From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <shifeix.a.lu@intel.com>
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 71DC0821BC
 for <edk2-devel@lists.01.org>; Tue, 21 Feb 2017 22:34:33 -0800 (PST)
Received: from fmsmga003.fm.intel.com ([10.253.24.29])
 by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 21 Feb 2017 22:34:32 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.35,193,1484035200"; d="scan'208";a="827075624"
Received: from shwdeopenpsi011.ccr.corp.intel.com (HELO SHWDEOPENPSI011.local)
 ([10.239.9.14])
 by FMSMGA003.fm.intel.com with SMTP; 21 Feb 2017 22:34:31 -0800
Date: Tue, 21 Feb 2017 22:15:09 -0800
From: lushifex <shifeix.a.lu@intel.com>
CC: david.wei@intel.com;
Sender: lushifex <shifeix.a.lu@intel.com>
To: edk2-devel@lists.01.org
Message-ID: <f43dce21-f15f-465a-9b29-2329f60cb1cc@SHWDEOPENPSI011.local>
X-Mailer: TortoiseGit
MIME-Version: 1.0
Subject: [Patch][edk2-platforms/devel-MinnowBoard3] Enable Secure Boot.
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2017 06:34:33 -0000
Content-Type: text/plain; 

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: lushifex <shifeix.a.lu@intel.com>
---
 .../PlatformSecureDefaultsLib.c                    | 952 ---------------------
 .../PlatformSecureDefaultsLib.inf                  |  69 --
 .../Common/PlatformSettings/PlatformDxe/Platform.c |  17 +-
 .../PlatformSettings/PlatformDxe/PlatformDxe.inf   |   3 +-
 .../PlatformSetupDxe/PlatformSetupDxe.c            |  39 +-
 .../PlatformSetupDxe/PlatformSetupDxe.inf          |   3 +-
 .../PlatformSettings/PlatformSetupDxe/Security.vfi |  37 +-
 .../PlatformSetupDxe/SetupInfoRecords.c            |  89 +-
 .../PlatformSetupDxe/VfrStrings.uni                | Bin 315770 -> 311660 bytes
 .../BroxtonPlatformPkg/PlatformDsc/Components.dsc  |  18 +-
 .../PlatformDsc/LibraryClasses.dsc                 |   2 -
 Platform/BroxtonPlatformPkg/PlatformPkg.fdf        |  11 +-
 12 files changed, 69 insertions(+), 1171 deletions(-)
 delete mode 100644 Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c
 delete mode 100644 Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf

diff --git a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c b/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c
deleted file mode 100644
index 2cdd01d..0000000
--- a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.c
+++ /dev/null
@@ -1,952 +0,0 @@
-/** @file
-  IPC based PlatformFvbLib library instance.
-
-  Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
-
-  This program and the accompanying materials
-  are licensed and made available under the terms and conditions of the BSD License
-  which accompanies this distribution.  The full text of the license may be found at
-  http://opensource.org/licenses/bsd-license.php.
-
-  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "Library/PlatformSecureDefaultsLib.h"
-#include <Guid/AuthenticatedVariableFormat.h>
-#include <Guid/SetupVariable.h>
-
-EFI_GUID mUefiImageSecurityDBGuid        = EFI_IMAGE_SECURITY_DATABASE_GUID;
-EFI_GUID mUefiCertTypeRsa2048Guid        = EFI_CERT_RSA2048_GUID;
-
-#define WIN_CERT_UEFI_RSA2048_SIZE        256
-#define EFI_SECURE_BOOT_ENABLE_NAME       L"SecureBootEnable"
-
-extern EFI_GUID mUefiCertTypeRsa2048Guid;
-extern EFI_GUID gEfiSecureBootEnableDisableGuid;
-
-EFI_GUID gOwnerSignatureGUID         = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}};
-static EFI_GUID  gDbxUpdateImageGuid = {0xa3d48bb3, 0x350f, 0x4bcd, 0xa4, 0xad, 0x44, 0x5b, 0x93, 0x9f, 0x6d, 0x9c };
-
-/**
-  Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
-  descriptor with the input data. NO authentication is required in this function.
-
-  @param[in, out]   DataSize                 On input, the size of Data buffer in bytes.
-                                             On output, the size of data returned in Data
-                                             buffer in bytes.
-  @param[in, out]   Data                     On input, Pointer to data buffer to be wrapped or
-                                             pointer to NULL to wrap an empty payload.
-                                             On output, Pointer to the new payload date buffer allocated from pool,
-                                             it's caller's responsibility to free the memory when finish using it.
-
-  @retval           EFI_SUCCESS              Create time based payload successfully.
-  @retval           EFI_OUT_OF_RESOURCES     There are not enough memory resourses to create time based payload.
-  @retval           EFI_INVALID_PARAMETER    The parameter is invalid.
-  @retval           Others                   Unexpected error happens.
-
-**/
-EFI_STATUS
-CreateTimeBasedPayload (
-  IN OUT UINTN            *DataSize,
-  IN OUT UINT8            **Data
-  )
-{
-  EFI_STATUS                       Status;
-  UINT8                            *NewData;
-  UINT8                            *Payload;
-  UINTN                            PayloadSize;
-  EFI_VARIABLE_AUTHENTICATION_2    *DescriptorData;
-  UINTN                            DescriptorSize;
-  EFI_TIME                         Time;
-
-  if (Data == NULL || DataSize == NULL) {
-    return EFI_INVALID_PARAMETER;
-  }
-
-  //
-  // In Setup mode or Custom mode, the variable does not need to be signed but the
-  // parameters to the SetVariable() call still need to be prepared as authenticated
-  // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
-  // data in it.
-  //
-  Payload     = *Data;
-  PayloadSize = *DataSize;
-
-  DescriptorSize    = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
-  NewData = (UINT8 *) AllocateZeroPool (DescriptorSize + PayloadSize);
-  if (NewData == NULL) {
-    return EFI_OUT_OF_RESOURCES;
-  }
-
-  if ((Payload != NULL) && (PayloadSize != 0)) {
-    CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
-  }
-
-  DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
-
-  ZeroMem (&Time, sizeof (EFI_TIME));
-  Status = gRT->GetTime (&Time, NULL);
-  if (EFI_ERROR (Status)) {
-    FreePool(NewData);
-    return Status;
-  }
-  Time.Pad1       = 0;
-  Time.Nanosecond = 0;
-  Time.TimeZone   = 0;
-  Time.Daylight   = 0;
-  Time.Pad2       = 0;
-  CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
-
-  DescriptorData->AuthInfo.Hdr.dwLength         = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
-  DescriptorData->AuthInfo.Hdr.wRevision        = 0x0200;
-  DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
-  CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
-
-  if (Payload != NULL) {
-    FreePool(Payload);
-  }
-
-  *DataSize = DescriptorSize + PayloadSize;
-  *Data     = NewData;
-  return EFI_SUCCESS;
-}
-
-
-/**
-  Generate the PK signature list from the X509 Certificate storing file (.cer)
-
-  @param[in]   X509Data                   FileHandle of X509 Certificate storing file.
-  @param[in]   X509DataSize               The size of fileHandle of X509 Certificate storing file.
-  @param[out]  PkCert                     Point to the data buffer to store the signature list.
-
-  @retval      EFI_UNSUPPORTED            Unsupported Key Length.
-  @retval      EFI_OUT_OF_RESOURCES       There are not enough memory resourses to form the signature list.
-
-**/
-EFI_STATUS
-CreatePkX509SignatureList (
-  IN    UINT8                       *X509Data,
-  IN    UINTN                       X509DataSize,
-  OUT   EFI_SIGNATURE_LIST          **PkCert
-  )
-{
-  EFI_STATUS              Status;
-  EFI_SIGNATURE_DATA      *PkCertData;
-
-  PkCertData = NULL;
-  Status = EFI_SUCCESS;
-  ASSERT (X509Data != NULL);
-
-  //
-  // Allocate space for PK certificate list and initialize it.
-  // Create PK database entry with SignatureHeaderSize equals 0.
-  //
-  *PkCert = (EFI_SIGNATURE_LIST *) AllocateZeroPool (
-              sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1
-              + X509DataSize
-              );
-  if (*PkCert == NULL) {
-    Status = EFI_OUT_OF_RESOURCES;
-    goto ON_EXIT;
-  }
-
-  (*PkCert)->SignatureListSize   = (UINT32) (sizeof (EFI_SIGNATURE_LIST)
-                                    + sizeof (EFI_SIGNATURE_DATA) - 1
-                                    + X509DataSize);
-  (*PkCert)->SignatureSize       = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
-  (*PkCert)->SignatureHeaderSize = 0;
-  CopyGuid (&(*PkCert)->SignatureType, &gEfiCertX509Guid);
-  PkCertData                     = (EFI_SIGNATURE_DATA *) ((UINTN) (*PkCert)
-                                                          + sizeof (EFI_SIGNATURE_LIST)
-                                                          + (*PkCert)->SignatureHeaderSize);
-  CopyGuid (&PkCertData->SignatureOwner, &gEfiGlobalVariableGuid);
-  //
-  // Fill the PK database with PKpub data from X509 certificate file.
-  //
-  CopyMem (&(PkCertData->SignatureData[0]), X509Data, X509DataSize);
-
-ON_EXIT:
-
-  if (EFI_ERROR(Status) && *PkCert != NULL) {
-    FreePool (*PkCert);
-    *PkCert = NULL;
-  }
-
-  return Status;
-}
-
-
-EFI_STATUS
-EnrollPlatformKey (
-  IN  VOID             *Buf,
-  IN  UINTN             BufSize
-  )
-{
-  EFI_STATUS                      Status;
-  UINT32                          Attr;
-  UINTN                           DataSize;
-  EFI_SIGNATURE_LIST              *PkCert;
-
-  PkCert = NULL;
-
-  //
-  // Prase the selected PK file and generature PK certificate list.
-  //
-  Status = CreatePkX509SignatureList (
-             Buf,
-             BufSize,
-             &PkCert
-             );
-
-  if (EFI_ERROR (Status)) {
-    goto ON_EXIT;
-  }
-  ASSERT (PkCert != NULL);
-
-  //
-  // Set Platform Key variable.
-  //
-  Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
-          | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-  DataSize = PkCert->SignatureListSize;
-  Status = CreateTimeBasedPayload (&DataSize, (UINT8 **) &PkCert);
-  if (EFI_ERROR (Status)) {
-    DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
-    goto ON_EXIT;
-  }
-
-  Status = gRT->SetVariable (
-                  EFI_PLATFORM_KEY_NAME,
-                  &gEfiGlobalVariableGuid,
-                  Attr,
-                  DataSize,
-                  PkCert
-                  );
-  if (EFI_ERROR (Status)) {
-    if (Status == EFI_OUT_OF_RESOURCES) {
-      DEBUG ((EFI_D_ERROR, "Enroll PK failed with out of resource.\n"));
-    }
-    goto ON_EXIT;
-  }
-
-ON_EXIT:
-
-  if (PkCert != NULL) {
-    FreePool (PkCert);
-  }
-
-  return Status;
-}
-
-
-/**
-  Enroll a new KEK item from X509 certificate file.
-
-  @param[in] PrivateData            The module's private data.
-
-  @retval    EFI_SUCCESS            New X509 is enrolled successfully.
-  @retval    EFI_INVALID_PARAMETER  The parameter is invalid.
-  @retval    EFI_UNSUPPORTED        Unsupported command.
-  @retval    EFI_OUT_OF_RESOURCES   Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollX509ToKek (
-  VOID                *X509Data,
-  UINTN                X509DataSize
-  )
-{
-  EFI_STATUS                        Status;
-  EFI_SIGNATURE_DATA                *KEKSigData;
-  EFI_SIGNATURE_LIST                *KekSigList;
-  UINTN                             DataSize;
-  UINTN                             KekSigListSize;
-  UINT32                            Attr;
-
-  KekSigList     = NULL;
-  KekSigListSize = 0;
-  DataSize       = 0;
-  KEKSigData     = NULL;
-
-  ASSERT (X509Data != NULL);
-
-  KekSigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize;
-  KekSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (KekSigListSize);
-  if (KekSigList == NULL) {
-    Status = EFI_OUT_OF_RESOURCES;
-    goto ON_EXIT;
-  }
-
-  //
-  // Fill Certificate Database parameters.
-  //
-  KekSigList->SignatureListSize   = (UINT32) KekSigListSize;
-  KekSigList->SignatureHeaderSize = 0;
-  KekSigList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
-  CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid);
-
-  KEKSigData = (EFI_SIGNATURE_DATA *) ((UINT8 *) KekSigList + sizeof (EFI_SIGNATURE_LIST));
-  CopyGuid (&KEKSigData->SignatureOwner, &gOwnerSignatureGUID);
-  CopyMem (KEKSigData->SignatureData, X509Data, X509DataSize);
-
-  //
-  // Check if KEK been already existed.
-  // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
-  // new kek to original variable
-  //
-  Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
-          | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-  Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8 **) &KekSigList);
-  if (EFI_ERROR (Status)) {
-    DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
-    goto ON_EXIT;
-  }
-
-  Status = gRT->GetVariable(
-                  EFI_KEY_EXCHANGE_KEY_NAME,
-                  &gEfiGlobalVariableGuid,
-                  NULL,
-                  &DataSize,
-                  NULL
-                  );
-  if (Status == EFI_BUFFER_TOO_SMALL) {
