From nobody Sat Apr 27 19:20:47 2024
Delivered-To: importer@patchew.org
Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by
 domain of lists.01.org) client-ip=198.145.21.10;
 envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org;
Authentication-Results: mx.zohomail.com;
	spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain
 of lists.01.org)  smtp.mailfrom=edk2-devel-bounces@lists.01.org
Return-Path: <edk2-devel-bounces@lists.01.org>
Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com
	with SMTPS id 1506042413241458.94128074931393;
 Thu, 21 Sep 2017 18:06:53 -0700 (PDT)
Received: from [127.0.0.1] (localhost [IPv6:::1])
	by ml01.01.org (Postfix) with ESMTP id 6BC8121ECCB05;
	Thu, 21 Sep 2017 18:03:44 -0700 (PDT)
Received: from mga07.intel.com (mga07.intel.com [134.134.136.100])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 27DB720958BF5
 for <edk2-devel@lists.01.org>; Thu, 21 Sep 2017 18:03:43 -0700 (PDT)
Received: from fmsmga002.fm.intel.com ([10.253.24.26])
 by orsmga105.jf.intel.com with ESMTP; 21 Sep 2017 18:06:50 -0700
Received: from chenche4.ccr.corp.intel.com ([10.239.158.36])
 by fmsmga002.fm.intel.com with ESMTP; 21 Sep 2017 18:06:48 -0700
X-Original-To: edk2-devel@lists.01.org
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.42,426,1500966000"; d="scan'208";a="1222159884"
From: chenc2 <chen.a.chen@intel.com>
To: edk2-devel@lists.01.org
Date: Fri, 22 Sep 2017 09:06:45 +0800
Message-Id: <20170922010645.5404-1-chen.a.chen@intel.com>
X-Mailer: git-send-email 2.13.2.windows.1
Subject: [edk2] [PATCH] SecurityPkg/SecureBootConfigImpl.c: Secure Boot DBX
 UI Enhancement.
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
Cc: Zhang Chao B <chao.b.zhang@intel.com>, Long Qin <qin.long@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Errors-To: edk2-devel-bounces@lists.01.org
Sender: "edk2-devel" <edk2-devel-bounces@lists.01.org>
X-ZohoMail: RSF_4  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

Use 2-level format to display signature list and signature data.
Support batch delete operation to delete signature list or signature data.
Display more useful information for each signature data.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chen A Chen <chen.a.chen@intel.com>
Cc: Zhang Chao B <chao.b.zhang@intel.com>
Cc: Long Qin <qin.long@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
---
 .../SecureBootConfigDxe/SecureBootConfig.vfr       |   53 +-
 .../SecureBootConfigDxe/SecureBootConfigImpl.c     | 1036 ++++++++++++++++=
+++-
 .../SecureBootConfigDxe/SecureBootConfigImpl.h     |   35 +
 .../SecureBootConfigDxe/SecureBootConfigNvData.h   |   23 +-
 .../SecureBootConfigStrings.uni                    |   26 +
 5 files changed, 1144 insertions(+), 29 deletions(-)

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo=
otConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secure=
BootConfig.vfr
index bbecff2b08..296b9c9b9e 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
g.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
g.vfr
@@ -316,11 +316,11 @@ formset
=20
     subtitle text =3D STRING_TOKEN(STR_NULL);
=20
-    goto SECUREBOOT_DELETE_SIGNATURE_FROM_DBX,
+    goto SECUREBOOT_DELETE_SIGNATURE_LIST_FORM,
     prompt =3D STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
     help   =3D STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
     flags  =3D INTERACTIVE,
-    key    =3D SECUREBOOT_DELETE_SIGNATURE_FROM_DBX;
+    key    =3D KEY_VALUE_FROM_DBX_TO_LIST_FORM;
=20
   endform;
=20
@@ -360,17 +360,58 @@ formset
   endform;
=20
   //
-  // Form: 'Delete Signature' for DBX Options.
+  // Form: Display Signature List.
   //
-  form formid =3D SECUREBOOT_DELETE_SIGNATURE_FROM_DBX,
-    title  =3D STRING_TOKEN(STR_SECURE_BOOT_DELETE_SIGNATURE);
+  form formid =3D SECUREBOOT_DELETE_SIGNATURE_LIST_FORM,
+    title  =3D STRING_TOKEN(STR_SECURE_BOOT_DELETE_LIST_FORM);
+
+    subtitle text =3D STRING_TOKEN(STR_NULL);
+
+    grayoutif ideqval SECUREBOOT_CONFIGURATION.ListCount =3D=3D 0;
+      label LABEL_DELETE_ALL_LIST_BUTTON;
+      //
+      // Will create a goto button dynamically here.
+      //
+      label LABEL_END;
+   endif;
+
+   subtitle text =3D STRING_TOKEN(STR_NULL);
+   label LABEL_SIGNATURE_LIST_START;
+   label LABEL_END;
+   subtitle text =3D STRING_TOKEN(STR_NULL);
=20
-    label LABEL_DBX_DELETE;
+  endform;
+
+  //
+  // Form: Display Signature Data.
+  //
+  form formid =3D SECUREBOOT_DELETE_SIGNATURE_DATA_FORM,
+    title =3D STRING_TOKEN(STR_SECURE_BOOT_DELETE_DATA_FORM);
+
+    subtitle text =3D STRING_TOKEN(STR_NULL);
+
+    goto SECUREBOOT_DELETE_SIGNATURE_LIST_FORM,
+      prompt =3D STRING_TOKEN(STR_SECURE_BOOT_DELETE_ALL_DATA),
+      help   =3D STRING_TOKEN(STR_SECURE_BOOT_DELETE_ALL_DATA_HELP),
+      flags  =3D INTERACTIVE,
+      key    =3D KEY_SECURE_BOOT_DELETE_ALL_DATA;
+
+    grayoutif ideqval SECUREBOOT_CONFIGURATION.CheckedDataCount =3D=3D 0;
+      goto SECUREBOOT_DELETE_SIGNATURE_LIST_FORM,
+        prompt =3D STRING_TOKEN(STR_SECURE_BOOT_DELETE_CHECK_DATA),
+        help   =3D STRING_TOKEN(STR_SECURE_BOOT_DELETE_CHECK_DATA_HELP),
+        flags  =3D INTERACTIVE,
+        key    =3D KEY_SECURE_BOOT_DELETE_CHECK_DATA;
+    endif;
+
+    subtitle text =3D STRING_TOKEN(STR_NULL);
+    label LABEL_SIGNATURE_DATA_START;
     label LABEL_END;
     subtitle text =3D STRING_TOKEN(STR_NULL);
=20
   endform;
=20
+
   //
   // Form: 'Delete Signature' for DBT Options.
   //
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo=
otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu=
reBootConfigImpl.c
index 2eaf24633d..3df1f431a9 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
gImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
gImpl.c
@@ -13,6 +13,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER=
 EXPRESS OR IMPLIED.
 **/
=20
 #include "SecureBootConfigImpl.h"
+#include <Library/BaseCryptLib.h>
=20
 CHAR16              mSecureBootStorageName[] =3D L"SECUREBOOT_CONFIGURATIO=
N";
=20
@@ -3051,6 +3052,184 @@ ON_EXIT:
 }
=20
 /**
+  This function to delete signature list or data, according by DelType.
+
+  @param[in]  PrivateData           Module's private data.
+  @param[in]  DelType               Indicate delete signature list or data.
+  @param[in]  CheckedCount          Indicate how many signature data have
+                                    been checked in current signature list.
+
+  @retval   EFI_SUCCESS             Success to update the signature list p=
age
+  @retval   EFI_OUT_OF_RESOURCES    Unable to allocate required resources.
