References: <20210802104633.2833333-1-gjb@semihalf.com> <20210802104633.2833333-3-gjb@semihalf.com>
In-Reply-To: <20210802104633.2833333-3-gjb@semihalf.com>
From: "Patrick Rudolph"
Date: Tue, 24 Aug 2021 14:22:08 +0200
Subject: Re: [edk2-devel] [PATCH v8 02/11] SecurityPkg: Create library for enrolling Secure Boot variables.
To: devel@edk2.groups.io, gjb@semihalf.com

Hi Grzegorz,

I tried this patch, but I cannot enroll the DBX downloaded from here:
https://uefi.org/revocationlistfile

Is it even possible with current code?
Did you test DBX enrollment as well using the revocation list file?

Regards,
Patrick

On Mon, Aug 2, 2021 at 12:47 PM Grzegorz Bernacki wrote:

> This commit adds a library, which consists of functions to
> enroll Secure Boot keys and initialize Secure Boot
> default variables. Some of the functions were moved
> from SecureBootConfigImpl.c file.
> > Signed-off-by: Grzegorz Bernacki > Reviewed-by: Sunny Wang > Reviewed-by: Jiewen Yao > --- > SecurityPkg/SecurityPkg.dec > | 4 + > SecurityPkg/SecurityPkg.dsc > | 1 + > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf > | 80 ++++ > SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h > | 134 ++++++ > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c > | 482 ++++++++++++++++++++ > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni > | 16 + > 6 files changed, 717 insertions(+) > create mode 100644 > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf > create mode 100644 > SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h > create mode 100644 > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c > create mode 100644 > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni > > diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec > index 8f3710e59f..e30c39f321 100644 > --- a/SecurityPkg/SecurityPkg.dec > +++ b/SecurityPkg/SecurityPkg.dec > @@ -91,6 +91,10 @@ > ## @libraryclass Provides helper functions related to creation/removal > Secure Boot variables. > # > SecureBootVariableLib|Include/Library/SecureBootVariableLib.h > + > + ## @libraryclass Provides support to enroll Secure Boot keys. > + # > + > SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProvisionLib.h > [Guids] > ## Security package token space guid. > # Include/Guid/SecurityPkgTokenSpace.h > diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc > index 854f250625..99c227dad2 100644 > --- a/SecurityPkg/SecurityPkg.dsc > +++ b/SecurityPkg/SecurityPkg.dsc 
> @@ -71,6 +71,7 @@ > > TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf > > MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf > > SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf > + > SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf > > [LibraryClasses.ARM] > # > diff --git > a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf > b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf > new file mode 100644 > index 0000000000..a09abd29ce > --- /dev/null > +++ > b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf > @@ -0,0 +1,80 @@ > +## @file > +# Provides initialization of Secure Boot keys and databases. > +# > +# Copyright (c) 2021, ARM Ltd. All rights reserved.
> +# Copyright (c) 2021, Semihalf All rights reserved.
> +# > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + INF_VERSION = 0x00010005 > + BASE_NAME = SecureBootVariableLib > + MODULE_UNI_FILE = SecureBootVariableLib.uni > + FILE_GUID = 18192DD0-9430-45F1-80C7-5C52061CD183 > + MODULE_TYPE = DXE_DRIVER > + VERSION_STRING = 1.0 > + LIBRARY_CLASS = > SecureBootVariableProvisionLib|DXE_DRIVER DXE_RUNTIME_DRIVER > UEFI_APPLICATION > + > +# > +# The following information is for reference only and not required by the > build tools. > +# > +# VALID_ARCHITECTURES = IA32 X64 AARCH64 > +# > + > +[Sources] > + SecureBootVariableProvisionLib.c > + > +[Packages] > + MdePkg/MdePkg.dec > + MdeModulePkg/MdeModulePkg.dec > + SecurityPkg/SecurityPkg.dec > + CryptoPkg/CryptoPkg.dec > + > +[LibraryClasses] > + BaseLib > + BaseMemoryLib > + DebugLib > + MemoryAllocationLib > + BaseCryptLib > + DxeServicesLib > + SecureBootVariableLib > + > +[Guids] > + ## CONSUMES ## Variable:L"SetupMode" > + ## PRODUCES ## Variable:L"SetupMode" > + ## CONSUMES ## Variable:L"SecureBoot" > + ## PRODUCES ## Variable:L"SecureBoot" > + ## PRODUCES ## Variable:L"PK" > + ## PRODUCES ## Variable:L"KEK" > + ## CONSUMES ## Variable:L"PKDefault" > + ## CONSUMES ## Variable:L"KEKDefault" > + ## CONSUMES ## Variable:L"dbDefault" > + ## CONSUMES ## Variable:L"dbxDefault" > + ## CONSUMES ## Variable:L"dbtDefault" > + gEfiGlobalVariableGuid > + > + ## SOMETIMES_CONSUMES ## Variable:L"DB" > + ## SOMETIMES_CONSUMES ## Variable:L"DBX" > + ## SOMETIMES_CONSUMES ## Variable:L"DBT" > + gEfiImageSecurityDatabaseGuid > + > + ## CONSUMES ## Variable:L"SecureBootEnable" > + ## PRODUCES ## Variable:L"SecureBootEnable" > + gEfiSecureBootEnableDisableGuid > + > + ## CONSUMES ## Variable:L"CustomMode" > + ## PRODUCES ## Variable:L"CustomMode" > + gEfiCustomModeEnableGuid > + > + gEfiCertTypeRsa2048Sha256Guid ## CONSUMES > + gEfiCertX509Guid ## CONSUMES > + gEfiCertPkcs7Guid ## CONSUMES > + > + gDefaultPKFileGuid > + gDefaultKEKFileGuid > + 
gDefaultdbFileGuid > + gDefaultdbxFileGuid > + gDefaultdbtFileGuid > + > diff --git a/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h > b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h > new file mode 100644 > index 0000000000..ba8009b5cd > --- /dev/null > +++ b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h > @@ -0,0 +1,134 @@ > +/** @file > + Provides a functions to enroll keys based on default values. > + > +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP
> +Copyright (c) 2021, ARM Ltd. All rights reserved.
> +Copyright (c) 2021, Semihalf All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#ifndef SECURE_BOOT_VARIABLE_PROVISION_LIB_H_ > +#define SECURE_BOOT_VARIABLE_PROVISION_LIB_H_ > + > +/** > + Sets the content of the 'db' variable based on 'dbDefault' variable > content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime() > and SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbFromDefault ( > + VOID > +); > + > +/** > + Sets the content of the 'dbx' variable based on 'dbxDefault' variable > content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime() > and SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbxFromDefault ( > + VOID > +); > + > +/** > + Sets the content of the 'dbt' variable based on 'dbtDefault' variable > content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime() > and SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbtFromDefault ( > + VOID > +); > + > +/** > + Sets the content of the 'KEK' variable based on 'KEKDefault' variable > content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime() > and SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollKEKFromDefault ( > + VOID > +); > + > +/** > + Sets the content of the 'PK' variable based on 'PKDefault' variable > content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. 
> + @retval other Errors from GetVariable2(), GetTime() > and SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollPKFromDefault ( > + VOID > +); > + > +/** > + Initializes PKDefault variable with data from FFS section. > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitPKDefault ( > + IN VOID > + ); > + > +/** > + Initializes KEKDefault variable with data from FFS section. > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitKEKDefault ( > + IN VOID > + ); > + > +/** > + Initializes dbDefault variable with data from FFS section. > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitDbDefault ( > + IN VOID > + ); > + > +/** > + Initializes dbtDefault variable with data from FFS section. > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitDbtDefault ( > + IN VOID > + ); > + > +/** > + Initializes dbxDefault variable with data from FFS section. > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitDbxDefault ( > + IN VOID > + ); > +#endif > diff --git > a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c > b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c > new file mode 100644 > index 0000000000..848f7ce929 > --- /dev/null > +++ > b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c 
> @@ -0,0 +1,482 @@ > +/** @file > + This library provides functions to set/clear Secure Boot > + keys and databases. > + > + Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
> + (C) Copyright 2018 Hewlett Packard Enterprise Development LP
> + Copyright (c) 2021, ARM Ltd. All rights reserved.
> + Copyright (c) 2021, Semihalf All rights reserved.
> + SPDX-License-Identifier: BSD-2-Clause-Patent > +**/ > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +/** > + Enroll a key/certificate based on a default variable. > + > + @param[in] VariableName The name of the key/database. > + @param[in] DefaultName The name of the default variable. > + @param[in] VendorGuid The namespace (ie. vendor GUID) of the > variable > + > + @retval EFI_OUT_OF_RESOURCES Out of memory while allocating > AuthHeader. > + @retval EFI_SUCCESS Successful enrollment. > + @return Error codes from GetTime () and > SetVariable (). > +**/ > +STATIC > +EFI_STATUS > +EnrollFromDefault ( > + IN CHAR16 *VariableName, > + IN CHAR16 *DefaultName, > + IN EFI_GUID *VendorGuid > + ) > +{ > + VOID *Data; > + UINTN DataSize; > + EFI_STATUS Status; > + > + Status = EFI_SUCCESS; > + > + DataSize = 0; > + Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, > &DataSize); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", > DefaultName, Status)); > + return Status; > + } > + > + CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", > Status)); > + return Status; > + } > + > + // > + // Allocate memory for auth variable > + // > + Status = gRT->SetVariable ( > + VariableName, > + VendorGuid, > + (EFI_VARIABLE_NON_VOLATILE | > + EFI_VARIABLE_BOOTSERVICE_ACCESS | > + EFI_VARIABLE_RUNTIME_ACCESS | > + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), > + DataSize, > + Data > + ); > + > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, > VariableName, > + VendorGuid, Status)); > + } > + > + if (Data != NULL) { > + FreePool (Data); > + } > + > + return Status; > +} > + > +/** Initializes PKDefault variable with data from FFS section. 
> + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +**/ > +EFI_STATUS > +SecureBootInitPKDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it > + // > + Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > + if (Status == EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_PK_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized > + // > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > EFI_PK_DEFAULT_VARIABLE_NAME)); > + > + Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, > &EfiSig); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Content for %s not found\n", > EFI_PK_DEFAULT_VARIABLE_NAME)); > + return Status; > + } > + > + Status = gRT->SetVariable ( > + EFI_PK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > EFI_PK_DEFAULT_VARIABLE_NAME)); > + } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes KEKDefault variable with data from FFS section. > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. 
> +**/ > +EFI_STATUS > +SecureBootInitKEKDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it > + // > + Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > + if (Status == EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_KEK_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized > + // > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > EFI_KEK_DEFAULT_VARIABLE_NAME)); > + > + Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, > &EfiSig); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Content for %s not found\n", > EFI_KEK_DEFAULT_VARIABLE_NAME)); > + return Status; > + } > + > + > + Status = gRT->SetVariable ( > + EFI_KEK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > EFI_KEK_DEFAULT_VARIABLE_NAME)); > + } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes dbDefault variable with data from FFS section. > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. 
> +**/ > +EFI_STATUS > +SecureBootInitDbDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > + if (Status == EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_DB_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { > + return Status; > + } > + > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > EFI_DB_DEFAULT_VARIABLE_NAME)); > + > + Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, > &EfiSig); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + > + Status = gRT->SetVariable ( > + EFI_DB_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > EFI_DB_DEFAULT_VARIABLE_NAME)); > + } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes dbxDefault variable with data from FFS section. > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +**/ > +EFI_STATUS > +SecureBootInitDbxDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it > + // > + Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > + if (Status == EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. 
Old value is preserved\n", > EFI_DBX_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized > + // > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > EFI_DBX_DEFAULT_VARIABLE_NAME)); > + > + Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, > &EfiSig); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Content for %s not found\n", > EFI_DBX_DEFAULT_VARIABLE_NAME)); > + return Status; > + } > + > + Status = gRT->SetVariable ( > + EFI_DBX_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > EFI_DBX_DEFAULT_VARIABLE_NAME)); > + } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes dbtDefault variable with data from FFS section. > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +**/ > +EFI_STATUS > +SecureBootInitDbtDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it > + // > + Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > + if (Status == EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. 
Old value is preserved\n", > EFI_DBT_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized > + // > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > EFI_DBT_DEFAULT_VARIABLE_NAME)); > + > + Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, > &EfiSig); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + > + Status = gRT->SetVariable ( > + EFI_DBT_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > EFI_DBT_DEFAULT_VARIABLE_NAME)); > + } > + > + FreePool (EfiSig); > + > + return EFI_SUCCESS; > +} > + > +/** > + Sets the content of the 'db' variable based on 'dbDefault' variable > content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime > () and SetVariable () > +**/ > +EFI_STATUS > +EFIAPI > +EnrollDbFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status = EnrollFromDefault ( > + EFI_IMAGE_SECURITY_DATABASE, > + EFI_DB_DEFAULT_VARIABLE_NAME, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'dbx' variable based on 'dbxDefault' variable > content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. 
> + @retval other Errors from GetVariable2 (), GetTime > () and SetVariable () > +**/ > +EFI_STATUS > +EFIAPI > +EnrollDbxFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status = EnrollFromDefault ( > + EFI_IMAGE_SECURITY_DATABASE1, > + EFI_DBX_DEFAULT_VARIABLE_NAME, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'dbt' variable based on 'dbtDefault' variable > content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime > () and SetVariable () > +**/ > +EFI_STATUS > +EFIAPI > +EnrollDbtFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status = EnrollFromDefault ( > + EFI_IMAGE_SECURITY_DATABASE2, > + EFI_DBT_DEFAULT_VARIABLE_NAME, > + &gEfiImageSecurityDatabaseGuid); > + > + return Status; > +} > + > +/** > + Sets the content of the 'KEK' variable based on 'KEKDefault' variable > content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime > () and SetVariable () > +**/ > +EFI_STATUS > +EFIAPI > +EnrollKEKFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status = EnrollFromDefault ( > + EFI_KEY_EXCHANGE_KEY_NAME, > + EFI_KEK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'KEK' variable based on 'KEKDefault' variable > content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. 
> + @retval other Errors from GetVariable2 (), GetTime > () and SetVariable () > +**/ > +EFI_STATUS > +EFIAPI > +EnrollPKFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status = EnrollFromDefault ( > + EFI_PLATFORM_KEY_NAME, > + EFI_PK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid > + ); > + > + return Status; > +} > diff --git > a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni > b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni > new file mode 100644 > index 0000000000..68d928ef30 > --- /dev/null > +++ > b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni > @@ -0,0 +1,16 @@ > +// /** @file > +// > +// Provides initialization of Secure Boot keys and databases. > +// > +// Copyright (c) 2021, ARM Ltd. All rights reserved.
> +// Copyright (c) 2021, Semihalf All rights reserved.
> +// > +// SPDX-License-Identifier: BSD-2-Clause-Patent > +// > +// **/ > + > + > +#string STR_MODULE_ABSTRACT #language en-US "Provides > functions to initialize PK, KEK and databases based on default variables." > + > +#string STR_MODULE_DESCRIPTION #language en-US "Provides > functions to initialize PK, KEK and databases based on default variables." > + > -- > 2.25.1
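
Review bot: In the [Defines] section of SecureBootVariableProvisionLib.inf, BASE_NAME is SecureBootVariableLib and MODULE_UNI_FILE is SecureBootVariableLib.uni, while LIBRARY_CLASS is SecureBootVariableProvisionLib and the string file this patch creates is SecureBootVariableProvisionLib.uni. Both values look carried over from the existing SecureBootVariableLib; set BASE_NAME = SecureBootVariableProvisionLib and MODULE_UNI_FILE = SecureBootVariableProvisionLib.uni so the module name and its .uni file match what is added. The [Guids] section also declares SetupMode, SecureBoot, SecureBootEnable and CustomMode usage plus gEfiCertTypeRsa2048Sha256Guid, gEfiCertX509Guid and gEfiCertPkcs7Guid, but the .c file in this patch references only gEfiGlobalVariableGuid, gEfiImageSecurityDatabaseGuid and the five gDefault*FileGuid entries, so the remaining entries can be dropped.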
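
Review bot: In SecureBootVariableProvisionLib.h the five SecureBootInit*Default prototypes are declared without EFIAPI and with an "IN VOID" parameter list, while the five Enroll*FromDefault prototypes in the same header use EFIAPI and plain VOID; declare all ten public functions the same way. The comment blocks in this header open with "/**" but close with "--*/", where the .c file closes the same blocks with "**/". Each Enroll*FromDefault block also documents "@retval EFI_OUT_OF_RESOURCES ... while VendorGuid is NULL", although these functions take no arguments, and omits the EFI_SUCCESS case; reword the return documentation to describe what the caller can actually observe.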
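
Review bot: In EnrollFromDefault the return value of "CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);" is discarded, so the "if (EFI_ERROR (Status))" that follows still tests the status left by GetVariable2, which is already known to be a success at that point; a failed payload creation therefore goes straight on to gRT->SetVariable. Assign the call to Status so the existing check does its job. The "Allocate memory for auth variable" comment sits above the SetVariable call and no longer describes it, and the first DEBUG format string, "error: GetVariable (\"%s): %r\n", is missing the closing escaped quote. In the same file SecureBootInitDbtDefault ends with "return EFI_SUCCESS;" after its SetVariable call, where the other four SecureBootInit*Default functions end with "return Status;", so a failed write of dbtDefault is reported as success. The comment above EnrollPKFromDefault is the KEK one unchanged ('KEK' / 'KEKDefault') and should name PK and PKDefault.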
+
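Review bot: BASE_NAME and MODULE_UNI_FILE in [Defines] still read SecureBootVariableLib and SecureBootVariableLib.uni, although this file is SecureBootVariableProvisionLib.inf and the string file added later in this patch is SecureBootVariableProvisionLib.uni. Both entries should be renamed so the module name and its .uni match the files being added. In [LibraryClasses], UefiLib and UefiRuntimeServicesTableLib are missing even though the .c file includes their headers for GetVariable2 () and gRT, while BaseCryptLib and DxeServicesLib are listed without a matching include in the .c file; please list what the source actually uses.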
diff --git a/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h b= /SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h
new file mode 100644
index 0000000000..ba8009b5cd
--- /dev/null
+++ b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h
@@ -0,0 +1,134 @@
+/** @file
+=C2=A0 Provides a functions to enroll keys based on default values.
+
+Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR&g= t;
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef SECURE_BOOT_VARIABLE_PROVISION_LIB_H_
+#define SECURE_BOOT_VARIABLE_PROVISION_LIB_H_
+
+/**
+=C2=A0 Sets the content of the 'db' variable based on 'dbDefau= lt' variable content.
+
+=C2=A0 @retval EFI_OUT_OF_RESOURCES=C2=A0 =C2=A0 =C2=A0 If memory allocati= on for EFI_VARIABLE_AUTHENTICATION_2 fails
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 while VendorGuid is NU= LL.
+=C2=A0 @retval other=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0Errors from GetVariable2(), GetTime() and SetVariab= le()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbFromDefault (
+=C2=A0 VOID
+);
+
+/**
+=C2=A0 Sets the content of the 'dbx' variable based on 'dbxDef= ault' variable content.
+
+=C2=A0 @retval EFI_OUT_OF_RESOURCES=C2=A0 =C2=A0 =C2=A0 If memory allocati= on for EFI_VARIABLE_AUTHENTICATION_2 fails
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 while VendorGuid is NU= LL.
+=C2=A0 @retval other=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0Errors from GetVariable2(), GetTime() and SetVariab= le()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbxFromDefault (
+=C2=A0 VOID
+);
+
+/**
+=C2=A0 Sets the content of the 'dbt' variable based on 'dbtDef= ault' variable content.
+
+=C2=A0 @retval EFI_OUT_OF_RESOURCES=C2=A0 =C2=A0 =C2=A0 If memory allocati= on for EFI_VARIABLE_AUTHENTICATION_2 fails
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 while VendorGuid is NU= LL.
+=C2=A0 @retval other=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0Errors from GetVariable2(), GetTime() and SetVariab= le()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbtFromDefault (
+=C2=A0 VOID
+);
+
+/**
+=C2=A0 Sets the content of the 'KEK' variable based on 'KEKDef= ault' variable content.
+
+=C2=A0 @retval EFI_OUT_OF_RESOURCES=C2=A0 =C2=A0 =C2=A0 If memory allocati= on for EFI_VARIABLE_AUTHENTICATION_2 fails
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 while VendorGuid is NU= LL.
+=C2=A0 @retval other=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0Errors from GetVariable2(), GetTime() and SetVariab= le()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollKEKFromDefault (
+=C2=A0 VOID
+);
+
+/**
+=C2=A0 Sets the content of the 'PK' variable based on 'PKDefau= lt' variable content.
+
+=C2=A0 @retval EFI_OUT_OF_RESOURCES=C2=A0 =C2=A0 =C2=A0 If memory allocati= on for EFI_VARIABLE_AUTHENTICATION_2 fails
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 while VendorGuid is NU= LL.
+=C2=A0 @retval other=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0Errors from GetVariable2(), GetTime() and SetVariab= le()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollPKFromDefault (
+=C2=A0 VOID
+);
+
+/**
+=C2=A0 Initializes PKDefault variable with data from FFS section.
+
+=C2=A0 @retval=C2=A0 EFI_SUCCESS=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0V= ariable was initialized successfully.
+=C2=A0 @retval=C2=A0 EFI_UNSUPPORTED=C2=A0 =C2=A0 =C2=A0 =C2=A0Variable al= ready exists.
+--*/
+EFI_STATUS
+SecureBootInitPKDefault (
+=C2=A0 IN VOID
+=C2=A0 );
+
+/**
+=C2=A0 Initializes KEKDefault variable with data from FFS section.
+
+=C2=A0 @retval=C2=A0 EFI_SUCCESS=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0V= ariable was initialized successfully.
+=C2=A0 @retval=C2=A0 EFI_UNSUPPORTED=C2=A0 =C2=A0 =C2=A0 =C2=A0Variable al= ready exists.
+--*/
+EFI_STATUS
+SecureBootInitKEKDefault (
+=C2=A0 IN VOID
+=C2=A0 );
+
+/**
+=C2=A0 Initializes dbDefault variable with data from FFS section.
+
+=C2=A0 @retval=C2=A0 EFI_SUCCESS=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0V= ariable was initialized successfully.
+=C2=A0 @retval=C2=A0 EFI_UNSUPPORTED=C2=A0 =C2=A0 =C2=A0 =C2=A0Variable al= ready exists.
+--*/
+EFI_STATUS
+SecureBootInitDbDefault (
+=C2=A0 IN VOID
+=C2=A0 );
+
+/**
+=C2=A0 Initializes dbtDefault variable with data from FFS section.
+
+=C2=A0 @retval=C2=A0 EFI_SUCCESS=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0V= ariable was initialized successfully.
+=C2=A0 @retval=C2=A0 EFI_UNSUPPORTED=C2=A0 =C2=A0 =C2=A0 =C2=A0Variable al= ready exists.
+--*/
+EFI_STATUS
+SecureBootInitDbtDefault (
+=C2=A0 IN VOID
+=C2=A0 );
+
+/**
+=C2=A0 Initializes dbxDefault variable with data from FFS section.
+
+=C2=A0 @retval=C2=A0 EFI_SUCCESS=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0V= ariable was initialized successfully.
+=C2=A0 @retval=C2=A0 EFI_UNSUPPORTED=C2=A0 =C2=A0 =C2=A0 =C2=A0Variable al= ready exists.
+--*/
+EFI_STATUS
+SecureBootInitDbxDefault (
+=C2=A0 IN VOID
+=C2=A0 );
+#endif
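Review bot: The five SecureBootInit*Default prototypes are declared without EFIAPI and with "IN VOID", while the five Enroll*FromDefault prototypes above them use EFIAPI and plain VOID; the public functions of one library class should use the same calling convention and parameter style. The Enroll* comment blocks also open with /** but close with --*/ rather than **/, and their EFI_OUT_OF_RESOURCES text ends in "while VendorGuid is NULL", which cannot apply to functions that take no parameters. The file description "Provides a functions" should read "Provides functions".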
diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootV= ariableProvisionLib.c b/SecurityPkg/Library/SecureBootVariableProvisionLib/= SecureBootVariableProvisionLib.c
new file mode 100644
index 0000000000..848f7ce929
--- /dev/null
+++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariable= ProvisionLib.c
@@ -0,0 +1,482 @@
+/** @file
+=C2=A0 This library provides functions to set/clear Secure Boot
+=C2=A0 keys and databases.
+
+=C2=A0 Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.&= lt;BR>
+=C2=A0 (C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR&= gt;
+=C2=A0 Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+=C2=A0 Copyright (c) 2021, Semihalf All rights reserved.<BR>
+=C2=A0 SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <Guid/GlobalVariable.h>
+#include <Guid/AuthenticatedVariableFormat.h>
+#include <Guid/ImageAuthentication.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/UefiLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/SecureBootVariableLib.h>
+#include <Library/SecureBootVariableProvisionLib.h>
+
+/**
+=C2=A0 Enroll a key/certificate based on a default variable.
+
+=C2=A0 @param[in] VariableName=C2=A0 =C2=A0 =C2=A0 =C2=A0 The name of the = key/database.
+=C2=A0 @param[in] DefaultName=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0The name of= the default variable.
+=C2=A0 @param[in] VendorGuid=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 The namespa= ce (ie. vendor GUID) of the variable
+
+=C2=A0 @retval EFI_OUT_OF_RESOURCES=C2=A0 =C2=A0Out of memory while alloca= ting AuthHeader.
+=C2=A0 @retval EFI_SUCCESS=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Succes= sful enrollment.
+=C2=A0 @return=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 Error codes from GetTime () and SetVariable (). +**/
+STATIC
+EFI_STATUS
+EnrollFromDefault (
+=C2=A0 IN CHAR16=C2=A0 =C2=A0*VariableName,
+=C2=A0 IN CHAR16=C2=A0 =C2=A0*DefaultName,
+=C2=A0 IN EFI_GUID *VendorGuid
+=C2=A0 )
+{
+=C2=A0 VOID=C2=A0 =C2=A0 =C2=A0 =C2=A0*Data;
+=C2=A0 UINTN=C2=A0 =C2=A0 =C2=A0 =C2=A0DataSize;
+=C2=A0 EFI_STATUS=C2=A0 Status;
+
+=C2=A0 Status =3D EFI_SUCCESS;
+
+=C2=A0 DataSize =3D 0;
+=C2=A0 Status =3D GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, = &Data, &DataSize);
+=C2=A0 if (EFI_ERROR (Status)) {
+=C2=A0 =C2=A0 =C2=A0 DEBUG ((DEBUG_ERROR, "error: GetVariable (\"= ;%s): %r\n", DefaultName, Status));
+=C2=A0 =C2=A0 =C2=A0 return Status;
+=C2=A0 }
+
+=C2=A0 CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);
+=C2=A0 if (EFI_ERROR (Status)) {
+=C2=A0 =C2=A0 DEBUG ((DEBUG_ERROR, "Fail to create time-based data pa= yload: %r", Status));
+=C2=A0 =C2=A0 return Status;
+=C2=A0 }
+
+=C2=A0 //
+=C2=A0 // Allocate memory for auth variable
+=C2=A0 //
+=C2=A0 Status =3D gRT->SetVariable (
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 VariableNam= e,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 VendorGuid,=
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 (EFI_VARIAB= LE_NON_VOLATILE |
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0EFI_V= ARIABLE_BOOTSERVICE_ACCESS |
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0EFI_V= ARIABLE_RUNTIME_ACCESS |
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0EFI_V= ARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 DataSize, +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Data
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 );
+
+=C2=A0 if (EFI_ERROR (Status)) {
+=C2=A0 =C2=A0 DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g):= %r\n", __FUNCTION__, VariableName,
+=C2=A0 =C2=A0 =C2=A0 VendorGuid, Status));
+=C2=A0 }
+
+=C2=A0 if (Data !=3D NULL) {
+=C2=A0 =C2=A0 FreePool (Data);
+=C2=A0 }
+
+=C2=A0 return Status;
+}
+
+/** Initializes PKDefault variable with data from FFS section.
+
+=C2=A0 @retval=C2=A0 EFI_SUCCESS=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0V= ariable was initialized successfully.
+=C2=A0 @retval=C2=A0 EFI_UNSUPPORTED=C2=A0 =C2=A0 =C2=A0 =C2=A0Variable al= ready exists.
+**/
+EFI_STATUS
+SecureBootInitPKDefault (
+=C2=A0 IN VOID
+=C2=A0 )
+{
+=C2=A0 EFI_SIGNATURE_LIST *EfiSig;
+=C2=A0 UINTN=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0SigList= sSize;
+=C2=A0 EFI_STATUS=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Status;
+=C2=A0 UINT8=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0*Data;<= br> +=C2=A0 UINTN=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0DataSiz= e;
+
+=C2=A0 //
+=C2=A0 // Check if variable exists, if so do not change it
+=C2=A0 //
+=C2=A0 Status =3D GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlo= balVariableGuid, (VOID **) &Data, &DataSize);
+=C2=A0 if (Status =3D=3D EFI_SUCCESS) {
+=C2=A0 =C2=A0 DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is p= reserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+=C2=A0 =C2=A0 FreePool (Data);
+=C2=A0 =C2=A0 return EFI_UNSUPPORTED;
+=C2=A0 }
+
+=C2=A0 if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { +=C2=A0 =C2=A0 return Status;
+=C2=A0 }
+
+=C2=A0 //
+=C2=A0 // Variable does not exist, can be initialized
+=C2=A0 //
+=C2=A0 DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_= PK_DEFAULT_VARIABLE_NAME));
+
+=C2=A0 Status =3D SecureBootFetchData (&gDefaultPKFileGuid, &SigLi= stsSize, &EfiSig);
+=C2=A0 if (EFI_ERROR (Status)) {
+=C2=A0 =C2=A0 DEBUG ((DEBUG_INFO, "Content for %s not found\n", = EFI_PK_DEFAULT_VARIABLE_NAME));
+=C2=A0 =C2=A0 return Status;
+=C2=A0 }
+
+=C2=A0 Status =3D gRT->SetVariable (
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 EFI_PK_DEFA= ULT_VARIABLE_NAME,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 &gEfiGl= obalVariableGuid,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 EFI_VARIABL= E_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 SigListsSiz= e,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 (VOID *)Efi= Sig
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 );
+=C2=A0 if (EFI_ERROR (Status)) {
+=C2=A0 =C2=A0 DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_D= EFAULT_VARIABLE_NAME));
+=C2=A0 }
+
+=C2=A0 FreePool (EfiSig);
+
+=C2=A0 return Status;
+}
+
+/** Initializes KEKDefault variable with data from FFS section.
+
+=C2=A0 @retval=C2=A0 EFI_SUCCESS=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0V= ariable was initialized successfully.
+=C2=A0 @retval=C2=A0 EFI_UNSUPPORTED=C2=A0 =C2=A0 =C2=A0 =C2=A0Variable al= ready exists.
+**/
+EFI_STATUS
+SecureBootInitKEKDefault (
+=C2=A0 IN VOID
+=C2=A0 )
+{
+=C2=A0 EFI_SIGNATURE_LIST *EfiSig;
+=C2=A0 UINTN=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0SigList= sSize;
+=C2=A0 EFI_STATUS=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Status;
+=C2=A0 UINT8=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 *Data;
+=C2=A0 UINTN=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0DataSiz= e;
+
+=C2=A0 //
+=C2=A0 // Check if variable exists, if so do not change it
+=C2=A0 //
+=C2=A0 Status =3D GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGl= obalVariableGuid, (VOID **) &Data, &DataSize);
+=C2=A0 if (Status =3D=3D EFI_SUCCESS) {
+=C2=A0 =C2=A0 DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is p= reserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+=C2=A0 =C2=A0 FreePool (Data);
+=C2=A0 =C2=A0 return EFI_UNSUPPORTED;
+=C2=A0 }
+
+=C2=A0 if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { +=C2=A0 =C2=A0 return Status;
+=C2=A0 }
+
+=C2=A0 //
+=C2=A0 // Variable does not exist, can be initialized
+=C2=A0 //
+=C2=A0 DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_= KEK_DEFAULT_VARIABLE_NAME));
+
+=C2=A0 Status =3D SecureBootFetchData (&gDefaultKEKFileGuid, &SigL= istsSize, &EfiSig);
+=C2=A0 if (EFI_ERROR (Status)) {
+=C2=A0 =C2=A0 DEBUG ((DEBUG_INFO, "Content for %s not found\n", = EFI_KEK_DEFAULT_VARIABLE_NAME));
+=C2=A0 =C2=A0 return Status;
+=C2=A0 }
+
+
+=C2=A0 Status =3D gRT->SetVariable (
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 EFI_KEK_DEF= AULT_VARIABLE_NAME,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 &gEfiGl= obalVariableGuid,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 EFI_VARIABL= E_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 SigListsSiz= e,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 (VOID *)Efi= Sig
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 );
+=C2=A0 if (EFI_ERROR (Status)) {
+=C2=A0 =C2=A0 DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_= DEFAULT_VARIABLE_NAME));
+=C2=A0 }
+
+=C2=A0 FreePool (EfiSig);
+
+=C2=A0 return Status;
+}
+
+/** Initializes dbDefault variable with data from FFS section.
+
+=C2=A0 @retval=C2=A0 EFI_SUCCESS=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0V= ariable was initialized successfully.
+=C2=A0 @retval=C2=A0 EFI_UNSUPPORTED=C2=A0 =C2=A0 =C2=A0 =C2=A0Variable al= ready exists.
+**/
+EFI_STATUS
+SecureBootInitDbDefault (
+=C2=A0 IN VOID
+=C2=A0 )
+{
+=C2=A0 EFI_SIGNATURE_LIST *EfiSig;
+=C2=A0 UINTN=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0SigList= sSize;
+=C2=A0 EFI_STATUS=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Status;
+=C2=A0 UINT8=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 *Data;
+=C2=A0 UINTN=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0DataSiz= e;
+
+=C2=A0 Status =3D GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlo= balVariableGuid, (VOID **) &Data, &DataSize);
+=C2=A0 if (Status =3D=3D EFI_SUCCESS) {
+=C2=A0 =C2=A0 DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is p= reserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));
+=C2=A0 =C2=A0 FreePool (Data);
+=C2=A0 =C2=A0 return EFI_UNSUPPORTED;
+=C2=A0 }
+
+=C2=A0 if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { +=C2=A0 =C2=A0 return Status;
+=C2=A0 }
+
+=C2=A0 DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_= DB_DEFAULT_VARIABLE_NAME));
+
+=C2=A0 Status =3D SecureBootFetchData (&gDefaultdbFileGuid, &SigLi= stsSize, &EfiSig);
+=C2=A0 if (EFI_ERROR (Status)) {
+=C2=A0 =C2=A0 =C2=A0 return Status;
+=C2=A0 }
+
+=C2=A0 Status =3D gRT->SetVariable (
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 EFI_DB_DEFA= ULT_VARIABLE_NAME,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 &gEfiGl= obalVariableGuid,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 EFI_VARIABL= E_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 SigListsSiz= e,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 (VOID *)Efi= Sig
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 );
+=C2=A0 if (EFI_ERROR (Status)) {
+=C2=A0 =C2=A0 =C2=A0 DEBUG ((DEBUG_INFO, "Failed to set %s\n", E= FI_DB_DEFAULT_VARIABLE_NAME));
+=C2=A0 }
+
+=C2=A0 FreePool (EfiSig);
+
+=C2=A0 return Status;
+}
+
+/** Initializes dbxDefault variable with data from FFS section.
+
+=C2=A0 @retval=C2=A0 EFI_SUCCESS=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0V= ariable was initialized successfully.
+=C2=A0 @retval=C2=A0 EFI_UNSUPPORTED=C2=A0 =C2=A0 =C2=A0 =C2=A0Variable al= ready exists.
+**/
+EFI_STATUS
+SecureBootInitDbxDefault (
+=C2=A0 IN VOID
+=C2=A0 )
+{
+=C2=A0 EFI_SIGNATURE_LIST *EfiSig;
+=C2=A0 UINTN=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0SigList= sSize;
+=C2=A0 EFI_STATUS=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Status;
+=C2=A0 UINT8=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 *Data;
+=C2=A0 UINTN=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0DataSiz= e;
+
+=C2=A0 //
+=C2=A0 // Check if variable exists, if so do not change it
+=C2=A0 //
+=C2=A0 Status =3D GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGl= obalVariableGuid, (VOID **) &Data, &DataSize);
+=C2=A0 if (Status =3D=3D EFI_SUCCESS) {
+=C2=A0 =C2=A0 DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is p= reserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+=C2=A0 =C2=A0 FreePool (Data);
+=C2=A0 =C2=A0 return EFI_UNSUPPORTED;
+=C2=A0 }
+
+=C2=A0 if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { +=C2=A0 =C2=A0 return Status;
+=C2=A0 }
+
+=C2=A0 //
+=C2=A0 // Variable does not exist, can be initialized
+=C2=A0 //
+=C2=A0 DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_= DBX_DEFAULT_VARIABLE_NAME));
+
+=C2=A0 Status =3D SecureBootFetchData (&gDefaultdbxFileGuid, &SigL= istsSize, &EfiSig);
+=C2=A0 if (EFI_ERROR (Status)) {
+=C2=A0 =C2=A0 DEBUG ((DEBUG_INFO, "Content for %s not found\n", = EFI_DBX_DEFAULT_VARIABLE_NAME));
+=C2=A0 =C2=A0 return Status;
+=C2=A0 }
+
+=C2=A0 Status =3D gRT->SetVariable (
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 EFI_DBX_DEF= AULT_VARIABLE_NAME,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 &gEfiGl= obalVariableGuid,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 EFI_VARIABL= E_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 SigListsSiz= e,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 (VOID *)Efi= Sig
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 );
+=C2=A0 if (EFI_ERROR (Status)) {
+=C2=A0 =C2=A0 DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_= DEFAULT_VARIABLE_NAME));
+=C2=A0 }
+
+=C2=A0 FreePool (EfiSig);
+
+=C2=A0 return Status;
+}
+
+/** Initializes dbtDefault variable with data from FFS section.
+
+=C2=A0 @retval=C2=A0 EFI_SUCCESS=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0V= ariable was initialized successfully.
+=C2=A0 @retval=C2=A0 EFI_UNSUPPORTED=C2=A0 =C2=A0 =C2=A0 =C2=A0Variable al= ready exists.
+**/
+EFI_STATUS
+SecureBootInitDbtDefault (
+=C2=A0 IN VOID
+=C2=A0 )
+{
+=C2=A0 EFI_SIGNATURE_LIST *EfiSig;
+=C2=A0 UINTN=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0SigList= sSize;
+=C2=A0 EFI_STATUS=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Status;
+=C2=A0 UINT8=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 *Data;
+=C2=A0 UINTN=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0DataSiz= e;
+
+=C2=A0 //
+=C2=A0 // Check if variable exists, if so do not change it
+=C2=A0 //
+=C2=A0 Status =3D GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGl= obalVariableGuid, (VOID **) &Data, &DataSize);
+=C2=A0 if (Status =3D=3D EFI_SUCCESS) {
+=C2=A0 =C2=A0 DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is p= reserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
+=C2=A0 =C2=A0 FreePool (Data);
+=C2=A0 =C2=A0 return EFI_UNSUPPORTED;
+=C2=A0 }
+
+=C2=A0 if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { +=C2=A0 =C2=A0 return Status;
+=C2=A0 }
+
+=C2=A0 //
+=C2=A0 // Variable does not exist, can be initialized
+=C2=A0 //
+=C2=A0 DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_= DBT_DEFAULT_VARIABLE_NAME));
+
+=C2=A0 Status =3D SecureBootFetchData (&gDefaultdbtFileGuid, &SigL= istsSize, &EfiSig);
+=C2=A0 if (EFI_ERROR (Status)) {
+=C2=A0 =C2=A0 =C2=A0 return Status;
+=C2=A0 }
+
+=C2=A0 Status =3D gRT->SetVariable (
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 EFI_DBT_DEF= AULT_VARIABLE_NAME,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 &gEfiGl= obalVariableGuid,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 EFI_VARIABL= E_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 SigListsSiz= e,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 (VOID *)Efi= Sig
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 );
+=C2=A0 if (EFI_ERROR (Status)) {
+=C2=A0 =C2=A0 DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_= DEFAULT_VARIABLE_NAME));
+=C2=A0 }
+
+=C2=A0 FreePool (EfiSig);
+
+=C2=A0 return EFI_SUCCESS;
+}
+
+/**
+=C2=A0 Sets the content of the 'db' variable based on 'dbDefau= lt' variable content.
+
+=C2=A0 @retval EFI_OUT_OF_RESOURCES=C2=A0 =C2=A0 =C2=A0 If memory allocati= on for EFI_VARIABLE_AUTHENTICATION_2 fails
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 while VendorGuid is NU= LL.
+=C2=A0 @retval other=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0Errors from GetVariable2 (), GetTime () and SetVari= able ()
+**/
+EFI_STATUS
+EFIAPI
+EnrollDbFromDefault (
+=C2=A0 VOID
+)
+{
+=C2=A0 EFI_STATUS Status;
+
+=C2=A0 Status =3D EnrollFromDefault (
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0EFI_IMAGE_SECURITY_DATABAS= E,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0EFI_DB_DEFAULT_VARIABLE_NA= ME,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0&gEfiImageSecurityData= baseGuid
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0);
+
+=C2=A0 return Status;
+}
+
+/**
+=C2=A0 Sets the content of the 'dbx' variable based on 'dbxDef= ault' variable content.
+
+=C2=A0 @retval EFI_OUT_OF_RESOURCES=C2=A0 =C2=A0 =C2=A0 If memory allocati= on for EFI_VARIABLE_AUTHENTICATION_2 fails
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 while VendorGuid is NU= LL.
+=C2=A0 @retval other=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0Errors from GetVariable2 (), GetTime () and SetVari= able ()
+**/
+EFI_STATUS
+EFIAPI
+EnrollDbxFromDefault (
+=C2=A0 VOID
+)
+{
+=C2=A0 EFI_STATUS Status;
+
+=C2=A0 Status =3D EnrollFromDefault (
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0EFI_IMAGE_SECURITY_DATABAS= E1,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0EFI_DBX_DEFAULT_VARIABLE_N= AME,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0&gEfiImageSecurityData= baseGuid
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0);
+
+=C2=A0 return Status;
+}
+
+/**
+=C2=A0 Sets the content of the 'dbt' variable based on 'dbtDef= ault' variable content.
+
+=C2=A0 @retval EFI_OUT_OF_RESOURCES=C2=A0 =C2=A0 =C2=A0 If memory allocati= on for EFI_VARIABLE_AUTHENTICATION_2 fails
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 while VendorGuid is NU= LL.
+=C2=A0 @retval other=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0Errors from GetVariable2 (), GetTime () and SetVari= able ()
+**/
+EFI_STATUS
+EFIAPI
+EnrollDbtFromDefault (
+=C2=A0 VOID
+)
+{
+=C2=A0 EFI_STATUS Status;
+
+=C2=A0 Status =3D EnrollFromDefault (
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0EFI_IMAGE_SECURITY_DATABAS= E2,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0EFI_DBT_DEFAULT_VARIABLE_N= AME,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0&gEfiImageSecurityData= baseGuid);
+
+=C2=A0 return Status;
+}
+
+/**
+=C2=A0 Sets the content of the 'KEK' variable based on 'KEKDef= ault' variable content.
+
+=C2=A0 @retval EFI_OUT_OF_RESOURCES=C2=A0 =C2=A0 =C2=A0 If memory allocati= on for EFI_VARIABLE_AUTHENTICATION_2 fails
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 while VendorGuid is NU= LL.
+=C2=A0 @retval other=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0Errors from GetVariable2 (), GetTime () and SetVari= able ()
+**/
+EFI_STATUS
+EFIAPI
+EnrollKEKFromDefault (
+=C2=A0 VOID
+)
+{
+=C2=A0 EFI_STATUS Status;
+
+=C2=A0 Status =3D EnrollFromDefault (
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0EFI_KEY_EXCHANGE_KEY_NAME,=
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0EFI_KEK_DEFAULT_VARIABLE_N= AME,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0&gEfiGlobalVariableGui= d
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0);
+
+=C2=A0 return Status;
+}
+
+/**
+=C2=A0 Sets the content of the 'KEK' variable based on 'KEKDef= ault' variable content.
+
+=C2=A0 @retval EFI_OUT_OF_RESOURCES=C2=A0 =C2=A0 =C2=A0 If memory allocati= on for EFI_VARIABLE_AUTHENTICATION_2 fails
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 while VendorGuid is NU= LL.
+=C2=A0 @retval other=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0Errors from GetVariable2 (), GetTime () and SetVari= able ()
+**/
+EFI_STATUS
+EFIAPI
+EnrollPKFromDefault (
+=C2=A0 VOID
+)
+{
+=C2=A0 EFI_STATUS Status;
+
+=C2=A0 Status =3D EnrollFromDefault (
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0EFI_PLATFORM_KEY_NAME,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0EFI_PK_DEFAULT_VARIABLE_NA= ME,
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0&gEfiGlobalVariableGui= d
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0);
+
+=C2=A0 return Status;
+}
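Review bot: In EnrollFromDefault the return value of CreateTimeBasedPayload () is discarded, so the "if (EFI_ERROR (Status))" that follows re-tests the GetVariable2 () status already known to be success, and a failed payload creation falls through to gRT->SetVariable () with whatever is in Data. Assign the result, "Status = CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);", and decide who frees Data on that error path, since the current early return would skip the FreePool () at the end. The "Allocate memory for auth variable" comment sits above the SetVariable () call and no longer describes it. Further down, SecureBootInitDbtDefault ends with "return EFI_SUCCESS;" where its four siblings return Status, which hides a SetVariable () failure, and the comment above EnrollPKFromDefault still describes 'KEK' and 'KEKDefault'. The five SecureBootInit*Default bodies differ only in variable name and file GUID and would be easier to keep consistent as one static helper.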
diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootV= ariableProvisionLib.uni b/SecurityPkg/Library/SecureBootVariableProvisionLi= b/SecureBootVariableProvisionLib.uni
new file mode 100644
index 0000000000..68d928ef30
--- /dev/null
+++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariable= ProvisionLib.uni
@@ -0,0 +1,16 @@
+// /** @file
+//
+// Provides initialization of Secure Boot keys and databases.
+//
+// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+// Copyright (c) 2021, Semihalf All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0#language en-US "Provides functions to initialize PK, KEK and datab= ases based on default variables."
+
+#string STR_MODULE_DESCRIPTION=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 #language= en-US "Provides functions to initialize PK, KEK and databases based o= n default variables."
+
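Review bot: STR_MODULE_ABSTRACT and STR_MODULE_DESCRIPTION carry the identical sentence. The description should say more than the abstract, for example that the *Default variables are initialized from FFS sections and that the Enroll* functions set PK, KEK, db, dbx and dbt from those defaults, as the header comments in this patch describe.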
--
2.25.1






--00000000000060608605ca4d2f0b--