-    Attr |= EFI_VARIABLE_APPEND_WRITE;
-  } else if (Status != EFI_NOT_FOUND) {
-    goto ON_EXIT;
-  }
-
-  Status = gRT->SetVariable(
-                  EFI_KEY_EXCHANGE_KEY_NAME,
-                  &gEfiGlobalVariableGuid,
-                  Attr,
-                  KekSigListSize,
-                  KekSigList
-                  );
-  if (EFI_ERROR (Status)) {
-    goto ON_EXIT;
-  }
-
-ON_EXIT:
-
-  if (KekSigList != NULL) {
-    FreePool (KekSigList);
-  }
-
-  return Status;
-}
-
-
-/**
-  Enroll new KEK into the System without PK's authentication.
-  The SignatureOwner GUID will be Private->SignatureGUID.
-
-  @param[in] PrivateData            The module's private data.
-
-  @retval    EFI_SUCCESS            New KEK enrolled successful.
-  @retval    EFI_INVALID_PARAMETER  The parameter is invalid.
-  @retval    others                 Fail to enroll KEK data.
-
-**/
-EFI_STATUS
-EnrollKeyExchangeKey (
-  IN VOID                  *DataBuf,
-  IN UINTN                 BufSize
-  )
-{
-  return EnrollX509ToKek (DataBuf, BufSize);
-}
-
-
-EFI_STATUS
-EnrollX509toForbSigDB (
-  IN CHAR16                         *VariableName,
-  IN VOID                           *X509Data,
-  IN UINTN                          X509DataSize
-  )
-{
-  EFI_STATUS                        Status;
-  VOID                              *Data;
-  UINTN                             SigDBSize;
-  UINT32                            Attr;
-  UINTN                             DataSize;
-
-  SigDBSize     = 0;
-  DataSize      = 0;
-  Data          = NULL;
-
-  ASSERT (X509Data != NULL);
-
-  SigDBSize = X509DataSize;
-
-  Data = AllocateZeroPool (SigDBSize);
-  if (Data == NULL) {
-    Status = EFI_OUT_OF_RESOURCES;
-    goto ON_EXIT;
-  }
-
-  CopyMem ((UINT8 *) Data, X509Data, X509DataSize);
-
-  Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
-          | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-
-  //
-  // Check if signature database entry has been already existed.
-  // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
-  // new signature data to original variable
-  //
-  Status = gRT->GetVariable(
-                  VariableName,
-                  &gEfiImageSecurityDatabaseGuid,
-                  NULL,
-                  &DataSize,
-                  NULL
-                  );
-  if (Status == EFI_BUFFER_TOO_SMALL) {
-    Attr |= EFI_VARIABLE_APPEND_WRITE;
-  } else if (Status != EFI_NOT_FOUND) {
-    goto ON_EXIT;
-  }
-
-  Status = gRT->SetVariable(
-                  VariableName,
-                  &gEfiImageSecurityDatabaseGuid,
-                  Attr,
-                  SigDBSize,
-                  Data
-                  );
-
-  if (EFI_ERROR (Status)) {
-    goto ON_EXIT;
-  }
-
-ON_EXIT:
-
-  if (Data != NULL) {
-    FreePool (Data);
-  }
-
-  return Status;
-}
-
-
-/**
-  Enroll X509 certificate into Forbidden Database (DBX) without
-  KEK's authentication.
-
-  @param[in] VariableName           Variable name of signature database, must be
-  @param[in] *DataBuf               Pointer to Data Buffer
-  @param[in] BufSize                Data Buffer size
-
-  @retval    EFI_SUCCESS            New X509 is enrolled successfully.
-  @retval    EFI_OUT_OF_RESOURCES   Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollKeyForbiddenSignatureDatabase (
-  IN CHAR16                             *VariableName,
-  IN VOID                               *DataBuf,
-  IN UINTN                              BufSize
-  )
-{
-  return EnrollX509toForbSigDB (VariableName, DataBuf, BufSize);
-}
-
-
-/**
-  Enroll a new X509 certificate into Signature Database (DB or DBX) without
-  KEK's authentication.
-
-  @param[in] PrivateData            The module's private data.
-  @param[in] VariableName           Variable name of signature database, must be
-                                    EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1.
-
-  @retval    EFI_SUCCESS            New X509 is enrolled successfully.
-  @retval    EFI_OUT_OF_RESOURCES   Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollX509toSigDB (
-  IN CHAR16                         *VariableName,
-  IN VOID                           *X509Data,
-  IN UINTN                          X509DataSize
-  )
-{
-  EFI_STATUS                        Status;
-  EFI_SIGNATURE_LIST                *SigDBCert;
-  EFI_SIGNATURE_DATA                *SigDBCertData;
-  VOID                              *Data;
-  UINTN                             DataSize;
-  UINTN                             SigDBSize;
-  UINT32                            Attr;
-
-  SigDBSize     = 0;
-  DataSize      = 0;
-  SigDBCert     = NULL;
-  SigDBCertData = NULL;
-  Data          = NULL;
-
-  ASSERT (X509Data != NULL);
-
-  SigDBSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize;
-
-  Data = AllocateZeroPool (SigDBSize);
-  if (Data == NULL) {
-    Status = EFI_OUT_OF_RESOURCES;
-    goto ON_EXIT;
-  }
-
-  //
-  // Fill Certificate Database parameters.
-  //
-  SigDBCert = (EFI_SIGNATURE_LIST *) Data;
-  SigDBCert->SignatureListSize   = (UINT32) SigDBSize;
-  SigDBCert->SignatureHeaderSize = 0;
-  SigDBCert->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
-  CopyGuid (&SigDBCert->SignatureType, &gEfiCertX509Guid);
-
-  SigDBCertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) SigDBCert + sizeof (EFI_SIGNATURE_LIST));
-  CopyGuid (&SigDBCertData->SignatureOwner, &gOwnerSignatureGUID);
-  CopyMem ((UINT8 *) (SigDBCertData->SignatureData), X509Data, X509DataSize);
-
-  //
-  // Check if signature database entry has been already existed.
-  // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
-  // new signature data to original variable
-  //
-  Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
-          | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-  Status = CreateTimeBasedPayload (&SigDBSize, (UINT8 **) &Data);
-  if (EFI_ERROR (Status)) {
-    DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
-    goto ON_EXIT;
-  }
-
-  Status = gRT->GetVariable(
-                  VariableName,
-                  &gEfiImageSecurityDatabaseGuid,
-                  NULL,
-                  &DataSize,
-                  NULL
-                  );
-  if (Status == EFI_BUFFER_TOO_SMALL) {
-    Attr |= EFI_VARIABLE_APPEND_WRITE;
-  } else if (Status != EFI_NOT_FOUND) {
-    goto ON_EXIT;
-  }
-
-  Status = gRT->SetVariable(
-                  VariableName,
-                  &gEfiImageSecurityDatabaseGuid,
-                  Attr,
-                  SigDBSize,
-                  Data
-                  );
-  if (EFI_ERROR (Status)) {
-    goto ON_EXIT;
-  }
-
-ON_EXIT:
-
-  if (Data != NULL) {
-    FreePool (Data);
-  }
-
-  return Status;
-}
-
-
-EFI_STATUS
-EnrollSignatureDatabase (
-  IN CHAR16                             *VariableName,
-  IN VOID                               *DataBuf,
-  IN UINTN                              BufSize
-  )
-{
-  return EnrollX509toSigDB (VariableName, DataBuf, BufSize);
-}
-
-
-/**
-  Function to Load Secure Keys given the binary GUID
-
-  @param[in]      VendorGuid       GUID of the Variable.
-  @param[in]      VariableName     Name of the Variable.
-  @param[in]      VendorGuid       GUID of the Variable.
-
-  @retval         EFI_SUCCESS      Set the variable successfully.
-  @retval         Others           Set variable failed.
-
-**/
-EFI_STATUS
-SetSecureVariabeKeys (
-  IN  EFI_GUID                  *ImageGuid,
-  IN  CHAR16                    *VariableName,
-  IN  EFI_GUID                  *VendorGuid
-  )
-{
-  EFI_STATUS                     Status;
-  EFI_FIRMWARE_VOLUME2_PROTOCOL  *Fv;
-  UINTN                          FvProtocolCount;
-  EFI_HANDLE                     *FvHandles;
-  UINTN                          Index1;
-  UINT32                         AuthenticationStatus;
-  UINT8                          *Buffer=NULL;
-  UINTN                          BufferSize=0;
-  UINT32                         Attr;
-
-  Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS;
-
-  FvHandles = NULL;
-
-  Status = gBS->LocateHandleBuffer (
-                  ByProtocol,
-                  &gEfiFirmwareVolume2ProtocolGuid,
-                  NULL,
-                  &FvProtocolCount,
-                  &FvHandles
-                  );
-
-  if (!EFI_ERROR (Status)) {
-    for (Index1 = 0; Index1 < FvProtocolCount; Index1++) {
-      Status = gBS->HandleProtocol (
-                      FvHandles[Index1],
-                      &gEfiFirmwareVolume2ProtocolGuid,
-                      (VOID **) &Fv
-                      );
-      BufferSize= 0;
-
-      Status = Fv->ReadSection (
-                     Fv,
-                     ImageGuid,
-                     EFI_SECTION_RAW,
-                     0,
-                     (VOID **) &Buffer,
-                     &BufferSize,
-                     &AuthenticationStatus
-                     );
-
-      if (!EFI_ERROR (Status)) {
-        Status = EFI_SUCCESS;
-        break;
-      }
-    }
-  }
-
-  if (Buffer == NULL)
-    return EFI_UNSUPPORTED;
-  if (StrCmp (VariableName, L"PK") == 0){
-    Status = EnrollPlatformKey (Buffer, BufferSize);
-  } else if (StrCmp (VariableName, L"KEK") == 0) {
-    Status = EnrollKeyExchangeKey (Buffer, BufferSize);
-  } else if (CompareGuid (ImageGuid, &gDbxUpdateImageGuid)) {
-    Status = EnrollKeyForbiddenSignatureDatabase (VariableName,Buffer, BufferSize);
-  } else {
-    Status = EnrollSignatureDatabase (VariableName, Buffer, BufferSize);
-  }
-  return Status;
-}
-
-
-/**
-  Internal function to Update User Mode to Setup Mode given its name and GUID, no authentication
-  required.
-
-  @param[in]      VariableName            Name of the Variable.
-  @param[in]      VendorGuid              GUID of the Variable.
-
-  @retval         EFI_SUCCESS             Updated to Setup Mode successfully.
-  @retval         Others                  The driver failed to start the device.
-
-**/
-EFI_STATUS
-UpdateSetupModetoUserMode (
-  IN  CHAR16                    *VariableName,
-  IN  EFI_GUID                  *VendorGuid
-  )
-{
-  EFI_STATUS     Status;
-  VOID*          Variable;
-  UINT8          SetupMode;
-  UINT8          SecureBootEnable;
-
-  SetupMode = 0;
-  SecureBootEnable = 1;
-
-  GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
-  if (Variable == NULL) {
-    return EFI_SUCCESS;
-  }
-
-  Status = gRT->SetVariable (
-                  VariableName,
-                  VendorGuid,
-                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
-                  1,
-                  &SetupMode
-                  );
-
-  if (!EFI_ERROR (Status)) {
-    Status = gRT->SetVariable (
-                    EFI_SECURE_BOOT_ENABLE_NAME,
-                    &gEfiSecureBootEnableDisableGuid,