+**/
+EFI_STATUS
+DeleteSignatureEx (
+  IN SECUREBOOT_CONFIG_PRIVATE_DATA   *PrivateData,
+  IN SIGNATURE_DELETE_TYPE            DelType,
+  IN UINT32                           CheckedCount
+  )
+{
+  EFI_STATUS          Status;
+  EFI_SIGNATURE_LIST  *ListWalker;
+  EFI_SIGNATURE_LIST  *NewCertList;
+  EFI_SIGNATURE_DATA  *DataWalker;
+  CHAR16              *VariableName;
+  UINT32              VariableAttr;
+  UINTN               VariableDataSize;
+  UINTN               RemainingSize;
+  UINTN               ListIndex;
+  UINTN               Index;
+  UINTN               Offset;
+  UINT8               *VariableData;
+  UINT8               *NewVariableData;
+
+  Status              =3D EFI_SUCCESS;
+  VariableName        =3D NULL;
+  VariableAttr        =3D 0;
+  VariableDataSize    =3D 0;
+  ListIndex           =3D 0;
+  Offset              =3D 0;
+  VariableData        =3D NULL;
+  NewVariableData     =3D NULL;
+
+  VariableName =3D AllocateZeroPool (100);
+  if (VariableName =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  if (PrivateData->VariableName =3D=3D VARIABLE_DB) {
+    UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE);
+  } else if (PrivateData->VariableName =3D=3D VARIABLE_DBX) {
+    UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE1);
+  } else if (PrivateData->VariableName =3D=3D VARIABLE_DBT) {
+    UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE2);
+  } else {
+    goto ON_EXIT;
+  }
+
+  Status =3D gRT->GetVariable (
+                  VariableName,
+                  &gEfiImageSecurityDatabaseGuid,
+                  &VariableAttr,
+                  &VariableDataSize,
+                  VariableData
+                );
+  if (EFI_ERROR (Status) && Status !=3D EFI_BUFFER_TOO_SMALL) {
+    goto ON_EXIT;
+  }
+
+  VariableData =3D AllocateZeroPool (VariableDataSize);
+  if (VariableData =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  Status =3D gRT->GetVariable (
+                  VariableName,
+                  &gEfiImageSecurityDatabaseGuid,
+                  &VariableAttr,
+                  &VariableDataSize,
+                  VariableData
+                );
+  if (EFI_ERROR (Status)) {
+    goto ON_EXIT;
+  }
+
+  Status =3D SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+  if (EFI_ERROR (Status)) {
+    goto ON_EXIT;
+  }
+
+  NewVariableData =3D AllocateZeroPool (VariableDataSize);
+  if (NewVariableData =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  RemainingSize =3D VariableDataSize;
+  ListWalker =3D (EFI_SIGNATURE_LIST *)(VariableData);
+  if (DelType =3D=3D DELETE_SIGNATURE_LIST_ALL) {
+    VariableDataSize =3D 0;
+  } else {
+    while ((RemainingSize > 0) && (RemainingSize >=3D ListWalker->Signatur=
eListSize) && ListIndex < PrivateData->ListIndex) {
+      CopyMem ((UINT8 *)NewVariableData + Offset, ListWalker, ListWalker->=
SignatureListSize);
+      Offset +=3D ListWalker->SignatureListSize;
+
+      RemainingSize -=3D ListWalker->SignatureListSize;
+      ListWalker =3D (EFI_SIGNATURE_LIST *)((UINT8 *)ListWalker + ListWalk=
er->SignatureListSize);
+      ListIndex++;
+    }
+
+    if (CheckedCount =3D=3D SIGNATURE_DATA_COUNTS (ListWalker) || DelType =
=3D=3D DELETE_SIGNATURE_LIST_ONE) {
+      RemainingSize -=3D ListWalker->SignatureListSize;
+      ListWalker =3D (EFI_SIGNATURE_LIST *)((UINT8 *)ListWalker + ListWalk=
er->SignatureListSize);
+    } else {
+      NewCertList =3D (EFI_SIGNATURE_LIST *)(NewVariableData + Offset);
+      //
+      // Copy header.
+      //
+      CopyMem ((UINT8 *)NewVariableData, ListWalker, sizeof (EFI_SIGNATURE=
_LIST) + ListWalker->SignatureHeaderSize);
+      Offset +=3D sizeof (EFI_SIGNATURE_LIST) + ListWalker->SignatureHeade=
rSize;
+
+      DataWalker =3D (EFI_SIGNATURE_DATA *)((UINT8 *)ListWalker + sizeof(E=
FI_SIGNATURE_LIST) + ListWalker->SignatureHeaderSize);
+      for (Index =3D 0; Index < SIGNATURE_DATA_COUNTS(ListWalker); Index =
=3D Index + 1) {
+        if (PrivateData->CheckArray[Index]) {
+          //
+          // Delete checked siganture data, and update the size of whole s=
ignature list.
+          //
+          NewCertList->SignatureListSize -=3D NewCertList->SignatureSize;
+        } else {
+          //
+          // Remain the unchecked signature data.
+          //
+          CopyMem ((UINT8 *)NewVariableData + Offset, DataWalker, ListWalk=
er->SignatureSize);
+          Offset +=3D ListWalker->SignatureSize;
+        }
+        DataWalker =3D (EFI_SIGNATURE_DATA *)((UINT8 *)DataWalker + ListWa=
lker->SignatureSize);
+      }
+
+      RemainingSize -=3D ListWalker->SignatureListSize;
+    }
+
+    //
+    // Copy remaining data, maybe 0.
+    //
+    CopyMem((UINT8 *)NewVariableData + Offset, ListWalker, RemainingSize);
+    Offset +=3D RemainingSize;
+
+    VariableDataSize =3D Offset;
+  }
+
+  if ((VariableAttr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) =
!=3D 0) {
+    Status =3D CreateTimeBasedPayload (&VariableDataSize, &NewVariableData=
);
+    if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", S=
tatus));
+      goto ON_EXIT;
+    }
+  }
+
+  Status =3D gRT->SetVariable (
+                  VariableName,
+                  &gEfiImageSecurityDatabaseGuid,
+                  VariableAttr,
+                  VariableDataSize,
+                  NewVariableData
+                );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Failed to set variable, Status =3D %r", Status));
+    goto ON_EXIT;
+  }
+
+ON_EXIT:
+  SECUREBOOT_FREE_NON_NULL (VariableName);
+  SECUREBOOT_FREE_NON_NULL (VariableData);
+  SECUREBOOT_FREE_NON_NULL (NewVariableData);
+
+  return Status;
+}
+
+/**
=20
   Update SecureBoot strings based on new Secure Boot Mode State. String in=
cludes STR_SECURE_BOOT_STATE_CONTENT
  and STR_CUR_SECURE_BOOT_MODE_CONTENT.
@@ -3381,6 +3560,731 @@ SecureBootRouteConfig (
 }
=20
 /**
+  This function to load signature list, the update the menu page.
+
+  @param[in]  PrivateData         Module's private data.
+  @param[in]  LabelId             Label number to insert opcodes.
+  @param[in]  FormId              Form ID of current page.
+  @param[in]  QuestionIdBase      Base question id of the signature list.
+
+  @retval   EFI_SUCCESS           Success to update the signature list page
+  @retval   EFI_OUT_OF_RESOURCES  Unable to allocate required resources.
