From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mx.groups.io with SMTP id smtpd.web10.6965.1622033765487260081 for ; Wed, 26 May 2021 05:56:05 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=jhIuhdFK; spf=pass (domain: intel.com, ip: 134.134.136.20, mailfrom: jiewen.yao@intel.com) IronPort-SDR: xtyQXERDOU1XFbWp/mSxEoc+DEpuINZofq7v3RO0L3KyEApHVx4V/dKUCQAOcYDsYIvESfXVlJ GcVNyDtnZjig== X-IronPort-AV: E=McAfee;i="6200,9189,9996"; a="189576422" X-IronPort-AV: E=Sophos;i="5.82,331,1613462400"; d="scan'208";a="189576422" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 May 2021 05:56:04 -0700 IronPort-SDR: d+jSiyMaKNrh+STRqhyDlemk/A7r/BEVMkUi7AAneVV6Kg6TdMazqDYd7S/+AmGXMu/RQKlio4 WTDns4FiQDjw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.82,331,1613462400"; d="scan'208";a="397801383" Received: from fmsmsx606.amr.corp.intel.com ([10.18.126.86]) by orsmga006.jf.intel.com with ESMTP; 26 May 2021 05:56:03 -0700 Received: from fmsmsx602.amr.corp.intel.com (10.18.126.82) by fmsmsx606.amr.corp.intel.com (10.18.126.86) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4; Wed, 26 May 2021 05:56:02 -0700 Received: from FMSEDG603.ED.cps.intel.com (10.1.192.133) by fmsmsx602.amr.corp.intel.com (10.18.126.82) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4 via Frontend Transport; Wed, 26 May 2021 05:56:02 -0700 Received: from NAM12-BN8-obe.outbound.protection.outlook.com (104.47.55.173) by edgegateway.intel.com (192.55.55.68) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2242.4; Wed, 26 May 2021 05:56:01 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=oVzlwJIIWhuhCh21s0L6qAvXtr/HTgTBJ9vHCFGlmftRWZ22y3FNMOxF5SXGFFYe81wl6QPpVOEJuMhS1ntGXpr5b17sgeihbL0b2u79ieMHbzJR2qIfryISaHmhYvX5GqnmMSq8xSwnbQWWSWd1V43Y0YgMsQGwvulITk8Bw5CxZoIecFU8eCvpGc0WxEgEsYxxjx99mgOoX7v4PHMMcmig3X7eIfpX1onuxAcf7Q7c1MtVcjEWzDg43kWEu2pc6EzPbddTd/asgtsiTBqMYTefoR3Bzm7ZXGgZXTPZMs2jRWPdPXyb9RG8simTrUOYQVdOPJpM8T0vWCVA3my9eg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nB4k29WBdfcE4MYQPmUtxNoz2TcjwD7+PPJxAyZ/Osk=; b=dPtpzGSFyT9+ToMsbDURqlRtMH8T1yjc1M0pMVtGteT47wmH6Jmx9bDruN4rSK9AYP7iDFwxRNPvCCzvTV54uy4wbToTkAXgZzQgvyoULx25aXRtkLcuHUkJPY5+EjbUpwQ0lcQ3jP5SaNPAf5KQ+w0Spugf2RJVSXSZMTD82mYbbz2Uts/XiMfA/FRNf0HlwmmbsbexESGw1tkse91kR7iTRW26f/uCEyme8GxVe0wbdvzHT72oENewMrafFJ0IBvfVacLrdJDJNWuETSKEAh01eoJFIP0Eao+h6x3Dg2KJDv60Y7W8r+lOdNe84BJ9f7LVC17W/b9XcZkltyBQ3A== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nB4k29WBdfcE4MYQPmUtxNoz2TcjwD7+PPJxAyZ/Osk=; b=jhIuhdFKRQMFjEvsAiOruyME9kIKP16qJfuWVbfXpAMMWHOLVK6cVs7XPEsuK5VdXBanKFhGab2mRukodk3dOBFwjI9d/jip4vzHZUVMTazNilivb/ohraauxeqTcCmioNUgbFlDSpeJ6MN6xvHOmKsTGN+/OenEbL5HeBR4mXM= Received: from PH0PR11MB4885.namprd11.prod.outlook.com (2603:10b6:510:35::14) by PH0PR11MB4998.namprd11.prod.outlook.com (2603:10b6:510:32::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4173.20; Wed, 26 May 2021 12:56:00 +0000 Received: from PH0PR11MB4885.namprd11.prod.outlook.com ([fe80::547d:4eb3:f37e:dac4]) by PH0PR11MB4885.namprd11.prod.outlook.com ([fe80::547d:4eb3:f37e:dac4%7]) with mapi id 15.20.4173.020; Wed, 26 May 2021 12:56:00 +0000 From: "Yao, Jiewen" To: Grzegorz Bernacki , "devel@edk2.groups.io" CC: "leif@nuviainc.com" , "ardb+tianocore@kernel.org" , "Samer.El-Haj-Mahmoud@arm.com" , "sunny.Wang@arm.com" , "upstream@semihalf.com" , "Wang, Jian J" , "Xu, Min M" , "lersek@redhat.com" Subject: Re: [PATCH 1/6] SecurityPkg: Create library for setting Secure Boot variables. Thread-Topic: [PATCH 1/6] SecurityPkg: Create library for setting Secure Boot variables. Thread-Index: AQHXUhOF0tqV3nL8tUyES5SB+JsUNqr1t5CA Date: Wed, 26 May 2021 12:55:59 +0000 Message-ID: References: <20210526094204.73600-1-gjb@semihalf.com> <20210526094204.73600-3-gjb@semihalf.com> In-Reply-To: <20210526094204.73600-3-gjb@semihalf.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-version: 11.5.1.3 dlp-product: dlpe-windows dlp-reaction: no-action authentication-results: semihalf.com; dkim=none (message not signed) header.d=none;semihalf.com; dmarc=none action=none header.from=intel.com; x-originating-ip: [101.87.139.49] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: db29ccdc-b8a0-4774-256e-08d920459c91 x-ms-traffictypediagnostic: PH0PR11MB4998: x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:276; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: z5lqeKYe+DgTdvy4apy4hMbI3W0OP0Brrm+vrhH3dWhafjH6gHCzP4500aTEHTJepVTLdTtHy9I+n0MYT6c0JXFiT/zXJsy2wZNi8p5SE2LDJLG9BDK1PmfYuHDmxGEq6hYDIFqC8hBlQ2hjbPIO2eR5JiiliWMQ9cdc3zmIN7sxkgi25gmATiLrgraV32GupRRg67d62MljlbC2/ayE45zF1xEKCyFOlEh+wCJZohL6HU1xrnAcKpVqA2h/ynIqKB1yN2Nb5d55plzfFyUIM9n8kqtmLOgNNSgv0myvnojAXsJRLThBRY8AywrQI7wpk6pQN6wRpPngwLPagPnLUT3sY2c9iHsjjwiTA4Tn8O9/wRMbU//X5iGVc4djdbv5JZnG68CjksIqKZSaJqCXjEHQTJxxmH8zn/NE8J1gfmOYd50kGvL+QMxyVHZpD55Wse3Hf8nWtNLVxP/TmLeEchIjEs33rkCBA+k5cPB6cC12y/OA3oNGEh3XBM8R66oyw4s4YvGQLf8pHBpP/5QPxudBEZaBnO/WQRjbxyVBSB0mtdBGiOSNgnvi0QItc1sPDzLSgQ4jlaaOBxMPQJdQpM+RbHIXKgz1wyMtOVM1t9c= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR11MB4885.