From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) by mx.groups.io with SMTP id smtpd.web08.4560.1622703419695098157 for ; Wed, 02 Jun 2021 23:57:00 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=yM9p7dpn; spf=pass (domain: intel.com, ip: 134.134.136.65, mailfrom: min.m.xu@intel.com) IronPort-SDR: BfbbQuPtnN60Uh2xpK0F9pRALxmc0HG1H+Krv/lzCG5FfhqjO4z9dNOW6Atv87sIzKeHTQHu53 hOK2ke3VC28Q== X-IronPort-AV: E=McAfee;i="6200,9189,10003"; a="204009232" X-IronPort-AV: E=Sophos;i="5.83,244,1616482800"; d="scan'208";a="204009232" Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by orsmga103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Jun 2021 23:56:57 -0700 IronPort-SDR: lL/rb3Aq1dVFEVQLk/viEZj+0DOzxd9/mqgSHgbiGEg8lk80LQpcF1RhoYmNTKbXHxSr5mq5NR 5GDEbSID5I5Q== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.83,244,1616482800"; d="scan'208";a="483355363" Received: from orsmsx605.amr.corp.intel.com ([10.22.229.18]) by fmsmga002.fm.intel.com with ESMTP; 02 Jun 2021 23:56:57 -0700 Received: from orsmsx611.amr.corp.intel.com (10.22.229.24) by ORSMSX605.amr.corp.intel.com (10.22.229.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4; Wed, 2 Jun 2021 23:56:56 -0700 Received: from orsmsx605.amr.corp.intel.com (10.22.229.18) by ORSMSX611.amr.corp.intel.com (10.22.229.24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4; Wed, 2 Jun 2021 23:56:56 -0700 Received: from orsedg603.ED.cps.intel.com (10.7.248.4) by orsmsx605.amr.corp.intel.com (10.22.229.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4 via Frontend Transport; Wed, 2 Jun 2021 23:56:56 -0700 Received: from NAM12-BN8-obe.outbound.protection.outlook.com (104.47.55.177) by edgegateway.intel.com (134.134.137.100) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2242.4; Wed, 2 Jun 2021 23:56:56 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kP6qyRxsMkutj1XiSyckvs0LJcLyg0ryKMiWqhsscuTzzOen0j6/HO6SYCWMHSdfmMlarF4q6v1JaxZWisEf6oiUGrAnhnRbGS/yyPSOBlG94hwxJ9/DREm++IR1TTpPYKgLOkn1GmzRl0Zo5ueGCx/8SUSj3v7afGg4wrnmRKP4bJPYM6rOoiLjzz1UbIzsD4/Y3vwPHO2fbNFTu+l/WN98VdgUr/85MqwUNpxbc2gUzbRCVldgk3vFNewBmNjct66ZzR+P57vU2GWxOcRwWgJmo/o9IO4OTxmivupbcDygCU6UXm11ycUod9611LJgGXm9ZSM29MAq/ILgogr0rQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Gi2CWWpZTvAKa8VrLRjCh8+zcHLzQ3cn5adxlzXN+SE=; b=dmdXff33O6nb1dEgdvNasmcGx8IlMHvy9rblHaCYaoFdf676QxTssvZy2RhbQNgaA9zPXKm7X0fP5SBfY4IExrMaeaZzUGVghF3JF1qcRfGuWICpbYgpTamyBW63N+oxUfkrHZ+Gy2KeoK4GtHgSlXID3RmOVz83r8IsBxYeM2Zb/TsRZRr/aTqgfuMPSK3eYI+eeIXO/a4jrq+4HTu9v3SNjfGJjEv3wCcF4vsFMjbtXBvEunPDDICeJlr3eQnhuFQudr+prdOcITVGJiexfO4B3f21Ivm4aNRbDaSi0RFIUBmq/wtH65mxzVfSPck6r/e4oqFIYnT3HUkbtqSBoA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Gi2CWWpZTvAKa8VrLRjCh8+zcHLzQ3cn5adxlzXN+SE=; b=yM9p7dpnWGhCcTjjO9JP1lz/WlgGmVxZ9aKWcb06PQBQvowgaS6Zaj+BRrt1sAB90roySD8780fi10w7ktddCGKB9l6+KPnqguhFu47bJ0ICxUkoewbkaHdPiw1qySG2NyygFMSP4OJVElhDHt9DJ1oGyibZudtF2wdH7FLPzxg= Received: from PH0PR11MB5064.namprd11.prod.outlook.com (2603:10b6:510:3b::15) by PH0PR11MB5110.namprd11.prod.outlook.com (2603:10b6:510:3f::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4173.22; Thu, 3 Jun 2021 06:56:54 +0000 Received: from PH0PR11MB5064.namprd11.prod.outlook.com ([fe80::b4be:3994:dd4d:7b9d]) by PH0PR11MB5064.namprd11.prod.outlook.com ([fe80::b4be:3994:dd4d:7b9d%8]) with mapi id 15.20.4173.030; Thu, 3 Jun 2021 06:56:54 +0000 From: "Min Xu" To: Grzegorz Bernacki , "devel@edk2.groups.io" CC: "leif@nuviainc.com" , "ardb+tianocore@kernel.org" , "Samer.El-Haj-Mahmoud@arm.com" , "sunny.Wang@arm.com" , "mw@semihalf.com" , "upstream@semihalf.com" , "Yao, Jiewen" , "Wang, Jian J" , "lersek@redhat.com" Subject: Re: [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables. Thread-Topic: [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables. Thread-Index: AQHXVuffJSgxhFtIkEShVlVb75Uw7asB2dQw Date: Thu, 3 Jun 2021 06:56:54 +0000 Message-ID: References: <20210601131229.630611-1-gjb@semihalf.com> <20210601131229.630611-3-gjb@semihalf.com> In-Reply-To: <20210601131229.630611-3-gjb@semihalf.