+**/
+EFI_STATUS
+LoadSignatureList (
+  IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData,
+  IN UINT16                         LabelId,
+  IN EFI_FORM_ID                    FormId,
+  IN EFI_QUESTION_ID                QuestionIdBase
+  )
+{
+  EFI_STATUS            Status;
+  EFI_STRING_ID         ListType;
+  EFI_SIGNATURE_LIST    *ListWalker;
+  EFI_IFR_GUID_LABEL    *StartLabel;
+  EFI_IFR_GUID_LABEL    *EndLabel;
+  EFI_IFR_GUID_LABEL    *StartGoto;
+  EFI_IFR_GUID_LABEL    *EndGoto;
+  EFI_FORM_ID           DstFormId;
+  VOID                  *StartOpCodeHandle;
+  VOID                  *EndOpCodeHandle;
+  VOID                  *StartGotoHandle;
+  VOID                  *EndGotoHandle;
+  UINTN                 DataSize;
+  UINTN                 RemainingSize;
+  UINT16                Index;
+  UINT8                 *VariableData;
+  CHAR16                *VariableName;
+  CHAR16                *NameBuffer;
+  CHAR16                *HelpBuffer;
+
+  Status                =3D EFI_SUCCESS;
+  StartOpCodeHandle     =3D NULL;
+  EndOpCodeHandle       =3D NULL;
+  Index                 =3D 0;
+  VariableData          =3D NULL;
+  VariableName          =3D NULL;
+  NameBuffer            =3D NULL;
+  HelpBuffer            =3D NULL;
+
+  //
+  // Initialize the container for dynamic opcodes.
+  //
+  StartOpCodeHandle =3D HiiAllocateOpCodeHandle ();
+  if (StartOpCodeHandle =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  EndOpCodeHandle =3D HiiAllocateOpCodeHandle ();
+  if (EndOpCodeHandle =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  StartGotoHandle =3D HiiAllocateOpCodeHandle ();
+  if (StartGotoHandle =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  EndGotoHandle =3D HiiAllocateOpCodeHandle ();
+  if (EndGotoHandle =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  //
+  // Create Hii Extend Label OpCode.
+  //
+  StartLabel =3D (EFI_IFR_GUID_LABEL *)HiiCreateGuidOpCode (
+                                       StartOpCodeHandle,
+                                       &gEfiIfrTianoGuid,
+                                       NULL,
+                                       sizeof (EFI_IFR_GUID_LABEL)
+                                     );
+  StartLabel->ExtendOpCode  =3D EFI_IFR_EXTEND_OP_LABEL;
+  StartLabel->Number        =3D LabelId;
+
+  EndLabel =3D (EFI_IFR_GUID_LABEL *)HiiCreateGuidOpCode (
+                                     EndOpCodeHandle,
+                                     &gEfiIfrTianoGuid,
+                                     NULL,
+                                     sizeof (EFI_IFR_GUID_LABEL)
+                                   );
+  EndLabel->ExtendOpCode  =3D EFI_IFR_EXTEND_OP_LABEL;
+  EndLabel->Number        =3D LABEL_END;
+
+  StartGoto =3D (EFI_IFR_GUID_LABEL *)HiiCreateGuidOpCode(
+                                      StartGotoHandle,
+                                      &gEfiIfrTianoGuid,
+                                      NULL,
+                                      sizeof(EFI_IFR_GUID_LABEL)
+                                    );
+  StartGoto->ExtendOpCode  =3D EFI_IFR_EXTEND_OP_LABEL;
+  StartGoto->Number        =3D LABEL_DELETE_ALL_LIST_BUTTON;
+
+  EndGoto =3D (EFI_IFR_GUID_LABEL *)HiiCreateGuidOpCode(
+                                    EndGotoHandle,
+                                    &gEfiIfrTianoGuid,
+                                    NULL,
+                                    sizeof(EFI_IFR_GUID_LABEL)
+                                  );
+  EndGoto->ExtendOpCode =3D EFI_IFR_EXTEND_OP_LABEL;
+  EndGoto->Number =3D LABEL_END;
+
+  VariableName =3D AllocateZeroPool (100);
+  if (VariableName =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  if (PrivateData->VariableName =3D=3D VARIABLE_DB) {
+    UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE);
+    DstFormId =3D FORMID_SECURE_BOOT_DB_OPTION_FORM;
+  } else if (PrivateData->VariableName =3D=3D VARIABLE_DBX) {
+    UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE1);
+    DstFormId =3D FORMID_SECURE_BOOT_DBX_OPTION_FORM;
+  } else if (PrivateData->VariableName =3D=3D VARIABLE_DBT) {
+    UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE2);
+    DstFormId =3D FORMID_SECURE_BOOT_DBT_OPTION_FORM;
+  } else {
+    goto ON_EXIT;
+  }
+
+  HiiCreateGotoOpCode (
+    StartGotoHandle,
+    DstFormId,
+    STRING_TOKEN (STR_SECURE_BOOT_DELETE_ALL_LIST),
+    STRING_TOKEN (STR_SECURE_BOOT_DELETE_ALL_LIST),
+    EFI_IFR_FLAG_CALLBACK,
+    KEY_SECURE_BOOT_DELETE_ALL_LIST
+  );
+
+  //
+  // Read Variable, the variable name save in the PrivateData->VariableNam=
e.
+  //
+  DataSize =3D 0;
+  Status =3D gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGui=
d, NULL, &DataSize, VariableData);
+  if (EFI_ERROR (Status) && Status !=3D EFI_BUFFER_TOO_SMALL) {
+    goto ON_EXIT;
+  }
+
+  VariableData =3D AllocateZeroPool (DataSize);
+  if (VariableData =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+  Status =3D gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGui=
d, NULL, &DataSize, VariableData);
+  if (EFI_ERROR (Status)) {
+    goto ON_EXIT;
+  }
+
+  NameBuffer =3D AllocateZeroPool (100);
+  if (NameBuffer =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  HelpBuffer =3D AllocateZeroPool (100);
+  if (HelpBuffer =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  RemainingSize =3D DataSize;
+  ListWalker    =3D (EFI_SIGNATURE_LIST *)VariableData;
+  while ((RemainingSize > 0) && (RemainingSize >=3D ListWalker->SignatureL=
istSize)) {
+    if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa2048Guid)) {
+      ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256);
+    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Guid)=
) {
+      ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509);
+    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha1Guid)=
) {
+      ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA1);
+    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha256Gui=
d)) {
+      ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA256);
+    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha25=
6Guid)) {
+      ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);
+    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha38=
4Guid)) {
+      ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA384);
+    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha51=
2Guid)) {
+      ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA512);
+    } else {
+      ListType =3D STRING_TOKEN (STR_LIST_TYPE_UNKNOWN);
+    }
+
+    UnicodeSPrint (NameBuffer,
+      100,
+      HiiGetString (PrivateData->HiiHandle, STRING_TOKEN (STR_SIGNATURE_LI=
ST_NAME_FORMAT), NULL),
+      Index + 1
+    );
+    UnicodeSPrint (HelpBuffer,
+      100,
+      HiiGetString (PrivateData->HiiHandle, STRING_TOKEN (STR_SIGNATURE_LI=
ST_HELP_FORMAT), NULL),
+      HiiGetString (PrivateData->HiiHandle, ListType, NULL),
+      SIGNATURE_DATA_COUNTS (ListWalker)
+    );
+
+    HiiCreateGotoOpCode (
+      StartOpCodeHandle,
+      SECUREBOOT_DELETE_SIGNATURE_DATA_FORM,
+      HiiSetString (PrivateData->HiiHandle, 0, NameBuffer, NULL),
+      HiiSetString (PrivateData->HiiHandle, 0, HelpBuffer, NULL),
+      EFI_IFR_FLAG_CALLBACK,
+      QuestionIdBase + Index++
+    );
+
+    ZeroMem (NameBuffer, 100);
+    ZeroMem (HelpBuffer, 100);
+
+    RemainingSize -=3D ListWalker->SignatureListSize;
+    ListWalker =3D (EFI_SIGNATURE_LIST *)((UINT8 *)ListWalker + ListWalker=
->SignatureListSize);
+  }
+
+ON_EXIT:
+  HiiUpdateForm (
+    PrivateData->HiiHandle,
+    &gSecureBootConfigFormSetGuid,
+    FormId,
+    StartOpCodeHandle,
+    EndOpCodeHandle
+  );
+
+  HiiUpdateForm (
+    PrivateData->HiiHandle,
+    &gSecureBootConfigFormSetGuid,
+    FormId,
+    StartGotoHandle,
+    EndGotoHandle
+  );
+
+  SECUREBOOT_FREE_NON_OPCODE (StartOpCodeHandle);
+  SECUREBOOT_FREE_NON_OPCODE (EndOpCodeHandle);
+  SECUREBOOT_FREE_NON_OPCODE (StartGotoHandle);
+  SECUREBOOT_FREE_NON_OPCODE (EndGotoHandle);
+
+  SECUREBOOT_FREE_NON_NULL (VariableName);
+  SECUREBOOT_FREE_NON_NULL (VariableData);
+  SECUREBOOT_FREE_NON_NULL (NameBuffer);
+  SECUREBOOT_FREE_NON_NULL (HelpBuffer);
+
+  PrivateData->ListCount =3D Index;
+
+  return Status;
+}
+
+/**
+  Parse hash value from EFI_SIGANTURE_DATA, and save in the CHAR16 type ar=
ray.