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(346002)(396003)(39860400002)(376002)(136003)(366004)(86362001)(30864003)(19627235002)(186003)(66446008)(66556008)(66946007)(7696005)(33656002)(110136005)(71200400001)(6506007)(53546011)(54906003)(5660300002)(55016002)(26005)(9686003)(8676002)(8936002)(15650500001)(4326008)(2906002)(76116006)(83380400001)(478600001)(64756008)(66476007)(122000001)(38100700002)(316002)(52536014)(579004)(559001);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata: =?us-ascii?Q?wLAMDeD8PZ/F+Fb3R6jtASRWvEYSa0VV3961g7e9/RukRNoCxQfvDIoVXsej?= =?us-ascii?Q?6fGjcSr2kEQJTN6bYQwI4mdzZi+xb71G6JgJJ/yZcTXw/csJMleV6AUpkRu3?= =?us-ascii?Q?ftL1Zo0HJ2zzWqZvkqnM1K7Uj8jOIgL7AUMdS3H8iQfQfvUL6NXmDqzperIr?= =?us-ascii?Q?suo9TsJhuqFd3KEFR+VFBPdU75eWy28VH7Y01erQ9Lu4BYflg3fPO8lgmSes?= =?us-ascii?Q?pC+DLrtiEV16hWY7GhSb2u6RH/HF2AxNK/bOFyyEXueCIYOwxHLYlhYkuuzo?= =?us-ascii?Q?ch6EYtu85pvzsO50YXqhjM56YCauzv5yvDk8dpaw49h13RKChn2PvtkxIQWJ?= =?us-ascii?Q?lcq1oFz1+I8HL1V5qaBWDriBs5/DIspBOdWn9YFOsZF+EjDQvtqsbWdX7nzn?= =?us-ascii?Q?v1uxz1Sjn5NBiqpoAIrsUfa9VRA8C0UNJ4V2JIVnf9eRI+HyYvnc6kb2VSs4?= =?us-ascii?Q?T2R0A/NzoyaqtgWjk3AiBr/3fkR7P5QNLLXi8TGoAZkxARBgGqTX+q6HgZb+?= =?us-ascii?Q?zEi6cJ5lBuvegCjLy9xf9AeKpsI1WH8Q2hxRVIhul5JKdTFyi80y3jkihgzH?= =?us-ascii?Q?Ak5qnYqgCduzg1ujiu+jDPlJNU2xDsmLlsevetxAoDk7tyZ04Wl8HFI9wn77?= =?us-ascii?Q?np+uYwl4pM46TPCXCTbfhrtSnCwSRMx/7EYl5SRFnGiNPMwqQoIqwhVz247V?= =?us-ascii?Q?won69hxB0oVrcH8GP/VOK5JEaH93KW0p9N5URrF2ZSD4XVFAI7FbV0lmiOrZ?= =?us-ascii?Q?NYPealZip0QH+Ui+KzIoX/xEqUkqNurxMxgkUKBm68/5ia8ZzZDw5EUi9W/b?= =?us-ascii?Q?PBevovcbQuHTR3FjZyZDGcsGYtXz2wCNImr8TrgSLKQe90Z+UMjhAA9kGGbD?= =?us-ascii?Q?8JMmSlFdmZ16wpw/1sCHYT0aIOyV9e4iviKArMTajA1BWkDfyHuhuqvZiG1A?= =?us-ascii?Q?jsSehcWrYRp0P8dlECk4NkaCStoAJLNSEzkVslgE1d2Ypm/dvdzJw4Bc37pO?= =?us-ascii?Q?W3WjQLZUFE/qv4vFSH8ceUWDnC1nH44qR2RhRDG1xeCF+EFG2k5CM/mTxgeS?= =?us-ascii?Q?YzTwjbOhq9yamn98F5J9HcnUbIM9N6qUJS375WYilvACeH0aNaZkJMbVxaVD?= =?us-ascii?Q?tA+oFut/WDodYjxQMTh9EXres+OTtTIHqMQLhceX+dtjukpRn2nLTCO38SDE?= =?us-ascii?Q?GYTUEPoSM7oApbYS07E4Gq9PUZfIpGUziaS2kK7sNuXROC56eTpWkjG8TpD1?= =?us-ascii?Q?Bp912Hxq8u+JeGwInO48BqtCEsATtZlE1e18nPizE8QifANbwoUp1tgBJnFC?= =?us-ascii?Q?IAhG/rXKYJ2M2MlpzgAu6GyA?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4885.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: db29ccdc-b8a0-4774-256e-08d920459c91 X-MS-Exchange-CrossTenant-originalarrivaltime: 26 May 2021 12:55:59.9891 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: bz31WnQLs+x327/ziWE/vCmlsxHMlcWaN3n90FdhuwxapOvZOtrdYrChvqNl1eKA9Ob38iqApUtIje62AAVxYA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB4998 Return-Path: jiewen.yao@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi I think the naming SecBootVariableLib Is confusing. "Sec" usually means SEC phase. If it is about UEFI secure boot, you may jus= t name it SecureBootVariableLib. Also don't use SecBootXXX as function name, please use SecureBootXXX. Please done use CheckSetupMode(). The "Check" is bad naming style, because = it don't tell you what PASS/FAIL, TRUE/FALSE means. If you want to fetch, y= ou can just use GetSetupMode(). Thank you Yao Jiewen > -----Original Message----- > From: Grzegorz Bernacki > Sent: Wednesday, May 26, 2021 5:42 PM > To: devel@edk2.groups.io > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj- > Mahmoud@arm.com; sunny.Wang@arm.com; gjb@semihalf.com; > upstream@semihalf.com; Yao, Jiewen ; Wang, Jian J > ; Xu, Min M ; > lersek@redhat.com > Subject: [PATCH 1/6] SecurityPkg: Create library for setting Secure Boot > variables. >=20 > This commits add library, which consist functions related > creation/removal Secure Boot variables. Some of the functions > was moved from SecureBootConfigImpl.c file. >=20 > Signed-off-by: Grzegorz Bernacki > --- > SecurityPkg/SecurityPkg.dsc = | 1 + > SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf = | 79 > ++ >=20 > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx > e.inf | 1 + > SecurityPkg/Include/Library/SecBootVariableLib.h = | 252 +++++ > SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c = | 979 > ++++++++++++++++++++ >=20 > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm > pl.c | 189 +--- > SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni = | 16 + > 7 files changed, 1329 insertions(+), 188 deletions(-) > create mode 100644 > SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf > create mode 100644 SecurityPkg/Include/Library/SecBootVariableLib.h > create mode 100644 > SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c > create mode 100644 > SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni >=20 > diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc > index bd4b810bce..c7658e00cb 100644 > --- a/SecurityPkg/SecurityPkg.dsc > +++ b/SecurityPkg/SecurityPkg.dsc > @@ -70,6 +70,7 @@ > RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf >=20 > TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLo > gRecordLib.inf >=20 > MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockM > emoryLibNull.inf > + > SecBootDefaultKeyLib|SecurityPkg/Library/SecBootVariableLib/SecBootVariab= le > Lib.inf >=20 > [LibraryClasses.ARM] > # > diff --git a/SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.in= f > b/SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf > new file mode 100644 > index 0000000000..357b3f27a5 > --- /dev/null > +++ b/SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf > @@ -0,0 +1,79 @@ > +## @file > +# Provides initialization of Secure Boot keys and databases. > +# > +# Copyright (c) 2021, ARM Ltd. All rights reserved.
> +# Copyright (c) 2021, Semihalf All rights reserved.
> +# > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + INF_VERSION =3D 0x00010005 > + BASE_NAME =3D SecBootVariableLib > + MODULE_UNI_FILE =3D SecBootVariableLib.uni > + FILE_GUID =3D D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F6= F > + MODULE_TYPE =3D DXE_DRIVER > + VERSION_STRING =3D 1.0 > + LIBRARY_CLASS =3D SecBootVariableLib|DXE_DRIVER > DXE_RUNTIME_DRIVER UEFI_APPLICATION > + > +# > +# The following information is for reference only and not required by th= e build > tools. > +# > +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64 > +# > + > +[Sources] > + SecBootVariableLib.c > + > +[Packages] > + MdePkg/MdePkg.dec > + MdeModulePkg/MdeModulePkg.dec > + SecurityPkg/SecurityPkg.dec > + CryptoPkg/CryptoPkg.dec > + > +[LibraryClasses] > + BaseLib > + BaseMemoryLib > + DebugLib > + MemoryAllocationLib > + BaseCryptLib > + DxeServicesLib > + > +[Guids] > + ## CONSUMES ## Variable:L"SetupMode" > + ## PRODUCES ## Variable:L"SetupMode" > + ## CONSUMES ## Variable:L"SecureBoot" > + ## PRODUCES ## Variable:L"SecureBoot" > + ## PRODUCES ## Variable:L"PK" > + ## PRODUCES ## Variable:L"KEK" > + ## CONSUMES ## Variable:L"PKDefault" > + ## CONSUMES ## Variable:L"KEKDefault" > + ## CONSUMES ## Variable:L"dbDefault" > + ## CONSUMES ## Variable:L"dbxDefault" > + ## CONSUMES ## Variable:L"dbtDefault" > + gEfiGlobalVariableGuid > + > + ## SOMETIMES_CONSUMES ## Variable:L"DB" > + ## SOMETIMES_CONSUMES ## Variable:L"DBX" > + ## SOMETIMES_CONSUMES ## Variable:L"DBT" > + gEfiImageSecurityDatabaseGuid > + > + ## CONSUMES ## Variable:L"SecureBootEnable" > + ## PRODUCES ## Variable:L"SecureBootEnable" > + gEfiSecureBootEnableDisableGuid > + > + ## CONSUMES ## Variable:L"CustomMode" > + ## PRODUCES ## Variable:L"CustomMode" > + gEfiCustomModeEnableGuid > + > + gEfiCertTypeRsa2048Sha256Guid ## CONSUMES > + gEfiCertX509Guid ## CONSUMES > + gEfiCertPkcs7Guid ## CONSUMES > + > + gDefaultPKFileGuid > + gDefaultKEKFileGuid > + gDefaultdbFileGuid > + gDefaultdbxFileGuid > + gDefaultdbtFileGuid > + > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > Dxe.inf > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > Dxe.inf > index 573efa6379..ae93712569 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > Dxe.inf > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > Dxe.inf > @@ -54,6 +54,7 @@ > DevicePathLib > FileExplorerLib > PeCoffLib > + SecBootVariableLib >=20 > [Guids] > ## SOMETIMES_CONSUMES ## Variable:L"CustomMode" > diff --git a/SecurityPkg/Include/Library/SecBootVariableLib.h > b/SecurityPkg/Include/Library/SecBootVariableLib.h > new file mode 100644 > index 0000000000..e7988ea648 > --- /dev/null > +++ b/SecurityPkg/Include/Library/SecBootVariableLib.h > @@ -0,0 +1,252 @@ > +/** @file > + Provides a function to enroll keys based on default values. > + > +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP
> +Copyright (c) 2021, ARM Ltd. All rights reserved.