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-product: dlpe-windows dlp-reaction: no-action dlp-version: 11.5.1.3 authentication-results: semihalf.com; dkim=none (message not signed) header.d=none;semihalf.com; dmarc=none action=none header.from=intel.com; x-originating-ip: [192.198.142.25] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 1d38418b-7c43-4646-a401-08d9265cc5b6 x-ms-traffictypediagnostic: PH0PR11MB5110: x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:147; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: JFx3Iqp5G3tqj0wbVvUVQ03kVSIahYzVVQdlSOfeEF414McNuNXkHXwFHjPjAD49TtyhtcP9qqGUbIX9Q8NDeQbKfNP7sITW+wYzIR1WQXykI9qa74Qz/7M1lHEmWLAmK/sHemOUY5W33oYCAcRN+Z+HV5fepCnuaRlMZppUiZm+8K1GR6BohhJamtxcHjwaWF0Uhf1Bx1wgh8/1GrPkzXdosyZuibSYkJa+Z4Wlgtp/W0EaySxRV+6vxrUufAGmF7T9f+AUc1cxxXnQcjMUD4Qf/d4ZmrPWzb33oIDcqpbmOzddBoB5b3cL0FPhvGYNXfKEPa6OzUDThb3EmfHvpmo8lRmqOzQQcFzD1MD0jXP0YHSOFu7cKj5Rdc+uJman9vcynncxRwPPGmh2C785hfAvuch//7cMyxTfph47ymBFo4t6KYLYxpBm8ZXExVRcp8S8io16d+fTpVeh/24v4+sNsE2KWDsBnzya/hsoyK9WzONsgVOsZVAp+X26clz0gTUyI483HtBuQTfbB+nHAmVCQ3KtEKK9w2uD1eBqN2QKywO0C7VkLiwS3kiKCxzugUoGLAbxmYnNzZ0b3b/RItvr39ph4AfH2ZDCGzTUjVE= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR11MB5064.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(39860400002)(346002)(136003)(366004)(396003)(376002)(4326008)(186003)(33656002)(122000001)(66946007)(15650500001)(19627235002)(53546011)(6506007)(66556008)(66446008)(66476007)(7696005)(64756008)(26005)(2906002)(52536014)(9686003)(71200400001)(86362001)(5660300002)(110136005)(55016002)(478600001)(30864003)(54906003)(38100700002)(316002)(76116006)(8676002)(83380400001)(8936002)(579004)(559001);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata: =?us-ascii?Q?rRCEzywQ0Y9fftiC3jxnl3Jixx4PgPWqYdiah2OjYkbziIoaHDsbkHC9Zkff?= =?us-ascii?Q?Ln1kyg0U1Owa1j19PJQc7xg5yleF0NuBXX6rBlp3nPD01T+agJqWsfXLkch2?= =?us-ascii?Q?qq3On+Vel2vDOy/pnyc2VXpE6fpHlIuL5+ueJRURlkti/E/4n9+o0yNEpOr+?= =?us-ascii?Q?KsSlYK50UWUhTZprG6sFKg39CD1Dj+LiieLMqIh2QRZ1K9CU2rhy0OhlbPEp?= =?us-ascii?Q?ZHBHzSPVtC1f4aRcYzxVkL1Y+a4jNWMCl0qzbv5pIO6L9R6WXPfJAmCctmg/?= =?us-ascii?Q?HkLfOymnaGSHLDyFuwLRSPQwG8Jgq2MlUSCjbVVAc5k6ASAHBrgB01KpZNEh?= =?us-ascii?Q?GMwVAeg18OAGjPYa+D+HmhOBDVqUMwZSuBfXYqSRNFzzXXaqEfkbMj1OAv6F?= =?us-ascii?Q?SLxETjZje2RKTRy1wFX6rFFGbZSmBT+50y8P8BQm2yM4UXyGd/evxROWdd6R?= =?us-ascii?Q?YfxangDv8UV8isLiM2Wkmgj1M610aw0CY/tOaJ3tjdHPXXg0SgAkAw03hQ5/?= =?us-ascii?Q?URyfCm5O5EJG4v5+PV7jowGfr2W6w3mNO6mcXSE0r7/o6sWRdvOhQjj6/JMJ?= =?us-ascii?Q?4g/ebiyFWgeN4mjRAnE5o4Xia/PRv7gh52U83L73NycY7jFw5vYeK9F3k+a/?= =?us-ascii?Q?tt3JPlsewgWtXDDheU5TgAFp2hAVFOui0Z89KQrIGJ95HFwB90BSlFWZrnU8?= =?us-ascii?Q?64bHEDWxXrSrqG+98rp1ufIZgvck7/oVyn7ZekOhRQA/jlCwFM1SIxBiYMXa?= =?us-ascii?Q?2oSet0bsofsDewo5OnH/R6CXqtAfWnFS0gOzs2smuykpxUUTJFknVvb9HBVT?= =?us-ascii?Q?C86WX/WtYCP0u+7ABiKFCd+8su8CrbHXuXWXEeJaC16JVfWjOi236D07qEIK?= =?us-ascii?Q?51tk2AuNSMs2lgjrfvouA5KzGoTUMTm66Z5MD73A6SIAegnY3AQqgiwJBrA3?= =?us-ascii?Q?0a4f6hKDmXTFOQcuw8e1aoC8pECe7+HJkEaHQjBSjT2aKpr1PTrOFBa/ENOc?= =?us-ascii?Q?cwKYRCovH6ab8gcAAOc3yknyAbReaslgJhrJMT3bMN5UKwfHjpjje0vM/MIG?= =?us-ascii?Q?Xir68QOj/owC3o4reSOc/yHPbLY81T+KKMnQYtlF1HTPVnYckj3cM+QC9qXC?= =?us-ascii?Q?88vY9WHe4kSRU8FIQGIG5YCjmz0/SI6lgJCuF/hPYYdBiJp5LZ5rEkeQPoEW?= =?us-ascii?Q?lYgoQ+rKKQXhE4LiEAUbo2Hrz3VajMd3yDSegiWkrOBL7K5Emd69hQV/zrPl?= =?us-ascii?Q?c4tr/AD7uavEoJI+YAKooeNbceKHXxvXFU4KA8YoCWBLEJYwn6UsSkiggi3C?= =?us-ascii?Q?KsF81LnvBoaI5R2pG+H/i2wQ?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB5064.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 1d38418b-7c43-4646-a401-08d9265cc5b6 X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Jun 2021 06:56:54.3751 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: nhbSWQ6YT2+Aqi4x/ZhmKLbKj+b8/3uAQjP7aYNyHUGkDx71KfIpgX0jPQ3xkNEGtrXBACPmKQa/LPe8SuaTPg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB5110 Return-Path: min.m.xu@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable On Tuesday, June 1, 2021 9:12 PM, Grzegorz Bernacki wrote: > This commits add library, which consist functions related creation/remova= l > Secure Boot variables. Some of the functions was moved from > SecureBootConfigImpl.c file. >=20 > Signed-off-by: Grzegorz Bernacki > --- > SecurityPkg/SecurityPkg.dsc = | 1 + > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf = | > 79 ++ >=20 > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > Dxe.inf | 1 + > SecurityPkg/Include/Library/SecureBootVariableLib.h = | 252 > +++++ > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c = | > 979 ++++++++++++++++++++ >=20 > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.c | 189 +--- > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni > | 16 + > 7 files changed, 1329 insertions(+), 188 deletions(-) create mode 10064= 4 > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf > create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h > create mode 100644 > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c > create mode 100644 > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni >=20 > diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc in= dex > bd4b810bce..854f250625 100644 > --- a/SecurityPkg/SecurityPkg.dsc > +++ b/SecurityPkg/SecurityPkg.dsc > @@ -70,6 +70,7 @@ > RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf >=20 > TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventL > ogRecordLib.inf >=20 > MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnbloc > kMemoryLibNull.inf > + > + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/Secure > + BootVariableLib.inf >=20 > [LibraryClasses.ARM] > # > diff --git > a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf > b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf > new file mode 100644 > index 0000000000..84367841d5 > --- /dev/null > +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.in > +++ f > @@ -0,0 +1,79 @@ > +## @file > +# Provides initialization of Secure Boot keys and databases. > +# > +# Copyright (c) 2021, ARM Ltd. All rights reserved.
# Copyright > +(c) 2021, Semihalf All rights reserved.
# # > +SPDX-License-Identifier: BSD-2-Clause-Patent # ## > + > +[Defines] > + INF_VERSION =3D 0x00010005 > + BASE_NAME =3D SecureBootVariableLib > + MODULE_UNI_FILE =3D SecureBootVariableLib.uni > + FILE_GUID =3D D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F6= F > + MODULE_TYPE =3D DXE_DRIVER > + VERSION_STRING =3D 1.0 > + LIBRARY_CLASS =3D SecureBootVariableLib|DXE_DRIVER > DXE_RUNTIME_DRIVER UEFI_APPLICATION > + > +# > +# The following information is for reference only and not required by th= e > build tools. > +# > +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64 > +# > + > +[Sources] > + SecureBootVariableLib.c > + > +[Packages] > + MdePkg/MdePkg.dec > + MdeModulePkg/MdeModulePkg.dec > + SecurityPkg/SecurityPkg.dec > + CryptoPkg/CryptoPkg.dec > + > +[LibraryClasses] > + BaseLib > + BaseMemoryLib > + DebugLib > + MemoryAllocationLib > + BaseCryptLib > + DxeServicesLib > + > +[Guids] > + ## CONSUMES ## Variable:L"SetupMode" > + ## PRODUCES ## Variable:L"SetupMode" > + ## CONSUMES ## Variable:L"SecureBoot" > + ## PRODUCES ## Variable:L"SecureBoot" > + ## PRODUCES ## Variable:L"PK" > + ## PRODUCES ## Variable:L"KEK" > + ## CONSUMES ## Variable:L"PKDefault" > + ## CONSUMES ## Variable:L"KEKDefault" > + ## CONSUMES ## Variable:L"dbDefault" > + ## CONSUMES ## Variable:L"dbxDefault" > + ## CONSUMES ## Variable:L"dbtDefault" > + gEfiGlobalVariableGuid > + > + ## SOMETIMES_CONSUMES ## Variable:L"DB" > + ## SOMETIMES_CONSUMES ## Variable:L"DBX" > + ## SOMETIMES_CONSUMES ## Variable:L"DBT" > + gEfiImageSecurityDatabaseGuid > + > + ## CONSUMES ## Variable:L"SecureBootEnable" > + ## PRODUCES ## Variable:L"SecureBootEnable" > + gEfiSecureBootEnableDisableGuid > + > + ## CONSUMES ## Variable:L"CustomMode" > + ## PRODUCES ## Variable:L"CustomMode" > + gEfiCustomModeEnableGuid > + > + gEfiCertTypeRsa2048Sha256Guid ## CONSUMES > + gEfiCertX509Guid ## CONSUMES > + gEfiCertPkcs7Guid ## CONSUMES > + > + gDefaultPKFileGuid > + gDefaultKEKFileGuid > + gDefaultdbFileGuid > + gDefaultdbxFileGuid > + gDefaultdbtFileGuid > + > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi > gDxe.inf > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi > gDxe.inf > index 573efa6379..30d9cd8025 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi > gDxe.inf > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo > +++ nfigDxe.inf > @@ -54,6 +54,7 @@ > DevicePathLib > FileExplorerLib > PeCoffLib > + SecureBootVariableLib >=20 > [Guids] > ## SOMETIMES_CONSUMES ## Variable:L"CustomMode" > diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h > b/SecurityPkg/Include/Library/SecureBootVariableLib.h > new file mode 100644 > index 0000000000..2961c93a36 > --- /dev/null > +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h > @@ -0,0 +1,252 @@ > +/** @file > + Provides a function to enroll keys based on default values. > + > +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP
> +Copyright (c) 2021, ARM Ltd. All rights reserved.