+  The buffer is callee allocated and should be freed by the caller.
+
+  @param[in]    ListEntry                 The pointer point to the signatu=
re list.
+  @param[in]    DataEntry                 The signature data we are proces=
sing.
+  @param[out]   BufferToReturn            Buffer to save the hash value.
+
+  @retval       EFI_INVALID_PARAMETER     Invalid List or Data or Buffer.
+  @retval       EFI_OUT_OF_RESOURCES      A memory allocation failed.
+  @retval       EFI_SUCCESS               Operation success.
+**/
+EFI_STATUS
+ParseHashValue (
+  IN     EFI_SIGNATURE_LIST    *ListEntry,
+  IN     EFI_SIGNATURE_DATA    *DataEntry,
+     OUT CHAR16                **BufferToReturn
+  )
+{
+  UINTN       Index;
+  UINTN       BufferIndex;
+  UINTN       TotalSize;
+  UINTN       DataSize;
+  UINTN       Line;
+  UINTN       OneLineBytes;
+
+  //
+  //  Assume that, display 8 bytes in one line.
+  //
+  OneLineBytes =3D 8;
+
+  if (ListEntry =3D=3D NULL || DataEntry =3D=3D NULL || BufferToReturn =3D=
=3D NULL) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  DataSize =3D ListEntry->SignatureSize - sizeof(EFI_GUID);
+  Line =3D (DataSize + OneLineBytes - 1) / OneLineBytes;
+
+  //
+  // Each byte will split two Hex-number, and each line need additional me=
mory to save '\r\n'.
+  //
+  TotalSize =3D ((DataSize + Line) * 2 * sizeof(CHAR16));
+
+  *BufferToReturn =3D AllocateZeroPool(TotalSize);
+  if (*BufferToReturn =3D=3D NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  for (Index =3D 0, BufferIndex =3D 0; Index < DataSize; Index =3D Index +=
 1) {
+    if ((Index > 0) && (Index % OneLineBytes =3D=3D 0)) {
+      BufferIndex +=3D UnicodeSPrint(&(*BufferToReturn)[BufferIndex], Tota=
lSize - sizeof(CHAR16) * BufferIndex, L"\n");
+    }
+    BufferIndex +=3D UnicodeSPrint(&(*BufferToReturn)[BufferIndex], TotalS=
ize - sizeof(CHAR16) * BufferIndex, L"%02x", DataEntry->SignatureData[Index=
]);
+  }
+  BufferIndex +=3D UnicodeSPrint(&(*BufferToReturn)[BufferIndex], TotalSiz=
e - sizeof(CHAR16) * BufferIndex, L"\n");
+
+  return EFI_SUCCESS;
+}
+
+/**
+  Function to get the common name from the X509 format certificate.
+  The buffer is callee allocated and should be freed by the caller.
+
+  @param[in]    ListEntry                 The pointer point to the signatu=
re list.
+  @param[in]    DataEntry                 The signature data we are proces=
sing.
+  @param[out]   BufferToReturn            Buffer to save the CN of X509 ce=
rtificate.
+
+  @retval       EFI_INVALID_PARAMETER     Invalid List or Data or Buffer.
+  @retval       EFI_OUT_OF_RESOURCES      A memory allocation failed.
+  @retval       EFI_SUCCESS               Operation success.
+  @retval       EFI_NOT_FOUND             Not found CN field in the X509 c=
ertificate.
+**/
+EFI_STATUS
+GetCommonNameFromX509 (
+  IN     EFI_SIGNATURE_LIST    *ListEntry,
+  IN     EFI_SIGNATURE_DATA    *DataEntry,
+     OUT CHAR16                **BufferToReturn
+  )
+{
+  EFI_STATUS      Status;
+  UINT8           *CNBuffer;
+
+  Status =3D EFI_SUCCESS;
+  CNBuffer =3D NULL;
+
+  CNBuffer =3D AllocateZeroPool(256);
+  if (CNBuffer =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  X509GetCommonName (
+    (UINT8 *)DataEntry + sizeof(EFI_GUID),
+    ListEntry->SignatureSize - sizeof(EFI_GUID),
+    CNBuffer,
+    256
+  );
+
+  *BufferToReturn =3D AllocateZeroPool(256 * sizeof(CHAR16));
+  if (*BufferToReturn =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  AsciiStrToUnicodeStrS (CNBuffer, *BufferToReturn, 256);
+
+ON_EXIT:
+  SECUREBOOT_FREE_NON_NULL (CNBuffer);
+
+  return Status;
+}
+
+/**
+  Format the help info for the signature data, each help info contain 3 pa=
rts.
+  1. Onwer Guid.
+  2. Content, depends on the type of the signature list.
+  3. Revocation time.
+
+  @param[in]      PrivateData             Module's private data.
+  @param[in]      ListEntry               Point to the signature list.
+  @param[in]      DataEntry               Point to the siganture data we a=
re processing.
+  @param[out]     StringId                Save the string id of help info.
+
+  @retval         EFI_SUCCESS             Operation success.
+  @retval         EFI_OUT_OF_RESOURCES    Unable to allocate required reso=
urces.
