag in RHEL8's downstream "edk2"
package.

Further patches in this series will replace Red Hat-specific bits in the
application, with a conduit to pass in parameters directly from the host
side, on both QEMU and Xen.

(Note: at the moment, Xen doesn't support Secure Boot, due to lacking a
standards-conformant variable driver stack. However, that could change
soon
<https://fosdem.org/2019/schedule/event/vai_implementing_uefi_variable_services_in_qemu/>,
and then this facility will become useful on Xen too.)

The use case for this application (including why it is only being added to
the DSC files) is explained in detail in
<https://bugzilla.tianocore.org/show_bug.cgi?id=1747#c0>.

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/OvmfPkgIa32.dsc                         |    2 +
 OvmfPkg/OvmfPkgIa32X64.dsc                      |    2 +
 OvmfPkg/OvmfPkgX64.dsc                          |    2 +
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |   52 +
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 1015 ++++++++++++++++++++
 5 files changed, 1073 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 98a8467e86ab..36a0f87258dd 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -190,16 +190,17 @@ [LibraryClasses]
   HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
 !endif
 
 !if $(TLS_ENABLE) == TRUE
   TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
 !endif
 
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
+  ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
   S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
   XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
 
 !if $(TPM2_ENABLE) == TRUE
   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
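Review bot: the ShellCEntryLib resolution added below ShellLib is unconditional while its only consumer in this DSC sits under "!if $(SECURE_BOOT_ENABLE) == TRUE"; that is harmless (an unused [LibraryClasses] mapping costs nothing), but the choice of UefiShellCEntryLib deserves a word somewhere, because it fixes how the app can be launched: that library looks for the shell parameters protocol (or the legacy shell interface) on the image handle and passes argc/argv to ShellAppMain(), so EnrollDefaultKeys.efi has to be run from the UEFI shell and cannot simply be registered as a boot option.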
@@ -858,16 +859,17 @@ [Components]
     <PcdsFixedAtBuild>
       gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0xFF
       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
       gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
   }
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
 !endif
 
   OvmfPkg/PlatformDxe/Platform.inf
   OvmfPkg/IoMmuDxe/IoMmuDxe.inf
 
 !if $(SMM_REQUIRE) == TRUE
   OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
   OvmfPkg/SmmControl2Dxe/SmmControl2Dxe.inf
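Review bot: the new "OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf" entry goes into [Components] only, so the application is compiled into the build output but is not listed in the FDF and never ends up in OVMF.fd. That matches the commit message ("only being added to the DSC files"), but the DSC itself gives no hint, so a one-line comment beside the entry (for example "built so the guest owner can run it once from the UEFI shell; deliberately not part of the flash image") would save the next reader a trip to the bugzilla. Gating it on SECURE_BOOT_ENABLE is right: the GUIDs the INF references (gEfiCustomModeEnableGuid, gEfiSecureBootEnableDisableGuid) only mean something with the SecurityPkg authenticated variable driver that this configuration pulls in.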
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 1f722fc9872c..9b341e17d7ff 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -195,16 +195,17 @@ [LibraryClasses]
   HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
 !endif
 
 !if $(TLS_ENABLE) == TRUE
   TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
 !endif
 
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
+  ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
   S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
   XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
 
 !if $(TPM2_ENABLE) == TRUE
   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
@@ -867,16 +868,17 @@ [Components.X64]
     <PcdsFixedAtBuild>
       gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0xFF
       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
       gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
   }
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
 !endif
 
   OvmfPkg/PlatformDxe/Platform.inf
   OvmfPkg/AmdSevDxe/AmdSevDxe.inf
   OvmfPkg/IoMmuDxe/IoMmuDxe.inf
 
 !if $(SMM_REQUIRE) == TRUE
   OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 2927ee07b835..a0f87f74dab9 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -195,16 +195,17 @@ [LibraryClasses]
   HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
 !endif
 
 !if $(TLS_ENABLE) == TRUE
   TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
 !endif
 
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
+  ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
   S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
   XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
 
 !if $(TPM2_ENABLE) == TRUE
   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
@@ -865,16 +866,17 @@ [Components]
     <PcdsFixedAtBuild>
       gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0xFF
       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
       gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
   }
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
 !endif
 
   OvmfPkg/PlatformDxe/Platform.inf
   OvmfPkg/AmdSevDxe/AmdSevDxe.inf
   OvmfPkg/IoMmuDxe/IoMmuDxe.inf
 
 !if $(SMM_REQUIRE) == TRUE
   OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
new file mode 100644
index 000000000000..0ad86a2843e6
--- /dev/null
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
@@ -0,0 +1,52 @@
+## @file
+#  Enroll default PK, KEK, DB.
+#
+#  Copyright (C) 2014, Red Hat, Inc.
+#
+#  This program and the accompanying materials are licensed and made available
+#  under the terms and conditions of the BSD License which accompanies this
+#  distribution. The full text of the license may be found at
+#  http://opensource.org/licenses/bsd-license.
+#
+#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
+#  IMPLIED.
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010006
+  BASE_NAME                      = EnrollDefaultKeys
+  FILE_GUID                      = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
+  MODULE_TYPE                    = UEFI_APPLICATION
+  VERSION_STRING                 = 0.1
+  ENTRY_POINT                    = ShellCEntryLib
+
+#
+#  VALID_ARCHITECTURES           = IA32 X64
+#
+
+[Sources]
+  EnrollDefaultKeys.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  SecurityPkg/SecurityPkg.dec
+  ShellPkg/ShellPkg.dec
+
+[Guids]
+  gEfiCertPkcs7Guid
+  gEfiCertSha256Guid
+  gEfiCertX509Guid
+  gEfiCustomModeEnableGuid
+  gEfiGlobalVariableGuid
+  gEfiImageSecurityDatabaseGuid
+  gEfiSecureBootEnableDisableGuid
+
+[LibraryClasses]
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  ShellCEntryLib
+  UefiLib
+  UefiRuntimeServicesTableLib
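Review bot: the commented-out "VALID_ARCHITECTURES = IA32 X64" in [Defines] is already stale within this series, since patch 04 builds the same INF from ArmVirtPkg; either drop the comment or list the ARM architectures as well. Second point: the @file block still carries the long-form BSD license text rather than the "SPDX-License-Identifier: BSD-2-Clause-Patent" line the tree has moved to; the later "update @file comment blocks" patch presumably handles this, but it is worth confirming so the series does not land a new file in the old style. The rest looks consistent: ENTRY_POINT = ShellCEntryLib matches MODULE_TYPE UEFI_APPLICATION, and the [Guids] list covers what the sources include (gEfiCertPkcs7Guid, gEfiCertSha256Guid, gEfiCertX509Guid, gEfiGlobalVariableGuid and gEfiImageSecurityDatabaseGuid from MdePkg; gEfiCustomModeEnableGuid and gEfiSecureBootEnableDisableGuid from SecurityPkg).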
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
new file mode 100644
index 000000000000..dd413df12de3
--- /dev/null
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -0,0 +1,1015 @@
+/** @file
+  Enroll default PK, KEK, DB.
+
+  Copyright (C) 2014, Red Hat, Inc.
+
+  This program and the accompanying materials are licensed and made available
+  under the terms and conditions of the BSD License which accompanies this
+  distribution. The full text of the license may be found at
+  http://opensource.org/licenses/bsd-license.
+
+  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
+  WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+**/
+#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
+#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
+#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
+#include <Library/BaseMemoryLib.h>               // CopyGuid()
+#include <Library/DebugLib.h>                    // ASSERT()
+#include <Library/MemoryAllocationLib.h>         // FreePool()
+#include <Library/ShellCEntryLib.h>              // ShellAppMain()
+#include <Library/UefiLib.h>                     // AsciiPrint()
+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
+
+//
+// We'll use the certificate below as both Platform Key and as first Key
+// Exchange Key.
+//
+// "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
+// SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
+//
+STATIC CONST UINT8 RedHatPkKek1[] = {
+  0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, 0x02,
+  0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, 0x0d,
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
+  0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22,
+  0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
+  0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45,
+  0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06,
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73,
+  0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61,
+  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
+  0x33, 0x31, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, 0x37,
+  0x31, 0x30, 0x32, 0x35, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x30, 0x51,
+  0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x52, 0x65,
+  0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20,
+  0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45, 0x4b, 0x20,
+  0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a,
+  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,
+  0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, 0x2e,
+  0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
+  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
+  0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x90, 0x1f, 0x84,
+  0x7b, 0x8d, 0xbc, 0xeb, 0x97, 0x26, 0x82, 0x6d, 0x88, 0xab, 0x8a, 0xc9, 0x8c,
+  0x68, 0x70, 0xf9, 0xdf, 0x4b, 0x07, 0xb2, 0x37, 0x83, 0x0b, 0x02, 0xc8, 0x67,
+  0x68, 0x30, 0x9e, 0xe3, 0xf0, 0xf0, 0x99, 0x4a, 0xb8, 0x59, 0x57, 0xc6, 0x41,
+  0xf6, 0x38, 0x8b, 0xfe, 0x66, 0x4c, 0x49, 0xe9, 0x37, 0x37, 0x92, 0x2e, 0x98,
+  0x01, 0x1e, 0x5b, 0x14, 0x50, 0xe6, 0xa8, 0x8d, 0x25, 0x0d, 0xf5, 0x86, 0xe6,
+  0xab, 0x30, 0xcb, 0x40, 0x16, 0xea, 0x8d, 0x8b, 0x16, 0x86, 0x70, 0x43, 0x37,
+  0xf2, 0xce, 0xc0, 0x91, 0xdf, 0x71, 0x14, 0x8e, 0x99, 0x0e, 0x89, 0xb6, 0x4c,
+  0x6d, 0x24, 0x1e, 0x8c, 0xe4, 0x2f, 0x4f, 0x25, 0xd0, 0xba, 0x06, 0xf8, 0xc6,
+  0xe8, 0x19, 0x18, 0x76, 0x73, 0x1d, 0x81, 0x6d, 0xa8, 0xd8, 0x05, 0xcf, 0x3a,
+  0xc8, 0x7b, 0x28, 0xc8, 0x36, 0xa3, 0x16, 0x0d, 0x29, 0x8c, 0x99, 0x9a, 0x68,
+  0xdc, 0xab, 0xc0, 0x4d, 0x8d, 0xbf, 0x5a, 0xbb, 0x2b, 0xa9, 0x39, 0x4b, 0x04,
+  0x97, 0x1c, 0xf9, 0x36, 0xbb, 0xc5, 0x3a, 0x86, 0x04, 0xae, 0xaf, 0xd4, 0x82,
+  0x7b, 0xe0, 0xab, 0xde, 0x49, 0x05, 0x68, 0xfc, 0xf6, 0xae, 0x68, 0x1a, 0x6c,
+  0x90, 0x4d, 0x57, 0x19, 0x3c, 0x64, 0x66, 0x03, 0xf6, 0xc7, 0x52, 0x9b, 0xf7,
+  0x94, 0xcf, 0x93, 0x6a, 0xa1, 0x68, 0xc9, 0xaa, 0xcf, 0x99, 0x6b, 0xbc, 0xaa,
+  0x5e, 0x08, 0xe7, 0x39, 0x1c, 0xf7, 0xf8, 0x0f, 0xba, 0x06, 0x7e, 0xf1, 0xcb,
+  0xe8, 0x76, 0xdd, 0xfe, 0x22, 0xda, 0xad, 0x3a, 0x5e, 0x5b, 0x34, 0xea, 0xb3,
+  0xc9, 0xe0, 0x4d, 0x04, 0x29, 0x7e, 0xb8, 0x60, 0xb9, 0x05, 0xef, 0xb5, 0xd9,
+  0x17, 0x58, 0x56, 0x16, 0x60, 0xb9, 0x30, 0x32, 0xf0, 0x36, 0x4a, 0xc3, 0xf2,
+  0x79, 0x8d, 0x12, 0x40, 0x70, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x7b,
+  0x30, 0x79, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00,
+  0x30, 0x2c, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x0d,
+  0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, 0x47,
+  0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72, 0x74,
+  0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
+  0x0e, 0x04, 0x16, 0x04, 0x14, 0x3c, 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a,
+  0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42, 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30,
+  0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x3c,
+  0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a, 0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42,
+  0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
+  0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
+  0x5c, 0x4d, 0x92, 0x88, 0xb4, 0x82, 0x5f, 0x1d, 0xad, 0x8b, 0x11, 0xec, 0xdf,
+  0x06, 0xa6, 0x7a, 0xa5, 0x2b, 0x9f, 0x37, 0x55, 0x0c, 0x8d, 0x6e, 0x05, 0x00,
+  0xad, 0xb7, 0x0c, 0x41, 0x89, 0x69, 0xcf, 0xd6, 0x65, 0x06, 0x9b, 0x51, 0x78,
+  0xd2, 0xad, 0xc7, 0xbf, 0x9c, 0xdc, 0x05, 0x73, 0x7f, 0xe7, 0x1e, 0x39, 0x13,
+  0xb4, 0xea, 0xb6, 0x30, 0x7d, 0x40, 0x75, 0xab, 0x9c, 0x43, 0x0b, 0xdf, 0xb0,
+  0xc2, 0x1b, 0xbf, 0x30, 0xe0, 0xf4, 0xfe, 0xc0, 0xdb, 0x62, 0x21, 0x98, 0xf6,
+  0xc5, 0xaf, 0xde, 0x3b, 0x4f, 0x49, 0x0a, 0xe6, 0x1e, 0xf9, 0x86, 0xb0, 0x3f,
+  0x0d, 0xd6, 0xd4, 0x46, 0x37, 0xdb, 0x54, 0x74, 0x5e, 0xff, 0x11, 0xc2, 0x60,
+  0xc6, 0x70, 0x58, 0xc5, 0x1c, 0x6f, 0xec, 0xb2, 0xd8, 0x6e, 0x6f, 0xc3, 0xbc,
+  0x33, 0x87, 0x38, 0xa4, 0xf3, 0x44, 0x64, 0x9c, 0x34, 0x3b, 0x28, 0x94, 0x26,
+  0x78, 0x27, 0x9f, 0x16, 0x17, 0xe8, 0x3b, 0x69, 0x0a, 0x25, 0xa9, 0x73, 0x36,
+  0x7e, 0x9e, 0x37, 0x5c, 0xec, 0xe8, 0x3f, 0xdb, 0x91, 0xf9, 0x12, 0xb3, 0x3d,
+  0xce, 0xe7, 0xdd, 0x15, 0xc3, 0xae, 0x8c, 0x05, 0x20, 0x61, 0x9b, 0x95, 0xde,
+  0x9b, 0xaf, 0xfa, 0xb1, 0x5c, 0x1c, 0xe5, 0x97, 0xe7, 0xc3, 0x34, 0x11, 0x85,
+  0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, 0x90,
+  0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, 0xaf,
+  0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, 0x37,
+  0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, 0xb7,
+  0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, 0x43,
+  0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69
+};
+
+//
+// Second KEK: "Microsoft Corporation KEK CA 2011".
+// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
+//
+// "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
+//
+STATIC CONST UINT8 MicrosoftKEK[] = {
+  0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
+  0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
+  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
+  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
+  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
+  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
+  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
+  0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32,
+  0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, 0x30,
+  0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
+  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
+  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
+  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
+  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
+  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06,
+  0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
+  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
+  0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31,
+  0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+  0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
+  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, 0xad,
+  0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, 0x5d,
+  0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, 0xeb,
+  0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, 0xe3,
+  0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, 0x9b,
+  0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, 0xac,
+  0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, 0xc8,
+  0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, 0xc0,
+  0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, 0xe2,
+  0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, 0x89,
+  0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, 0xc2,
+  0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, 0x03,
+  0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, 0x7e,
+  0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, 0xeb,
+  0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, 0x2f,
+  0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, 0xaa,
+  0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, 0x9f,
+  0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, 0xc6,
+  0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, 0xaf,
+  0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, 0x07,
+  0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, 0x30,
+  0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
+  0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,
+  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, 0xa4,
+  0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, 0x5f,
+  0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02,
+  0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
+  0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01,
+  0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
+  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
+  0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, 0x11,
+  0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, 0x30,
+  0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, 0xa0,
+  0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
+  0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e,
+  0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70,
+  0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f,
+  0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f,
+  0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63,
+  0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01,
+  0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
+  0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
+  0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
+  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, 0x74,
+  0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61,
+  0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d,
+  0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09,
+  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
+  0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, 0x2a,
+  0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, 0x66,
+  0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, 0x5a,
+  0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, 0x64,
+  0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, 0x58,
+  0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, 0xd0,
+  0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, 0xf5,
+  0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, 0xec,
+  0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, 0xd7,
+  0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, 0x28,
+  0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, 0x79,
+  0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, 0x7b,
+  0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, 0xd8,
+  0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, 0x19,
+  0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, 0x58,
+  0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, 0x0d,
+  0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, 0x2d,
+  0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, 0xc8,
+  0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, 0x60,
+  0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, 0xac,
+  0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, 0x87,
+  0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, 0xcd,
+  0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, 0x81,
+  0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, 0x92,
+  0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, 0xe0,
+  0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, 0xaf,
+  0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, 0xfb,
+  0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, 0x68,
+  0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, 0xad,
+  0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, 0x82,
+  0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, 0x14,
+  0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, 0x4f,
+  0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, 0x9b,
+  0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, 0xb0,
+  0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
+  0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
+  0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
+  0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
+  0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
+  0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
+};
+
+//
+// First DB entry: "Microsoft Windows Production PCA 2011"
+// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
+//
+// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
+// rooted in this certificate.
+//
+STATIC CONST UINT8 MicrosoftPCA[] = {
+  0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
+  0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
+  0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30,
+  0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f,
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72,
+  0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
+  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17,
+  0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, 0x32,
+  0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, 0x31,
+  0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
+  0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
+  0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f,
+  0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52,
+  0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55,
+  0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
+  0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31,
+  0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, 0x63,
+  0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77,
+  0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20,
+  0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30,
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
+  0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
+  0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, 0xf7,
+  0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, 0xcb,
+  0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, 0x8b,
+  0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, 0xe3,
+  0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, 0xc0,
+  0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, 0x74,
+  0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, 0x67,
+  0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, 0x53,
+  0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, 0x23,
+  0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, 0xa3,
+  0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, 0xff,
+  0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, 0xe2,
+  0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, 0x22,
+  0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, 0xf3,
+  0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, 0x2b,
+  0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, 0xbc,
+  0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, 0xd6,
+  0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, 0xe8,
+  0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, 0xa8,
+  0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, 0x03,
+  0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, 0x10,
+  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
+  0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
+  0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, 0xf9,
+  0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, 0x2b,
+  0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00,
+  0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03,
+  0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03,
+  0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
+  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
+  0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, 0x94,
+  0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, 0x1d,
+  0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, 0x45,
+  0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69,
+  0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
+  0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63,
+  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41,
+  0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33,
+  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
+  0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
+  0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, 0x3a,
+  0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
+  0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65,
+  0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72,
+  0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32,
+  0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x14,
+  0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, 0xbc,
+  0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, 0xd0,
+  0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, 0x61,
+  0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, 0xda,
+  0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, 0x6a,
+  0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, 0xe2,
+  0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, 0xea,
+  0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, 0x30,
+  0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, 0x86,
+  0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, 0xc8,
+  0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, 0xae,
+  0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, 0xb8,
+  0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, 0xac,
+  0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, 0x84,
+  0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, 0x73,
+  0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, 0x73,
+  0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, 0x60,
+  0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, 0xb6,
+  0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, 0x2a,
+  0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, 0xba,
+  0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, 0xce,
+  0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, 0x0f,
+  0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, 0x6e,
+  0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, 0xd3,
+  0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, 0x45,
+  0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, 0xd0,
+  0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, 0x24,
+  0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, 0x2c,
+  0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, 0xdf,
+  0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, 0x6c,
+  0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, 0xf2,
+  0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, 0x5c,
+  0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, 0x47,
+  0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, 0x5a,
+  0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
+  0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
+  0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
+  0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
+  0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
+  0x62, 0x1c, 0x59, 0x7e
+};
+
+//
+// Second DB entry: "Microsoft Corporation UEFI CA 2011"
+// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
+//
+// To verify the "shim" binary and PCI expansion ROMs with.
+//
+STATIC CONST UINT8 MicrosoftUefiCA[] = {
+  0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
+  0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
+  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
+  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
+  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
+  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
+  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
+  0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x32,
+  0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30,
+  0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
+  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
+  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
+  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
+  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
+  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, 0x06,
+  0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
+  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
+  0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31,
+  0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+  0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
+  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, 0xc7,
+  0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, 0x43,
+  0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, 0x73,
+  0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, 0xd3,
+  0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, 0x54,
+  0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, 0x5c,
+  0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, 0x4f,
+  0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, 0xae,
+  0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, 0x1d,
+  0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, 0xfa,
+  0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, 0xff,
+  0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, 0x7b,
+  0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, 0xe6,
+  0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, 0x62,
+  0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, 0x08,
+  0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, 0xe7,
+  0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, 0xb2,
+  0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, 0x7f,
+  0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, 0x8b,
+  0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, 0x6a,
+  0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x76,
+  0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01,
+  0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x23,
+  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, 0x16,
+  0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, 0x37,
+  0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, 0x03,
+  0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, 0xbd,
+  0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, 0x1b,
+  0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14,
+  0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43,
+  0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
+  0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
+  0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
+  0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58,
+  0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8,
+  0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51,
+  0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
+  0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
+  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f,
+  0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43,
+  0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f,
+  0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e,
+  0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
+  0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01,
+  0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
+  0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
+  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72,
+  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50,
+  0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30,
+  0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06,
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
+  0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, 0x76,
+  0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, 0xef,
+  0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, 0x13,
+  0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, 0x82,
+  0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, 0x1a,
+  0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, 0x20,
+  0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, 0x90,
+  0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, 0x52,
+  0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, 0x6d,
+  0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, 0xaf,
+  0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, 0x49,
+  0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, 0x34,
+  0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, 0x75,
+  0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, 0xb9,
+  0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, 0x8f,
+  0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, 0x8c,
+  0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, 0x56,
+  0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, 0xae,
+  0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, 0x4a,
+  0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, 0x3c,
+  0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, 0x59,
+  0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, 0x3d,
+  0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, 0x53,
+  0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, 0x1b,
+  0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, 0x98,
+  0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, 0x85,
+  0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, 0xd2,
+  0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, 0xe2,
+  0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, 0x6c,
+  0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, 0x3b,
+  0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, 0x27,
+  0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, 0xa6,
+  0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, 0x3f,
+  0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, 0x55,
+  0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
+  0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
+  0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
+  0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
+  0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
+  0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
+};
+
+//
+// The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test case
+// of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit
+// expects that the "dbx" variable exist.
+//
+// The article at <https://technet.microsoft.com/en-us/library/dn747883.aspx>
+// writes (excerpt):
+//
+//    Windows 8.1 Secure Boot Key Creation and Management Guidance
+//    1. Secure Boot, Windows 8.1 and Key Management
+//    1.4 Signature Databases (Db and Dbx)
+//    1.4.3 Forbidden Signature Database (dbx)
+//
+//    The contents of EFI_IMAGE_SIGNATURE_DATABASE1 dbx must be checked when
+//    verifying images before checking db and any matches must prevent the
+//    image from executing. The database may contain multiple certificates,
+//    keys, and hashes in order to identify forbidden images. The Windows
+//    Hardware Certification Requirements state that a dbx must be present, so
+//    any dummy value, such as the SHA-256 hash of 0, may be used as a safe
+//    placeholder until such time as Microsoft begins delivering dbx updates.
+//
+// The byte array below captures the SHA256 checksum of the empty file,
+// blacklisting it for loading & execution. This qualifies as a dummy, since
+// the empty file is not a valid UEFI binary anyway.
+//
+// Technically speaking, we could also capture an official (although soon to be
+// obsolete) dbx update from <http://www.uefi.org/revocationlistfile>. However,
+// the terms and conditions on distributing that binary aren't exactly light
+// reading, so let's best steer clear of it, and follow the "dummy entry"
+// practice recommended -- in natural English langauge -- in the
+// above-referenced TechNet article.
+//
+STATIC CONST UINT8 mSha256OfDevNull[] = {
+  0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99,
+  0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95,
+  0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
+};
+
+//
+// The following test cases of the Secure Boot Logo Test in the Microsoft
+// Hardware Certification Kit:
+//
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
+//
+// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
+// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
+// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
+// certificates:
+//
+// - "Microsoft Corporation KEK CA 2011" (in KEK)
+// - "Microsoft Windows Production PCA 2011" (in db)
+// - "Microsoft Corporation UEFI CA 2011" (in db)
+//
+// This is despite the fact that the UEFI specification requires
+// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
+// application or driver) that enrolled and therefore owns
+// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
+// EFI_SIGNATURE_DATA.SignatureData.
+//
+STATIC CONST EFI_GUID mMicrosoftOwnerGuid = {
+  0x77fa9abd, 0x0359, 0x4d32,
+  { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
+};
+
+//
+// The most important thing about the variable payload is that it is a list of
+// lists, where the element size of any given *inner* list is constant.
+//
+// Since X509 certificates vary in size, each of our *inner* lists will contain
+// one element only (one X.509 certificate). This is explicitly mentioned in
+// the UEFI specification, in "28.4.1 Signature Database", in a Note.
+//
+// The list structure looks as follows:
+//
+// struct EFI_VARIABLE_AUTHENTICATION_2 {                           |
+//   struct EFI_TIME {                                              |
+//     UINT16 Year;                                                 |
+//     UINT8  Month;                                                |
+//     UINT8  Day;                                                  |
+//     UINT8  Hour;                                                 |
+//     UINT8  Minute;                                               |
+//     UINT8  Second;                                               |
+//     UINT8  Pad1;                                                 |
+//     UINT32 Nanosecond;                                           |
+//     INT16  TimeZone;                                             |
+//     UINT8  Daylight;                                             |
+//     UINT8  Pad2;                                                 |
+//   } TimeStamp;                                                   |
+//                                                                  |
+//   struct WIN_CERTIFICATE_UEFI_GUID {                           | |
+//     struct WIN_CERTIFICATE {                                   | |
+//       UINT32 dwLength; ----------------------------------------+ |
+//       UINT16 wRevision;                                        | |
+//       UINT16 wCertificateType;                                 | |
+//     } Hdr;                                                     | +- DataSize
+//                                                                | |
+//     EFI_GUID CertType;                                         | |
+//     UINT8    CertData[1] = { <--- "struct hack"                | |
+//       struct EFI_SIGNATURE_LIST {                            | | |
+//         EFI_GUID SignatureType;                              | | |
+//         UINT32   SignatureListSize; -------------------------+ | |
+//         UINT32   SignatureHeaderSize;                        | | |
+//         UINT32   SignatureSize; ---------------------------+ | | |
+//         UINT8    SignatureHeader[SignatureHeaderSize];     | | | |
+//                                                            v | | |
+//         struct EFI_SIGNATURE_DATA {                        | | | |
+//           EFI_GUID SignatureOwner;                         | | | |
+//           UINT8    SignatureData[1] = { <--- "struct hack" | | | |
+//             X.509 payload                                  | | | |
+//           }                                                | | | |
+//         } Signatures[];                                      | | |
+//       } SigLists[];                                            | |
+//     };                                                         | |
+//   } AuthInfo;                                                  | |
+// };                                                               |
+//
+// Given that the "struct hack" invokes undefined behavior (which is why C99
+// introduced the flexible array member), and because subtracting those pesky
+// sizes of 1 is annoying, and because the format is fully specified in the
+// UEFI specification, we'll introduce two matching convenience structures that
+// are customized for our X.509 purposes.
+//
+#pragma pack(1)
+typedef struct {
+  EFI_TIME TimeStamp;
+
+  //
+  // dwLength covers data below
+  //
+  UINT32   dwLength;
+  UINT16   wRevision;
+  UINT16   wCertificateType;
+  EFI_GUID CertType;
+} SINGLE_HEADER;
+
+typedef struct {
+  //
+  // SignatureListSize covers data below
+  //
+  EFI_GUID SignatureType;
+  UINT32   SignatureListSize;
+  UINT32   SignatureHeaderSize; // constant 0
+  UINT32   SignatureSize;
+
+  //
+  // SignatureSize covers data below
+  //
+  EFI_GUID SignatureOwner;
+
+  //
+  // X.509 certificate follows
+  //
+} REPEATING_HEADER;
+#pragma pack()
+
+/**
+  Enroll a set of certificates in a global variable, overwriting it.
+
+  The variable will be rewritten with NV+BS+RT+AT attributes.
+
+  @param[in] VariableName  The name of the variable to overwrite.
+
+  @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
+                           overwrite.
+
+  @param[in] CertType      The GUID determining the type of all the
+                           certificates in the set that is passed in. For
+                           example, gEfiCertX509Guid stands for DER-encoded
+                           X.509 certificates, while gEfiCertSha256Guid stands
+                           for SHA256 image hashes.
+
+  @param[in] ...           A list of
+
+                             IN CONST UINT8    *Cert,
+                             IN UINTN          CertSize,
+                             IN CONST EFI_GUID *OwnerGuid
+
+                           triplets. If the first component of a triplet is
+                           NULL, then the other two components are not
+                           accessed, and processing is terminated. The list of
+                           certificates is enrolled in the variable specified,
+                           overwriting it. The OwnerGuid component identifies
+                           the agent installing the certificate.
+
+  @retval EFI_INVALID_PARAMETER  The triplet list is empty (ie. the first Cert
+                                 value is NULL), or one of the CertSize values
+                                 is 0, or one of the CertSize values would
+                                 overflow the accumulated UINT32 data size.
+
+  @retval EFI_OUT_OF_RESOURCES   Out of memory while formatting variable
+                                 payload.
+
+  @retval EFI_SUCCESS            Enrollment successful; the variable has been
+                                 overwritten (or created).
+
+  @return                        Error codes from gRT->GetTime() and
+                                 gRT->SetVariable().
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+EnrollListOfCerts (
+  IN CHAR16   *VariableName,
+  IN EFI_GUID *VendorGuid,
+  IN EFI_GUID *CertType,
+  ...
+  )
+{
+  UINTN            DataSize;
+  SINGLE_HEADER    *SingleHeader;
+  REPEATING_HEADER *RepeatingHeader;
+  VA_LIST          Marker;
+  CONST UINT8      *Cert;
+  EFI_STATUS       Status;
+  UINT8            *Data;
+  UINT8            *Position;
+
+  Status = EFI_SUCCESS;
+
+  //
+  // compute total size first, for UINT32 range check, and allocation
+  //
+  DataSize = sizeof *SingleHeader;
+  VA_START (Marker, CertType);
+  for (Cert = VA_ARG (Marker, CONST UINT8 *);
+       Cert != NULL;
+       Cert = VA_ARG (Marker, CONST UINT8 *)) {
+    UINTN          CertSize;
+
+    CertSize = VA_ARG (Marker, UINTN);
+    (VOID)VA_ARG (Marker, CONST EFI_GUID *);
+
+    if (CertSize == 0 ||
+        CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||
+        DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {
+      Status = EFI_INVALID_PARAMETER;
+      break;
+    }
+    DataSize += sizeof *RepeatingHeader + CertSize;
+  }
+  VA_END (Marker);
+
+  if (DataSize == sizeof *SingleHeader) {
+    Status = EFI_INVALID_PARAMETER;
+  }
+  if (EFI_ERROR (Status)) {
+    goto Out;
+  }
+
+  Data = AllocatePool (DataSize);
+  if (Data == NULL) {
+    Status = EFI_OUT_OF_RESOURCES;
+    goto Out;
+  }
+
+  Position = Data;
+
+  SingleHeader = (SINGLE_HEADER *)Position;
+  Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);
+  if (EFI_ERROR (Status)) {
+    goto FreeData;
+  }
+  SingleHeader->TimeStamp.Pad1       = 0;
+  SingleHeader->TimeStamp.Nanosecond = 0;
+  SingleHeader->TimeStamp.TimeZone   = 0;
+  SingleHeader->TimeStamp.Daylight   = 0;
+  SingleHeader->TimeStamp.Pad2       = 0;
+#if 0
+  SingleHeader->dwLength         = DataSize - sizeof SingleHeader->TimeStamp;
+#else
+  //
+  // This looks like a bug in edk2. According to the UEFI specification,
+  // dwLength is "The length of the entire certificate, including the length of
+  // the header, in bytes". That shouldn't stop right after CertType -- it
+  // should include everything below it.
+  //
+  SingleHeader->dwLength         = sizeof *SingleHeader
+                                     - sizeof SingleHeader->TimeStamp;
+#endif
+  SingleHeader->wRevision        = 0x0200;
+  SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;
+  CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);
+  Position += sizeof *SingleHeader;
+
+  VA_START (Marker, CertType);
+  for (Cert = VA_ARG (Marker, CONST UINT8 *);
+       Cert != NULL;
+       Cert = VA_ARG (Marker, CONST UINT8 *)) {
+    UINTN            CertSize;
+    CONST EFI_GUID   *OwnerGuid;
+
+    CertSize  = VA_ARG (Marker, UINTN);
+    OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
+
+    RepeatingHeader = (REPEATING_HEADER *)Position;
+    CopyGuid (&RepeatingHeader->SignatureType, CertType);
+    RepeatingHeader->SignatureListSize   =
+      (UINT32)(sizeof *RepeatingHeader + CertSize);
+    RepeatingHeader->SignatureHeaderSize = 0;
+    RepeatingHeader->SignatureSize       =
+      (UINT32)(sizeof RepeatingHeader->SignatureOwner + CertSize);
+    CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);
+    Position += sizeof *RepeatingHeader;
+
+    CopyMem (Position, Cert, CertSize);
+    Position += CertSize;
+  }
+  VA_END (Marker);
+
+  ASSERT (Data + DataSize == Position);
+
+  Status = gRT->SetVariable (VariableName, VendorGuid,
+                  (EFI_VARIABLE_NON_VOLATILE |
+                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
+                   EFI_VARIABLE_RUNTIME_ACCESS |
+                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
+                  DataSize, Data);
+
+FreeData:
+  FreePool (Data);
+
+Out:
+  if (EFI_ERROR (Status)) {
+    AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
+      VendorGuid, Status);
+  }
+  return Status;
+}
+
+
+STATIC
+EFI_STATUS
+EFIAPI
+GetExact (
+  IN CHAR16   *VariableName,
+  IN EFI_GUID *VendorGuid,
+  OUT VOID    *Data,
+  IN UINTN    DataSize,
+  IN BOOLEAN  AllowMissing
+  )
+{
+  UINTN      Size;
+  EFI_STATUS Status;
+
+  Size = DataSize;
+  Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);
+  if (EFI_ERROR (Status)) {
+    if (Status == EFI_NOT_FOUND && AllowMissing) {
+      ZeroMem (Data, DataSize);
+      return EFI_SUCCESS;
+    }
+
+    AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,
+      VendorGuid, Status);
+    return Status;
+  }
+
+  if (Size != DataSize) {
+    AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
+      "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
+    return EFI_PROTOCOL_ERROR;
+  }
+
+  return EFI_SUCCESS;
+}
+
+typedef struct {
+  UINT8 SetupMode;
+  UINT8 SecureBoot;
+  UINT8 SecureBootEnable;
+  UINT8 CustomMode;
+  UINT8 VendorKeys;
+} SETTINGS;
+
+STATIC
+EFI_STATUS
+EFIAPI
+GetSettings (
+  OUT SETTINGS *Settings
+  )
+{
+  EFI_STATUS Status;
+
+  Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
+             &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,
+             &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,
+             &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,
+             sizeof Settings->SecureBootEnable, TRUE);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
+             &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
+             &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
+  return Status;
+}
+
+STATIC
+VOID
+EFIAPI
+PrintSettings (
+  IN CONST SETTINGS *Settings
+  )
+{
+  AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
+    "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
+    Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
+}
+
+
+INTN
+EFIAPI
+ShellAppMain (
+  IN UINTN  Argc,
+  IN CHAR16 **Argv
+  )
+{
+  EFI_STATUS Status;
+  SETTINGS   Settings;
+
+  Status = GetSettings (&Settings);
+  if (EFI_ERROR (Status)) {
+    return 1;
+  }
+  PrintSettings (&Settings);
+
+  if (Settings.SetupMode != 1) {
+    AsciiPrint ("error: already in User Mode\n");
+    return 1;
+  }
+
+  if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
+    Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
+    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
+                    (EFI_VARIABLE_NON_VOLATILE |
+                     EFI_VARIABLE_BOOTSERVICE_ACCESS),
+                    sizeof Settings.CustomMode, &Settings.CustomMode);
+    if (EFI_ERROR (Status)) {
+      AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
+        &gEfiCustomModeEnableGuid, Status);
+      return 1;
+    }
+  }
+
+  Status = EnrollListOfCerts (
+             EFI_IMAGE_SECURITY_DATABASE,
+             &gEfiImageSecurityDatabaseGuid,
+             &gEfiCertX509Guid,
+             MicrosoftPCA,    sizeof MicrosoftPCA,    &mMicrosoftOwnerGuid,
+             MicrosoftUefiCA, sizeof MicrosoftUefiCA, &mMicrosoftOwnerGuid,
+             NULL);
+  if (EFI_ERROR (Status)) {
+    return 1;
+  }
+
+  Status = EnrollListOfCerts (
+             EFI_IMAGE_SECURITY_DATABASE1,
+             &gEfiImageSecurityDatabaseGuid,
+             &gEfiCertSha256Guid,
+             mSha256OfDevNull, sizeof mSha256OfDevNull, &gEfiCallerIdGuid,
+             NULL);
+  if (EFI_ERROR (Status)) {
+    return 1;
+  }
+
+  Status = EnrollListOfCerts (
+             EFI_KEY_EXCHANGE_KEY_NAME,
+             &gEfiGlobalVariableGuid,
+             &gEfiCertX509Guid,
+             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiCallerIdGuid,
+             MicrosoftKEK, sizeof MicrosoftKEK, &mMicrosoftOwnerGuid,
+             NULL);
+  if (EFI_ERROR (Status)) {
+    return 1;
+  }
+
+  Status = EnrollListOfCerts (
+             EFI_PLATFORM_KEY_NAME,
+             &gEfiGlobalVariableGuid,
+             &gEfiCertX509Guid,
+             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiGlobalVariableGuid,
+             NULL);
+  if (EFI_ERROR (Status)) {
+    return 1;
+  }
+
+  Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
+  Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
+                  EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  sizeof Settings.CustomMode, &Settings.CustomMode);
+  if (EFI_ERROR (Status)) {
+    AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
+      &gEfiCustomModeEnableGuid, Status);
+    return 1;
+  }
+
+  Status = GetSettings (&Settings);
+  if (EFI_ERROR (Status)) {
+    return 1;
+  }
+  PrintSettings (&Settings);
+
+  if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
+      Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
+      Settings.VendorKeys != 0) {
+    AsciiPrint ("error: unexpected\n");
+    return 1;
+  }
+
+  AsciiPrint ("info: success\n");
+  return 0;
+}
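
Review bot: every error exit between the SetVariable() that switches EFI_CUSTOM_MODE_NAME to CUSTOM_SECURE_BOOT_MODE and the one that writes STANDARD_SECURE_BOOT_MODE back is a bare `return 1`, so a failed EnrollListOfCerts() (or a failed PK enrollment) leaves the platform in custom mode, and because that variable is written with EFI_VARIABLE_NON_VOLATILE the state survives a reset. Custom mode is precisely what lets this application's unsigned SetVariable() calls into the authenticated PK/KEK/db/dbx variables succeed, so it should not outlive the enrollment attempt; suggest routing those failures through a common exit that restores STANDARD_SECURE_BOOT_MODE before returning, and adding a comment in ShellAppMain() on why PK is enrolled last (the SetupMode 1 -> 0 transition checked by the final GetSettings() happens on that write). Minor: Argc and Argv are unused, so a `(VOID)Argc; (VOID)Argv;` or an explanatory comment would silence unused-parameter warnings.
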
-- 
2.19.1.3.g30247aa5d201


* [PATCH 02/16] OvmfPkg/EnrollDefaultKeys: update @file comment blocks
From: Laszlo Ersek @ 2019-04-27  0:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

Refresh the sentence that states the purpose of the application.

Extend the copyright notice to the year 2019.

Replace the 2-clause BSD License banner with the BSD-2-Clause-Patent SPDX
ID.

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 13 +++----------
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 12 +++---------
 2 files changed, 6 insertions(+), 19 deletions(-)

diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
index 0ad86a2843e6..1e579f495143 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
@@ -1,21 +1,14 @@
 ## @file
-#  Enroll default PK, KEK, DB.
+#  Enroll default PK, KEK, db, dbx.
 #
-#  Copyright (C) 2014, Red Hat, Inc.
+#  Copyright (C) 2014-2019, Red Hat, Inc.
 #
-#  This program and the accompanying materials are licensed and made available
-#  under the terms and conditions of the BSD License which accompanies this
-#  distribution. The full text of the license may be found at
-#  http://opensource.org/licenses/bsd-license.
-#
-#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
-#  IMPLIED.
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
 [Defines]
   INF_VERSION                    = 0x00010006
   BASE_NAME                      = EnrollDefaultKeys
   FILE_GUID                      = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
   MODULE_TYPE                    = UEFI_APPLICATION
   VERSION_STRING                 = 0.1
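
Review bot: the summary now advertises dbx, but neither @file block says what goes into dbx; since the only dbx entry enrolled by ShellAppMain() is mSha256OfDevNull, a hash of empty content that no real image matches, a one-line note in the description would keep readers from assuming a genuine revocation list is installed. The SPDX line replacing the BSD banner and the 2014-2019 range match the .c file hunk, so the two headers stay consistent.
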
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index dd413df12de3..b354ec6f81c8 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -1,20 +1,14 @@
 /** @file
-  Enroll default PK, KEK, DB.
+  Enroll default PK, KEK, db, dbx.
 
-  Copyright (C) 2014, Red Hat, Inc.
+  Copyright (C) 2014-2019, Red Hat, Inc.
 
-  This program and the accompanying materials are licensed and made available
-  under the terms and conditions of the BSD License which accompanies this
-  distribution. The full text of the license may be found at
-  http://opensource.org/licenses/bsd-license.
-
-  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
-  WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
 #include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
 #include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
 #include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
 #include <Library/BaseMemoryLib.h>               // CopyGuid()
 #include <Library/DebugLib.h>                    // ASSERT()
 #include <Library/MemoryAllocationLib.h>         // FreePool()
 #include <Library/ShellCEntryLib.h>              // ShellAppMain()
-- 
2.19.1.3.g30247aa5d201


* [PATCH 03/16] OvmfPkg/EnrollDefaultKeys: refresh INF file
From: Laszlo Ersek @ 2019-04-27  0:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

Bump INF_VERSION to the latest edk2 INF specification.

Regenerate FILE_GUID to distinguish this application from downstream-only
versions.

Remove the VALID_ARCHITECTURES comment as there is nothing ISA or platform
specific in the application.

Ensure all sections apart from [Defines] are alphabetically sorted.

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
index 1e579f495143..3a215df50863 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
@@ -2,33 +2,29 @@
 #  Enroll default PK, KEK, db, dbx.
 #
 #  Copyright (C) 2014-2019, Red Hat, Inc.
 #
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
 [Defines]
-  INF_VERSION                    = 0x00010006
+  INF_VERSION                    = 1.28
   BASE_NAME                      = EnrollDefaultKeys
-  FILE_GUID                      = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
+  FILE_GUID                      = A0BAA8A3-041D-48A8-BC87-C36D121B5E3D
   MODULE_TYPE                    = UEFI_APPLICATION
   VERSION_STRING                 = 0.1
   ENTRY_POINT                    = ShellCEntryLib
 
-#
-#  VALID_ARCHITECTURES           = IA32 X64
-#
-
 [Sources]
   EnrollDefaultKeys.c
 
 [Packages]
-  MdePkg/MdePkg.dec
   MdeModulePkg/MdeModulePkg.dec
+  MdePkg/MdePkg.dec
   SecurityPkg/SecurityPkg.dec
   ShellPkg/ShellPkg.dec
 
 [Guids]
   gEfiCertPkcs7Guid
   gEfiCertSha256Guid
   gEfiCertX509Guid
   gEfiCustomModeEnableGuid
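
Review bot: with the VALID_ARCHITECTURES comment gone, nothing in the INF records that the module has so far only been built for IA32/X64; its `ENTRY_POINT = ShellCEntryLib` needs a ShellCEntryLib resolution in every platform DSC that lists the module, which is the thing to check whenever the INF is added to another platform. Regenerating FILE_GUID is the right call for a module forked from a downstream build; a short comment in [Defines] saying the GUID intentionally differs from the RHEL build would stop someone from "restoring" it later. The [Packages] reorder (MdeModulePkg before MdePkg) is the only sorting change visible in the hunk; the tail of [Guids] is cut off by the context, so the "all sections sorted" claim is taken on trust for the rest.
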
-- 
2.19.1.3.g30247aa5d201


* [PATCH 04/16] ArmVirtPkg: build EnrollDefaultKeys.efi
From: Laszlo Ersek @ 2019-04-27  0:53 UTC (permalink / raw)
  To: edk2-devel-groups-io; +Cc: Ard Biesheuvel

Having removed VALID_ARCHITECTURES from
"OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf", it now makes sense to
reflect the related platform DSC bits from OvmfPkg to ArmVirtPkg.

Build "EnrollDefaultKeys.efi" as part of ArmVirtQemu and ArmVirtQemuKernel
(which are the ArmVirtPkg platforms that include SecureBootConfigDxe too).

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 ArmVirtPkg/ArmVirt.dsc.inc       | 1 +
 ArmVirtPkg/ArmVirtQemu.dsc       | 1 +
 ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 +
 3 files changed, 3 insertions(+)

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index 82335541f964..1848d20531ab 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -46,16 +46,17 @@ [LibraryClasses.common]
   DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf
   DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf
   UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf
   UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf
   HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
   UefiHiiServicesLib|MdeModulePkg/Library/UefiHiiServicesLib/UefiHiiServicesLib.inf
   SortLib|MdeModulePkg/Library/UefiSortLib/UefiSortLib.inf
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
+  ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
 
   UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
 
   #
   # Ramdisk Requirements
   #
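
Review bot: ShellCEntryLib lands under [LibraryClasses.common], so the resolution is visible to every ArmVirt platform that includes this .inc, not only the two DSCs that list EnrollDefaultKeys; that is harmless (a library class only matters to modules that reference it) but worth a sentence in the commit message. Placing it directly after ShellLib keeps the shell-related classes together, which is consistent with the surrounding ordering.
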
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index d6ba3b6ae397..28c8fd551344 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -270,16 +270,17 @@ [Components.common]
       BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
   }
 !if $(SECURE_BOOT_ENABLE) == TRUE
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
     <LibraryClasses>
       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
   }
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
 !else
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
 !endif
   MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
   MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
   MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
   MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf
   EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf {
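
Review bot: the component sits inside `!if $(SECURE_BOOT_ENABLE) == TRUE` next to SecureBootConfigDxe, which is the correct gate because the application writes PK/KEK/db/dbx with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS and relies on the authenticated variable driver being present. Only the DSC changes, not the FDF, so EnrollDefaultKeys.efi is produced in the build output but not embedded in the firmware volume, matching the subject line "build EnrollDefaultKeys.efi"; the same applies to the identical ArmVirtQemuKernel.dsc hunk below.
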
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 129780548e4a..2a83c7469424 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -254,16 +254,17 @@ [Components.common]
       BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
   }
 !if $(SECURE_BOOT_ENABLE) == TRUE
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
     <LibraryClasses>
       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
   }
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
 !else
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
 !endif
   MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
   MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
   MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
   MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf
   EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf {
-- 
2.19.1.3.g30247aa5d201


* [PATCH 05/16] OvmfPkg/EnrollDefaultKeys: clean up minor whitespace wart
From: Laszlo Ersek @ 2019-04-27  0:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

In edk2, we should spell "#pragma pack(...)" with a space character in
front of the opening parenthesis. Fix up locations that suggest otherwise.

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index b354ec6f81c8..aa827ac6aa81 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -596,17 +596,17 @@ STATIC CONST EFI_GUID mMicrosoftOwnerGuid = {
 // };                                                               |
 //
 // Given that the "struct hack" invokes undefined behavior (which is why C99
 // introduced the flexible array member), and because subtracting those pesky
 // sizes of 1 is annoying, and because the format is fully specified in the
 // UEFI specification, we'll introduce two matching convenience structures that
 // are customized for our X.509 purposes.
 //
-#pragma pack(1)
+#pragma pack (1)
 typedef struct {
   EFI_TIME TimeStamp;
 
   //
   // dwLength covers data below
   //
   UINT32   dwLength;
   UINT16   wRevision;
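
Review bot: purely cosmetic and correct; note that this `#pragma pack (1)` and the `#pragma pack ()` in the next hunk bracket the two byte-exact structures that stand in for the UEFI spec's struct-hack layouts, so the packing is load-bearing for the on-wire layout of the enrolled variable. A comment at the closing pragma naming the structures it covers would make that coupling visible to anyone who later inserts a declaration between the two.
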
@@ -627,17 +627,17 @@ typedef struct {
   // SignatureSize covers data below
   //
   EFI_GUID SignatureOwner;
 
   //
   // X.509 certificate follows
   //
 } REPEATING_HEADER;
-#pragma pack()
+#pragma pack ()
 
 /**
   Enroll a set of certificates in a global variable, overwriting it.
 
   The variable will be rewritten with NV+BS+RT+AT attributes.
 
   @param[in] VariableName  The name of the variable to overwrite.
 
-- 
2.19.1.3.g30247aa5d201


* [PATCH 06/16] OvmfPkg/EnrollDefaultKeys: clean up global variable name prefixes
From: Laszlo Ersek @ 2019-04-27  0:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

In edk2, we should start the names of module-global variables with "m".
Rename the "RedHatPkKek1", "MicrosoftKEK", "MicrosoftPCA",
"MicrosoftUefiCA" variables accordingly, with the following command:

  sed --regexp-extended --in-place \
    --expression='s,\<(RedHatPkKek1|Microsoft(KEK|PCA|UefiCA))\>,m\1,g' \
    OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index aa827ac6aa81..fb30f4906df7 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -17,17 +17,17 @@
 
 //
 // We'll use the certificate below as both Platform Key and as first Key
 // Exchange Key.
 //
 // "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
 // SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
 //
-STATIC CONST UINT8 RedHatPkKek1[] = {
+STATIC CONST UINT8 mRedHatPkKek1[] = {
   0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, 0x02,
   0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, 0x0d,
   0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
   0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22,
   0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
   0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45,
   0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06,
   0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73,
@@ -98,17 +98,17 @@ STATIC CONST UINT8 RedHatPkKek1[] = {
 };
 
 //
 // Second KEK: "Microsoft Corporation KEK CA 2011".
 // SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
 //
 // "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
 //
-STATIC CONST UINT8 MicrosoftKEK[] = {
+STATIC CONST UINT8 mMicrosoftKEK[] = {
   0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
   0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
   0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
   0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
   0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
   0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
   0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
   0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
@@ -225,17 +225,17 @@ STATIC CONST UINT8 MicrosoftKEK[] = {
 
 //
 // First DB entry: "Microsoft Windows Production PCA 2011"
 // SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
 //
 // Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
 // rooted in this certificate.
 //
-STATIC CONST UINT8 MicrosoftPCA[] = {
+STATIC CONST UINT8 mMicrosoftPCA[] = {
   0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
   0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
   0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
   0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
   0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
   0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
   0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
   0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
@@ -350,17 +350,17 @@ STATIC CONST UINT8 MicrosoftPCA[] = {
 };
 
 //
 // Second DB entry: "Microsoft Corporation UEFI CA 2011"
 // SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
 //
 // To verify the "shim" binary and PCI expansion ROMs with.
 //
-STATIC CONST UINT8 MicrosoftUefiCA[] = {
+STATIC CONST UINT8 mMicrosoftUefiCA[] = {
   0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
   0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
   0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
   0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
   0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
   0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
   0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
   0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
@@ -938,18 +938,18 @@ ShellAppMain (
       return 1;
     }
   }
 
   Status = EnrollListOfCerts (
              EFI_IMAGE_SECURITY_DATABASE,
              &gEfiImageSecurityDatabaseGuid,
              &gEfiCertX509Guid,
-             MicrosoftPCA,    sizeof MicrosoftPCA,    &mMicrosoftOwnerGuid,
-             MicrosoftUefiCA, sizeof MicrosoftUefiCA, &mMicrosoftOwnerGuid,
+             mMicrosoftPCA,    sizeof mMicrosoftPCA,    &mMicrosoftOwnerGuid,
+             mMicrosoftUefiCA, sizeof mMicrosoftUefiCA, &mMicrosoftOwnerGuid,
              NULL);
   if (EFI_ERROR (Status)) {
     return 1;
   }
 
   Status = EnrollListOfCerts (
              EFI_IMAGE_SECURITY_DATABASE1,
              &gEfiImageSecurityDatabaseGuid,
@@ -959,28 +959,28 @@ ShellAppMain (
   if (EFI_ERROR (Status)) {
     return 1;
   }
 
   Status = EnrollListOfCerts (
              EFI_KEY_EXCHANGE_KEY_NAME,
              &gEfiGlobalVariableGuid,
              &gEfiCertX509Guid,
-             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiCallerIdGuid,
-             MicrosoftKEK, sizeof MicrosoftKEK, &mMicrosoftOwnerGuid,
+             mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiCallerIdGuid,
+             mMicrosoftKEK, sizeof mMicrosoftKEK, &mMicrosoftOwnerGuid,
              NULL);
   if (EFI_ERROR (Status)) {
     return 1;
   }
 
   Status = EnrollListOfCerts (
              EFI_PLATFORM_KEY_NAME,
              &gEfiGlobalVariableGuid,
              &gEfiCertX509Guid,
-             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiGlobalVariableGuid,
+             mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiGlobalVariableGuid,
              NULL);
   if (EFI_ERROR (Status)) {
     return 1;
   }
 
   Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
   Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
                   EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
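
Review bot: the rename is consistent across the four definitions and every call site, and the `\<` / `\>` anchors in the sed expression correctly leave the prose comments ("Microsoft Corporation KEK CA 2011") untouched. Unrelated to the rename but visible here: mRedHatPkKek1 is enrolled into KEK with SignatureOwner gEfiCallerIdGuid and into PK with gEfiGlobalVariableGuid; a comment explaining why the owner GUID differs per variable would help, since the owner is recorded inside the variable and identifies who installed the entry.
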
-- 
2.19.1.3.g30247aa5d201


* [PATCH 07/16] OvmfPkg/EnrollDefaultKeys: clean up acronym capitalization in identifiers
From: Laszlo Ersek @ 2019-04-27  0:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

According to the edk2 coding standards, "[w]hen all letters in an acronym
are capitalized, it makes the prior and subsequent words visually
difficult to distinguish".

Fix the spellings of three acronyms, accordingly:
- "KEK" (Key Exchange Key) should be written as "Kek", in "mMicrosoftKEK",
- "CA" (Certificate Authority) should be written as "Ca", in
  "mMicrosoftUefiCA",
- "PCA" (Production Certificate Authority) should be written as "Pca", in
  "mMicrosoftPCA".

Generate the changes with:

  sed --regexp-extended --in-place \
    --expression='s,\<mMicrosoftKEK\>,mMicrosoftKek,g' \
    --expression='s,\<mMicrosoftUefiCA\>,mMicrosoftUefiCa,g' \
    --expression='s,\<mMicrosoftPCA\>,mMicrosoftPca,g' \
    OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index fb30f4906df7..be0e4d8f8e96 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -98,17 +98,17 @@ STATIC CONST UINT8 mRedHatPkKek1[] = {
 };
 
 //
 // Second KEK: "Microsoft Corporation KEK CA 2011".
 // SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
 //
 // "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
 //
-STATIC CONST UINT8 mMicrosoftKEK[] = {
+STATIC CONST UINT8 mMicrosoftKek[] = {
   0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
   0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
   0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
   0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
   0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
   0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
   0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
   0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
@@ -225,17 +225,17 @@ STATIC CONST UINT8 mMicrosoftKEK[] = {
 
 //
 // First DB entry: "Microsoft Windows Production PCA 2011"
 // SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
 //
 // Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
 // rooted in this certificate.
 //
-STATIC CONST UINT8 mMicrosoftPCA[] = {
+STATIC CONST UINT8 mMicrosoftPca[] = {
   0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
   0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
   0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
   0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
   0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
   0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
   0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
   0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
@@ -350,17 +350,17 @@ STATIC CONST UINT8 mMicrosoftPCA[] = {
 };
 
 //
 // Second DB entry: "Microsoft Corporation UEFI CA 2011"
 // SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
 //
 // To verify the "shim" binary and PCI expansion ROMs with.
 //
-STATIC CONST UINT8 mMicrosoftUefiCA[] = {
+STATIC CONST UINT8 mMicrosoftUefiCa[] = {
   0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
   0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
   0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
   0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
   0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
   0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
   0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
   0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
@@ -938,18 +938,18 @@ ShellAppMain (
       return 1;
     }
   }
 
   Status = EnrollListOfCerts (
              EFI_IMAGE_SECURITY_DATABASE,
              &gEfiImageSecurityDatabaseGuid,
              &gEfiCertX509Guid,
-             mMicrosoftPCA,    sizeof mMicrosoftPCA,    &mMicrosoftOwnerGuid,
-             mMicrosoftUefiCA, sizeof mMicrosoftUefiCA, &mMicrosoftOwnerGuid,
+             mMicrosoftPca,    sizeof mMicrosoftPca,    &mMicrosoftOwnerGuid,
+             mMicrosoftUefiCa, sizeof mMicrosoftUefiCa, &mMicrosoftOwnerGuid,
              NULL);
   if (EFI_ERROR (Status)) {
     return 1;
   }
 
   Status = EnrollListOfCerts (
              EFI_IMAGE_SECURITY_DATABASE1,
              &gEfiImageSecurityDatabaseGuid,
@@ -960,17 +960,17 @@ ShellAppMain (
     return 1;
   }
 
   Status = EnrollListOfCerts (
              EFI_KEY_EXCHANGE_KEY_NAME,
              &gEfiGlobalVariableGuid,
              &gEfiCertX509Guid,
              mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiCallerIdGuid,
-             mMicrosoftKEK, sizeof mMicrosoftKEK, &mMicrosoftOwnerGuid,
+             mMicrosoftKek, sizeof mMicrosoftKek, &mMicrosoftOwnerGuid,
              NULL);
   if (EFI_ERROR (Status)) {
     return 1;
   }
 
   Status = EnrollListOfCerts (
              EFI_PLATFORM_KEY_NAME,
              &gEfiGlobalVariableGuid,
-- 
2.19.1.3.g30247aa5d201


* [PATCH 08/16] OvmfPkg/EnrollDefaultKeys: remove unneeded EFIAPI call. conv. specifiers
  2019-04-27  0:53 [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app Laszlo Ersek
                   ` (6 preceding siblings ...)
  2019-04-27  0:53 ` [PATCH 07/16] OvmfPkg/EnrollDefaultKeys: clean up acronym capitalization in identifiers Laszlo Ersek
@ 2019-04-27  0:53 ` Laszlo Ersek
  2019-04-29 12:28   ` [edk2-devel] " Philippe Mathieu-Daudé
  2019-04-27  0:53 ` [PATCH 09/16] OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file Laszlo Ersek
                   ` (11 subsequent siblings)
  19 siblings, 1 reply; 39+ messages in thread
From: Laszlo Ersek @ 2019-04-27  0:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

The GetExact(), GetSettings(), PrintSettings() functions are only called
from within "EnrollDefaultKeys.c", and none of them take variable
arguments. Drop their EFIAPI calling convention specifiers.

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index be0e4d8f8e96..671efef8d6ad 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -806,17 +806,16 @@ Out:
       VendorGuid, Status);
   }
   return Status;
 }
 
 
 STATIC
 EFI_STATUS
-EFIAPI
 GetExact (
   IN CHAR16   *VariableName,
   IN EFI_GUID *VendorGuid,
   OUT VOID    *Data,
   IN UINTN    DataSize,
   IN BOOLEAN  AllowMissing
   )
 {
@@ -850,17 +849,16 @@ typedef struct {
   UINT8 SecureBoot;
   UINT8 SecureBootEnable;
   UINT8 CustomMode;
   UINT8 VendorKeys;
 } SETTINGS;
 
 STATIC
 EFI_STATUS
-EFIAPI
 GetSettings (
   OUT SETTINGS *Settings
   )
 {
   EFI_STATUS Status;
 
   Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
              &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
@@ -889,17 +887,16 @@ GetSettings (
 
   Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
              &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
   return Status;
 }
 
 STATIC
 VOID
-EFIAPI
 PrintSettings (
   IN CONST SETTINGS *Settings
   )
 {
   AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
     "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
     Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
 }
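Review bot: dropping EFIAPI from GetExact(), GetSettings() and PrintSettings() is safe only because none of them is variadic or reachable through a function pointer or an exported symbol, which the commit message confirms; the variadic EnrollListOfCerts() (declared with `...`, visible further down this thread) correctly keeps its EFIAPI specifier, since edk2's VA_START/VA_ARG handling relies on that calling convention. Since this patch touches only the definitions, please double-check that no forward declaration of any of the three functions elsewhere in the file still carries EFIAPI, which would be a declaration mismatch.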
-- 
2.19.1.3.g30247aa5d201


* [PATCH 09/16] OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file
  2019-04-27  0:53 [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app Laszlo Ersek
                   ` (7 preceding siblings ...)
  2019-04-27  0:53 ` [PATCH 08/16] OvmfPkg/EnrollDefaultKeys: remove unneeded EFIAPI call. conv. specifiers Laszlo Ersek
@ 2019-04-27  0:53 ` Laszlo Ersek
  2019-04-29 12:30   ` [edk2-devel] " Philippe Mathieu-Daudé
  2019-04-27  0:53 ` [PATCH 10/16] OvmfPkg/EnrollDefaultKeys: split out certificate and signature constants Laszlo Ersek
                   ` (10 subsequent siblings)
  19 siblings, 1 reply; 39+ messages in thread
From: Laszlo Ersek @ 2019-04-27  0:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

"EnrollDefaultKeys.c" defines three structure types: SINGLE_HEADER,
REPEATING_HEADER, and SETTINGS. The definitions are scattered over the C
file, and lack high-level summary comments.

Extract the structures to "EnrollDefaultKeys.h", and add the missing
comments.

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |   1 +
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h   | 121 ++++++++++++++++++++
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 101 +---------------
 3 files changed, 124 insertions(+), 99 deletions(-)

diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
index 3a215df50863..9f315a8e6d90 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
@@ -11,16 +11,17 @@ [Defines]
   BASE_NAME                      = EnrollDefaultKeys
   FILE_GUID                      = A0BAA8A3-041D-48A8-BC87-C36D121B5E3D
   MODULE_TYPE                    = UEFI_APPLICATION
   VERSION_STRING                 = 0.1
   ENTRY_POINT                    = ShellCEntryLib
 
 [Sources]
   EnrollDefaultKeys.c
+  EnrollDefaultKeys.h
 
 [Packages]
   MdeModulePkg/MdeModulePkg.dec
   MdePkg/MdePkg.dec
   SecurityPkg/SecurityPkg.dec
   ShellPkg/ShellPkg.dec
 
 [Guids]
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
new file mode 100644
index 000000000000..9bcd87ff4f44
--- /dev/null
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
@@ -0,0 +1,121 @@
+/** @file
+  Type definitions for the EnrollDefaultKeys application.
+
+  Copyright (C) 2014-2019, Red Hat, Inc.
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef ENROLL_DEFAULT_KEYS_H_
+#define ENROLL_DEFAULT_KEYS_H_
+
+#include <Uefi/UefiBaseType.h>
+
+//
+// Convenience structure types for constructing "signature lists" for
+// authenticated UEFI variables.
+//
+// The most important thing about the variable payload is that it is a list of
+// lists, where the element size of any given *inner* list is constant.
+//
+// Since X509 certificates vary in size, each of our *inner* lists will contain
+// one element only (one X.509 certificate). This is explicitly mentioned in
+// the UEFI specification, in "28.4.1 Signature Database", in a Note.
+//
+// The list structure looks as follows:
+//
+// struct EFI_VARIABLE_AUTHENTICATION_2 {                           |
+//   struct EFI_TIME {                                              |
+//     UINT16 Year;                                                 |
+//     UINT8  Month;                                                |
+//     UINT8  Day;                                                  |
+//     UINT8  Hour;                                                 |
+//     UINT8  Minute;                                               |
+//     UINT8  Second;                                               |
+//     UINT8  Pad1;                                                 |
+//     UINT32 Nanosecond;                                           |
+//     INT16  TimeZone;                                             |
+//     UINT8  Daylight;                                             |
+//     UINT8  Pad2;                                                 |
+//   } TimeStamp;                                                   |
+//                                                                  |
+//   struct WIN_CERTIFICATE_UEFI_GUID {                           | |
+//     struct WIN_CERTIFICATE {                                   | |
+//       UINT32 dwLength; ----------------------------------------+ |
+//       UINT16 wRevision;                                        | |
+//       UINT16 wCertificateType;                                 | |
+//     } Hdr;                                                     | +- DataSize
+//                                                                | |
+//     EFI_GUID CertType;                                         | |
+//     UINT8    CertData[1] = { <--- "struct hack"                | |
+//       struct EFI_SIGNATURE_LIST {                            | | |
+//         EFI_GUID SignatureType;                              | | |
+//         UINT32   SignatureListSize; -------------------------+ | |
+//         UINT32   SignatureHeaderSize;                        | | |
+//         UINT32   SignatureSize; ---------------------------+ | | |
+//         UINT8    SignatureHeader[SignatureHeaderSize];     | | | |
+//                                                            v | | |
+//         struct EFI_SIGNATURE_DATA {                        | | | |
+//           EFI_GUID SignatureOwner;                         | | | |
+//           UINT8    SignatureData[1] = { <--- "struct hack" | | | |
+//             X.509 payload                                  | | | |
+//           }                                                | | | |
+//         } Signatures[];                                      | | |
+//       } SigLists[];                                            | |
+//     };                                                         | |
+//   } AuthInfo;                                                  | |
+// };                                                               |
+//
+// Given that the "struct hack" invokes undefined behavior (which is why C99
+// introduced the flexible array member), and because subtracting those pesky
+// sizes of 1 is annoying, and because the format is fully specified in the
+// UEFI specification, we'll introduce two matching convenience structures that
+// are customized for our X.509 purposes.
+//
+#pragma pack (1)
+typedef struct {
+  EFI_TIME TimeStamp;
+
+  //
+  // dwLength covers data below
+  //
+  UINT32   dwLength;
+  UINT16   wRevision;
+  UINT16   wCertificateType;
+  EFI_GUID CertType;
+} SINGLE_HEADER;
+
+typedef struct {
+  //
+  // SignatureListSize covers data below
+  //
+  EFI_GUID SignatureType;
+  UINT32   SignatureListSize;
+  UINT32   SignatureHeaderSize; // constant 0
+  UINT32   SignatureSize;
+
+  //
+  // SignatureSize covers data below
+  //
+  EFI_GUID SignatureOwner;
+
+  //
+  // X.509 certificate follows
+  //
+} REPEATING_HEADER;
+#pragma pack ()
+
+
+//
+// A structure that collects the values of UEFI variables related to Secure
+// Boot.
+//
+typedef struct {
+  UINT8 SetupMode;
+  UINT8 SecureBoot;
+  UINT8 SecureBootEnable;
+  UINT8 CustomMode;
+  UINT8 VendorKeys;
+} SETTINGS;
+
+#endif /* ENROLL_DEFAULT_KEYS_H_ */
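Review bot: the field comments "dwLength covers data below" (SINGLE_HEADER) and "SignatureListSize covers data below" (REPEATING_HEADER) are ambiguous about whether the size field itself is counted. The diagram above settles it (the dwLength bracket starts on the dwLength line, and the SignatureListSize bracket starts at SignatureType), but a reader of the struct alone cannot tell; "covers this field and everything below it" would be unambiguous. Since the two packed structures replace the spec's "struct hack" layouts, a compile-time check that sizeof (SINGLE_HEADER) equals sizeof (EFI_TIME) + 8 + sizeof (EFI_GUID), and sizeof (REPEATING_HEADER) equals 28 + sizeof (EFI_GUID), would also guard against accidental field reordering.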
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index 671efef8d6ad..fefea6638887 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -10,16 +10,18 @@
 #include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
 #include <Library/BaseMemoryLib.h>               // CopyGuid()
 #include <Library/DebugLib.h>                    // ASSERT()
 #include <Library/MemoryAllocationLib.h>         // FreePool()
 #include <Library/ShellCEntryLib.h>              // ShellAppMain()
 #include <Library/UefiLib.h>                     // AsciiPrint()
 #include <Library/UefiRuntimeServicesTableLib.h> // gRT
 
+#include "EnrollDefaultKeys.h"
+
 //
 // We'll use the certificate below as both Platform Key and as first Key
 // Exchange Key.
 //
 // "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
 // SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
 //
 STATIC CONST UINT8 mRedHatPkKek1[] = {
@@ -538,107 +540,16 @@ STATIC CONST UINT8 mSha256OfDevNull[] = {
 // EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
 // EFI_SIGNATURE_DATA.SignatureData.
 //
 STATIC CONST EFI_GUID mMicrosoftOwnerGuid = {
   0x77fa9abd, 0x0359, 0x4d32,
   { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
 };
 
-//
-// The most important thing about the variable payload is that it is a list of
-// lists, where the element size of any given *inner* list is constant.
-//
-// Since X509 certificates vary in size, each of our *inner* lists will contain
-// one element only (one X.509 certificate). This is explicitly mentioned in
-// the UEFI specification, in "28.4.1 Signature Database", in a Note.
-//
-// The list structure looks as follows:
-//
-// struct EFI_VARIABLE_AUTHENTICATION_2 {                           |
-//   struct EFI_TIME {                                              |
-//     UINT16 Year;                                                 |
-//     UINT8  Month;                                                |
-//     UINT8  Day;                                                  |
-//     UINT8  Hour;                                                 |
-//     UINT8  Minute;                                               |
-//     UINT8  Second;                                               |
-//     UINT8  Pad1;                                                 |
-//     UINT32 Nanosecond;                                           |
-//     INT16  TimeZone;                                             |
-//     UINT8  Daylight;                                             |
-//     UINT8  Pad2;                                                 |
-//   } TimeStamp;                                                   |
-//                                                                  |
-//   struct WIN_CERTIFICATE_UEFI_GUID {                           | |
-//     struct WIN_CERTIFICATE {                                   | |
-//       UINT32 dwLength; ----------------------------------------+ |
-//       UINT16 wRevision;                                        | |
-//       UINT16 wCertificateType;                                 | |
-//     } Hdr;                                                     | +- DataSize
-//                                                                | |
-//     EFI_GUID CertType;                                         | |
-//     UINT8    CertData[1] = { <--- "struct hack"                | |
-//       struct EFI_SIGNATURE_LIST {                            | | |
-//         EFI_GUID SignatureType;                              | | |
-//         UINT32   SignatureListSize; -------------------------+ | |
-//         UINT32   SignatureHeaderSize;                        | | |
-//         UINT32   SignatureSize; ---------------------------+ | | |
-//         UINT8    SignatureHeader[SignatureHeaderSize];     | | | |
-//                                                            v | | |
-//         struct EFI_SIGNATURE_DATA {                        | | | |
-//           EFI_GUID SignatureOwner;                         | | | |
-//           UINT8    SignatureData[1] = { <--- "struct hack" | | | |
-//             X.509 payload                                  | | | |
-//           }                                                | | | |
-//         } Signatures[];                                      | | |
-//       } SigLists[];                                            | |
-//     };                                                         | |
-//   } AuthInfo;                                                  | |
-// };                                                               |
-//
-// Given that the "struct hack" invokes undefined behavior (which is why C99
-// introduced the flexible array member), and because subtracting those pesky
-// sizes of 1 is annoying, and because the format is fully specified in the
-// UEFI specification, we'll introduce two matching convenience structures that
-// are customized for our X.509 purposes.
-//
-#pragma pack (1)
-typedef struct {
-  EFI_TIME TimeStamp;
-
-  //
-  // dwLength covers data below
-  //
-  UINT32   dwLength;
-  UINT16   wRevision;
-  UINT16   wCertificateType;
-  EFI_GUID CertType;
-} SINGLE_HEADER;
-
-typedef struct {
-  //
-  // SignatureListSize covers data below
-  //
-  EFI_GUID SignatureType;
-  UINT32   SignatureListSize;
-  UINT32   SignatureHeaderSize; // constant 0
-  UINT32   SignatureSize;
-
-  //
-  // SignatureSize covers data below
-  //
-  EFI_GUID SignatureOwner;
-
-  //
-  // X.509 certificate follows
-  //
-} REPEATING_HEADER;
-#pragma pack ()
-
 /**
   Enroll a set of certificates in a global variable, overwriting it.
 
   The variable will be rewritten with NV+BS+RT+AT attributes.
 
   @param[in] VariableName  The name of the variable to overwrite.
 
   @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
@@ -839,24 +750,16 @@ GetExact (
     AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
       "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
     return EFI_PROTOCOL_ERROR;
   }
 
   return EFI_SUCCESS;
 }
 
-typedef struct {
-  UINT8 SetupMode;
-  UINT8 SecureBoot;
-  UINT8 SecureBootEnable;
-  UINT8 CustomMode;
-  UINT8 VendorKeys;
-} SETTINGS;
-
 STATIC
 EFI_STATUS
 GetSettings (
   OUT SETTINGS *Settings
   )
 {
   EFI_STATUS Status;
 
-- 
2.19.1.3.g30247aa5d201


* [PATCH 10/16] OvmfPkg/EnrollDefaultKeys: split out certificate and signature constants
  2019-04-27  0:53 [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app Laszlo Ersek
                   ` (8 preceding siblings ...)
  2019-04-27  0:53 ` [PATCH 09/16] OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file Laszlo Ersek
@ 2019-04-27  0:53 ` Laszlo Ersek
  2019-04-29 12:33   ` [edk2-devel] " Philippe Mathieu-Daudé
  2019-04-27  0:53 ` [PATCH 11/16] OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID Laszlo Ersek
                   ` (9 subsequent siblings)
  19 siblings, 1 reply; 39+ messages in thread
From: Laszlo Ersek @ 2019-04-27  0:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

A large portion of "EnrollDefaultKeys.c" is hex-encoded X509 certificates,
GUIDs, and signatures. These objects are constants, unlikely to see
changes anytime soon. Move them out of the way, to "AuthData.c", so we can
more easily work on functions in "EnrollDefaultKeys.c".

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf               |   1 +
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h                 |  24 +-
 OvmfPkg/EnrollDefaultKeys/{EnrollDefaultKeys.c => AuthData.c} | 402 +--------------
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c                 | 540 +-------------------
 4 files changed, 53 insertions(+), 914 deletions(-)

diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
index 9f315a8e6d90..3f093c768585 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
@@ -10,16 +10,17 @@ [Defines]
   INF_VERSION                    = 1.28
   BASE_NAME                      = EnrollDefaultKeys
   FILE_GUID                      = A0BAA8A3-041D-48A8-BC87-C36D121B5E3D
   MODULE_TYPE                    = UEFI_APPLICATION
   VERSION_STRING                 = 0.1
   ENTRY_POINT                    = ShellCEntryLib
 
 [Sources]
+  AuthData.c
   EnrollDefaultKeys.c
   EnrollDefaultKeys.h
 
 [Packages]
   MdeModulePkg/MdeModulePkg.dec
   MdePkg/MdePkg.dec
   SecurityPkg/SecurityPkg.dec
   ShellPkg/ShellPkg.dec
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
index 9bcd87ff4f44..07f4aa04e469 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
@@ -1,10 +1,11 @@
 /** @file
-  Type definitions for the EnrollDefaultKeys application.
+  Type definitions and object declarations for the EnrollDefaultKeys
+  application.
 
   Copyright (C) 2014-2019, Red Hat, Inc.
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
 
 #ifndef ENROLL_DEFAULT_KEYS_H_
 #define ENROLL_DEFAULT_KEYS_H_
@@ -113,9 +114,30 @@ typedef struct {
 typedef struct {
   UINT8 SetupMode;
   UINT8 SecureBoot;
   UINT8 SecureBootEnable;
   UINT8 CustomMode;
   UINT8 VendorKeys;
 } SETTINGS;
 
+
+//
+// Refer to "AuthData.c" for details on the following objects.
+//
+extern CONST UINT8 mRedHatPkKek1[];
+extern CONST UINTN mSizeOfRedHatPkKek1;
+
+extern CONST UINT8 mMicrosoftKek[];
+extern CONST UINTN mSizeOfMicrosoftKek;
+
+extern CONST UINT8 mMicrosoftPca[];
+extern CONST UINTN mSizeOfMicrosoftPca;
+
+extern CONST UINT8 mMicrosoftUefiCa[];
+extern CONST UINTN mSizeOfMicrosoftUefiCa;
+
+extern CONST UINT8 mSha256OfDevNull[];
+extern CONST UINTN mSizeOfSha256OfDevNull;
+
+extern CONST EFI_GUID mMicrosoftOwnerGuid;
+
 #endif /* ENROLL_DEFAULT_KEYS_H_ */
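Review bot: once the arrays are declared as `extern CONST UINT8 mMicrosoftPca[];` and friends, their type is incomplete in EnrollDefaultKeys.c, so every `sizeof mMicrosoftPca` at the EnrollListOfCerts() call sites (as seen in the patch 07 hunk earlier in this thread) must be replaced with the new mSizeOf* constants, otherwise the build fails on an incomplete type. The EnrollDefaultKeys.c part of this diff is not reproduced here, so please confirm no `sizeof` on these arrays remains; defining the size objects next to the arrays in AuthData.c is the right approach, since sizeof cannot cross translation units.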
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/AuthData.c
similarity index 74%
copy from OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
copy to OvmfPkg/EnrollDefaultKeys/AuthData.c
index fefea6638887..e0a543785fb5 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c
@@ -1,35 +1,27 @@
 /** @file
-  Enroll default PK, KEK, db, dbx.
+  Certificate and signature constants for the EnrollDefaultKeys application.
 
   Copyright (C) 2014-2019, Red Hat, Inc.
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
-#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
-#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
-#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
-#include <Library/BaseMemoryLib.h>               // CopyGuid()
-#include <Library/DebugLib.h>                    // ASSERT()
-#include <Library/MemoryAllocationLib.h>         // FreePool()
-#include <Library/ShellCEntryLib.h>              // ShellAppMain()
-#include <Library/UefiLib.h>                     // AsciiPrint()
-#include <Library/UefiRuntimeServicesTableLib.h> // gRT
 
 #include "EnrollDefaultKeys.h"
 
+
 //
 // We'll use the certificate below as both Platform Key and as first Key
 // Exchange Key.
 //
 // "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
 // SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
 //
-STATIC CONST UINT8 mRedHatPkKek1[] = {
+CONST UINT8 mRedHatPkKek1[] = {
   0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, 0x02,
   0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, 0x0d,
   0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
   0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22,
   0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
   0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45,
   0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06,
   0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73,
@@ -94,23 +86,26 @@ STATIC CONST UINT8 mRedHatPkKek1[] = {
   0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, 0x90,
   0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, 0xaf,
   0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, 0x37,
   0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, 0xb7,
   0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, 0x43,
   0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69
 };
 
+CONST UINTN mSizeOfRedHatPkKek1 = sizeof mRedHatPkKek1;
+
+
 //
 // Second KEK: "Microsoft Corporation KEK CA 2011".
 // SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
 //
 // "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
 //
-STATIC CONST UINT8 mMicrosoftKek[] = {
+CONST UINT8 mMicrosoftKek[] = {
   0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
   0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
   0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
   0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
   0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
   0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
   0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
   0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
@@ -220,24 +215,27 @@ STATIC CONST UINT8 mMicrosoftKek[] = {
   0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
   0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
   0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
   0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
   0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
   0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
 };
 
+CONST UINTN mSizeOfMicrosoftKek = sizeof mMicrosoftKek;
+
+
 //
 // First DB entry: "Microsoft Windows Production PCA 2011"
 // SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
 //
 // Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
 // rooted in this certificate.
 //
-STATIC CONST UINT8 mMicrosoftPca[] = {
+CONST UINT8 mMicrosoftPca[] = {
   0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
   0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
   0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
   0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
   0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
   0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
   0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
   0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
@@ -346,23 +344,26 @@ STATIC CONST UINT8 mMicrosoftPca[] = {
   0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
   0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
   0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
   0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
   0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
   0x62, 0x1c, 0x59, 0x7e
 };
 
+CONST UINTN mSizeOfMicrosoftPca = sizeof mMicrosoftPca;
+
+
 //
 // Second DB entry: "Microsoft Corporation UEFI CA 2011"
 // SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
 //
 // To verify the "shim" binary and PCI expansion ROMs with.
 //
-STATIC CONST UINT8 mMicrosoftUefiCa[] = {
+CONST UINT8 mMicrosoftUefiCa[] = {
   0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
   0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
   0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
   0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
   0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
   0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
   0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
   0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
@@ -475,16 +476,19 @@ STATIC CONST UINT8 mMicrosoftUefiCa[] = {
   0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
   0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
   0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
   0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
   0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
   0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
 };
 
+CONST UINTN mSizeOfMicrosoftUefiCa = sizeof mMicrosoftUefiCa;
+
+
 //
 // The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test case
 // of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit
 // expects that the "dbx" variable exist.
 //
 // The article at <https://technet.microsoft.com/en-us/library/dn747883.aspx>
 // writes (excerpt):
 //
@@ -507,22 +511,25 @@ STATIC CONST UINT8 mMicrosoftUefiCa[] = {
 //
 // Technically speaking, we could also capture an official (although soon to be
 // obsolete) dbx update from <http://www.uefi.org/revocationlistfile>. However,
 // the terms and conditions on distributing that binary aren't exactly light
 // reading, so let's best steer clear of it, and follow the "dummy entry"
 // practice recommended -- in natural English langauge -- in the
 // above-referenced TechNet article.
 //
-STATIC CONST UINT8 mSha256OfDevNull[] = {
+CONST UINT8 mSha256OfDevNull[] = {
   0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99,
   0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95,
   0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
 };
 
+CONST UINTN mSizeOfSha256OfDevNull = sizeof mSha256OfDevNull;
+
+
 //
 // The following test cases of the Secure Boot Logo Test in the Microsoft
 // Hardware Certification Kit:
 //
 // - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
 // - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
 //
 // expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
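Review bot: the unchanged context line "in natural English langauge" carries a typo ("language"); since this patch already moves the block into AuthData.c, it is a cheap fix to fold in here or in a follow-up.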
@@ -535,375 +542,12 @@ STATIC CONST UINT8 mSha256OfDevNull[] = {
 // - "Microsoft Corporation UEFI CA 2011" (in db)
 //
 // This is despite the fact that the UEFI specification requires
 // EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
 // application or driver) that enrolled and therefore owns
 // EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
 // EFI_SIGNATURE_DATA.SignatureData.
 //
-STATIC CONST EFI_GUID mMicrosoftOwnerGuid = {
+CONST EFI_GUID mMicrosoftOwnerGuid = {
   0x77fa9abd, 0x0359, 0x4d32,
   { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
 };
-
-/**
-  Enroll a set of certificates in a global variable, overwriting it.
-
-  The variable will be rewritten with NV+BS+RT+AT attributes.
-
-  @param[in] VariableName  The name of the variable to overwrite.
-
-  @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
-                           overwrite.
-
-  @param[in] CertType      The GUID determining the type of all the
-                           certificates in the set that is passed in. For
-                           example, gEfiCertX509Guid stands for DER-encoded
-                           X.509 certificates, while gEfiCertSha256Guid stands
-                           for SHA256 image hashes.
-
-  @param[in] ...           A list of
-
-                             IN CONST UINT8    *Cert,
-                             IN UINTN          CertSize,
-                             IN CONST EFI_GUID *OwnerGuid
-
-                           triplets. If the first component of a triplet is
-                           NULL, then the other two components are not
-                           accessed, and processing is terminated. The list of
-                           certificates is enrolled in the variable specified,
-                           overwriting it. The OwnerGuid component identifies
-                           the agent installing the certificate.
-
-  @retval EFI_INVALID_PARAMETER  The triplet list is empty (ie. the first Cert
-                                 value is NULL), or one of the CertSize values
-                                 is 0, or one of the CertSize values would
-                                 overflow the accumulated UINT32 data size.
-
-  @retval EFI_OUT_OF_RESOURCES   Out of memory while formatting variable
-                                 payload.
-
-  @retval EFI_SUCCESS            Enrollment successful; the variable has been
-                                 overwritten (or created).
-
-  @return                        Error codes from gRT->GetTime() and
-                                 gRT->SetVariable().
-**/
-STATIC
-EFI_STATUS
-EFIAPI
-EnrollListOfCerts (
-  IN CHAR16   *VariableName,
-  IN EFI_GUID *VendorGuid,
-  IN EFI_GUID *CertType,
-  ...
-  )
-{
-  UINTN            DataSize;
-  SINGLE_HEADER    *SingleHeader;
-  REPEATING_HEADER *RepeatingHeader;
-  VA_LIST          Marker;
-  CONST UINT8      *Cert;
-  EFI_STATUS       Status;
-  UINT8            *Data;
-  UINT8            *Position;
-
-  Status = EFI_SUCCESS;
-
-  //
-  // compute total size first, for UINT32 range check, and allocation
-  //
-  DataSize = sizeof *SingleHeader;
-  VA_START (Marker, CertType);
-  for (Cert = VA_ARG (Marker, CONST UINT8 *);
-       Cert != NULL;
-       Cert = VA_ARG (Marker, CONST UINT8 *)) {
-    UINTN          CertSize;
-
-    CertSize = VA_ARG (Marker, UINTN);
-    (VOID)VA_ARG (Marker, CONST EFI_GUID *);
-
-    if (CertSize == 0 ||
-        CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||
-        DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {
-      Status = EFI_INVALID_PARAMETER;
-      break;
-    }
-    DataSize += sizeof *RepeatingHeader + CertSize;
-  }
-  VA_END (Marker);
-
-  if (DataSize == sizeof *SingleHeader) {
-    Status = EFI_INVALID_PARAMETER;
-  }
-  if (EFI_ERROR (Status)) {
-    goto Out;
-  }
-
-  Data = AllocatePool (DataSize);
-  if (Data == NULL) {
-    Status = EFI_OUT_OF_RESOURCES;
-    goto Out;
-  }
-
-  Position = Data;
-
-  SingleHeader = (SINGLE_HEADER *)Position;
-  Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);
-  if (EFI_ERROR (Status)) {
-    goto FreeData;
-  }
-  SingleHeader->TimeStamp.Pad1       = 0;
-  SingleHeader->TimeStamp.Nanosecond = 0;
-  SingleHeader->TimeStamp.TimeZone   = 0;
-  SingleHeader->TimeStamp.Daylight   = 0;
-  SingleHeader->TimeStamp.Pad2       = 0;
-#if 0
-  SingleHeader->dwLength         = DataSize - sizeof SingleHeader->TimeStamp;
-#else
-  //
-  // This looks like a bug in edk2. According to the UEFI specification,
-  // dwLength is "The length of the entire certificate, including the length of
-  // the header, in bytes". That shouldn't stop right after CertType -- it
-  // should include everything below it.
-  //
-  SingleHeader->dwLength         = sizeof *SingleHeader
-                                     - sizeof SingleHeader->TimeStamp;
-#endif
-  SingleHeader->wRevision        = 0x0200;
-  SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;
-  CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);
-  Position += sizeof *SingleHeader;
-
-  VA_START (Marker, CertType);
-  for (Cert = VA_ARG (Marker, CONST UINT8 *);
-       Cert != NULL;
-       Cert = VA_ARG (Marker, CONST UINT8 *)) {
-    UINTN            CertSize;
-    CONST EFI_GUID   *OwnerGuid;
-
-    CertSize  = VA_ARG (Marker, UINTN);
-    OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
-
-    RepeatingHeader = (REPEATING_HEADER *)Position;
-    CopyGuid (&RepeatingHeader->SignatureType, CertType);
-    RepeatingHeader->SignatureListSize   =
-      (UINT32)(sizeof *RepeatingHeader + CertSize);
-    RepeatingHeader->SignatureHeaderSize = 0;
-    RepeatingHeader->SignatureSize       =
-      (UINT32)(sizeof RepeatingHeader->SignatureOwner + CertSize);
-    CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);
-    Position += sizeof *RepeatingHeader;
-
-    CopyMem (Position, Cert, CertSize);
-    Position += CertSize;
-  }
-  VA_END (Marker);
-
-  ASSERT (Data + DataSize == Position);
-
-  Status = gRT->SetVariable (VariableName, VendorGuid,
-                  (EFI_VARIABLE_NON_VOLATILE |
-                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
-                   EFI_VARIABLE_RUNTIME_ACCESS |
-                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
-                  DataSize, Data);
-
-FreeData:
-  FreePool (Data);
-
-Out:
-  if (EFI_ERROR (Status)) {
-    AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
-      VendorGuid, Status);
-  }
-  return Status;
-}
-
-
-STATIC
-EFI_STATUS
-GetExact (
-  IN CHAR16   *VariableName,
-  IN EFI_GUID *VendorGuid,
-  OUT VOID    *Data,
-  IN UINTN    DataSize,
-  IN BOOLEAN  AllowMissing
-  )
-{
-  UINTN      Size;
-  EFI_STATUS Status;
-
-  Size = DataSize;
-  Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);
-  if (EFI_ERROR (Status)) {
-    if (Status == EFI_NOT_FOUND && AllowMissing) {
-      ZeroMem (Data, DataSize);
-      return EFI_SUCCESS;
-    }
-
-    AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,
-      VendorGuid, Status);
-    return Status;
-  }
-
-  if (Size != DataSize) {
-    AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
-      "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
-    return EFI_PROTOCOL_ERROR;
-  }
-
-  return EFI_SUCCESS;
-}
-
-STATIC
-EFI_STATUS
-GetSettings (
-  OUT SETTINGS *Settings
-  )
-{
-  EFI_STATUS Status;
-
-  Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
-             &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
-  if (EFI_ERROR (Status)) {
-    return Status;
-  }
-
-  Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,
-             &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);
-  if (EFI_ERROR (Status)) {
-    return Status;
-  }
-
-  Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,
-             &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,
-             sizeof Settings->SecureBootEnable, TRUE);
-  if (EFI_ERROR (Status)) {
-    return Status;
-  }
-
-  Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
-             &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);
-  if (EFI_ERROR (Status)) {
-    return Status;
-  }
-
-  Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
-             &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
-  return Status;
-}
-
-STATIC
-VOID
-PrintSettings (
-  IN CONST SETTINGS *Settings
-  )
-{
-  AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
-    "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
-    Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
-}
-
-
-INTN
-EFIAPI
-ShellAppMain (
-  IN UINTN  Argc,
-  IN CHAR16 **Argv
-  )
-{
-  EFI_STATUS Status;
-  SETTINGS   Settings;
-
-  Status = GetSettings (&Settings);
-  if (EFI_ERROR (Status)) {
-    return 1;
-  }
-  PrintSettings (&Settings);
-
-  if (Settings.SetupMode != 1) {
-    AsciiPrint ("error: already in User Mode\n");
-    return 1;
-  }
-
-  if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
-    Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
-    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
-                    (EFI_VARIABLE_NON_VOLATILE |
-                     EFI_VARIABLE_BOOTSERVICE_ACCESS),
-                    sizeof Settings.CustomMode, &Settings.CustomMode);
-    if (EFI_ERROR (Status)) {
-      AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
-        &gEfiCustomModeEnableGuid, Status);
-      return 1;
-    }
-  }
-
-  Status = EnrollListOfCerts (
-             EFI_IMAGE_SECURITY_DATABASE,
-             &gEfiImageSecurityDatabaseGuid,
-             &gEfiCertX509Guid,
-             mMicrosoftPca,    sizeof mMicrosoftPca,    &mMicrosoftOwnerGuid,
-             mMicrosoftUefiCa, sizeof mMicrosoftUefiCa, &mMicrosoftOwnerGuid,
-             NULL);
-  if (EFI_ERROR (Status)) {
-    return 1;
-  }
-
-  Status = EnrollListOfCerts (
-             EFI_IMAGE_SECURITY_DATABASE1,
-             &gEfiImageSecurityDatabaseGuid,
-             &gEfiCertSha256Guid,
-             mSha256OfDevNull, sizeof mSha256OfDevNull, &gEfiCallerIdGuid,
-             NULL);
-  if (EFI_ERROR (Status)) {
-    return 1;
-  }
-
-  Status = EnrollListOfCerts (
-             EFI_KEY_EXCHANGE_KEY_NAME,
-             &gEfiGlobalVariableGuid,
-             &gEfiCertX509Guid,
-             mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiCallerIdGuid,
-             mMicrosoftKek, sizeof mMicrosoftKek, &mMicrosoftOwnerGuid,
-             NULL);
-  if (EFI_ERROR (Status)) {
-    return 1;
-  }
-
-  Status = EnrollListOfCerts (
-             EFI_PLATFORM_KEY_NAME,
-             &gEfiGlobalVariableGuid,
-             &gEfiCertX509Guid,
-             mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiGlobalVariableGuid,
-             NULL);
-  if (EFI_ERROR (Status)) {
-    return 1;
-  }
-
-  Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
-  Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
-                  EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
-                  sizeof Settings.CustomMode, &Settings.CustomMode);
-  if (EFI_ERROR (Status)) {
-    AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
-      &gEfiCustomModeEnableGuid, Status);
-    return 1;
-  }
-
-  Status = GetSettings (&Settings);
-  if (EFI_ERROR (Status)) {
-    return 1;
-  }
-  PrintSettings (&Settings);
-
-  if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
-      Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
-      Settings.VendorKeys != 0) {
-    AsciiPrint ("error: unexpected\n");
-    return 1;
-  }
-
-  AsciiPrint ("info: success\n");
-  return 0;
-}
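Review bot: the deleted dbx enrollment triplet `mSha256OfDevNull, sizeof mSha256OfDevNull, &gEfiCallerIdGuid,` cannot be carried over to another translation unit unchanged, because the first hunk turns `mSha256OfDevNull` into an externally visible array and introduces `mSizeOfSha256OfDevNull` for exactly this reason; the relocated `ShellAppMain` must pass `mSizeOfSha256OfDevNull` as the second component of that triplet, otherwise `sizeof` on the unsized extern declaration will not compile. Please confirm that in the destination copy. Since the rest of this hunk is a pure removal of `EnrollListOfCerts`, `GetExact`, `GetSettings`, `PrintSettings` and `ShellAppMain` (the only other change being `STATIC` dropped from `mMicrosoftOwnerGuid`), also verify that the moved `EnrollListOfCerts` keeps two things verbatim: the `#if 0` block with its "This looks like a bug in edk2" comment, which deliberately sets `dwLength` to the header size only, and the `CertSize > MAX_UINT32 - sizeof *RepeatingHeader` / `DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize` checks, which are what make the later `(UINT32)(sizeof *RepeatingHeader + CertSize)` cast for `SignatureListSize` safe.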
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index fefea6638887..528718b15ae9 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -12,544 +12,16 @@
 #include <Library/DebugLib.h>                    // ASSERT()
 #include <Library/MemoryAllocationLib.h>         // FreePool()
 #include <Library/ShellCEntryLib.h>              // ShellAppMain()
 #include <Library/UefiLib.h>                     // AsciiPrint()
 #include <Library/UefiRuntimeServicesTableLib.h> // gRT
 
 #include "EnrollDefaultKeys.h"
 
-//
-// We'll use the certificate below as both Platform Key and as first Key
-// Exchange Key.
-//
-// "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
-// SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
-//
-STATIC CONST UINT8 mRedHatPkKek1[] = {
-  0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, 0x02,
-  0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, 0x0d,
-  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
-  0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22,
-  0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
-  0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45,
-  0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06,
-  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73,
-  0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61,
-  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
-  0x33, 0x31, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, 0x37,
-  0x31, 0x30, 0x32, 0x35, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x30, 0x51,
-  0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x52, 0x65,
-  0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20,
-  0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45, 0x4b, 0x20,
-  0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a,
-  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,
-  0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, 0x2e,
-  0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
-  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
-  0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x90, 0x1f, 0x84,
-  0x7b, 0x8d, 0xbc, 0xeb, 0x97, 0x26, 0x82, 0x6d, 0x88, 0xab, 0x8a, 0xc9, 0x8c,
-  0x68, 0x70, 0xf9, 0xdf, 0x4b, 0x07, 0xb2, 0x37, 0x83, 0x0b, 0x02, 0xc8, 0x67,
-  0x68, 0x30, 0x9e, 0xe3, 0xf0, 0xf0, 0x99, 0x4a, 0xb8, 0x59, 0x57, 0xc6, 0x41,
-  0xf6, 0x38, 0x8b, 0xfe, 0x66, 0x4c, 0x49, 0xe9, 0x37, 0x37, 0x92, 0x2e, 0x98,
-  0x01, 0x1e, 0x5b, 0x14, 0x50, 0xe6, 0xa8, 0x8d, 0x25, 0x0d, 0xf5, 0x86, 0xe6,
-  0xab, 0x30, 0xcb, 0x40, 0x16, 0xea, 0x8d, 0x8b, 0x16, 0x86, 0x70, 0x43, 0x37,
-  0xf2, 0xce, 0xc0, 0x91, 0xdf, 0x71, 0x14, 0x8e, 0x99, 0x0e, 0x89, 0xb6, 0x4c,
-  0x6d, 0x24, 0x1e, 0x8c, 0xe4, 0x2f, 0x4f, 0x25, 0xd0, 0xba, 0x06, 0xf8, 0xc6,
-  0xe8, 0x19, 0x18, 0x76, 0x73, 0x1d, 0x81, 0x6d, 0xa8, 0xd8, 0x05, 0xcf, 0x3a,
-  0xc8, 0x7b, 0x28, 0xc8, 0x36, 0xa3, 0x16, 0x0d, 0x29, 0x8c, 0x99, 0x9a, 0x68,
-  0xdc, 0xab, 0xc0, 0x4d, 0x8d, 0xbf, 0x5a, 0xbb, 0x2b, 0xa9, 0x39, 0x4b, 0x04,
-  0x97, 0x1c, 0xf9, 0x36, 0xbb, 0xc5, 0x3a, 0x86, 0x04, 0xae, 0xaf, 0xd4, 0x82,
-  0x7b, 0xe0, 0xab, 0xde, 0x49, 0x05, 0x68, 0xfc, 0xf6, 0xae, 0x68, 0x1a, 0x6c,
-  0x90, 0x4d, 0x57, 0x19, 0x3c, 0x64, 0x66, 0x03, 0xf6, 0xc7, 0x52, 0x9b, 0xf7,
-  0x94, 0xcf, 0x93, 0x6a, 0xa1, 0x68, 0xc9, 0xaa, 0xcf, 0x99, 0x6b, 0xbc, 0xaa,
-  0x5e, 0x08, 0xe7, 0x39, 0x1c, 0xf7, 0xf8, 0x0f, 0xba, 0x06, 0x7e, 0xf1, 0xcb,
-  0xe8, 0x76, 0xdd, 0xfe, 0x22, 0xda, 0xad, 0x3a, 0x5e, 0x5b, 0x34, 0xea, 0xb3,
-  0xc9, 0xe0, 0x4d, 0x04, 0x29, 0x7e, 0xb8, 0x60, 0xb9, 0x05, 0xef, 0xb5, 0xd9,
-  0x17, 0x58, 0x56, 0x16, 0x60, 0xb9, 0x30, 0x32, 0xf0, 0x36, 0x4a, 0xc3, 0xf2,
-  0x79, 0x8d, 0x12, 0x40, 0x70, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x7b,
-  0x30, 0x79, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00,
-  0x30, 0x2c, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x0d,
-  0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, 0x47,
-  0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72, 0x74,
-  0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
-  0x0e, 0x04, 0x16, 0x04, 0x14, 0x3c, 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a,
-  0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42, 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30,
-  0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x3c,
-  0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a, 0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42,
-  0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
-  0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
-  0x5c, 0x4d, 0x92, 0x88, 0xb4, 0x82, 0x5f, 0x1d, 0xad, 0x8b, 0x11, 0xec, 0xdf,
-  0x06, 0xa6, 0x7a, 0xa5, 0x2b, 0x9f, 0x37, 0x55, 0x0c, 0x8d, 0x6e, 0x05, 0x00,
-  0xad, 0xb7, 0x0c, 0x41, 0x89, 0x69, 0xcf, 0xd6, 0x65, 0x06, 0x9b, 0x51, 0x78,
-  0xd2, 0xad, 0xc7, 0xbf, 0x9c, 0xdc, 0x05, 0x73, 0x7f, 0xe7, 0x1e, 0x39, 0x13,
-  0xb4, 0xea, 0xb6, 0x30, 0x7d, 0x40, 0x75, 0xab, 0x9c, 0x43, 0x0b, 0xdf, 0xb0,
-  0xc2, 0x1b, 0xbf, 0x30, 0xe0, 0xf4, 0xfe, 0xc0, 0xdb, 0x62, 0x21, 0x98, 0xf6,
-  0xc5, 0xaf, 0xde, 0x3b, 0x4f, 0x49, 0x0a, 0xe6, 0x1e, 0xf9, 0x86, 0xb0, 0x3f,
-  0x0d, 0xd6, 0xd4, 0x46, 0x37, 0xdb, 0x54, 0x74, 0x5e, 0xff, 0x11, 0xc2, 0x60,
-  0xc6, 0x70, 0x58, 0xc5, 0x1c, 0x6f, 0xec, 0xb2, 0xd8, 0x6e, 0x6f, 0xc3, 0xbc,
-  0x33, 0x87, 0x38, 0xa4, 0xf3, 0x44, 0x64, 0x9c, 0x34, 0x3b, 0x28, 0x94, 0x26,
-  0x78, 0x27, 0x9f, 0x16, 0x17, 0xe8, 0x3b, 0x69, 0x0a, 0x25, 0xa9, 0x73, 0x36,
-  0x7e, 0x9e, 0x37, 0x5c, 0xec, 0xe8, 0x3f, 0xdb, 0x91, 0xf9, 0x12, 0xb3, 0x3d,
-  0xce, 0xe7, 0xdd, 0x15, 0xc3, 0xae, 0x8c, 0x05, 0x20, 0x61, 0x9b, 0x95, 0xde,
-  0x9b, 0xaf, 0xfa, 0xb1, 0x5c, 0x1c, 0xe5, 0x97, 0xe7, 0xc3, 0x34, 0x11, 0x85,
-  0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, 0x90,
-  0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, 0xaf,
-  0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, 0x37,
-  0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, 0xb7,
-  0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, 0x43,
-  0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69
-};
-
-//
-// Second KEK: "Microsoft Corporation KEK CA 2011".
-// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
-//
-// "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
-//
-STATIC CONST UINT8 mMicrosoftKek[] = {
-  0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
-  0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
-  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
-  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
-  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
-  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
-  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
-  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
-  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
-  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
-  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
-  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
-  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
-  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
-  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
-  0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32,
-  0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, 0x30,
-  0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
-  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
-  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
-  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
-  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
-  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06,
-  0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
-  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
-  0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31,
-  0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
-  0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
-  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, 0xad,
-  0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, 0x5d,
-  0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, 0xeb,
-  0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, 0xe3,
-  0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, 0x9b,
-  0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, 0xac,
-  0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, 0xc8,
-  0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, 0xc0,
-  0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, 0xe2,
-  0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, 0x89,
-  0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, 0xc2,
-  0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, 0x03,
-  0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, 0x7e,
-  0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, 0xeb,
-  0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, 0x2f,
-  0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, 0xaa,
-  0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, 0x9f,
-  0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, 0xc6,
-  0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, 0xaf,
-  0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, 0x07,
-  0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, 0x30,
-  0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
-  0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,
-  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, 0xa4,
-  0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, 0x5f,
-  0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02,
-  0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
-  0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01,
-  0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
-  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
-  0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, 0x11,
-  0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, 0x30,
-  0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, 0xa0,
-  0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
-  0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e,
-  0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70,
-  0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f,
-  0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f,
-  0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63,
-  0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01,
-  0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
-  0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
-  0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
-  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, 0x74,
-  0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61,
-  0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d,
-  0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09,
-  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
-  0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, 0x2a,
-  0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, 0x66,
-  0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, 0x5a,
-  0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, 0x64,
-  0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, 0x58,
-  0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, 0xd0,
-  0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, 0xf5,
-  0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, 0xec,
-  0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, 0xd7,
-  0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, 0x28,
-  0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, 0x79,
-  0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, 0x7b,
-  0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, 0xd8,
-  0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, 0x19,
-  0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, 0x58,
-  0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, 0x0d,
-  0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, 0x2d,
-  0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, 0xc8,
-  0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, 0x60,
-  0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, 0xac,
-  0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, 0x87,
-  0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, 0xcd,
-  0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, 0x81,
-  0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, 0x92,
-  0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, 0xe0,
-  0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, 0xaf,
-  0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, 0xfb,
-  0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, 0x68,
-  0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, 0xad,
-  0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, 0x82,
-  0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, 0x14,
-  0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, 0x4f,
-  0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, 0x9b,
-  0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, 0xb0,
-  0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
-  0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
-  0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
-  0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
-  0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
-  0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
-};
-
-//
-// First DB entry: "Microsoft Windows Production PCA 2011"
-// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
-//
-// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
-// rooted in this certificate.
-//
-STATIC CONST UINT8 mMicrosoftPca[] = {
-  0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
-  0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
-  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
-  0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
-  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
-  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
-  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
-  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
-  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
-  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30,
-  0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f,
-  0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72,
-  0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
-  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17,
-  0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, 0x32,
-  0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, 0x31,
-  0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
-  0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
-  0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f,
-  0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52,
-  0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55,
-  0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
-  0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31,
-  0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, 0x63,
-  0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77,
-  0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20,
-  0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30,
-  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
-  0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
-  0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, 0xf7,
-  0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, 0xcb,
-  0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, 0x8b,
-  0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, 0xe3,
-  0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, 0xc0,
-  0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, 0x74,
-  0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, 0x67,
-  0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, 0x53,
-  0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, 0x23,
-  0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, 0xa3,
-  0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, 0xff,
-  0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, 0xe2,
-  0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, 0x22,
-  0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, 0xf3,
-  0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, 0x2b,
-  0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, 0xbc,
-  0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, 0xd6,
-  0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, 0xe8,
-  0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, 0xa8,
-  0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, 0x03,
-  0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, 0x10,
-  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
-  0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
-  0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, 0xf9,
-  0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, 0x2b,
-  0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00,
-  0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03,
-  0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03,
-  0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
-  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
-  0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, 0x94,
-  0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, 0x1d,
-  0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, 0x45,
-  0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69,
-  0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
-  0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63,
-  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41,
-  0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33,
-  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
-  0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
-  0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, 0x3a,
-  0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
-  0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65,
-  0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72,
-  0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32,
-  0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
-  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x14,
-  0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, 0xbc,
-  0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, 0xd0,
-  0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, 0x61,
-  0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, 0xda,
-  0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, 0x6a,
-  0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, 0xe2,
-  0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, 0xea,
-  0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, 0x30,
-  0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, 0x86,
-  0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, 0xc8,
-  0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, 0xae,
-  0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, 0xb8,
-  0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, 0xac,
-  0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, 0x84,
-  0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, 0x73,
-  0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, 0x73,
-  0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, 0x60,
-  0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, 0xb6,
-  0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, 0x2a,
-  0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, 0xba,
-  0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, 0xce,
-  0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, 0x0f,
-  0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, 0x6e,
-  0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, 0xd3,
-  0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, 0x45,
-  0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, 0xd0,
-  0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, 0x24,
-  0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, 0x2c,
-  0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, 0xdf,
-  0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, 0x6c,
-  0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, 0xf2,
-  0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, 0x5c,
-  0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, 0x47,
-  0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, 0x5a,
-  0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
-  0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
-  0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
-  0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
-  0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
-  0x62, 0x1c, 0x59, 0x7e
-};
-
-//
-// Second DB entry: "Microsoft Corporation UEFI CA 2011"
-// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
-//
-// To verify the "shim" binary and PCI expansion ROMs with.
-//
-STATIC CONST UINT8 mMicrosoftUefiCa[] = {
-  0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
-  0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
-  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
-  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
-  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
-  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
-  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
-  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
-  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
-  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
-  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
-  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
-  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
-  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
-  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
-  0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x32,
-  0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30,
-  0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
-  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
-  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
-  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
-  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
-  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, 0x06,
-  0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
-  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
-  0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31,
-  0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
-  0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
-  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, 0xc7,
-  0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, 0x43,
-  0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, 0x73,
-  0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, 0xd3,
-  0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, 0x54,
-  0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, 0x5c,
-  0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, 0x4f,
-  0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, 0xae,
-  0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, 0x1d,
-  0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, 0xfa,
-  0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, 0xff,
-  0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, 0x7b,
-  0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, 0xe6,
-  0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, 0x62,
-  0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, 0x08,
-  0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, 0xe7,
-  0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, 0xb2,
-  0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, 0x7f,
-  0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, 0x8b,
-  0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, 0x6a,
-  0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x76,
-  0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01,
-  0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x23,
-  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, 0x16,
-  0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, 0x37,
-  0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, 0x03,
-  0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, 0xbd,
-  0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, 0x1b,
-  0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14,
-  0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43,
-  0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
-  0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
-  0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
-  0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58,
-  0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8,
-  0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51,
-  0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
-  0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
-  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f,
-  0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43,
-  0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f,
-  0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e,
-  0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
-  0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01,
-  0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
-  0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
-  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72,
-  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50,
-  0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30,
-  0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06,
-  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
-  0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, 0x76,
-  0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, 0xef,
-  0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, 0x13,
-  0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, 0x82,
-  0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, 0x1a,
-  0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, 0x20,
-  0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, 0x90,
-  0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, 0x52,
-  0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, 0x6d,
-  0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, 0xaf,
-  0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, 0x49,
-  0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, 0x34,
-  0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, 0x75,
-  0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, 0xb9,
-  0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, 0x8f,
-  0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, 0x8c,
-  0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, 0x56,
-  0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, 0xae,
-  0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, 0x4a,
-  0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, 0x3c,
-  0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, 0x59,
-  0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, 0x3d,
-  0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, 0x53,
-  0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, 0x1b,
-  0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, 0x98,
-  0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, 0x85,
-  0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, 0xd2,
-  0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, 0xe2,
-  0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, 0x6c,
-  0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, 0x3b,
-  0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, 0x27,
-  0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, 0xa6,
-  0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, 0x3f,
-  0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, 0x55,
-  0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
-  0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
-  0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
-  0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
-  0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
-  0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
-};
-
-//
-// The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test case
-// of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit
-// expects that the "dbx" variable exist.
-//
-// The article at <https://technet.microsoft.com/en-us/library/dn747883.aspx>
-// writes (excerpt):
-//
-//    Windows 8.1 Secure Boot Key Creation and Management Guidance
-//    1. Secure Boot, Windows 8.1 and Key Management
-//    1.4 Signature Databases (Db and Dbx)
-//    1.4.3 Forbidden Signature Database (dbx)
-//
-//    The contents of EFI_IMAGE_SIGNATURE_DATABASE1 dbx must be checked when
-//    verifying images before checking db and any matches must prevent the
-//    image from executing. The database may contain multiple certificates,
-//    keys, and hashes in order to identify forbidden images. The Windows
-//    Hardware Certification Requirements state that a dbx must be present, so
-//    any dummy value, such as the SHA-256 hash of 0, may be used as a safe
-//    placeholder until such time as Microsoft begins delivering dbx updates.
-//
-// The byte array below captures the SHA256 checksum of the empty file,
-// blacklisting it for loading & execution. This qualifies as a dummy, since
-// the empty file is not a valid UEFI binary anyway.
-//
-// Technically speaking, we could also capture an official (although soon to be
-// obsolete) dbx update from <http://www.uefi.org/revocationlistfile>. However,
-// the terms and conditions on distributing that binary aren't exactly light
-// reading, so let's best steer clear of it, and follow the "dummy entry"
-// practice recommended -- in natural English langauge -- in the
-// above-referenced TechNet article.
-//
-STATIC CONST UINT8 mSha256OfDevNull[] = {
-  0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99,
-  0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95,
-  0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
-};
-
-//
-// The following test cases of the Secure Boot Logo Test in the Microsoft
-// Hardware Certification Kit:
-//
-// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
-// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
-//
-// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
-// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
-// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
-// certificates:
-//
-// - "Microsoft Corporation KEK CA 2011" (in KEK)
-// - "Microsoft Windows Production PCA 2011" (in db)
-// - "Microsoft Corporation UEFI CA 2011" (in db)
-//
-// This is despite the fact that the UEFI specification requires
-// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
-// application or driver) that enrolled and therefore owns
-// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
-// EFI_SIGNATURE_DATA.SignatureData.
-//
-STATIC CONST EFI_GUID mMicrosoftOwnerGuid = {
-  0x77fa9abd, 0x0359, 0x4d32,
-  { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
-};
-
 /**
   Enroll a set of certificates in a global variable, overwriting it.
 
   The variable will be rewritten with NV+BS+RT+AT attributes.
 
   @param[in] VariableName  The name of the variable to overwrite.
 
   @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
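Review bot: the dbx comment block leaving this file carries the typo "langauge" ("in natural English langauge"); since the block is relocated verbatim to AuthData.c, correcting the spelling in its new home is cheap to fold into this patch or a follow-up. The same comment states a caveat that should survive the move intact: the only dbx entry is the SHA-256 of the empty file, a placeholder that satisfies the HCK OutOfBoxConfirmDBXisPresent check but revokes nothing real, so a deployment that wants actual revocation has to replace it with the official UEFI revocation list the comment points at.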
@@ -838,49 +310,49 @@ ShellAppMain (
       return 1;
     }
   }
 
   Status = EnrollListOfCerts (
              EFI_IMAGE_SECURITY_DATABASE,
              &gEfiImageSecurityDatabaseGuid,
              &gEfiCertX509Guid,
-             mMicrosoftPca,    sizeof mMicrosoftPca,    &mMicrosoftOwnerGuid,
-             mMicrosoftUefiCa, sizeof mMicrosoftUefiCa, &mMicrosoftOwnerGuid,
+             mMicrosoftPca,    mSizeOfMicrosoftPca,    &mMicrosoftOwnerGuid,
+             mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &mMicrosoftOwnerGuid,
              NULL);
   if (EFI_ERROR (Status)) {
     return 1;
   }
 
   Status = EnrollListOfCerts (
              EFI_IMAGE_SECURITY_DATABASE1,
              &gEfiImageSecurityDatabaseGuid,
              &gEfiCertSha256Guid,
-             mSha256OfDevNull, sizeof mSha256OfDevNull, &gEfiCallerIdGuid,
+             mSha256OfDevNull, mSizeOfSha256OfDevNull, &gEfiCallerIdGuid,
              NULL);
   if (EFI_ERROR (Status)) {
     return 1;
   }
 
   Status = EnrollListOfCerts (
              EFI_KEY_EXCHANGE_KEY_NAME,
              &gEfiGlobalVariableGuid,
              &gEfiCertX509Guid,
-             mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiCallerIdGuid,
-             mMicrosoftKek, sizeof mMicrosoftKek, &mMicrosoftOwnerGuid,
+             mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid,
+             mMicrosoftKek, mSizeOfMicrosoftKek, &mMicrosoftOwnerGuid,
              NULL);
   if (EFI_ERROR (Status)) {
     return 1;
   }
 
   Status = EnrollListOfCerts (
              EFI_PLATFORM_KEY_NAME,
              &gEfiGlobalVariableGuid,
              &gEfiCertX509Guid,
-             mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiGlobalVariableGuid,
+             mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiGlobalVariableGuid,
              NULL);
   if (EFI_ERROR (Status)) {
     return 1;
   }
 
   Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
   Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
                   EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
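Review bot: replacing `sizeof mMicrosoftPca` with `mSizeOfMicrosoftPca` (and likewise for the other four arrays) is required rather than cosmetic: once the arrays are only visible here through `extern CONST UINT8 mMicrosoftPca[]`, `sizeof` on the incomplete array type would not compile, and the UINTN constants are defined as `sizeof` of the arrays right next to them in AuthData.c, so they cannot drift from the real lengths. Separately, the SignatureOwner passed for the PK entry is `&gEfiGlobalVariableGuid` while the same Red Hat certificate enrolled into KEK uses `&gEfiCallerIdGuid`; a one-line comment on why the PK owner differs would spare the next reader the question.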
-- 
2.19.1.3.g30247aa5d201




* [PATCH 11/16] OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID
  2019-04-27  0:53 [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app Laszlo Ersek
                   ` (9 preceding siblings ...)
  2019-04-27  0:53 ` [PATCH 10/16] OvmfPkg/EnrollDefaultKeys: split out certificate and signature constants Laszlo Ersek
@ 2019-04-27  0:53 ` Laszlo Ersek
  2019-04-30  5:11   ` [edk2-devel] " Philippe Mathieu-Daudé
  2019-04-27  0:53 ` [PATCH 12/16] OvmfPkg/EnrollDefaultKeys: describe functions with leading comment blocks Laszlo Ersek
                   ` (8 subsequent siblings)
  19 siblings, 1 reply; 39+ messages in thread
From: Laszlo Ersek @ 2019-04-27  0:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

The GUID

  77FA9ABD-0359-4D32-BD60-28F4E78F784B

is specified in MSDN, at
<https://msdn.microsoft.com/en-us/ie/dn932805(v=vs.94)>, therefore it
deserves an entry in the package DEC file, and a header file under
"Include/Guid".

(Arguably, this GUID declaration / definition could even live under
SecurityPkg, but the edk2 tradition has been to hoist GUIDs,
protocols/PPIs, and lib classes from OvmfPkg to a core package only when
dependent C code is added to the core package.)

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/OvmfPkg.dec                             |  1 +
 OvmfPkg/Include/Guid/MicrosoftVendor.h          | 55 ++++++++++++++++++++
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |  2 +
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h   |  2 -
 OvmfPkg/EnrollDefaultKeys/AuthData.c            | 28 ----------
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   |  7 +--
 6 files changed, 62 insertions(+), 33 deletions(-)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index cc2a4909afd4..922e061cc85c 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -72,16 +72,17 @@ [LibraryClasses]
 [Guids]
   gUefiOvmfPkgTokenSpaceGuid          = {0x93bb96af, 0xb9f2, 0x4eb8, {0x94, 0x62, 0xe0, 0xba, 0x74, 0x56, 0x42, 0x36}}
   gEfiXenInfoGuid                     = {0xd3b46f3b, 0xd441, 0x1244, {0x9a, 0x12, 0x0, 0x12, 0x27, 0x3f, 0xc1, 0x4d}}
   gOvmfPlatformConfigGuid             = {0x7235c51c, 0x0c80, 0x4cab, {0x87, 0xac, 0x3b, 0x08, 0x4a, 0x63, 0x04, 0xb1}}
   gVirtioMmioTransportGuid            = {0x837dca9e, 0xe874, 0x4d82, {0xb2, 0x9a, 0x23, 0xfe, 0x0e, 0x23, 0xd1, 0xe2}}
   gQemuRamfbGuid                      = {0x557423a1, 0x63ab, 0x406c, {0xbe, 0x7e, 0x91, 0xcd, 0xbc, 0x08, 0xc4, 0x57}}
   gXenBusRootDeviceGuid               = {0xa732241f, 0x383d, 0x4d9c, {0x8a, 0xe1, 0x8e, 0x09, 0x83, 0x75, 0x89, 0xd7}}
   gRootBridgesConnectedEventGroupGuid = {0x24a2d66f, 0xeedd, 0x4086, {0x90, 0x42, 0xf2, 0x6e, 0x47, 0x97, 0xee, 0x69}}
+  gMicrosoftVendorGuid                = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}}
 
 [Protocols]
   gVirtioDeviceProtocolGuid           = {0xfa920010, 0x6785, 0x4941, {0xb6, 0xec, 0x49, 0x8c, 0x57, 0x9f, 0x16, 0x0a}}
   gXenBusProtocolGuid                 = {0x3d3ca290, 0xb9a5, 0x11e3, {0xb7, 0x5d, 0xb8, 0xac, 0x6f, 0x7d, 0x65, 0xe6}}
   gXenIoProtocolGuid                  = {0x6efac84f, 0x0ab0, 0x4747, {0x81, 0xbe, 0x85, 0x55, 0x62, 0x59, 0x04, 0x49}}
   gIoMmuAbsentProtocolGuid            = {0xf8775d50, 0x8abd, 0x4adf, {0x92, 0xac, 0x85, 0x3e, 0x51, 0xf6, 0xc8, 0xdc}}
   gEfiLegacy8259ProtocolGuid          = {0x38321dba, 0x4fe0, 0x4e17, {0x8a, 0xec, 0x41, 0x30, 0x55, 0xea, 0xed, 0xc1}}
 
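Review bot: the new gMicrosoftVendorGuid value matches byte for byte both MICROSOFT_VENDOR_GUID in the new header and the mMicrosoftOwnerGuid initializer removed from AuthData.c in this same patch (77fa9abd-0359-4d32-bd60-28f4e78f784b), so the rename changes nothing about which owner GUID lands in the signature lists. The entry also keeps the column alignment of the existing [Guids] block.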
diff --git a/OvmfPkg/Include/Guid/MicrosoftVendor.h b/OvmfPkg/Include/Guid/MicrosoftVendor.h
new file mode 100644
index 000000000000..db7a326c3194
--- /dev/null
+++ b/OvmfPkg/Include/Guid/MicrosoftVendor.h
@@ -0,0 +1,55 @@
+/** @file
+  Declare the GUID that is expected:
+
+  - as EFI_SIGNATURE_DATA.SignatureOwner GUID in association with X509 and
+    RSA2048 Secure Boot certificates issued by/for Microsoft,
+
+  - as UEFI variable vendor GUID in association with (unspecified)
+    Microsoft-owned variables.
+
+  Copyright (C) 2014-2019, Red Hat, Inc.
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+  @par Specification Reference:
+  - MSDN: System.Fundamentals.Firmware at
+    <https://msdn.microsoft.com/en-us/ie/dn932805(v=vs.94)>.
+**/
+
+#ifndef MICROSOFT_VENDOR_H_
+#define MICROSOFT_VENDOR_H_
+
+#include <Uefi/UefiBaseType.h>
+
+//
+// The following test cases of the Secure Boot Logo Test in the Microsoft
+// Hardware Certification Kit:
+//
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
+//
+// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
+// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
+// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
+// certificates:
+//
+// - "Microsoft Corporation KEK CA 2011" (in KEK)
+// - "Microsoft Windows Production PCA 2011" (in db)
+// - "Microsoft Corporation UEFI CA 2011" (in db)
+//
+// This is despite the fact that the UEFI specification requires
+// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
+// application or driver) that enrolled and therefore owns
+// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
+// EFI_SIGNATURE_DATA.SignatureData.
+//
+#define MICROSOFT_VENDOR_GUID                           \
+  { 0x77fa9abd,                                         \
+    0x0359,                                             \
+    0x4d32,                                             \
+    { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, \
+  }
+
+extern EFI_GUID gMicrosoftVendorGuid;
+
+#endif /* MICROSOFT_VENDOR_H_ */
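Review bot: carrying the HCK rationale comment over verbatim rather than rewording it is the right call for a pure move, and the header is self-sufficient (`<Uefi/UefiBaseType.h>` provides EFI_GUID, and the macro's trailing comma inside the initializer is valid C). One wording suggestion for the @file block: "(unspecified) Microsoft-owned variables" invites a reader to go looking for such a variable; if none is enrolled by this application, saying so explicitly avoids the hunt.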
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
index 3f093c768585..28db52586a9b 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
@@ -17,27 +17,29 @@ [Defines]
 [Sources]
   AuthData.c
   EnrollDefaultKeys.c
   EnrollDefaultKeys.h
 
 [Packages]
   MdeModulePkg/MdeModulePkg.dec
   MdePkg/MdePkg.dec
+  OvmfPkg/OvmfPkg.dec
   SecurityPkg/SecurityPkg.dec
   ShellPkg/ShellPkg.dec
 
 [Guids]
   gEfiCertPkcs7Guid
   gEfiCertSha256Guid
   gEfiCertX509Guid
   gEfiCustomModeEnableGuid
   gEfiGlobalVariableGuid
   gEfiImageSecurityDatabaseGuid
   gEfiSecureBootEnableDisableGuid
+  gMicrosoftVendorGuid
 
 [LibraryClasses]
   BaseMemoryLib
   DebugLib
   MemoryAllocationLib
   ShellCEntryLib
   UefiLib
   UefiRuntimeServicesTableLib
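Review bot: adding OvmfPkg/OvmfPkg.dec under [Packages] is what lets the new `gMicrosoftVendorGuid` entry under [Guids] resolve, and both insertions keep the alphabetical order of their sections; nothing further needed here.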
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
index 07f4aa04e469..e3a7e43da4e3 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
@@ -133,11 +133,9 @@ extern CONST UINT8 mMicrosoftPca[];
 extern CONST UINTN mSizeOfMicrosoftPca;
 
 extern CONST UINT8 mMicrosoftUefiCa[];
 extern CONST UINTN mSizeOfMicrosoftUefiCa;
 
 extern CONST UINT8 mSha256OfDevNull[];
 extern CONST UINTN mSizeOfSha256OfDevNull;
 
-extern CONST EFI_GUID mMicrosoftOwnerGuid;
-
 #endif /* ENROLL_DEFAULT_KEYS_H_ */
diff --git a/OvmfPkg/EnrollDefaultKeys/AuthData.c b/OvmfPkg/EnrollDefaultKeys/AuthData.c
index e0a543785fb5..9a96dcc440b3 100644
--- a/OvmfPkg/EnrollDefaultKeys/AuthData.c
+++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c
@@ -518,36 +518,8 @@ CONST UINTN mSizeOfMicrosoftUefiCa = sizeof mMicrosoftUefiCa;
 //
 CONST UINT8 mSha256OfDevNull[] = {
   0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99,
   0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95,
   0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
 };
 
 CONST UINTN mSizeOfSha256OfDevNull = sizeof mSha256OfDevNull;
-
-
-//
-// The following test cases of the Secure Boot Logo Test in the Microsoft
-// Hardware Certification Kit:
-//
-// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
-// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
-//
-// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
-// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
-// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
-// certificates:
-//
-// - "Microsoft Corporation KEK CA 2011" (in KEK)
-// - "Microsoft Windows Production PCA 2011" (in db)
-// - "Microsoft Corporation UEFI CA 2011" (in db)
-//
-// This is despite the fact that the UEFI specification requires
-// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
-// application or driver) that enrolled and therefore owns
-// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
-// EFI_SIGNATURE_DATA.SignatureData.
-//
-CONST EFI_GUID mMicrosoftOwnerGuid = {
-  0x77fa9abd, 0x0359, 0x4d32,
-  { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
-};
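Review bot: removing the mMicrosoftOwnerGuid definition here together with its `extern` in EnrollDefaultKeys.h means any use site missed in EnrollDefaultKeys.c would fail to link rather than silently keep the old symbol, which is the safe failure mode for this kind of rename. The two blank lines dropped with it leave `mSizeOfSha256OfDevNull` as the last definition in the file, consistent with the "two blank lines before each block" convention elsewhere in the series.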
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index 528718b15ae9..e4f6a50e008b 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -3,16 +3,17 @@
 
   Copyright (C) 2014-2019, Red Hat, Inc.
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
 #include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
 #include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
 #include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
+#include <Guid/MicrosoftVendor.h>                // gMicrosoftVendorGuid
 #include <Library/BaseMemoryLib.h>               // CopyGuid()
 #include <Library/DebugLib.h>                    // ASSERT()
 #include <Library/MemoryAllocationLib.h>         // FreePool()
 #include <Library/ShellCEntryLib.h>              // ShellAppMain()
 #include <Library/UefiLib.h>                     // AsciiPrint()
 #include <Library/UefiRuntimeServicesTableLib.h> // gRT
 
 #include "EnrollDefaultKeys.h"
@@ -310,18 +311,18 @@ ShellAppMain (
       return 1;
     }
   }
 
   Status = EnrollListOfCerts (
              EFI_IMAGE_SECURITY_DATABASE,
              &gEfiImageSecurityDatabaseGuid,
              &gEfiCertX509Guid,
-             mMicrosoftPca,    mSizeOfMicrosoftPca,    &mMicrosoftOwnerGuid,
-             mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &mMicrosoftOwnerGuid,
+             mMicrosoftPca,    mSizeOfMicrosoftPca,    &gMicrosoftVendorGuid,
+             mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid,
              NULL);
   if (EFI_ERROR (Status)) {
     return 1;
   }
 
   Status = EnrollListOfCerts (
              EFI_IMAGE_SECURITY_DATABASE1,
              &gEfiImageSecurityDatabaseGuid,
@@ -332,17 +333,17 @@ ShellAppMain (
     return 1;
   }
 
   Status = EnrollListOfCerts (
              EFI_KEY_EXCHANGE_KEY_NAME,
              &gEfiGlobalVariableGuid,
              &gEfiCertX509Guid,
              mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid,
-             mMicrosoftKek, mSizeOfMicrosoftKek, &mMicrosoftOwnerGuid,
+             mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,
              NULL);
   if (EFI_ERROR (Status)) {
     return 1;
   }
 
   Status = EnrollListOfCerts (
              EFI_PLATFORM_KEY_NAME,
              &gEfiGlobalVariableGuid,
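Review bot: with this hunk all three former users of mMicrosoftOwnerGuid (the two db entries and the Microsoft KEK entry) now reference gMicrosoftVendorGuid, which together with the new include accounts for the 4 insertions and 3 deletions the diffstat shows for this file, so no call site is left behind. The entries the application itself owns keep gEfiCallerIdGuid, which is the UEFI-spec-conformant SignatureOwner the header comment contrasts the Microsoft GUID against; that split is worth one sentence in the commit message so the deviation stays deliberate.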
-- 
2.19.1.3.g30247aa5d201




* [PATCH 12/16] OvmfPkg/EnrollDefaultKeys: describe functions with leading comment blocks
@ 2019-04-27  0:53 ` Laszlo Ersek
From: Laszlo Ersek @ 2019-04-27  0:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

The GetExact(), GetSettings(), PrintSettings(), and ShellAppMain()
functions lack leading comment blocks. Supply those.

While at it, make sure that every such comment block is preceded by two
blank lines.

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 73 ++++++++++++++++++++
 1 file changed, 73 insertions(+)

diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index e4f6a50e008b..07297c631f38 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -13,16 +13,17 @@
 #include <Library/DebugLib.h>                    // ASSERT()
 #include <Library/MemoryAllocationLib.h>         // FreePool()
 #include <Library/ShellCEntryLib.h>              // ShellAppMain()
 #include <Library/UefiLib.h>                     // AsciiPrint()
 #include <Library/UefiRuntimeServicesTableLib.h> // gRT
 
 #include "EnrollDefaultKeys.h"
 
+
 /**
   Enroll a set of certificates in a global variable, overwriting it.
 
   The variable will be rewritten with NV+BS+RT+AT attributes.
 
   @param[in] VariableName  The name of the variable to overwrite.
 
   @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
@@ -188,16 +189,54 @@ Out:
   if (EFI_ERROR (Status)) {
     AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
       VendorGuid, Status);
   }
   return Status;
 }
 
 
+/**
+  Read a UEFI variable into a caller-allocated buffer, enforcing an exact size.
+
+  @param[in] VariableName  The name of the variable to read; passed to
+                           gRT->GetVariable().
+
+  @param[in] VendorGuid    The vendor (namespace) GUID of the variable to read;
+                           passed to gRT->GetVariable().
+
+  @param[out] Data         The caller-allocated buffer that is supposed to
+                           receive the variable's contents. On error, the
+                           contents of Data are indeterminate.
+
+  @param[in] DataSize      The size in bytes that the caller requires the UEFI
+                           variable to have. The caller is responsible for
+                           providing room for DataSize bytes in Data.
+
+  @param[in] AllowMissing  If FALSE, the variable is required to exist. If
+                           TRUE, the variable is permitted to be missing.
+
+  @retval EFI_SUCCESS           The UEFI variable exists, has the required size
+                                (DataSize), and has been read into Data.
+
+  @retval EFI_SUCCESS           The UEFI variable doesn't exist, and
+                                AllowMissing is TRUE. DataSize bytes in Data
+                                have been zeroed out.
+
+  @retval EFI_NOT_FOUND         The UEFI variable doesn't exist, and
+                                AllowMissing is FALSE.
+
+  @retval EFI_BUFFER_TOO_SMALL  The UEFI variable exists, but its size is
+                                greater than DataSize.
+
+  @retval EFI_PROTOCOL_ERROR    The UEFI variable exists, but its size is
+                                smaller than DataSize.
+
+  @return                       Error codes propagated from gRT->GetVariable().
+**/
 STATIC
 EFI_STATUS
 GetExact (
   IN CHAR16   *VariableName,
   IN EFI_GUID *VendorGuid,
   OUT VOID    *Data,
   IN UINTN    DataSize,
   IN BOOLEAN  AllowMissing
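Review bot: in the GetExact() comment block, EFI_BUFFER_TOO_SMALL appears to be a status that gRT->GetVariable() returns and GetExact() only passes through, whereas EFI_PROTOCOL_ERROR is the one GetExact() produces itself (the next hunk shows it returned when the actual size is smaller than DataSize); saying so explicitly, for instance by listing EFI_BUFFER_TOO_SMALL under the trailing `@return Error codes propagated from gRT->GetVariable().`, would also make clear that the "contents of Data are indeterminate" caveat covers that path.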
@@ -223,16 +262,41 @@ GetExact (
     AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
       "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
     return EFI_PROTOCOL_ERROR;
   }
 
   return EFI_SUCCESS;
 }
 
+
+/**
+  Populate a SETTINGS structure from the underlying UEFI variables.
+
+  The following UEFI variables are standard variables:
+  - L"SetupMode"  (EFI_SETUP_MODE_NAME)
+  - L"SecureBoot" (EFI_SECURE_BOOT_MODE_NAME)
+  - L"VendorKeys" (EFI_VENDOR_KEYS_VARIABLE_NAME)
+
+  The following UEFI variables are edk2 extensions:
+  - L"SecureBootEnable" (EFI_SECURE_BOOT_ENABLE_NAME)
+  - L"CustomMode"       (EFI_CUSTOM_MODE_NAME)
+
+  The L"SecureBootEnable" UEFI variable is permitted to be missing, in which
+  case the corresponding field in the SETTINGS object will be zeroed out. The
+  rest of the covered UEFI variables are required to exist; otherwise, the
+  function will fail.
+
+  @param[out] Settings  The SETTINGS object to fill.
+
+  @retval EFI_SUCCESS  Settings has been populated.
+
+  @return              Error codes propagated from the GetExact() function. The
+                       contents of Settings are indeterminate.
+**/
 STATIC
 EFI_STATUS
 GetSettings (
   OUT SETTINGS *Settings
   )
 {
   EFI_STATUS Status;
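Review bot: the GetSettings() comment block lists the five variable names but not their vendor GUIDs, and the two edk2 extensions live in different namespaces from the three standard variables (the next hunk reads L"VendorKeys" under gEfiGlobalVariableGuid, while ShellAppMain writes L"CustomMode" under gEfiCustomModeEnableGuid); adding the GUID beside each name would make the list self-contained for a reader who only has this file open.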
 
@@ -261,28 +325,37 @@ GetSettings (
     return Status;
   }
 
   Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
              &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
   return Status;
 }
 
+
+/**
+  Print the contents of a SETTINGS structure to the UEFI console.
+
+  @param[in] Settings  The SETTINGS object to print the contents of.
+**/
 STATIC
 VOID
 PrintSettings (
   IN CONST SETTINGS *Settings
   )
 {
   AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
     "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
     Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
 }
 
 
+/**
+  Entry point function of this shell application.
+**/
 INTN
 EFIAPI
 ShellAppMain (
   IN UINTN  Argc,
   IN CHAR16 **Argv
   )
 {
   EFI_STATUS Status;
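Review bot: the ShellAppMain() comment block is the only one added in this patch without @param and @retval tags; since the function takes Argc and Argv and returns an INTN that the shell reports, one line stating that the arguments are unused and that the return value is 0 on success and 1 on any failure (the visible `return 1;` paths) would match the style of the other blocks.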
-- 
2.19.1.3.g30247aa5d201




* [PATCH 13/16] OvmfPkg/EnrollDefaultKeys: document the steps of the entry point function
@ 2019-04-27  0:53 ` Laszlo Ersek
From: Laszlo Ersek @ 2019-04-27  0:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

The entry point function of EnrollDefaultKeys finishes with a sanity
check, verifying the values of the Secure Boot-related "control"
variables. Add a diagram to explain why we expect the values we do.

While at it, write comments on the rest of the entry point function.

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 54 ++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index 07297c631f38..9c4a0f06fb4d 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -356,92 +356,146 @@ EFIAPI
 ShellAppMain (
   IN UINTN  Argc,
   IN CHAR16 **Argv
   )
 {
   EFI_STATUS Status;
   SETTINGS   Settings;
 
+  //
+  // If we're not in Setup Mode, we can't do anything.
+  //
   Status = GetSettings (&Settings);
   if (EFI_ERROR (Status)) {
     return 1;
   }
   PrintSettings (&Settings);
 
   if (Settings.SetupMode != 1) {
     AsciiPrint ("error: already in User Mode\n");
     return 1;
   }
 
+  //
+  // Enter Custom Mode so we can enroll PK, KEK, db, and dbx without signature
+  // checks on those variable writes.
+  //
   if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
     Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
     Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
                     (EFI_VARIABLE_NON_VOLATILE |
                      EFI_VARIABLE_BOOTSERVICE_ACCESS),
                     sizeof Settings.CustomMode, &Settings.CustomMode);
     if (EFI_ERROR (Status)) {
       AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
         &gEfiCustomModeEnableGuid, Status);
       return 1;
     }
   }
 
+  //
+  // Enroll db.
+  //
   Status = EnrollListOfCerts (
              EFI_IMAGE_SECURITY_DATABASE,
              &gEfiImageSecurityDatabaseGuid,
              &gEfiCertX509Guid,
              mMicrosoftPca,    mSizeOfMicrosoftPca,    &gMicrosoftVendorGuid,
              mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid,
              NULL);
   if (EFI_ERROR (Status)) {
     return 1;
   }
 
+  //
+  // Enroll dbx.
+  //
   Status = EnrollListOfCerts (
              EFI_IMAGE_SECURITY_DATABASE1,
              &gEfiImageSecurityDatabaseGuid,
              &gEfiCertSha256Guid,
              mSha256OfDevNull, mSizeOfSha256OfDevNull, &gEfiCallerIdGuid,
              NULL);
   if (EFI_ERROR (Status)) {
     return 1;
   }
 
+  //
+  // Enroll KEK.
+  //
   Status = EnrollListOfCerts (
              EFI_KEY_EXCHANGE_KEY_NAME,
              &gEfiGlobalVariableGuid,
              &gEfiCertX509Guid,
              mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid,
              mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,
              NULL);
   if (EFI_ERROR (Status)) {
     return 1;
   }
 
+  //
+  // Enroll PK, leaving Setup Mode (entering User Mode) at once.
+  //
   Status = EnrollListOfCerts (
              EFI_PLATFORM_KEY_NAME,
              &gEfiGlobalVariableGuid,
              &gEfiCertX509Guid,
              mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiGlobalVariableGuid,
              NULL);
   if (EFI_ERROR (Status)) {
     return 1;
   }
 
+  //
+  // Leave Custom Mode, so that updates to PK, KEK, db, and dbx require valid
+  // signatures.
+  //
   Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
   Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
                   EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
                   sizeof Settings.CustomMode, &Settings.CustomMode);
   if (EFI_ERROR (Status)) {
     AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
       &gEfiCustomModeEnableGuid, Status);
     return 1;
   }
 
+  //
+  // Final sanity check:
+  //
+  //                                 [SetupMode]
+  //                        (read-only, standardized by UEFI)
+  //                                /                \_
+  //                               0               1, default
+  //                              /                    \_
+  //                      PK enrolled                   no PK enrolled yet,
+  //              (this is called "User Mode")          PK enrollment possible
+  //                             |
+  //                             |
+  //                     [SecureBootEnable]
+  //         (read-write, edk2-specific, boot service only)
+  //                /                           \_
+  //               0                         1, default
+  //              /                               \_
+  //       [SecureBoot]=0                     [SecureBoot]=1
+  // (read-only, standardized by UEFI)  (read-only, standardized by UEFI)
+  //     images are not verified         images are verified, platform is
+  //                                      operating in Secure Boot mode
+  //                                                 |
+  //                                                 |
+  //                                           [CustomMode]
+  //                          (read-write, edk2-specific, boot service only)
+  //                                /                           \_
+  //                          0, default                         1
+  //                              /                               \_
+  //                      PK, KEK, db, dbx                PK, KEK, db, dbx
+  //                    updates are verified          updates are not verified
+  //
   Status = GetSettings (&Settings);
   if (EFI_ERROR (Status)) {
     return 1;
   }
   PrintSettings (&Settings);
 
   if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
       Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
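Review bot: the diagram hangs [CustomMode] under the [SecureBoot]=1 branch, yet the code above toggles L"CustomMode" while SetupMode is still 1 (before PK is enrolled), so a reader may conclude Custom Mode only exists in User Mode; a sentence above the tree saying that CustomMode is independent of SetupMode/SecureBoot and is drawn there only because that is the branch the final check expects would remove the ambiguity. Also, the sanity check compares more variables than the tree shows (VendorKeys is absent), so either add it to the tree or state next to the check why it is expected to be 0 after enrolling keys this way.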
-- 
2.19.1.3.g30247aa5d201




* [PATCH 14/16] OvmfPkg: introduce OVMF_PK_KEK1_APP_PREFIX_GUID
@ 2019-04-27  0:53 ` Laszlo Ersek
From: Laszlo Ersek @ 2019-04-27  0:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

For the EnrollDefaultKeys application, the hypervisor is expected to add a
string entry to the "OEM Strings" (Type 11) SMBIOS table, with the
following format:

4e32566d-8e9e-4f52-81d3-5bb9715f9727:<Base64 X509 cert for PK and first KEK>

The string representation of the GUID at the front is the "application
prefix", in terms of QEMU commit
<https://git.qemu.org/?p=qemu.git;a=commit;h=2d6dcbf93fb0>.

Introduce this GUID in the usual manner.

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/OvmfPkg.dec                        |  1 +
 OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h | 45 ++++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 922e061cc85c..0e555c5c78c5 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -67,16 +67,17 @@ [LibraryClasses]
 
   ##  @libraryclass  Manage XenBus device path and I/O handles
   #
   XenIoMmioLib|Include/Library/XenIoMmioLib.h
 
 [Guids]
   gUefiOvmfPkgTokenSpaceGuid          = {0x93bb96af, 0xb9f2, 0x4eb8, {0x94, 0x62, 0xe0, 0xba, 0x74, 0x56, 0x42, 0x36}}
   gEfiXenInfoGuid                     = {0xd3b46f3b, 0xd441, 0x1244, {0x9a, 0x12, 0x0, 0x12, 0x27, 0x3f, 0xc1, 0x4d}}
+  gOvmfPkKek1AppPrefixGuid            = {0x4e32566d, 0x8e9e, 0x4f52, {0x81, 0xd3, 0x5b, 0xb9, 0x71, 0x5f, 0x97, 0x27}}
   gOvmfPlatformConfigGuid             = {0x7235c51c, 0x0c80, 0x4cab, {0x87, 0xac, 0x3b, 0x08, 0x4a, 0x63, 0x04, 0xb1}}
   gVirtioMmioTransportGuid            = {0x837dca9e, 0xe874, 0x4d82, {0xb2, 0x9a, 0x23, 0xfe, 0x0e, 0x23, 0xd1, 0xe2}}
   gQemuRamfbGuid                      = {0x557423a1, 0x63ab, 0x406c, {0xbe, 0x7e, 0x91, 0xcd, 0xbc, 0x08, 0xc4, 0x57}}
   gXenBusRootDeviceGuid               = {0xa732241f, 0x383d, 0x4d9c, {0x8a, 0xe1, 0x8e, 0x09, 0x83, 0x75, 0x89, 0xd7}}
   gRootBridgesConnectedEventGroupGuid = {0x24a2d66f, 0xeedd, 0x4086, {0x90, 0x42, 0xf2, 0x6e, 0x47, 0x97, 0xee, 0x69}}
   gMicrosoftVendorGuid                = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}}
 
 [Protocols]
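Review bot: gOvmfPkKek1AppPrefixGuid is inserted in the middle of the [Guids] list (between gEfiXenInfoGuid and gOvmfPlatformConfigGuid) whereas gMicrosoftVendorGuid was appended at the end; the value itself matches OVMF_PK_KEK1_APP_PREFIX_GUID in the new header byte for byte, so this is only about settling on one ordering convention before more GUIDs follow.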
diff --git a/OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h b/OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h
new file mode 100644
index 000000000000..e05d2fe021b7
--- /dev/null
+++ b/OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h
@@ -0,0 +1,45 @@
+/** @file
+  Declare the application prefix string as a GUID, for locating the PK/KEK1
+  X509 certificate to enroll, in the "OEM Strings" SMBIOS table.
+
+  Copyright (C) 2019, Red Hat, Inc.
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+  @par Specification Reference:
+  - https://git.qemu.org/?p=qemu.git;a=commit;h=2d6dcbf93fb0
+  - https://libvirt.org/formatdomain.html#elementsSysinfo
+  - https://bugs.launchpad.net/qemu/+bug/1826200
+  - https://bugzilla.tianocore.org/show_bug.cgi?id=1747
+**/
+
+#ifndef OVMF_PK_KEK1_APP_PREFIX_H_
+#define OVMF_PK_KEK1_APP_PREFIX_H_
+
+#include <Uefi/UefiBaseType.h>
+
+//
+// For the EnrollDefaultKeys application, the hypervisor is expected to add a
+// string entry to the "OEM Strings" (Type 11) SMBIOS table, with the following
+// format:
+//
+// 4e32566d-8e9e-4f52-81d3-5bb9715f9727:<Base64 X509 cert for PK and first KEK>
+//
+// The string representation of the GUID at the front is the "application
+// prefix". It is matched by EnrollDefaultKeys case-insensitively.
+//
+// The base64-encoded blob following the application prefix and the colon (:)
+// is an X509 certificate in DER representation; the hypervisor instructs
+// EnrollDefaultKeys to enroll this certificate as both Platform Key and first
+// Key Exchange Key.
+//
+#define OVMF_PK_KEK1_APP_PREFIX_GUID                    \
+  { 0x4e32566d,                                         \
+    0x8e9e,                                             \
+    0x4f52,                                             \
+    { 0x81, 0xd3, 0x5b, 0xb9, 0x71, 0x5f, 0x97, 0x27 }, \
+  }
+
+extern EFI_GUID gOvmfPkKek1AppPrefixGuid;
+
+#endif /* OVMF_PK_KEK1_APP_PREFIX_H_ */
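Review bot: the header comment states that the prefix is matched case-insensitively but leaves two contract details implicit that the hypervisor side (QEMU and libvirt, per the @par references) needs to know: whether whitespace or line breaks inside the base64 payload are tolerated, and what happens when more than one OEM String carries the prefix. Spelling both out here, next to the format line, is better than leaving them to be inferred from the decoder in EnrollDefaultKeys.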
-- 
2.19.1.3.g30247aa5d201




* [PATCH 15/16] OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type 11 SMBIOS table
@ 2019-04-27  0:53 ` Laszlo Ersek
From: Laszlo Ersek @ 2019-04-27  0:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

Disconnect the certificate that is enrolled as both Platform Key and first
Key Exchange Key from Red Hat: expect the hypervisor to specify it, as
part of SMBIOS.

Example usage with QEMU:

* Generate self-signed X509 certificate:

  openssl req \
    -x509 \
    -newkey rsa:2048 \
    -outform PEM \
    -keyout PkKek1.private.key \
    -out PkKek1.pem

  (where "PEM" simply means "DER + base64 + header + footer").

* Strip the header, footer, and newline characters; prepend the
  application prefix:

  sed \
    -e 's/^-----BEGIN CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \
    -e '/^-----END CERTIFICATE-----$/d' \
    PkKek1.pem \
  | tr -d '\n' \
  > PkKek1.oemstr

* Pass the certificate to EnrollDefaultKeys with the following QEMU
  option:

  -smbios type=11,value="$(< PkKek1.oemstr)"

  (Note: for the above option to work correctly, a QEMU version is needed
  that includes commit 950c4e6c94b1 ("opts: don't silently truncate long
  option values", 2018-05-09). The first upstream release with that commit
  was v3.0.0.

  Once <https://bugs.launchpad.net/qemu/+bug/1826200> is fixed, QEMU will
  learn to read the file directly; passing the blob on the command will be
  necessary no more.)

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |   7 +
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 223 ++++++++++++++++++--
 2 files changed, 217 insertions(+), 13 deletions(-)

diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
index 28db52586a9b..184f7972d52d 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
@@ -30,16 +30,23 @@ [Guids]
   gEfiCertPkcs7Guid
   gEfiCertSha256Guid
   gEfiCertX509Guid
   gEfiCustomModeEnableGuid
   gEfiGlobalVariableGuid
   gEfiImageSecurityDatabaseGuid
   gEfiSecureBootEnableDisableGuid
   gMicrosoftVendorGuid
+  gOvmfPkKek1AppPrefixGuid
+
+[Protocols]
+  gEfiSmbiosProtocolGuid ## CONSUMES
 
 [LibraryClasses]
+  BaseLib
   BaseMemoryLib
   DebugLib
   MemoryAllocationLib
+  PrintLib
   ShellCEntryLib
+  UefiBootServicesTableLib
   UefiLib
   UefiRuntimeServicesTableLib
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index 9c4a0f06fb4d..b7b2e424c59e 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -4,26 +4,201 @@
   Copyright (C) 2014-2019, Red Hat, Inc.
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
 #include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
 #include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
 #include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
 #include <Guid/MicrosoftVendor.h>                // gMicrosoftVendorGuid
+#include <Guid/OvmfPkKek1AppPrefix.h>            // gOvmfPkKek1AppPrefixGuid
+#include <IndustryStandard/SmBios.h>             // SMBIOS_HANDLE_PI_RESERVED
+#include <Library/BaseLib.h>                     // GUID_STRING_LENGTH
 #include <Library/BaseMemoryLib.h>               // CopyGuid()
 #include <Library/DebugLib.h>                    // ASSERT()
 #include <Library/MemoryAllocationLib.h>         // FreePool()
+#include <Library/PrintLib.h>                    // AsciiSPrint()
 #include <Library/ShellCEntryLib.h>              // ShellAppMain()
+#include <Library/UefiBootServicesTableLib.h>    // gBS
 #include <Library/UefiLib.h>                     // AsciiPrint()
 #include <Library/UefiRuntimeServicesTableLib.h> // gRT
+#include <Protocol/Smbios.h>                     // EFI_SMBIOS_PROTOCOL
 
 #include "EnrollDefaultKeys.h"
 
 
+/**
+  Fetch the X509 certificate (to be used as Platform Key and first Key Exchange
+  Key) from SMBIOS.
+
+  @param[out] PkKek1        The X509 certificate in DER encoding from the
+                            hypervisor, to be enrolled as PK and first KEK
+                            entry. On success, the caller is responsible for
+                            releasing PkKek1 with FreePool().
+
+  @param[out] SizeOfPkKek1  The size of PkKek1 in bytes.
+
+  @retval EFI_SUCCESS           PkKek1 and SizeOfPkKek1 have been set
+                                successfully.
+
+  @retval EFI_NOT_FOUND         An OEM String matching
+                                OVMF_PK_KEK1_APP_PREFIX_GUID has not been
+                                found.
+
+  @retval EFI_PROTOCOL_ERROR    In the OEM String matching
+                                OVMF_PK_KEK1_APP_PREFIX_GUID, the certificate
+                                is empty, or it has invalid base64 encoding.
+
+  @retval EFI_OUT_OF_RESOURCES  Memory allocation failed.
+
+  @return                       Error codes from gBS->LocateProtocol().
+**/
+STATIC
+EFI_STATUS
+GetPkKek1 (
+  OUT UINT8 **PkKek1,
+  OUT UINTN *SizeOfPkKek1
+  )
+{
+  CONST CHAR8             *Base64Cert;
+  CHAR8                   OvmfPkKek1AppPrefix[GUID_STRING_LENGTH + 1 + 1];
+  EFI_STATUS              Status;
+  EFI_SMBIOS_PROTOCOL     *Smbios;
+  EFI_SMBIOS_HANDLE       Handle;
+  EFI_SMBIOS_TYPE         Type;
+  EFI_SMBIOS_TABLE_HEADER *Header;
+  SMBIOS_TABLE_TYPE11     *OemStringsTable;
+  UINTN                   Base64CertLen;
+  UINTN                   DecodedCertSize;
+  UINT8                   *DecodedCert;
+
+  Base64Cert = NULL;
+
+  //
+  // Format the application prefix, for OEM String matching.
+  //
+  AsciiSPrint (OvmfPkKek1AppPrefix, sizeof OvmfPkKek1AppPrefix, "%g:",
+    &gOvmfPkKek1AppPrefixGuid);
+
+  //
+  // Scan all "OEM Strings" tables.
+  //
+  Status = gBS->LocateProtocol (&gEfiSmbiosProtocolGuid, NULL,
+                  (VOID **)&Smbios);
+  if (EFI_ERROR (Status)) {
+    AsciiPrint ("error: failed to locate EFI_SMBIOS_PROTOCOL: %r\n", Status);
+    return Status;
+  }
+
+  Handle = SMBIOS_HANDLE_PI_RESERVED;
+  Type = SMBIOS_TYPE_OEM_STRINGS;
+  for (Status = Smbios->GetNext (Smbios, &Handle, &Type, &Header, NULL);
+       !EFI_ERROR (Status);
+       Status = Smbios->GetNext (Smbios, &Handle, &Type, &Header, NULL)) {
+    CONST CHAR8 *OemString;
+    UINTN       Idx;
+
+    if (Header->Length < sizeof *OemStringsTable) {
+      //
+      // Malformed table header, skip to next.
+      //
+      continue;
+    }
+    OemStringsTable = (SMBIOS_TABLE_TYPE11 *)Header;
+
+    //
+    // Scan all strings in the unformatted area of the current "OEM Strings"
+    // table.
+    //
+    OemString = (CONST CHAR8 *)(OemStringsTable + 1);
+    for (Idx = 0; Idx < OemStringsTable->StringCount; ++Idx) {
+      CHAR8 CandidatePrefix[sizeof OvmfPkKek1AppPrefix];
+
+      //
+      // NUL-terminate the candidate prefix for case-insensitive comparison.
+      //
+      AsciiStrnCpyS (CandidatePrefix, sizeof CandidatePrefix, OemString,
+        GUID_STRING_LENGTH + 1);
+      if (AsciiStriCmp (OvmfPkKek1AppPrefix, CandidatePrefix) == 0) {
+        //
+        // The current string matches the prefix.
+        //
+        Base64Cert = OemString + GUID_STRING_LENGTH + 1;
+        break;
+      }
+      OemString += AsciiStrSize (OemString);
+    }
+
+    if (Idx < OemStringsTable->StringCount) {
+      //
+      // The current table has a matching string.
+      //
+      break;
+    }
+  }
+
+  if (EFI_ERROR (Status)) {
+    //
+    // No table with a matching string has been found.
+    //
+    AsciiPrint ("error: OEM String with app prefix %g not found: %r\n",
+      &gOvmfPkKek1AppPrefixGuid, Status);
+    return EFI_NOT_FOUND;
+  }
+
+  ASSERT (Base64Cert != NULL);
+  Base64CertLen = AsciiStrLen (Base64Cert);
+
+  //
+  // Verify the base64 encoding, and determine the decoded size.
+  //
+  DecodedCertSize = 0;
+  Status = Base64Decode (Base64Cert, Base64CertLen, NULL, &DecodedCertSize);
+  switch (Status) {
+  case EFI_BUFFER_TOO_SMALL:
+    if (DecodedCertSize > 0) {
+      break;
+    }
+    //
+    // Fall through: the above Base64Decode() call is ill-specified in BaseLib
+    // if Source decodes to zero bytes (for example if it consists of ignored
+    // whitespace only).
+    //
+  case EFI_SUCCESS:
+    AsciiPrint ("error: empty certificate after app prefix %g\n",
+      &gOvmfPkKek1AppPrefixGuid);
+    return EFI_PROTOCOL_ERROR;
+  default:
+    AsciiPrint ("error: invalid base64 string after app prefix %g\n",
+      &gOvmfPkKek1AppPrefixGuid);
+    return EFI_PROTOCOL_ERROR;
+  }
+
+  //
+  // Allocate the output buffer.
+  //
+  DecodedCert = AllocatePool (DecodedCertSize);
+  if (DecodedCert == NULL) {
+    AsciiPrint ("error: failed to allocate memory\n");
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  //
+  // Decoding will succeed at this point.
+  //
+  Status = Base64Decode (Base64Cert, Base64CertLen, DecodedCert,
+             &DecodedCertSize);
+  ASSERT_EFI_ERROR (Status);
+
+  *PkKek1 = DecodedCert;
+  *SizeOfPkKek1 = DecodedCertSize;
+  return EFI_SUCCESS;
+}
+
+
 /**
   Enroll a set of certificates in a global variable, overwriting it.
 
   The variable will be rewritten with NV+BS+RT+AT attributes.
 
   @param[in] VariableName  The name of the variable to overwrite.
 
   @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
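Review bot: the string walk inside the Type 11 loop (`OemString += AsciiStrSize (OemString);`) trusts StringCount and the NUL terminators and never compares OemString against the end of the record, so a malformed table would be read past its end; either bound the walk with the record's total length, or add a comment stating that EFI_SMBIOS_PROTOCOL validated the string area when the record was added, so a reader can see why the missing check is acceptable. The `Header->Length < sizeof *OemStringsTable` guard and the explicit handling of the zero-length decode (the documented fall-through) are good; consider also mentioning in the comment block that the first matching string wins and the remaining tables are not inspected.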
@@ -353,116 +528,133 @@ PrintSettings (
 **/
 INTN
 EFIAPI
 ShellAppMain (
   IN UINTN  Argc,
   IN CHAR16 **Argv
   )
 {
+  INTN       RetVal;
   EFI_STATUS Status;
   SETTINGS   Settings;
+  UINT8      *PkKek1;
+  UINTN      SizeOfPkKek1;
+
+  //
+  // Prepare for failure.
+  //
+  RetVal = 1;
 
   //
   // If we're not in Setup Mode, we can't do anything.
   //
   Status = GetSettings (&Settings);
   if (EFI_ERROR (Status)) {
-    return 1;
+    return RetVal;
   }
   PrintSettings (&Settings);
 
   if (Settings.SetupMode != 1) {
     AsciiPrint ("error: already in User Mode\n");
-    return 1;
+    return RetVal;
+  }
+
+  //
+  // Fetch the X509 certificate (to be used as Platform Key and first Key
+  // Exchange Key) from SMBIOS.
+  //
+  Status = GetPkKek1 (&PkKek1, &SizeOfPkKek1);
+  if (EFI_ERROR (Status)) {
+    return RetVal;
   }
 
   //
   // Enter Custom Mode so we can enroll PK, KEK, db, and dbx without signature
   // checks on those variable writes.
   //
   if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
     Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
     Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
                     (EFI_VARIABLE_NON_VOLATILE |
                      EFI_VARIABLE_BOOTSERVICE_ACCESS),
                     sizeof Settings.CustomMode, &Settings.CustomMode);
     if (EFI_ERROR (Status)) {
       AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
         &gEfiCustomModeEnableGuid, Status);
-      return 1;
+      goto FreePkKek1;
     }
   }
 
   //
   // Enroll db.
   //
   Status = EnrollListOfCerts (
              EFI_IMAGE_SECURITY_DATABASE,
              &gEfiImageSecurityDatabaseGuid,
              &gEfiCertX509Guid,
              mMicrosoftPca,    mSizeOfMicrosoftPca,    &gMicrosoftVendorGuid,
              mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid,
              NULL);
   if (EFI_ERROR (Status)) {
-    return 1;
+    goto FreePkKek1;
   }
 
   //
   // Enroll dbx.
   //
   Status = EnrollListOfCerts (
              EFI_IMAGE_SECURITY_DATABASE1,
              &gEfiImageSecurityDatabaseGuid,
              &gEfiCertSha256Guid,
              mSha256OfDevNull, mSizeOfSha256OfDevNull, &gEfiCallerIdGuid,
              NULL);
   if (EFI_ERROR (Status)) {
-    return 1;
+    goto FreePkKek1;
   }
 
   //
   // Enroll KEK.
   //
   Status = EnrollListOfCerts (
              EFI_KEY_EXCHANGE_KEY_NAME,
              &gEfiGlobalVariableGuid,
              &gEfiCertX509Guid,
-             mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid,
+             PkKek1,        SizeOfPkKek1,        &gEfiCallerIdGuid,
              mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,
              NULL);
   if (EFI_ERROR (Status)) {
-    return 1;
+    goto FreePkKek1;
   }
 
   //
   // Enroll PK, leaving Setup Mode (entering User Mode) at once.
   //
   Status = EnrollListOfCerts (
              EFI_PLATFORM_KEY_NAME,
              &gEfiGlobalVariableGuid,
              &gEfiCertX509Guid,
-             mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiGlobalVariableGuid,
+             PkKek1, SizeOfPkKek1, &gEfiGlobalVariableGuid,
              NULL);
   if (EFI_ERROR (Status)) {
-    return 1;
+    goto FreePkKek1;
   }
 
   //
   // Leave Custom Mode, so that updates to PK, KEK, db, and dbx require valid
   // signatures.
   //
   Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
   Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
                   EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
                   sizeof Settings.CustomMode, &Settings.CustomMode);
   if (EFI_ERROR (Status)) {
     AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
       &gEfiCustomModeEnableGuid, Status);
-    return 1;
+    goto FreePkKek1;
   }
 
   //
   // Final sanity check:
   //
   //                                 [SetupMode]
   //                        (read-only, standardized by UEFI)
   //                                /                \_
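Review bot: every early exit between the Custom Mode enable (the SetVariable on EFI_CUSTOM_MODE_NAME at the top of this hunk) and the later restore to STANDARD_SECURE_BOOT_MODE now jumps to FreePkKek1 and returns, leaving CUSTOM_SECURE_BOOT_MODE set in non-volatile storage. The `return 1;` exits being replaced had the same effect, but since the cleanup label is being introduced anyway, consider either restoring STANDARD_SECURE_BOOT_MODE on the failure path or stating in the function's comment block that a failed run leaves the firmware in Custom Mode (with whatever subset of db/dbx/KEK was enrolled before the failure) and that the application must be re-run.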
@@ -488,22 +680,27 @@ ShellAppMain (
   //                                /                           \_
   //                          0, default                         1
   //                              /                               \_
   //                      PK, KEK, db, dbx                PK, KEK, db, dbx
   //                    updates are verified          updates are not verified
   //
   Status = GetSettings (&Settings);
   if (EFI_ERROR (Status)) {
-    return 1;
+    goto FreePkKek1;
   }
   PrintSettings (&Settings);
 
   if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
       Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
       Settings.VendorKeys != 0) {
     AsciiPrint ("error: unexpected\n");
-    return 1;
+    goto FreePkKek1;
   }
 
   AsciiPrint ("info: success\n");
-  return 0;
+  RetVal = 0;
+
+FreePkKek1:
+  FreePool (PkKek1);
+
+  return RetVal;
 }
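Review bot: the FreePkKek1 label only assigns RetVal on the success path (`RetVal = 0;`), so every `goto FreePkKek1` above relies on RetVal having been initialized to a non-zero value at its declaration, which is outside this hunk; please confirm that initialization is present, otherwise an enrollment failure would be reported to the shell as success. Likewise, the unconditional `FreePool (PkKek1);` at the label is only correct because every jump to it sits after PkKek1 has been successfully allocated; a one-line comment at the label recording that invariant would protect it against future early exits being added above the allocation.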
-- 
2.19.1.3.g30247aa5d201

* [PATCH 16/16] OvmfPkg/EnrollDefaultKeys: remove Red Hat's hard-coded PK/KEK1
From: Laszlo Ersek @ 2019-04-27  0:53 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

The certificate

  "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
  SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97

is no longer referenced; remove it.

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h |  3 -
 OvmfPkg/EnrollDefaultKeys/AuthData.c          | 85 --------------------
 2 files changed, 88 deletions(-)

diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
index e3a7e43da4e3..8e61f0a77b90 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
@@ -118,19 +118,16 @@ typedef struct {
   UINT8 CustomMode;
   UINT8 VendorKeys;
 } SETTINGS;
 
 
 //
 // Refer to "AuthData.c" for details on the following objects.
 //
-extern CONST UINT8 mRedHatPkKek1[];
-extern CONST UINTN mSizeOfRedHatPkKek1;
-
 extern CONST UINT8 mMicrosoftKek[];
 extern CONST UINTN mSizeOfMicrosoftKek;
 
 extern CONST UINT8 mMicrosoftPca[];
 extern CONST UINTN mSizeOfMicrosoftPca;
 
 extern CONST UINT8 mMicrosoftUefiCa[];
 extern CONST UINTN mSizeOfMicrosoftUefiCa;
diff --git a/OvmfPkg/EnrollDefaultKeys/AuthData.c b/OvmfPkg/EnrollDefaultKeys/AuthData.c
index 9a96dcc440b3..3b4856a01f48 100644
--- a/OvmfPkg/EnrollDefaultKeys/AuthData.c
+++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c
@@ -4,101 +4,16 @@
   Copyright (C) 2014-2019, Red Hat, Inc.
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
 
 #include "EnrollDefaultKeys.h"
 
 
-//
-// We'll use the certificate below as both Platform Key and as first Key
-// Exchange Key.
-//
-// "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
-// SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
-//
-CONST UINT8 mRedHatPkKek1[] = {
-  0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, 0x02,
-  0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, 0x0d,
-  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
-  0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22,
-  0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
-  0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45,
-  0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06,
-  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73,
-  0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61,
-  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
-  0x33, 0x31, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, 0x37,
-  0x31, 0x30, 0x32, 0x35, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x30, 0x51,
-  0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x52, 0x65,
-  0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20,
-  0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45, 0x4b, 0x20,
-  0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a,
-  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,
-  0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, 0x2e,
-  0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
-  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
-  0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x90, 0x1f, 0x84,
-  0x7b, 0x8d, 0xbc, 0xeb, 0x97, 0x26, 0x82, 0x6d, 0x88, 0xab, 0x8a, 0xc9, 0x8c,
-  0x68, 0x70, 0xf9, 0xdf, 0x4b, 0x07, 0xb2, 0x37, 0x83, 0x0b, 0x02, 0xc8, 0x67,
-  0x68, 0x30, 0x9e, 0xe3, 0xf0, 0xf0, 0x99, 0x4a, 0xb8, 0x59, 0x57, 0xc6, 0x41,
-  0xf6, 0x38, 0x8b, 0xfe, 0x66, 0x4c, 0x49, 0xe9, 0x37, 0x37, 0x92, 0x2e, 0x98,
-  0x01, 0x1e, 0x5b, 0x14, 0x50, 0xe6, 0xa8, 0x8d, 0x25, 0x0d, 0xf5, 0x86, 0xe6,
-  0xab, 0x30, 0xcb, 0x40, 0x16, 0xea, 0x8d, 0x8b, 0x16, 0x86, 0x70, 0x43, 0x37,
-  0xf2, 0xce, 0xc0, 0x91, 0xdf, 0x71, 0x14, 0x8e, 0x99, 0x0e, 0x89, 0xb6, 0x4c,
-  0x6d, 0x24, 0x1e, 0x8c, 0xe4, 0x2f, 0x4f, 0x25, 0xd0, 0xba, 0x06, 0xf8, 0xc6,
-  0xe8, 0x19, 0x18, 0x76, 0x73, 0x1d, 0x81, 0x6d, 0xa8, 0xd8, 0x05, 0xcf, 0x3a,
-  0xc8, 0x7b, 0x28, 0xc8, 0x36, 0xa3, 0x16, 0x0d, 0x29, 0x8c, 0x99, 0x9a, 0x68,
-  0xdc, 0xab, 0xc0, 0x4d, 0x8d, 0xbf, 0x5a, 0xbb, 0x2b, 0xa9, 0x39, 0x4b, 0x04,
-  0x97, 0x1c, 0xf9, 0x36, 0xbb, 0xc5, 0x3a, 0x86, 0x04, 0xae, 0xaf, 0xd4, 0x82,
-  0x7b, 0xe0, 0xab, 0xde, 0x49, 0x05, 0x68, 0xfc, 0xf6, 0xae, 0x68, 0x1a, 0x6c,
-  0x90, 0x4d, 0x57, 0x19, 0x3c, 0x64, 0x66, 0x03, 0xf6, 0xc7, 0x52, 0x9b, 0xf7,
-  0x94, 0xcf, 0x93, 0x6a, 0xa1, 0x68, 0xc9, 0xaa, 0xcf, 0x99, 0x6b, 0xbc, 0xaa,
-  0x5e, 0x08, 0xe7, 0x39, 0x1c, 0xf7, 0xf8, 0x0f, 0xba, 0x06, 0x7e, 0xf1, 0xcb,
-  0xe8, 0x76, 0xdd, 0xfe, 0x22, 0xda, 0xad, 0x3a, 0x5e, 0x5b, 0x34, 0xea, 0xb3,
-  0xc9, 0xe0, 0x4d, 0x04, 0x29, 0x7e, 0xb8, 0x60, 0xb9, 0x05, 0xef, 0xb5, 0xd9,
-  0x17, 0x58, 0x56, 0x16, 0x60, 0xb9, 0x30, 0x32, 0xf0, 0x36, 0x4a, 0xc3, 0xf2,
-  0x79, 0x8d, 0x12, 0x40, 0x70, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x7b,
-  0x30, 0x79, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00,
-  0x30, 0x2c, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x0d,
-  0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, 0x47,
-  0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72, 0x74,
-  0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
-  0x0e, 0x04, 0x16, 0x04, 0x14, 0x3c, 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a,
-  0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42, 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30,
-  0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x3c,
-  0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a, 0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42,
-  0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
-  0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
-  0x5c, 0x4d, 0x92, 0x88, 0xb4, 0x82, 0x5f, 0x1d, 0xad, 0x8b, 0x11, 0xec, 0xdf,
-  0x06, 0xa6, 0x7a, 0xa5, 0x2b, 0x9f, 0x37, 0x55, 0x0c, 0x8d, 0x6e, 0x05, 0x00,
-  0xad, 0xb7, 0x0c, 0x41, 0x89, 0x69, 0xcf, 0xd6, 0x65, 0x06, 0x9b, 0x51, 0x78,
-  0xd2, 0xad, 0xc7, 0xbf, 0x9c, 0xdc, 0x05, 0x73, 0x7f, 0xe7, 0x1e, 0x39, 0x13,
-  0xb4, 0xea, 0xb6, 0x30, 0x7d, 0x40, 0x75, 0xab, 0x9c, 0x43, 0x0b, 0xdf, 0xb0,
-  0xc2, 0x1b, 0xbf, 0x30, 0xe0, 0xf4, 0xfe, 0xc0, 0xdb, 0x62, 0x21, 0x98, 0xf6,
-  0xc5, 0xaf, 0xde, 0x3b, 0x4f, 0x49, 0x0a, 0xe6, 0x1e, 0xf9, 0x86, 0xb0, 0x3f,
-  0x0d, 0xd6, 0xd4, 0x46, 0x37, 0xdb, 0x54, 0x74, 0x5e, 0xff, 0x11, 0xc2, 0x60,
-  0xc6, 0x70, 0x58, 0xc5, 0x1c, 0x6f, 0xec, 0xb2, 0xd8, 0x6e, 0x6f, 0xc3, 0xbc,
-  0x33, 0x87, 0x38, 0xa4, 0xf3, 0x44, 0x64, 0x9c, 0x34, 0x3b, 0x28, 0x94, 0x26,
-  0x78, 0x27, 0x9f, 0x16, 0x17, 0xe8, 0x3b, 0x69, 0x0a, 0x25, 0xa9, 0x73, 0x36,
-  0x7e, 0x9e, 0x37, 0x5c, 0xec, 0xe8, 0x3f, 0xdb, 0x91, 0xf9, 0x12, 0xb3, 0x3d,
-  0xce, 0xe7, 0xdd, 0x15, 0xc3, 0xae, 0x8c, 0x05, 0x20, 0x61, 0x9b, 0x95, 0xde,
-  0x9b, 0xaf, 0xfa, 0xb1, 0x5c, 0x1c, 0xe5, 0x97, 0xe7, 0xc3, 0x34, 0x11, 0x85,
-  0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, 0x90,
-  0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, 0xaf,
-  0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, 0x37,
-  0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, 0xb7,
-  0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, 0x43,
-  0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69
-};
-
-CONST UINTN mSizeOfRedHatPkKek1 = sizeof mRedHatPkKek1;
-
-
 //
 // Second KEK: "Microsoft Corporation KEK CA 2011".
 // SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
 //
 // "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
 //
 CONST UINT8 mMicrosoftKek[] = {
   0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
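Review bot: with the hard-coded PK/KEK1 gone from this file, the surviving comment `// Second KEK: "Microsoft Corporation KEK CA 2011".` now introduces the first certificate defined in AuthData.c, so the ordinal reads oddly on its own; suggest rewording it to say that this is the second KEK after the PK/KEK1 certificate that is now read from the Type 11 SMBIOS table (patch 15/16), so a reader of AuthData.c alone can tell where the first KEK comes from.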
-- 
2.19.1.3.g30247aa5d201

* Re: [edk2-devel] [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app
From: Laszlo Ersek @ 2019-04-27  1:07 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

On 04/27/19 02:53, Laszlo Ersek wrote:
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Repo:     https://github.com/lersek/edk2.git
> Branch:   enroll_bz_1747
> 
> Please see the goal / use case in the BZ.
> 
> Anatomy of the series:
> 
> - Patch 01 adds the application as-is from RHEL, as the starting point
>   for upstreaming (preserves continuity).
> 
> - Patches 02 through 13 clean up various coding style warts, and add
>   documentation, without functional changes.
> 
> - Patches 14 through 16 replace the hard-coded Red Hat certificate
>   (enrolled as PK and 1st KEK) with a certificate read dynamically from
>   SMBIOS (enrolled the same way), originating from the VMM.
> 
> I've successfully re-run the Secure Boot Logo Test in Windows HCK, after
> enabling SB in the VM-under-test with this application. I'll attach the
> test log in a separate email (sent in response to this one).

Done.

Thanks
Laszlo

> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> 
> Thanks,
> Laszlo
> 
> Laszlo Ersek (16):
>   OvmfPkg: introduce EnrollDefaultKeys application
>   OvmfPkg/EnrollDefaultKeys: update @file comment blocks
>   OvmfPkg/EnrollDefaultKeys: refresh INF file
>   ArmVirtPkg: build EnrollDefaultKeys.efi
>   OvmfPkg/EnrollDefaultKeys: clean up minor whitespace wart
>   OvmfPkg/EnrollDefaultKeys: clean up global variable name prefixes
>   OvmfPkg/EnrollDefaultKeys: clean up acronym capitalization in
>     identifiers
>   OvmfPkg/EnrollDefaultKeys: remove unneeded EFIAPI call. conv.
>     specifiers
>   OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file
>   OvmfPkg/EnrollDefaultKeys: split out certificate and signature
>     constants
>   OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID
>   OvmfPkg/EnrollDefaultKeys: describe functions with leading comment
>     blocks
>   OvmfPkg/EnrollDefaultKeys: document the steps of the entry point
>     function
>   OvmfPkg: introduce OVMF_PK_KEK1_APP_PREFIX_GUID
>   OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type 11 SMBIOS
>     table
>   OvmfPkg/EnrollDefaultKeys: remove Red Hat's hard-coded PK/KEK1
> 
>  ArmVirtPkg/ArmVirt.dsc.inc                      |   1 +
>  ArmVirtPkg/ArmVirtQemu.dsc                      |   1 +
>  ArmVirtPkg/ArmVirtQemuKernel.dsc                |   1 +
>  OvmfPkg/EnrollDefaultKeys/AuthData.c            | 440 ++++++++++++
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 706 ++++++++++++++++++++
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h   | 138 ++++
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |  52 ++
>  OvmfPkg/Include/Guid/MicrosoftVendor.h          |  55 ++
>  OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h      |  45 ++
>  OvmfPkg/OvmfPkg.dec                             |   2 +
>  OvmfPkg/OvmfPkgIa32.dsc                         |   2 +
>  OvmfPkg/OvmfPkgIa32X64.dsc                      |   2 +
>  OvmfPkg/OvmfPkgX64.dsc                          |   2 +
>  13 files changed, 1447 insertions(+)
>  create mode 100644 OvmfPkg/EnrollDefaultKeys/AuthData.c
>  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
>  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
>  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
>  create mode 100644 OvmfPkg/Include/Guid/MicrosoftVendor.h
>  create mode 100644 OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h
> 


[-- Attachment #2: Secure_Boot_Logo_Test.zip --]
[-- Type: application/zip, Size: 39265 bytes --]


* Re: [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app
From: Ard Biesheuvel @ 2019-04-27  8:14 UTC (permalink / raw)
  To: Laszlo Ersek
  Cc: edk2-devel-groups-io, Anthony Perard, Jordan Justen, Julien Grall

On Sat, 27 Apr 2019 at 02:53, Laszlo Ersek <lersek@redhat.com> wrote:
>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Repo:     https://github.com/lersek/edk2.git
> Branch:   enroll_bz_1747
>
> Please see the goal / use case in the BZ.
>
> Anatomy of the series:
>
> - Patch 01 adds the application as-is from RHEL, as the starting point
>   for upstreaming (preserves continuity).
>
> - Patches 02 through 13 clean up various coding style warts, and add
>   documentation, without functional changes.
>
> - Patches 14 through 16 replace the hard-coded Red Hat certificate
>   (enrolled as PK and 1st KEK) with a certificate read dynamically from
>   SMBIOS (enrolled the same way), originating from the VMM.
>
> I've successfully re-run the Secure Boot Logo Test in Windows HCK, after
> enabling SB in the VM-under-test with this application. I'll attach the
> test log in a separate email (sent in response to this one).
>
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
>
> Thanks,
> Laszlo
>
> Laszlo Ersek (16):
>   OvmfPkg: introduce EnrollDefaultKeys application
>   OvmfPkg/EnrollDefaultKeys: update @file comment blocks
>   OvmfPkg/EnrollDefaultKeys: refresh INF file
>   ArmVirtPkg: build EnrollDefaultKeys.efi
>   OvmfPkg/EnrollDefaultKeys: clean up minor whitespace wart
>   OvmfPkg/EnrollDefaultKeys: clean up global variable name prefixes
>   OvmfPkg/EnrollDefaultKeys: clean up acronym capitalization in
>     identifiers
>   OvmfPkg/EnrollDefaultKeys: remove unneeded EFIAPI call. conv.
>     specifiers
>   OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file
>   OvmfPkg/EnrollDefaultKeys: split out certificate and signature
>     constants
>   OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID
>   OvmfPkg/EnrollDefaultKeys: describe functions with leading comment
>     blocks
>   OvmfPkg/EnrollDefaultKeys: document the steps of the entry point
>     function
>   OvmfPkg: introduce OVMF_PK_KEK1_APP_PREFIX_GUID
>   OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type 11 SMBIOS
>     table
>   OvmfPkg/EnrollDefaultKeys: remove Red Hat's hard-coded PK/KEK1
>

I'm still quite unhappy about the way we are buying into using the MS
certs for everything even on ARM systems (where vendors care about
other certifications beyond the Windows Logo tests) but nonetheless, I
see that this has value for ARM as well as x86, so

Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>


* Re: [edk2-devel] [PATCH 03/16] OvmfPkg/EnrollDefaultKeys: refresh INF file
From: Philippe Mathieu-Daudé @ 2019-04-29 12:25 UTC (permalink / raw)
  To: devel, lersek; +Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> Bump INF_VERSION to the latest edk2 INF specification.
> 
> Regenerate FILE_GUID to distinguish this application from downstream-only
> versions.
> 
> Remove the VALID_ARCHITECTURES comment as there is nothing ISA or platform
> specific in the application.
> 
> Ensure all sections apart from [Defines] are alphabetically sorted.
> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>

> ---
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 10 +++-------
>  1 file changed, 3 insertions(+), 7 deletions(-)
> 
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> index 1e579f495143..3a215df50863 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> @@ -2,33 +2,29 @@
>  #  Enroll default PK, KEK, db, dbx.
>  #
>  #  Copyright (C) 2014-2019, Red Hat, Inc.
>  #
>  #  SPDX-License-Identifier: BSD-2-Clause-Patent
>  ##
>  
>  [Defines]
> -  INF_VERSION                    = 0x00010006
> +  INF_VERSION                    = 1.28
>    BASE_NAME                      = EnrollDefaultKeys
> -  FILE_GUID                      = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
> +  FILE_GUID                      = A0BAA8A3-041D-48A8-BC87-C36D121B5E3D
>    MODULE_TYPE                    = UEFI_APPLICATION
>    VERSION_STRING                 = 0.1
>    ENTRY_POINT                    = ShellCEntryLib
>  
> -#
> -#  VALID_ARCHITECTURES           = IA32 X64
> -#
> -
>  [Sources]
>    EnrollDefaultKeys.c
>  
>  [Packages]
> -  MdePkg/MdePkg.dec
>    MdeModulePkg/MdeModulePkg.dec
> +  MdePkg/MdePkg.dec
>    SecurityPkg/SecurityPkg.dec
>    ShellPkg/ShellPkg.dec
>  
>  [Guids]
>    gEfiCertPkcs7Guid
>    gEfiCertSha256Guid
>    gEfiCertX509Guid
>    gEfiCustomModeEnableGuid
> 


* Re: [edk2-devel] [PATCH 04/16] ArmVirtPkg: build EnrollDefaultKeys.efi
From: Philippe Mathieu-Daudé @ 2019-04-29 12:26 UTC (permalink / raw)
  To: devel, lersek; +Cc: Ard Biesheuvel

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> Having removed VALID_ARCHITECTURES from
> "OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf", it now makes sense to
> reflect the related platform DSC bits from OvmfPkg to ArmVirtPkg.
> 
> Build "EnrollDefaultKeys.efi" as part of ArmVirtQemu and ArmVirtQemuKernel
> (which are the ArmVirtPkg platforms that include SecureBootConfigDxe too).
> 
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>

> ---
>  ArmVirtPkg/ArmVirt.dsc.inc       | 1 +
>  ArmVirtPkg/ArmVirtQemu.dsc       | 1 +
>  ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 +
>  3 files changed, 3 insertions(+)
> 
> diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
> index 82335541f964..1848d20531ab 100644
> --- a/ArmVirtPkg/ArmVirt.dsc.inc
> +++ b/ArmVirtPkg/ArmVirt.dsc.inc
> @@ -46,16 +46,17 @@ [LibraryClasses.common]
>    DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf
>    DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf
>    UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf
>    UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf
>    HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
>    UefiHiiServicesLib|MdeModulePkg/Library/UefiHiiServicesLib/UefiHiiServicesLib.inf
>    SortLib|MdeModulePkg/Library/UefiSortLib/UefiSortLib.inf
>    ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
> +  ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
>    FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
>  
>    UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
>    OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
>  
>    #
>    # Ramdisk Requirements
>    #
> diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
> index d6ba3b6ae397..28c8fd551344 100644
> --- a/ArmVirtPkg/ArmVirtQemu.dsc
> +++ b/ArmVirtPkg/ArmVirtQemu.dsc
> @@ -270,16 +270,17 @@ [Components.common]
>        BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
>    }
>  !if $(SECURE_BOOT_ENABLE) == TRUE
>    MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
>      <LibraryClasses>
>        NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
>    }
>    SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
>  !else
>    MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
>  !endif
>    MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
>    MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
>    MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
>    MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf
>    EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf {
> diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> index 129780548e4a..2a83c7469424 100644
> --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
> +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> @@ -254,16 +254,17 @@ [Components.common]
>        BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
>    }
>  !if $(SECURE_BOOT_ENABLE) == TRUE
>    MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
>      <LibraryClasses>
>        NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
>    }
>    SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
>  !else
>    MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
>  !endif
>    MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
>    MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
>    MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
>    MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf
>    EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf {
> 


* Re: [edk2-devel] [PATCH 05/16] OvmfPkg/EnrollDefaultKeys: clean up minor whitespace wart
From: Philippe Mathieu-Daudé @ 2019-04-29 12:26 UTC (permalink / raw)
  To: devel, lersek; +Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> In edk2, we should spell "#pragma pack(...)" with a space character in
> front of the opening parenthesis. Fix up locations that suggest otherwise.
> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> index b354ec6f81c8..aa827ac6aa81 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> @@ -596,17 +596,17 @@ STATIC CONST EFI_GUID mMicrosoftOwnerGuid = {
>  // };                                                               |
>  //
>  // Given that the "struct hack" invokes undefined behavior (which is why C99
>  // introduced the flexible array member), and because subtracting those pesky
>  // sizes of 1 is annoying, and because the format is fully specified in the
>  // UEFI specification, we'll introduce two matching convenience structures that
>  // are customized for our X.509 purposes.
>  //
> -#pragma pack(1)
> +#pragma pack (1)
>  typedef struct {
>    EFI_TIME TimeStamp;
>  
>    //
>    // dwLength covers data below
>    //
>    UINT32   dwLength;
>    UINT16   wRevision;
> @@ -627,17 +627,17 @@ typedef struct {
>    // SignatureSize covers data below
>    //
>    EFI_GUID SignatureOwner;
>  
>    //
>    // X.509 certificate follows
>    //
>  } REPEATING_HEADER;
> -#pragma pack()
> +#pragma pack ()
>  
>  /**
>    Enroll a set of certificates in a global variable, overwriting it.
>  
>    The variable will be rewritten with NV+BS+RT+AT attributes.
>  
>    @param[in] VariableName  The name of the variable to overwrite.
>  
> 

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>


* Re: [edk2-devel] [PATCH 06/16] OvmfPkg/EnrollDefaultKeys: clean up global variable name prefixes
From: Philippe Mathieu-Daudé @ 2019-04-29 12:27 UTC (permalink / raw)
  To: devel, lersek; +Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> In edk2, we should start the names of module-global variables with "m".
> Rename the "RedHatPkKek1", "MicrosoftKEK", "MicrosoftPCA",
> "MicrosoftUefiCA" variables accordingly, with the following command:
> 
>   sed --regexp-extended --in-place \
>     --expression='s,\<(RedHatPkKek1|Microsoft(KEK|PCA|UefiCA))\>,m\1,g' \
>     OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 18 +++++++++---------
>  1 file changed, 9 insertions(+), 9 deletions(-)
> 
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> index aa827ac6aa81..fb30f4906df7 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> @@ -17,17 +17,17 @@
>  
>  //
>  // We'll use the certificate below as both Platform Key and as first Key
>  // Exchange Key.
>  //
>  // "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
>  // SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
>  //
> -STATIC CONST UINT8 RedHatPkKek1[] = {
> +STATIC CONST UINT8 mRedHatPkKek1[] = {
>    0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, 0x02,
>    0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, 0x0d,
>    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
>    0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22,
>    0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
>    0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45,
>    0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06,
>    0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73,
> @@ -98,17 +98,17 @@ STATIC CONST UINT8 RedHatPkKek1[] = {
>  };
>  
>  //
>  // Second KEK: "Microsoft Corporation KEK CA 2011".
>  // SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
>  //
>  // "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
>  //
> -STATIC CONST UINT8 MicrosoftKEK[] = {
> +STATIC CONST UINT8 mMicrosoftKEK[] = {
>    0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
>    0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
>    0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
>    0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
>    0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
>    0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
>    0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
>    0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
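Review bot: the comment kept in this hunk, "dbx" updates in "dbxtool" are signed with a key derived from this KEK, is imprecise: nothing is derived from a KEK entry; a dbx update is accepted because the PKCS7 signature on it chains to a certificate enrolled in KEK, here "Microsoft Corporation KEK CA 2011". Since the block is being touched anyway, rewording to "signed by a key whose certificate chains to this KEK entry" would avoid the suggestion of key derivation.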
> @@ -225,17 +225,17 @@ STATIC CONST UINT8 MicrosoftKEK[] = {
>  
>  //
>  // First DB entry: "Microsoft Windows Production PCA 2011"
>  // SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
>  //
>  // Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
>  // rooted in this certificate.
>  //
> -STATIC CONST UINT8 MicrosoftPCA[] = {
> +STATIC CONST UINT8 mMicrosoftPCA[] = {
>    0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
>    0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
>    0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
>    0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
>    0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
>    0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
>    0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
>    0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
> @@ -350,17 +350,17 @@ STATIC CONST UINT8 MicrosoftPCA[] = {
>  };
>  
>  //
>  // Second DB entry: "Microsoft Corporation UEFI CA 2011"
>  // SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
>  //
>  // To verify the "shim" binary and PCI expansion ROMs with.
>  //
> -STATIC CONST UINT8 MicrosoftUefiCA[] = {
> +STATIC CONST UINT8 mMicrosoftUefiCA[] = {
>    0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
>    0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
>    0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
>    0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
>    0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
>    0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
>    0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
>    0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
> @@ -938,18 +938,18 @@ ShellAppMain (
>        return 1;
>      }
>    }
>  
>    Status = EnrollListOfCerts (
>               EFI_IMAGE_SECURITY_DATABASE,
>               &gEfiImageSecurityDatabaseGuid,
>               &gEfiCertX509Guid,
> -             MicrosoftPCA,    sizeof MicrosoftPCA,    &mMicrosoftOwnerGuid,
> -             MicrosoftUefiCA, sizeof MicrosoftUefiCA, &mMicrosoftOwnerGuid,
> +             mMicrosoftPCA,    sizeof mMicrosoftPCA,    &mMicrosoftOwnerGuid,
> +             mMicrosoftUefiCA, sizeof mMicrosoftUefiCA, &mMicrosoftOwnerGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>  
>    Status = EnrollListOfCerts (
>               EFI_IMAGE_SECURITY_DATABASE1,
>               &gEfiImageSecurityDatabaseGuid,
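Review bot: the size arguments here (`sizeof mMicrosoftPCA`, `sizeof mMicrosoftUefiCA`) travel through the variadic tail of EnrollListOfCerts() (the argument list is NULL-terminated and the two calls in this function differ in arity), so their type is whatever the callee pulls with va_arg, and a UINTN/UINT32 mismatch there is silent and only shows up as a corrupt signature list at runtime. Worth documenting the expected (data pointer, UINTN size, owner GUID pointer) triple in the function's doc block, or adding a one-line comment at this call site.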
> @@ -959,28 +959,28 @@ ShellAppMain (
>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>  
>    Status = EnrollListOfCerts (
>               EFI_KEY_EXCHANGE_KEY_NAME,
>               &gEfiGlobalVariableGuid,
>               &gEfiCertX509Guid,
> -             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiCallerIdGuid,
> -             MicrosoftKEK, sizeof MicrosoftKEK, &mMicrosoftOwnerGuid,
> +             mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiCallerIdGuid,
> +             mMicrosoftKEK, sizeof mMicrosoftKEK, &mMicrosoftOwnerGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>  
>    Status = EnrollListOfCerts (
>               EFI_PLATFORM_KEY_NAME,
>               &gEfiGlobalVariableGuid,
>               &gEfiCertX509Guid,
> -             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiGlobalVariableGuid,
> +             mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiGlobalVariableGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>  
>    Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
>    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
>                    EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> 
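Review bot: the call order across this and the previous hunk (db, dbx, KEK, then PK) is load-bearing, because enrolling PK is what takes the platform out of Setup Mode; everything else is written while SetupMode is still 1. A one-line comment before the EFI_PLATFORM_KEY_NAME call saying that PK must stay last would keep a future reorder from breaking the app. Separately, each `if (EFI_ERROR (Status)) { return 1; }` exits before `Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;` is written, so if ShellAppMain() switched CustomMode earlier (the reset here suggests it did), a failed enrollment leaves the variable in that state; either reset it on the error paths too, or note in the documentation that a failed run requires the VM's variable store to be discarded.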

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>

^ permalink raw reply	[flat|nested] 39+ messages in thread

* Re: [edk2-devel] [PATCH 08/16] OvmfPkg/EnrollDefaultKeys: remove unneeded EFIAPI call. conv. specifiers
  2019-04-27  0:53 ` [PATCH 08/16] OvmfPkg/EnrollDefaultKeys: remove unneeded EFIAPI call. conv. specifiers Laszlo Ersek
@ 2019-04-29 12:28   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 39+ messages in thread
From: Philippe Mathieu-Daudé @ 2019-04-29 12:28 UTC (permalink / raw)
  To: devel, lersek; +Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> The GetExact(), GetSettings(), PrintSettings() functions are only called
> from within "EnrollDefaultKeys.c", and none of them take variable
> arguments. Drop their EFIAPI calling convention specifiers.
> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 3 ---
>  1 file changed, 3 deletions(-)
> 
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> index be0e4d8f8e96..671efef8d6ad 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> @@ -806,17 +806,16 @@ Out:
>        VendorGuid, Status);
>    }
>    return Status;
>  }
>  
>  
>  STATIC
>  EFI_STATUS
> -EFIAPI
>  GetExact (
>    IN CHAR16   *VariableName,
>    IN EFI_GUID *VendorGuid,
>    OUT VOID    *Data,
>    IN UINTN    DataSize,
>    IN BOOLEAN  AllowMissing
>    )
>  {
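Review bot: dropping EFIAPI is correct for functions only called directly from this file, but the consequence is worth a sentence in the commit message: on X64 GCC builds EFIAPI selects the Microsoft calling convention while plain functions use the native SysV one, so if GetExact(), GetSettings() or PrintSettings() were ever handed to a UEFI service as a function pointer the call would silently corrupt arguments. The commit message states they are not; a grep for `&GetExact`, `&GetSettings` and `&PrintSettings` as part of the review confirms it, and a later patch adding such a use must restore the specifier.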
> @@ -850,17 +849,16 @@ typedef struct {
>    UINT8 SecureBoot;
>    UINT8 SecureBootEnable;
>    UINT8 CustomMode;
>    UINT8 VendorKeys;
>  } SETTINGS;
>  
>  STATIC
>  EFI_STATUS
> -EFIAPI
>  GetSettings (
>    OUT SETTINGS *Settings
>    )
>  {
>    EFI_STATUS Status;
>  
>    Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
>               &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
> @@ -889,17 +887,16 @@ GetSettings (
>  
>    Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
>               &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
>    return Status;
>  }
>  
>  STATIC
>  VOID
> -EFIAPI
>  PrintSettings (
>    IN CONST SETTINGS *Settings
>    )
>  {
>    AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
>      "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
>      Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
>  }
> 

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>



* Re: [edk2-devel] [PATCH 09/16] OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file
  2019-04-27  0:53 ` [PATCH 09/16] OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file Laszlo Ersek
@ 2019-04-29 12:30   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 39+ messages in thread
From: Philippe Mathieu-Daudé @ 2019-04-29 12:30 UTC (permalink / raw)
  To: devel, lersek; +Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> "EnrollDefaultKeys.c" defines three structure types: SINGLE_HEADER,
> REPEATING_HEADER, and SETTINGS. The definitions are scattered over the C
> file, and lack high-level summary comments.
> 
> Extract the structures to "EnrollDefaultKeys.h", and add the missing
> comments.
> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |   1 +
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h   | 121 ++++++++++++++++++++
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 101 +---------------
>  3 files changed, 124 insertions(+), 99 deletions(-)
> 
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> index 3a215df50863..9f315a8e6d90 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> @@ -11,16 +11,17 @@ [Defines]
>    BASE_NAME                      = EnrollDefaultKeys
>    FILE_GUID                      = A0BAA8A3-041D-48A8-BC87-C36D121B5E3D
>    MODULE_TYPE                    = UEFI_APPLICATION
>    VERSION_STRING                 = 0.1
>    ENTRY_POINT                    = ShellCEntryLib
>  
>  [Sources]
>    EnrollDefaultKeys.c
> +  EnrollDefaultKeys.h
>  
>  [Packages]
>    MdeModulePkg/MdeModulePkg.dec
>    MdePkg/MdePkg.dec
>    SecurityPkg/SecurityPkg.dec
>    ShellPkg/ShellPkg.dec
>  
>  [Guids]
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
> new file mode 100644
> index 000000000000..9bcd87ff4f44
> --- /dev/null
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
> @@ -0,0 +1,121 @@
> +/** @file
> +  Type definitions for the EnrollDefaultKeys application.
> +
> +  Copyright (C) 2014-2019, Red Hat, Inc.
> +
> +  SPDX-License-Identifier: BSD-2-Clause-Patent
> +**/
> +
> +#ifndef ENROLL_DEFAULT_KEYS_H_
> +#define ENROLL_DEFAULT_KEYS_H_
> +
> +#include <Uefi/UefiBaseType.h>
> +
> +//
> +// Convenience structure types for constructing "signature lists" for
> +// authenticated UEFI variables.
> +//
> +// The most important thing about the variable payload is that it is a list of
> +// lists, where the element size of any given *inner* list is constant.
> +//
> +// Since X509 certificates vary in size, each of our *inner* lists will contain
> +// one element only (one X.509 certificate). This is explicitly mentioned in
> +// the UEFI specification, in "28.4.1 Signature Database", in a Note.
> +//
> +// The list structure looks as follows:
> +//
> +// struct EFI_VARIABLE_AUTHENTICATION_2 {                           |
> +//   struct EFI_TIME {                                              |
> +//     UINT16 Year;                                                 |
> +//     UINT8  Month;                                                |
> +//     UINT8  Day;                                                  |
> +//     UINT8  Hour;                                                 |
> +//     UINT8  Minute;                                               |
> +//     UINT8  Second;                                               |
> +//     UINT8  Pad1;                                                 |
> +//     UINT32 Nanosecond;                                           |
> +//     INT16  TimeZone;                                             |
> +//     UINT8  Daylight;                                             |
> +//     UINT8  Pad2;                                                 |
> +//   } TimeStamp;                                                   |
> +//                                                                  |
> +//   struct WIN_CERTIFICATE_UEFI_GUID {                           | |
> +//     struct WIN_CERTIFICATE {                                   | |
> +//       UINT32 dwLength; ----------------------------------------+ |
> +//       UINT16 wRevision;                                        | |
> +//       UINT16 wCertificateType;                                 | |
> +//     } Hdr;                                                     | +- DataSize
> +//                                                                | |
> +//     EFI_GUID CertType;                                         | |
> +//     UINT8    CertData[1] = { <--- "struct hack"                | |
> +//       struct EFI_SIGNATURE_LIST {                            | | |
> +//         EFI_GUID SignatureType;                              | | |
> +//         UINT32   SignatureListSize; -------------------------+ | |
> +//         UINT32   SignatureHeaderSize;                        | | |
> +//         UINT32   SignatureSize; ---------------------------+ | | |
> +//         UINT8    SignatureHeader[SignatureHeaderSize];     | | | |
> +//                                                            v | | |
> +//         struct EFI_SIGNATURE_DATA {                        | | | |
> +//           EFI_GUID SignatureOwner;                         | | | |
> +//           UINT8    SignatureData[1] = { <--- "struct hack" | | | |
> +//             X.509 payload                                  | | | |
> +//           }                                                | | | |
> +//         } Signatures[];                                      | | |
> +//       } SigLists[];                                            | |
> +//     };                                                         | |
> +//   } AuthInfo;                                                  | |
> +// };                                                               |
> +//
> +// Given that the "struct hack" invokes undefined behavior (which is why C99
> +// introduced the flexible array member), and because subtracting those pesky
> +// sizes of 1 is annoying, and because the format is fully specified in the
> +// UEFI specification, we'll introduce two matching convenience structures that
> +// are customized for our X.509 purposes.
> +//
> +#pragma pack (1)
> +typedef struct {
> +  EFI_TIME TimeStamp;
> +
> +  //
> +  // dwLength covers data below
> +  //
> +  UINT32   dwLength;
> +  UINT16   wRevision;
> +  UINT16   wCertificateType;
> +  EFI_GUID CertType;
> +} SINGLE_HEADER;
> +
> +typedef struct {
> +  //
> +  // SignatureListSize covers data below
> +  //
> +  EFI_GUID SignatureType;
> +  UINT32   SignatureListSize;
> +  UINT32   SignatureHeaderSize; // constant 0
> +  UINT32   SignatureSize;
> +
> +  //
> +  // SignatureSize covers data below
> +  //
> +  EFI_GUID SignatureOwner;
> +
> +  //
> +  // X.509 certificate follows
> +  //
> +} REPEATING_HEADER;
> +#pragma pack ()
> +
> +
> +//
> +// A structure that collects the values of UEFI variables related to Secure
> +// Boot.
> +//
> +typedef struct {
> +  UINT8 SetupMode;
> +  UINT8 SecureBoot;
> +  UINT8 SecureBootEnable;
> +  UINT8 CustomMode;
> +  UINT8 VendorKeys;
> +} SETTINGS;
> +
> +#endif /* ENROLL_DEFAULT_KEYS_H_ */
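Review bot: the diagram nests the EFI_SIGNATURE_LIST array inside WIN_CERTIFICATE_UEFI_GUID.CertData and runs the dwLength span over it, but the SINGLE_HEADER definition below it ends at CertType with the comment "dwLength covers data below", i.e. CertData is empty (dwLength is 24) and the signature lists are the variable's data following the descriptor; that is also how a time-based authenticated write is defined, the PKCS7 in CertData signs the data rather than containing it. Aligning the diagram with the struct (CertData[] shown empty, SigLists[] after AuthInfo and under the DataSize bar only) would stop readers using this header as format documentation from being misled. Since SINGLE_HEADER and REPEATING_HEADER are layout types, a compile-time size check (40 and 44 bytes respectively) next to the closing `#pragma pack ()` would also lock in the packing the variable driver expects.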
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> index 671efef8d6ad..fefea6638887 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> @@ -10,16 +10,18 @@
>  #include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
>  #include <Library/BaseMemoryLib.h>               // CopyGuid()
>  #include <Library/DebugLib.h>                    // ASSERT()
>  #include <Library/MemoryAllocationLib.h>         // FreePool()
>  #include <Library/ShellCEntryLib.h>              // ShellAppMain()
>  #include <Library/UefiLib.h>                     // AsciiPrint()
>  #include <Library/UefiRuntimeServicesTableLib.h> // gRT
>  
> +#include "EnrollDefaultKeys.h"
> +
>  //
>  // We'll use the certificate below as both Platform Key and as first Key
>  // Exchange Key.
>  //
>  // "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
>  // SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
>  //
>  STATIC CONST UINT8 mRedHatPkKek1[] = {
> @@ -538,107 +540,16 @@ STATIC CONST UINT8 mSha256OfDevNull[] = {
>  // EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
>  // EFI_SIGNATURE_DATA.SignatureData.
>  //
>  STATIC CONST EFI_GUID mMicrosoftOwnerGuid = {
>    0x77fa9abd, 0x0359, 0x4d32,
>    { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
>  };
>  
> -//
> -// The most important thing about the variable payload is that it is a list of
> -// lists, where the element size of any given *inner* list is constant.
> -//
> -// Since X509 certificates vary in size, each of our *inner* lists will contain
> -// one element only (one X.509 certificate). This is explicitly mentioned in
> -// the UEFI specification, in "28.4.1 Signature Database", in a Note.
> -//
> -// The list structure looks as follows:
> -//
> -// struct EFI_VARIABLE_AUTHENTICATION_2 {                           |
> -//   struct EFI_TIME {                                              |
> -//     UINT16 Year;                                                 |
> -//     UINT8  Month;                                                |
> -//     UINT8  Day;                                                  |
> -//     UINT8  Hour;                                                 |
> -//     UINT8  Minute;                                               |
> -//     UINT8  Second;                                               |
> -//     UINT8  Pad1;                                                 |
> -//     UINT32 Nanosecond;                                           |
> -//     INT16  TimeZone;                                             |
> -//     UINT8  Daylight;                                             |
> -//     UINT8  Pad2;                                                 |
> -//   } TimeStamp;                                                   |
> -//                                                                  |
> -//   struct WIN_CERTIFICATE_UEFI_GUID {                           | |
> -//     struct WIN_CERTIFICATE {                                   | |
> -//       UINT32 dwLength; ----------------------------------------+ |
> -//       UINT16 wRevision;                                        | |
> -//       UINT16 wCertificateType;                                 | |
> -//     } Hdr;                                                     | +- DataSize
> -//                                                                | |
> -//     EFI_GUID CertType;                                         | |
> -//     UINT8    CertData[1] = { <--- "struct hack"                | |
> -//       struct EFI_SIGNATURE_LIST {                            | | |
> -//         EFI_GUID SignatureType;                              | | |
> -//         UINT32   SignatureListSize; -------------------------+ | |
> -//         UINT32   SignatureHeaderSize;                        | | |
> -//         UINT32   SignatureSize; ---------------------------+ | | |
> -//         UINT8    SignatureHeader[SignatureHeaderSize];     | | | |
> -//                                                            v | | |
> -//         struct EFI_SIGNATURE_DATA {                        | | | |
> -//           EFI_GUID SignatureOwner;                         | | | |
> -//           UINT8    SignatureData[1] = { <--- "struct hack" | | | |
> -//             X.509 payload                                  | | | |
> -//           }                                                | | | |
> -//         } Signatures[];                                      | | |
> -//       } SigLists[];                                            | |
> -//     };                                                         | |
> -//   } AuthInfo;                                                  | |
> -// };                                                               |
> -//
> -// Given that the "struct hack" invokes undefined behavior (which is why C99
> -// introduced the flexible array member), and because subtracting those pesky
> -// sizes of 1 is annoying, and because the format is fully specified in the
> -// UEFI specification, we'll introduce two matching convenience structures that
> -// are customized for our X.509 purposes.
> -//
> -#pragma pack (1)
> -typedef struct {
> -  EFI_TIME TimeStamp;
> -
> -  //
> -  // dwLength covers data below
> -  //
> -  UINT32   dwLength;
> -  UINT16   wRevision;
> -  UINT16   wCertificateType;
> -  EFI_GUID CertType;
> -} SINGLE_HEADER;
> -
> -typedef struct {
> -  //
> -  // SignatureListSize covers data below
> -  //
> -  EFI_GUID SignatureType;
> -  UINT32   SignatureListSize;
> -  UINT32   SignatureHeaderSize; // constant 0
> -  UINT32   SignatureSize;
> -
> -  //
> -  // SignatureSize covers data below
> -  //
> -  EFI_GUID SignatureOwner;
> -
> -  //
> -  // X.509 certificate follows
> -  //
> -} REPEATING_HEADER;
> -#pragma pack ()
> -
>  /**
>    Enroll a set of certificates in a global variable, overwriting it.
>  
>    The variable will be rewritten with NV+BS+RT+AT attributes.
>  
>    @param[in] VariableName  The name of the variable to overwrite.
>  
>    @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
> @@ -839,24 +750,16 @@ GetExact (
>      AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
>        "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
>      return EFI_PROTOCOL_ERROR;
>    }
>  
>    return EFI_SUCCESS;
>  }
>  
> -typedef struct {
> -  UINT8 SetupMode;
> -  UINT8 SecureBoot;
> -  UINT8 SecureBootEnable;
> -  UINT8 CustomMode;
> -  UINT8 VendorKeys;
> -} SETTINGS;
> -
>  STATIC
>  EFI_STATUS
>  GetSettings (
>    OUT SETTINGS *Settings
>    )
>  {
>    EFI_STATUS Status;
>  
> 

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>

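The nested-header layout documented in the new "EnrollDefaultKeys.h" is easier to get right, and to check, with a small builder and parser. The following is an added example, not code from this patch series or from OvmfPkg: it reproduces the two convenience structures, serializes a list of certificates behind an unsigned EFI_VARIABLE_AUTHENTICATION_2 descriptor (the form the SINGLE_HEADER comment implies, with dwLength stopping at CertType and CertData empty; a variable driver only accepts this while it skips signature verification, as in Setup Mode), and walks the result back enforcing the size invariants. The UEFI base types, the EFI_CERT_X509_GUID and EFI_CERT_TYPE_PKCS7_GUID values and WIN_CERT_TYPE_EFI_GUID are taken from the UEFI specification so the file builds with a hosted C compiler without EDK2 headers; the two "certificates" are constructed placeholder byte strings, not real X.509 DER.

```c
/* Added example: build and re-parse the EFI_VARIABLE_AUTHENTICATION_2 +
 * EFI_SIGNATURE_LIST payload described by SINGLE_HEADER / REPEATING_HEADER.
 * Types below stand in for EDK2's <Uefi/UefiBaseType.h>; plain hosted C. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t UINT8; typedef uint16_t UINT16; typedef int16_t INT16;
typedef uint32_t UINT32; typedef size_t UINTN;
typedef struct { UINT32 Data1; UINT16 Data2, Data3; UINT8 Data4[8]; } EFI_GUID;
typedef struct {
  UINT16 Year; UINT8 Month, Day, Hour, Minute, Second, Pad1;
  UINT32 Nanosecond; INT16 TimeZone; UINT8 Daylight, Pad2;
} EFI_TIME;

#pragma pack (1)
typedef struct {                /* EFI_VARIABLE_AUTHENTICATION_2 with empty CertData */
  EFI_TIME TimeStamp;
  UINT32   dwLength;            /* covers dwLength..CertType only: 24 bytes */
  UINT16   wRevision;
  UINT16   wCertificateType;
  EFI_GUID CertType;
} SINGLE_HEADER;
typedef struct {                /* EFI_SIGNATURE_LIST holding one EFI_SIGNATURE_DATA */
  EFI_GUID SignatureType;
  UINT32   SignatureListSize;   /* this header + SignatureOwner + certificate */
  UINT32   SignatureHeaderSize; /* constant 0 */
  UINT32   SignatureSize;       /* SignatureOwner + certificate */
  EFI_GUID SignatureOwner;
} REPEATING_HEADER;
#pragma pack ()

/* Constants from the UEFI specification. */
static const EFI_GUID gEfiCertX509Guid =
  { 0xa5c059a1, 0x94e4, 0x4aa7, { 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 } };
static const EFI_GUID gEfiCertPkcs7Guid =
  { 0x4aafd29d, 0x68df, 0x49ee, { 0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7 } };
#define WIN_CERT_TYPE_EFI_GUID 0x0EF1

/* Serialize Count certificates, one per signature list, behind an unsigned
 * descriptor (zero TimeStamp, no PKCS7); only a driver that skips verification,
 * as in Setup Mode, accepts this. Returns bytes written, 0 if Out is too small. */
UINTN BuildAuthPayload (const UINT8 *Certs[], const UINTN Sizes[], const EFI_GUID Owners[],
                        UINTN Count, UINT8 *Out, UINTN OutCap)
{
  SINGLE_HEADER Single;
  UINTN Offset = sizeof Single, Idx;

  if (OutCap < Offset) return 0;
  memset (&Single, 0, sizeof Single);
  Single.dwLength         = sizeof Single - sizeof Single.TimeStamp;
  Single.wRevision        = 0x0200;
  Single.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
  Single.CertType         = gEfiCertPkcs7Guid;
  memcpy (Out, &Single, sizeof Single);

  for (Idx = 0; Idx < Count; Idx++) {
    REPEATING_HEADER Rep;
    if (OutCap - Offset < sizeof Rep + Sizes[Idx]) return 0;
    Rep.SignatureType       = gEfiCertX509Guid;
    Rep.SignatureListSize   = (UINT32)(sizeof Rep + Sizes[Idx]);
    Rep.SignatureHeaderSize = 0;
    Rep.SignatureSize       = (UINT32)(sizeof Rep.SignatureOwner + Sizes[Idx]);
    Rep.SignatureOwner      = Owners[Idx];
    memcpy (Out + Offset, &Rep, sizeof Rep);       Offset += sizeof Rep;
    memcpy (Out + Offset, Certs[Idx], Sizes[Idx]); Offset += Sizes[Idx];
  }
  return Offset;
}

/* Walk the lists after the descriptor, enforcing the invariants the format relies
 * on. Returns the number of X.509 entries, or -1 on any inconsistency (truncation,
 * non-zero SignatureHeaderSize, sizes that disagree, wrong signature type). */
int CountX509Entries (const UINT8 *Payload, UINTN Size)
{
  UINTN Offset = sizeof (SINGLE_HEADER);
  int Count = 0;

  if (Size < Offset) return -1;
  while (Offset < Size) {
    REPEATING_HEADER Rep;
    if (Size - Offset < sizeof Rep) return -1;
    memcpy (&Rep, Payload + Offset, sizeof Rep);
    if (Rep.SignatureHeaderSize != 0 || Rep.SignatureListSize < sizeof Rep ||
        Rep.SignatureListSize > Size - Offset ||
        Rep.SignatureSize != Rep.SignatureListSize - (sizeof Rep - sizeof Rep.SignatureOwner) ||
        memcmp (&Rep.SignatureType, &gEfiCertX509Guid, sizeof (EFI_GUID)) != 0)
      return -1;
    Count++;
    Offset += Rep.SignatureListSize;
  }
  return Count;
}

/* Constructed placeholders standing in for DER certificates (not real X.509). */
static const UINT8 mSampleCertA[] = { 0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02 };
static const UINT8 mSampleCertB[] = { 0x30, 0x08, 0x02, 0x01, 0x03, 0x02, 0x01, 0x04, 0x05, 0x00 };
static const EFI_GUID mSampleOwner =   /* the mMicrosoftOwnerGuid value from the patch */
  { 0x77fa9abd, 0x0359, 0x4d32, { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b } };

/* Build the two-certificate sample (a db-style payload) into Buf. */
UINTN BuildSamplePayload (UINT8 *Buf, UINTN Cap)
{
  const UINT8 *Certs[] = { mSampleCertA, mSampleCertB };
  const UINTN Sizes[] = { sizeof mSampleCertA, sizeof mSampleCertB };
  const EFI_GUID Owners[] = { mSampleOwner, mSampleOwner };
  return BuildAuthPayload (Certs, Sizes, Owners, 2, Buf, Cap);
}

int main (void)
{
  UINT8 Buf[256];
  UINTN Size = BuildSamplePayload (Buf, sizeof Buf);
  printf ("%zu-byte payload, %d X.509 entries\n", Size, CountX509Entries (Buf, Size));
  return 0;
}
```

Every list carries exactly one certificate and a zero SignatureHeaderSize because X.509 blobs vary in size, which is the point the header comment makes about the "list of lists"; CountX509Entries() rejects a final list that runs past the buffer, the defect a hand-assembled payload most often has.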

* Re: [edk2-devel] [PATCH 10/16] OvmfPkg/EnrollDefaultKeys: split out certificate and signature constants
  2019-04-27  0:53 ` [PATCH 10/16] OvmfPkg/EnrollDefaultKeys: split out certificate and signature constants Laszlo Ersek
@ 2019-04-29 12:33   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 39+ messages in thread
From: Philippe Mathieu-Daudé @ 2019-04-29 12:33 UTC (permalink / raw)
  To: devel, lersek; +Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> A large portion of "EnrollDefaultKeys.c" is hex-encoded X509 certificates,
> GUIDs, and signatures. These objects are constants, unlikely to see
> changes anytime soon. Move them out of the way, to "AuthData.c", so we can
> more easily work on functions in "EnrollDefaultKeys.c".
> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf               |   1 +
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h                 |  24 +-
>  OvmfPkg/EnrollDefaultKeys/{EnrollDefaultKeys.c => AuthData.c} | 402 +--------------
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c                 | 540 +-------------------
>  4 files changed, 53 insertions(+), 914 deletions(-)
> 
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> index 9f315a8e6d90..3f093c768585 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> @@ -10,16 +10,17 @@ [Defines]
>    INF_VERSION                    = 1.28
>    BASE_NAME                      = EnrollDefaultKeys
>    FILE_GUID                      = A0BAA8A3-041D-48A8-BC87-C36D121B5E3D
>    MODULE_TYPE                    = UEFI_APPLICATION
>    VERSION_STRING                 = 0.1
>    ENTRY_POINT                    = ShellCEntryLib
>  
>  [Sources]
> +  AuthData.c
>    EnrollDefaultKeys.c
>    EnrollDefaultKeys.h
>  
>  [Packages]
>    MdeModulePkg/MdeModulePkg.dec
>    MdePkg/MdePkg.dec
>    SecurityPkg/SecurityPkg.dec
>    ShellPkg/ShellPkg.dec
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
> index 9bcd87ff4f44..07f4aa04e469 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
> @@ -1,10 +1,11 @@
>  /** @file
> -  Type definitions for the EnrollDefaultKeys application.
> +  Type definitions and object declarations for the EnrollDefaultKeys
> +  application.
>  
>    Copyright (C) 2014-2019, Red Hat, Inc.
>  
>    SPDX-License-Identifier: BSD-2-Clause-Patent
>  **/
>  
>  #ifndef ENROLL_DEFAULT_KEYS_H_
>  #define ENROLL_DEFAULT_KEYS_H_
> @@ -113,9 +114,30 @@ typedef struct {
>  typedef struct {
>    UINT8 SetupMode;
>    UINT8 SecureBoot;
>    UINT8 SecureBootEnable;
>    UINT8 CustomMode;
>    UINT8 VendorKeys;
>  } SETTINGS;
>  
> +
> +//
> +// Refer to "AuthData.c" for details on the following objects.
> +//
> +extern CONST UINT8 mRedHatPkKek1[];
> +extern CONST UINTN mSizeOfRedHatPkKek1;
> +
> +extern CONST UINT8 mMicrosoftKek[];
> +extern CONST UINTN mSizeOfMicrosoftKek;
> +
> +extern CONST UINT8 mMicrosoftPca[];
> +extern CONST UINTN mSizeOfMicrosoftPca;
> +
> +extern CONST UINT8 mMicrosoftUefiCa[];
> +extern CONST UINTN mSizeOfMicrosoftUefiCa;
> +
> +extern CONST UINT8 mSha256OfDevNull[];
> +extern CONST UINTN mSizeOfSha256OfDevNull;
> +
> +extern CONST EFI_GUID mMicrosoftOwnerGuid;
> +
>  #endif /* ENROLL_DEFAULT_KEYS_H_ */
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/AuthData.c
> similarity index 74%
> copy from OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> copy to OvmfPkg/EnrollDefaultKeys/AuthData.c
> index fefea6638887..e0a543785fb5 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> +++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c
> @@ -1,35 +1,27 @@
>  /** @file
> -  Enroll default PK, KEK, db, dbx.
> +  Certificate and signature constants for the EnrollDefaultKeys application.
>  
>    Copyright (C) 2014-2019, Red Hat, Inc.
>  
>    SPDX-License-Identifier: BSD-2-Clause-Patent
>  **/
> -#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
> -#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
> -#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
> -#include <Library/BaseMemoryLib.h>               // CopyGuid()
> -#include <Library/DebugLib.h>                    // ASSERT()
> -#include <Library/MemoryAllocationLib.h>         // FreePool()
> -#include <Library/ShellCEntryLib.h>              // ShellAppMain()
> -#include <Library/UefiLib.h>                     // AsciiPrint()
> -#include <Library/UefiRuntimeServicesTableLib.h> // gRT
>  
>  #include "EnrollDefaultKeys.h"
>  
> +
>  //
>  // We'll use the certificate below as both Platform Key and as first Key
>  // Exchange Key.
>  //
>  // "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
>  // SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
>  //
> -STATIC CONST UINT8 mRedHatPkKek1[] = {
> +CONST UINT8 mRedHatPkKek1[] = {
>    0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, 0x02,
>    0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, 0x0d,
>    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
>    0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22,
>    0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
>    0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45,
>    0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06,
>    0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73,
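Review bot: each certificate blob in this file is identified in its comment by SHA-1 fingerprint only (e.g. "SHA1: fd:fc:7f:3c:7e:f3:..."); since the motivation for moving these to "AuthData.c" is that they are rarely looked at, recording the SHA-256 fingerprint as well (openssl x509 -inform DER -noout -fingerprint -sha256 over the same bytes) would let a reviewer confirm the embedded DER against the published Red Hat and Microsoft certificates without relying on SHA-1. It would also help to state in the file header how the arrays were generated (e.g. xxd -i over the .der files), so they can be regenerated and diffed rather than eyeballed.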
> @@ -94,23 +86,26 @@ STATIC CONST UINT8 mRedHatPkKek1[] = {
>    0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, 0x90,
>    0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, 0xaf,
>    0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, 0x37,
>    0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, 0xb7,
>    0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, 0x43,
>    0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69
>  };
>  
> +CONST UINTN mSizeOfRedHatPkKek1 = sizeof mRedHatPkKek1;
> +
> +
>  //
>  // Second KEK: "Microsoft Corporation KEK CA 2011".
>  // SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
>  //
>  // "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
>  //
> -STATIC CONST UINT8 mMicrosoftKek[] = {
> +CONST UINT8 mMicrosoftKek[] = {
>    0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
>    0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
>    0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
>    0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
>    0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
>    0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
>    0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
>    0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
> @@ -220,24 +215,27 @@ STATIC CONST UINT8 mMicrosoftKek[] = {
>    0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
>    0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
>    0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
>    0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
>    0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
>    0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
>  };
>  
> +CONST UINTN mSizeOfMicrosoftKek = sizeof mMicrosoftKek;
> +
> +
>  //
>  // First DB entry: "Microsoft Windows Production PCA 2011"
>  // SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
>  //
>  // Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
>  // rooted in this certificate.
>  //
> -STATIC CONST UINT8 mMicrosoftPca[] = {
> +CONST UINT8 mMicrosoftPca[] = {
>    0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
>    0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
>    0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
>    0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
>    0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
>    0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
>    0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
>    0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
> @@ -346,23 +344,26 @@ STATIC CONST UINT8 mMicrosoftPca[] = {
>    0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
>    0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
>    0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
>    0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
>    0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
>    0x62, 0x1c, 0x59, 0x7e
>  };
>  
> +CONST UINTN mSizeOfMicrosoftPca = sizeof mMicrosoftPca;
> +
> +
>  //
>  // Second DB entry: "Microsoft Corporation UEFI CA 2011"
>  // SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
>  //
>  // To verify the "shim" binary and PCI expansion ROMs with.
>  //
> -STATIC CONST UINT8 mMicrosoftUefiCa[] = {
> +CONST UINT8 mMicrosoftUefiCa[] = {
>    0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
>    0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
>    0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
>    0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
>    0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
>    0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
>    0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
>    0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
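Review bot: the comment carried over with mMicrosoftPca says the Windows boot loaders are signed with a chain "rooted in this certificate", but the DER bytes say otherwise: the issuer Name that follows the sha256WithRSA OID (`0x30, 0x81, 0x88, ...`, spelled out in full where the same array is removed from EnrollDefaultKeys.c further down) has CN "Microsoft Root Certificate Authority 2010", so "Microsoft Windows Production PCA 2011" is an intermediate CA, not a root. Enrolling it in db works because image verification accepts an image whose signing chain contains a db certificate, not only one whose chain terminates in it. Suggest "signed with a chain that includes this certificate" so nobody reads the comment as a requirement to put the Microsoft root into db. The same wording fits the "Microsoft Corporation UEFI CA 2011" entry below, whose issuer Name is the same 0x91-byte structure as the KEK CA's, i.e. it is likewise issued by a Microsoft root rather than being one.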
> @@ -475,16 +476,19 @@ STATIC CONST UINT8 mMicrosoftUefiCa[] = {
>    0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
>    0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
>    0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
>    0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
>    0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
>    0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
>  };
>  
> +CONST UINTN mSizeOfMicrosoftUefiCa = sizeof mMicrosoftUefiCa;
> +
> +
>  //
>  // The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test case
>  // of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit
>  // expects that the "dbx" variable exist.
>  //
>  // The article at <https://technet.microsoft.com/en-us/library/dn747883.aspx>
>  // writes (excerpt):
>  //
> @@ -507,22 +511,25 @@ STATIC CONST UINT8 mMicrosoftUefiCa[] = {
>  //
>  // Technically speaking, we could also capture an official (although soon to be
>  // obsolete) dbx update from <http://www.uefi.org/revocationlistfile>. However,
>  // the terms and conditions on distributing that binary aren't exactly light
>  // reading, so let's best steer clear of it, and follow the "dummy entry"
>  // practice recommended -- in natural English langauge -- in the
>  // above-referenced TechNet article.
>  //
> -STATIC CONST UINT8 mSha256OfDevNull[] = {
> +CONST UINT8 mSha256OfDevNull[] = {
>    0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99,
>    0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95,
>    0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
>  };
>  
> +CONST UINTN mSizeOfSha256OfDevNull = sizeof mSha256OfDevNull;
> +
> +
>  //
>  // The following test cases of the Secure Boot Logo Test in the Microsoft
>  // Hardware Certification Kit:
>  //
>  // - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
>  // - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
>  //
>  // expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
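Review bot: the comment block at the top of this hunk still carries the typo "langauge" (for "language"); since the copy creates this file from scratch, this is the place to fix it. On the data: the 32 bytes starting `0xe3, 0xb0, 0xc4, 0x42` are the SHA-256 of zero-length input, which is a good inert dbx entry because dbx SHA-256 entries are compared against the Authenticode hash of a PE image, and no image hashes to the empty-input digest. Two small suggestions: declare the array with an explicit bound, `CONST UINT8 mSha256OfDevNull[32]`, so an over-long initializer is rejected at compile time rather than silently changing the EFI_SIGNATURE_DATA size, and say in the comment that this is the empty-input digest and not the hash of any real binary, so a later reader does not try to "update" it to a real revocation.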
> @@ -535,375 +542,12 @@ STATIC CONST UINT8 mSha256OfDevNull[] = {
>  // - "Microsoft Corporation UEFI CA 2011" (in db)
>  //
>  // This is despite the fact that the UEFI specification requires
>  // EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
>  // application or driver) that enrolled and therefore owns
>  // EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
>  // EFI_SIGNATURE_DATA.SignatureData.
>  //
> -STATIC CONST EFI_GUID mMicrosoftOwnerGuid = {
> +CONST EFI_GUID mMicrosoftOwnerGuid = {
>    0x77fa9abd, 0x0359, 0x4d32,
>    { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
>  };
> -
> -/**
> -  Enroll a set of certificates in a global variable, overwriting it.
> -
> -  The variable will be rewritten with NV+BS+RT+AT attributes.
> -
> -  @param[in] VariableName  The name of the variable to overwrite.
> -
> -  @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
> -                           overwrite.
> -
> -  @param[in] CertType      The GUID determining the type of all the
> -                           certificates in the set that is passed in. For
> -                           example, gEfiCertX509Guid stands for DER-encoded
> -                           X.509 certificates, while gEfiCertSha256Guid stands
> -                           for SHA256 image hashes.
> -
> -  @param[in] ...           A list of
> -
> -                             IN CONST UINT8    *Cert,
> -                             IN UINTN          CertSize,
> -                             IN CONST EFI_GUID *OwnerGuid
> -
> -                           triplets. If the first component of a triplet is
> -                           NULL, then the other two components are not
> -                           accessed, and processing is terminated. The list of
> -                           certificates is enrolled in the variable specified,
> -                           overwriting it. The OwnerGuid component identifies
> -                           the agent installing the certificate.
> -
> -  @retval EFI_INVALID_PARAMETER  The triplet list is empty (ie. the first Cert
> -                                 value is NULL), or one of the CertSize values
> -                                 is 0, or one of the CertSize values would
> -                                 overflow the accumulated UINT32 data size.
> -
> -  @retval EFI_OUT_OF_RESOURCES   Out of memory while formatting variable
> -                                 payload.
> -
> -  @retval EFI_SUCCESS            Enrollment successful; the variable has been
> -                                 overwritten (or created).
> -
> -  @return                        Error codes from gRT->GetTime() and
> -                                 gRT->SetVariable().
> -**/
> -STATIC
> -EFI_STATUS
> -EFIAPI
> -EnrollListOfCerts (
> -  IN CHAR16   *VariableName,
> -  IN EFI_GUID *VendorGuid,
> -  IN EFI_GUID *CertType,
> -  ...
> -  )
> -{
> -  UINTN            DataSize;
> -  SINGLE_HEADER    *SingleHeader;
> -  REPEATING_HEADER *RepeatingHeader;
> -  VA_LIST          Marker;
> -  CONST UINT8      *Cert;
> -  EFI_STATUS       Status;
> -  UINT8            *Data;
> -  UINT8            *Position;
> -
> -  Status = EFI_SUCCESS;
> -
> -  //
> -  // compute total size first, for UINT32 range check, and allocation
> -  //
> -  DataSize = sizeof *SingleHeader;
> -  VA_START (Marker, CertType);
> -  for (Cert = VA_ARG (Marker, CONST UINT8 *);
> -       Cert != NULL;
> -       Cert = VA_ARG (Marker, CONST UINT8 *)) {
> -    UINTN          CertSize;
> -
> -    CertSize = VA_ARG (Marker, UINTN);
> -    (VOID)VA_ARG (Marker, CONST EFI_GUID *);
> -
> -    if (CertSize == 0 ||
> -        CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||
> -        DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {
> -      Status = EFI_INVALID_PARAMETER;
> -      break;
> -    }
> -    DataSize += sizeof *RepeatingHeader + CertSize;
> -  }
> -  VA_END (Marker);
> -
> -  if (DataSize == sizeof *SingleHeader) {
> -    Status = EFI_INVALID_PARAMETER;
> -  }
> -  if (EFI_ERROR (Status)) {
> -    goto Out;
> -  }
> -
> -  Data = AllocatePool (DataSize);
> -  if (Data == NULL) {
> -    Status = EFI_OUT_OF_RESOURCES;
> -    goto Out;
> -  }
> -
> -  Position = Data;
> -
> -  SingleHeader = (SINGLE_HEADER *)Position;
> -  Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);
> -  if (EFI_ERROR (Status)) {
> -    goto FreeData;
> -  }
> -  SingleHeader->TimeStamp.Pad1       = 0;
> -  SingleHeader->TimeStamp.Nanosecond = 0;
> -  SingleHeader->TimeStamp.TimeZone   = 0;
> -  SingleHeader->TimeStamp.Daylight   = 0;
> -  SingleHeader->TimeStamp.Pad2       = 0;
> -#if 0
> -  SingleHeader->dwLength         = DataSize - sizeof SingleHeader->TimeStamp;
> -#else
> -  //
> -  // This looks like a bug in edk2. According to the UEFI specification,
> -  // dwLength is "The length of the entire certificate, including the length of
> -  // the header, in bytes". That shouldn't stop right after CertType -- it
> -  // should include everything below it.
> -  //
> -  SingleHeader->dwLength         = sizeof *SingleHeader
> -                                     - sizeof SingleHeader->TimeStamp;
> -#endif
> -  SingleHeader->wRevision        = 0x0200;
> -  SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;
> -  CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);
> -  Position += sizeof *SingleHeader;
> -
> -  VA_START (Marker, CertType);
> -  for (Cert = VA_ARG (Marker, CONST UINT8 *);
> -       Cert != NULL;
> -       Cert = VA_ARG (Marker, CONST UINT8 *)) {
> -    UINTN            CertSize;
> -    CONST EFI_GUID   *OwnerGuid;
> -
> -    CertSize  = VA_ARG (Marker, UINTN);
> -    OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
> -
> -    RepeatingHeader = (REPEATING_HEADER *)Position;
> -    CopyGuid (&RepeatingHeader->SignatureType, CertType);
> -    RepeatingHeader->SignatureListSize   =
> -      (UINT32)(sizeof *RepeatingHeader + CertSize);
> -    RepeatingHeader->SignatureHeaderSize = 0;
> -    RepeatingHeader->SignatureSize       =
> -      (UINT32)(sizeof RepeatingHeader->SignatureOwner + CertSize);
> -    CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);
> -    Position += sizeof *RepeatingHeader;
> -
> -    CopyMem (Position, Cert, CertSize);
> -    Position += CertSize;
> -  }
> -  VA_END (Marker);
> -
> -  ASSERT (Data + DataSize == Position);
> -
> -  Status = gRT->SetVariable (VariableName, VendorGuid,
> -                  (EFI_VARIABLE_NON_VOLATILE |
> -                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
> -                   EFI_VARIABLE_RUNTIME_ACCESS |
> -                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
> -                  DataSize, Data);
> -
> -FreeData:
> -  FreePool (Data);
> -
> -Out:
> -  if (EFI_ERROR (Status)) {
> -    AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
> -      VendorGuid, Status);
> -  }
> -  return Status;
> -}
> -
> -
> -STATIC
> -EFI_STATUS
> -GetExact (
> -  IN CHAR16   *VariableName,
> -  IN EFI_GUID *VendorGuid,
> -  OUT VOID    *Data,
> -  IN UINTN    DataSize,
> -  IN BOOLEAN  AllowMissing
> -  )
> -{
> -  UINTN      Size;
> -  EFI_STATUS Status;
> -
> -  Size = DataSize;
> -  Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);
> -  if (EFI_ERROR (Status)) {
> -    if (Status == EFI_NOT_FOUND && AllowMissing) {
> -      ZeroMem (Data, DataSize);
> -      return EFI_SUCCESS;
> -    }
> -
> -    AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,
> -      VendorGuid, Status);
> -    return Status;
> -  }
> -
> -  if (Size != DataSize) {
> -    AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
> -      "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
> -    return EFI_PROTOCOL_ERROR;
> -  }
> -
> -  return EFI_SUCCESS;
> -}
> -
> -STATIC
> -EFI_STATUS
> -GetSettings (
> -  OUT SETTINGS *Settings
> -  )
> -{
> -  EFI_STATUS Status;
> -
> -  Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
> -             &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
> -  if (EFI_ERROR (Status)) {
> -    return Status;
> -  }
> -
> -  Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,
> -             &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);
> -  if (EFI_ERROR (Status)) {
> -    return Status;
> -  }
> -
> -  Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,
> -             &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,
> -             sizeof Settings->SecureBootEnable, TRUE);
> -  if (EFI_ERROR (Status)) {
> -    return Status;
> -  }
> -
> -  Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
> -             &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);
> -  if (EFI_ERROR (Status)) {
> -    return Status;
> -  }
> -
> -  Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
> -             &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
> -  return Status;
> -}
> -
> -STATIC
> -VOID
> -PrintSettings (
> -  IN CONST SETTINGS *Settings
> -  )
> -{
> -  AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
> -    "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
> -    Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
> -}
> -
> -
> -INTN
> -EFIAPI
> -ShellAppMain (
> -  IN UINTN  Argc,
> -  IN CHAR16 **Argv
> -  )
> -{
> -  EFI_STATUS Status;
> -  SETTINGS   Settings;
> -
> -  Status = GetSettings (&Settings);
> -  if (EFI_ERROR (Status)) {
> -    return 1;
> -  }
> -  PrintSettings (&Settings);
> -
> -  if (Settings.SetupMode != 1) {
> -    AsciiPrint ("error: already in User Mode\n");
> -    return 1;
> -  }
> -
> -  if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
> -    Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
> -    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
> -                    (EFI_VARIABLE_NON_VOLATILE |
> -                     EFI_VARIABLE_BOOTSERVICE_ACCESS),
> -                    sizeof Settings.CustomMode, &Settings.CustomMode);
> -    if (EFI_ERROR (Status)) {
> -      AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
> -        &gEfiCustomModeEnableGuid, Status);
> -      return 1;
> -    }
> -  }
> -
> -  Status = EnrollListOfCerts (
> -             EFI_IMAGE_SECURITY_DATABASE,
> -             &gEfiImageSecurityDatabaseGuid,
> -             &gEfiCertX509Guid,
> -             mMicrosoftPca,    sizeof mMicrosoftPca,    &mMicrosoftOwnerGuid,
> -             mMicrosoftUefiCa, sizeof mMicrosoftUefiCa, &mMicrosoftOwnerGuid,
> -             NULL);
> -  if (EFI_ERROR (Status)) {
> -    return 1;
> -  }
> -
> -  Status = EnrollListOfCerts (
> -             EFI_IMAGE_SECURITY_DATABASE1,
> -             &gEfiImageSecurityDatabaseGuid,
> -             &gEfiCertSha256Guid,
> -             mSha256OfDevNull, sizeof mSha256OfDevNull, &gEfiCallerIdGuid,
> -             NULL);
> -  if (EFI_ERROR (Status)) {
> -    return 1;
> -  }
> -
> -  Status = EnrollListOfCerts (
> -             EFI_KEY_EXCHANGE_KEY_NAME,
> -             &gEfiGlobalVariableGuid,
> -             &gEfiCertX509Guid,
> -             mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiCallerIdGuid,
> -             mMicrosoftKek, sizeof mMicrosoftKek, &mMicrosoftOwnerGuid,
> -             NULL);
> -  if (EFI_ERROR (Status)) {
> -    return 1;
> -  }
> -
> -  Status = EnrollListOfCerts (
> -             EFI_PLATFORM_KEY_NAME,
> -             &gEfiGlobalVariableGuid,
> -             &gEfiCertX509Guid,
> -             mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiGlobalVariableGuid,
> -             NULL);
> -  if (EFI_ERROR (Status)) {
> -    return 1;
> -  }
> -
> -  Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
> -  Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
> -                  EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> -                  sizeof Settings.CustomMode, &Settings.CustomMode);
> -  if (EFI_ERROR (Status)) {
> -    AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
> -      &gEfiCustomModeEnableGuid, Status);
> -    return 1;
> -  }
> -
> -  Status = GetSettings (&Settings);
> -  if (EFI_ERROR (Status)) {
> -    return 1;
> -  }
> -  PrintSettings (&Settings);
> -
> -  if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
> -      Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
> -      Settings.VendorKeys != 0) {
> -    AsciiPrint ("error: unexpected\n");
> -    return 1;
> -  }
> -
> -  AsciiPrint ("info: success\n");
> -  return 0;
> -}
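Review bot: the enrollment calls in the ShellAppMain body removed here pass `sizeof mMicrosoftPca`, `sizeof mMicrosoftUefiCa`, `sizeof mSha256OfDevNull`, `sizeof mRedHatPkKek1` and `sizeof mMicrosoftKek` as the CertSize arguments; wherever those calls land after the split they must switch to the mSizeOf* objects, because `sizeof` cannot be applied to the `extern CONST UINT8 x[]` declarations the header will carry. Counterparts are visible in this file for the Microsoft certificates and the dbx hash, but none for mRedHatPkKek1; please double-check that `mSizeOfRedHatPkKek1` (or equivalent) exists, otherwise the KEK and PK enrollment calls will not compile. Also, with STATIC dropped from mMicrosoftOwnerGuid, the comment above it (SignatureOwner deliberately set to a Microsoft GUID to satisfy the HCK tests, contrary to the spec's "agent that enrolled" wording) is something the consumer of the extern declaration needs to see as well, so a short pointer next to the declaration in the header would help.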
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> index fefea6638887..528718b15ae9 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> @@ -12,544 +12,16 @@
>  #include <Library/DebugLib.h>                    // ASSERT()
>  #include <Library/MemoryAllocationLib.h>         // FreePool()
>  #include <Library/ShellCEntryLib.h>              // ShellAppMain()
>  #include <Library/UefiLib.h>                     // AsciiPrint()
>  #include <Library/UefiRuntimeServicesTableLib.h> // gRT
>  
>  #include "EnrollDefaultKeys.h"
>  
> -//
> -// We'll use the certificate below as both Platform Key and as first Key
> -// Exchange Key.
> -//
> -// "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
> -// SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
> -//
> -STATIC CONST UINT8 mRedHatPkKek1[] = {
> -  0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, 0x02,
> -  0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, 0x0d,
> -  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
> -  0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22,
> -  0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
> -  0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45,
> -  0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06,
> -  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73,
> -  0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61,
> -  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
> -  0x33, 0x31, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, 0x37,
> -  0x31, 0x30, 0x32, 0x35, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x30, 0x51,
> -  0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x52, 0x65,
> -  0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20,
> -  0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45, 0x4b, 0x20,
> -  0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a,
> -  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,
> -  0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, 0x2e,
> -  0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
> -  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
> -  0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x90, 0x1f, 0x84,
> -  0x7b, 0x8d, 0xbc, 0xeb, 0x97, 0x26, 0x82, 0x6d, 0x88, 0xab, 0x8a, 0xc9, 0x8c,
> -  0x68, 0x70, 0xf9, 0xdf, 0x4b, 0x07, 0xb2, 0x37, 0x83, 0x0b, 0x02, 0xc8, 0x67,
> -  0x68, 0x30, 0x9e, 0xe3, 0xf0, 0xf0, 0x99, 0x4a, 0xb8, 0x59, 0x57, 0xc6, 0x41,
> -  0xf6, 0x38, 0x8b, 0xfe, 0x66, 0x4c, 0x49, 0xe9, 0x37, 0x37, 0x92, 0x2e, 0x98,
> -  0x01, 0x1e, 0x5b, 0x14, 0x50, 0xe6, 0xa8, 0x8d, 0x25, 0x0d, 0xf5, 0x86, 0xe6,
> -  0xab, 0x30, 0xcb, 0x40, 0x16, 0xea, 0x8d, 0x8b, 0x16, 0x86, 0x70, 0x43, 0x37,
> -  0xf2, 0xce, 0xc0, 0x91, 0xdf, 0x71, 0x14, 0x8e, 0x99, 0x0e, 0x89, 0xb6, 0x4c,
> -  0x6d, 0x24, 0x1e, 0x8c, 0xe4, 0x2f, 0x4f, 0x25, 0xd0, 0xba, 0x06, 0xf8, 0xc6,
> -  0xe8, 0x19, 0x18, 0x76, 0x73, 0x1d, 0x81, 0x6d, 0xa8, 0xd8, 0x05, 0xcf, 0x3a,
> -  0xc8, 0x7b, 0x28, 0xc8, 0x36, 0xa3, 0x16, 0x0d, 0x29, 0x8c, 0x99, 0x9a, 0x68,
> -  0xdc, 0xab, 0xc0, 0x4d, 0x8d, 0xbf, 0x5a, 0xbb, 0x2b, 0xa9, 0x39, 0x4b, 0x04,
> -  0x97, 0x1c, 0xf9, 0x36, 0xbb, 0xc5, 0x3a, 0x86, 0x04, 0xae, 0xaf, 0xd4, 0x82,
> -  0x7b, 0xe0, 0xab, 0xde, 0x49, 0x05, 0x68, 0xfc, 0xf6, 0xae, 0x68, 0x1a, 0x6c,
> -  0x90, 0x4d, 0x57, 0x19, 0x3c, 0x64, 0x66, 0x03, 0xf6, 0xc7, 0x52, 0x9b, 0xf7,
> -  0x94, 0xcf, 0x93, 0x6a, 0xa1, 0x68, 0xc9, 0xaa, 0xcf, 0x99, 0x6b, 0xbc, 0xaa,
> -  0x5e, 0x08, 0xe7, 0x39, 0x1c, 0xf7, 0xf8, 0x0f, 0xba, 0x06, 0x7e, 0xf1, 0xcb,
> -  0xe8, 0x76, 0xdd, 0xfe, 0x22, 0xda, 0xad, 0x3a, 0x5e, 0x5b, 0x34, 0xea, 0xb3,
> -  0xc9, 0xe0, 0x4d, 0x04, 0x29, 0x7e, 0xb8, 0x60, 0xb9, 0x05, 0xef, 0xb5, 0xd9,
> -  0x17, 0x58, 0x56, 0x16, 0x60, 0xb9, 0x30, 0x32, 0xf0, 0x36, 0x4a, 0xc3, 0xf2,
> -  0x79, 0x8d, 0x12, 0x40, 0x70, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x7b,
> -  0x30, 0x79, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00,
> -  0x30, 0x2c, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x0d,
> -  0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, 0x47,
> -  0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72, 0x74,
> -  0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
> -  0x0e, 0x04, 0x16, 0x04, 0x14, 0x3c, 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a,
> -  0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42, 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30,
> -  0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x3c,
> -  0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a, 0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42,
> -  0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
> -  0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
> -  0x5c, 0x4d, 0x92, 0x88, 0xb4, 0x82, 0x5f, 0x1d, 0xad, 0x8b, 0x11, 0xec, 0xdf,
> -  0x06, 0xa6, 0x7a, 0xa5, 0x2b, 0x9f, 0x37, 0x55, 0x0c, 0x8d, 0x6e, 0x05, 0x00,
> -  0xad, 0xb7, 0x0c, 0x41, 0x89, 0x69, 0xcf, 0xd6, 0x65, 0x06, 0x9b, 0x51, 0x78,
> -  0xd2, 0xad, 0xc7, 0xbf, 0x9c, 0xdc, 0x05, 0x73, 0x7f, 0xe7, 0x1e, 0x39, 0x13,
> -  0xb4, 0xea, 0xb6, 0x30, 0x7d, 0x40, 0x75, 0xab, 0x9c, 0x43, 0x0b, 0xdf, 0xb0,
> -  0xc2, 0x1b, 0xbf, 0x30, 0xe0, 0xf4, 0xfe, 0xc0, 0xdb, 0x62, 0x21, 0x98, 0xf6,
> -  0xc5, 0xaf, 0xde, 0x3b, 0x4f, 0x49, 0x0a, 0xe6, 0x1e, 0xf9, 0x86, 0xb0, 0x3f,
> -  0x0d, 0xd6, 0xd4, 0x46, 0x37, 0xdb, 0x54, 0x74, 0x5e, 0xff, 0x11, 0xc2, 0x60,
> -  0xc6, 0x70, 0x58, 0xc5, 0x1c, 0x6f, 0xec, 0xb2, 0xd8, 0x6e, 0x6f, 0xc3, 0xbc,
> -  0x33, 0x87, 0x38, 0xa4, 0xf3, 0x44, 0x64, 0x9c, 0x34, 0x3b, 0x28, 0x94, 0x26,
> -  0x78, 0x27, 0x9f, 0x16, 0x17, 0xe8, 0x3b, 0x69, 0x0a, 0x25, 0xa9, 0x73, 0x36,
> -  0x7e, 0x9e, 0x37, 0x5c, 0xec, 0xe8, 0x3f, 0xdb, 0x91, 0xf9, 0x12, 0xb3, 0x3d,
> -  0xce, 0xe7, 0xdd, 0x15, 0xc3, 0xae, 0x8c, 0x05, 0x20, 0x61, 0x9b, 0x95, 0xde,
> -  0x9b, 0xaf, 0xfa, 0xb1, 0x5c, 0x1c, 0xe5, 0x97, 0xe7, 0xc3, 0x34, 0x11, 0x85,
> -  0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, 0x90,
> -  0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, 0xaf,
> -  0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, 0x37,
> -  0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, 0xb7,
> -  0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, 0x43,
> -  0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69
> -};
> -
> -//
> -// Second KEK: "Microsoft Corporation KEK CA 2011".
> -// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
> -//
> -// "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
> -//
> -STATIC CONST UINT8 mMicrosoftKek[] = {
> -  0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
> -  0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
> -  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
> -  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
> -  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
> -  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
> -  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
> -  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
> -  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
> -  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
> -  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
> -  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
> -  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
> -  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
> -  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
> -  0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32,
> -  0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, 0x30,
> -  0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
> -  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
> -  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
> -  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
> -  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
> -  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
> -  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06,
> -  0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
> -  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
> -  0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31,
> -  0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
> -  0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
> -  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, 0xad,
> -  0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, 0x5d,
> -  0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, 0xeb,
> -  0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, 0xe3,
> -  0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, 0x9b,
> -  0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, 0xac,
> -  0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, 0xc8,
> -  0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, 0xc0,
> -  0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, 0xe2,
> -  0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, 0x89,
> -  0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, 0xc2,
> -  0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, 0x03,
> -  0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, 0x7e,
> -  0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, 0xeb,
> -  0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, 0x2f,
> -  0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, 0xaa,
> -  0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, 0x9f,
> -  0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, 0xc6,
> -  0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, 0xaf,
> -  0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, 0x07,
> -  0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, 0x30,
> -  0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
> -  0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,
> -  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, 0xa4,
> -  0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, 0x5f,
> -  0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02,
> -  0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
> -  0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01,
> -  0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
> -  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
> -  0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, 0x11,
> -  0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, 0x30,
> -  0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, 0xa0,
> -  0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
> -  0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e,
> -  0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70,
> -  0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f,
> -  0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f,
> -  0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63,
> -  0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01,
> -  0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
> -  0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
> -  0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
> -  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, 0x74,
> -  0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61,
> -  0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d,
> -  0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09,
> -  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
> -  0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, 0x2a,
> -  0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, 0x66,
> -  0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, 0x5a,
> -  0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, 0x64,
> -  0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, 0x58,
> -  0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, 0xd0,
> -  0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, 0xf5,
> -  0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, 0xec,
> -  0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, 0xd7,
> -  0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, 0x28,
> -  0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, 0x79,
> -  0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, 0x7b,
> -  0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, 0xd8,
> -  0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, 0x19,
> -  0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, 0x58,
> -  0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, 0x0d,
> -  0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, 0x2d,
> -  0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, 0xc8,
> -  0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, 0x60,
> -  0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, 0xac,
> -  0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, 0x87,
> -  0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, 0xcd,
> -  0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, 0x81,
> -  0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, 0x92,
> -  0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, 0xe0,
> -  0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, 0xaf,
> -  0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, 0xfb,
> -  0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, 0x68,
> -  0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, 0xad,
> -  0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, 0x82,
> -  0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, 0x14,
> -  0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, 0x4f,
> -  0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, 0x9b,
> -  0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, 0xb0,
> -  0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
> -  0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
> -  0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
> -  0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
> -  0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
> -  0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
> -};
> -
> -//
> -// First DB entry: "Microsoft Windows Production PCA 2011"
> -// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
> -//
> -// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
> -// rooted in this certificate.
> -//
> -STATIC CONST UINT8 mMicrosoftPca[] = {
> -  0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
> -  0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
> -  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
> -  0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
> -  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
> -  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
> -  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
> -  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
> -  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
> -  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30,
> -  0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f,
> -  0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72,
> -  0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
> -  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17,
> -  0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, 0x32,
> -  0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, 0x31,
> -  0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
> -  0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
> -  0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f,
> -  0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52,
> -  0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55,
> -  0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
> -  0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31,
> -  0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, 0x63,
> -  0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77,
> -  0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20,
> -  0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30,
> -  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
> -  0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
> -  0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, 0xf7,
> -  0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, 0xcb,
> -  0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, 0x8b,
> -  0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, 0xe3,
> -  0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, 0xc0,
> -  0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, 0x74,
> -  0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, 0x67,
> -  0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, 0x53,
> -  0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, 0x23,
> -  0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, 0xa3,
> -  0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, 0xff,
> -  0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, 0xe2,
> -  0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, 0x22,
> -  0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, 0xf3,
> -  0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, 0x2b,
> -  0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, 0xbc,
> -  0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, 0xd6,
> -  0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, 0xe8,
> -  0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, 0xa8,
> -  0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, 0x03,
> -  0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, 0x10,
> -  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
> -  0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
> -  0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, 0xf9,
> -  0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, 0x2b,
> -  0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00,
> -  0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03,
> -  0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03,
> -  0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
> -  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
> -  0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, 0x94,
> -  0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, 0x1d,
> -  0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, 0x45,
> -  0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69,
> -  0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
> -  0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63,
> -  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41,
> -  0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33,
> -  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
> -  0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
> -  0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, 0x3a,
> -  0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
> -  0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65,
> -  0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72,
> -  0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32,
> -  0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
> -  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x14,
> -  0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, 0xbc,
> -  0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, 0xd0,
> -  0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, 0x61,
> -  0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, 0xda,
> -  0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, 0x6a,
> -  0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, 0xe2,
> -  0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, 0xea,
> -  0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, 0x30,
> -  0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, 0x86,
> -  0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, 0xc8,
> -  0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, 0xae,
> -  0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, 0xb8,
> -  0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, 0xac,
> -  0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, 0x84,
> -  0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, 0x73,
> -  0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, 0x73,
> -  0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, 0x60,
> -  0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, 0xb6,
> -  0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, 0x2a,
> -  0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, 0xba,
> -  0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, 0xce,
> -  0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, 0x0f,
> -  0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, 0x6e,
> -  0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, 0xd3,
> -  0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, 0x45,
> -  0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, 0xd0,
> -  0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, 0x24,
> -  0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, 0x2c,
> -  0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, 0xdf,
> -  0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, 0x6c,
> -  0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, 0xf2,
> -  0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, 0x5c,
> -  0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, 0x47,
> -  0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, 0x5a,
> -  0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
> -  0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
> -  0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
> -  0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
> -  0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
> -  0x62, 0x1c, 0x59, 0x7e
> -};
> -
> -//
> -// Second DB entry: "Microsoft Corporation UEFI CA 2011"
> -// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
> -//
> -// To verify the "shim" binary and PCI expansion ROMs with.
> -//
> -STATIC CONST UINT8 mMicrosoftUefiCa[] = {
> -  0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
> -  0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
> -  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
> -  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
> -  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
> -  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
> -  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
> -  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
> -  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
> -  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
> -  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
> -  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
> -  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
> -  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
> -  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
> -  0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x32,
> -  0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30,
> -  0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
> -  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
> -  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
> -  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
> -  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
> -  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
> -  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, 0x06,
> -  0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
> -  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
> -  0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31,
> -  0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
> -  0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
> -  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, 0xc7,
> -  0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, 0x43,
> -  0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, 0x73,
> -  0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, 0xd3,
> -  0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, 0x54,
> -  0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, 0x5c,
> -  0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, 0x4f,
> -  0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, 0xae,
> -  0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, 0x1d,
> -  0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, 0xfa,
> -  0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, 0xff,
> -  0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, 0x7b,
> -  0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, 0xe6,
> -  0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, 0x62,
> -  0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, 0x08,
> -  0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, 0xe7,
> -  0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, 0xb2,
> -  0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, 0x7f,
> -  0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, 0x8b,
> -  0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, 0x6a,
> -  0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x76,
> -  0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01,
> -  0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x23,
> -  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, 0x16,
> -  0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, 0x37,
> -  0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, 0x03,
> -  0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, 0xbd,
> -  0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, 0x1b,
> -  0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14,
> -  0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43,
> -  0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
> -  0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
> -  0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
> -  0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58,
> -  0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8,
> -  0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51,
> -  0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
> -  0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
> -  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f,
> -  0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43,
> -  0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f,
> -  0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e,
> -  0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
> -  0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01,
> -  0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
> -  0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
> -  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72,
> -  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50,
> -  0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30,
> -  0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06,
> -  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
> -  0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, 0x76,
> -  0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, 0xef,
> -  0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, 0x13,
> -  0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, 0x82,
> -  0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, 0x1a,
> -  0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, 0x20,
> -  0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, 0x90,
> -  0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, 0x52,
> -  0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, 0x6d,
> -  0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, 0xaf,
> -  0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, 0x49,
> -  0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, 0x34,
> -  0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, 0x75,
> -  0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, 0xb9,
> -  0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, 0x8f,
> -  0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, 0x8c,
> -  0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, 0x56,
> -  0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, 0xae,
> -  0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, 0x4a,
> -  0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, 0x3c,
> -  0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, 0x59,
> -  0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, 0x3d,
> -  0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, 0x53,
> -  0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, 0x1b,
> -  0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, 0x98,
> -  0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, 0x85,
> -  0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, 0xd2,
> -  0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, 0xe2,
> -  0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, 0x6c,
> -  0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, 0x3b,
> -  0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, 0x27,
> -  0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, 0xa6,
> -  0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, 0x3f,
> -  0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, 0x55,
> -  0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
> -  0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
> -  0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
> -  0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
> -  0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
> -  0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
> -};
> -
> -//
> -// The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test case
> -// of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit
> -// expects that the "dbx" variable exist.
> -//
> -// The article at <https://technet.microsoft.com/en-us/library/dn747883.aspx>
> -// writes (excerpt):
> -//
> -//    Windows 8.1 Secure Boot Key Creation and Management Guidance
> -//    1. Secure Boot, Windows 8.1 and Key Management
> -//    1.4 Signature Databases (Db and Dbx)
> -//    1.4.3 Forbidden Signature Database (dbx)
> -//
> -//    The contents of EFI_IMAGE_SIGNATURE_DATABASE1 dbx must be checked when
> -//    verifying images before checking db and any matches must prevent the
> -//    image from executing. The database may contain multiple certificates,
> -//    keys, and hashes in order to identify forbidden images. The Windows
> -//    Hardware Certification Requirements state that a dbx must be present, so
> -//    any dummy value, such as the SHA-256 hash of 0, may be used as a safe
> -//    placeholder until such time as Microsoft begins delivering dbx updates.
> -//
> -// The byte array below captures the SHA256 checksum of the empty file,
> -// blacklisting it for loading & execution. This qualifies as a dummy, since
> -// the empty file is not a valid UEFI binary anyway.
> -//
> -// Technically speaking, we could also capture an official (although soon to be
> -// obsolete) dbx update from <http://www.uefi.org/revocationlistfile>. However,
> -// the terms and conditions on distributing that binary aren't exactly light
> -// reading, so let's best steer clear of it, and follow the "dummy entry"
> -// practice recommended -- in natural English langauge -- in the
> -// above-referenced TechNet article.
> -//
> -STATIC CONST UINT8 mSha256OfDevNull[] = {
> -  0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99,
> -  0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95,
> -  0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
> -};
> -
> -//
> -// The following test cases of the Secure Boot Logo Test in the Microsoft
> -// Hardware Certification Kit:
> -//
> -// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
> -// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
> -//
> -// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
> -// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
> -// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
> -// certificates:
> -//
> -// - "Microsoft Corporation KEK CA 2011" (in KEK)
> -// - "Microsoft Windows Production PCA 2011" (in db)
> -// - "Microsoft Corporation UEFI CA 2011" (in db)
> -//
> -// This is despite the fact that the UEFI specification requires
> -// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
> -// application or driver) that enrolled and therefore owns
> -// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
> -// EFI_SIGNATURE_DATA.SignatureData.
> -//
> -STATIC CONST EFI_GUID mMicrosoftOwnerGuid = {
> -  0x77fa9abd, 0x0359, 0x4d32,
> -  { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
> -};
> -
>  /**
>    Enroll a set of certificates in a global variable, overwriting it.
>  
>    The variable will be rewritten with NV+BS+RT+AT attributes.
>  
>    @param[in] VariableName  The name of the variable to overwrite.
>  
>    @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
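Review bot: the removed comment blocks carry facts a maintainer will need again, namely the SHA1 fingerprints of the three Microsoft certificates, the rationale for seeding dbx with the SHA-256 of the empty file as a dummy entry (citing the TechNet guidance), and the explanation of why SignatureOwner is set to 77FA9ABD-0359-4D32-BD60-28F4E78F784B for the Microsoft entries although the UEFI spec intends that GUID to identify the enrolling agent. Only the deletion side is visible in this hunk; please make sure that text travels with the byte arrays to wherever they now live instead of being dropped, since the SignatureOwner quirk in particular is the kind of thing that gets "fixed" later by someone who does not know it is required by the HCK tests.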
> @@ -838,49 +310,49 @@ ShellAppMain (
>        return 1;
>      }
>    }
>  
>    Status = EnrollListOfCerts (
>               EFI_IMAGE_SECURITY_DATABASE,
>               &gEfiImageSecurityDatabaseGuid,
>               &gEfiCertX509Guid,
> -             mMicrosoftPca,    sizeof mMicrosoftPca,    &mMicrosoftOwnerGuid,
> -             mMicrosoftUefiCa, sizeof mMicrosoftUefiCa, &mMicrosoftOwnerGuid,
> +             mMicrosoftPca,    mSizeOfMicrosoftPca,    &mMicrosoftOwnerGuid,
> +             mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &mMicrosoftOwnerGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>  
>    Status = EnrollListOfCerts (
>               EFI_IMAGE_SECURITY_DATABASE1,
>               &gEfiImageSecurityDatabaseGuid,
>               &gEfiCertSha256Guid,
> -             mSha256OfDevNull, sizeof mSha256OfDevNull, &gEfiCallerIdGuid,
> +             mSha256OfDevNull, mSizeOfSha256OfDevNull, &gEfiCallerIdGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>  
>    Status = EnrollListOfCerts (
>               EFI_KEY_EXCHANGE_KEY_NAME,
>               &gEfiGlobalVariableGuid,
>               &gEfiCertX509Guid,
> -             mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiCallerIdGuid,
> -             mMicrosoftKek, sizeof mMicrosoftKek, &mMicrosoftOwnerGuid,
> +             mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid,
> +             mMicrosoftKek, mSizeOfMicrosoftKek, &mMicrosoftOwnerGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>  
>    Status = EnrollListOfCerts (
>               EFI_PLATFORM_KEY_NAME,
>               &gEfiGlobalVariableGuid,
>               &gEfiCertX509Guid,
> -             mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiGlobalVariableGuid,
> +             mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiGlobalVariableGuid,
>               NULL);

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>

>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>  
>    Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
>    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
>                    EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> 
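Review bot: swapping `sizeof mMicrosoftPca` for `mSizeOfMicrosoftPca` (and likewise for mMicrosoftUefiCa, mSha256OfDevNull, mRedHatPkKek1 and mMicrosoftKek) is unavoidable once the arrays are only declared extern in this unit, but it takes the length out of the compiler's hands. Each mSizeOf* constant should be defined right beside its array, derived with `sizeof` (for example `CONST UINTN mSizeOfMicrosoftPca = sizeof mMicrosoftPca;`), so that re-generating a certificate blob cannot leave a stale byte count behind; a mismatch here would either truncate the DER body placed in EFI_SIGNATURE_DATA.SignatureData or read past the end of the array when the variable is assembled.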

* Re: [edk2-devel] [PATCH 13/16] OvmfPkg/EnrollDefaultKeys: document the steps of the entry point function
  2019-04-27  0:53 ` [PATCH 13/16] OvmfPkg/EnrollDefaultKeys: document the steps of the entry point function Laszlo Ersek
@ 2019-04-29 12:36   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 39+ messages in thread
From: Philippe Mathieu-Daudé @ 2019-04-29 12:36 UTC (permalink / raw)
  To: devel, lersek; +Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> The entry point function of EnrollDefaultKeys finishes with a sanity
> check, verifying the values of the Secure Boot-related "control"
> variables. Add a diagram to explain why we expect the values we do.
> 
> While at it, write comments on the rest of the entry point function.
> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 54 ++++++++++++++++++++
>  1 file changed, 54 insertions(+)
> 
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> index 07297c631f38..9c4a0f06fb4d 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> @@ -356,92 +356,146 @@ EFIAPI
>  ShellAppMain (
>    IN UINTN  Argc,
>    IN CHAR16 **Argv
>    )
>  {
>    EFI_STATUS Status;
>    SETTINGS   Settings;
>  
> +  //
> +  // If we're not in Setup Mode, we can't do anything.
> +  //
>    Status = GetSettings (&Settings);
>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>    PrintSettings (&Settings);
>  
>    if (Settings.SetupMode != 1) {
>      AsciiPrint ("error: already in User Mode\n");
>      return 1;
>    }
>  
> +  //
> +  // Enter Custom Mode so we can enroll PK, KEK, db, and dbx without signature
> +  // checks on those variable writes.
> +  //
>    if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
>      Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
>      Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
>                      (EFI_VARIABLE_NON_VOLATILE |
>                       EFI_VARIABLE_BOOTSERVICE_ACCESS),
>                      sizeof Settings.CustomMode, &Settings.CustomMode);
>      if (EFI_ERROR (Status)) {
>        AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
>          &gEfiCustomModeEnableGuid, Status);
>        return 1;
>      }
>    }
>  
> +  //
> +  // Enroll db.
> +  //
>    Status = EnrollListOfCerts (
>               EFI_IMAGE_SECURITY_DATABASE,
>               &gEfiImageSecurityDatabaseGuid,
>               &gEfiCertX509Guid,
>               mMicrosoftPca,    mSizeOfMicrosoftPca,    &gMicrosoftVendorGuid,
>               mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>  
> +  //
> +  // Enroll dbx.
> +  //
>    Status = EnrollListOfCerts (
>               EFI_IMAGE_SECURITY_DATABASE1,
>               &gEfiImageSecurityDatabaseGuid,
>               &gEfiCertSha256Guid,
>               mSha256OfDevNull, mSizeOfSha256OfDevNull, &gEfiCallerIdGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>  
> +  //
> +  // Enroll KEK.
> +  //
>    Status = EnrollListOfCerts (
>               EFI_KEY_EXCHANGE_KEY_NAME,
>               &gEfiGlobalVariableGuid,
>               &gEfiCertX509Guid,
>               mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid,
>               mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>  
> +  //
> +  // Enroll PK, leaving Setup Mode (entering User Mode) at once.
> +  //
>    Status = EnrollListOfCerts (
>               EFI_PLATFORM_KEY_NAME,
>               &gEfiGlobalVariableGuid,
>               &gEfiCertX509Guid,
>               mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiGlobalVariableGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>  
> +  //
> +  // Leave Custom Mode, so that updates to PK, KEK, db, and dbx require valid
> +  // signatures.
> +  //
>    Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
>    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
>                    EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
>                    sizeof Settings.CustomMode, &Settings.CustomMode);
>    if (EFI_ERROR (Status)) {
>      AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
>        &gEfiCustomModeEnableGuid, Status);
>      return 1;
>    }
>  
> +  //
> +  // Final sanity check:
> +  //
> +  //                                 [SetupMode]
> +  //                        (read-only, standardized by UEFI)
> +  //                                /                \_
> +  //                               0               1, default
> +  //                              /                    \_
> +  //                      PK enrolled                   no PK enrolled yet,
> +  //              (this is called "User Mode")          PK enrollment possible
> +  //                             |
> +  //                             |
> +  //                     [SecureBootEnable]
> +  //         (read-write, edk2-specific, boot service only)
> +  //                /                           \_
> +  //               0                         1, default
> +  //              /                               \_
> +  //       [SecureBoot]=0                     [SecureBoot]=1
> +  // (read-only, standardized by UEFI)  (read-only, standardized by UEFI)
> +  //     images are not verified         images are verified, platform is
> +  //                                      operating in Secure Boot mode
> +  //                                                 |
> +  //                                                 |
> +  //                                           [CustomMode]
> +  //                          (read-write, edk2-specific, boot service only)
> +  //                                /                           \_
> +  //                          0, default                         1
> +  //                              /                               \_
> +  //                      PK, KEK, db, dbx                PK, KEK, db, dbx
> +  //                    updates are verified          updates are not verified
> +  //

Very helpful.

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>

>    Status = GetSettings (&Settings);
>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>    PrintSettings (&Settings);
>  
>    if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
>        Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
> 
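Review bot: in the error path right after the new "Leave Custom Mode" comment, a failing SetVariable(CustomMode) returns 1 with the PK already enrolled a few lines earlier, so the firmware is left in User Mode with CustomMode still 1, i.e. PK, KEK, db and dbx remain updatable without valid signatures until an operator intervenes. Since this patch is about explaining the state machine, one more sentence in that comment (or in the AsciiPrint message) saying that a failure here leaves the platform in that weakened state would be worth adding; the "0, default" branch for CustomMode in the diagram is only reached when this SetVariable succeeds.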

^ permalink raw reply	[flat|nested] 39+ messages in thread

* Re: [edk2-devel] [PATCH 07/16] OvmfPkg/EnrollDefaultKeys: clean up acronym capitalization in identifiers
  2019-04-27  0:53 ` [PATCH 07/16] OvmfPkg/EnrollDefaultKeys: clean up acronym capitalization in identifiers Laszlo Ersek
@ 2019-04-30  5:10   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 39+ messages in thread
From: Philippe Mathieu-Daudé @ 2019-04-30  5:10 UTC (permalink / raw)
  To: devel, lersek; +Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> According to the edk2 coding standards, "[w]hen all letters in an acronym
> are capitalized, it makes the prior and subsequent words visually
> difficult to distinguish".
> 
> Fix the spellings of three acronyms, accordingly:
> - "KEK" (Key Exchange Key) should be written as "Kek", in "mMicrosoftKEK",
> - "CA" (Certificate Authority) should be written as "Ca", in
>   "mMicrosoftUefiCA",
> - "PCA" (Production Certificate Authority) should be written as "Pca", in
>   "mMicrosoftPCA".
> 
> Generate the changes with:
> 
>   sed --regexp-extended --in-place \
>     --expression='s,\<mMicrosoftKEK\>,mMicrosoftKek,g' \
>     --expression='s,\<mMicrosoftUefiCA\>,mMicrosoftUefiCa,g' \
>     --expression='s,\<mMicrosoftPCA\>,mMicrosoftPca,g' \
>     OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> index fb30f4906df7..be0e4d8f8e96 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> @@ -98,17 +98,17 @@ STATIC CONST UINT8 mRedHatPkKek1[] = {
>  };
>  
>  //
>  // Second KEK: "Microsoft Corporation KEK CA 2011".
>  // SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
>  //
>  // "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
>  //
> -STATIC CONST UINT8 mMicrosoftKEK[] = {
> +STATIC CONST UINT8 mMicrosoftKek[] = {
>    0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
>    0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
>    0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
>    0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
>    0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
>    0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
>    0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
>    0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
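Review bot: the renamed identifier keeps its uppercase spelling in the surrounding comment ("Microsoft Corporation KEK CA 2011", likewise in the PCA and UEFI CA hunks below), which is correct: the quoted coding standard covers identifiers, and the comment names the certificate's real subject. One note for anyone re-running the sed command from the commit message: the `\<` / `\>` word anchors and `--regexp-extended` are GNU sed extensions, so the command is not portable to BSD sed.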
> @@ -225,17 +225,17 @@ STATIC CONST UINT8 mMicrosoftKEK[] = {
>  
>  //
>  // First DB entry: "Microsoft Windows Production PCA 2011"
>  // SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
>  //
>  // Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
>  // rooted in this certificate.
>  //
> -STATIC CONST UINT8 mMicrosoftPCA[] = {
> +STATIC CONST UINT8 mMicrosoftPca[] = {
>    0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
>    0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
>    0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
>    0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
>    0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
>    0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
>    0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
>    0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
> @@ -350,17 +350,17 @@ STATIC CONST UINT8 mMicrosoftPCA[] = {
>  };
>  
>  //
>  // Second DB entry: "Microsoft Corporation UEFI CA 2011"
>  // SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
>  //
>  // To verify the "shim" binary and PCI expansion ROMs with.
>  //
> -STATIC CONST UINT8 mMicrosoftUefiCA[] = {
> +STATIC CONST UINT8 mMicrosoftUefiCa[] = {
>    0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
>    0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
>    0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
>    0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
>    0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
>    0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
>    0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
>    0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
> @@ -938,18 +938,18 @@ ShellAppMain (
>        return 1;
>      }
>    }
>  
>    Status = EnrollListOfCerts (
>               EFI_IMAGE_SECURITY_DATABASE,
>               &gEfiImageSecurityDatabaseGuid,
>               &gEfiCertX509Guid,
> -             mMicrosoftPCA,    sizeof mMicrosoftPCA,    &mMicrosoftOwnerGuid,
> -             mMicrosoftUefiCA, sizeof mMicrosoftUefiCA, &mMicrosoftOwnerGuid,
> +             mMicrosoftPca,    sizeof mMicrosoftPca,    &mMicrosoftOwnerGuid,
> +             mMicrosoftUefiCa, sizeof mMicrosoftUefiCa, &mMicrosoftOwnerGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>  
>    Status = EnrollListOfCerts (
>               EFI_IMAGE_SECURITY_DATABASE1,
>               &gEfiImageSecurityDatabaseGuid,
> @@ -960,17 +960,17 @@ ShellAppMain (
>      return 1;
>    }
>  
>    Status = EnrollListOfCerts (
>               EFI_KEY_EXCHANGE_KEY_NAME,
>               &gEfiGlobalVariableGuid,
>               &gEfiCertX509Guid,
>               mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiCallerIdGuid,
> -             mMicrosoftKEK, sizeof mMicrosoftKEK, &mMicrosoftOwnerGuid,
> +             mMicrosoftKek, sizeof mMicrosoftKek, &mMicrosoftOwnerGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>  
>    Status = EnrollListOfCerts (
>               EFI_PLATFORM_KEY_NAME,
>               &gEfiGlobalVariableGuid,
> 

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>


* Re: [edk2-devel] [PATCH 11/16] OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID
  2019-04-27  0:53 ` [PATCH 11/16] OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID Laszlo Ersek
@ 2019-04-30  5:11   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 39+ messages in thread
From: Philippe Mathieu-Daudé @ 2019-04-30  5:11 UTC (permalink / raw)
  To: devel, lersek; +Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> The GUID
> 
>   77FA9ABD-0359-4D32-BD60-28F4E78F784B
> 
> is specified in MSDN, at
> <https://msdn.microsoft.com/en-us/ie/dn932805(v=vs.94)>, therefore it
> deserves an entry in the package DEC file, and a header file under
> "Include/Guid".
> 
> (Arguably, this GUID declaration / definition could even live under
> SecurityPkg, but the edk2 tradition has been to hoist GUIDs,
> protocols/PPIs, and lib classes from OvmfPkg to a core package only when
> dependent C code is added to the core package.)
> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>  OvmfPkg/OvmfPkg.dec                             |  1 +
>  OvmfPkg/Include/Guid/MicrosoftVendor.h          | 55 ++++++++++++++++++++
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |  2 +
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h   |  2 -
>  OvmfPkg/EnrollDefaultKeys/AuthData.c            | 28 ----------
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   |  7 +--
>  6 files changed, 62 insertions(+), 33 deletions(-)
> 
> diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
> index cc2a4909afd4..922e061cc85c 100644
> --- a/OvmfPkg/OvmfPkg.dec
> +++ b/OvmfPkg/OvmfPkg.dec
> @@ -72,16 +72,17 @@ [LibraryClasses]
>  [Guids]
>    gUefiOvmfPkgTokenSpaceGuid          = {0x93bb96af, 0xb9f2, 0x4eb8, {0x94, 0x62, 0xe0, 0xba, 0x74, 0x56, 0x42, 0x36}}
>    gEfiXenInfoGuid                     = {0xd3b46f3b, 0xd441, 0x1244, {0x9a, 0x12, 0x0, 0x12, 0x27, 0x3f, 0xc1, 0x4d}}
>    gOvmfPlatformConfigGuid             = {0x7235c51c, 0x0c80, 0x4cab, {0x87, 0xac, 0x3b, 0x08, 0x4a, 0x63, 0x04, 0xb1}}
>    gVirtioMmioTransportGuid            = {0x837dca9e, 0xe874, 0x4d82, {0xb2, 0x9a, 0x23, 0xfe, 0x0e, 0x23, 0xd1, 0xe2}}
>    gQemuRamfbGuid                      = {0x557423a1, 0x63ab, 0x406c, {0xbe, 0x7e, 0x91, 0xcd, 0xbc, 0x08, 0xc4, 0x57}}
>    gXenBusRootDeviceGuid               = {0xa732241f, 0x383d, 0x4d9c, {0x8a, 0xe1, 0x8e, 0x09, 0x83, 0x75, 0x89, 0xd7}}
>    gRootBridgesConnectedEventGroupGuid = {0x24a2d66f, 0xeedd, 0x4086, {0x90, 0x42, 0xf2, 0x6e, 0x47, 0x97, 0xee, 0x69}}
> +  gMicrosoftVendorGuid                = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}}
>  
>  [Protocols]
>    gVirtioDeviceProtocolGuid           = {0xfa920010, 0x6785, 0x4941, {0xb6, 0xec, 0x49, 0x8c, 0x57, 0x9f, 0x16, 0x0a}}
>    gXenBusProtocolGuid                 = {0x3d3ca290, 0xb9a5, 0x11e3, {0xb7, 0x5d, 0xb8, 0xac, 0x6f, 0x7d, 0x65, 0xe6}}
>    gXenIoProtocolGuid                  = {0x6efac84f, 0x0ab0, 0x4747, {0x81, 0xbe, 0x85, 0x55, 0x62, 0x59, 0x04, 0x49}}
>    gIoMmuAbsentProtocolGuid            = {0xf8775d50, 0x8abd, 0x4adf, {0x92, 0xac, 0x85, 0x3e, 0x51, 0xf6, 0xc8, 0xdc}}
>    gEfiLegacy8259ProtocolGuid          = {0x38321dba, 0x4fe0, 0x4e17, {0x8a, 0xec, 0x41, 0x30, 0x55, 0xea, 0xed, 0xc1}}
>  
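Review bot: the new gMicrosoftVendorGuid value matches field by field both the MICROSOFT_VENDOR_GUID macro in the new header and the mMicrosoftOwnerGuid initializer removed from AuthData.c (0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}). The DEC entry and the header macro are now two copies of the same constant, so future edits need to keep them in sync; a mismatch would not fail the build but would silently break the HCK owner-GUID expectation that the header comment describes.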
> diff --git a/OvmfPkg/Include/Guid/MicrosoftVendor.h b/OvmfPkg/Include/Guid/MicrosoftVendor.h
> new file mode 100644
> index 000000000000..db7a326c3194
> --- /dev/null
> +++ b/OvmfPkg/Include/Guid/MicrosoftVendor.h
> @@ -0,0 +1,55 @@
> +/** @file
> +  Declare the GUID that is expected:
> +
> +  - as EFI_SIGNATURE_DATA.SignatureOwner GUID in association with X509 and
> +    RSA2048 Secure Boot certificates issued by/for Microsoft,
> +
> +  - as UEFI variable vendor GUID in association with (unspecified)
> +    Microsoft-owned variables.
> +
> +  Copyright (C) 2014-2019, Red Hat, Inc.
> +
> +  SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +  @par Specification Reference:
> +  - MSDN: System.Fundamentals.Firmware at
> +    <https://msdn.microsoft.com/en-us/ie/dn932805(v=vs.94)>.
> +**/
> +
> +#ifndef MICROSOFT_VENDOR_H_
> +#define MICROSOFT_VENDOR_H_
> +
> +#include <Uefi/UefiBaseType.h>
> +
> +//
> +// The following test cases of the Secure Boot Logo Test in the Microsoft
> +// Hardware Certification Kit:
> +//
> +// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
> +// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
> +//
> +// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
> +// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
> +// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
> +// certificates:
> +//
> +// - "Microsoft Corporation KEK CA 2011" (in KEK)
> +// - "Microsoft Windows Production PCA 2011" (in db)
> +// - "Microsoft Corporation UEFI CA 2011" (in db)
> +//
> +// This is despite the fact that the UEFI specification requires
> +// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
> +// application or driver) that enrolled and therefore owns
> +// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
> +// EFI_SIGNATURE_DATA.SignatureData.
> +//
> +#define MICROSOFT_VENDOR_GUID                           \
> +  { 0x77fa9abd,                                         \
> +    0x0359,                                             \
> +    0x4d32,                                             \
> +    { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, \
> +  }
> +
> +extern EFI_GUID gMicrosoftVendorGuid;
> +
> +#endif /* MICROSOFT_VENDOR_H_ */
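Review bot: the comment block in this header is the right place for recording that using the issuer's GUID as SignatureOwner departs from the UEFI specification's owner semantics (the enrolling agent), and it explains why the test cases need it. One thing to be aware of: `gMicrosoftVendorGuid` is declared `extern EFI_GUID` rather than `extern CONST EFI_GUID`, whereas the removed `mMicrosoftOwnerGuid` was CONST; that follows the convention for DEC-declared GUIDs, whose definitions are emitted by AutoGen without a CONST qualifier, so it is fine, but the CONST protection is lost at the call sites.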
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> index 3f093c768585..28db52586a9b 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> @@ -17,27 +17,29 @@ [Defines]
>  [Sources]
>    AuthData.c
>    EnrollDefaultKeys.c
>    EnrollDefaultKeys.h
>  
>  [Packages]
>    MdeModulePkg/MdeModulePkg.dec
>    MdePkg/MdePkg.dec
> +  OvmfPkg/OvmfPkg.dec
>    SecurityPkg/SecurityPkg.dec
>    ShellPkg/ShellPkg.dec
>  
>  [Guids]
>    gEfiCertPkcs7Guid
>    gEfiCertSha256Guid
>    gEfiCertX509Guid
>    gEfiCustomModeEnableGuid
>    gEfiGlobalVariableGuid
>    gEfiImageSecurityDatabaseGuid
>    gEfiSecureBootEnableDisableGuid
> +  gMicrosoftVendorGuid
>  
>  [LibraryClasses]
>    BaseMemoryLib
>    DebugLib
>    MemoryAllocationLib
>    ShellCEntryLib
>    UefiLib
>    UefiRuntimeServicesTableLib
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
> index 07f4aa04e469..e3a7e43da4e3 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
> @@ -133,11 +133,9 @@ extern CONST UINT8 mMicrosoftPca[];
>  extern CONST UINTN mSizeOfMicrosoftPca;
>  
>  extern CONST UINT8 mMicrosoftUefiCa[];
>  extern CONST UINTN mSizeOfMicrosoftUefiCa;
>  
>  extern CONST UINT8 mSha256OfDevNull[];
>  extern CONST UINTN mSizeOfSha256OfDevNull;
>  
> -extern CONST EFI_GUID mMicrosoftOwnerGuid;
> -
>  #endif /* ENROLL_DEFAULT_KEYS_H_ */
> diff --git a/OvmfPkg/EnrollDefaultKeys/AuthData.c b/OvmfPkg/EnrollDefaultKeys/AuthData.c
> index e0a543785fb5..9a96dcc440b3 100644
> --- a/OvmfPkg/EnrollDefaultKeys/AuthData.c
> +++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c
> @@ -518,36 +518,8 @@ CONST UINTN mSizeOfMicrosoftUefiCa = sizeof mMicrosoftUefiCa;
>  //
>  CONST UINT8 mSha256OfDevNull[] = {
>    0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99,
>    0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95,
>    0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
>  };
>  
>  CONST UINTN mSizeOfSha256OfDevNull = sizeof mSha256OfDevNull;
> -
> -
> -//
> -// The following test cases of the Secure Boot Logo Test in the Microsoft
> -// Hardware Certification Kit:
> -//
> -// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
> -// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
> -//
> -// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
> -// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
> -// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
> -// certificates:
> -//
> -// - "Microsoft Corporation KEK CA 2011" (in KEK)
> -// - "Microsoft Windows Production PCA 2011" (in db)
> -// - "Microsoft Corporation UEFI CA 2011" (in db)
> -//
> -// This is despite the fact that the UEFI specification requires
> -// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
> -// application or driver) that enrolled and therefore owns
> -// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
> -// EFI_SIGNATURE_DATA.SignatureData.
> -//
> -CONST EFI_GUID mMicrosoftOwnerGuid = {
> -  0x77fa9abd, 0x0359, 0x4d32,
> -  { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
> -};
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> index 528718b15ae9..e4f6a50e008b 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> @@ -3,16 +3,17 @@
>  
>    Copyright (C) 2014-2019, Red Hat, Inc.
>  
>    SPDX-License-Identifier: BSD-2-Clause-Patent
>  **/
>  #include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
>  #include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
>  #include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
> +#include <Guid/MicrosoftVendor.h>                // gMicrosoftVendorGuid
>  #include <Library/BaseMemoryLib.h>               // CopyGuid()
>  #include <Library/DebugLib.h>                    // ASSERT()
>  #include <Library/MemoryAllocationLib.h>         // FreePool()
>  #include <Library/ShellCEntryLib.h>              // ShellAppMain()
>  #include <Library/UefiLib.h>                     // AsciiPrint()
>  #include <Library/UefiRuntimeServicesTableLib.h> // gRT
>  
>  #include "EnrollDefaultKeys.h"
> @@ -310,18 +311,18 @@ ShellAppMain (
>        return 1;
>      }
>    }
>  
>    Status = EnrollListOfCerts (
>               EFI_IMAGE_SECURITY_DATABASE,
>               &gEfiImageSecurityDatabaseGuid,
>               &gEfiCertX509Guid,
> -             mMicrosoftPca,    mSizeOfMicrosoftPca,    &mMicrosoftOwnerGuid,
> -             mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &mMicrosoftOwnerGuid,
> +             mMicrosoftPca,    mSizeOfMicrosoftPca,    &gMicrosoftVendorGuid,
> +             mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>  
>    Status = EnrollListOfCerts (
>               EFI_IMAGE_SECURITY_DATABASE1,
>               &gEfiImageSecurityDatabaseGuid,
> @@ -332,17 +333,17 @@ ShellAppMain (
>      return 1;
>    }
>  
>    Status = EnrollListOfCerts (
>               EFI_KEY_EXCHANGE_KEY_NAME,
>               &gEfiGlobalVariableGuid,
>               &gEfiCertX509Guid,
>               mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid,
> -             mMicrosoftKek, mSizeOfMicrosoftKek, &mMicrosoftOwnerGuid,
> +             mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
>      return 1;
>    }
>  
>    Status = EnrollListOfCerts (
>               EFI_PLATFORM_KEY_NAME,
>               &gEfiGlobalVariableGuid,
> 
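Review bot: after this change the KEK call enrolls mRedHatPkKek1 with gEfiCallerIdGuid as owner and mMicrosoftKek with gMicrosoftVendorGuid, i.e. the specification-conformant owner (this application) for the Red Hat certificate and the issuer GUID for the Microsoft one, and the db call in the previous hunk does the same for mMicrosoftPca and mMicrosoftUefiCa. The reason for the asymmetry lives only in MicrosoftVendor.h; a one-line comment at these two call sites pointing there would save the next reader from wondering whether it is a mistake.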

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>

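A defender verifying what the application enrolled would read the resulting KEK/db/dbx variables back and check each entry's SignatureOwner against the GUID discussed in the patch. The following Python is an added example, not code from the series or from edk2: it parses the EFI_SIGNATURE_LIST layout from the UEFI specification (the EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID values are the specification's) and flags X509 entries whose owner is not the Microsoft vendor GUID; the certificate payloads and the enrolling-agent GUID in the sample are constructed placeholders, and the SHA-256 dbx entry is the hash of the empty file that the application enrolls.

```python
"""Audit SignatureOwner GUIDs in a UEFI signature database (KEK/db/dbx) blob.

Added example, not part of the patch series or of edk2.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Owner GUID that the Secure Boot Logo Test expects on Microsoft certificates.
MICROSOFT_VENDOR_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
_LIST_HDR = struct.Struct("<16sIII")
_OWNER_LEN = 16  # EFI_SIGNATURE_DATA starts with the SignatureOwner GUID


def build_signature_list(sig_type, entries):
    """Serialize one EFI_SIGNATURE_LIST from (owner_uuid, data_bytes) pairs.

    Every entry in a list shares one SignatureSize, so all payloads must be
    equally long (true for a list of hashes; certificates of different
    lengths go into separate lists, exactly as the variable format requires).
    """
    sizes = {len(data) for _, data in entries}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have equal data size")
    sig_size = _OWNER_LEN + sizes.pop()
    body = b"".join(owner.bytes_le + data for owner, data in entries)
    header = _LIST_HDR.pack(sig_type.bytes_le, _LIST_HDR.size + len(body), 0, sig_size)
    return header + body


def parse_signature_lists(blob):
    """Return [(signature_type, owner, data), ...] for every entry in blob.

    Length fields are validated before use, so a malformed variable raises
    ValueError instead of being silently misread.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize is inconsistent with the buffer")
        if sig_size <= _OWNER_LEN:
            raise ValueError("SignatureSize must exceed the owner GUID")
        body = blob[off + _LIST_HDR.size + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("list body is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + _OWNER_LEN])
            entries.append((sig_type, owner, body[i + _OWNER_LEN:i + sig_size]))
        off += list_size
    return entries


def x509_entries_with_unexpected_owner(blob, expected_owner):
    """Indexes (in parse order) of X509 entries whose owner is not expected_owner."""
    return [idx for idx, (sig_type, owner, _) in enumerate(parse_signature_lists(blob))
            if sig_type == EFI_CERT_X509_GUID and owner != expected_owner]


# Constructed sample data: two placeholder "certificates" (not real DER) owned
# by the Microsoft vendor GUID, plus a dbx-style SHA-256 entry for the empty
# file, owned by a made-up enrolling-agent GUID.
PLACEHOLDER_CERT_A = b"\x30\x82" + b"\xaa" * 30
PLACEHOLDER_CERT_B = b"\x30\x82" + b"\xbb" * 30
AGENT_GUID = uuid.UUID("00000000-0000-0000-0000-00000000beef")  # constructed

SAMPLE_DB = build_signature_list(
    EFI_CERT_X509_GUID,
    [(MICROSOFT_VENDOR_GUID, PLACEHOLDER_CERT_A),
     (MICROSOFT_VENDOR_GUID, PLACEHOLDER_CERT_B)],
)
SAMPLE_DBX = build_signature_list(
    EFI_CERT_SHA256_GUID, [(AGENT_GUID, hashlib.sha256(b"").digest())]
)
# A db where the second certificate was enrolled with the agent GUID instead.
SAMPLE_DB_WRONG_OWNER = build_signature_list(
    EFI_CERT_X509_GUID,
    [(MICROSOFT_VENDOR_GUID, PLACEHOLDER_CERT_A), (AGENT_GUID, PLACEHOLDER_CERT_B)],
)

if __name__ == "__main__":
    for sig_type, owner, data in parse_signature_lists(SAMPLE_DB + SAMPLE_DBX):
        print(f"type={sig_type} owner={owner} size={len(data)}")
    print("unexpected owners in good db:",
          x509_entries_with_unexpected_owner(SAMPLE_DB, MICROSOFT_VENDOR_GUID))
    print("unexpected owners in bad db:",
          x509_entries_with_unexpected_owner(SAMPLE_DB_WRONG_OWNER, MICROSOFT_VENDOR_GUID))
```

On a Linux guest the same parser can be pointed at the contents of the efivarfs files for db/dbx/KEK (after stripping the 4-byte attribute prefix), which is how the enrollment result would be checked from the OS side.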

* Re: [edk2-devel] [PATCH 12/16] OvmfPkg/EnrollDefaultKeys: describe functions with leading comment blocks
  2019-04-27  0:53 ` [PATCH 12/16] OvmfPkg/EnrollDefaultKeys: describe functions with leading comment blocks Laszlo Ersek
@ 2019-04-30  5:12   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 39+ messages in thread
From: Philippe Mathieu-Daudé @ 2019-04-30  5:12 UTC (permalink / raw)
  To: devel, lersek; +Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> The GetExact(), GetSettings(), PrintSettings(), and ShellAppMain()
> functions lack leading comment blocks. Supply those.
> 
> While at it, make sure that every such comment block is preceded by two
> blank lines.
> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 73 ++++++++++++++++++++
>  1 file changed, 73 insertions(+)
> 
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> index e4f6a50e008b..07297c631f38 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> @@ -13,16 +13,17 @@
>  #include <Library/DebugLib.h>                    // ASSERT()
>  #include <Library/MemoryAllocationLib.h>         // FreePool()
>  #include <Library/ShellCEntryLib.h>              // ShellAppMain()
>  #include <Library/UefiLib.h>                     // AsciiPrint()
>  #include <Library/UefiRuntimeServicesTableLib.h> // gRT
>  
>  #include "EnrollDefaultKeys.h"
>  
> +
>  /**
>    Enroll a set of certificates in a global variable, overwriting it.
>  
>    The variable will be rewritten with NV+BS+RT+AT attributes.
>  
>    @param[in] VariableName  The name of the variable to overwrite.
>  
>    @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
> @@ -188,16 +189,54 @@ Out:
>    if (EFI_ERROR (Status)) {
>      AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
>        VendorGuid, Status);
>    }
>    return Status;
>  }
>  
>  
> +/**
> +  Read a UEFI variable into a caller-allocated buffer, enforcing an exact size.
> +
> +  @param[in] VariableName  The name of the variable to read; passed to
> +                           gRT->GetVariable().
> +
> +  @param[in] VendorGuid    The vendor (namespace) GUID of the variable to read;
> +                           passed to gRT->GetVariable().
> +
> +  @param[out] Data         The caller-allocated buffer that is supposed to
> +                           receive the variable's contents. On error, the
> +                           contents of Data are indeterminate.
> +
> +  @param[in] DataSize      The size in bytes that the caller requires the UEFI
> +                           variable to have. The caller is responsible for
> +                           providing room for DataSize bytes in Data.
> +
> +  @param[in] AllowMissing  If FALSE, the variable is required to exist. If
> +                           TRUE, the variable is permitted to be missing.
> +
> +  @retval EFI_SUCCESS           The UEFI variable exists, has the required size
> +                                (DataSize), and has been read into Data.
> +
> +  @retval EFI_SUCCESS           The UEFI variable doesn't exist, and
> +                                AllowMissing is TRUE. DataSize bytes in Data
> +                                have been zeroed out.
> +
> +  @retval EFI_NOT_FOUND         The UEFI variable doesn't exist, and
> +                                AllowMissing is FALSE.
> +
> +  @retval EFI_BUFFER_TOO_SMALL  The UEFI variable exists, but its size is
> +                                greater than DataSize.
> +
> +  @retval EFI_PROTOCOL_ERROR    The UEFI variable exists, but its size is
> +                                smaller than DataSize.
> +
> +  @return                       Error codes propagated from gRT->GetVariable().
> +**/
>  STATIC
>  EFI_STATUS
>  GetExact (
>    IN CHAR16   *VariableName,
>    IN EFI_GUID *VendorGuid,
>    OUT VOID    *Data,
>    IN UINTN    DataSize,
>    IN BOOLEAN  AllowMissing
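Review bot: the GetExact() contract in this comment block (EFI_BUFFER_TOO_SMALL when the variable is larger than DataSize, EFI_PROTOCOL_ERROR when it is smaller) matches the visible body in the next hunk, where the size mismatch prints "expected size ... got ..." and returns EFI_PROTOCOL_ERROR. One sentence on why exactness matters would strengthen it: the SETTINGS fields are fixed-size, and a variable of unexpected size must not be accepted as a valid mode flag, because the values read here decide the final Secure Boot sanity check. Also, two `@retval EFI_SUCCESS` lines are legal Doxygen but some checkers flag the duplicate; one entry listing both conditions avoids that.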
> @@ -223,16 +262,41 @@ GetExact (
>      AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
>        "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
>      return EFI_PROTOCOL_ERROR;
>    }
>  
>    return EFI_SUCCESS;
>  }
>  
> +
> +/**
> +  Populate a SETTINGS structure from the underlying UEFI variables.
> +
> +  The following UEFI variables are standard variables:
> +  - L"SetupMode"  (EFI_SETUP_MODE_NAME)
> +  - L"SecureBoot" (EFI_SECURE_BOOT_MODE_NAME)
> +  - L"VendorKeys" (EFI_VENDOR_KEYS_VARIABLE_NAME)
> +
> +  The following UEFI variables are edk2 extensions:
> +  - L"SecureBootEnable" (EFI_SECURE_BOOT_ENABLE_NAME)
> +  - L"CustomMode"       (EFI_CUSTOM_MODE_NAME)
> +
> +  The L"SecureBootEnable" UEFI variable is permitted to be missing, in which
> +  case the corresponding field in the SETTINGS object will be zeroed out. The
> +  rest of the covered UEFI variables are required to exist; otherwise, the
> +  function will fail.
> +
> +  @param[out] Settings  The SETTINGS object to fill.
> +
> +  @retval EFI_SUCCESS  Settings has been populated.
> +
> +  @return              Error codes propagated from the GetExact() function. The
> +                       contents of Settings are indeterminate.
> +**/
>  STATIC
>  EFI_STATUS
>  GetSettings (
>    OUT SETTINGS *Settings
>    )
>  {
>    EFI_STATUS Status;
>  
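Review bot: the sentence that L"SecureBootEnable" is permitted to be missing and then zeroed is consistent with the trailing context, where VendorKeys is fetched with AllowMissing set to FALSE, but it could mislead a reader into thinking a missing variable is acceptable for the application as a whole: the final check in ShellAppMain requires Settings.SecureBootEnable == 1, so a missing variable still fails the run. Stating that "tolerated at read time, rejected by the final sanity check" relationship here would remove the ambiguity.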
> @@ -261,28 +325,37 @@ GetSettings (
>      return Status;
>    }
>  
>    Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
>               &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
>    return Status;
>  }
>  
> +
> +/**
> +  Print the contents of a SETTINGS structure to the UEFI console.
> +
> +  @param[in] Settings  The SETTINGS object to print the contents of.
> +**/
>  STATIC
>  VOID
>  PrintSettings (
>    IN CONST SETTINGS *Settings
>    )
>  {
>    AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
>      "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
>      Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
>  }
>  
>  
> +/**
> +  Entry point function of this shell application.
> +**/
>  INTN
>  EFIAPI
>  ShellAppMain (
>    IN UINTN  Argc,
>    IN CHAR16 **Argv
>    )
>  {
>    EFI_STATUS Status;
> 
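Review bot: the ShellAppMain() comment block at the end of this hunk is the only new block without @param and @retval lines; for consistency with the GetExact() and GetSettings() blocks, state what Argc and Argv are used for (or that they are ignored) and that the return value is 0 on success and 1 on any failure, which is what the `return 1` sites in the surrounding hunks show.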

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>


* Re: [edk2-devel] [PATCH 02/16] OvmfPkg/EnrollDefaultKeys: update @file comment blocks
  2019-04-27  0:53 ` [PATCH 02/16] OvmfPkg/EnrollDefaultKeys: update @file comment blocks Laszlo Ersek
@ 2019-04-30  5:13   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 39+ messages in thread
From: Philippe Mathieu-Daudé @ 2019-04-30  5:13 UTC (permalink / raw)
  To: devel, lersek; +Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> Refresh the sentence that states the purpose of the application.
> 
> Extend the copyright notice to the year 2019.
> 
> Replace the 2-clause BSD License banner with the BSD-2-Clause-Patent SPDX
> ID.
> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 13 +++----------
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 12 +++---------
>  2 files changed, 6 insertions(+), 19 deletions(-)
> 
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> index 0ad86a2843e6..1e579f495143 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> @@ -1,21 +1,14 @@
>  ## @file
> -#  Enroll default PK, KEK, DB.
> +#  Enroll default PK, KEK, db, dbx.
>  #
> -#  Copyright (C) 2014, Red Hat, Inc.
> +#  Copyright (C) 2014-2019, Red Hat, Inc.
>  #
> -#  This program and the accompanying materials are licensed and made available
> -#  under the terms and conditions of the BSD License which accompanies this
> -#  distribution. The full text of the license may be found at
> -#  http://opensource.org/licenses/bsd-license.
> -#
> -#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> -#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
> -#  IMPLIED.
> +#  SPDX-License-Identifier: BSD-2-Clause-Patent
>  ##
>  
>  [Defines]
>    INF_VERSION                    = 0x00010006
>    BASE_NAME                      = EnrollDefaultKeys
>    FILE_GUID                      = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
>    MODULE_TYPE                    = UEFI_APPLICATION
>    VERSION_STRING                 = 0.1
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> index dd413df12de3..b354ec6f81c8 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> @@ -1,20 +1,14 @@
>  /** @file
> -  Enroll default PK, KEK, DB.
> +  Enroll default PK, KEK, db, dbx.
>  
> -  Copyright (C) 2014, Red Hat, Inc.
> +  Copyright (C) 2014-2019, Red Hat, Inc.
>  
> -  This program and the accompanying materials are licensed and made available
> -  under the terms and conditions of the BSD License which accompanies this
> -  distribution. The full text of the license may be found at
> -  http://opensource.org/licenses/bsd-license.
> -
> -  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
> -  WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
> +  SPDX-License-Identifier: BSD-2-Clause-Patent
>  **/
>  #include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
>  #include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
>  #include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
>  #include <Library/BaseMemoryLib.h>               // CopyGuid()
>  #include <Library/DebugLib.h>                    // ASSERT()
>  #include <Library/MemoryAllocationLib.h>         // FreePool()
>  #include <Library/ShellCEntryLib.h>              // ShellAppMain()
> 

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>


* Re: [edk2-devel] [PATCH 01/16] OvmfPkg: introduce EnrollDefaultKeys application
  2019-04-27  0:53 ` [PATCH 01/16] OvmfPkg: introduce EnrollDefaultKeys application Laszlo Ersek
@ 2019-04-30  5:21   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 39+ messages in thread
From: Philippe Mathieu-Daudé @ 2019-04-30  5:21 UTC (permalink / raw)
  To: devel, lersek; +Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> Add the OvmfPkg/EnrollDefaultKeys shell application source as it is at the
> "edk2-20190308git89910a39dcfd-2.el8" tag in RHEL8's downstream "edk2"
> package.
> 
> Further patches in this series will replace Red Hat-specific bits in the
> application, with a conduit to pass in parameters directly from the host
> side, on both QEMU and Xen.
> 
> (Note: at the moment, Xen doesn't support Secure Boot, due to lacking a
> standards-conformant variable driver stack. However, that could change
> soon
> <https://fosdem.org/2019/schedule/event/vai_implementing_uefi_variable_services_in_qemu/>,
> and then this facility will become useful on Xen too.)
> 
> The use case for this application (including why it is only being added to
> the DSC files) is explained in detail in
> <https://bugzilla.tianocore.org/show_bug.cgi?id=1747#c0>.
> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>

> ---
>  OvmfPkg/OvmfPkgIa32.dsc                         |    2 +
>  OvmfPkg/OvmfPkgIa32X64.dsc                      |    2 +
>  OvmfPkg/OvmfPkgX64.dsc                          |    2 +
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |   52 +
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 1015 ++++++++++++++++++++
>  5 files changed, 1073 insertions(+)
> 
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index 98a8467e86ab..36a0f87258dd 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -190,16 +190,17 @@ [LibraryClasses]
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>  !endif
>  
>  !if $(TLS_ENABLE) == TRUE
>    TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
>  !endif
>  
>    ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
> +  ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
>    S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
>    SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
>    OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
>    XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
>  
>  !if $(TPM2_ENABLE) == TRUE
>    Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
>    Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
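Review bot: the `ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf` resolution is added unconditionally, while the only module that consumes it (EnrollDefaultKeys.inf in the [Components] hunk of this same file) is built only when `$(SECURE_BOOT_ENABLE) == TRUE`. An unreferenced library-class mapping is harmless, and keeping it next to the existing ShellLib line is simpler than wrapping it in another `!if`, so no change is needed; a sentence in the commit message saying the mapping is deliberately unconditional would save the next reader the same question. The same applies to the identical [LibraryClasses] hunks in OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc.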
> @@ -858,16 +859,17 @@ [Components]
>      <PcdsFixedAtBuild>
>        gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0xFF
>        gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
>        gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
>    }
>  
>  !if $(SECURE_BOOT_ENABLE) == TRUE
>    SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
>  !endif
>  
>    OvmfPkg/PlatformDxe/Platform.inf
>    OvmfPkg/IoMmuDxe/IoMmuDxe.inf
>  
>  !if $(SMM_REQUIRE) == TRUE
>    OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
>    OvmfPkg/SmmControl2Dxe/SmmControl2Dxe.inf
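Review bot: EnrollDefaultKeys.inf is added to [Components] only, and the diffstat touches no FDF, so the application is compiled into the build output but never placed in the firmware volume; that matches the commit message ("only being added to the DSC files"), but readers of the DSC who never open the Bugzilla entry will not know why a UEFI_APPLICATION with `ENTRY_POINT = ShellCEntryLib` is built yet not shipped. Suggest a one-line comment above the `OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf` entry stating that the .efi is meant to be run from the UEFI shell in a VM, not embedded in OVMF. Same remark for the matching hunks in OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc.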
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index 1f722fc9872c..9b341e17d7ff 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -195,16 +195,17 @@ [LibraryClasses]
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>  !endif
>  
>  !if $(TLS_ENABLE) == TRUE
>    TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
>  !endif
>  
>    ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
> +  ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
>    S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
>    SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
>    OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
>    XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
>  
>  !if $(TPM2_ENABLE) == TRUE
>    Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
>    Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
> @@ -867,16 +868,17 @@ [Components.X64]
>      <PcdsFixedAtBuild>
>        gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0xFF
>        gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
>        gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
>    }
>  
>  !if $(SECURE_BOOT_ENABLE) == TRUE
>    SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
>  !endif
>  
>    OvmfPkg/PlatformDxe/Platform.inf
>    OvmfPkg/AmdSevDxe/AmdSevDxe.inf
>    OvmfPkg/IoMmuDxe/IoMmuDxe.inf
>  
>  !if $(SMM_REQUIRE) == TRUE
>    OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index 2927ee07b835..a0f87f74dab9 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -195,16 +195,17 @@ [LibraryClasses]
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>  !endif
>  
>  !if $(TLS_ENABLE) == TRUE
>    TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
>  !endif
>  
>    ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
> +  ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
>    S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
>    SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
>    OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
>    XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
>  
>  !if $(TPM2_ENABLE) == TRUE
>    Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
>    Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
> @@ -865,16 +866,17 @@ [Components]
>      <PcdsFixedAtBuild>
>        gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0xFF
>        gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
>        gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
>    }
>  
>  !if $(SECURE_BOOT_ENABLE) == TRUE
>    SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
>  !endif
>  
>    OvmfPkg/PlatformDxe/Platform.inf
>    OvmfPkg/AmdSevDxe/AmdSevDxe.inf
>    OvmfPkg/IoMmuDxe/IoMmuDxe.inf
>  
>  !if $(SMM_REQUIRE) == TRUE
>    OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> new file mode 100644
> index 000000000000..0ad86a2843e6
> --- /dev/null
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> @@ -0,0 +1,52 @@
> +## @file
> +#  Enroll default PK, KEK, DB.
> +#
> +#  Copyright (C) 2014, Red Hat, Inc.
> +#
> +#  This program and the accompanying materials are licensed and made available
> +#  under the terms and conditions of the BSD License which accompanies this
> +#  distribution. The full text of the license may be found at
> +#  http://opensource.org/licenses/bsd-license.
> +#
> +#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> +#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
> +#  IMPLIED.
> +##
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010006
> +  BASE_NAME                      = EnrollDefaultKeys
> +  FILE_GUID                      = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
> +  MODULE_TYPE                    = UEFI_APPLICATION
> +  VERSION_STRING                 = 0.1
> +  ENTRY_POINT                    = ShellCEntryLib
> +
> +#
> +#  VALID_ARCHITECTURES           = IA32 X64
> +#
> +
> +[Sources]
> +  EnrollDefaultKeys.c
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  MdeModulePkg/MdeModulePkg.dec
> +  SecurityPkg/SecurityPkg.dec
> +  ShellPkg/ShellPkg.dec
> +
> +[Guids]
> +  gEfiCertPkcs7Guid
> +  gEfiCertSha256Guid
> +  gEfiCertX509Guid
> +  gEfiCustomModeEnableGuid
> +  gEfiGlobalVariableGuid
> +  gEfiImageSecurityDatabaseGuid
> +  gEfiSecureBootEnableDisableGuid
> +
> +[LibraryClasses]
> +  BaseMemoryLib
> +  DebugLib
> +  MemoryAllocationLib
> +  ShellCEntryLib
> +  UefiLib
> +  UefiRuntimeServicesTableLib
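Review bot: the `VALID_ARCHITECTURES = IA32 X64` line sits inside a `#` comment block, so it is documentation only and the build tools enforce nothing; since this patch adds the module to the IA32, IA32X64 and X64 DSCs, either make it a real [Defines] entry or drop the three-line comment block rather than carry a restriction that looks enforced but is not. The header also still has the long-form BSD license paragraph and a 2014-only copyright; given the commit message imports the file as-is from RHEL, deferring that to a follow-up cleanup patch is fine, provided one is in the series.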
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> new file mode 100644
> index 000000000000..dd413df12de3
> --- /dev/null
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> @@ -0,0 +1,1015 @@
> +/** @file
> +  Enroll default PK, KEK, DB.
> +
> +  Copyright (C) 2014, Red Hat, Inc.
> +
> +  This program and the accompanying materials are licensed and made available
> +  under the terms and conditions of the BSD License which accompanies this
> +  distribution. The full text of the license may be found at
> +  http://opensource.org/licenses/bsd-license.
> +
> +  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
> +  WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
> +**/
> +#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
> +#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
> +#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
> +#include <Library/BaseMemoryLib.h>               // CopyGuid()
> +#include <Library/DebugLib.h>                    // ASSERT()
> +#include <Library/MemoryAllocationLib.h>         // FreePool()
> +#include <Library/ShellCEntryLib.h>              // ShellAppMain()
> +#include <Library/UefiLib.h>                     // AsciiPrint()
> +#include <Library/UefiRuntimeServicesTableLib.h> // gRT
> +
> +//
> +// We'll use the certificate below as both Platform Key and as first Key
> +// Exchange Key.
> +//
> +// "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
> +// SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
> +//
> +STATIC CONST UINT8 RedHatPkKek1[] = {
> +  0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, 0x02,
> +  0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, 0x0d,
> +  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
> +  0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22,
> +  0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
> +  0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45,
> +  0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06,
> +  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73,
> +  0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61,
> +  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
> +  0x33, 0x31, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, 0x37,
> +  0x31, 0x30, 0x32, 0x35, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x30, 0x51,
> +  0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x52, 0x65,
> +  0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20,
> +  0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45, 0x4b, 0x20,
> +  0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a,
> +  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,
> +  0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, 0x2e,
> +  0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
> +  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
> +  0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x90, 0x1f, 0x84,
> +  0x7b, 0x8d, 0xbc, 0xeb, 0x97, 0x26, 0x82, 0x6d, 0x88, 0xab, 0x8a, 0xc9, 0x8c,
> +  0x68, 0x70, 0xf9, 0xdf, 0x4b, 0x07, 0xb2, 0x37, 0x83, 0x0b, 0x02, 0xc8, 0x67,
> +  0x68, 0x30, 0x9e, 0xe3, 0xf0, 0xf0, 0x99, 0x4a, 0xb8, 0x59, 0x57, 0xc6, 0x41,
> +  0xf6, 0x38, 0x8b, 0xfe, 0x66, 0x4c, 0x49, 0xe9, 0x37, 0x37, 0x92, 0x2e, 0x98,
> +  0x01, 0x1e, 0x5b, 0x14, 0x50, 0xe6, 0xa8, 0x8d, 0x25, 0x0d, 0xf5, 0x86, 0xe6,
> +  0xab, 0x30, 0xcb, 0x40, 0x16, 0xea, 0x8d, 0x8b, 0x16, 0x86, 0x70, 0x43, 0x37,
> +  0xf2, 0xce, 0xc0, 0x91, 0xdf, 0x71, 0x14, 0x8e, 0x99, 0x0e, 0x89, 0xb6, 0x4c,
> +  0x6d, 0x24, 0x1e, 0x8c, 0xe4, 0x2f, 0x4f, 0x25, 0xd0, 0xba, 0x06, 0xf8, 0xc6,
> +  0xe8, 0x19, 0x18, 0x76, 0x73, 0x1d, 0x81, 0x6d, 0xa8, 0xd8, 0x05, 0xcf, 0x3a,
> +  0xc8, 0x7b, 0x28, 0xc8, 0x36, 0xa3, 0x16, 0x0d, 0x29, 0x8c, 0x99, 0x9a, 0x68,
> +  0xdc, 0xab, 0xc0, 0x4d, 0x8d, 0xbf, 0x5a, 0xbb, 0x2b, 0xa9, 0x39, 0x4b, 0x04,
> +  0x97, 0x1c, 0xf9, 0x36, 0xbb, 0xc5, 0x3a, 0x86, 0x04, 0xae, 0xaf, 0xd4, 0x82,
> +  0x7b, 0xe0, 0xab, 0xde, 0x49, 0x05, 0x68, 0xfc, 0xf6, 0xae, 0x68, 0x1a, 0x6c,
> +  0x90, 0x4d, 0x57, 0x19, 0x3c, 0x64, 0x66, 0x03, 0xf6, 0xc7, 0x52, 0x9b, 0xf7,
> +  0x94, 0xcf, 0x93, 0x6a, 0xa1, 0x68, 0xc9, 0xaa, 0xcf, 0x99, 0x6b, 0xbc, 0xaa,
> +  0x5e, 0x08, 0xe7, 0x39, 0x1c, 0xf7, 0xf8, 0x0f, 0xba, 0x06, 0x7e, 0xf1, 0xcb,
> +  0xe8, 0x76, 0xdd, 0xfe, 0x22, 0xda, 0xad, 0x3a, 0x5e, 0x5b, 0x34, 0xea, 0xb3,
> +  0xc9, 0xe0, 0x4d, 0x04, 0x29, 0x7e, 0xb8, 0x60, 0xb9, 0x05, 0xef, 0xb5, 0xd9,
> +  0x17, 0x58, 0x56, 0x16, 0x60, 0xb9, 0x30, 0x32, 0xf0, 0x36, 0x4a, 0xc3, 0xf2,
> +  0x79, 0x8d, 0x12, 0x40, 0x70, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x7b,
> +  0x30, 0x79, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00,
> +  0x30, 0x2c, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x0d,
> +  0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, 0x47,
> +  0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72, 0x74,
> +  0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
> +  0x0e, 0x04, 0x16, 0x04, 0x14, 0x3c, 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a,
> +  0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42, 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30,
> +  0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x3c,
> +  0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a, 0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42,
> +  0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
> +  0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
> +  0x5c, 0x4d, 0x92, 0x88, 0xb4, 0x82, 0x5f, 0x1d, 0xad, 0x8b, 0x11, 0xec, 0xdf,
> +  0x06, 0xa6, 0x7a, 0xa5, 0x2b, 0x9f, 0x37, 0x55, 0x0c, 0x8d, 0x6e, 0x05, 0x00,
> +  0xad, 0xb7, 0x0c, 0x41, 0x89, 0x69, 0xcf, 0xd6, 0x65, 0x06, 0x9b, 0x51, 0x78,
> +  0xd2, 0xad, 0xc7, 0xbf, 0x9c, 0xdc, 0x05, 0x73, 0x7f, 0xe7, 0x1e, 0x39, 0x13,
> +  0xb4, 0xea, 0xb6, 0x30, 0x7d, 0x40, 0x75, 0xab, 0x9c, 0x43, 0x0b, 0xdf, 0xb0,
> +  0xc2, 0x1b, 0xbf, 0x30, 0xe0, 0xf4, 0xfe, 0xc0, 0xdb, 0x62, 0x21, 0x98, 0xf6,
> +  0xc5, 0xaf, 0xde, 0x3b, 0x4f, 0x49, 0x0a, 0xe6, 0x1e, 0xf9, 0x86, 0xb0, 0x3f,
> +  0x0d, 0xd6, 0xd4, 0x46, 0x37, 0xdb, 0x54, 0x74, 0x5e, 0xff, 0x11, 0xc2, 0x60,
> +  0xc6, 0x70, 0x58, 0xc5, 0x1c, 0x6f, 0xec, 0xb2, 0xd8, 0x6e, 0x6f, 0xc3, 0xbc,
> +  0x33, 0x87, 0x38, 0xa4, 0xf3, 0x44, 0x64, 0x9c, 0x34, 0x3b, 0x28, 0x94, 0x26,
> +  0x78, 0x27, 0x9f, 0x16, 0x17, 0xe8, 0x3b, 0x69, 0x0a, 0x25, 0xa9, 0x73, 0x36,
> +  0x7e, 0x9e, 0x37, 0x5c, 0xec, 0xe8, 0x3f, 0xdb, 0x91, 0xf9, 0x12, 0xb3, 0x3d,
> +  0xce, 0xe7, 0xdd, 0x15, 0xc3, 0xae, 0x8c, 0x05, 0x20, 0x61, 0x9b, 0x95, 0xde,
> +  0x9b, 0xaf, 0xfa, 0xb1, 0x5c, 0x1c, 0xe5, 0x97, 0xe7, 0xc3, 0x34, 0x11, 0x85,
> +  0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, 0x90,
> +  0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, 0xaf,
> +  0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, 0x37,
> +  0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, 0xb7,
> +  0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, 0x43,
> +  0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69
> +};
> +
> +//
> +// Second KEK: "Microsoft Corporation KEK CA 2011".
> +// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
> +//
> +// "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
> +//
> +STATIC CONST UINT8 MicrosoftKEK[] = {
> +  0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
> +  0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
> +  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
> +  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
> +  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
> +  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
> +  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
> +  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
> +  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
> +  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
> +  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
> +  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
> +  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
> +  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
> +  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
> +  0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32,
> +  0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, 0x30,
> +  0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
> +  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
> +  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
> +  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
> +  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
> +  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
> +  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06,
> +  0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
> +  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
> +  0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31,
> +  0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
> +  0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
> +  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, 0xad,
> +  0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, 0x5d,
> +  0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, 0xeb,
> +  0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, 0xe3,
> +  0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, 0x9b,
> +  0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, 0xac,
> +  0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, 0xc8,
> +  0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, 0xc0,
> +  0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, 0xe2,
> +  0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, 0x89,
> +  0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, 0xc2,
> +  0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, 0x03,
> +  0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, 0x7e,
> +  0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, 0xeb,
> +  0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, 0x2f,
> +  0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, 0xaa,
> +  0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, 0x9f,
> +  0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, 0xc6,
> +  0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, 0xaf,
> +  0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, 0x07,
> +  0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, 0x30,
> +  0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
> +  0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,
> +  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, 0xa4,
> +  0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, 0x5f,
> +  0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02,
> +  0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
> +  0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01,
> +  0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
> +  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
> +  0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, 0x11,
> +  0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, 0x30,
> +  0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, 0xa0,
> +  0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
> +  0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e,
> +  0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70,
> +  0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f,
> +  0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f,
> +  0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63,
> +  0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01,
> +  0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
> +  0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
> +  0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
> +  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, 0x74,
> +  0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61,
> +  0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d,
> +  0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09,
> +  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
> +  0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, 0x2a,
> +  0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, 0x66,
> +  0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, 0x5a,
> +  0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, 0x64,
> +  0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, 0x58,
> +  0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, 0xd0,
> +  0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, 0xf5,
> +  0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, 0xec,
> +  0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, 0xd7,
> +  0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, 0x28,
> +  0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, 0x79,
> +  0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, 0x7b,
> +  0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, 0xd8,
> +  0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, 0x19,
> +  0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, 0x58,
> +  0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, 0x0d,
> +  0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, 0x2d,
> +  0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, 0xc8,
> +  0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, 0x60,
> +  0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, 0xac,
> +  0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, 0x87,
> +  0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, 0xcd,
> +  0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, 0x81,
> +  0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, 0x92,
> +  0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, 0xe0,
> +  0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, 0xaf,
> +  0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, 0xfb,
> +  0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, 0x68,
> +  0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, 0xad,
> +  0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, 0x82,
> +  0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, 0x14,
> +  0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, 0x4f,
> +  0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, 0x9b,
> +  0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, 0xb0,
> +  0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
> +  0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
> +  0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
> +  0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
> +  0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
> +  0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
> +};
> +
> +//
> +// First DB entry: "Microsoft Windows Production PCA 2011"
> +// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
> +//
> +// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
> +// rooted in this certificate.
> +//
> +STATIC CONST UINT8 MicrosoftPCA[] = {
> +  0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
> +  0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
> +  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
> +  0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
> +  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
> +  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
> +  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
> +  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
> +  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
> +  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30,
> +  0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f,
> +  0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72,
> +  0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
> +  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17,
> +  0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, 0x32,
> +  0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, 0x31,
> +  0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
> +  0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
> +  0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f,
> +  0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52,
> +  0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55,
> +  0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
> +  0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31,
> +  0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, 0x63,
> +  0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77,
> +  0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20,
> +  0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30,
> +  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
> +  0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
> +  0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, 0xf7,
> +  0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, 0xcb,
> +  0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, 0x8b,
> +  0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, 0xe3,
> +  0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, 0xc0,
> +  0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, 0x74,
> +  0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, 0x67,
> +  0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, 0x53,
> +  0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, 0x23,
> +  0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, 0xa3,
> +  0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, 0xff,
> +  0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, 0xe2,
> +  0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, 0x22,
> +  0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, 0xf3,
> +  0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, 0x2b,
> +  0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, 0xbc,
> +  0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, 0xd6,
> +  0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, 0xe8,
> +  0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, 0xa8,
> +  0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, 0x03,
> +  0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, 0x10,
> +  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
> +  0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
> +  0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, 0xf9,
> +  0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, 0x2b,
> +  0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00,
> +  0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03,
> +  0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03,
> +  0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
> +  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
> +  0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, 0x94,
> +  0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, 0x1d,
> +  0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, 0x45,
> +  0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69,
> +  0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
> +  0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63,
> +  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41,
> +  0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33,
> +  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
> +  0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
> +  0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, 0x3a,
> +  0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
> +  0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65,
> +  0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72,
> +  0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32,
> +  0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
> +  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x14,
> +  0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, 0xbc,
> +  0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, 0xd0,
> +  0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, 0x61,
> +  0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, 0xda,
> +  0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, 0x6a,
> +  0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, 0xe2,
> +  0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, 0xea,
> +  0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, 0x30,
> +  0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, 0x86,
> +  0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, 0xc8,
> +  0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, 0xae,
> +  0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, 0xb8,
> +  0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, 0xac,
> +  0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, 0x84,
> +  0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, 0x73,
> +  0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, 0x73,
> +  0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, 0x60,
> +  0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, 0xb6,
> +  0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, 0x2a,
> +  0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, 0xba,
> +  0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, 0xce,
> +  0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, 0x0f,
> +  0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, 0x6e,
> +  0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, 0xd3,
> +  0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, 0x45,
> +  0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, 0xd0,
> +  0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, 0x24,
> +  0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, 0x2c,
> +  0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, 0xdf,
> +  0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, 0x6c,
> +  0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, 0xf2,
> +  0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, 0x5c,
> +  0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, 0x47,
> +  0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, 0x5a,
> +  0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
> +  0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
> +  0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
> +  0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
> +  0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
> +  0x62, 0x1c, 0x59, 0x7e
> +};
> +
> +//
> +// Second DB entry: "Microsoft Corporation UEFI CA 2011"
> +// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
> +//
> +// To verify the "shim" binary and PCI expansion ROMs with.
> +//
> +STATIC CONST UINT8 MicrosoftUefiCA[] = {
> +  0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
> +  0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
> +  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
> +  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
> +  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
> +  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
> +  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
> +  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
> +  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
> +  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
> +  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
> +  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
> +  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
> +  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
> +  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
> +  0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x32,
> +  0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30,
> +  0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
> +  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
> +  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
> +  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
> +  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
> +  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
> +  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, 0x06,
> +  0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
> +  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
> +  0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31,
> +  0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
> +  0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
> +  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, 0xc7,
> +  0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, 0x43,
> +  0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, 0x73,
> +  0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, 0xd3,
> +  0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, 0x54,
> +  0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, 0x5c,
> +  0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, 0x4f,
> +  0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, 0xae,
> +  0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, 0x1d,
> +  0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, 0xfa,
> +  0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, 0xff,
> +  0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, 0x7b,
> +  0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, 0xe6,
> +  0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, 0x62,
> +  0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, 0x08,
> +  0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, 0xe7,
> +  0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, 0xb2,
> +  0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, 0x7f,
> +  0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, 0x8b,
> +  0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, 0x6a,
> +  0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x76,
> +  0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01,
> +  0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x23,
> +  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, 0x16,
> +  0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, 0x37,
> +  0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, 0x03,
> +  0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, 0xbd,
> +  0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, 0x1b,
> +  0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14,
> +  0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43,
> +  0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
> +  0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
> +  0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
> +  0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58,
> +  0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8,
> +  0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51,
> +  0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
> +  0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
> +  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f,
> +  0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43,
> +  0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f,
> +  0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e,
> +  0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
> +  0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01,
> +  0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
> +  0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
> +  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72,
> +  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50,
> +  0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30,
> +  0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06,
> +  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
> +  0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, 0x76,
> +  0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, 0xef,
> +  0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, 0x13,
> +  0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, 0x82,
> +  0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, 0x1a,
> +  0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, 0x20,
> +  0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, 0x90,
> +  0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, 0x52,
> +  0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, 0x6d,
> +  0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, 0xaf,
> +  0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, 0x49,
> +  0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, 0x34,
> +  0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, 0x75,
> +  0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, 0xb9,
> +  0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, 0x8f,
> +  0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, 0x8c,
> +  0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, 0x56,
> +  0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, 0xae,
> +  0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, 0x4a,
> +  0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, 0x3c,
> +  0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, 0x59,
> +  0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, 0x3d,
> +  0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, 0x53,
> +  0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, 0x1b,
> +  0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, 0x98,
> +  0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, 0x85,
> +  0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, 0xd2,
> +  0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, 0xe2,
> +  0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, 0x6c,
> +  0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, 0x3b,
> +  0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, 0x27,
> +  0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, 0xa6,
> +  0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, 0x3f,
> +  0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, 0x55,
> +  0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
> +  0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
> +  0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
> +  0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
> +  0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
> +  0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
> +};
> +
> +//
> +// The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test case
> +// of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit
> +// expects that the "dbx" variable exist.
> +//
> +// The article at <https://technet.microsoft.com/en-us/library/dn747883.aspx>
> +// writes (excerpt):
> +//
> +//    Windows 8.1 Secure Boot Key Creation and Management Guidance
> +//    1. Secure Boot, Windows 8.1 and Key Management
> +//    1.4 Signature Databases (Db and Dbx)
> +//    1.4.3 Forbidden Signature Database (dbx)
> +//
> +//    The contents of EFI_IMAGE_SIGNATURE_DATABASE1 dbx must be checked when
> +//    verifying images before checking db and any matches must prevent the
> +//    image from executing. The database may contain multiple certificates,
> +//    keys, and hashes in order to identify forbidden images. The Windows
> +//    Hardware Certification Requirements state that a dbx must be present, so
> +//    any dummy value, such as the SHA-256 hash of 0, may be used as a safe
> +//    placeholder until such time as Microsoft begins delivering dbx updates.
> +//
> +// The byte array below captures the SHA256 checksum of the empty file,
> +// blacklisting it for loading & execution. This qualifies as a dummy, since
> +// the empty file is not a valid UEFI binary anyway.
> +//
> +// Technically speaking, we could also capture an official (although soon to be
> +// obsolete) dbx update from <http://www.uefi.org/revocationlistfile>. However,
> +// the terms and conditions on distributing that binary aren't exactly light
> +// reading, so let's best steer clear of it, and follow the "dummy entry"
> +// practice recommended -- in natural English langauge -- in the
> +// above-referenced TechNet article.
> +//
> +STATIC CONST UINT8 mSha256OfDevNull[] = {
> +  0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99,
> +  0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95,
> +  0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
> +};
> +
> +//
> +// The following test cases of the Secure Boot Logo Test in the Microsoft
> +// Hardware Certification Kit:
> +//
> +// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
> +// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
> +//
> +// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
> +// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
> +// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
> +// certificates:
> +//
> +// - "Microsoft Corporation KEK CA 2011" (in KEK)
> +// - "Microsoft Windows Production PCA 2011" (in db)
> +// - "Microsoft Corporation UEFI CA 2011" (in db)
> +//
> +// This is despite the fact that the UEFI specification requires
> +// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
> +// application or driver) that enrolled and therefore owns
> +// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
> +// EFI_SIGNATURE_DATA.SignatureData.
> +//
> +STATIC CONST EFI_GUID mMicrosoftOwnerGuid = {
> +  0x77fa9abd, 0x0359, 0x4d32,
> +  { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
> +};
> +
> +//
> +// The most important thing about the variable payload is that it is a list of
> +// lists, where the element size of any given *inner* list is constant.
> +//
> +// Since X509 certificates vary in size, each of our *inner* lists will contain
> +// one element only (one X.509 certificate). This is explicitly mentioned in
> +// the UEFI specification, in "28.4.1 Signature Database", in a Note.
> +//
> +// The list structure looks as follows:
> +//
> +// struct EFI_VARIABLE_AUTHENTICATION_2 {                           |
> +//   struct EFI_TIME {                                              |
> +//     UINT16 Year;                                                 |
> +//     UINT8  Month;                                                |
> +//     UINT8  Day;                                                  |
> +//     UINT8  Hour;                                                 |
> +//     UINT8  Minute;                                               |
> +//     UINT8  Second;                                               |
> +//     UINT8  Pad1;                                                 |
> +//     UINT32 Nanosecond;                                           |
> +//     INT16  TimeZone;                                             |
> +//     UINT8  Daylight;                                             |
> +//     UINT8  Pad2;                                                 |
> +//   } TimeStamp;                                                   |
> +//                                                                  |
> +//   struct WIN_CERTIFICATE_UEFI_GUID {                           | |
> +//     struct WIN_CERTIFICATE {                                   | |
> +//       UINT32 dwLength; ----------------------------------------+ |
> +//       UINT16 wRevision;                                        | |
> +//       UINT16 wCertificateType;                                 | |
> +//     } Hdr;                                                     | +- DataSize
> +//                                                                | |
> +//     EFI_GUID CertType;                                         | |
> +//     UINT8    CertData[1] = { <--- "struct hack"                | |
> +//       struct EFI_SIGNATURE_LIST {                            | | |
> +//         EFI_GUID SignatureType;                              | | |
> +//         UINT32   SignatureListSize; -------------------------+ | |
> +//         UINT32   SignatureHeaderSize;                        | | |
> +//         UINT32   SignatureSize; ---------------------------+ | | |
> +//         UINT8    SignatureHeader[SignatureHeaderSize];     | | | |
> +//                                                            v | | |
> +//         struct EFI_SIGNATURE_DATA {                        | | | |
> +//           EFI_GUID SignatureOwner;                         | | | |
> +//           UINT8    SignatureData[1] = { <--- "struct hack" | | | |
> +//             X.509 payload                                  | | | |
> +//           }                                                | | | |
> +//         } Signatures[];                                      | | |
> +//       } SigLists[];                                            | |
> +//     };                                                         | |
> +//   } AuthInfo;                                                  | |
> +// };                                                               |
> +//
> +// Given that the "struct hack" invokes undefined behavior (which is why C99
> +// introduced the flexible array member), and because subtracting those pesky
> +// sizes of 1 is annoying, and because the format is fully specified in the
> +// UEFI specification, we'll introduce two matching convenience structures that
> +// are customized for our X.509 purposes.
> +//
> +#pragma pack(1)
> +typedef struct {
> +  EFI_TIME TimeStamp;
> +
> +  //
> +  // dwLength covers data below
> +  //
> +  UINT32   dwLength;
> +  UINT16   wRevision;
> +  UINT16   wCertificateType;
> +  EFI_GUID CertType;
> +} SINGLE_HEADER;
> +
> +typedef struct {
> +  //
> +  // SignatureListSize covers data below
> +  //
> +  EFI_GUID SignatureType;
> +  UINT32   SignatureListSize;
> +  UINT32   SignatureHeaderSize; // constant 0
> +  UINT32   SignatureSize;
> +
> +  //
> +  // SignatureSize covers data below
> +  //
> +  EFI_GUID SignatureOwner;
> +
> +  //
> +  // X.509 certificate follows
> +  //
> +} REPEATING_HEADER;
> +#pragma pack()
> +
> +/**
> +  Enroll a set of certificates in a global variable, overwriting it.
> +
> +  The variable will be rewritten with NV+BS+RT+AT attributes.
> +
> +  @param[in] VariableName  The name of the variable to overwrite.
> +
> +  @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
> +                           overwrite.
> +
> +  @param[in] CertType      The GUID determining the type of all the
> +                           certificates in the set that is passed in. For
> +                           example, gEfiCertX509Guid stands for DER-encoded
> +                           X.509 certificates, while gEfiCertSha256Guid stands
> +                           for SHA256 image hashes.
> +
> +  @param[in] ...           A list of
> +
> +                             IN CONST UINT8    *Cert,
> +                             IN UINTN          CertSize,
> +                             IN CONST EFI_GUID *OwnerGuid
> +
> +                           triplets. If the first component of a triplet is
> +                           NULL, then the other two components are not
> +                           accessed, and processing is terminated. The list of
> +                           certificates is enrolled in the variable specified,
> +                           overwriting it. The OwnerGuid component identifies
> +                           the agent installing the certificate.
> +
> +  @retval EFI_INVALID_PARAMETER  The triplet list is empty (ie. the first Cert
> +                                 value is NULL), or one of the CertSize values
> +                                 is 0, or one of the CertSize values would
> +                                 overflow the accumulated UINT32 data size.
> +
> +  @retval EFI_OUT_OF_RESOURCES   Out of memory while formatting variable
> +                                 payload.
> +
> +  @retval EFI_SUCCESS            Enrollment successful; the variable has been
> +                                 overwritten (or created).
> +
> +  @return                        Error codes from gRT->GetTime() and
> +                                 gRT->SetVariable().
> +**/
> +STATIC
> +EFI_STATUS
> +EFIAPI
> +EnrollListOfCerts (
> +  IN CHAR16   *VariableName,
> +  IN EFI_GUID *VendorGuid,
> +  IN EFI_GUID *CertType,
> +  ...
> +  )
> +{
> +  UINTN            DataSize;
> +  SINGLE_HEADER    *SingleHeader;
> +  REPEATING_HEADER *RepeatingHeader;
> +  VA_LIST          Marker;
> +  CONST UINT8      *Cert;
> +  EFI_STATUS       Status;
> +  UINT8            *Data;
> +  UINT8            *Position;
> +
> +  Status = EFI_SUCCESS;
> +
> +  //
> +  // compute total size first, for UINT32 range check, and allocation
> +  //
> +  DataSize = sizeof *SingleHeader;
> +  VA_START (Marker, CertType);
> +  for (Cert = VA_ARG (Marker, CONST UINT8 *);
> +       Cert != NULL;
> +       Cert = VA_ARG (Marker, CONST UINT8 *)) {
> +    UINTN          CertSize;
> +
> +    CertSize = VA_ARG (Marker, UINTN);
> +    (VOID)VA_ARG (Marker, CONST EFI_GUID *);
> +
> +    if (CertSize == 0 ||
> +        CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||
> +        DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {
> +      Status = EFI_INVALID_PARAMETER;
> +      break;
> +    }
> +    DataSize += sizeof *RepeatingHeader + CertSize;
> +  }
> +  VA_END (Marker);
> +
> +  if (DataSize == sizeof *SingleHeader) {
> +    Status = EFI_INVALID_PARAMETER;
> +  }
> +  if (EFI_ERROR (Status)) {
> +    goto Out;
> +  }
> +
> +  Data = AllocatePool (DataSize);
> +  if (Data == NULL) {
> +    Status = EFI_OUT_OF_RESOURCES;
> +    goto Out;
> +  }
> +
> +  Position = Data;
> +
> +  SingleHeader = (SINGLE_HEADER *)Position;
> +  Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);
> +  if (EFI_ERROR (Status)) {
> +    goto FreeData;
> +  }
> +  SingleHeader->TimeStamp.Pad1       = 0;
> +  SingleHeader->TimeStamp.Nanosecond = 0;
> +  SingleHeader->TimeStamp.TimeZone   = 0;
> +  SingleHeader->TimeStamp.Daylight   = 0;
> +  SingleHeader->TimeStamp.Pad2       = 0;
> +#if 0
> +  SingleHeader->dwLength         = DataSize - sizeof SingleHeader->TimeStamp;
> +#else
> +  //
> +  // This looks like a bug in edk2. According to the UEFI specification,
> +  // dwLength is "The length of the entire certificate, including the length of
> +  // the header, in bytes". That shouldn't stop right after CertType -- it
> +  // should include everything below it.
> +  //
> +  SingleHeader->dwLength         = sizeof *SingleHeader
> +                                     - sizeof SingleHeader->TimeStamp;
> +#endif
> +  SingleHeader->wRevision        = 0x0200;
> +  SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;
> +  CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);
> +  Position += sizeof *SingleHeader;
> +
> +  VA_START (Marker, CertType);
> +  for (Cert = VA_ARG (Marker, CONST UINT8 *);
> +       Cert != NULL;
> +       Cert = VA_ARG (Marker, CONST UINT8 *)) {
> +    UINTN            CertSize;
> +    CONST EFI_GUID   *OwnerGuid;
> +
> +    CertSize  = VA_ARG (Marker, UINTN);
> +    OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
> +
> +    RepeatingHeader = (REPEATING_HEADER *)Position;
> +    CopyGuid (&RepeatingHeader->SignatureType, CertType);
> +    RepeatingHeader->SignatureListSize   =
> +      (UINT32)(sizeof *RepeatingHeader + CertSize);
> +    RepeatingHeader->SignatureHeaderSize = 0;
> +    RepeatingHeader->SignatureSize       =
> +      (UINT32)(sizeof RepeatingHeader->SignatureOwner + CertSize);
> +    CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);
> +    Position += sizeof *RepeatingHeader;
> +
> +    CopyMem (Position, Cert, CertSize);
> +    Position += CertSize;
> +  }
> +  VA_END (Marker);
> +
> +  ASSERT (Data + DataSize == Position);
> +
> +  Status = gRT->SetVariable (VariableName, VendorGuid,
> +                  (EFI_VARIABLE_NON_VOLATILE |
> +                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
> +                   EFI_VARIABLE_RUNTIME_ACCESS |
> +                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
> +                  DataSize, Data);
> +
> +FreeData:
> +  FreePool (Data);
> +
> +Out:
> +  if (EFI_ERROR (Status)) {
> +    AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
> +      VendorGuid, Status);
> +  }
> +  return Status;
> +}
> +
> +
> +STATIC
> +EFI_STATUS
> +EFIAPI
> +GetExact (
> +  IN CHAR16   *VariableName,
> +  IN EFI_GUID *VendorGuid,
> +  OUT VOID    *Data,
> +  IN UINTN    DataSize,
> +  IN BOOLEAN  AllowMissing
> +  )
> +{
> +  UINTN      Size;
> +  EFI_STATUS Status;
> +
> +  Size = DataSize;
> +  Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);
> +  if (EFI_ERROR (Status)) {
> +    if (Status == EFI_NOT_FOUND && AllowMissing) {
> +      ZeroMem (Data, DataSize);
> +      return EFI_SUCCESS;
> +    }
> +
> +    AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,
> +      VendorGuid, Status);
> +    return Status;
> +  }
> +
> +  if (Size != DataSize) {
> +    AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
> +      "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
> +    return EFI_PROTOCOL_ERROR;
> +  }
> +
> +  return EFI_SUCCESS;
> +}
> +
> +typedef struct {
> +  UINT8 SetupMode;
> +  UINT8 SecureBoot;
> +  UINT8 SecureBootEnable;
> +  UINT8 CustomMode;
> +  UINT8 VendorKeys;
> +} SETTINGS;
> +
> +STATIC
> +EFI_STATUS
> +EFIAPI
> +GetSettings (
> +  OUT SETTINGS *Settings
> +  )
> +{
> +  EFI_STATUS Status;
> +
> +  Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
> +             &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
> +  if (EFI_ERROR (Status)) {
> +    return Status;
> +  }
> +
> +  Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,
> +             &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);
> +  if (EFI_ERROR (Status)) {
> +    return Status;
> +  }
> +
> +  Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,
> +             &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,
> +             sizeof Settings->SecureBootEnable, TRUE);
> +  if (EFI_ERROR (Status)) {
> +    return Status;
> +  }
> +
> +  Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
> +             &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);
> +  if (EFI_ERROR (Status)) {
> +    return Status;
> +  }
> +
> +  Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
> +             &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
> +  return Status;
> +}
> +
> +STATIC
> +VOID
> +EFIAPI
> +PrintSettings (
> +  IN CONST SETTINGS *Settings
> +  )
> +{
> +  AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
> +    "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
> +    Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
> +}
> +
> +
> +INTN
> +EFIAPI
> +ShellAppMain (
> +  IN UINTN  Argc,
> +  IN CHAR16 **Argv
> +  )
> +{
> +  EFI_STATUS Status;
> +  SETTINGS   Settings;
> +
> +  Status = GetSettings (&Settings);
> +  if (EFI_ERROR (Status)) {
> +    return 1;
> +  }
> +  PrintSettings (&Settings);
> +
> +  if (Settings.SetupMode != 1) {
> +    AsciiPrint ("error: already in User Mode\n");
> +    return 1;
> +  }
> +
> +  if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
> +    Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
> +    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
> +                    (EFI_VARIABLE_NON_VOLATILE |
> +                     EFI_VARIABLE_BOOTSERVICE_ACCESS),
> +                    sizeof Settings.CustomMode, &Settings.CustomMode);
> +    if (EFI_ERROR (Status)) {
> +      AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
> +        &gEfiCustomModeEnableGuid, Status);
> +      return 1;
> +    }
> +  }
> +
> +  Status = EnrollListOfCerts (
> +             EFI_IMAGE_SECURITY_DATABASE,
> +             &gEfiImageSecurityDatabaseGuid,
> +             &gEfiCertX509Guid,
> +             MicrosoftPCA,    sizeof MicrosoftPCA,    &mMicrosoftOwnerGuid,
> +             MicrosoftUefiCA, sizeof MicrosoftUefiCA, &mMicrosoftOwnerGuid,
> +             NULL);
> +  if (EFI_ERROR (Status)) {
> +    return 1;
> +  }
> +
> +  Status = EnrollListOfCerts (
> +             EFI_IMAGE_SECURITY_DATABASE1,
> +             &gEfiImageSecurityDatabaseGuid,
> +             &gEfiCertSha256Guid,
> +             mSha256OfDevNull, sizeof mSha256OfDevNull, &gEfiCallerIdGuid,
> +             NULL);
> +  if (EFI_ERROR (Status)) {
> +    return 1;
> +  }
> +
> +  Status = EnrollListOfCerts (
> +             EFI_KEY_EXCHANGE_KEY_NAME,
> +             &gEfiGlobalVariableGuid,
> +             &gEfiCertX509Guid,
> +             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiCallerIdGuid,
> +             MicrosoftKEK, sizeof MicrosoftKEK, &mMicrosoftOwnerGuid,
> +             NULL);
> +  if (EFI_ERROR (Status)) {
> +    return 1;
> +  }
> +
> +  Status = EnrollListOfCerts (
> +             EFI_PLATFORM_KEY_NAME,
> +             &gEfiGlobalVariableGuid,
> +             &gEfiCertX509Guid,
> +             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiGlobalVariableGuid,
> +             NULL);
> +  if (EFI_ERROR (Status)) {
> +    return 1;
> +  }
> +
> +  Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
> +  Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
> +                  EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  sizeof Settings.CustomMode, &Settings.CustomMode);
> +  if (EFI_ERROR (Status)) {
> +    AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
> +      &gEfiCustomModeEnableGuid, Status);
> +    return 1;
> +  }
> +
> +  Status = GetSettings (&Settings);
> +  if (EFI_ERROR (Status)) {
> +    return 1;
> +  }
> +  PrintSettings (&Settings);
> +
> +  if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
> +      Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
> +      Settings.VendorKeys != 0) {
> +    AsciiPrint ("error: unexpected\n");
> +    return 1;
> +  }
> +
> +  AsciiPrint ("info: success\n");
> +  return 0;
> +}
> 
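Review bot: once Custom Mode has been entered (the first SetVariable of EFI_CUSTOM_MODE_NAME in ShellAppMain), every later failure path does a bare `return 1;` without switching CustomMode back to STANDARD_SECURE_BOOT_MODE, so a failed EnrollListOfCerts() call leaves the variable store in Custom Mode. On those paths PK has not been enrolled yet and the platform is still in Setup Mode, so the practical impact is limited, and the only post-PK failure is the SetVariable that was itself trying to leave Custom Mode (where the printed error at least makes the state visible); still, a single cleanup path that restores the mode before returning would make the failure behaviour explicit. Minor: `AsciiPrint ("error: unexpected\n");` in the final check could name the field that mismatched, although the PrintSettings() output just above does show the values.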

^ permalink raw reply	[flat|nested] 39+ messages in thread

* Re: [edk2-devel] [PATCH 14/16] OvmfPkg: introduce OVMF_PK_KEK1_APP_PREFIX_GUID
  2019-04-27  0:53 ` [PATCH 14/16] OvmfPkg: introduce OVMF_PK_KEK1_APP_PREFIX_GUID Laszlo Ersek
@ 2019-04-30  5:24   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 39+ messages in thread
From: Philippe Mathieu-Daudé @ 2019-04-30  5:24 UTC (permalink / raw)
  To: devel, lersek; +Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> For the EnrollDefaultKeys application, the hypervisor is expected to add a
> string entry to the "OEM Strings" (Type 11) SMBIOS table, with the
> following format:
> 
> 4e32566d-8e9e-4f52-81d3-5bb9715f9727:<Base64 X509 cert for PK and first KEK>
> 
> The string representation of the GUID at the front is the "application
> prefix", in terms of QEMU commit
> <https://git.qemu.org/?p=qemu.git;a=commit;h=2d6dcbf93fb0>.
> 
> Introduce this GUID in the usual manner.
> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>  OvmfPkg/OvmfPkg.dec                        |  1 +
>  OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h | 45 ++++++++++++++++++++
>  2 files changed, 46 insertions(+)
> 
> diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
> index 922e061cc85c..0e555c5c78c5 100644
> --- a/OvmfPkg/OvmfPkg.dec
> +++ b/OvmfPkg/OvmfPkg.dec
> @@ -67,16 +67,17 @@ [LibraryClasses]
>  
>    ##  @libraryclass  Manage XenBus device path and I/O handles
>    #
>    XenIoMmioLib|Include/Library/XenIoMmioLib.h
>  
>  [Guids]
>    gUefiOvmfPkgTokenSpaceGuid          = {0x93bb96af, 0xb9f2, 0x4eb8, {0x94, 0x62, 0xe0, 0xba, 0x74, 0x56, 0x42, 0x36}}
>    gEfiXenInfoGuid                     = {0xd3b46f3b, 0xd441, 0x1244, {0x9a, 0x12, 0x0, 0x12, 0x27, 0x3f, 0xc1, 0x4d}}
> +  gOvmfPkKek1AppPrefixGuid            = {0x4e32566d, 0x8e9e, 0x4f52, {0x81, 0xd3, 0x5b, 0xb9, 0x71, 0x5f, 0x97, 0x27}}
>    gOvmfPlatformConfigGuid             = {0x7235c51c, 0x0c80, 0x4cab, {0x87, 0xac, 0x3b, 0x08, 0x4a, 0x63, 0x04, 0xb1}}
>    gVirtioMmioTransportGuid            = {0x837dca9e, 0xe874, 0x4d82, {0xb2, 0x9a, 0x23, 0xfe, 0x0e, 0x23, 0xd1, 0xe2}}
>    gQemuRamfbGuid                      = {0x557423a1, 0x63ab, 0x406c, {0xbe, 0x7e, 0x91, 0xcd, 0xbc, 0x08, 0xc4, 0x57}}
>    gXenBusRootDeviceGuid               = {0xa732241f, 0x383d, 0x4d9c, {0x8a, 0xe1, 0x8e, 0x09, 0x83, 0x75, 0x89, 0xd7}}
>    gRootBridgesConnectedEventGroupGuid = {0x24a2d66f, 0xeedd, 0x4086, {0x90, 0x42, 0xf2, 0x6e, 0x47, 0x97, 0xee, 0x69}}
>    gMicrosoftVendorGuid                = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}}
>  
>  [Protocols]
> diff --git a/OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h b/OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h
> new file mode 100644
> index 000000000000..e05d2fe021b7
> --- /dev/null
> +++ b/OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h
> @@ -0,0 +1,45 @@
> +/** @file
> +  Declare the application prefix string as a GUID, for locating the PK/KEK1
> +  X509 certificate to enroll, in the "OEM Strings" SMBIOS table.
> +
> +  Copyright (C) 2019, Red Hat, Inc.
> +
> +  SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +  @par Specification Reference:
> +  - https://git.qemu.org/?p=qemu.git;a=commit;h=2d6dcbf93fb0
> +  - https://libvirt.org/formatdomain.html#elementsSysinfo
> +  - https://bugs.launchpad.net/qemu/+bug/1826200
> +  - https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> +**/
> +
> +#ifndef OVMF_PK_KEK1_APP_PREFIX_H_
> +#define OVMF_PK_KEK1_APP_PREFIX_H_
> +
> +#include <Uefi/UefiBaseType.h>
> +
> +//
> +// For the EnrollDefaultKeys application, the hypervisor is expected to add a
> +// string entry to the "OEM Strings" (Type 11) SMBIOS table, with the following
> +// format:
> +//
> +// 4e32566d-8e9e-4f52-81d3-5bb9715f9727:<Base64 X509 cert for PK and first KEK>
> +//
> +// The string representation of the GUID at the front is the "application
> +// prefix". It is matched by EnrollDefaultKeys case-insensitively.
> +//
> +// The base64-encoded blob following the application prefix and the colon (:)
> +// is an X509 certificate in DER representation; the hypervisor instructs
> +// EnrollDefaultKeys to enroll this certificate as both Platform Key and first
> +// Key Exchange Key.
> +//
> +#define OVMF_PK_KEK1_APP_PREFIX_GUID                    \
> +  { 0x4e32566d,                                         \
> +    0x8e9e,                                             \
> +    0x4f52,                                             \
> +    { 0x81, 0xd3, 0x5b, 0xb9, 0x71, 0x5f, 0x97, 0x27 }, \
> +  }
> +
> +extern EFI_GUID gOvmfPkKek1AppPrefixGuid;
> +
> +#endif /* OVMF_PK_KEK1_APP_PREFIX_H_ */
> 
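Review bot: the format comment states the case-insensitive prefix match but says nothing about how the base64 part is treated, and this header is the hypervisor-facing contract. The consumer in patch 15 relies on BaseLib's Base64Decode(), which (per the fall-through comment in that patch) ignores whitespace, and it rejects a blob that decodes to zero bytes as EFI_PROTOCOL_ERROR. Stating both here, next to the "4e32566d-...:<Base64 X509 cert ...>" line, would tell a VMM author whether a PEM body with embedded newlines is acceptable without reading EnrollDefaultKeys.c.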

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>


* Re: [edk2-devel] [PATCH 15/16] OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type 11 SMBIOS table
  2019-04-27  0:53 ` [PATCH 15/16] OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type 11 SMBIOS table Laszlo Ersek
@ 2019-04-30  5:34   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 39+ messages in thread
From: Philippe Mathieu-Daudé @ 2019-04-30  5:34 UTC (permalink / raw)
  To: devel, lersek; +Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> Disconnect the certificate that is enrolled as both Platform Key and first
> Key Exchange Key from Red Hat: expect the hypervisor to specify it, as
> part of SMBIOS.
> 
> Example usage with QEMU:
> 
> * Generate self-signed X509 certificate:
> 
>   openssl req \
>     -x509 \
>     -newkey rsa:2048 \
>     -outform PEM \
>     -keyout PkKek1.private.key \
>     -out PkKek1.pem
> 
>   (where "PEM" simply means "DER + base64 + header + footer").
> 
> * Strip the header, footer, and newline characters; prepend the
>   application prefix:
> 
>   sed \
>     -e 's/^-----BEGIN CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \
>     -e '/^-----END CERTIFICATE-----$/d' \
>     PkKek1.pem \
>   | tr -d '\n' \
>   > PkKek1.oemstr
> 
> * Pass the certificate to EnrollDefaultKeys with the following QEMU
>   option:
> 
>   -smbios type=11,value="$(< PkKek1.oemstr)"
> 
>   (Note: for the above option to work correctly, a QEMU version is needed
>   that includes commit 950c4e6c94b1 ("opts: don't silently truncate long
>   option values", 2018-05-09). The first upstream release with that commit
>   was v3.0.0.
> 
>   Once <https://bugs.launchpad.net/qemu/+bug/1826200> is fixed, QEMU will
>   learn to read the file directly; passing the blob on the command will be
>   necessary no more.)
> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |   7 +
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 223 ++++++++++++++++++--
>  2 files changed, 217 insertions(+), 13 deletions(-)
> 
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> index 28db52586a9b..184f7972d52d 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> @@ -30,16 +30,23 @@ [Guids]
>    gEfiCertPkcs7Guid
>    gEfiCertSha256Guid
>    gEfiCertX509Guid
>    gEfiCustomModeEnableGuid
>    gEfiGlobalVariableGuid
>    gEfiImageSecurityDatabaseGuid
>    gEfiSecureBootEnableDisableGuid
>    gMicrosoftVendorGuid
> +  gOvmfPkKek1AppPrefixGuid
> +
> +[Protocols]
> +  gEfiSmbiosProtocolGuid ## CONSUMES
>  
>  [LibraryClasses]
> +  BaseLib
>    BaseMemoryLib
>    DebugLib
>    MemoryAllocationLib
> +  PrintLib
>    ShellCEntryLib
> +  UefiBootServicesTableLib
>    UefiLib
>    UefiRuntimeServicesTableLib
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> index 9c4a0f06fb4d..b7b2e424c59e 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> @@ -4,26 +4,201 @@
>    Copyright (C) 2014-2019, Red Hat, Inc.
>  
>    SPDX-License-Identifier: BSD-2-Clause-Patent
>  **/
>  #include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
>  #include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
>  #include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
>  #include <Guid/MicrosoftVendor.h>                // gMicrosoftVendorGuid
> +#include <Guid/OvmfPkKek1AppPrefix.h>            // gOvmfPkKek1AppPrefixGuid
> +#include <IndustryStandard/SmBios.h>             // SMBIOS_HANDLE_PI_RESERVED
> +#include <Library/BaseLib.h>                     // GUID_STRING_LENGTH
>  #include <Library/BaseMemoryLib.h>               // CopyGuid()
>  #include <Library/DebugLib.h>                    // ASSERT()
>  #include <Library/MemoryAllocationLib.h>         // FreePool()
> +#include <Library/PrintLib.h>                    // AsciiSPrint()
>  #include <Library/ShellCEntryLib.h>              // ShellAppMain()
> +#include <Library/UefiBootServicesTableLib.h>    // gBS
>  #include <Library/UefiLib.h>                     // AsciiPrint()
>  #include <Library/UefiRuntimeServicesTableLib.h> // gRT
> +#include <Protocol/Smbios.h>                     // EFI_SMBIOS_PROTOCOL
>  
>  #include "EnrollDefaultKeys.h"
>  
>  
> +/**
> +  Fetch the X509 certificate (to be used as Platform Key and first Key Exchange
> +  Key) from SMBIOS.
> +
> +  @param[out] PkKek1        The X509 certificate in DER encoding from the
> +                            hypervisor, to be enrolled as PK and first KEK
> +                            entry. On success, the caller is responsible for
> +                            releasing PkKek1 with FreePool().
> +
> +  @param[out] SizeOfPkKek1  The size of PkKek1 in bytes.
> +
> +  @retval EFI_SUCCESS           PkKek1 and SizeOfPkKek1 have been set
> +                                successfully.
> +
> +  @retval EFI_NOT_FOUND         An OEM String matching
> +                                OVMF_PK_KEK1_APP_PREFIX_GUID has not been
> +                                found.
> +
> +  @retval EFI_PROTOCOL_ERROR    In the OEM String matching
> +                                OVMF_PK_KEK1_APP_PREFIX_GUID, the certificate
> +                                is empty, or it has invalid base64 encoding.
> +
> +  @retval EFI_OUT_OF_RESOURCES  Memory allocation failed.
> +
> +  @return                       Error codes from gBS->LocateProtocol().
> +**/
> +STATIC
> +EFI_STATUS
> +GetPkKek1 (
> +  OUT UINT8 **PkKek1,
> +  OUT UINTN *SizeOfPkKek1
> +  )
> +{
> +  CONST CHAR8             *Base64Cert;
> +  CHAR8                   OvmfPkKek1AppPrefix[GUID_STRING_LENGTH + 1 + 1];
> +  EFI_STATUS              Status;
> +  EFI_SMBIOS_PROTOCOL     *Smbios;
> +  EFI_SMBIOS_HANDLE       Handle;
> +  EFI_SMBIOS_TYPE         Type;
> +  EFI_SMBIOS_TABLE_HEADER *Header;
> +  SMBIOS_TABLE_TYPE11     *OemStringsTable;
> +  UINTN                   Base64CertLen;
> +  UINTN                   DecodedCertSize;
> +  UINT8                   *DecodedCert;
> +
> +  Base64Cert = NULL;
> +
> +  //
> +  // Format the application prefix, for OEM String matching.
> +  //
> +  AsciiSPrint (OvmfPkKek1AppPrefix, sizeof OvmfPkKek1AppPrefix, "%g:",
> +    &gOvmfPkKek1AppPrefixGuid);
> +
> +  //
> +  // Scan all "OEM Strings" tables.
> +  //
> +  Status = gBS->LocateProtocol (&gEfiSmbiosProtocolGuid, NULL,
> +                  (VOID **)&Smbios);
> +  if (EFI_ERROR (Status)) {
> +    AsciiPrint ("error: failed to locate EFI_SMBIOS_PROTOCOL: %r\n", Status);
> +    return Status;
> +  }
> +
> +  Handle = SMBIOS_HANDLE_PI_RESERVED;
> +  Type = SMBIOS_TYPE_OEM_STRINGS;
> +  for (Status = Smbios->GetNext (Smbios, &Handle, &Type, &Header, NULL);
> +       !EFI_ERROR (Status);
> +       Status = Smbios->GetNext (Smbios, &Handle, &Type, &Header, NULL)) {
> +    CONST CHAR8 *OemString;
> +    UINTN       Idx;
> +
> +    if (Header->Length < sizeof *OemStringsTable) {
> +      //
> +      // Malformed table header, skip to next.
> +      //
> +      continue;
> +    }
> +    OemStringsTable = (SMBIOS_TABLE_TYPE11 *)Header;
> +
> +    //
> +    // Scan all strings in the unformatted area of the current "OEM Strings"
> +    // table.
> +    //
> +    OemString = (CONST CHAR8 *)(OemStringsTable + 1);
> +    for (Idx = 0; Idx < OemStringsTable->StringCount; ++Idx) {
> +      CHAR8 CandidatePrefix[sizeof OvmfPkKek1AppPrefix];
> +
> +      //
> +      // NUL-terminate the candidate prefix for case-insensitive comparison.
> +      //
> +      AsciiStrnCpyS (CandidatePrefix, sizeof CandidatePrefix, OemString,
> +        GUID_STRING_LENGTH + 1);
> +      if (AsciiStriCmp (OvmfPkKek1AppPrefix, CandidatePrefix) == 0) {
> +        //
> +        // The current string matches the prefix.
> +        //
> +        Base64Cert = OemString + GUID_STRING_LENGTH + 1;
> +        break;
> +      }
> +      OemString += AsciiStrSize (OemString);
> +    }
> +
> +    if (Idx < OemStringsTable->StringCount) {
> +      //
> +      // The current table has a matching string.
> +      //
> +      break;
> +    }
> +  }
> +
> +  if (EFI_ERROR (Status)) {
> +    //
> +    // No table with a matching string has been found.
> +    //
> +    AsciiPrint ("error: OEM String with app prefix %g not found: %r\n",
> +      &gOvmfPkKek1AppPrefixGuid, Status);
> +    return EFI_NOT_FOUND;
> +  }
> +
> +  ASSERT (Base64Cert != NULL);
> +  Base64CertLen = AsciiStrLen (Base64Cert);
> +
> +  //
> +  // Verify the base64 encoding, and determine the decoded size.
> +  //
> +  DecodedCertSize = 0;
> +  Status = Base64Decode (Base64Cert, Base64CertLen, NULL, &DecodedCertSize);
> +  switch (Status) {
> +  case EFI_BUFFER_TOO_SMALL:
> +    if (DecodedCertSize > 0) {
> +      break;
> +    }
> +    //
> +    // Fall through: the above Base64Decode() call is ill-specified in BaseLib
> +    // if Source decodes to zero bytes (for example if it consists of ignored
> +    // whitespace only).

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>

> +    //
> +  case EFI_SUCCESS:
> +    AsciiPrint ("error: empty certificate after app prefix %g\n",
> +      &gOvmfPkKek1AppPrefixGuid);
> +    return EFI_PROTOCOL_ERROR;
> +  default:
> +    AsciiPrint ("error: invalid base64 string after app prefix %g\n",
> +      &gOvmfPkKek1AppPrefixGuid);
> +    return EFI_PROTOCOL_ERROR;
> +  }
> +
> +  //
> +  // Allocate the output buffer.
> +  //
> +  DecodedCert = AllocatePool (DecodedCertSize);
> +  if (DecodedCert == NULL) {
> +    AsciiPrint ("error: failed to allocate memory\n");
> +    return EFI_OUT_OF_RESOURCES;
> +  }
> +
> +  //
> +  // Decoding will succeed at this point.
> +  //
> +  Status = Base64Decode (Base64Cert, Base64CertLen, DecodedCert,
> +             &DecodedCertSize);
> +  ASSERT_EFI_ERROR (Status);
> +
> +  *PkKek1 = DecodedCert;
> +  *SizeOfPkKek1 = DecodedCertSize;
> +  return EFI_SUCCESS;
> +}
> +
> +
>  /**
>    Enroll a set of certificates in a global variable, overwriting it.
>  
>    The variable will be rewritten with NV+BS+RT+AT attributes.
>  
>    @param[in] VariableName  The name of the variable to overwrite.
>  
>    @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
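Review bot: the inner loop of GetPkKek1() trusts OemStringsTable->StringCount. It advances with AsciiStrSize() and AsciiStrnCpyS() reads up to GUID_STRING_LENGTH + 1 bytes of every candidate, but nothing stops the walk at the string-set terminator (the empty string) or at the end of the record, so a Type 11 table whose StringCount exceeds the number of strings present would be scanned past its double-NUL terminator into whatever memory follows. The SMBIOS tables come from the hypervisor, which this series already trusts to supply the PK, so this is robustness rather than a security boundary; even so, breaking out of the loop when `AsciiStrSize (OemString) == 1` (the terminator) would make the walk self-limiting at no cost. The Base64Decode() double call with the EFI_BUFFER_TOO_SMALL / zero-size fall-through is handled carefully and the comment explains why; good.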
> @@ -353,116 +528,133 @@ PrintSettings (
>  **/
>  INTN
>  EFIAPI
>  ShellAppMain (
>    IN UINTN  Argc,
>    IN CHAR16 **Argv
>    )
>  {
> +  INTN       RetVal;
>    EFI_STATUS Status;
>    SETTINGS   Settings;
> +  UINT8      *PkKek1;
> +  UINTN      SizeOfPkKek1;
> +
> +  //
> +  // Prepare for failure.
> +  //
> +  RetVal = 1;
>  
>    //
>    // If we're not in Setup Mode, we can't do anything.
>    //
>    Status = GetSettings (&Settings);
>    if (EFI_ERROR (Status)) {
> -    return 1;
> +    return RetVal;
>    }
>    PrintSettings (&Settings);
>  
>    if (Settings.SetupMode != 1) {
>      AsciiPrint ("error: already in User Mode\n");
> -    return 1;
> +    return RetVal;
> +  }
> +
> +  //
> +  // Fetch the X509 certificate (to be used as Platform Key and first Key
> +  // Exchange Key) from SMBIOS.
> +  //
> +  Status = GetPkKek1 (&PkKek1, &SizeOfPkKek1);
> +  if (EFI_ERROR (Status)) {
> +    return RetVal;
>    }
>  
>    //
>    // Enter Custom Mode so we can enroll PK, KEK, db, and dbx without signature
>    // checks on those variable writes.
>    //
>    if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
>      Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
>      Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
>                      (EFI_VARIABLE_NON_VOLATILE |
>                       EFI_VARIABLE_BOOTSERVICE_ACCESS),
>                      sizeof Settings.CustomMode, &Settings.CustomMode);
>      if (EFI_ERROR (Status)) {
>        AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
>          &gEfiCustomModeEnableGuid, Status);
> -      return 1;
> +      goto FreePkKek1;
>      }
>    }
>  
>    //
>    // Enroll db.
>    //
>    Status = EnrollListOfCerts (
>               EFI_IMAGE_SECURITY_DATABASE,
>               &gEfiImageSecurityDatabaseGuid,
>               &gEfiCertX509Guid,
>               mMicrosoftPca,    mSizeOfMicrosoftPca,    &gMicrosoftVendorGuid,
>               mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
> -    return 1;
> +    goto FreePkKek1;
>    }
>  
>    //
>    // Enroll dbx.
>    //
>    Status = EnrollListOfCerts (
>               EFI_IMAGE_SECURITY_DATABASE1,
>               &gEfiImageSecurityDatabaseGuid,
>               &gEfiCertSha256Guid,
>               mSha256OfDevNull, mSizeOfSha256OfDevNull, &gEfiCallerIdGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
> -    return 1;
> +    goto FreePkKek1;
>    }
>  
>    //
>    // Enroll KEK.
>    //
>    Status = EnrollListOfCerts (
>               EFI_KEY_EXCHANGE_KEY_NAME,
>               &gEfiGlobalVariableGuid,
>               &gEfiCertX509Guid,
> -             mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid,
> +             PkKek1,        SizeOfPkKek1,        &gEfiCallerIdGuid,
>               mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
> -    return 1;
> +    goto FreePkKek1;
>    }
>  
>    //
>    // Enroll PK, leaving Setup Mode (entering User Mode) at once.
>    //
>    Status = EnrollListOfCerts (
>               EFI_PLATFORM_KEY_NAME,
>               &gEfiGlobalVariableGuid,
>               &gEfiCertX509Guid,
> -             mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiGlobalVariableGuid,
> +             PkKek1, SizeOfPkKek1, &gEfiGlobalVariableGuid,
>               NULL);
>    if (EFI_ERROR (Status)) {
> -    return 1;
> +    goto FreePkKek1;
>    }
>  
>    //
>    // Leave Custom Mode, so that updates to PK, KEK, db, and dbx require valid
>    // signatures.
>    //
>    Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
>    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
>                    EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
>                    sizeof Settings.CustomMode, &Settings.CustomMode);
>    if (EFI_ERROR (Status)) {
>      AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
>        &gEfiCustomModeEnableGuid, Status);
> -    return 1;
> +    goto FreePkKek1;
>    }
>  
>    //
>    // Final sanity check:
>    //
>    //                                 [SetupMode]
>    //                        (read-only, standardized by UEFI)
>    //                                /                \_
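Review bot: the blob returned by GetPkKek1() is validated only as base64 before it is enrolled with gEfiCertX509Guid, first as a KEK entry and then as PK; nothing checks that the decoded bytes are a DER-encoded X.509 certificate. A base64 string that decodes to something else would produce a successful run, with the platform leaving Setup Mode holding a PK that no signer can match, a state that is hard to recover from without replacing the variable store. Since the PK enrollment is the step that cannot be undone by the application itself, consider at least a cheap DER sanity check (first byte 0x30, SEQUENCE) or a parse through BaseCryptLib before the KEK/PK EnrollListOfCerts() calls, failing with a clear message instead. The `goto FreePkKek1` conversion itself is correct: both early returns happen before GetPkKek1() allocates, and every later exit reaches the FreePool().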
> @@ -488,22 +680,27 @@ ShellAppMain (
>    //                                /                           \_
>    //                          0, default                         1
>    //                              /                               \_
>    //                      PK, KEK, db, dbx                PK, KEK, db, dbx
>    //                    updates are verified          updates are not verified
>    //
>    Status = GetSettings (&Settings);
>    if (EFI_ERROR (Status)) {
> -    return 1;
> +    goto FreePkKek1;
>    }
>    PrintSettings (&Settings);
>  
>    if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
>        Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
>        Settings.VendorKeys != 0) {
>      AsciiPrint ("error: unexpected\n");
> -    return 1;
> +    goto FreePkKek1;
>    }
>  
>    AsciiPrint ("info: success\n");
> -  return 0;
> +  RetVal = 0;
> +
> +FreePkKek1:
> +  FreePool (PkKek1);
> +
> +  return RetVal;
>  }
> 
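
The OEM String contract the commit message describes (application prefix, colon, base64 DER certificate), exercised outside the firmware as an added example that is not part of the patch or of edk2: a strict base64 decoder, a case-insensitive prefix match, a Type 11 walk bounded by the record size that stops at the string-set terminator, and a DER-tag check before the blob would be handed to enrollment. Every name here and the sample tables are constructed for this example; edk2's Base64Decode() additionally tolerates whitespace, which this decoder deliberately does not.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Application prefix from the patch: GUID string followed by a colon. */
#define APP_PREFIX "4e32566d-8e9e-4f52-81d3-5bb9715f9727:"
#define PREFIX_LEN (sizeof APP_PREFIX - 1)

/* get_pkkek1() returns the decoded length, or minus one of these codes. */
enum { PKKEK1_NOT_FOUND = 1, PKKEK1_BAD_CERT, PKKEK1_TOO_SMALL };

static int b64val(int c)
{
  if (c >= 'A' && c <= 'Z') return c - 'A';
  if (c >= 'a' && c <= 'z') return c - 'a' + 26;
  if (c >= '0' && c <= '9') return c - '0' + 52;
  return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Strict base64 decoder (rejects whitespace, unlike edk2's BaseLib Base64Decode).
 * Returns the decoded length, -1 for malformed input, -2 if cap is too small. */
static long b64decode(const char *src, size_t len, uint8_t *out, size_t cap)
{
  unsigned acc = 0;
  int bits = 0, v = 0;
  size_t n = 0, pad = 0, i;
  if (len % 4 != 0) return -1;
  for (i = 0; i < len; i++) {
    if (src[i] == '=') { pad++; continue; }
    if (pad > 0 || (v = b64val((unsigned char)src[i])) < 0) return -1;
    acc = (acc << 6) | (unsigned)v;
    bits += 6;
    if (bits >= 8) {
      if (n >= cap) return -2;
      bits -= 8;
      out[n++] = (uint8_t)(acc >> bits);
    }
  }
  return pad > 2 ? -1 : (long)n;
}

/* Case-insensitive match of the application prefix at the start of s. */
static int has_prefix(const char *s, size_t n)
{
  if (n < PREFIX_LEN) return 0;
  for (size_t i = 0; i < PREFIX_LEN; i++)
    if (tolower((unsigned char)s[i]) != (unsigned char)APP_PREFIX[i]) return 0;
  return 1;
}

/* Scan the string set of one SMBIOS Type 11 ("OEM Strings") structure. Every
 * step is bounded by tbl_size and the walk stops at the string-set terminator
 * (an empty string), so a StringCount larger than the real count is harmless. */
static const char *find_oem_string(const uint8_t *tbl, size_t tbl_size)
{
  const char *s, *end, *nul;
  if (tbl_size < 5 || tbl[0] != 11 || tbl[1] < 5 || (size_t)tbl[1] > tbl_size) return NULL;
  s = (const char *)tbl + tbl[1];            /* formatted area: Type, Length, Handle, Count */
  end = (const char *)tbl + tbl_size;
  for (unsigned i = 0; i < tbl[4] && s < end; i++) {
    nul = memchr(s, '\0', (size_t)(end - s));
    if (nul == NULL || nul == s) return NULL; /* unterminated, or terminator reached early */
    if (has_prefix(s, (size_t)(nul - s))) return s;
    s = nul + 1;
  }
  return NULL;
}

/* Locate, decode and sanity-check the PK/KEK1 certificate into cert. */
long get_pkkek1(const uint8_t *tbl, size_t tbl_size, uint8_t *cert, size_t cap)
{
  const char *s = find_oem_string(tbl, tbl_size);
  long n;
  if (s == NULL) return -PKKEK1_NOT_FOUND;
  n = b64decode(s + PREFIX_LEN, strlen(s + PREFIX_LEN), cert, cap);
  if (n == -2) return -PKKEK1_TOO_SMALL;
  /* Empty blob, invalid base64, or not a DER SEQUENCE (tag 0x30): enrolling it
   * would succeed yet leave an unusable Platform Key behind. */
  if (n <= 0 || cert[0] != 0x30) return -PKKEK1_BAD_CERT;
  return n;
}

/* Constructed sample tables (formatted area: Type 11, Length 5, Handle, Count);
 * each literal's implicit trailing NUL doubles as the string-set terminator. */
static const uint8_t sample_ok[] = "\x0b\x05\x00\x0e\x02" "vendor\0"
  "4E32566D-8E9E-4F52-81D3-5BB9715F9727:MIIBAg==\0";   /* upper-case prefix, DER 30 82 01 02 */
static const uint8_t sample_empty[] = "\x0b\x05\x00\x0e\x01"
  "4e32566d-8e9e-4f52-81d3-5bb9715f9727:\0";           /* prefix, but no certificate */
static const uint8_t sample_overcount[] = "\x0b\x05\x00\x0e\x03" "vendor\0"; /* StringCount lies */
static uint8_t scratch[64];

int main(void)
{
  long n = get_pkkek1(sample_ok, sizeof sample_ok, scratch, sizeof scratch);
  printf("decoded %ld byte(s), first byte 0x%02x\n", n, (unsigned)(n > 0 ? scratch[0] : 0));
  return n > 0 ? 0 : 1;
}
```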


* Re: [edk2-devel] [PATCH 16/16] OvmfPkg/EnrollDefaultKeys: remove Red Hat's hard-coded PK/KEK1
  2019-04-27  0:53 ` [PATCH 16/16] OvmfPkg/EnrollDefaultKeys: remove Red Hat's hard-coded PK/KEK1 Laszlo Ersek
@ 2019-04-30  5:35   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 39+ messages in thread
From: Philippe Mathieu-Daudé @ 2019-04-30  5:35 UTC (permalink / raw)
  To: devel, lersek; +Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> The certificate
> 
>   "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
>   SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
> 
> is no longer referenced; remove it.
> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h |  3 -
>  OvmfPkg/EnrollDefaultKeys/AuthData.c          | 85 --------------------
>  2 files changed, 88 deletions(-)
> 
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
> index e3a7e43da4e3..8e61f0a77b90 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
> @@ -118,19 +118,16 @@ typedef struct {
>    UINT8 CustomMode;
>    UINT8 VendorKeys;
>  } SETTINGS;
>  
>  
>  //
>  // Refer to "AuthData.c" for details on the following objects.
>  //
> -extern CONST UINT8 mRedHatPkKek1[];
> -extern CONST UINTN mSizeOfRedHatPkKek1;
> -
>  extern CONST UINT8 mMicrosoftKek[];
>  extern CONST UINTN mSizeOfMicrosoftKek;
>  
>  extern CONST UINT8 mMicrosoftPca[];
>  extern CONST UINTN mSizeOfMicrosoftPca;
>  
>  extern CONST UINT8 mMicrosoftUefiCa[];
>  extern CONST UINTN mSizeOfMicrosoftUefiCa;
> diff --git a/OvmfPkg/EnrollDefaultKeys/AuthData.c b/OvmfPkg/EnrollDefaultKeys/AuthData.c
> index 9a96dcc440b3..3b4856a01f48 100644
> --- a/OvmfPkg/EnrollDefaultKeys/AuthData.c
> +++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c
> @@ -4,101 +4,16 @@
>    Copyright (C) 2014-2019, Red Hat, Inc.
>  
>    SPDX-License-Identifier: BSD-2-Clause-Patent
>  **/
>  
>  #include "EnrollDefaultKeys.h"
>  
>  
> -//
> -// We'll use the certificate below as both Platform Key and as first Key
> -// Exchange Key.
> -//
> -// "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
> -// SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
> -//
> -CONST UINT8 mRedHatPkKek1[] = {
> -  0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, 0x02,
> -  0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, 0x0d,
> -  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
> -  0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22,
> -  0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
> -  0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45,
> -  0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06,
> -  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73,
> -  0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61,
> -  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
> -  0x33, 0x31, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, 0x37,
> -  0x31, 0x30, 0x32, 0x35, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x30, 0x51,
> -  0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x52, 0x65,
> -  0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20,
> -  0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45, 0x4b, 0x20,
> -  0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a,
> -  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,
> -  0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, 0x2e,
> -  0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
> -  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
> -  0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x90, 0x1f, 0x84,
> -  0x7b, 0x8d, 0xbc, 0xeb, 0x97, 0x26, 0x82, 0x6d, 0x88, 0xab, 0x8a, 0xc9, 0x8c,
> -  0x68, 0x70, 0xf9, 0xdf, 0x4b, 0x07, 0xb2, 0x37, 0x83, 0x0b, 0x02, 0xc8, 0x67,
> -  0x68, 0x30, 0x9e, 0xe3, 0xf0, 0xf0, 0x99, 0x4a, 0xb8, 0x59, 0x57, 0xc6, 0x41,
> -  0xf6, 0x38, 0x8b, 0xfe, 0x66, 0x4c, 0x49, 0xe9, 0x37, 0x37, 0x92, 0x2e, 0x98,
> -  0x01, 0x1e, 0x5b, 0x14, 0x50, 0xe6, 0xa8, 0x8d, 0x25, 0x0d, 0xf5, 0x86, 0xe6,
> -  0xab, 0x30, 0xcb, 0x40, 0x16, 0xea, 0x8d, 0x8b, 0x16, 0x86, 0x70, 0x43, 0x37,
> -  0xf2, 0xce, 0xc0, 0x91, 0xdf, 0x71, 0x14, 0x8e, 0x99, 0x0e, 0x89, 0xb6, 0x4c,
> -  0x6d, 0x24, 0x1e, 0x8c, 0xe4, 0x2f, 0x4f, 0x25, 0xd0, 0xba, 0x06, 0xf8, 0xc6,
> -  0xe8, 0x19, 0x18, 0x76, 0x73, 0x1d, 0x81, 0x6d, 0xa8, 0xd8, 0x05, 0xcf, 0x3a,
> -  0xc8, 0x7b, 0x28, 0xc8, 0x36, 0xa3, 0x16, 0x0d, 0x29, 0x8c, 0x99, 0x9a, 0x68,
> -  0xdc, 0xab, 0xc0, 0x4d, 0x8d, 0xbf, 0x5a, 0xbb, 0x2b, 0xa9, 0x39, 0x4b, 0x04,
> -  0x97, 0x1c, 0xf9, 0x36, 0xbb, 0xc5, 0x3a, 0x86, 0x04, 0xae, 0xaf, 0xd4, 0x82,
> -  0x7b, 0xe0, 0xab, 0xde, 0x49, 0x05, 0x68, 0xfc, 0xf6, 0xae, 0x68, 0x1a, 0x6c,
> -  0x90, 0x4d, 0x57, 0x19, 0x3c, 0x64, 0x66, 0x03, 0xf6, 0xc7, 0x52, 0x9b, 0xf7,
> -  0x94, 0xcf, 0x93, 0x6a, 0xa1, 0x68, 0xc9, 0xaa, 0xcf, 0x99, 0x6b, 0xbc, 0xaa,
> -  0x5e, 0x08, 0xe7, 0x39, 0x1c, 0xf7, 0xf8, 0x0f, 0xba, 0x06, 0x7e, 0xf1, 0xcb,
> -  0xe8, 0x76, 0xdd, 0xfe, 0x22, 0xda, 0xad, 0x3a, 0x5e, 0x5b, 0x34, 0xea, 0xb3,
> -  0xc9, 0xe0, 0x4d, 0x04, 0x29, 0x7e, 0xb8, 0x60, 0xb9, 0x05, 0xef, 0xb5, 0xd9,
> -  0x17, 0x58, 0x56, 0x16, 0x60, 0xb9, 0x30, 0x32, 0xf0, 0x36, 0x4a, 0xc3, 0xf2,
> -  0x79, 0x8d, 0x12, 0x40, 0x70, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x7b,
> -  0x30, 0x79, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00,
> -  0x30, 0x2c, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x0d,
> -  0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, 0x47,
> -  0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72, 0x74,
> -  0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
> -  0x0e, 0x04, 0x16, 0x04, 0x14, 0x3c, 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a,
> -  0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42, 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30,
> -  0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x3c,
> -  0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a, 0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42,
> -  0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
> -  0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
> -  0x5c, 0x4d, 0x92, 0x88, 0xb4, 0x82, 0x5f, 0x1d, 0xad, 0x8b, 0x11, 0xec, 0xdf,
> -  0x06, 0xa6, 0x7a, 0xa5, 0x2b, 0x9f, 0x37, 0x55, 0x0c, 0x8d, 0x6e, 0x05, 0x00,
> -  0xad, 0xb7, 0x0c, 0x41, 0x89, 0x69, 0xcf, 0xd6, 0x65, 0x06, 0x9b, 0x51, 0x78,
> -  0xd2, 0xad, 0xc7, 0xbf, 0x9c, 0xdc, 0x05, 0x73, 0x7f, 0xe7, 0x1e, 0x39, 0x13,
> -  0xb4, 0xea, 0xb6, 0x30, 0x7d, 0x40, 0x75, 0xab, 0x9c, 0x43, 0x0b, 0xdf, 0xb0,
> -  0xc2, 0x1b, 0xbf, 0x30, 0xe0, 0xf4, 0xfe, 0xc0, 0xdb, 0x62, 0x21, 0x98, 0xf6,
> -  0xc5, 0xaf, 0xde, 0x3b, 0x4f, 0x49, 0x0a, 0xe6, 0x1e, 0xf9, 0x86, 0xb0, 0x3f,
> -  0x0d, 0xd6, 0xd4, 0x46, 0x37, 0xdb, 0x54, 0x74, 0x5e, 0xff, 0x11, 0xc2, 0x60,
> -  0xc6, 0x70, 0x58, 0xc5, 0x1c, 0x6f, 0xec, 0xb2, 0xd8, 0x6e, 0x6f, 0xc3, 0xbc,
> -  0x33, 0x87, 0x38, 0xa4, 0xf3, 0x44, 0x64, 0x9c, 0x34, 0x3b, 0x28, 0x94, 0x26,
> -  0x78, 0x27, 0x9f, 0x16, 0x17, 0xe8, 0x3b, 0x69, 0x0a, 0x25, 0xa9, 0x73, 0x36,
> -  0x7e, 0x9e, 0x37, 0x5c, 0xec, 0xe8, 0x3f, 0xdb, 0x91, 0xf9, 0x12, 0xb3, 0x3d,
> -  0xce, 0xe7, 0xdd, 0x15, 0xc3, 0xae, 0x8c, 0x05, 0x20, 0x61, 0x9b, 0x95, 0xde,
> -  0x9b, 0xaf, 0xfa, 0xb1, 0x5c, 0x1c, 0xe5, 0x97, 0xe7, 0xc3, 0x34, 0x11, 0x85,
> -  0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, 0x90,
> -  0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, 0xaf,
> -  0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, 0x37,
> -  0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, 0xb7,
> -  0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, 0x43,
> -  0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69
> -};
> -
> -CONST UINTN mSizeOfRedHatPkKek1 = sizeof mRedHatPkKek1;
> -
> -
>  //
>  // Second KEK: "Microsoft Corporation KEK CA 2011".
>  // SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
>  //
>  // "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
>  //
>  CONST UINT8 mMicrosoftKek[] = {
>    0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
> 

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>


* Re: [edk2-devel] [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app
  2019-04-27  0:53 [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app Laszlo Ersek
                   ` (17 preceding siblings ...)
  2019-04-27  8:14 ` Ard Biesheuvel
@ 2019-04-30  7:51 ` Gary Lin
  2019-04-30 12:32 ` Laszlo Ersek
  19 siblings, 0 replies; 39+ messages in thread
From: Gary Lin @ 2019-04-30  7:51 UTC (permalink / raw)
  To: devel, lersek; +Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall

On Sat, Apr 27, 2019 at 02:53:12AM +0200, Laszlo Ersek wrote:
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Repo:     https://github.com/lersek/edk2.git
> Branch:   enroll_bz_1747
> 
> Please see the goal / use case in the BZ.
> 
> Anatomy of the series:
> 
> - Patch 01 adds the application as-is from RHEL, as the starting point
>   for upstreaming (preserves continuity).
> 
> - Patches 02 through 13 clean up various coding style warts, and add
>   documentation, without functional changes.
> 
> - Patches 14 through 16 replace the hard-coded Red Hat certificate
>   (enrolled as PK and 1st KEK) with a certificate read dynamically from
>   SMBIOS (enrolled the same way), originating from the VMM.
> 
> I've successfully re-run the Secure Boot Logo Test in Windows HCK, after
> enabling SB in the VM-under-test with this application. I'll attach the
> test log in a separate email (sent in response to this one).
> 
For the series, Reviewed-by: Gary Lin <glin@suse.com>

> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> 
> Thanks,
> Laszlo
> 
> Laszlo Ersek (16):
>   OvmfPkg: introduce EnrollDefaultKeys application
>   OvmfPkg/EnrollDefaultKeys: update @file comment blocks
>   OvmfPkg/EnrollDefaultKeys: refresh INF file
>   ArmVirtPkg: build EnrollDefaultKeys.efi
>   OvmfPkg/EnrollDefaultKeys: clean up minor whitespace wart
>   OvmfPkg/EnrollDefaultKeys: clean up global variable name prefixes
>   OvmfPkg/EnrollDefaultKeys: clean up acronym capitalization in
>     identifiers
>   OvmfPkg/EnrollDefaultKeys: remove unneeded EFIAPI call. conv.
>     specifiers
>   OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file
>   OvmfPkg/EnrollDefaultKeys: split out certificate and signature
>     constants
>   OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID
>   OvmfPkg/EnrollDefaultKeys: describe functions with leading comment
>     blocks
>   OvmfPkg/EnrollDefaultKeys: document the steps of the entry point
>     function
>   OvmfPkg: introduce OVMF_PK_KEK1_APP_PREFIX_GUID
>   OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type 11 SMBIOS
>     table
>   OvmfPkg/EnrollDefaultKeys: remove Red Hat's hard-coded PK/KEK1
> 
>  ArmVirtPkg/ArmVirt.dsc.inc                      |   1 +
>  ArmVirtPkg/ArmVirtQemu.dsc                      |   1 +
>  ArmVirtPkg/ArmVirtQemuKernel.dsc                |   1 +
>  OvmfPkg/EnrollDefaultKeys/AuthData.c            | 440 ++++++++++++
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 706 ++++++++++++++++++++
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h   | 138 ++++
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |  52 ++
>  OvmfPkg/Include/Guid/MicrosoftVendor.h          |  55 ++
>  OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h      |  45 ++
>  OvmfPkg/OvmfPkg.dec                             |   2 +
>  OvmfPkg/OvmfPkgIa32.dsc                         |   2 +
>  OvmfPkg/OvmfPkgIa32X64.dsc                      |   2 +
>  OvmfPkg/OvmfPkgX64.dsc                          |   2 +
>  13 files changed, 1447 insertions(+)
>  create mode 100644 OvmfPkg/EnrollDefaultKeys/AuthData.c
>  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
>  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
>  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
>  create mode 100644 OvmfPkg/Include/Guid/MicrosoftVendor.h
>  create mode 100644 OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h
> 
> -- 
> 2.19.1.3.g30247aa5d201
> 


* Re: [edk2-devel] [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app
  2019-04-27  0:53 [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app Laszlo Ersek
                   ` (18 preceding siblings ...)
  2019-04-30  7:51 ` [edk2-devel] " Gary Lin
@ 2019-04-30 12:32 ` Laszlo Ersek
  2019-04-30 19:42   ` Ard Biesheuvel
  19 siblings, 1 reply; 39+ messages in thread
From: Laszlo Ersek @ 2019-04-30 12:32 UTC (permalink / raw)
  To: edk2-devel-groups-io
  Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall,
	Gary Lin

On 04/27/19 02:53, Laszlo Ersek wrote:
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Repo:     https://github.com/lersek/edk2.git
> Branch:   enroll_bz_1747
> 
> Please see the goal / use case in the BZ.
> 
> Anatomy of the series:
> 
> - Patch 01 adds the application as-is from RHEL, as the starting point
>   for upstreaming (preserves continuity).
> 
> - Patches 02 through 13 clean up various coding style warts, and add
>   documentation, without functional changes.
> 
> - Patches 14 through 16 replace the hard-coded Red Hat certificate
>   (enrolled as PK and 1st KEK) with a certificate read dynamically from
>   SMBIOS (enrolled the same way), originating from the VMM.
> 
> I've successfully re-run the Secure Boot Logo Test in Windows HCK, after
> enabling SB in the VM-under-test with this application. I'll attach the
> test log in a separate email (sent in response to this one).
> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> 
> Thanks,
> Laszlo
> 
> Laszlo Ersek (16):
>   OvmfPkg: introduce EnrollDefaultKeys application
>   OvmfPkg/EnrollDefaultKeys: update @file comment blocks
>   OvmfPkg/EnrollDefaultKeys: refresh INF file
>   ArmVirtPkg: build EnrollDefaultKeys.efi
>   OvmfPkg/EnrollDefaultKeys: clean up minor whitespace wart
>   OvmfPkg/EnrollDefaultKeys: clean up global variable name prefixes
>   OvmfPkg/EnrollDefaultKeys: clean up acronym capitalization in
>     identifiers
>   OvmfPkg/EnrollDefaultKeys: remove unneeded EFIAPI call. conv.
>     specifiers
>   OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file
>   OvmfPkg/EnrollDefaultKeys: split out certificate and signature
>     constants
>   OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID
>   OvmfPkg/EnrollDefaultKeys: describe functions with leading comment
>     blocks
>   OvmfPkg/EnrollDefaultKeys: document the steps of the entry point
>     function
>   OvmfPkg: introduce OVMF_PK_KEK1_APP_PREFIX_GUID
>   OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type 11 SMBIOS
>     table
>   OvmfPkg/EnrollDefaultKeys: remove Red Hat's hard-coded PK/KEK1
> 
>  ArmVirtPkg/ArmVirt.dsc.inc                      |   1 +
>  ArmVirtPkg/ArmVirtQemu.dsc                      |   1 +
>  ArmVirtPkg/ArmVirtQemuKernel.dsc                |   1 +
>  OvmfPkg/EnrollDefaultKeys/AuthData.c            | 440 ++++++++++++
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 706 ++++++++++++++++++++
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h   | 138 ++++
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |  52 ++
>  OvmfPkg/Include/Guid/MicrosoftVendor.h          |  55 ++
>  OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h      |  45 ++
>  OvmfPkg/OvmfPkg.dec                             |   2 +
>  OvmfPkg/OvmfPkgIa32.dsc                         |   2 +
>  OvmfPkg/OvmfPkgIa32X64.dsc                      |   2 +
>  OvmfPkg/OvmfPkgX64.dsc                          |   2 +
>  13 files changed, 1447 insertions(+)
>  create mode 100644 OvmfPkg/EnrollDefaultKeys/AuthData.c
>  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
>  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
>  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
>  create mode 100644 OvmfPkg/Include/Guid/MicrosoftVendor.h
>  create mode 100644 OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h
> 

Thank you all for the quick reviews; the series has been pushed as
commit range 137cbff041fc..9fb2ce2f465d.

Cheers!
Laszlo


* Re: [edk2-devel] [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app
  2019-04-30 12:32 ` Laszlo Ersek
@ 2019-04-30 19:42   ` Ard Biesheuvel
  2019-04-30 20:04     ` Laszlo Ersek
  0 siblings, 1 reply; 39+ messages in thread
From: Ard Biesheuvel @ 2019-04-30 19:42 UTC (permalink / raw)
  To: edk2-devel-groups-io, Laszlo Ersek
  Cc: Anthony Perard, Jordan Justen, Julien Grall, Gary Lin

On Tue, 30 Apr 2019 at 14:32, Laszlo Ersek <lersek@redhat.com> wrote:
>
> On 04/27/19 02:53, Laszlo Ersek wrote:
> > Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> > Repo:     https://github.com/lersek/edk2.git
> > Branch:   enroll_bz_1747
> >
> > Please see the goal / use case in the BZ.
> >
> > Anatomy of the series:
> >
> > - Patch 01 adds the application as-is from RHEL, as the starting point
> >   for upstreaming (preserves continuity).
> >
> > - Patches 02 through 13 clean up various coding style warts, and add
> >   documentation, without functional changes.
> >
> > - Patches 14 through 16 replace the hard-coded Red Hat certificate
> >   (enrolled as PK and 1st KEK) with a certificate read dynamically from
> >   SMBIOS (enrolled the same way), originating from the VMM.
> >
> > I've successfully re-run the Secure Boot Logo Test in Windows HCK, after
> > enabling SB in the VM-under-test with this application. I'll attach the
> > test log in a separate email (sent in response to this one).
> >
> > Cc: Anthony Perard <anthony.perard@citrix.com>
> > Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> > Cc: Jordan Justen <jordan.l.justen@intel.com>
> > Cc: Julien Grall <julien.grall@arm.com>
> >
> > Thanks,
> > Laszlo
> >
> > Laszlo Ersek (16):
> >   OvmfPkg: introduce EnrollDefaultKeys application
> >   OvmfPkg/EnrollDefaultKeys: update @file comment blocks
> >   OvmfPkg/EnrollDefaultKeys: refresh INF file
> >   ArmVirtPkg: build EnrollDefaultKeys.efi
> >   OvmfPkg/EnrollDefaultKeys: clean up minor whitespace wart
> >   OvmfPkg/EnrollDefaultKeys: clean up global variable name prefixes
> >   OvmfPkg/EnrollDefaultKeys: clean up acronym capitalization in
> >     identifiers
> >   OvmfPkg/EnrollDefaultKeys: remove unneeded EFIAPI call. conv.
> >     specifiers
> >   OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file
> >   OvmfPkg/EnrollDefaultKeys: split out certificate and signature
> >     constants
> >   OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID
> >   OvmfPkg/EnrollDefaultKeys: describe functions with leading comment
> >     blocks
> >   OvmfPkg/EnrollDefaultKeys: document the steps of the entry point
> >     function
> >   OvmfPkg: introduce OVMF_PK_KEK1_APP_PREFIX_GUID
> >   OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type 11 SMBIOS
> >     table
> >   OvmfPkg/EnrollDefaultKeys: remove Red Hat's hard-coded PK/KEK1
> >
> >  ArmVirtPkg/ArmVirt.dsc.inc                      |   1 +
> >  ArmVirtPkg/ArmVirtQemu.dsc                      |   1 +
> >  ArmVirtPkg/ArmVirtQemuKernel.dsc                |   1 +
> >  OvmfPkg/EnrollDefaultKeys/AuthData.c            | 440 ++++++++++++
> >  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 706 ++++++++++++++++++++
> >  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h   | 138 ++++
> >  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |  52 ++
> >  OvmfPkg/Include/Guid/MicrosoftVendor.h          |  55 ++
> >  OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h      |  45 ++
> >  OvmfPkg/OvmfPkg.dec                             |   2 +
> >  OvmfPkg/OvmfPkgIa32.dsc                         |   2 +
> >  OvmfPkg/OvmfPkgIa32X64.dsc                      |   2 +
> >  OvmfPkg/OvmfPkgX64.dsc                          |   2 +
> >  13 files changed, 1447 insertions(+)
> >  create mode 100644 OvmfPkg/EnrollDefaultKeys/AuthData.c
> >  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> >  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
> >  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> >  create mode 100644 OvmfPkg/Include/Guid/MicrosoftVendor.h
> >  create mode 100644 OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h
> >
>
> Thank you all for the quick reviews; the series has been pushed as
> commit range 137cbff041fc..9fb2ce2f465d.
>

Unfortunately, it seems we are hitting another potential false
positive with GCC48:

OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c: In function ‘ShellAppMain’:
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c:631:10: error:
‘SizeOfPkKek1’ may be used uninitialized in this function
[-Werror=maybe-uninitialized]
   Status = EnrollListOfCerts (
          ^
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c:703:12: error: ‘PkKek1’
may be used uninitialized in this function
[-Werror=maybe-uninitialized]
   FreePool (PkKek1);

Given the history, I wouldn't mind disabling this warning for GCC48
altogether (assuming it doesn't trigger on other compilers - my CI job
tries GCC48 first IIRC).


* Re: [edk2-devel] [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app
  2019-04-30 19:42   ` Ard Biesheuvel
@ 2019-04-30 20:04     ` Laszlo Ersek
  0 siblings, 0 replies; 39+ messages in thread
From: Laszlo Ersek @ 2019-04-30 20:04 UTC (permalink / raw)
  To: Ard Biesheuvel, edk2-devel-groups-io
  Cc: Anthony Perard, Jordan Justen, Julien Grall, Gary Lin

On 04/30/19 21:42, Ard Biesheuvel wrote:
> On Tue, 30 Apr 2019 at 14:32, Laszlo Ersek <lersek@redhat.com> wrote:
>>
>> On 04/27/19 02:53, Laszlo Ersek wrote:
>>> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
>>> Repo:     https://github.com/lersek/edk2.git
>>> Branch:   enroll_bz_1747
>>>
>>> Please see the goal / use case in the BZ.
>>>
>>> Anatomy of the series:
>>>
>>> - Patch 01 adds the application as-is from RHEL, as the starting point
>>>   for upstreaming (preserves continuity).
>>>
>>> - Patches 02 through 13 clean up various coding style warts, and add
>>>   documentation, without functional changes.
>>>
>>> - Patches 14 through 16 replace the hard-coded Red Hat certificate
>>>   (enrolled as PK and 1st KEK) with a certificate read dynamically from
>>>   SMBIOS (enrolled the same way), originating from the VMM.
>>>
>>> I've successfully re-run the Secure Boot Logo Test in Windows HCK, after
>>> enabling SB in the VM-under-test with this application. I'll attach the
>>> test log in a separate email (sent in response to this one).
>>>
>>> Cc: Anthony Perard <anthony.perard@citrix.com>
>>> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>>> Cc: Jordan Justen <jordan.l.justen@intel.com>
>>> Cc: Julien Grall <julien.grall@arm.com>
>>>
>>> Thanks,
>>> Laszlo
>>>
>>> Laszlo Ersek (16):
>>>   OvmfPkg: introduce EnrollDefaultKeys application
>>>   OvmfPkg/EnrollDefaultKeys: update @file comment blocks
>>>   OvmfPkg/EnrollDefaultKeys: refresh INF file
>>>   ArmVirtPkg: build EnrollDefaultKeys.efi
>>>   OvmfPkg/EnrollDefaultKeys: clean up minor whitespace wart
>>>   OvmfPkg/EnrollDefaultKeys: clean up global variable name prefixes
>>>   OvmfPkg/EnrollDefaultKeys: clean up acronym capitalization in
>>>     identifiers
>>>   OvmfPkg/EnrollDefaultKeys: remove unneeded EFIAPI call. conv.
>>>     specifiers
>>>   OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file
>>>   OvmfPkg/EnrollDefaultKeys: split out certificate and signature
>>>     constants
>>>   OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID
>>>   OvmfPkg/EnrollDefaultKeys: describe functions with leading comment
>>>     blocks
>>>   OvmfPkg/EnrollDefaultKeys: document the steps of the entry point
>>>     function
>>>   OvmfPkg: introduce OVMF_PK_KEK1_APP_PREFIX_GUID
>>>   OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type 11 SMBIOS
>>>     table
>>>   OvmfPkg/EnrollDefaultKeys: remove Red Hat's hard-coded PK/KEK1
>>>
>>>  ArmVirtPkg/ArmVirt.dsc.inc                      |   1 +
>>>  ArmVirtPkg/ArmVirtQemu.dsc                      |   1 +
>>>  ArmVirtPkg/ArmVirtQemuKernel.dsc                |   1 +
>>>  OvmfPkg/EnrollDefaultKeys/AuthData.c            | 440 ++++++++++++
>>>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 706 ++++++++++++++++++++
>>>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h   | 138 ++++
>>>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |  52 ++
>>>  OvmfPkg/Include/Guid/MicrosoftVendor.h          |  55 ++
>>>  OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h      |  45 ++
>>>  OvmfPkg/OvmfPkg.dec                             |   2 +
>>>  OvmfPkg/OvmfPkgIa32.dsc                         |   2 +
>>>  OvmfPkg/OvmfPkgIa32X64.dsc                      |   2 +
>>>  OvmfPkg/OvmfPkgX64.dsc                          |   2 +
>>>  13 files changed, 1447 insertions(+)
>>>  create mode 100644 OvmfPkg/EnrollDefaultKeys/AuthData.c
>>>  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
>>>  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
>>>  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
>>>  create mode 100644 OvmfPkg/Include/Guid/MicrosoftVendor.h
>>>  create mode 100644 OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h
>>>
>>
>> Thank you all for the quick reviews; the series has been pushed as
>> commit range 137cbff041fc..9fb2ce2f465d.
>>
> 
> Unfortunately, it seems we are hitting another potential false
> positive with GCC48:

yep, false positive :/

> OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c: In function ‘ShellAppMain’:
> OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c:631:10: error:
> ‘SizeOfPkKek1’ may be used uninitialized in this function
> [-Werror=maybe-uninitialized]
>    Status = EnrollListOfCerts (
>           ^
> OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c:703:12: error: ‘PkKek1’
> may be used uninitialized in this function
> [-Werror=maybe-uninitialized]
>    FreePool (PkKek1);
> 
> Given the history, I wouldn't mind disabling this warning for GCC48
> altogether (assuming it doesn't trigger on other compilers - my CI job
> tries GCC48 first IIRC).
> 

Suppressing this warning just for GCC48, without introducing partial
overlap between BaseTools and the following three INF files:
- CryptoPkg/Library/OpensslLib/OpensslLib.inf
- CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
- MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.inf

doesn't look like an attractive task.

On the flipside, we have a dedicated kludge at least in
"ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.c".

I guess I'll try to send a patch soon, for "EnrollDefaultKeys.c". Sorry
about the breakage. :(

Thanks,
Laszlo
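
Added example (not the project's code, and not the patch Laszlo later posted): a stand-alone C reconstruction of the shape behind the warning quoted above. GetPkKek1 sets its two outputs only on success, which is what an older GCC's flow analysis cannot follow into the caller's later branches; the caller initialises PkKek1 and SizeOfPkKek1 at declaration so every path to the cleanup is well-defined regardless of what the compiler concludes. The prefix marker, the plain string-set payload encoding and the enrollment callback are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
/* Hypothetical marker standing in for OVMF_PK_KEK1_APP_PREFIX_GUID; the
 * real GUID string and certificate encoding are not on this page. */
#define PKKEK1_PREFIX "PLACEHOLDER-PKKEK1-PREFIX:"

/* Scan an SMBIOS-style string set (NUL-separated strings, ended by an empty
 * string) for the OEM string carrying the PK/KEK1 certificate. On success,
 * copy the payload after the prefix and set BOTH outputs; on failure set
 * neither: the shape an old GCC loses track of in the caller, hence the
 * spurious warning quoted above. 0 = ok, -1 absent, -2 no memory, -3 empty. */
static int GetPkKek1 (const char *StringSet, uint8_t **PkKek1, size_t *SizeOfPkKek1)
{
  size_t      PrefixLen = strlen (PKKEK1_PREFIX);
  const char *Str;

  for (Str = StringSet; *Str != '\0'; Str += strlen (Str) + 1) {
    size_t   Len;
    uint8_t *Copy;
    if (strncmp (Str, PKKEK1_PREFIX, PrefixLen) != 0) {
      continue;
    }
    Len = strlen (Str) - PrefixLen;
    if (Len == 0) {
      return -3;               /* never enroll an empty certificate */
    }
    Copy = malloc (Len);
    if (Copy == NULL) {
      return -2;
    }
    memcpy (Copy, Str + PrefixLen, Len);
    *PkKek1       = Copy;
    *SizeOfPkKek1 = Len;
    return 0;
  }
  return -1;
}

/* Caller in the shape of the app's entry point: fetch the certificate, run
 * the enrollment step (modelled by a callback) and release the buffer on
 * every path. Returns 0 on success, else the failing step's status. */
int EnrollFromStringSet (const char *StringSet,
                         int (*Enroll)(const uint8_t *, size_t))
{
  /* The two variables GCC48 flagged, initialised at declaration: every path
   * to Cleanup is then well-defined whatever the compiler concludes about
   * GetPkKek1, and free(NULL) is a no-op in standard C. */
  uint8_t *PkKek1       = NULL;
  size_t   SizeOfPkKek1 = 0;
  int      Status;

  Status = GetPkKek1 (StringSet, &PkKek1, &SizeOfPkKek1);
  if (Status != 0) {
    goto Cleanup;
  }
  Status = Enroll (PkKek1, SizeOfPkKek1);
Cleanup:
  free (PkKek1);
  return Status;
}

/* Constructed stand-in for the enrollment step: records the size it saw. */
static size_t gLastEnrolledSize;
static int RecordingEnroll (const uint8_t *Cert, size_t Size)
{
  (void)Cert;
  gLastEnrolledSize = Size;
  return 0;
}

/* Constructed sample string set (not real SMBIOS data). */
static const char gSampleStrings[] =
  "vendor=example\0" PKKEK1_PREFIX "CERTBYTES\0" "\0";
```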



Thread overview: 39+ messages
2019-04-27  0:53 [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app Laszlo Ersek
2019-04-27  0:53 ` [PATCH 01/16] OvmfPkg: introduce EnrollDefaultKeys application Laszlo Ersek
2019-04-30  5:21   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 02/16] OvmfPkg/EnrollDefaultKeys: update @file comment blocks Laszlo Ersek
2019-04-30  5:13   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 03/16] OvmfPkg/EnrollDefaultKeys: refresh INF file Laszlo Ersek
2019-04-29 12:25   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 04/16] ArmVirtPkg: build EnrollDefaultKeys.efi Laszlo Ersek
2019-04-29 12:26   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 05/16] OvmfPkg/EnrollDefaultKeys: clean up minor whitespace wart Laszlo Ersek
2019-04-29 12:26   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 06/16] OvmfPkg/EnrollDefaultKeys: clean up global variable name prefixes Laszlo Ersek
2019-04-29 12:27   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 07/16] OvmfPkg/EnrollDefaultKeys: clean up acronym capitalization in identifiers Laszlo Ersek
2019-04-30  5:10   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 08/16] OvmfPkg/EnrollDefaultKeys: remove unneeded EFIAPI call. conv. specifiers Laszlo Ersek
2019-04-29 12:28   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 09/16] OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file Laszlo Ersek
2019-04-29 12:30   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 10/16] OvmfPkg/EnrollDefaultKeys: split out certificate and signature constants Laszlo Ersek
2019-04-29 12:33   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 11/16] OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID Laszlo Ersek
2019-04-30  5:11   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 12/16] OvmfPkg/EnrollDefaultKeys: describe functions with leading comment blocks Laszlo Ersek
2019-04-30  5:12   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 13/16] OvmfPkg/EnrollDefaultKeys: document the steps of the entry point function Laszlo Ersek
2019-04-29 12:36   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 14/16] OvmfPkg: introduce OVMF_PK_KEK1_APP_PREFIX_GUID Laszlo Ersek
2019-04-30  5:24   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 15/16] OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type 11 SMBIOS table Laszlo Ersek
2019-04-30  5:34   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 16/16] OvmfPkg/EnrollDefaultKeys: remove Red Hat's hard-coded PK/KEK1 Laszlo Ersek
2019-04-30  5:35   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  1:07 ` [edk2-devel] [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app Laszlo Ersek
2019-04-27  8:14 ` Ard Biesheuvel
2019-04-30  7:51 ` [edk2-devel] " Gary Lin
2019-04-30 12:32 ` Laszlo Ersek
2019-04-30 19:42   ` Ard Biesheuvel
2019-04-30 20:04     ` Laszlo Ersek