Copyright (c) > +2021, Semihalf All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#ifndef __SECURE_BOOT_VARIABLE_LIB_H__ > +#define __SECURE_BOOT_VARIABLE_LIB_H__ > + > +/** > + > + Set the platform secure boot mode into "Custom" or "Standard" mode. > + > + @param[in] SecureBootMode New secure boot mode: > STANDARD_SECURE_BOOT_MODE or > + CUSTOM_SECURE_BOOT_MODE. > + > + @return EFI_SUCCESS The platform has switched to the sp= ecial > mode successfully. > + @return other Fail to operate the secure boot mod= e. > + > +--*/ > +EFI_STATUS > +SetSecureBootMode ( > + IN UINT8 SecureBootMode > +); > + > +/** > + Fetches the value of SetupMode variable. > + > + @param[out] SetupMode Pointer to UINT8 for SetupMode outpu= t > + > + @retval other Error codes from GetVariable. > +--*/ > +BOOLEAN > +EFIAPI > +GetSetupMode ( > + OUT UINT8 *SetupMode > +); > + > +/** > + Create a time based data payload by concatenating the > +EFI_VARIABLE_AUTHENTICATION_2 > + descriptor with the input data. NO authentication is required in this > function. > + > + @param[in, out] DataSize On input, the size of Data buffer in = bytes. > + On output, the size of data returned = in Data > + buffer in bytes. > + @param[in, out] Data On input, Pointer to data buffer to b= e > wrapped or > + pointer to NULL to wrap an empty payl= oad. > + On output, Pointer to the new payload= date buffer > allocated from pool, > + it's caller's responsibility to free = the memory when finish > using it. > + > + @retval EFI_SUCCESS Create time based payload successfull= y. > + @retval EFI_OUT_OF_RESOURCES There are not enough memory > resources to create time based payload. > + @retval EFI_INVALID_PARAMETER The parameter is invalid. > + @retval Others Unexpected error happens. > + > +--*/ > +EFI_STATUS > +CreateTimeBasedPayload ( > + IN OUT UINTN *DataSize, > + IN OUT UINT8 **Data > +); > + > +/** > + Sets the content of the 'db' variable based on 'dbDefault' variable co= ntent. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'db' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDb ( > + VOID > +); > + > +/** > + Sets the content of the 'dbx' variable based on 'dbxDefault' variable > content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbxFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'dbx' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDbx ( > + VOID > +); > + > +/** > + Sets the content of the 'dbt' variable based on 'dbtDefault' variable > content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbtFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'dbt' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDbt ( > + VOID > +); > + > +/** > + Sets the content of the 'KEK' variable based on 'KEKDefault' variable > content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollKEKFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'KEK' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteKEK ( > + VOID > +); > + > +/** > + Sets the content of the 'PK' variable based on 'PKDefault' variable co= ntent. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollPKFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'PK' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeletePlatformKey ( > + VOID > +); > + > +/** Initializes PKDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitPKDefault ( > + IN VOID > + ); > + > +/** Initializes KEKDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitKEKDefault ( > + IN VOID > + ); > + > +/** Initializes dbDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitdbDefault ( > + IN VOID > + ); > + > +/** Initializes dbtDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitdbtDefault ( > + IN VOID > + ); > + > +/** Initializes dbxDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitdbxDefault ( > + IN VOID > + ); > +#endif > diff --git > a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c > b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c > new file mode 100644 > index 0000000000..16bad5530a > --- /dev/null > +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c > @@ -0,0 +1,979 @@ > +/** @file > + This library provides functions to set/clear Secure Boot > + keys and databases. > + > +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP
> +Copyright (c) 2021, ARM Ltd. All rights reserved.
Copyright (c) > +2021, Semihalf All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include #include > + > +#include #include > +"Library/DxeServicesLib.h" > + > +/** Creates EFI Signature List structure. > + > + @param[in] Data A pointer to signature data. > + @param[in] Size Size of signature data. > + @param[out] SigList Created Signature List. > + > + @retval EFI_SUCCESS Signature List was created successfully= . > + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. > +--*/ > +STATIC > +EFI_STATUS > +CreateSigList ( > + IN VOID *Data, > + IN UINTN Size, > + OUT EFI_SIGNATURE_LIST **SigList > + ) > +{ > + UINTN SigListSize; > + EFI_SIGNATURE_LIST *TmpSigList; > + EFI_SIGNATURE_DATA *SigData; > + > + // > + // Allocate data for Signature Database // SigListSize =3D sizeof > + (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + Size; > + TmpSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize); > + if (TmpSigList =3D=3D NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + // > + // Only gEfiCertX509Guid type is supported // > + TmpSigList->SignatureListSize =3D (UINT32)SigListSize; > + TmpSigList->SignatureSize =3D (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 > + + Size); TmpSigList->SignatureHeaderSize =3D 0; CopyGuid > + (&TmpSigList->SignatureType, &gEfiCertX509Guid); > + > + // > + // Copy key data > + // > + SigData =3D (EFI_SIGNATURE_DATA *) (TmpSigList + 1); CopyGuid > + (&SigData->SignatureOwner, &gEfiGlobalVariableGuid); CopyMem > + (&SigData->SignatureData[0], Data, Size); > + > + *SigList =3D TmpSigList; > + > + return EFI_SUCCESS; > +} > + > +/** Adds new signature list to signature database. > + > + @param[in] SigLists A pointer to signature database. > + @param[in] SiglListAppend A signature list to be added. > + @param[out] *SigListOut Created signature database. > + @param[out] SigListsSize A size of created