From: "Yao, Jiewen"
To: Grzegorz Bernacki, devel@edk2.groups.io
CC: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, upstream@semihalf.com, "Wang, Jian J", "Xu, Min M", lersek@redhat.com
Subject: Re: [PATCH 4/6] SecurityPkg: Add SecEnrollDefaultKeys application.
Date: Wed, 26 May 2021 12:50:54 +0000
References: <20210526094204.73600-1-gjb@semihalf.com> <20210526094204.73600-6-gjb@semihalf.com>
In-Reply-To: <20210526094204.73600-6-gjb@semihalf.com>
Return-Path: jiewen.yao@intel.com

Hi
I have not reviewed all patches.
Just a quick comment: I don't think we allow ShellPkg dependency in SecurityPkg. You may refer to https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Application/CapsuleApp/CapsuleApp.inf

Thank you
Yao Jiewen

> -----Original Message-----
> From: Grzegorz Bernacki
> Sent: Wednesday, May 26, 2021 5:42 PM
> To: devel@edk2.groups.io
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-Mahmoud@arm.com; sunny.Wang@arm.com; gjb@semihalf.com; upstream@semihalf.com; Yao, Jiewen; Wang, Jian J; Xu, Min M; lersek@redhat.com
> Subject: [PATCH 4/6] SecurityPkg: Add SecEnrollDefaultKeys application.
>
> This application allows user to force key enrollment from
> Secure Boot default variables.
>
> Signed-off-by: Grzegorz Bernacki
> ---
> SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.inf | 48 +++++++++
> SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.c | 108 ++++++++++++++++++++
> 2 files changed, 156 insertions(+)
> create mode 100644 SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.inf
> create mode 100644 SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.c
>
> diff --git a/SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.= inf > b/SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.inf > new file mode 100644 > index 0000000000..9d575ae0ac > --- /dev/null > +++ b/SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.inf > @@ -0,0 +1,48 @@ > +## @file > +# Enroll PK, KEK, db, dbx from Default variables > +# > +# Copyright (c) 2021, ARM Ltd. All rights reserved.
> +# Copyright (c) 2021, Semihalf All rights reserved.
> +# SPDX-License-Identifier: BSD-2-Clause-Patent > +## > + > +[Defines] > + INF_VERSION =3D 1.28 > + BASE_NAME =3D SecEnrollDefaultKeysApp > + FILE_GUID =3D 6F18CB2F-1293-4BC1-ABB8-35F84C71812= E > + MODULE_TYPE =3D UEFI_APPLICATION > + VERSION_STRING =3D 0.1 > + ENTRY_POINT =3D ShellCEntryLib > + > +[Sources] > + SecEnrollDefaultKeysApp.c > + > +[Packages] > + MdeModulePkg/MdeModulePkg.dec > + MdePkg/MdePkg.dec > + SecurityPkg/SecurityPkg.dec > + ShellPkg/ShellPkg.dec > + > +[Guids] > + gEfiCertPkcs7Guid > + gEfiCertSha256Guid > + gEfiCertX509Guid > + gEfiCustomModeEnableGuid > + gEfiGlobalVariableGuid > + gEfiImageSecurityDatabaseGuid > + gEfiSecureBootEnableDisableGuid > + > +[Protocols] > + gEfiSmbiosProtocolGuid ## CONSUMES > + > +[LibraryClasses] > + BaseLib > + BaseMemoryLib > + DebugLib > + MemoryAllocationLib > + PrintLib > + ShellCEntryLib > + UefiBootServicesTableLib > + UefiLib > + UefiRuntimeServicesTableLib > + SecBootVariableLib > diff --git a/SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.= c > b/SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.c > new file mode 100644 > index 0000000000..b66dd93a7a > --- /dev/null > +++ b/SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.c > @@ -0,0 +1,108 @@ > +/** @file > + Enroll default PK, KEK, db, dbx. > + > +Copyright (c) 2021, ARM Ltd. All rights reserved.
> +Copyright (c) 2021, Semihalf All rights reserved.
> + > +SPDX-License-Identifier: BSD-2-Clause-Patent > +**/ > + > +#include // > gEfiCustomModeEnableGuid > +#include // EFI_SETUP_MODE_NAME > +#include // > EFI_IMAGE_SECURITY_DATABASE > +#include // GUID_STRING_LENGTH > +#include // CopyGuid() > +#include // ASSERT() > +#include // FreePool() > +#include // AsciiSPrint() > +#include // ShellAppMain() > +#include // gBS > +#include // AsciiPrint() > +#include // gRT > +#include > +#include > + > +#define FAIL(fmt...) AsciiPrint("SecEnrollDefaultKeysApp: " fmt) > + > +/** > + Entry point function of this shell application. > +**/ > +INTN > +EFIAPI > +ShellAppMain ( > + IN UINTN Argc, > + IN CHAR16 **Argv > + ) > +{ > + EFI_STATUS Status; > + UINT8 SetupMode; > + > + Status =3D CheckSetupMode (&SetupMode); > + if (EFI_ERROR (Status)) { > + FAIL ("Cannot get SetupMode variable: %r\n", Status); > + return 1; > + } > + > + if (SetupMode =3D=3D USER_MODE) { > + FAIL ("Skipped - USER_MODE\n"); > + return 1; > + } > + > + Status =3D SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); > + if (EFI_ERROR (Status)) { > + FAIL ("Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status); > + return 1; > + } > + > + Status =3D EnrollDbFromDefault (); > + if (EFI_ERROR (Status)) { > + FAIL ("Cannot enroll db: %r\n", Status); > + goto error; > + } > + > + Status =3D EnrollDbxFromDefault (); > + if (EFI_ERROR (Status)) { > + FAIL ("Cannot enroll dbt: %r\n", Status); > + } > + > + Status =3D EnrollDbtFromDefault (); > + if (EFI_ERROR (Status)) { > + FAIL ("Cannot enroll dbx: %r\n", Status); > + } > + > + Status =3D EnrollKEKFromDefault (); > + if (EFI_ERROR (Status)) { > + FAIL ("Cannot enroll KEK: %r\n", Status); > + goto cleardbs; > + } > + > + Status =3D EnrollPKFromDefault (); > + if (EFI_ERROR (Status)) { > + FAIL ("Cannot enroll PK: %r\n", Status); > + goto clearKEK; > + } > + > + Status =3D SetSecureBootMode (STANDARD_SECURE_BOOT_MODE); > + if (EFI_ERROR (Status)) { > + FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n" > + 
"Please do it manually, otherwise system can be easily compromised= \n"); > + } > + return 0; > + > +clearKEK: > + DeleteKEK (); > + > +cleardbs: > + DeleteDbt (); > + DeleteDbx (); > + DeleteDb (); > + > +error: > + Status =3D SetSecureBootMode (STANDARD_SECURE_BOOT_MODE); > + if (EFI_ERROR (Status)) { > + AsciiPrint ("SecEnrollDefaultKeysApp: Cannot set CustomMode to > STANDARD_SECURE_BOOT_MODE\n" > + "Please do it manually, otherwise system can be easily compromised= \n"); > + } > + > + return 1; > +} > -- > 2.25.1
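Review bot: In the SecEnrollDefaultKeysApp.inf hunk, the ShellPkg/ShellPkg.dec entry in [Packages] together with ENTRY_POINT = ShellCEntryLib and the ShellCEntryLib library class is exactly the SecurityPkg-to-ShellPkg dependency objected to above, and the module does not even need it: ShellAppMain receives Argc/Argv and never reads either. Switching to a plain UEFI_APPLICATION entry (the MdePkg UefiApplicationEntryPoint library class with an ENTRY_POINT such as UefiMain, as the referenced MdeModulePkg CapsuleApp does) lets the ShellPkg lines in [Packages] and [LibraryClasses] go away. Separately, [Protocols] declares gEfiSmbiosProtocolGuid ## CONSUMES, but nothing in the posted SecEnrollDefaultKeysApp.c uses the SMBIOS protocol; drop it or add a comment saying why it is needed, and apply the same check to gEfiCertPkcs7Guid, gEfiCertSha256Guid and gEfiCertX509Guid in [Guids], which the .c does not reference directly (GUIDs consumed only inside SecBootVariableLib belong in that library's .inf).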
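Review bot: In the SecEnrollDefaultKeysApp.c hunk the two failure messages are swapped: after EnrollDbxFromDefault () the app prints "Cannot enroll dbt", and after EnrollDbtFromDefault () it prints "Cannot enroll dbx". More importantly, both of those failures fall through with no goto, so a failed dbx enrollment still proceeds to enroll KEK and PK and leaves the platform in user mode with no forbidden-signature database, whereas a db failure jumps to error; either treat a dbx failure like db (jump to cleardbs so the db already written is removed) or state in the file header that dbx/dbt are optional. Two smaller points: `#define FAIL(fmt...)` is the GNU named-variadic form and will not build with the MSVC toolchains edk2 supports, so prefer `#define FAIL(...)  AsciiPrint ("SecEnrollDefaultKeysApp: " __VA_ARGS__)`, and the error: path repeats the prefix through a bare AsciiPrint instead of reusing FAIL. Finally, the success path returns 0 even when the closing SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) fails, a condition the message itself describes as leaving the system easy to compromise; returning non-zero there lets a calling script notice.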