> +Copyright (c) 2021, Semihalf All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#ifndef __SEC_BOOT_VARIABLE_LIB_H__ > +#define __SEC_BOOT_VARIABLE_LIB_H__ > + > +/** > + > + Set the platform secure boot mode into "Custom" or "Standard" mode. > + > + @param[in] SecureBootMode New secure boot mode: > STANDARD_SECURE_BOOT_MODE or > + CUSTOM_SECURE_BOOT_MODE. > + > + @return EFI_SUCCESS The platform has switched to the sp= ecial mode > successfully. > + @return other Fail to operate the secure boot mod= e. > + > +--*/ > +EFI_STATUS > +SetSecureBootMode ( > + IN UINT8 SecureBootMode > +); > + > +/** > + Fetches the value of SetupMode variable. > + > + @param[out] SetupMode Pointer to UINT8 for SetupMode outpu= t > + > + @retval other Error codes from GetVariable. > +--*/ > +BOOLEAN > +EFIAPI > +CheckSetupMode ( > + OUT UINT8 *SetupMode > +); > + > +/** > + Create a time based data payload by concatenating the > EFI_VARIABLE_AUTHENTICATION_2 > + descriptor with the input data. NO authentication is required in this = function. > + > + @param[in, out] DataSize On input, the size of Data buffer in = bytes. > + On output, the size of data returned = in Data > + buffer in bytes. > + @param[in, out] Data On input, Pointer to data buffer to b= e wrapped > or > + pointer to NULL to wrap an empty payl= oad. > + On output, Pointer to the new payload= date buffer allocated > from pool, > + it's caller's responsibility to free = the memory when finish > using it. > + > + @retval EFI_SUCCESS Create time based payload successfull= y. > + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources > to create time based payload. > + @retval EFI_INVALID_PARAMETER The parameter is invalid. > + @retval Others Unexpected error happens. > + > +--*/ > +EFI_STATUS > +CreateTimeBasedPayload ( > + IN OUT UINTN *DataSize, > + IN OUT UINT8 **Data > +); > + > +/** > + Sets the content of the 'db' variable based on 'dbDefault' variable co= ntent. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'db' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDb ( > + VOID > +); > + > +/** > + Sets the content of the 'dbx' variable based on 'dbxDefault' variable = content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbxFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'dbx' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDbx ( > + VOID > +); > + > +/** > + Sets the content of the 'dbt' variable based on 'dbtDefault' variable = content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbtFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'dbt' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDbt ( > + VOID > +); > + > +/** > + Sets the content of the 'KEK' variable based on 'KEKDefault' variable = content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollKEKFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'KEK' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteKEK ( > + VOID > +); > + > +/** > + Sets the content of the 'PK' variable based on 'PKDefault' variable co= ntent. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollPKFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'PK' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeletePlatformKey ( > + VOID > +); > + > +/** Initializes PKDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecBootInitPKDefault ( > + IN VOID > + ); > + > +/** Initializes KEKDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecBootInitKEKDefault ( > + IN VOID > + ); > + > +/** Initializes dbDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecBootInitdbDefault ( > + IN VOID > + ); > + > +/** Initializes dbtDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecBootInitdbtDefault ( > + IN VOID > + ); > + > +/** Initializes dbxDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecBootInitdbxDefault ( > + IN VOID > + ); > +#endif > diff --git a/SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c > b/SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c > new file mode 100644 > index 0000000000..8cbaa7d60a > --- /dev/null > +++ b/SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c > @@ -0,0 +1,979 @@ > +/** @file > + This library provides functions to set/clear Secure Boot > + keys and databases. > + > +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP
> +Copyright (c) 2021, ARM Ltd. All rights reserved.
> +Copyright (c) 2021, Semihalf All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include "Library/DxeServicesLib.h" > + > +/** Creates EFI Signature List structure. > + > + @param[in] Data A pointer to signature data. > + @param[in] Size Size of signature data. > + @param[out] SigList Created Signature List. > + > + @retval EFI_SUCCESS Signature List was created successfully= . > + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. > +--*/ > +STATIC > +EFI_STATUS > +CreateSigList ( > + IN VOID *Data, > + IN UINTN Size, > + OUT EFI_SIGNATURE_LIST **SigList > + ) > +{ > + UINTN SigListSize; > + EFI_SIGNATURE_LIST *TmpSigList; > + EFI_SIGNATURE_DATA *SigData; > + > + // > + // Allocate data for Signature Database > + // > + SigListSize =3D sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DA= TA) - 1 > + Size; > + TmpSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize); > + if (TmpSigList =3D=3D NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + // > + // Only gEfiCertX509Guid type is supported > + // > + TmpSigList->SignatureListSize =3D (UINT32)SigListSize; > + TmpSigList->SignatureSize =3D (UINT32) (sizeof (EFI_SIGNATURE_DATA) - = 1 + > Size); > + TmpSigList->SignatureHeaderSize =3D 0; > + CopyGuid (&TmpSigList->SignatureType, &gEfiCertX509Guid); > + > + // > + // Copy key data > + // > + SigData =3D (EFI_SIGNATURE_DATA *) (TmpSigList + 1); > + CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVariableGuid); > + CopyMem (&SigData->SignatureData[0], Data, Size); > + > + *SigList =3D TmpSigList; > + > + return EFI_SUCCESS; > +} > + > +/** Adds new signature list to signature database. > + > + @param[in] SigLists A pointer to signature database. > + @param[in] SiglListAppend A signature list to be added. > + @param[out] *SigListOut Created signature database. > + @param[out] SigListsSize A size of created signature database. > + > + @retval EFI_SUCCESS Signature List was added successfully. > + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. > +--*/ > +STATIC > +EFI_STATUS > +ConcatenateSigList ( > + IN EFI_SIGNATURE_LIST *SigLists, > + IN EFI_SIGNATURE_LIST *SigListAppend, > + OUT EFI_SIGNATURE_LIST **SigListOut, > + IN OUT UINTN *SigListsSize > +) > +{ > + EFI_SIGNATURE_LIST *TmpSigList; > + UINT8 *Offset; > + UINTN NewSigListsSize; > + > + NewSigListsSize =3D *SigListsSize + SigListAppend->SignatureListSize; > + > + TmpSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSiz= e); > + if (TmpSigList =3D=3D NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + CopyMem (TmpSigList, SigLists, *SigListsSize); > + > + Offset =3D (UINT8 *)TmpSigList; > + Offset +=3D *SigListsSize; > + CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSi= ze); > + > + *SigListsSize =3D NewSigListsSize; > + *SigListOut =3D TmpSigList; > + return EFI_SUCCESS; > +} > + > +/** > + Create a EFI Signature List with data fetched from section specified a= s a > argument. > + Found keys are verified using RsaGetPublicKeyFromX509(). > + > + @param[in] KeyFileGuid A pointer to to the FFS filename GUID > + @param[out] SigListsSize A pointer to size of signature list > + @param[out] SigListsOut a pointer to a callee-allocated buffe= r with > signature lists > + > + @retval EFI_SUCCESS Create time based payload successfull= y. > + @retval EFI_NOT_FOUND Section with key has not been found. > + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. > + @retval Others Unexpected error happens. > + > +--*/ > +STATIC > +EFI_STATUS > +SecBootFetchData ( > + IN EFI_GUID *KeyFileGuid, > + OUT UINTN *SigListsSize, > + OUT EFI_SIGNATURE_LIST **SigListOut > +) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + EFI_SIGNATURE_LIST *TmpEfiSig; > + EFI_SIGNATURE_LIST *TmpEfiSig2; > + EFI_STATUS Status; > + VOID *Buffer; > + VOID *RsaPubKey; > + UINTN Size; > + UINTN KeyIndex; > + > + > + KeyIndex =3D 0; > + EfiSig =3D NULL; > + *SigListsSize =3D 0; > + while (1) { > + Status =3D GetSectionFromAnyFv ( > + KeyFileGuid, > + EFI_SECTION_RAW, > + KeyIndex, > + &Buffer, > + &Size > + ); > + > + if (Status =3D=3D EFI_SUCCESS) { > + RsaPubKey =3D NULL; > + if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) =3D=3D FALS= E) { > + DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION_= _, > KeyIndex)); > + if (EfiSig !=3D NULL) { > + FreePool(EfiSig); > + } > + FreePool(Buffer); > + return EFI_INVALID_PARAMETER; > + } > + > + Status =3D CreateSigList (Buffer, Size, &TmpEfiSig); > + > + // > + // Concatenate lists if more than one section found > + // > + if (KeyIndex =3D=3D 0) { > + EfiSig =3D TmpEfiSig; > + *SigListsSize =3D TmpEfiSig->SignatureListSize; > + } else { > + ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize= ); > + FreePool (EfiSig); > + FreePool (TmpEfiSig); > + EfiSig =3D TmpEfiSig2; > + } > + > + KeyIndex++; > + FreePool (Buffer); > + } if (Status =3D=3D EFI_NOT_FOUND) { > + break; > + } > + }; > + > + if (KeyIndex =3D=3D 0) { > + return EFI_NOT_FOUND; > + } > + > + *SigListOut =3D EfiSig; > + > + return EFI_SUCCESS; > +} > + > +/** > + Create a time based data payload by concatenating the > EFI_VARIABLE_AUTHENTICATION_2 > + descriptor with the input data. NO authentication is required in this = function. > + > + @param[in, out] DataSize On input, the size of Data buffer in = bytes. > + On output, the size of data returned = in Data > + buffer in bytes. > + @param[in, out] Data On input, Pointer to data buffer to b= e wrapped > or > + pointer to NULL to wrap an empty payl= oad. > + On output, Pointer to the new payload= date buffer allocated > from pool, > + it's caller's responsibility to free = the memory when finish > using it. > + > + @retval EFI_SUCCESS Create time based payload successfull= y. > + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources > to create time based payload. > + @retval EFI_INVALID_PARAMETER The parameter is invalid. > + @retval Others Unexpected error happens. > + > +--*/ > +EFI_STATUS > +CreateTimeBasedPayload ( > + IN OUT UINTN *DataSize, > + IN OUT UINT8 **Data > + ) > +{ > + EFI_STATUS Status; > + UINT8 *NewData; > + UINT8 *Payload; > + UINTN PayloadSize; > + EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; > + UINTN DescriptorSize; > + EFI_TIME Time; > + > + if (Data =3D=3D NULL || DataSize =3D=3D NULL) { > + return EFI_INVALID_PARAMETER; > + } > + > + // > + // In Setup mode or Custom mode, the variable does not need to be sign= ed > but the > + // parameters to the SetVariable() call still need to be prepared as > authenticated > + // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor > without certificate > + // data in it. > + // > + Payload =3D *Data; > + PayloadSize =3D *DataSize; > + > + DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthIn= fo) > + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); > + NewData =3D (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize); > + if (NewData =3D=3D NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + if ((Payload !