signature database. > + > + @retval EFI_SUCCESS Signature List was added successfully. > + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. > +--*/ > +STATIC > +EFI_STATUS > +ConcatenateSigList ( > + IN EFI_SIGNATURE_LIST *SigLists, > + IN EFI_SIGNATURE_LIST *SigListAppend, > + OUT EFI_SIGNATURE_LIST **SigListOut, > + IN OUT UINTN *SigListsSize > +) > +{ > + EFI_SIGNATURE_LIST *TmpSigList; > + UINT8 *Offset; > + UINTN NewSigListsSize; > + > + NewSigListsSize =3D *SigListsSize + SigListAppend->SignatureListSize; > + > + TmpSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool > + (NewSigListsSize); if (TmpSigList =3D=3D NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + CopyMem (TmpSigList, SigLists, *SigListsSize); > + > + Offset =3D (UINT8 *)TmpSigList; > + Offset +=3D *SigListsSize; > + CopyMem ((VOID *)Offset, SigListAppend, > + SigListAppend->SignatureListSize); > + > + *SigListsSize =3D NewSigListsSize; > + *SigListOut =3D TmpSigList; > + return EFI_SUCCESS; > +} > + > +/** > + Create a EFI Signature List with data fetched from section specified a= s a > argument. > + Found keys are verified using RsaGetPublicKeyFromX509(). > + > + @param[in] KeyFileGuid A pointer to to the FFS filename GUID > + @param[out] SigListsSize A pointer to size of signature list > + @param[out] SigListsOut a pointer to a callee-allocated buffe= r with > signature lists > + > + @retval EFI_SUCCESS Create time based payload successfull= y. > + @retval EFI_NOT_FOUND Section with key has not been found. > + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. > + @retval Others Unexpected error happens. > + > +--*/ > +STATIC > +EFI_STATUS > +SecureBootFetchData ( > + IN EFI_GUID *KeyFileGuid, > + OUT UINTN *SigListsSize, > + OUT EFI_SIGNATURE_LIST **SigListOut > +) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + EFI_SIGNATURE_LIST *TmpEfiSig; > + EFI_SIGNATURE_LIST *TmpEfiSig2; > + EFI_STATUS Status; > + VOID *Buffer; > + VOID *RsaPubKey; > + UINTN Size; > + UINTN KeyIndex; > + > + > + KeyIndex =3D 0; > + EfiSig =3D NULL; > + *SigListsSize =3D 0; > + while (1) { > + Status =3D GetSectionFromAnyFv ( > + KeyFileGuid, > + EFI_SECTION_RAW, > + KeyIndex, > + &Buffer, > + &Size > + ); > + > + if (Status =3D=3D EFI_SUCCESS) { > + RsaPubKey =3D NULL; > + if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) =3D=3D FALS= E) { > + DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", > __FUNCTION__, KeyIndex)); > + if (EfiSig !=3D NULL) { > + FreePool(EfiSig); > + } > + FreePool(Buffer); > + return EFI_INVALID_PARAMETER; > + } > + > + Status =3D CreateSigList (Buffer, Size, &TmpEfiSig); > + > + // > + // Concatenate lists if more than one section found > + // > + if (KeyIndex =3D=3D 0) { > + EfiSig =3D TmpEfiSig; > + *SigListsSize =3D TmpEfiSig->SignatureListSize; > + } else { > + ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize= ); > + FreePool (EfiSig); > + FreePool (TmpEfiSig); > + EfiSig =3D TmpEfiSig2; > + } > + > + KeyIndex++; > + FreePool (Buffer); > + } if (Status =3D=3D EFI_NOT_FOUND) { > + break; > + } > + }; > + > + if (KeyIndex =3D=3D 0) { > + return EFI_NOT_FOUND; > + } > + > + *SigListOut =3D EfiSig; > + > + return EFI_SUCCESS; > +} > + > +/** > + Create a time based data payload by concatenating the > +EFI_VARIABLE_AUTHENTICATION_2 > + descriptor with the input data. NO authentication is required in this > function. > + > + @param[in, out] DataSize On input, the size of Data buffer in = bytes. > + On output, the size of data returned = in Data > + buffer in bytes. > + @param[in, out] Data On input, Pointer to data buffer to b= e > wrapped or > + pointer to NULL to wrap an empty payl= oad. > + On output, Pointer to the new payload= date buffer > allocated from pool, > + it's caller's responsibility to free = the memory when finish > using it. > + > + @retval EFI_SUCCESS Create time based payload successfull= y. > + @retval EFI_OUT_OF_RESOURCES There are not enough memory > resources to create time based payload. > + @retval EFI_INVALID_PARAMETER The parameter is invalid. > + @retval Others Unexpected error happens. > + > +--*/ > +EFI_STATUS > +CreateTimeBasedPayload ( > + IN OUT UINTN *DataSize, > + IN OUT UINT8 **Data > + ) > +{ > + EFI_STATUS Status; > + UINT8 *NewData; > + UINT8 *Payload; > + UINTN PayloadSize; > + EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; > + UINTN DescriptorSize; > + EFI_TIME Time; > + > + if (Data =3D=3D NULL || DataSize =3D=3D NULL) { > + return EFI_INVALID_PARAMETER; > + } > + > + // > + // In Setup mode or Custom mode, the variable does not need to be > + signed but the // parameters to the SetVariable() call still need to > + be prepared as authenticated // variable. So we create > + EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate // data in > it. > + // > + Payload =3D *Data; > + PayloadSize =3D *DataSize; > + > + DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, > AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); > + NewData =3D (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize); > + if (NewData =3D=3D NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + if ((Payload !=3D NULL) && (PayloadSize !=3D 0)) { > + CopyMem (NewData + DescriptorSize, Payload, PayloadSize); } > + > + DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); > + > + ZeroMem (&Time, sizeof (EFI_TIME)); > + Status =3D gRT->GetTime (&Time, NULL); > + if (EFI_ERROR (Status)) { > + FreePool(NewData); > + return Status; > + } > + Time.Pad1 =3D 0; > + Time.Nanosecond =3D 0; > + Time.TimeZone =3D 0; > + Time.Daylight =3D 0; > + Time.Pad2 =3D 0; > + CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); > + > + DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF > (WIN_CERTIFICATE_UEFI_GUID, CertData); > + DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200; > + DescriptorData->AuthInfo.Hdr.wCertificateType =3D > + WIN_CERT_TYPE_EFI_GUID; CopyGuid (&DescriptorData- > >AuthInfo.CertType, > + &gEfiCertPkcs7Guid); > + > + if (Payload !