+**/
+EFI_STATUS
+FormatHelpInfo (
+  IN     SECUREBOOT_CONFIG_PRIVATE_DATA   *PrivateData,
+  IN     EFI_SIGNATURE_LIST               *ListEntry,
+  IN     EFI_SIGNATURE_DATA               *DataEntry,
+     OUT EFI_STRING_ID                    *StringId
+  )
+{
+  EFI_STATUS      Status;
+  EFI_TIME        *Time;
+  EFI_STRING_ID   ListTypeId;
+  UINTN           DataSize;
+  UINTN           HelpInfoIndex;
+  UINTN           TotalSize;
+  CHAR16          *GuidString;
+  CHAR16          *DataString;
+  CHAR16          *TimeString;
+  CHAR16          *HelpInfoString;
+  BOOLEAN         IsCert;
+
+  Status          =3D EFI_SUCCESS;
+  Time            =3D NULL;
+  HelpInfoIndex   =3D 0;
+  GuidString      =3D NULL;
+  DataString      =3D NULL;
+  TimeString      =3D NULL;
+  HelpInfoString  =3D NULL;
+  IsCert          =3D FALSE;
+
+  if (CompareGuid(&ListEntry->SignatureType, &gEfiCertRsa2048Guid)) {
+    ListTypeId =3D STRING_TOKEN(STR_LIST_TYPE_RSA2048_SHA256);
+    DataSize =3D ListEntry->SignatureSize - sizeof(EFI_GUID);
+    IsCert =3D TRUE;
+  } else if (CompareGuid(&ListEntry->SignatureType, &gEfiCertX509Guid)) {
+    ListTypeId =3D STRING_TOKEN(STR_LIST_TYPE_X509);
+    DataSize =3D ListEntry->SignatureSize - sizeof(EFI_GUID);
+    IsCert =3D TRUE;
+  } else if (CompareGuid(&ListEntry->SignatureType, &gEfiCertSha1Guid)) {
+    ListTypeId =3D STRING_TOKEN(STR_LIST_TYPE_SHA1);
+    DataSize =3D 20;
+  } else if (CompareGuid(&ListEntry->SignatureType, &gEfiCertSha256Guid)) {
+    ListTypeId =3D STRING_TOKEN(STR_LIST_TYPE_SHA256);
+    DataSize =3D 32;
+  } else if (CompareGuid(&ListEntry->SignatureType, &gEfiCertX509Sha256Gui=
d)) {
+    ListTypeId =3D STRING_TOKEN(STR_LIST_TYPE_X509_SHA256);
+    DataSize =3D 32;
+    Time =3D (EFI_TIME *)(DataEntry->SignatureData + DataSize);
+  } else if (CompareGuid(&ListEntry->SignatureType, &gEfiCertX509Sha384Gui=
d)) {
+    ListTypeId =3D STRING_TOKEN(STR_LIST_TYPE_X509_SHA384);
+    DataSize =3D 48;
+    Time =3D (EFI_TIME *)(DataEntry->SignatureData + DataSize);
+  } else if (CompareGuid(&ListEntry->SignatureType, &gEfiCertX509Sha512Gui=
d)) {
+    ListTypeId =3D STRING_TOKEN(STR_LIST_TYPE_X509_SHA512);
+    DataSize =3D 64;
+    Time =3D (EFI_TIME *)(DataEntry->SignatureData + DataSize);
+  } else {
+    Status =3D EFI_UNSUPPORTED;
+    goto ON_EXIT;
+  }
+
+  GuidString =3D AllocateZeroPool (100);
+  if (GuidString =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  TotalSize =3D 1024;
+  HelpInfoString =3D AllocateZeroPool (TotalSize);
+  if (HelpInfoString =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  //
+  // Format GUID part.
+  //
+  GuidToString(&DataEntry->SignatureOwner, GuidString, 100);
+  HelpInfoIndex +=3D UnicodeSPrint (
+                     &HelpInfoString[HelpInfoIndex],
+                     TotalSize - sizeof(CHAR16) * HelpInfoIndex,
+                     HiiGetString (PrivateData->HiiHandle, STRING_TOKEN (S=
TR_SIGNATURE_DATA_HELP_FORMAT_GUID), NULL),
+                     GuidString
+                   );
+
+  //
+  // Format content part, it depends on the type of signature list, hash v=
alue or CN.
+  //
+  if (IsCert) {
+    GetCommonNameFromX509 (ListEntry, DataEntry, &DataString);
+    HelpInfoIndex +=3D UnicodeSPrint(
+                       &HelpInfoString[HelpInfoIndex],
+                       TotalSize - sizeof(CHAR16) * HelpInfoIndex,
+                       HiiGetString (PrivateData->HiiHandle, STRING_TOKEN =
(STR_SIGNATURE_DATA_HELP_FORMAT_CN), NULL),
+                       HiiGetString (PrivateData->HiiHandle, ListTypeId, N=
ULL),
+                       DataSize,
+                       DataString
+                     );
+  } else {
+    //
+    //  Format hash value for each signature data entry.
+    //
+    ParseHashValue (ListEntry, DataEntry, &DataString);
+    HelpInfoIndex +=3D UnicodeSPrint (
+                       &HelpInfoString[HelpInfoIndex],
+                       TotalSize - sizeof(CHAR16) * HelpInfoIndex,
+                       HiiGetString (PrivateData->HiiHandle, STRING_TOKEN =
(STR_SIGNATURE_DATA_HELP_FORMAT_HASH), NULL),
+                       HiiGetString (PrivateData->HiiHandle, ListTypeId, N=
ULL),
+                       DataSize,
+                       DataString
+                     );
+  }
+
+  //
+  // Format revocation time part.
+  //
+  if (Time !=3D NULL) {
+    TimeString =3D AllocateZeroPool(100);
+    if (TimeString =3D=3D NULL) {
+      Status =3D EFI_OUT_OF_RESOURCES;
+      goto ON_EXIT;
+    }
+
+    UnicodeSPrint (
+      TimeString,
+      100,
+      L"%d-%d-%d %d:%d:%d",
+      Time->Year,
+      Time->Month,
+      Time->Day,
+      Time->Hour,
+      Time->Minute,
+      Time->Second
+    );
+
+    UnicodeSPrint (
+      &HelpInfoString[HelpInfoIndex],
+      TotalSize - sizeof (CHAR16) * HelpInfoIndex,
+      HiiGetString (PrivateData->HiiHandle, STRING_TOKEN (STR_SIGNATURE_DA=
TA_HELP_FORMAT_TIME), NULL),
+      TimeString
+    );
+  }
+
+  *StringId =3D HiiSetString (PrivateData->HiiHandle, 0, HelpInfoString, N=
ULL);
+
+ON_EXIT:
+  SECUREBOOT_FREE_NON_NULL (GuidString);
+  SECUREBOOT_FREE_NON_NULL (DataString);
+  SECUREBOOT_FREE_NON_NULL (TimeString);
+  SECUREBOOT_FREE_NON_NULL (HelpInfoString);
+
+  return Status;
+}
+
+/**
+  This functino to load signature data under the signature list.
+
+  @param[in]  PrivateData         Module's private data.
+  @param[in]  LabelId             Label number to insert opcodes.
+  @param[in]  FormId              Form ID of current page.
+  @param[in]  QuestionIdBase      Base question id of the signature list.
+  @param[in]  ListIndex           Indicate to load which signature list.
+
+  @retval   EFI_SUCCESS           Success to update the signature list page
+  @retval   EFI_OUT_OF_RESOURCES  Unable to allocate required resources.
+**/
+EFI_STATUS
+LoadSignatureData (
+  IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData,
+  IN UINT16                         LabelId,
+  IN EFI_FORM_ID                    FormId,
+  IN EFI_QUESTION_ID                QuestionIdBase,
+  IN UINT16                         ListIndex
+  )
+{
+  EFI_STATUS            Status;
+  EFI_SIGNATURE_LIST    *ListWalker;
+  EFI_SIGNATURE_DATA    *DataWalker;
+  EFI_IFR_GUID_LABEL    *StartLabel;
+  EFI_IFR_GUID_LABEL    *EndLabel;
+  EFI_STRING_ID         HelpStringId;
+  VOID                  *StartOpCodeHandle;
+  VOID                  *EndOpCodeHandle;
+  UINTN                 DataSize;
+  UINTN                 RemainingSize;
+  UINT16                Index;
+  UINT8                 *VariableData;
+  CHAR16                *VariableName;
+  CHAR16                *NameBuffer;
+
+  Status              =3D EFI_SUCCESS;
+  StartOpCodeHandle   =3D NULL;
+  EndOpCodeHandle     =3D NULL;
+  Index               =3D 0;
+  VariableData        =3D NULL;
+  VariableName        =3D NULL;
+  NameBuffer          =3D NULL;
+
+  //
+  // Initialize the container for dynamic opcodes.
+  //
+  StartOpCodeHandle =3D HiiAllocateOpCodeHandle ();
+  if (StartOpCodeHandle =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  EndOpCodeHandle =3D HiiAllocateOpCodeHandle ();
+  if (EndOpCodeHandle =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  //
+  // Create Hii Extend Label OpCode.