=3D NULL) && (PayloadSize !=3D 0)) { > + CopyMem (NewData + DescriptorSize, Payload, PayloadSize); > + } > + > + DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); > + > + ZeroMem (&Time, sizeof (EFI_TIME)); > + Status =3D gRT->GetTime (&Time, NULL); > + if (EFI_ERROR (Status)) { > + FreePool(NewData); > + return Status; > + } > + Time.Pad1 =3D 0; > + Time.Nanosecond =3D 0; > + Time.TimeZone =3D 0; > + Time.Daylight =3D 0; > + Time.Pad2 =3D 0; > + CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); > + > + DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF > (WIN_CERTIFICATE_UEFI_GUID, CertData); > + DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200; > + DescriptorData->AuthInfo.Hdr.wCertificateType =3D > WIN_CERT_TYPE_EFI_GUID; > + CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); > + > + if (Payload !=3D NULL) { > + FreePool(Payload); > + } > + > + *DataSize =3D DescriptorSize + PayloadSize; > + *Data =3D NewData; > + return EFI_SUCCESS; > +} > + > +/** > + Internal helper function to delete a Variable given its name and GUID,= NO > authentication > + required. > + > + @param[in] VariableName Name of the Variable. > + @param[in] VendorGuid GUID of the Variable. > + > + @retval EFI_SUCCESS Variable deleted successfully. > + @retval Others The driver failed to start the device= . > + > +--*/ > +EFI_STATUS > +DeleteVariable ( > + IN CHAR16 *VariableName, > + IN EFI_GUID *VendorGuid > + ) > +{ > + EFI_STATUS Status; > + VOID* Variable; > + UINT8 *Data; > + UINTN DataSize; > + UINT32 Attr; > + > + GetVariable2 (VariableName, VendorGuid, &Variable, NULL); > + if (Variable =3D=3D NULL) { > + return EFI_SUCCESS; > + } > + FreePool (Variable); > + > + Data =3D NULL; > + DataSize =3D 0; > + Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS > + | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; > + > + Status =3D CreateTimeBasedPayload (&DataSize, &Data); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", > Status)); > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + VariableName, > + VendorGuid, > + Attr, > + DataSize, > + Data > + ); > + if (Data !=3D NULL) { > + FreePool (Data); > + } > + return Status; > +} > + > +/** > + > + Set the platform secure boot mode into "Custom" or "Standard" mode. > + > + @param[in] SecureBootMode New secure boot mode: > STANDARD_SECURE_BOOT_MODE or > + CUSTOM_SECURE_BOOT_MODE. > + > + @return EFI_SUCCESS The platform has switched to the sp= ecial mode > successfully. > + @return other Fail to operate the secure boot mod= e. > + > +--*/ > +EFI_STATUS > +SetSecureBootMode ( > + IN UINT8 SecureBootMode > + ) > +{ > + return gRT->SetVariable ( > + EFI_CUSTOM_MODE_NAME, > + &gEfiCustomModeEnableGuid, > + EFI_VARIABLE_NON_VOLATILE | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + sizeof (UINT8), > + &SecureBootMode > + ); > +} > + > + > +/** > + Enroll a key/certificate based on a default variable. > + > + @param[in] VariableName The name of the key/database. > + @param[in] DefaultName The name of the default variable. > + @param[in] VendorGuid The namespace (ie. vendor GUID) of the > variable > + > + > + @retval EFI_OUT_OF_RESOURCES Out of memory while allocating > AuthHeader. > + @retval EFI_SUCCESS Successful enrollment. > + @return Error codes from GetTime () and SetVari= able (). > +--*/ > +STATIC > +EFI_STATUS > +EnrollFromDefault ( > + IN CHAR16 *VariableName, > + IN CHAR16 *DefaultName, > + IN EFI_GUID *VendorGuid > + ) > +{ > + VOID *Data; > + UINTN DataSize; > + EFI_STATUS Status; > + > + Status =3D EFI_SUCCESS; > + > + DataSize =3D 0; > + Status =3D GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, > &DataSize); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultNam= e, > Status)); > + return Status; > + } > + > + CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", > Status)); > + return Status; > + } > + > + // > + // Allocate memory for auth variable > + // > + Status =3D gRT->SetVariable ( > + VariableName, > + VendorGuid, > + (EFI_VARIABLE_NON_VOLATILE | > + EFI_VARIABLE_BOOTSERVICE_ACCESS | > + EFI_VARIABLE_RUNTIME_ACCESS | > + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), > + DataSize, > + Data > + ); > + > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, > VariableName, > + VendorGuid, Status)); > + } > + > + if (Data !=3D NULL) { > + FreePool (Data); > + } > + > + return Status; > +} > + > +/** Initializes PKDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecBootInitPKDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it > + // > + Status =3D GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > + if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_PK_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized > + // > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > EFI_PK_DEFAULT_VARIABLE_NAME)); > + > + Status =3D SecBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiS= ig); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Content for %s not found\n", > EFI_PK_DEFAULT_VARIABLE_NAME)); > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + EFI_PK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > EFI_PK_DEFAULT_VARIABLE_NAME)); > + } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes KEKDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecBootInitKEKDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it > + // > + Status =3D GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > + if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_KEK_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized > + // > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > EFI_KEK_DEFAULT_VARIABLE_NAME)); > + > + Status =3D SecBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &Efi= Sig); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Content for %s