-                    EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
-                    sizeof (UINT8),
-                    &SecureBootEnable
-                    );
-  }
-  return Status;
-}
-
-
-/**
-  Enrolls PK, KEK, Db and Dbx.
-
-  Note: Setup variable uses UEFI Runtime Services.
-        Do not call this function from PEI.
-
-**/
-VOID
-EnrollKeys (
-  VOID
-  )
-{
-  EFI_STATUS              Status;
-  UINT8                   SecureBootCstMde;
-  UINTN                   DataSize;
-  SYSTEM_CONFIGURATION    SystemConfiguration;
-  UINTN                   VarSize;
-
-  EFI_GUID  KekImageGuid  = { 0x5d354a1f, 0x98d7, 0x4938, 0x8f, 0x18, 0xf8, 0x4e, 0x1c, 0x89, 0xb2, 0xed };
-  EFI_GUID  Db1ImageGuid  = { 0x4de09060, 0x5864, 0x471a, 0xb3, 0x52, 0xd4, 0x50, 0x6e, 0xd7, 0xbb, 0xb0 };
-  EFI_GUID  DbxImageGuid  = { 0x96b44e98, 0x6c49, 0x4c03, 0xa8, 0xa4, 0x77, 0x93, 0xef, 0x41, 0x68, 0x5a };
-  EFI_GUID  PkImageGuid   = { 0xc43024ad, 0x8cb8, 0x4393, 0x8a, 0xe1, 0xf3, 0x5c, 0xbf, 0xc7, 0xcd, 0x56 };
-  EFI_GUID  Db2ImageGuid  = { 0x0f97c7a2, 0xba0c, 0x4e8a, 0x90, 0xf9, 0xb1, 0xcc, 0x40, 0x57, 0x01, 0xf8 };
-  EFI_GUID  Db3ImageGuid  = { 0x774491b2, 0x85ff, 0x47b0, 0x89, 0xa4, 0xcc, 0xd8, 0xb3, 0x99, 0xaa, 0xd4 };
-  EFI_GUID  Kek2ImageGuid = { 0xE989363D, 0x449F, 0x4b32, 0x96, 0xB0, 0xB2, 0x71, 0x73, 0x44, 0xD0, 0xEE };
-  EFI_GUID  Db4ImageGuid  = { 0xB69B054C, 0x7EA4, 0x4f13, 0xB7, 0xFF, 0x72, 0xC6, 0x32, 0x3B, 0xC8, 0x5A };
-  EFI_GUID  Db5ImageGuid  = { 0xB8FA2839, 0xE0C1, 0x4368, 0xA5, 0x1B, 0x5F, 0x4A, 0x21, 0x74, 0x61, 0x29 };
-  EFI_GUID  Db6ImageGuid  = { 0x758FBB84, 0xEF4C, 0x4acf, 0xB1, 0xA6, 0xE8, 0x44, 0xD5, 0xFF, 0x6B, 0xA6 };
-
-  VarSize = sizeof (SYSTEM_CONFIGURATION);
-  Status = gRT->GetVariable (
-                  L"Setup",
-                  &gEfiSetupVariableGuid,
-                  NULL,
-                  &VarSize,
-                  &SystemConfiguration
-                  );
-
-  ASSERT_EFI_ERROR (Status);
-
-  //
-  // Enroll Key Exchange Key
-  //
-  SetSecureVariabeKeys (&KekImageGuid, EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid);
-  if (!(SystemConfiguration.UseProductKey)) {
-    SetSecureVariabeKeys (&Kek2ImageGuid, EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid);
-    //
-    // Enroll Authenticated database.
-    //
-    SetSecureVariabeKeys (&Db1ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
-    SetSecureVariabeKeys (&Db4ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
-    SetSecureVariabeKeys (&Db5ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
-    SetSecureVariabeKeys (&Db6ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
-    //
-    // Enroll Platform Key - 219_Microsoft_UEFI_Logo_Test_KEK.cer for WOS and common_PK.x509.cer for AOS
-    //
-    SetSecureVariabeKeys (&PkImageGuid, EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid);
-  } else {
-    //
-    // Enroll Platform Key - KEK_MSFTproductionKekCA.cer
-    //
-    SetSecureVariabeKeys (&KekImageGuid, EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid);
-  }
-  SetSecureVariabeKeys (&Db2ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
-  SetSecureVariabeKeys (&Db3ImageGuid, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
-  //
-  //Enroll Forbidden  Database
-  //
-  SetSecureVariabeKeys (&DbxImageGuid, EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid);
-  SetSecureVariabeKeys (&gDbxUpdateImageGuid, EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid);
-
-  //
-  // If secure boot mode in custom mode, change to standard mode.
-  //
-  Status = gRT->GetVariable (
-                  EFI_CUSTOM_MODE_NAME,
-                  &gEfiCustomModeEnableGuid,
-                  NULL,
-                  &DataSize,
-                  &SecureBootCstMde
-                  );
-
-  if (SecureBootCstMde) {
-    SecureBootCstMde = !SecureBootCstMde;
-    Status = gRT->SetVariable (
-                    EFI_CUSTOM_MODE_NAME,
-                    &gEfiCustomModeEnableGuid,
-                    EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
-                    sizeof (UINT8),
-                    &SecureBootCstMde
-                    );
-  }
-}
-
-
-/**
-  Internal function to delete a Variable given its name and GUID, no authentication
-  required.
-
-  @param[in]      VariableName             Name of the Variable.
-  @param[in]      VendorGuid               GUID of the Variable.
-
-  @retval         EFI_SUCCESS              Variable deleted successfully.
-  @retval         Others                   The driver failed to start the device.
-
-**/
-EFI_STATUS
-DeleteVariable (
-  IN  CHAR16                    *VariableName,
-  IN  EFI_GUID                  *VendorGuid
-  )
-{
-  EFI_STATUS              Status;
-  VOID*                   Variable;
-  UINT8                   *Data;
-  UINTN                   DataSize;
-  UINT32                  Attr;
-
-  GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
-  if (Variable == NULL) {
-    return EFI_SUCCESS;
-  }
-
-  Data     = NULL;
-  DataSize = 0;
-  Attr     = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
-             | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-
-  Status = CreateTimeBasedPayload (&DataSize, &Data);
-  if (EFI_ERROR (Status)) {
-    DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
-    return Status;
-  }
-
-  Status = gRT->SetVariable (
-                  VariableName,
-                  VendorGuid,
-                  Attr,
-                  DataSize,
-                  Data
-                  );
-  if (Data != NULL) {
-    FreePool (Data);
-  }
-  return Status;
-}
-
-
-/**
-  Internal function to Update User Mode to Setup Mode given its name and GUID, no authentication
-  required.
-
-  @param[in]      VariableName             Name of the Variable.
-  @param[in]      VendorGuid               GUID of the Variable.
-
-  @retval         EFI_SUCCESS              Updated to Setup Mode successfully.
-  @retval         Others                   The driver failed to start the device.
-
-**/
-EFI_STATUS
-UpdateUserModetoSetupMode (
-  IN  CHAR16                    *VariableName,
-  IN  EFI_GUID                  *VendorGuid
-  )
-{
-  EFI_STATUS              Status;
-  VOID*                   Variable;
-  UINT8                   SetupMode;
-  UINT8                   SecureBootDisable;
-
-  SetupMode = 1;
-  SecureBootDisable = 0;
-
-  GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
-  if (Variable == NULL) {
-    return EFI_SUCCESS;
-  }
-
-  Status = gRT->SetVariable (
-                  VariableName,
-                  VendorGuid,
-                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
-                  1,
-                  &SetupMode
-                  );
-
-  if (!EFI_ERROR (Status)) {
-    GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, &Variable, NULL);
-    Status = gRT->SetVariable (
-                    EFI_SECURE_BOOT_ENABLE_NAME,
-                    &gEfiSecureBootEnableDisableGuid,
-                    EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
-                    sizeof (UINT8),
-                    &SecureBootDisable
-                    );
-  }
-  return Status;
-}
-
-
-/**
-  Deletes PK, KEK, Db and Dbx.
-
-**/
-VOID
-DeleteKeys (
-  )
-{
-  //
-  // 1. Clear PK.
-  //
-  DeleteVariable (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid);
-
-  //
-  // 2. Update "SetupMode" variable to SETUP_MODE.
-  //
-  UpdateUserModetoSetupMode (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid);
-
-  //
-  // 3. Clear KEK, DB and DBX.
-  //
-  DeleteVariable (EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid);
-  DeleteVariable (EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid);
-  DeleteVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid);
-}
-
-
-/**
-  Enable Custom Mode.
-
-**/
- VOID
- EnableCustomMode (
-  )
-{
-  UINT8          CustomMode;
-  EFI_STATUS     Status;
-
-  CustomMode = 1;
-
-  Status = gRT->SetVariable (
-                  EFI_CUSTOM_MODE_NAME,
-                  &gEfiCustomModeEnableGuid,
-                  EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
-                  sizeof (UINT8),
-                  &CustomMode
-                  );
-
-}
-
diff --git a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf b/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf
deleted file mode 100644
index 72a001d..0000000
--- a/Platform/BroxtonPlatformPkg/Common/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf
+++ /dev/null
@@ -1,69 +0,0 @@
-## @file
-#  NULL PlatformFvbLib library instance.
-#  This library handles hooks for the EMU Variable FVB driver.
-#
-#  Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR>
-#
-#  This program and the accompanying materials
-#  are licensed and made available under the terms and conditions of the BSD License
-#  which accompanies this distribution. The full text of the license may be found at
-#  http://opensource.org/licenses/bsd-license.php.
-#
-#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
-##
-
-[Defines]
-  INF_VERSION                    = 0x00010005
-  BASE_NAME                      = PlatformSecureDefaultsLib
-  FILE_GUID                      = 402B0508-781A-4016-A1D7-9740FFE001A0
-  MODULE_TYPE                    = BASE
-  VERSION_STRING                 = 1.0
-  LIBRARY_CLASS                  = PlatformSecureDefaultsLib | DXE_DRIVER DXE_RUNTIME_DRIVER
-
-#
-# The following information is for reference only and not required by the build tools.
-#
-#  VALID_ARCHITECTURES           = IA32 X64 IPF EBC
-#
-
-[Sources]
-  PlatformSecureDefaultsLib.c
-
-[Packages]
-  MdePkg/MdePkg.dec
-  MdeModulePkg/MdeModulePkg.dec
-  IntelFrameworkPkg/IntelFrameworkPkg.dec
-  IntelFrameworkModulePkg/IntelFrameworkModulePkg.dec
-  SecurityPkg/SecurityPkg.dec
-  BroxtonPlatformPkg/PlatformPkg.dec
-  BroxtonSiPkg/BroxtonSiPkg.dec
-
-[LibraryClasses]
-  DebugLib
-  DxeServicesTableLib
-  UefiBootServicesTableLib
-  DevicePathLib
-  BaseMemoryLib
-  BaseLib
-  IoLib
-  TimerLib
-  MemoryAllocationLib
-  PcdLib
-
-[Protocols]
-  gEfiFirmwareVolume2ProtocolGuid
-
-[Guids]
-  gEfiGlobalVariableGuid                        ## PRODUCES ## Variable Guid
-  gEfiSetupVariableGuid
-  gEfiVariableGuid
-  gEfiImageSecurityDatabaseGuid
-  gEfiCertX509Guid
-  gEfiCertPkcs7Guid
-  gEfiCustomModeEnableGuid
-
-[Depex]
-  TRUE
-
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platform.c b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platform.c
index 02dcc27..187eb21 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platform.c
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/Platform.c
@@ -1,7 +1,7 @@
 /** @file
   Platform Initialization Driver.
 
-  Copyright (c) 1999 - 2016, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 1999 - 2017, Intel Corporation. All rights reserved.<BR>
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
@@ -641,7 +641,7 @@ InitPlatformResolution (
   PcdSet32S (PcdVideoVerticalResolution, PanelResolution[mSystemConfiguration.IgdFlatPanel].VerticalResolution);
 }
 
-VOID 
+VOID
 OverrideSdCardPresence (
   VOID
   )
@@ -670,7 +670,7 @@ OverrideSdCardPresence (
   } else {
     P2sbMmioBar &= B_P2SB_BAR_BA;
   }
-  
+
   Gpio177PadConfigDW0RegAdd = P2SB_MMIO_ADDR (P2sbMmioBar, SOUTHWEST, 0x5D0);
   Gpio177RxState = MmioRead32(Gpio177PadConfigDW0RegAdd) & BIT1;
   DEBUG ((DEBUG_INFO, "Gpio177PadConfigDW0RegAdd: 0x%X\n", Gpio177PadConfigDW0RegAdd));
@@ -868,11 +868,6 @@ InitializePlatform (
 
   FdoEnabledGuidHob = GetFirstGuidHob (&gFdoModeEnabledHobGuid);
   if (FdoEnabledGuidHob != NULL) {
-    //
-    // Secure boot must be disabled in Flash Descriptor Override (FDO) boot
-    //
-    EnableCustomMode ();
-    DeleteKeys ();
   }
 
 #if (ENBDT_PF_ENABLE == 1) //BXTP
@@ -916,9 +911,9 @@ InitializePlatform (
                   &EfiExitBootServicesEvent
                   );
 
-  
-  OverrideSdCardPresence(); 
-        
+
+  OverrideSdCardPresence();
+
   return EFI_SUCCESS;
 }
 
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/PlatformDxe.inf b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/PlatformDxe.inf
index c2714a6..cf8ca08 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/PlatformDxe.inf
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformDxe/PlatformDxe.inf
@@ -1,7 +1,7 @@
 ## @file
 #  Component description file for platform DXE driver
 #
-#  Copyright (c) 1999 - 2016, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 1999 - 2017, Intel Corporation. All rights reserved.<BR>
 #
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD License
@@ -50,7 +50,6 @@
   UefiBootServicesTableLib
   UefiDriverEntryPoint
   UefiRuntimeServicesTableLib
-  PlatformSecureDefaultsLib
   DxeServicesTableLib
   DebugLib
   HiiLib
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.c b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.c
index 02b03ff..5cbe136 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.c
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.c
@@ -13,7 +13,7 @@
   4. It save all the mapping info in NV variables which will be consumed
      by platform override protocol driver to publish the platform override protocol.
 
-  Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.<BR>
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
@@ -508,43 +508,6 @@ SystemConfigCallback (
         if (Key.UnicodeChar == CHAR_CARRIAGE_RETURN) {
 
         }
-      } else if (KeyValue == 0x1237 /*KEY_CLEAR_KEK_AND_PK*/ ) {
-        //
-        //Delete PK, KEK, DB, DBx
-        //
-        EnableCustomMode ();
-        DeleteKeys ();
-        StrCpyS (StringBuffer1, 200, L"Clear Keys Completed");
-        StrCpyS (StringBuffer2, 200, L"Please Restart System");
-
-        //
-        // Popup a menu to notice user
-        //
-        do {
-          CreatePopUp (EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, &Key, StringBuffer1, StringBuffer2, NULL);
-        } while ((Key.ScanCode != SCAN_ESC) && (Key.UnicodeChar != CHAR_CARRIAGE_RETURN));
-
-        gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL);
-      } else if (KeyValue == 0x1238 /*KEY_LOAD_DEFAULTS_KEYS*/ ) {
-        //
-        // Enroll PK, KEK, DB and DBx
-        //
-        EnrollKeys ();
-        StrCpyS (StringBuffer1, 200, L"Restore Keys Completed");
-        StrCpyS (StringBuffer2, 200, L"Please Restart System");
-
-        //
-        // Popup a notification menu
-        //
-        do {
-          CreatePopUp(EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, &Key, StringBuffer1, StringBuffer2, NULL);
-        } while ((Key.ScanCode != SCAN_ESC) && (Key.UnicodeChar != CHAR_CARRIAGE_RETURN));
-
-        //
-        // Reset the system
-        //
-        gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL);
-
       } else if (KeyValue == 0x1239) {
         //
         // Popup a notification menu
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.inf b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.inf
index 09a16c8..0cbcb71 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.inf
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/PlatformSetupDxe.inf
@@ -16,7 +16,7 @@
 #  4. It save all the mapping info in NV variables for the following boot,
 #     which will be consumed by GetDriver API of the produced the platform override protocol.
 #
-#  Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.<BR>
 #
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD License
@@ -92,7 +92,6 @@
   BiosIdLib
   CpuIA32Lib
   IoLib
-  PlatformSecureDefaultsLib
   BaseIpcLib
   HeciMsgLib
   SteppingLib
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/Security.vfi b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/Security.vfi
index f79e81b..9d0855e 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/Security.vfi
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/Security.vfi
@@ -107,39 +107,6 @@ form formid = SECURITY_CONFIGURATION_FORM_ID,
   endif;
   endif;
 
-  subtitle text = STRING_TOKEN(STR_NULL_STRING);
-
-
-    subtitle text = STRING_TOKEN(STR_NULL_STRING);
-
-  oneof	varid	= Setup.SecureBootCustomMode,
-    prompt	  = STRING_TOKEN(STR_SECURE_BOOT_MODE_PROMPT),
-    help		  = STRING_TOKEN(STR_SECURE_BOOT_MODE_HELP),
-    option text = STRING_TOKEN(STR_SB_STANDARD_MODE), value=0x00, flags = DEFAULT | MANUFACTURING;
-    option text = STRING_TOKEN(STR_SB_CUSTOM_MODE), value=0x01, flags = 0;
-  endoneof;
-  oneof   varid   = Setup.UseProductKey,
-    prompt      = STRING_TOKEN(STR_SECURE_BOOT_PRO_KEY_PROMPT),
-    help        = STRING_TOKEN(STR_SECURE_BOOT_PRO_KEY_HELP),
-    option text = STRING_TOKEN(STR_DEV_KEY), value=0x00, flags = DEFAULT |  RESET_REQUIRED;
-    option text = STRING_TOKEN(STR_PRO_KEY), value=0x01, flags = RESET_REQUIRED;
-  endoneof;
-    text
-      help   = STRING_TOKEN(STR_CLEAR_ALL_KEYS_HELP),
-      text   = STRING_TOKEN(STR_CLEAR_ALL_KEYS),
-      text   = STRING_TOKEN(STR_NULL_STRING),
-      flags  = INTERACTIVE,
-      key    = 0x1237; //KEY_CLEAR_KEK_AND_PK;
-
-    text
-      help   = STRING_TOKEN(STR_LOAD_DEFAULTS_KEYS_HELP),
-      text   = STRING_TOKEN(STR_LOAD_DEFAULTS_KEYS),
-      text   = STRING_TOKEN(STR_NULL_STRING),
-      flags  = INTERACTIVE,
-      key    = 0x1238; //KEY_LOAD_DEFAULTS_KEYS;
-
-  subtitle text = STRING_TOKEN(STR_NULL_STRING);
-
   //
   //TPM related
   //
@@ -154,7 +121,7 @@ form formid = SECURITY_CONFIGURATION_FORM_ID,
     option text = STRING_TOKEN(STR_TPM_DTPM_2_0), value = 0x03, flags = RESET_REQUIRED;
   endoneof;
 