+  //
+  StartLabel =3D (EFI_IFR_GUID_LABEL *)HiiCreateGuidOpCode (
+                                       StartOpCodeHandle,
+                                       &gEfiIfrTianoGuid,
+                                       NULL,
+                                       sizeof (EFI_IFR_GUID_LABEL)
+                                     );
+  StartLabel->ExtendOpCode  =3D EFI_IFR_EXTEND_OP_LABEL;
+  StartLabel->Number        =3D LabelId;
+
+  EndLabel =3D (EFI_IFR_GUID_LABEL *)HiiCreateGuidOpCode (
+                                     EndOpCodeHandle,
+                                     &gEfiIfrTianoGuid,
+                                     NULL,
+                                     sizeof (EFI_IFR_GUID_LABEL)
+                                   );
+  EndLabel->ExtendOpCode  =3D EFI_IFR_EXTEND_OP_LABEL;
+  EndLabel->Number        =3D LABEL_END;
+
+  VariableName =3D AllocateZeroPool (100);
+  if (VariableName =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  if (PrivateData->VariableName =3D=3D VARIABLE_DB) {
+    UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE);
+  } else if (PrivateData->VariableName =3D=3D VARIABLE_DBX) {
+    UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE1);
+  } else if (PrivateData->VariableName =3D=3D VARIABLE_DBT) {
+    UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE2);
+  } else {
+    goto ON_EXIT;
+  }
+
+  //
+  // Read Variable, the variable name save in the PrivateData->VariableNam=
e.
+  //
+  DataSize =3D 0;
+  Status =3D gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGui=
d, NULL, &DataSize, VariableData);
+  if (EFI_ERROR (Status) && Status !=3D EFI_BUFFER_TOO_SMALL) {
+    goto ON_EXIT;
+  }
+
+  VariableData =3D AllocateZeroPool (DataSize);
+  if (VariableData =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+  Status =3D gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGui=
d, NULL, &DataSize, VariableData);
+  if (EFI_ERROR (Status)) {
+    goto ON_EXIT;
+  }
+
+  NameBuffer =3D AllocateZeroPool (100);
+  if (NameBuffer =3D=3D NULL) {
+    Status =3D EFI_OUT_OF_RESOURCES;
+    goto ON_EXIT;
+  }
+
+  RemainingSize =3D DataSize;
+  ListWalker =3D (EFI_SIGNATURE_LIST *)VariableData;
+
+  //
+  // Skip signature list.
+  //
+  while ((RemainingSize > 0) && (RemainingSize >=3D ListWalker->SignatureL=
istSize) && ListIndex-- > 0) {
+    RemainingSize -=3D ListWalker->SignatureListSize;
+    ListWalker =3D (EFI_SIGNATURE_LIST *)((UINT8 *)ListWalker + ListWalker=
->SignatureListSize);
+  }
+
+  DataWalker =3D (EFI_SIGNATURE_DATA *)((UINT8 *)ListWalker + sizeof(EFI_S=
IGNATURE_LIST) + ListWalker->SignatureHeaderSize);
+  for (Index =3D 0; Index < SIGNATURE_DATA_COUNTS(ListWalker); Index =3D I=
ndex + 1) {
+    //
+    // Format name buffer.
+    //
+    UnicodeSPrint (NameBuffer,
+      100,
+      HiiGetString (PrivateData->HiiHandle, STRING_TOKEN (STR_SIGNATURE_DA=
TA_NAME_FORMAT), NULL),
+      Index + 1
+    );
+
+    //
+    // Format help info buffer.
+    //
+    Status =3D FormatHelpInfo (PrivateData, ListWalker, DataWalker, &HelpS=
tringId);
+    if (EFI_ERROR (Status)) {
+      goto ON_EXIT;
+    }
+
+    HiiCreateCheckBoxOpCode (
+      StartOpCodeHandle,
+      (EFI_QUESTION_ID)(QuestionIdBase + Index),
+      0,
+      0,
+      HiiSetString (PrivateData->HiiHandle, 0, NameBuffer, NULL),
+      HelpStringId,
+      EFI_IFR_FLAG_CALLBACK,
+      0,
+      NULL
+    );
+
+    ZeroMem(NameBuffer, 100);
+    DataWalker =3D (EFI_SIGNATURE_DATA *)((UINT8 *)DataWalker + ListWalker=
->SignatureSize);
+  }
+
+  //
+  // Allocate a buffer to record which signature data will be checked.
+  // This memory buffer will be freed when exit from the SECUREBOOT_DELETE=
_SIGNATURE_DATA_FORM form.
+  //
+  PrivateData->CheckArray =3D AllocateZeroPool (SIGNATURE_DATA_COUNTS (Lis=
tWalker) * sizeof (BOOLEAN));
+
+ON_EXIT:
+  HiiUpdateForm (
+    PrivateData->HiiHandle,
+    &gSecureBootConfigFormSetGuid,
+    FormId,
+    StartOpCodeHandle,
+    EndOpCodeHandle
+  );
+
+  SECUREBOOT_FREE_NON_OPCODE (StartOpCodeHandle);
+  SECUREBOOT_FREE_NON_OPCODE (EndOpCodeHandle);
+
+  SECUREBOOT_FREE_NON_NULL (VariableName);
+  SECUREBOOT_FREE_NON_NULL (VariableData);
+  SECUREBOOT_FREE_NON_NULL (NameBuffer);
+
+  return Status;
+}
+
+/**
   This function is called to provide results data to the driver.
=20
   @param[in]  This               Points to the EFI_HII_CONFIG_ACCESS_PROTO=
COL.
@@ -3474,6 +4378,13 @@ SecureBootCallback (
           (QuestionId =3D=3D KEY_SECURE_BOOT_DBX_OPTION) ||
           (QuestionId =3D=3D KEY_SECURE_BOOT_DBT_OPTION)) {
         CloseEnrolledFile(Private->FileContext);
+      } else if (QuestionId =3D=3D KEY_SECURE_BOOT_DELETE_ALL_LIST) {
+        //
+        // Update ListCount field in varstore
+        // Button "Delete All Signature List" is
+        // enable when ListCount is greater than 0.
+        //
+        IfrNvData->ListCount =3D Private->ListCount;
       }
     }
     goto EXIT;
@@ -3665,16 +4576,89 @@ SecureBootCallback (
         );
        break;
=20
-    case SECUREBOOT_DELETE_SIGNATURE_FROM_DBX:
-      UpdateDeletePage (
+    //
+    // From DBX option to the level-1 form, display signature list.
+    //
+    case KEY_VALUE_FROM_DBX_TO_LIST_FORM:
+      Private->VariableName =3D VARIABLE_DBX;
+      LoadSignatureList (
         Private,
-        EFI_IMAGE_SECURITY_DATABASE1,
-        &gEfiImageSecurityDatabaseGuid,
-        LABEL_DBX_DELETE,
-        SECUREBOOT_DELETE_SIGNATURE_FROM_DBX,
-        OPTION_DEL_DBX_QUESTION_ID
-        );
+        LABEL_SIGNATURE_LIST_START,
+        SECUREBOOT_DELETE_SIGNATURE_LIST_FORM,
+        OPTION_SIGNATURE_LIST_QUESTION_ID
+      );
+      break;
=20
+      //
+      // Delete all signature list and reload.
+      //
+    case KEY_SECURE_BOOT_DELETE_ALL_LIST:
+      CreatePopUp(
+        EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
+        &Key,
+        L"Press 'Y' to delete signature list.",
+        L"Press other key to cancel and exit.",
+        NULL
+      );
+
+      if (Key.UnicodeChar =3D=3D L'Y' || Key.UnicodeChar =3D=3D L'y') {
+        DeleteSignatureEx (Private, DELETE_SIGNATURE_LIST_ALL, IfrNvData->=
CheckedDataCount);
+      }
+
+      LoadSignatureList (
+        Private,
+        LABEL_SIGNATURE_LIST_START,
+        SECUREBOOT_DELETE_SIGNATURE_LIST_FORM,
+        OPTION_SIGNATURE_LIST_QUESTION_ID
+      );
+      break;
+
+      //
+      // Delete one signature list and reload.