=3D NULL) { > + FreePool(Payload); > + } > + > + *DataSize =3D DescriptorSize + PayloadSize; > + *Data =3D NewData; > + return EFI_SUCCESS; > +} > + > +/** > + Internal helper function to delete a Variable given its name and > +GUID, NO authentication > + required. > + > + @param[in] VariableName Name of the Variable. > + @param[in] VendorGuid GUID of the Variable. > + > + @retval EFI_SUCCESS Variable deleted successfully. > + @retval Others The driver failed to start the device= . > + > +--*/ > +EFI_STATUS > +DeleteVariable ( > + IN CHAR16 *VariableName, > + IN EFI_GUID *VendorGuid > + ) > +{ > + EFI_STATUS Status; > + VOID* Variable; > + UINT8 *Data; > + UINTN DataSize; > + UINT32 Attr; > + > + GetVariable2 (VariableName, VendorGuid, &Variable, NULL); if > + (Variable =3D=3D NULL) { > + return EFI_SUCCESS; > + } > + FreePool (Variable); > + > + Data =3D NULL; > + DataSize =3D 0; > + Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS > | EFI_VARIABLE_BOOTSERVICE_ACCESS > + | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; > + > + Status =3D CreateTimeBasedPayload (&DataSize, &Data); if (EFI_ERROR > + (Status)) { > + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", > Status)); > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + VariableName, > + VendorGuid, > + Attr, > + DataSize, > + Data > + ); > + if (Data !=3D NULL) { > + FreePool (Data); > + } > + return Status; > +} > + > +/** > + > + Set the platform secure boot mode into "Custom" or "Standard" mode. > + > + @param[in] SecureBootMode New secure boot mode: > STANDARD_SECURE_BOOT_MODE or > + CUSTOM_SECURE_BOOT_MODE. > + > + @return EFI_SUCCESS The platform has switched to the sp= ecial > mode successfully. > + @return other Fail to operate the secure boot mod= e. > + > +--*/ > +EFI_STATUS > +SetSecureBootMode ( > + IN UINT8 SecureBootMode > + ) > +{ > + return gRT->SetVariable ( > + EFI_CUSTOM_MODE_NAME, > + &gEfiCustomModeEnableGuid, > + EFI_VARIABLE_NON_VOLATILE | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + sizeof (UINT8), > + &SecureBootMode > + ); > +} > + > + > +/** > + Enroll a key/certificate based on a default variable. > + > + @param[in] VariableName The name of the key/database. > + @param[in] DefaultName The name of the default variable. > + @param[in] VendorGuid The namespace (ie. vendor GUID) of the > variable > + > + > + @retval EFI_OUT_OF_RESOURCES Out of memory while allocating > AuthHeader. > + @retval EFI_SUCCESS Successful enrollment. > + @return Error codes from GetTime () and SetVari= able (). > +--*/ > +STATIC > +EFI_STATUS > +EnrollFromDefault ( > + IN CHAR16 *VariableName, > + IN CHAR16 *DefaultName, > + IN EFI_GUID *VendorGuid > + ) > +{ > + VOID *Data; > + UINTN DataSize; > + EFI_STATUS Status; > + > + Status =3D EFI_SUCCESS; > + > + DataSize =3D 0; > + Status =3D GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, > + &DataSize); if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", > DefaultName, Status)); > + return Status; > + } > + > + CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); if (EFI_ERROR > + (Status)) { > + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", > Status)); > + return Status; > + } > + > + // > + // Allocate memory for auth variable > + // > + Status =3D gRT->SetVariable ( > + VariableName, > + VendorGuid, > + (EFI_VARIABLE_NON_VOLATILE | > + EFI_VARIABLE_BOOTSERVICE_ACCESS | > + EFI_VARIABLE_RUNTIME_ACCESS | > + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), > + DataSize, > + Data > + ); > + > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, > VariableName, > + VendorGuid, Status)); > + } > + > + if (Data !=3D NULL) { > + FreePool (Data); > + } > + > + return Status; > +} > + > +/** Initializes PKDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitPKDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it // Status =3D > + GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, > + (VOID **) &Data, &DataSize); if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_PK_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized // DEBUG > + ((DEBUG_INFO, "Variable %s does not exist.\n", > + EFI_PK_DEFAULT_VARIABLE_NAME)); > + > + Status =3D SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, > + &EfiSig); if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Content for %s not found\n", > EFI_PK_DEFAULT_VARIABLE_NAME)); > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + EFI_PK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > + EFI_PK_DEFAULT_VARIABLE_NAME)); } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes KEKDefault variable with data from FFS section. Please keep consistent that "Initializes KEKDefault ... " should be in a ne= w line, instead of after the "/**" directly.=20 > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitKEKDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it // Status =3D > + GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, > + (VOID **) &Data, &DataSize); if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_KEK_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized // DEBUG > + ((DEBUG_INFO, "Variable %s does not exist.\n", > + EFI_KEK_DEFAULT_VARIABLE_NAME)); > + > + Status =3D SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, > + &EfiSig); if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Content for %s not found\n", > EFI_KEK_DEFAULT_VARIABLE_NAME)); > + return Status; > + } > + > + > + Status =3D gRT->SetVariable ( > + EFI_KEK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > + EFI_KEK_DEFAULT_VARIABLE_NAME)); } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes dbDefault variable with data from FFS section. Please keep consistent that "Initializes deDefault ... " should be in a new= line, instead of after the "/**" directly. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitdbDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + Status =3D GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); if (Status =3D= =3D > EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_DB_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > + EFI_DB_DEFAULT_VARIABLE_NAME)); > + > + Status =3D SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, > + &EfiSig); if (EFI_ERROR (Status)) { > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + EFI_DB_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > + EFI_DB_DEFAULT_VARIABLE_NAME)); } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes dbxDefault variable with data from FFS section. Please keep consistent that "Initializes dbxDefault ... " should be in a ne= w line, instead of after the "/**" directly. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitdbxDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it // Status =3D > + GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, > + (VOID **) &Data, &DataSize); if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_DBX_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized // DEBUG > + ((DEBUG_INFO, "Variable %s does not exist.\n", > + EFI_DBX_DEFAULT_VARIABLE_NAME)); > + > + Status =3D SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, > + &EfiSig); if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Content for %s not found\n", > EFI_DBX_DEFAULT_VARIABLE_NAME)); > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + EFI_DBX_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > + EFI_DBX_DEFAULT_VARIABLE_NAME)); } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes dbtDefault variable with data from FFS section. Please keep consistent that "Initializes dbtDefault ... " should be in a ne= w line, instead of after the "/**" directly. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitdbtDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it // Status =3D > + GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, > + (VOID **) &Data, &DataSize); if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_DBT_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized // DEBUG > + ((DEBUG_INFO, "Variable %s does not exist.\n", > + EFI_DBT_DEFAULT_VARIABLE_NAME)); > + > + Status =3D SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, > + &EfiSig); if (EFI_ERROR (Status)) { > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + EFI_DBT_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > + EFI_DBT_DEFAULT_VARIABLE_NAME)); } > + > + FreePool (EfiSig); > + > + return EFI_SUCCESS; > +} > + > +/** > + Fetches the value of SetupMode variable. > + > + @param[out] SetupMode Pointer to UINT8 for SetupMode outpu= t > + > + @retval other Retval from GetVariable. > +--*/ > +BOOLEAN > +EFIAPI > +GetSetupMode ( > + OUT UINT8 *SetupMode > +) > +{ > + UINTN Size; > + EFI_STATUS Status; > + > + Size =3D sizeof (*SetupMode); > + Status =3D gRT->GetVariable ( > + EFI_SETUP_MODE_NAME, > + &gEfiGlobalVariableGuid, > + NULL, > + &Size, > + SetupMode > + ); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + > + return EFI_SUCCESS; > +} > + > +/** > + Sets the content of the 'db' variable based on 'dbDefault' variable co= ntent. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_IMAGE_SECURITY_DATABASE, > + EFI_DB_DEFAULT_VARIABLE_NAME, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Clears the content of the 'db' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDb ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D DeleteVariable ( > + EFI_IMAGE_SECURITY_DATABASE, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'dbx' variable based on 'dbxDefault' variable > content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbxFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_IMAGE_SECURITY_DATABASE1, > + EFI_DBX_DEFAULT_VARIABLE_NAME, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Clears the content of the 'dbx' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDbx ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D DeleteVariable ( > + EFI_IMAGE_SECURITY_DATABASE1, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'dbt' variable based on 'dbtDefault' variable > content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbtFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_IMAGE_SECURITY_DATABASE2, > + EFI_DBT_DEFAULT_VARIABLE_NAME, > + &gEfiImageSecurityDatabaseGuid); > + > + return Status; > +} > + > +/** > + Clears the content of the 'dbt' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDbt ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D DeleteVariable ( > + EFI_IMAGE_SECURITY_DATABASE2, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'KEK' variable based on 'KEKDefault' variable > content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollKEKFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_KEY_EXCHANGE_KEY_NAME, > + EFI_KEK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid > + ); > + > + return Status; > +} > + > +/** > + Clears the content of the 'KEK' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteKEK ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D DeleteVariable ( > + EFI_KEY_EXCHANGE_KEY_NAME, > + &gEfiGlobalVariableGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'KEK' variable based on 'KEKDefault' variable > content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollPKFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_PLATFORM_KEY_NAME, > + EFI_PK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid > + ); > + > + return Status; > +} > + > +/** > + Remove the PK variable. > + > + @retval EFI_SUCCESS Delete PK successfully. > + @retval Others Could not allow to delete PK. > + > +--*/ > +EFI_STATUS > +DeletePlatformKey ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + > + Status =3D DeleteVariable ( > + EFI_PLATFORM_KEY_NAME, > + &gEfiGlobalVariableGuid > + ); > + return Status; > +} > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi > gImpl.c > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi > gImpl.c > index e82bfe7757..67e5e594ed 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi > gImpl.c > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo > +++ nfigImpl.c > @@ -9,6 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > #include "SecureBootConfigImpl.h" > #include > +#include >=20 > CHAR16 mSecureBootStorageName[] =3D > L"SECUREBOOT_CONFIGURATION"; >=20 > @@ -237,168 +238,6 @@ SaveSecureBootVariable ( > return Status; > } >=20 > -/** > - Create a time based data payload by concatenating the > EFI_VARIABLE_AUTHENTICATION_2 > - descriptor with the input data. NO authentication is required in this > function. > - > - @param[in, out] DataSize On input, the size of Data