not found\n", > EFI_KEK_DEFAULT_VARIABLE_NAME)); > + return Status; > + } > + > + > + Status =3D gRT->SetVariable ( > + EFI_KEK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > EFI_KEK_DEFAULT_VARIABLE_NAME)); > + } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes dbDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecBootInitdbDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + Status =3D GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > + if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_DB_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > EFI_DB_DEFAULT_VARIABLE_NAME)); > + > + Status =3D SecBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiS= ig); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + EFI_DB_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > EFI_DB_DEFAULT_VARIABLE_NAME)); > + } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes dbxDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecBootInitdbxDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it > + // > + Status =3D GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > + if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_DBX_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized > + // > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > EFI_DBX_DEFAULT_VARIABLE_NAME)); > + > + Status =3D SecBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &Efi= Sig); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Content for %s not found\n", > EFI_DBX_DEFAULT_VARIABLE_NAME)); > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + EFI_DBX_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > EFI_DBX_DEFAULT_VARIABLE_NAME)); > + } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes dbtDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecBootInitdbtDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it > + // > + Status =3D GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > + if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_DBT_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized > + // > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > EFI_DBT_DEFAULT_VARIABLE_NAME)); > + > + Status =3D SecBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &Efi= Sig); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + EFI_DBT_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > EFI_DBT_DEFAULT_VARIABLE_NAME)); > + } > + > + FreePool (EfiSig); > + > + return EFI_SUCCESS; > +} > + > +/** > + Fetches the value of SetupMode variable. > + > + @param[out] SetupMode Pointer to UINT8 for SetupMode outpu= t > + > + @retval other Retval from GetVariable. > +--*/ > +BOOLEAN > +EFIAPI > +CheckSetupMode ( > + OUT UINT8 *SetupMode > +) > +{ > + UINTN Size; > + EFI_STATUS Status; > + > + Size =3D sizeof (*SetupMode); > + Status =3D gRT->GetVariable ( > + EFI_SETUP_MODE_NAME, > + &gEfiGlobalVariableGuid, > + NULL, > + &Size, > + SetupMode > + ); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + > + return EFI_SUCCESS; > +} > + > +/** > + Sets the content of the 'db' variable based on 'dbDefault' variable co= ntent. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_IMAGE_SECURITY_DATABASE, > + EFI_DB_DEFAULT_VARIABLE_NAME, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Clears the content of the 'db' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDb ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D DeleteVariable ( > + EFI_IMAGE_SECURITY_DATABASE, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'dbx' variable based on 'dbxDefault' variable = content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbxFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_IMAGE_SECURITY_DATABASE1, > + EFI_DBX_DEFAULT_VARIABLE_NAME, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Clears the content of the 'dbx' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDbx ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D DeleteVariable ( > + EFI_IMAGE_SECURITY_DATABASE1, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'dbt' variable based on 'dbtDefault' variable = content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbtFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_IMAGE_SECURITY_DATABASE2, > + EFI_DBT_DEFAULT_VARIABLE_NAME, > + &gEfiImageSecurityDatabaseGuid); > + > + return Status; > +} > + > +/** > + Clears the content of the 'dbt' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDbt ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D DeleteVariable ( > + EFI_IMAGE_SECURITY_DATABASE2, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'KEK' variable based on 'KEKDefault' variable = content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollKEKFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_KEY_EXCHANGE_KEY_NAME, > + EFI_KEK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid > + ); > + > + return Status; > +} > + > +/** > + Clears the content of the 'KEK' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteKEK ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D DeleteVariable ( > + EFI_KEY_EXCHANGE_KEY_NAME, > + &gEfiGlobalVariableGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'KEK' variable based on 'KEKDefault' variable = content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollPKFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_PLATFORM_KEY_NAME, > + EFI_PK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid > + ); > + > + return Status; > +} > + > +/** > + Remove the PK variable. > + > + @retval EFI_SUCCESS Delete PK successfully. > + @retval Others Could not allow to delete PK. > + > +--*/ > +EFI_STATUS > +DeletePlatformKey ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + > + Status =3D DeleteVariable ( > + EFI_PLATFORM_KEY_NAME, > + &gEfiGlobalVariableGuid > + ); > + return Status; > +} > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.c > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.c > index e82bfe7757..562f55b087 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.c > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.c > @@ -9,6 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > #include "SecureBootConfigImpl.h" > #include > +#include >=20 > CHAR16 mSecureBootStorageName[] =3D > L"SECUREBOOT_CONFIGURATION"; >=20 > @@ -237,168 +238,6 @@ SaveSecureBootVariable ( > return Status; > } >=20 > -/** > - Create a time based data payload by concatenating the > EFI_VARIABLE_AUTHENTICATION_2 > - descriptor with the input data. NO authentication is required in this = function. > - > - @param[in, out] DataSize On input, the size of Data buffer in = bytes. > - On output, the size of data returned = in Data > - buffer in bytes. > - @param[in, out] Data On input, Pointer to data buffer to b= e wrapped or > - pointer to NULL to wrap an empty payl= oad. > - On output, Pointer to the new payload= date buffer allocated > from pool, > - it's caller's responsibility to free = the memory when finish > using it. > - > - @retval EFI_SUCCESS Create time based payload successfull= y. > - @retval EFI_OUT_OF_RESOURCES There are not enough memory resources > to create time based payload. > - @retval EFI_INVALID_PARAMETER The parameter is invalid. > - @retval Others Unexpected error happens. > - > -**/ > -EFI_STATUS > -CreateTimeBasedPayload ( > - IN OUT UINTN *DataSize, > - IN OUT UINT8 **Data > - ) > -{ > - EFI_STATUS Status; > - UINT8 *NewData; > - UINT8 *Payload; > - UINTN PayloadSize; > - EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; > - UINTN DescriptorSize; > - EFI_TIME Time; > - > - if (Data =3D=3D NULL || DataSize =3D=3D NULL) { > - return EFI_INVALID_PARAMETER; > - } > - > - // > - // In Setup mode or Custom mode, the variable does not need to be sign= ed but > the > - // parameters to the SetVariable() call still need to be prepared as > authenticated > - // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor > without certificate > - // data in it. > - // > - Payload =3D *Data; > - PayloadSize =3D *DataSize; > - > - DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthIn= fo) > + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); > - NewData =3D (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize); > - if (NewData =3D=3D NULL) { > - return EFI_OUT_OF_RESOURCES; > - } > - > - if ((Payload !=3D NULL) && (PayloadSize !=3D 0)) { > - CopyMem (NewData + DescriptorSize, Payload, PayloadSize); > - } > - > - DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); > - > - ZeroMem (&Time, sizeof (EFI_TIME)); > - Status =3D gRT->GetTime (&Time, NULL); > - if (EFI_ERROR (Status)) { > - FreePool(NewData); > - return Status; > - } > - Time.Pad1 =3D 0; > - Time.Nanosecond =3D 0; > - Time.TimeZone =3D 0; > - Time.Daylight =3D 0; > - Time.Pad2 =3D 0; > - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); > - > - DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF > (WIN_CERTIFICATE_UEFI_GUID, CertData); > - DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200; > - DescriptorData->AuthInfo.Hdr.wCertificateType =3D WIN_CERT_TYPE_EFI_GU= ID; > - CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); > - > - if (Payload !=3D NULL) { > - FreePool(Payload); > - } > - > - *DataSize =3D DescriptorSize + PayloadSize; > - *Data =3D NewData; > - return EFI_SUCCESS; > -} > - > -/** > - Internal helper function to delete a Variable given its name and GUID,= NO > authentication > - required. > - > - @param[in] VariableName Name of the Variable. > - @param[in] VendorGuid GUID of the Variable. > - > - @retval EFI_SUCCESS Variable deleted successfully. > - @retval Others The driver failed to start the device= . > - > -**/ > -EFI_STATUS > -DeleteVariable ( > - IN CHAR16 *VariableName, > - IN EFI_GUID *VendorGuid > - ) > -{ > - EFI_STATUS Status; > - VOID* Variable; > - UINT8 *Data; > - UINTN DataSize; > - UINT32 Attr; > - > - GetVariable2 (VariableName, VendorGuid, &Variable, NULL); > - if (Variable =3D=3D NULL) { > - return EFI_SUCCESS; > - } > - FreePool (Variable); > - > - Data =3D NULL; > - DataSize =3D 0; > - Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS > - | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; > - > - Status =3D CreateTimeBasedPayload (&DataSize, &Data); > - if (EFI_ERROR (Status)) { > - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", S= tatus)); > - return Status; > - } > - > - Status =3D gRT->SetVariable ( > - VariableName, > - VendorGuid, > - Attr, > - DataSize, > - Data > - ); > - if (Data !=3D NULL) { > - FreePool (Data); > - } > - return Status; > -} > - > -/** > - > - Set the platform secure boot mode into "Custom" or "Standard" mode. > - > - @param[in] SecureBootMode New secure boot mode: > STANDARD_SECURE_BOOT_MODE or > - CUSTOM_SECURE_BOOT_MODE. > - > - @return EFI_SUCCESS The platform has switched to the sp= ecial mode > successfully. > - @return other Fail to operate the secure boot mod= e. > - > -**/ > -EFI_STATUS > -SetSecureBootMode ( > - IN UINT8 SecureBootMode > - ) > -{ > - return gRT->SetVariable ( > - EFI_CUSTOM_MODE_NAME, > - &gEfiCustomModeEnableGuid, > - EFI_VARIABLE_NON_VOLATILE | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > - sizeof (UINT8), > - &SecureBootMode > - ); > -} > - > /** > This code checks if the encode type and key strength of X.509 > certificate is qualified. > @@ -646,32 +485,6 @@ ON_EXIT: > return Status; > } >=20 > -/** > - Remove the PK variable. > - > - @retval EFI_SUCCESS Delete PK successfully. > - @retval Others Could not allow to delete PK. > - > -**/ > -EFI_STATUS > -DeletePlatformKey ( > - VOID > -) > -{ > - EFI_STATUS Status; > - > - Status =3D SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); > - if (EFI_ERROR (Status)) { > - return Status; > - } > - > - Status =3D DeleteVariable ( > - EFI_PLATFORM_KEY_NAME, > - &gEfiGlobalVariableGuid > - ); > - return Status; > -} > - > /** > Enroll a new KEK item from public key storing file (*.pbk). >=20 > diff --git a/SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.un= i > b/SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni > new file mode 100644 > index 0000000000..2c51e4db53 > --- /dev/null > +++ b/SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni > @@ -0,0 +1,16 @@ > +// /** @file > +// > +// Provides initialization of Secure Boot keys and databases. > +// > +// Copyright (c) 2021, ARM Ltd. All rights reserved.
> +// Copyright (c) 2021, Semihalf All rights reserved.
> +// > +// SPDX-License-Identifier: BSD-2-Clause-Patent > +// > +// **/ > + > + > +#string STR_MODULE_ABSTRACT #language en-US "Provides functi= on to > initialize PK, KEK and databases based on default variables." > + > +#string STR_MODULE_DESCRIPTION #language en-US "Provides functi= on > to initialize PK, KEK and databases based on default variables." > + > -- > 2.25.1