+      //
+    case KEY_SECURE_BOOT_DELETE_ALL_DATA:
+      CreatePopUp(
+        EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
+        &Key,
+        L"Press 'Y' to delete signature data.",
+        L"Press other key to cancel and exit.",
+        NULL
+      );
+
+      if (Key.UnicodeChar =3D=3D L'Y' || Key.UnicodeChar =3D=3D L'y') {
+        DeleteSignatureEx (Private, DELETE_SIGNATURE_LIST_ONE, IfrNvData->=
CheckedDataCount);
+      }
+
+      LoadSignatureList (
+        Private,
+        LABEL_SIGNATURE_LIST_START,
+        SECUREBOOT_DELETE_SIGNATURE_LIST_FORM,
+        OPTION_SIGNATURE_LIST_QUESTION_ID
+      );
+      break;
+
+      //
+      // Delete checked signature data and reload.
+      //
+    case KEY_SECURE_BOOT_DELETE_CHECK_DATA:
+      CreatePopUp(
+        EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
+        &Key,
+        L"Press 'Y' to delete signature data.",
+        L"Press other key to cancel and exit.",
+        NULL
+      );
+
+      if (Key.UnicodeChar =3D=3D L'Y' || Key.UnicodeChar =3D=3D L'y') {
+        DeleteSignatureEx (Private, DELETE_SIGNATURE_DATA, IfrNvData->Chec=
kedDataCount);
+      }
+
+      LoadSignatureList (
+        Private,
+        LABEL_SIGNATURE_LIST_START,
+        SECUREBOOT_DELETE_SIGNATURE_LIST_FORM,
+        OPTION_SIGNATURE_LIST_QUESTION_ID
+      );
       break;
=20
     case SECUREBOOT_DELETE_SIGNATURE_FROM_DBT:
@@ -3799,17 +4783,25 @@ SecureBootCallback (
           OPTION_DEL_DB_QUESTION_ID,
           QuestionId - OPTION_DEL_DB_QUESTION_ID
           );
-      } else if ((QuestionId >=3D OPTION_DEL_DBX_QUESTION_ID) &&
-                 (QuestionId < (OPTION_DEL_DBX_QUESTION_ID + OPTION_CONFIG=
_RANGE))) {
-        DeleteSignature (
+      } else if ((QuestionId >=3D OPTION_SIGNATURE_LIST_QUESTION_ID) &&
+                 (QuestionId < (OPTION_SIGNATURE_LIST_QUESTION_ID + OPTION=
_CONFIG_RANGE))) {
+        LoadSignatureData (
           Private,
-          EFI_IMAGE_SECURITY_DATABASE1,
-          &gEfiImageSecurityDatabaseGuid,
-          LABEL_DBX_DELETE,
-          SECUREBOOT_DELETE_SIGNATURE_FROM_DBX,
-          OPTION_DEL_DBX_QUESTION_ID,
-          QuestionId - OPTION_DEL_DBX_QUESTION_ID
-          );
+          LABEL_SIGNATURE_DATA_START,
+          SECUREBOOT_DELETE_SIGNATURE_DATA_FORM,
+          OPTION_SIGNATURE_DATA_QUESTION_ID,
+          QuestionId - OPTION_SIGNATURE_LIST_QUESTION_ID
+        );
+        Private->ListIndex =3D QuestionId - OPTION_SIGNATURE_LIST_QUESTION=
_ID;
+      } else if ((QuestionId >=3D OPTION_SIGNATURE_DATA_QUESTION_ID) &&
+                 (QuestionId < (OPTION_SIGNATURE_DATA_QUESTION_ID + OPTION=
_CONFIG_RANGE))) {
+        if (Private->CheckArray[QuestionId - OPTION_SIGNATURE_DATA_QUESTIO=
N_ID]) {
+          IfrNvData->CheckedDataCount--;
+          Private->CheckArray[QuestionId - OPTION_SIGNATURE_DATA_QUESTION_=
ID] =3D FALSE;
+        } else {
+          IfrNvData->CheckedDataCount++;
+          Private->CheckArray[QuestionId - OPTION_SIGNATURE_DATA_QUESTION_=
ID] =3D TRUE;
+        }
       } else if ((QuestionId >=3D OPTION_DEL_DBT_QUESTION_ID) &&
                  (QuestionId < (OPTION_DEL_DBT_QUESTION_ID + OPTION_CONFIG=
_RANGE))) {
         DeleteSignature (
@@ -3899,6 +4891,14 @@ SecureBootCallback (
     if (SecureBootMode !=3D NULL) {
       FreePool (SecureBootMode);
     }
+
+    if (QuestionId =3D=3D KEY_SECURE_BOOT_DELETE_ALL_DATA) {
+      //
+      // Free memory when exit from the SECUREBOOT_DELETE_SIGNATURE_DATA_F=
ORM form.
+      //
+      SECUREBOOT_FREE_NON_NULL (Private->CheckArray);
+      IfrNvData->CheckedDataCount =3D 0;
+    }
   }
=20
 EXIT:
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo=
otConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu=
reBootConfigImpl.h
index 75b18f121c..501215cdf5 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
gImpl.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
gImpl.h
@@ -112,6 +112,23 @@ typedef struct {
   UINT8                             FileType;
 } SECUREBOOT_FILE_CONTEXT;
=20
+#define SECUREBOOT_FREE_NON_NULL(Pointer)   \
+  do {                                      \
+    if ((Pointer) !=3D NULL) {                \
+      FreePool((Pointer));                  \
+      (Pointer) =3D NULL;                     \
+    }                                       \
+  } while (FALSE)
+
+#define SECUREBOOT_FREE_NON_OPCODE(Handle)  \
+  do{                                       \
+    if ((Handle) !=3D NULL) {                 \
+      HiiFreeOpCodeHandle((Handle));        \
+    }                                       \
+  } while (FALSE)
+
+#define SIGNATURE_DATA_COUNTS(List)         \
+  (((List)->SignatureListSize - sizeof(EFI_SIGNATURE_LIST) - (List)->Signa=
tureHeaderSize) / (List)->SignatureSize)
=20
 //
 // We define another format of 5th directory entry: security directory
@@ -134,6 +151,19 @@ typedef struct {
   EFI_DEVICE_PATH_PROTOCOL          End;
 } HII_VENDOR_DEVICE_PATH;
=20
+typedef enum {
+  VARIABLE_DB,
+  VARIABLE_DBX,
+  VARIABLE_DBT,
+  VARIABLE_MAX
+} CURRENT_VARIABLE_NAME;
+
+typedef enum {
+  DELETE_SIGNATURE_LIST_ALL,
+  DELETE_SIGNATURE_LIST_ONE,
+  DELETE_SIGNATURE_DATA
+}SIGNATURE_DELETE_TYPE;
+
 typedef struct {
   UINTN                             Signature;
=20
@@ -144,6 +174,11 @@ typedef struct {
   SECUREBOOT_FILE_CONTEXT           *FileContext;
=20
   EFI_GUID                          *SignatureGUID;
+
+  CURRENT_VARIABLE_NAME             VariableName;     // The variable name=
 we are processing.
+  UINT32                            ListCount;        // Record current va=
riable has how many signature list.
+  UINTN                             ListIndex;        // Record which sign=
ature list is processing.
+  BOOLEAN                           *CheckArray;      // Record whcih siga=
nture data checked.jj
 } SECUREBOOT_CONFIG_PRIVATE_DATA;
=20
 extern SECUREBOOT_CONFIG_PRIVATE_DATA      mSecureBootConfigPrivateDateTem=
plate;
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo=
otConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Se=
cureBootConfigNvData.h
index 6b69f92b26..d112867e58 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
gNvData.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
gNvData.h
@@ -35,10 +35,11 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITH=
ER EXPRESS OR IMPLIED.