-  suppressif NOT ideqval Setup.TPM == 1; 
+  suppressif NOT ideqval Setup.TPM == 1;
     oneof varid  = Setup.TPMSupportedBanks,
       prompt = STRING_TOKEN(STR_TPM2_PCR_ALLOCATE_PROMPT),
       help   = STRING_TOKEN(STR_TPM2_PCR_ALLOCATE_HELP),
@@ -164,6 +131,6 @@ form formid = SECURITY_CONFIGURATION_FORM_ID,
       option text = STRING_TOKEN(STR_TPM2_PCR_ALLOCATE_BOTH), value = TPM2_SUPPORTED_BANK_BOTH, flags = RESET_REQUIRED;
     endoneof;
   endif;
-  
+
 endform;
 
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/SetupInfoRecords.c b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/SetupInfoRecords.c
index 8f7a534..d504995 100644
--- a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/SetupInfoRecords.c
+++ b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/SetupInfoRecords.c
@@ -1,7 +1,7 @@
 /** @file
   To retrieve various platform info data for Setup menu.
 
-  Copyright (c) 1999 - 2016, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 1999 - 2017, Intel Corporation. All rights reserved.<BR>
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
@@ -47,8 +47,6 @@
 #include "ScAccess.h"
 #include "SetupMode.h"
 
-#define EFI_CUSTOM_MODE_NAME          L"CustomMode"
-extern EFI_GUID gEfiCustomModeEnableGuid;
 
 #define LEFT_JUSTIFY  0x01
 #define PREFIX_SIGN   0x02
@@ -65,7 +63,6 @@ EFI_GUID                        mProcessorProducerGuid;
 EFI_HII_HANDLE                  mHiiHandle;
 SYSTEM_CONFIGURATION            mSystemConfiguration;
 EFI_PLATFORM_INFO_HOB           *mPlatformInfo;
-UINT8                           mUseProductKey = 0;
 
 #define memset SetMem
 
@@ -1720,14 +1717,30 @@ SetupInfo (
 
 VOID
 CheckSystemConfigLoad (
-  SYSTEM_CONFIGURATION *SystemConfigPtr
+  SYSTEM_CONFIGURATION    *SystemConfigPtr
   )
 {
   EFI_STATUS              Status;
   SEC_OPERATION_PROTOCOL  *SeCOp;
   SEC_INFOMATION          SeCInfo;
+  UINT8                   SecureBoot;
+  UINTN                   DataSize;
+
+  DataSize = sizeof (SecureBoot);
+  Status = gRT->GetVariable (
+                  EFI_SECURE_BOOT_MODE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  NULL,
+                  &DataSize,
+                  &SecureBoot
+                  );
+
+  if (EFI_ERROR (Status)) {
+    SystemConfigPtr->SecureBoot = 0;
+  } else {
+    SystemConfigPtr->SecureBoot = SecureBoot;
+  }
 
-  mUseProductKey = SystemConfigPtr->UseProductKey;
   Status = gBS->LocateProtocol (
                   &gEfiSeCOperationProtocolGuid,
                   NULL,
@@ -1787,7 +1800,7 @@ CheckTPMActivePcrBanks (
 
 VOID
 CheckSystemConfigSave (
-  SYSTEM_CONFIGURATION *SystemConfigPtr
+  SYSTEM_CONFIGURATION    *SystemConfigPtr
   )
 {
   EFI_STATUS              Status;
@@ -1795,51 +1808,7 @@ CheckSystemConfigSave (
   SEC_INFOMATION          SeCInfo;
   UINT8                   SecureBootCfg;
   UINTN                   DataSize;
-  UINT8                   CustomMode;
-
-  if (mUseProductKey != SystemConfigPtr->UseProductKey) {
-    EnableCustomMode ();
-    DeleteKeys ();
-    EnrollKeys ();
-  }
-  DataSize = sizeof (CustomMode);
-  Status = gRT->GetVariable (
-                  EFI_CUSTOM_MODE_NAME,
-                  &gEfiCustomModeEnableGuid,
-                  NULL,
-                  &DataSize,
-                  &CustomMode
-                  );
-
-  if (EFI_ERROR (Status)) {
-    DeleteKeys ();
-    EnrollKeys ();
-    DataSize = sizeof (CustomMode);
-    Status = gRT->GetVariable (
-                    EFI_CUSTOM_MODE_NAME,
-                    &gEfiCustomModeEnableGuid,
-                    NULL,
-                    &DataSize,
-                    &CustomMode
-                    );
-  }
-
-  if (CustomMode != SystemConfigPtr->SecureBootCustomMode) {
-    if (CustomMode == 1) {
-      DeleteKeys ();
-      EnrollKeys ();
-      CustomMode = 0;
-    } else {
-      CustomMode = 1;
-      Status = gRT->SetVariable (
-                      EFI_CUSTOM_MODE_NAME,
-                      &gEfiCustomModeEnableGuid,
-                      EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
-                      sizeof (UINT8),
-                      &CustomMode
-                      );
-    }
-  }
+  BOOLEAN                 SecureBootNotFound;
 
   Status = gBS->LocateProtocol (
                   &gEfiSeCOperationProtocolGuid,
@@ -1861,6 +1830,8 @@ CheckSystemConfigSave (
   //
   // Secure Boot configuration changes
   //
+  DataSize = sizeof (SecureBootCfg);
+  SecureBootNotFound = FALSE;
   Status = gRT->GetVariable (
                   EFI_SECURE_BOOT_ENABLE_NAME,
                   &gEfiSecureBootEnableDisableGuid,
@@ -1870,12 +1841,22 @@ CheckSystemConfigSave (
                   );
 
   if (EFI_ERROR (Status)) {
-    SecureBootCfg = 0;
+    SecureBootNotFound = TRUE;
+  }
+
+  if (SecureBootNotFound) {
+    Status = gRT->GetVariable (
+                    EFI_SECURE_BOOT_ENABLE_NAME,
+                    &gEfiSecureBootEnableDisableGuid,
+                    NULL,
+                    &DataSize,
+                    &SecureBootCfg
+                    );
+    ASSERT_EFI_ERROR (Status);
   }
 
   if ((SecureBootCfg) != SystemConfigPtr->SecureBoot) {
     SecureBootCfg = !SecureBootCfg;
-
     Status = gRT->SetVariable (
                     EFI_SECURE_BOOT_ENABLE_NAME,
                     &gEfiSecureBootEnableDisableGuid,
diff --git a/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/VfrStrings.uni b/Platform/BroxtonPlatformPkg/Common/PlatformSettings/PlatformSetupDxe/VfrStrings.uni
index 47b84ee6a0ac53bef15b322024a47c9935285ffb..9ff9a80ba62edb19ac8982991e2dcc364d1df52a 100644
GIT binary patch
delta 42
zcmV+_0M-Bcq7&?b6Oh6MHvlXEAd}HFBZ2CL>H&r70=4P`rpuSC=K&74tlR_6^p{B#
AVgLXD

delta 1706
zcmbtUOHUI~6h1T45<nXv1hhfJOe-ZpMG^3|k?F(4P%Po$V_|9oMVcV3v{f`wf(h(2
zCbPIZ1s80HuZ3X?Y%xUt0d6#DG=}KPmEW16wnGXM&CT4o_uTXN?m6dvUmw-{dQtOq
z#d(U3l4^Wx_fF-ebJBE9ewS0`S4Gts`G8U7FWWajy%eG-`6+_YFJg7_S&_Q$Xg1!=
zsAA}WTqV})EM1pPSA1Jl0-`e_`NXR|j>?dqk{B6MsT=<xieq&QUx2cdhCE5Pu=C;T
z!!AZ+(23DFW&ngN&bG$u8EvxI1KaUwKk0Odf|z?TtMHYNk%SM9GGJ;&5WR59o-;H;
z2_R5u5G#&*)5K=U;xvpA#~CA!VV#-8mR+W?y@PcN*18FIQ(^Ob9RD=FjClbL!&fc<
zyNj@+7%IH6Ru=y;?EZEor-xirDO#U9BI3rP+%8gSd2h&LrfAUg!g2m7-9qn{yj=Dz
zrPN!cLMh8#dEcdgxNJa-hKEh=0EN*)T$w25Fh-QRAh{;ANx9KbbLX@G@(?%6%{jEP
z(gn#qWUy3}dJihPjfpYWsqGN+(|7s0u|DEBoj2#w_W%$#1H-abL1d7za2u*<DL+k=
zMAA`=WY?}l^%IBpkPg35d?C7k#0(%Y{ivcXIkQ(zUJRp`V<rrK1*J+HgnSq}S>z;R
z_HrJ02(S~7l}cj3gNXm>TErG)Z$kv|ce=`yE_aB|dHHag6|Rscd%`ESq`VaB;|0{a
zaw9f=C|YeF3K-qW6XJH0W6)(I53#%=Yt@!^5ofTbE@l@bU&SA(SUxCe{8$=nyoVY_
z(NDc#%gss}8{s}?ODFeNT<BTZYkbhk-9@x&H!-xPHfGLdvG!6aXVZjfisz802d+4i
z&nOC*0;$B&sLW8-qfsGcit544JeW24D}gl=jHScv9<VW<DHlmu+Fw6psxprxOp_v#
z7J5WEQW2ud*7bz`SUGQ`8c(>l1ti`EapR?{4yT!ryhV#x`mB`ImP9A!zDVxHXYZA@
GpT7a+n_%An

diff --git a/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc b/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc
index eb47ea0..d3be2da 100644
--- a/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc
+++ b/Platform/BroxtonPlatformPkg/PlatformDsc/Components.dsc
@@ -234,6 +234,16 @@
 !endif
 
   #
+  # Secure Boot
+  #
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf {
+    <LibraryClasses>
+      PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+  }
+!endif
+
+  #
   # SMM
   #
   MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
@@ -367,10 +377,10 @@
   $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/MMC/MmcHostDxe/MmcHostDxe.inf
 
   $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/MMC/MmcMediaDeviceDxe/MmcMediaDeviceDxe.inf
-  
+
   $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdControllerDxe/SdControllerDxe.inf
   $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdMediaDeviceDxe/SdMediaDeviceDxe.inf
-    
+
 
   !if $(ACPI50_ENABLE) == TRUE
     MdeModulePkg/Universal/SmmCommunicationBufferDxe/SmmCommunicationBufferDxe.inf
@@ -474,12 +484,12 @@
   PcAtChipsetPkg/8259InterruptControllerDxe/8259.inf
 
   $(PLATFORM_PACKAGE_COMMON)/Features/UsbDeviceDxe/UsbDeviceDxe.inf
-  
+
   #
   # USB TypeC
   #
   $(PLATFORM_PACKAGE_COMMON)/Acpi/UsbTypeCDxe/UsbTypeCDxe.inf
-  
+
   #
   # Application
   #
diff --git a/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc b/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc
index c2424f0..971dc4a 100644
--- a/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc
+++ b/Platform/BroxtonPlatformPkg/PlatformDsc/LibraryClasses.dsc
@@ -237,8 +237,6 @@
    !if $(SECURE_BOOT_ENABLE) == TRUE
      BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
    !endif
-
-   PlatformSecureDefaultsLib|$(PLATFORM_PACKAGE_COMMON)/Library/PlatformSecureDefaultsLib/PlatformSecureDefaultsLib.inf
    SmmCpuPlatformHookLib|UefiCpuPkg/Library/SmmCpuPlatformHookLibNull/SmmCpuPlatformHookLibNull.inf
 
    BasePlatformCmosLib|$(PLATFORM_PACKAGE_COMMON)/Library/PlatformCmosLib/PlatformCmosLib.inf
diff --git a/Platform/BroxtonPlatformPkg/PlatformPkg.fdf b/Platform/BroxtonPlatformPkg/PlatformPkg.fdf
index a5a3555..2476407 100644
--- a/Platform/BroxtonPlatformPkg/PlatformPkg.fdf
+++ b/Platform/BroxtonPlatformPkg/PlatformPkg.fdf
@@ -450,7 +450,7 @@ APRIORI DXE {
 
   INF $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdControllerDxe/SdControllerDxe.inf
   INF $(PLATFORM_SI_PACKAGE)/SouthCluster/Sdio/Dxe/SD/SdMediaDeviceDxe/SdMediaDeviceDxe.inf
-    
+
   INF IntelFrameworkModulePkg/Universal/Acpi/AcpiS3SaveDxe/AcpiS3SaveDxe.inf
 
   #
@@ -575,6 +575,13 @@ APRIORI DXE {
   INF $(PLATFORM_PACKAGE_COMMON)/PnpDxe/PnpDxe.inf
 
   #
+  # Secure Boot
+  #
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
+  #
   # SMM
   #
   INF MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
@@ -710,7 +717,7 @@ APRIORI DXE {
     SECTION PE32 = ShellBinPkg/UefiShell/$(IA32_X64_LC)/Shell.efi
   }
 
-  INF $(PLATFORM_PACKAGE_COMMON)/Features/UsbDeviceDxe/UsbDeviceDxe.inf  
+  INF $(PLATFORM_PACKAGE_COMMON)/Features/UsbDeviceDxe/UsbDeviceDxe.inf
 
   #
   # USB TypeC
-- 
2.7.0.windows.1