buffer in = bytes. > - On output, the size of data returned = in Data > - buffer in bytes. > - @param[in, out] Data On input, Pointer to data buffer to b= e > wrapped or > - pointer to NULL to wrap an empty payl= oad. > - On output, Pointer to the new payload= date buffer > allocated from pool, > - it's caller's responsibility to free = the memory when finish > using it. > - > - @retval EFI_SUCCESS Create time based payload successfull= y. > - @retval EFI_OUT_OF_RESOURCES There are not enough memory > resources to create time based payload. > - @retval EFI_INVALID_PARAMETER The parameter is invalid. > - @retval Others Unexpected error happens. > - > -**/ > -EFI_STATUS > -CreateTimeBasedPayload ( > - IN OUT UINTN *DataSize, > - IN OUT UINT8 **Data > - ) > -{ > - EFI_STATUS Status; > - UINT8 *NewData; > - UINT8 *Payload; > - UINTN PayloadSize; > - EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; > - UINTN DescriptorSize; > - EFI_TIME Time; > - > - if (Data =3D=3D NULL || DataSize =3D=3D NULL) { > - return EFI_INVALID_PARAMETER; > - } > - > - // > - // In Setup mode or Custom mode, the variable does not need to be sign= ed > but the > - // parameters to the SetVariable() call still need to be prepared as > authenticated > - // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor > without certificate > - // data in it. > - // > - Payload =3D *Data; > - PayloadSize =3D *DataSize; > - > - DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, > AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); > - NewData =3D (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize); > - if (NewData =3D=3D NULL) { > - return EFI_OUT_OF_RESOURCES; > - } > - > - if ((Payload !=3D NULL) && (PayloadSize !=3D 0)) { > - CopyMem (NewData + DescriptorSize, Payload, PayloadSize); > - } > - > - DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); > - > - ZeroMem (&Time, sizeof (EFI_TIME)); > - Status =3D gRT->GetTime (&Time, NULL); > - if (EFI_ERROR (Status)) { > - FreePool(NewData); > - return Status; > - } > - Time.Pad1 =3D 0; > - Time.Nanosecond =3D 0; > - Time.TimeZone =3D 0; > - Time.Daylight =3D 0; > - Time.Pad2 =3D 0; > - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); > - > - DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF > (WIN_CERTIFICATE_UEFI_GUID, CertData); > - DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200; > - DescriptorData->AuthInfo.Hdr.wCertificateType =3D > WIN_CERT_TYPE_EFI_GUID; > - CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); > - > - if (Payload !=3D NULL) { > - FreePool(Payload); > - } > - > - *DataSize =3D DescriptorSize + PayloadSize; > - *Data =3D NewData; > - return EFI_SUCCESS; > -} > - > -/** > - Internal helper function to delete a Variable given its name and GUID,= NO > authentication > - required. > - > - @param[in] VariableName Name of the Variable. > - @param[in] VendorGuid GUID of the Variable. > - > - @retval EFI_SUCCESS Variable deleted successfully. > - @retval Others The driver failed to start the device= . > - > -**/ > -EFI_STATUS > -DeleteVariable ( > - IN CHAR16 *VariableName, > - IN EFI_GUID *VendorGuid > - ) > -{ > - EFI_STATUS Status; > - VOID* Variable; > - UINT8 *Data; > - UINTN DataSize; > - UINT32 Attr; > - > - GetVariable2 (VariableName, VendorGuid, &Variable, NULL); > - if (Variable =3D=3D NULL) { > - return EFI_SUCCESS; > - } > - FreePool (Variable); > - > - Data =3D NULL; > - DataSize =3D 0; > - Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS > | EFI_VARIABLE_BOOTSERVICE_ACCESS > - | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; > - > - Status =3D CreateTimeBasedPayload (&DataSize, &Data); > - if (EFI_ERROR (Status)) { > - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", > Status)); > - return Status; > - } > - > - Status =3D gRT->SetVariable ( > - VariableName, > - VendorGuid, > - Attr, > - DataSize, > - Data > - ); > - if (Data !=3D NULL) { > - FreePool (Data); > - } > - return Status; > -} > - > -/** > - > - Set the platform secure boot mode into "Custom" or "Standard" mode. > - > - @param[in] SecureBootMode New secure boot mode: > STANDARD_SECURE_BOOT_MODE or > - CUSTOM_SECURE_BOOT_MODE. > - > - @return EFI_SUCCESS The platform has switched to the sp= ecial > mode successfully. > - @return other Fail to operate the secure boot mod= e. > - > -**/ > -EFI_STATUS > -SetSecureBootMode ( > - IN UINT8 SecureBootMode > - ) > -{ > - return gRT->SetVariable ( > - EFI_CUSTOM_MODE_NAME, > - &gEfiCustomModeEnableGuid, > - EFI_VARIABLE_NON_VOLATILE | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > - sizeof (UINT8), > - &SecureBootMode > - ); > -} > - > /** > This code checks if the encode type and key strength of X.509 > certificate is qualified. > @@ -646,32 +485,6 @@ ON_EXIT: > return Status; > } >=20 > -/** > - Remove the PK variable. > - > - @retval EFI_SUCCESS Delete PK successfully. > - @retval Others Could not allow to delete PK. > - > -**/ > -EFI_STATUS > -DeletePlatformKey ( > - VOID > -) > -{ > - EFI_STATUS Status; > - > - Status =3D SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); > - if (EFI_ERROR (Status)) { > - return Status; > - } > - > - Status =3D DeleteVariable ( > - EFI_PLATFORM_KEY_NAME, > - &gEfiGlobalVariableGuid > - ); > - return Status; > -} > - > /** > Enroll a new KEK item from public key storing file (*.pbk). >=20 > diff --git > a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni > b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni > new file mode 100644 > index 0000000000..2c51e4db53 > --- /dev/null > +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.un > +++ i > @@ -0,0 +1,16 @@ > +// /** @file > +// > +// Provides initialization of Secure Boot keys and databases. > +// > +// Copyright (c) 2021, ARM Ltd. All rights reserved.
// Copyright > +(c) 2021, Semihalf All rights reserved.
// // > +SPDX-License-Identifier: BSD-2-Clause-Patent // // **/ > + > + > +#string STR_MODULE_ABSTRACT #language en-US "Provides functi= on > to initialize PK, KEK and databases based on default variables." > + > +#string STR_MODULE_DESCRIPTION #language en-US "Provides > function to initialize PK, KEK and databases based on default variables." > + > -- > 2.25.1