 #define SECUREBOOT_ENROLL_SIGNATURE_TO_DB     0x0b
 #define SECUREBOOT_DELETE_SIGNATURE_FROM_DB   0x0c
 #define SECUREBOOT_ENROLL_SIGNATURE_TO_DBX    0x0d
-#define SECUREBOOT_DELETE_SIGNATURE_FROM_DBX  0x0e
 #define FORMID_SECURE_BOOT_DBT_OPTION_FORM    0x14
 #define SECUREBOOT_ENROLL_SIGNATURE_TO_DBT    0x15
 #define SECUREBOOT_DELETE_SIGNATURE_FROM_DBT  0x16
+#define SECUREBOOT_DELETE_SIGNATURE_LIST_FORM 0x17
+#define SECUREBOOT_DELETE_SIGNATURE_DATA_FORM 0x18
=20
 #define SECURE_BOOT_MODE_CUSTOM               0x01
 #define SECURE_BOOT_MODE_STANDARD             0x00
@@ -57,6 +58,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER=
 EXPRESS OR IMPLIED.
 #define KEY_VALUE_SAVE_AND_EXIT_DBT           0x100d
 #define KEY_VALUE_NO_SAVE_AND_EXIT_DBT        0x100e
=20
+#define KEY_VALUE_FROM_DBX_TO_LIST_FORM       0x100f
+
 #define KEY_SECURE_BOOT_OPTION                0x1100
 #define KEY_SECURE_BOOT_PK_OPTION             0x1101
 #define KEY_SECURE_BOOT_KEK_OPTION            0x1102
@@ -71,14 +74,18 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITH=
ER EXPRESS OR IMPLIED.
 #define KEY_SECURE_BOOT_SIGNATURE_GUID_DBX    0x110c
 #define KEY_SECURE_BOOT_DBT_OPTION            0x110d
 #define KEY_SECURE_BOOT_SIGNATURE_GUID_DBT    0x110e
+#define KEY_SECURE_BOOT_DELETE_ALL_LIST       0x110f
+#define KEY_SECURE_BOOT_DELETE_ALL_DATA       0x1110
+#define KEY_SECURE_BOOT_DELETE_CHECK_DATA     0x1111
=20
 #define LABEL_KEK_DELETE                      0x1200
 #define LABEL_DB_DELETE                       0x1201
-#define LABEL_DBX_DELETE                      0x1202
+#define LABEL_SIGNATURE_LIST_START            0x1202
 #define LABEL_DBT_DELETE                      0x1203
+#define LABEL_SIGNATURE_DATA_START            0x1204
+#define LABEL_DELETE_ALL_LIST_BUTTON          0x1300
 #define LABEL_END                             0xffff
=20
-
 #define SECURE_BOOT_MAX_ATTEMPTS_NUM          255
=20
 #define CONFIG_OPTION_OFFSET                  0x2000
@@ -95,9 +102,13 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITH=
ER EXPRESS OR IMPLIED.
 //
 #define OPTION_DEL_DB_QUESTION_ID             0x3000
 //
-// Question ID 0x4000 ~ 0x4FFF is for DBX
+// Question ID 0x4000 ~ 0x4FFF is for signature list.
+//
+#define OPTION_SIGNATURE_LIST_QUESTION_ID     0X4000
+//
+// Question ID 0x6000 ~ 0x6FFF is for signature data.
 //
-#define OPTION_DEL_DBX_QUESTION_ID            0x4000
+#define OPTION_SIGNATURE_DATA_QUESTION_ID     0x6000
=20
 //
 // Question ID 0x5000 ~ 0x5FFF is for DBT
@@ -128,6 +139,8 @@ typedef struct {
   EFI_HII_DATE RevocationDate; // The revocation date of the certificate
   EFI_HII_TIME RevocationTime; // The revocation time of the certificate
   UINT8   FileEnrollType;      // File type of sigunature enroll
+  UINT32  ListCount;           // The count of signature list.
+  UINT32  CheckedDataCount;    // The count of checked signature data.
 } SECUREBOOT_CONFIGURATION;
=20
 #endif
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo=
otConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe=
/SecureBootConfigStrings.uni
index 320cc79c47..bf42598fa3 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
gStrings.uni
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
gStrings.uni
@@ -29,6 +29,13 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHE=
R EXPRESS OR IMPLIED.
=20
 #string STR_SECURE_BOOT_ENROLL_SIGNATURE   #language en-US "Enroll Signatu=
re"
 #string STR_SECURE_BOOT_DELETE_SIGNATURE   #language en-US "Delete Signatu=
re"
+#string STR_SECURE_BOOT_DELETE_LIST_FORM   #language en-US "Delete Signatu=
re List Form"
+#string STR_SECURE_BOOT_DELETE_DATA_FORM   #language en-US "Delete Signatu=
re Data Form"
+#string STR_SECURE_BOOT_DELETE_ALL_LIST    #language en-US "Delete All Sig=
nature List"
+#string STR_SECURE_BOOT_DELETE_ALL_DATA    #language en-US "Delete All Sig=
nature Data"
+#string STR_SECURE_BOOT_DELETE_CHECK_DATA  #language en-US "Delete Checked=
 Signature Data"
+#string STR_SECURE_BOOT_DELETE_ALL_DATA_HELP   #language en-US "All signat=
ure data will be deleted, no matter how many signature data have you checke=
d."
+#string STR_SECURE_BOOT_DELETE_CHECK_DATA_HELP #language en-US "All checke=
d signature data will be deleted."
=20
 #string STR_SECURE_BOOT_SIGNATURE_GUID     #language en-US "Signature GUID"
 #string STR_SECURE_BOOT_SIGNATURE_GUID_HELP #language en-US "Input digit c=
haracter in 11111111-2222-3333-4444-1234567890ab format."
@@ -114,3 +121,22 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EIT=
HER EXPRESS OR IMPLIED.
 #string STR_CERT_TYPE_X509_SHA256_GUID            #language en-US "X509_SH=
A256_GUID"
 #string STR_CERT_TYPE_X509_SHA384_GUID            #language en-US "X509_SH=
A384_GUID"
 #string STR_CERT_TYPE_X509_SHA512_GUID            #language en-US "X509_SH=
A512_GUID"
+
+#string STR_LIST_TYPE_RSA2048_SHA256              #language en-US "RSA2048=
_SHA256"
+#string STR_LIST_TYPE_X509                        #language en-US "X509"
+#string STR_LIST_TYPE_SHA1                        #language en-US "SHA1"
+#string STR_LIST_TYPE_SHA256                      #language en-US "SHA256"
+#string STR_LIST_TYPE_X509_SHA256                 #language en-US "X509_SH=
A256"
+#string STR_LIST_TYPE_X509_SHA384                 #language en-US "X509_SH=
A384"
+#string STR_LIST_TYPE_X509_SHA512                 #language en-US "X509_SH=
A512"
+#string STR_LIST_TYPE_UNKNOWN                     #language en-US "UnKnown"
+
+#string STR_SIGNATURE_LIST_NAME_FORMAT            #language en-US "Signatu=
re List, Entry-%d"
+#string STR_SIGNATURE_DATA_NAME_FORMAT            #language en-US "Signatu=
re Data, Entry-%d"
+#string STR_SIGNATURE_LIST_HELP_FORMAT            #language en-US "List Ty=
pe:\n  %s\n\nEntry Number:\n  %d"
+#string STR_SIGNATURE_DATA_HELP_FORMAT_GUID       #language en-US "Owner G=
UID:\n%s\n\n"
+#string STR_SIGNATURE_DATA_HELP_FORMAT_CN         #language en-US "%s(%d b=
ytes):\nCN =3D %s\n"
+#string STR_SIGNATURE_DATA_HELP_FORMAT_HASH       #language en-US "%s(%d b=
ytes):\n%s\n"
+#string STR_SIGNATURE_DATA_HELP_FORMAT_TIME       #language en-US "Revocat=
ion Time:\n%s"
+
+#string STR_SIGNATURE_DELETE_ALL_CONFIRM          #language en-US "Press '=
Y' to delete all signature List."
--=20
2.13.2.windows.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel