From nobody Sun May 12 14:48:54 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+39676+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39676+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556326422; cv=none; d=zoho.com; s=zohoarc; b=RLfdl/3BGKa8KMfl+G5Gml/4/rRMohvD/JgelrshRYnxfnvX3YtTqrtcIloi+Wj95sQPH2XB+IyccQB93UCEGYhboaLDpm90ek9BqXO3TlrVE1QmqyN76CmiJAHm4Xm7NHoCXdNZ0aYfviYC0jDVKu8JkKuVSocQFD4T6q9yYWw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556326422; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=dgVrGWJV8etEtN3yfAXL1EbuF2YJzkp4KizGMz+Eeu4=; b=b/YuqMRmfAiGm13ykPUBIisxXMPoMew2bVnN1Yrd7azgRsYZ/yjDDKE7MH5SSlGEmxSgRysi2slllvG6oSumPhQ0IMNr0wj9pVxaaRqXUHulZrK9RsBUcHL8KuavjwKcky52A4QCG9xdkiVmLfjZPUzKQiI65Yg7wf3xZjU/Mkw= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39676+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1556326422178414.90137304857853; Fri, 26 Apr 2019 17:53:42 -0700 (PDT) Return-Path: X-Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:53:41 -0700 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id B61DB317465E; Sat, 27 Apr 2019 00:53:40 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9A2775D70A; Sat, 27 Apr 2019 00:53:37 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Anthony Perard , Ard Biesheuvel , Jordan Justen , Julien Grall Subject: [edk2-devel] [PATCH 01/16] OvmfPkg: introduce EnrollDefaultKeys application Date: Sat, 27 Apr 2019 02:53:13 +0200 Message-Id: <20190427005328.27005-2-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.41]); Sat, 27 Apr 2019 00:53:40 +0000 (UTC) Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1556326421; bh=28fyKSwFuRrxpwyA4Hh+yKTe3o2IhSpv10JJl7FNFmY=; h=Cc:Date:From:Reply-To:Subject:To; b=IuXE/eoVIT5L7tgX8RhrCUptuiQI4ka23iwtxBdhS+S2THPFjf9cS3ZUwulwfV/701b wOn2bSqr2W+fMf5nVTiW7x/Nr/cgTnWcweqAdY9ecp9cFeyTixGpl7WJGRC79E5QIU354 CRUtrVdF22HGCQYa5d8LaT59tuE2SlA9L04= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" Add the OvmfPkg/EnrollDefaultKeys shell application source as it is at the "edk2-20190308git89910a39dcfd-2.el8" tag in RHEL8's downstream "edk2" package. Further patches in this series will replace Red Hat-specific bits in the application, with a conduit to pass in parameters directly from the host side, on both QEMU and Xen. (Note: at the moment, Xen doesn't support Secure Boot, due to lacking a standards-conformant variable driver stack. However, that could change soon , and then this facility will become useful on Xen too.) The use case for this application (including why it is only being added to the DSC files) is explained in detail in . Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 Signed-off-by: Laszlo Ersek Acked-by: Ard Biesheuvel Reviewed-by: Philippe Mathieu-Daude --- OvmfPkg/OvmfPkgIa32.dsc | 2 + OvmfPkg/OvmfPkgIa32X64.dsc | 2 + OvmfPkg/OvmfPkgX64.dsc | 2 + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 52 + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 1015 ++++++++++++++++++++ 5 files changed, 1073 insertions(+) diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 98a8467e86ab..36a0f87258dd 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -190,16 +190,17 @@ [LibraryClasses] HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf !endif =20 !if $(TLS_ENABLE) =3D=3D TRUE TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf !endif =20 ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf + ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip= tLib.inf SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib= /BaseOrderedCollectionRedBlackTreeLib.inf XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf =20 !if $(TPM2_ENABLE) =3D=3D TRUE Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeT= cg2PhysicalPresenceLib.inf @@ -858,16 +859,17 @@ [Components] gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0xFF gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 } =20 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf !endif =20 OvmfPkg/PlatformDxe/Platform.inf OvmfPkg/IoMmuDxe/IoMmuDxe.inf =20 !if $(SMM_REQUIRE) =3D=3D TRUE OvmfPkg/SmmAccess/SmmAccess2Dxe.inf OvmfPkg/SmmControl2Dxe/SmmControl2Dxe.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index 1f722fc9872c..9b341e17d7ff 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -195,16 +195,17 @@ [LibraryClasses] HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf !endif =20 !if $(TLS_ENABLE) =3D=3D TRUE TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf !endif =20 ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf + ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip= tLib.inf SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib= /BaseOrderedCollectionRedBlackTreeLib.inf XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf =20 !if $(TPM2_ENABLE) =3D=3D TRUE Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeT= cg2PhysicalPresenceLib.inf @@ -867,16 +868,17 @@ [Components.X64] gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0xFF gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 } =20 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf !endif =20 OvmfPkg/PlatformDxe/Platform.inf OvmfPkg/AmdSevDxe/AmdSevDxe.inf OvmfPkg/IoMmuDxe/IoMmuDxe.inf =20 !if $(SMM_REQUIRE) =3D=3D TRUE OvmfPkg/SmmAccess/SmmAccess2Dxe.inf diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 2927ee07b835..a0f87f74dab9 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -195,16 +195,17 @@ [LibraryClasses] HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf !endif =20 !if $(TLS_ENABLE) =3D=3D TRUE TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf !endif =20 ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf + ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip= tLib.inf SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib= /BaseOrderedCollectionRedBlackTreeLib.inf XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf =20 !if $(TPM2_ENABLE) =3D=3D TRUE Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeT= cg2PhysicalPresenceLib.inf @@ -865,16 +866,17 @@ [Components] gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0xFF gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 } =20 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf !endif =20 OvmfPkg/PlatformDxe/Platform.inf OvmfPkg/AmdSevDxe/AmdSevDxe.inf OvmfPkg/IoMmuDxe/IoMmuDxe.inf =20 !if $(SMM_REQUIRE) =3D=3D TRUE OvmfPkg/SmmAccess/SmmAccess2Dxe.inf diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/Enro= llDefaultKeys/EnrollDefaultKeys.inf new file mode 100644 index 000000000000..0ad86a2843e6 --- /dev/null +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf @@ -0,0 +1,52 @@ +## @file +# Enroll default PK, KEK, DB. +# +# Copyright (C) 2014, Red Hat, Inc. +# +# This program and the accompanying materials are licensed and made avail= able +# under the terms and conditions of the BSD License which accompanies this +# distribution. The full text of the license may be found at +# http://opensource.org/licenses/bsd-license. +# +# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR +# IMPLIED. +## + +[Defines] + INF_VERSION =3D 0x00010006 + BASE_NAME =3D EnrollDefaultKeys + FILE_GUID =3D D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A + MODULE_TYPE =3D UEFI_APPLICATION + VERSION_STRING =3D 0.1 + ENTRY_POINT =3D ShellCEntryLib + +# +# VALID_ARCHITECTURES =3D IA32 X64 +# + +[Sources] + EnrollDefaultKeys.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + ShellPkg/ShellPkg.dec + +[Guids] + gEfiCertPkcs7Guid + gEfiCertSha256Guid + gEfiCertX509Guid + gEfiCustomModeEnableGuid + gEfiGlobalVariableGuid + gEfiImageSecurityDatabaseGuid + gEfiSecureBootEnableDisableGuid + +[LibraryClasses] + BaseMemoryLib + DebugLib + MemoryAllocationLib + ShellCEntryLib + UefiLib + UefiRuntimeServicesTableLib diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/Enroll= DefaultKeys/EnrollDefaultKeys.c new file mode 100644 index 000000000000..dd413df12de3 --- /dev/null +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -0,0 +1,1015 @@ +/** @file + Enroll default PK, KEK, DB. + + Copyright (C) 2014, Red Hat, Inc. + + This program and the accompanying materials are licensed and made availa= ble + under the terms and conditions of the BSD License which accompanies this + distribution. The full text of the license may be found at + http://opensource.org/licenses/bsd-license. + + THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WI= THOUT + WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. +**/ +#include // gEfiCustomModeEnableGu= id +#include // EFI_SETUP_MODE_NAME +#include // EFI_IMAGE_SECURITY_DAT= ABASE +#include // CopyGuid() +#include // ASSERT() +#include // FreePool() +#include // ShellAppMain() +#include // AsciiPrint() +#include // gRT + +// +// We'll use the certificate below as both Platform Key and as first Key +// Exchange Key. +// +// "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=3Dsecalert@redhat.com" +// SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97 +// +STATIC CONST UINT8 RedHatPkKek1[] =3D { + 0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, = 0x02, + 0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, = 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, = 0x00, + 0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, = 0x22, + 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, = 0x72, + 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, = 0x45, + 0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, = 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, = 0x73, + 0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, = 0x61, + 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, = 0x30, + 0x33, 0x31, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, = 0x37, + 0x31, 0x30, 0x32, 0x35, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x30, = 0x51, + 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x52, = 0x65, + 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, = 0x20, + 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45, 0x4b, = 0x20, + 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, = 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, = 0x63, + 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, = 0x2e, + 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, = 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, = 0x0f, + 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x90, 0x1f, = 0x84, + 0x7b, 0x8d, 0xbc, 0xeb, 0x97, 0x26, 0x82, 0x6d, 0x88, 0xab, 0x8a, 0xc9, = 0x8c, + 0x68, 0x70, 0xf9, 0xdf, 0x4b, 0x07, 0xb2, 0x37, 0x83, 0x0b, 0x02, 0xc8, = 0x67, + 0x68, 0x30, 0x9e, 0xe3, 0xf0, 0xf0, 0x99, 0x4a, 0xb8, 0x59, 0x57, 0xc6, = 0x41, + 0xf6, 0x38, 0x8b, 0xfe, 0x66, 0x4c, 0x49, 0xe9, 0x37, 0x37, 0x92, 0x2e, = 0x98, + 0x01, 0x1e, 0x5b, 0x14, 0x50, 0xe6, 0xa8, 0x8d, 0x25, 0x0d, 0xf5, 0x86, = 0xe6, + 0xab, 0x30, 0xcb, 0x40, 0x16, 0xea, 0x8d, 0x8b, 0x16, 0x86, 0x70, 0x43, = 0x37, + 0xf2, 0xce, 0xc0, 0x91, 0xdf, 0x71, 0x14, 0x8e, 0x99, 0x0e, 0x89, 0xb6, = 0x4c, + 0x6d, 0x24, 0x1e, 0x8c, 0xe4, 0x2f, 0x4f, 0x25, 0xd0, 0xba, 0x06, 0xf8, = 0xc6, + 0xe8, 0x19, 0x18, 0x76, 0x73, 0x1d, 0x81, 0x6d, 0xa8, 0xd8, 0x05, 0xcf, = 0x3a, + 0xc8, 0x7b, 0x28, 0xc8, 0x36, 0xa3, 0x16, 0x0d, 0x29, 0x8c, 0x99, 0x9a, = 0x68, + 0xdc, 0xab, 0xc0, 0x4d, 0x8d, 0xbf, 0x5a, 0xbb, 0x2b, 0xa9, 0x39, 0x4b, = 0x04, + 0x97, 0x1c, 0xf9, 0x36, 0xbb, 0xc5, 0x3a, 0x86, 0x04, 0xae, 0xaf, 0xd4, = 0x82, + 0x7b, 0xe0, 0xab, 0xde, 0x49, 0x05, 0x68, 0xfc, 0xf6, 0xae, 0x68, 0x1a, = 0x6c, + 0x90, 0x4d, 0x57, 0x19, 0x3c, 0x64, 0x66, 0x03, 0xf6, 0xc7, 0x52, 0x9b, = 0xf7, + 0x94, 0xcf, 0x93, 0x6a, 0xa1, 0x68, 0xc9, 0xaa, 0xcf, 0x99, 0x6b, 0xbc, = 0xaa, + 0x5e, 0x08, 0xe7, 0x39, 0x1c, 0xf7, 0xf8, 0x0f, 0xba, 0x06, 0x7e, 0xf1, = 0xcb, + 0xe8, 0x76, 0xdd, 0xfe, 0x22, 0xda, 0xad, 0x3a, 0x5e, 0x5b, 0x34, 0xea, = 0xb3, + 0xc9, 0xe0, 0x4d, 0x04, 0x29, 0x7e, 0xb8, 0x60, 0xb9, 0x05, 0xef, 0xb5, = 0xd9, + 0x17, 0x58, 0x56, 0x16, 0x60, 0xb9, 0x30, 0x32, 0xf0, 0x36, 0x4a, 0xc3, = 0xf2, + 0x79, 0x8d, 0x12, 0x40, 0x70, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, = 0x7b, + 0x30, 0x79, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, = 0x00, + 0x30, 0x2c, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, = 0x0d, + 0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, = 0x47, + 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72, = 0x74, + 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, = 0x1d, + 0x0e, 0x04, 0x16, 0x04, 0x14, 0x3c, 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, = 0x0a, + 0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42, 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, = 0x30, + 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, = 0x3c, + 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a, 0x7b, 0xa3, 0x42, 0xf4, 0x8d, = 0x42, + 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, = 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, = 0x00, + 0x5c, 0x4d, 0x92, 0x88, 0xb4, 0x82, 0x5f, 0x1d, 0xad, 0x8b, 0x11, 0xec, = 0xdf, + 0x06, 0xa6, 0x7a, 0xa5, 0x2b, 0x9f, 0x37, 0x55, 0x0c, 0x8d, 0x6e, 0x05, = 0x00, + 0xad, 0xb7, 0x0c, 0x41, 0x89, 0x69, 0xcf, 0xd6, 0x65, 0x06, 0x9b, 0x51, = 0x78, + 0xd2, 0xad, 0xc7, 0xbf, 0x9c, 0xdc, 0x05, 0x73, 0x7f, 0xe7, 0x1e, 0x39, = 0x13, + 0xb4, 0xea, 0xb6, 0x30, 0x7d, 0x40, 0x75, 0xab, 0x9c, 0x43, 0x0b, 0xdf, = 0xb0, + 0xc2, 0x1b, 0xbf, 0x30, 0xe0, 0xf4, 0xfe, 0xc0, 0xdb, 0x62, 0x21, 0x98, = 0xf6, + 0xc5, 0xaf, 0xde, 0x3b, 0x4f, 0x49, 0x0a, 0xe6, 0x1e, 0xf9, 0x86, 0xb0, = 0x3f, + 0x0d, 0xd6, 0xd4, 0x46, 0x37, 0xdb, 0x54, 0x74, 0x5e, 0xff, 0x11, 0xc2, = 0x60, + 0xc6, 0x70, 0x58, 0xc5, 0x1c, 0x6f, 0xec, 0xb2, 0xd8, 0x6e, 0x6f, 0xc3, = 0xbc, + 0x33, 0x87, 0x38, 0xa4, 0xf3, 0x44, 0x64, 0x9c, 0x34, 0x3b, 0x28, 0x94, = 0x26, + 0x78, 0x27, 0x9f, 0x16, 0x17, 0xe8, 0x3b, 0x69, 0x0a, 0x25, 0xa9, 0x73, = 0x36, + 0x7e, 0x9e, 0x37, 0x5c, 0xec, 0xe8, 0x3f, 0xdb, 0x91, 0xf9, 0x12, 0xb3, = 0x3d, + 0xce, 0xe7, 0xdd, 0x15, 0xc3, 0xae, 0x8c, 0x05, 0x20, 0x61, 0x9b, 0x95, = 0xde, + 0x9b, 0xaf, 0xfa, 0xb1, 0x5c, 0x1c, 0xe5, 0x97, 0xe7, 0xc3, 0x34, 0x11, = 0x85, + 0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, = 0x90, + 0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, = 0xaf, + 0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, = 0x37, + 0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, = 0xb7, + 0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, = 0x43, + 0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69 +}; + +// +// Second KEK: "Microsoft Corporation KEK CA 2011". +// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30 +// +// "dbx" updates in "dbxtool" are signed with a key derived from this KEK. +// +STATIC CONST UINT8 MicrosoftKEK[] =3D { + 0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, = 0x02, + 0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, = 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, = 0x05, + 0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, = 0x06, + 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, = 0x08, + 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, = 0x31, + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, = 0x64, + 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, = 0x0a, + 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, = 0x43, + 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, = 0x30, + 0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, = 0x6f, + 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, = 0x74, + 0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, = 0x72, + 0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, = 0x63, + 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, = 0x30, + 0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, = 0x32, + 0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, = 0x30, + 0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, = 0x02, + 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, = 0x0a, + 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, = 0x30, + 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, = 0x6f, + 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, = 0x15, + 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, = 0x72, + 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, = 0x06, + 0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, = 0x6f, + 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, = 0x6f, + 0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, = 0x31, + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, = 0xf7, + 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, = 0x82, + 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, = 0xad, + 0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, = 0x5d, + 0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, = 0xeb, + 0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, = 0xe3, + 0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, = 0x9b, + 0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, = 0xac, + 0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, = 0xc8, + 0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, = 0xc0, + 0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, = 0xe2, + 0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, = 0x89, + 0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, = 0xc2, + 0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, = 0x03, + 0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, = 0x7e, + 0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, = 0xeb, + 0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, = 0x2f, + 0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, = 0xaa, + 0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, = 0x9f, + 0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, = 0xc6, + 0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, = 0xaf, + 0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, = 0x07, + 0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, = 0x30, + 0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, = 0x82, + 0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, = 0x55, + 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, = 0xa4, + 0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, = 0x5f, + 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, = 0x02, + 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, = 0x00, + 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, = 0x01, + 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, = 0x05, + 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, = 0x04, + 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, = 0x11, + 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, = 0x30, + 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, = 0xa0, + 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, = 0x63, + 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, = 0x2e, + 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, = 0x70, + 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, = 0x6f, + 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, = 0x6f, + 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, = 0x63, + 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, = 0x01, + 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, = 0x05, + 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, = 0x2f, + 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, = 0x74, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, = 0x74, + 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, = 0x61, + 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, = 0x2d, + 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, = 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, = 0x82, + 0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, = 0x2a, + 0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, = 0x66, + 0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, = 0x5a, + 0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, = 0x64, + 0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, = 0x58, + 0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, = 0xd0, + 0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, = 0xf5, + 0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, = 0xec, + 0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, = 0xd7, + 0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, = 0x28, + 0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, = 0x79, + 0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, = 0x7b, + 0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, = 0xd8, + 0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, = 0x19, + 0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, = 0x58, + 0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, = 0x0d, + 0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, = 0x2d, + 0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, = 0xc8, + 0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, = 0x60, + 0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, = 0xac, + 0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, = 0x87, + 0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, = 0xcd, + 0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, = 0x81, + 0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, = 0x92, + 0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, = 0xe0, + 0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, = 0xaf, + 0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, = 0xfb, + 0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, = 0x68, + 0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, = 0xad, + 0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, = 0x82, + 0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, = 0x14, + 0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, = 0x4f, + 0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, = 0x9b, + 0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, = 0xb0, + 0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, = 0x5d, + 0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, = 0x38, + 0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, = 0x1c, + 0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, = 0x14, + 0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, = 0xc5, + 0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e +}; + +// +// First DB entry: "Microsoft Windows Production PCA 2011" +// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d +// +// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a cha= in +// rooted in this certificate. +// +STATIC CONST UINT8 MicrosoftPCA[] =3D { + 0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, = 0x02, + 0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, = 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, = 0x05, + 0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, = 0x06, + 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, = 0x08, + 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, = 0x31, + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, = 0x64, + 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, = 0x0a, + 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, = 0x43, + 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, = 0x30, + 0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, = 0x6f, + 0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, = 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, = 0x68, + 0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, = 0x17, + 0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, = 0x32, + 0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, = 0x31, + 0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, = 0x55, + 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, = 0x55, + 0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, = 0x6f, + 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, = 0x52, + 0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, = 0x55, + 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, = 0x74, + 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, = 0x31, + 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, = 0x63, + 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, = 0x77, + 0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, = 0x20, + 0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, = 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, = 0x05, + 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, = 0x01, + 0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, = 0xf7, + 0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, = 0xcb, + 0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, = 0x8b, + 0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, = 0xe3, + 0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, = 0xc0, + 0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, = 0x74, + 0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, = 0x67, + 0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, = 0x53, + 0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, = 0x23, + 0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, = 0xa3, + 0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, = 0xff, + 0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, = 0xe2, + 0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, = 0x22, + 0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, = 0xf3, + 0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, = 0x2b, + 0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, = 0xbc, + 0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, = 0xd6, + 0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, = 0xe8, + 0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, = 0xa8, + 0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, = 0x03, + 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, = 0x10, + 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, = 0x03, + 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, = 0x04, + 0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, = 0xf9, + 0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, = 0x2b, + 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, = 0x00, + 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, = 0x03, + 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, = 0x03, + 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, = 0xff, + 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, = 0x14, + 0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, = 0x94, + 0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, = 0x1d, + 0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, = 0x45, + 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, = 0x69, + 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, = 0x70, + 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, = 0x63, + 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, = 0x41, + 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, = 0x33, + 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, = 0x05, + 0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, = 0x06, + 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, = 0x3a, + 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, = 0x6f, + 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, = 0x65, + 0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, = 0x72, + 0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, = 0x32, + 0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, = 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, = 0x14, + 0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, = 0xbc, + 0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, = 0xd0, + 0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, = 0x61, + 0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, = 0xda, + 0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, = 0x6a, + 0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, = 0xe2, + 0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, = 0xea, + 0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, = 0x30, + 0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, = 0x86, + 0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, = 0xc8, + 0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, = 0xae, + 0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, = 0xb8, + 0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, = 0xac, + 0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, = 0x84, + 0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, = 0x73, + 0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, = 0x73, + 0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, = 0x60, + 0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, = 0xb6, + 0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, = 0x2a, + 0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, = 0xba, + 0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, = 0xce, + 0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, = 0x0f, + 0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, = 0x6e, + 0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, = 0xd3, + 0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, = 0x45, + 0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, = 0xd0, + 0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, = 0x24, + 0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, = 0x2c, + 0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, = 0xdf, + 0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, = 0x6c, + 0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, = 0xf2, + 0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, = 0x5c, + 0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, = 0x47, + 0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, = 0x5a, + 0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, = 0x21, + 0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, = 0x86, + 0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, = 0xd6, + 0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, = 0xb9, + 0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, = 0xa4, + 0x62, 0x1c, 0x59, 0x7e +}; + +// +// Second DB entry: "Microsoft Corporation UEFI CA 2011" +// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3 +// +// To verify the "shim" binary and PCI expansion ROMs with. +// +STATIC CONST UINT8 MicrosoftUefiCA[] =3D { + 0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, = 0x02, + 0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, = 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, = 0x05, + 0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, = 0x06, + 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, = 0x08, + 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, = 0x31, + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, = 0x64, + 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, = 0x0a, + 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, = 0x43, + 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, = 0x30, + 0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, = 0x6f, + 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, = 0x74, + 0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, = 0x72, + 0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, = 0x63, + 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, = 0x30, + 0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, = 0x32, + 0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, = 0x30, + 0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, = 0x02, + 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, = 0x0a, + 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, = 0x30, + 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, = 0x6f, + 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, = 0x15, + 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, = 0x72, + 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, = 0x06, + 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, = 0x6f, + 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, = 0x6f, + 0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, = 0x31, + 0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, = 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, = 0x30, + 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, = 0xc7, + 0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, = 0x43, + 0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, = 0x73, + 0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, = 0xd3, + 0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, = 0x54, + 0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, = 0x5c, + 0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, = 0x4f, + 0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, = 0xae, + 0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, = 0x1d, + 0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, = 0xfa, + 0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, = 0xff, + 0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, = 0x7b, + 0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, = 0xe6, + 0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, = 0x62, + 0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, = 0x08, + 0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, = 0xe7, + 0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, = 0xb2, + 0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, = 0x7f, + 0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, = 0x8b, + 0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, = 0x6a, + 0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, = 0x76, + 0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, = 0x01, + 0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, = 0x23, + 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, = 0x16, + 0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, = 0x37, + 0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, = 0x03, + 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, = 0xbd, + 0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, = 0x1b, + 0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, = 0x14, + 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, = 0x43, + 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, = 0x02, + 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, = 0x04, + 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, = 0x23, + 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, = 0x58, + 0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, = 0xa8, + 0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, = 0x51, + 0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, = 0x2f, + 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, = 0x74, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, = 0x2f, + 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, = 0x43, + 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, = 0x6f, + 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, = 0x2e, + 0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, = 0x07, + 0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, = 0x01, + 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, = 0x2f, + 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, = 0x66, + 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, = 0x72, + 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, = 0x50, + 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, = 0x30, + 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, = 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, = 0x03, + 0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, = 0x76, + 0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, = 0xef, + 0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, = 0x13, + 0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, = 0x82, + 0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, = 0x1a, + 0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, = 0x20, + 0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, = 0x90, + 0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, = 0x52, + 0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, = 0x6d, + 0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, = 0xaf, + 0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, = 0x49, + 0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, = 0x34, + 0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, = 0x75, + 0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, = 0xb9, + 0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, = 0x8f, + 0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, = 0x8c, + 0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, = 0x56, + 0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, = 0xae, + 0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, = 0x4a, + 0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, = 0x3c, + 0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, = 0x59, + 0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, = 0x3d, + 0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, = 0x53, + 0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, = 0x1b, + 0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, = 0x98, + 0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, = 0x85, + 0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, = 0xd2, + 0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, = 0xe2, + 0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, = 0x6c, + 0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, = 0x3b, + 0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, = 0x27, + 0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, = 0xa6, + 0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, = 0x3f, + 0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, = 0x55, + 0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, = 0x1e, + 0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, = 0x62, + 0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, = 0xf8, + 0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, = 0xf6, + 0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, = 0x75, + 0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58 +}; + +// +// The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test= case +// of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit +// expects that the "dbx" variable exist. +// +// The article at +// writes (excerpt): +// +// Windows 8.1 Secure Boot Key Creation and Management Guidance +// 1. Secure Boot, Windows 8.1 and Key Management +// 1.4 Signature Databases (Db and Dbx) +// 1.4.3 Forbidden Signature Database (dbx) +// +// The contents of EFI_IMAGE_SIGNATURE_DATABASE1 dbx must be checked wh= en +// verifying images before checking db and any matches must prevent the +// image from executing. The database may contain multiple certificates, +// keys, and hashes in order to identify forbidden images. The Windows +// Hardware Certification Requirements state that a dbx must be present= , so +// any dummy value, such as the SHA-256 hash of 0, may be used as a safe +// placeholder until such time as Microsoft begins delivering dbx updat= es. +// +// The byte array below captures the SHA256 checksum of the empty file, +// blacklisting it for loading & execution. This qualifies as a dummy, sin= ce +// the empty file is not a valid UEFI binary anyway. +// +// Technically speaking, we could also capture an official (although soon = to be +// obsolete) dbx update from . How= ever, +// the terms and conditions on distributing that binary aren't exactly lig= ht +// reading, so let's best steer clear of it, and follow the "dummy entry" +// practice recommended -- in natural English langauge -- in the +// above-referenced TechNet article. +// +STATIC CONST UINT8 mSha256OfDevNull[] =3D { + 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, = 0x99, + 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, = 0x95, + 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55 +}; + +// +// The following test cases of the Secure Boot Logo Test in the Microsoft +// Hardware Certification Kit: +// +// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent +// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureI= nDB +// +// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be +// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the +// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509 +// certificates: +// +// - "Microsoft Corporation KEK CA 2011" (in KEK) +// - "Microsoft Windows Production PCA 2011" (in db) +// - "Microsoft Corporation UEFI CA 2011" (in db) +// +// This is despite the fact that the UEFI specification requires +// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS, +// application or driver) that enrolled and therefore owns +// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued +// EFI_SIGNATURE_DATA.SignatureData. +// +STATIC CONST EFI_GUID mMicrosoftOwnerGuid =3D { + 0x77fa9abd, 0x0359, 0x4d32, + { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, +}; + +// +// The most important thing about the variable payload is that it is a lis= t of +// lists, where the element size of any given *inner* list is constant. +// +// Since X509 certificates vary in size, each of our *inner* lists will co= ntain +// one element only (one X.509 certificate). This is explicitly mentioned = in +// the UEFI specification, in "28.4.1 Signature Database", in a Note. +// +// The list structure looks as follows: +// +// struct EFI_VARIABLE_AUTHENTICATION_2 { | +// struct EFI_TIME { | +// UINT16 Year; | +// UINT8 Month; | +// UINT8 Day; | +// UINT8 Hour; | +// UINT8 Minute; | +// UINT8 Second; | +// UINT8 Pad1; | +// UINT32 Nanosecond; | +// INT16 TimeZone; | +// UINT8 Daylight; | +// UINT8 Pad2; | +// } TimeStamp; | +// | +// struct WIN_CERTIFICATE_UEFI_GUID { | | +// struct WIN_CERTIFICATE { | | +// UINT32 dwLength; ----------------------------------------+ | +// UINT16 wRevision; | | +// UINT16 wCertificateType; | | +// } Hdr; | +- Dat= aSize +// | | +// EFI_GUID CertType; | | +// UINT8 CertData[1] =3D { <--- "struct hack" | | +// struct EFI_SIGNATURE_LIST { | | | +// EFI_GUID SignatureType; | | | +// UINT32 SignatureListSize; -------------------------+ | | +// UINT32 SignatureHeaderSize; | | | +// UINT32 SignatureSize; ---------------------------+ | | | +// UINT8 SignatureHeader[SignatureHeaderSize]; | | | | +// v | | | +// struct EFI_SIGNATURE_DATA { | | | | +// EFI_GUID SignatureOwner; | | | | +// UINT8 SignatureData[1] =3D { <--- "struct hack" | | | | +// X.509 payload | | | | +// } | | | | +// } Signatures[]; | | | +// } SigLists[]; | | +// }; | | +// } AuthInfo; | | +// }; | +// +// Given that the "struct hack" invokes undefined behavior (which is why C= 99 +// introduced the flexible array member), and because subtracting those pe= sky +// sizes of 1 is annoying, and because the format is fully specified in the +// UEFI specification, we'll introduce two matching convenience structures= that +// are customized for our X.509 purposes. +// +#pragma pack(1) +typedef struct { + EFI_TIME TimeStamp; + + // + // dwLength covers data below + // + UINT32 dwLength; + UINT16 wRevision; + UINT16 wCertificateType; + EFI_GUID CertType; +} SINGLE_HEADER; + +typedef struct { + // + // SignatureListSize covers data below + // + EFI_GUID SignatureType; + UINT32 SignatureListSize; + UINT32 SignatureHeaderSize; // constant 0 + UINT32 SignatureSize; + + // + // SignatureSize covers data below + // + EFI_GUID SignatureOwner; + + // + // X.509 certificate follows + // +} REPEATING_HEADER; +#pragma pack() + +/** + Enroll a set of certificates in a global variable, overwriting it. + + The variable will be rewritten with NV+BS+RT+AT attributes. + + @param[in] VariableName The name of the variable to overwrite. + + @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable= to + overwrite. + + @param[in] CertType The GUID determining the type of all the + certificates in the set that is passed in. For + example, gEfiCertX509Guid stands for DER-encoded + X.509 certificates, while gEfiCertSha256Guid st= ands + for SHA256 image hashes. + + @param[in] ... A list of + + IN CONST UINT8 *Cert, + IN UINTN CertSize, + IN CONST EFI_GUID *OwnerGuid + + triplets. If the first component of a triplet is + NULL, then the other two components are not + accessed, and processing is terminated. The lis= t of + certificates is enrolled in the variable specif= ied, + overwriting it. The OwnerGuid component identif= ies + the agent installing the certificate. + + @retval EFI_INVALID_PARAMETER The triplet list is empty (ie. the first = Cert + value is NULL), or one of the CertSize va= lues + is 0, or one of the CertSize values would + overflow the accumulated UINT32 data size. + + @retval EFI_OUT_OF_RESOURCES Out of memory while formatting variable + payload. + + @retval EFI_SUCCESS Enrollment successful; the variable has b= een + overwritten (or created). + + @return Error codes from gRT->GetTime() and + gRT->SetVariable(). +**/ +STATIC +EFI_STATUS +EFIAPI +EnrollListOfCerts ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid, + IN EFI_GUID *CertType, + ... + ) +{ + UINTN DataSize; + SINGLE_HEADER *SingleHeader; + REPEATING_HEADER *RepeatingHeader; + VA_LIST Marker; + CONST UINT8 *Cert; + EFI_STATUS Status; + UINT8 *Data; + UINT8 *Position; + + Status =3D EFI_SUCCESS; + + // + // compute total size first, for UINT32 range check, and allocation + // + DataSize =3D sizeof *SingleHeader; + VA_START (Marker, CertType); + for (Cert =3D VA_ARG (Marker, CONST UINT8 *); + Cert !=3D NULL; + Cert =3D VA_ARG (Marker, CONST UINT8 *)) { + UINTN CertSize; + + CertSize =3D VA_ARG (Marker, UINTN); + (VOID)VA_ARG (Marker, CONST EFI_GUID *); + + if (CertSize =3D=3D 0 || + CertSize > MAX_UINT32 - sizeof *RepeatingHeader || + DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) { + Status =3D EFI_INVALID_PARAMETER; + break; + } + DataSize +=3D sizeof *RepeatingHeader + CertSize; + } + VA_END (Marker); + + if (DataSize =3D=3D sizeof *SingleHeader) { + Status =3D EFI_INVALID_PARAMETER; + } + if (EFI_ERROR (Status)) { + goto Out; + } + + Data =3D AllocatePool (DataSize); + if (Data =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto Out; + } + + Position =3D Data; + + SingleHeader =3D (SINGLE_HEADER *)Position; + Status =3D gRT->GetTime (&SingleHeader->TimeStamp, NULL); + if (EFI_ERROR (Status)) { + goto FreeData; + } + SingleHeader->TimeStamp.Pad1 =3D 0; + SingleHeader->TimeStamp.Nanosecond =3D 0; + SingleHeader->TimeStamp.TimeZone =3D 0; + SingleHeader->TimeStamp.Daylight =3D 0; + SingleHeader->TimeStamp.Pad2 =3D 0; +#if 0 + SingleHeader->dwLength =3D DataSize - sizeof SingleHeader->TimeS= tamp; +#else + // + // This looks like a bug in edk2. According to the UEFI specification, + // dwLength is "The length of the entire certificate, including the leng= th of + // the header, in bytes". That shouldn't stop right after CertType -- it + // should include everything below it. + // + SingleHeader->dwLength =3D sizeof *SingleHeader + - sizeof SingleHeader->TimeStamp; +#endif + SingleHeader->wRevision =3D 0x0200; + SingleHeader->wCertificateType =3D WIN_CERT_TYPE_EFI_GUID; + CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid); + Position +=3D sizeof *SingleHeader; + + VA_START (Marker, CertType); + for (Cert =3D VA_ARG (Marker, CONST UINT8 *); + Cert !=3D NULL; + Cert =3D VA_ARG (Marker, CONST UINT8 *)) { + UINTN CertSize; + CONST EFI_GUID *OwnerGuid; + + CertSize =3D VA_ARG (Marker, UINTN); + OwnerGuid =3D VA_ARG (Marker, CONST EFI_GUID *); + + RepeatingHeader =3D (REPEATING_HEADER *)Position; + CopyGuid (&RepeatingHeader->SignatureType, CertType); + RepeatingHeader->SignatureListSize =3D + (UINT32)(sizeof *RepeatingHeader + CertSize); + RepeatingHeader->SignatureHeaderSize =3D 0; + RepeatingHeader->SignatureSize =3D + (UINT32)(sizeof RepeatingHeader->SignatureOwner + CertSize); + CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid); + Position +=3D sizeof *RepeatingHeader; + + CopyMem (Position, Cert, CertSize); + Position +=3D CertSize; + } + VA_END (Marker); + + ASSERT (Data + DataSize =3D=3D Position); + + Status =3D gRT->SetVariable (VariableName, VendorGuid, + (EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), + DataSize, Data); + +FreeData: + FreePool (Data); + +Out: + if (EFI_ERROR (Status)) { + AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName, + VendorGuid, Status); + } + return Status; +} + + +STATIC +EFI_STATUS +EFIAPI +GetExact ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid, + OUT VOID *Data, + IN UINTN DataSize, + IN BOOLEAN AllowMissing + ) +{ + UINTN Size; + EFI_STATUS Status; + + Size =3D DataSize; + Status =3D gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data= ); + if (EFI_ERROR (Status)) { + if (Status =3D=3D EFI_NOT_FOUND && AllowMissing) { + ZeroMem (Data, DataSize); + return EFI_SUCCESS; + } + + AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName, + VendorGuid, Status); + return Status; + } + + if (Size !=3D DataSize) { + AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, " + "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)S= ize); + return EFI_PROTOCOL_ERROR; + } + + return EFI_SUCCESS; +} + +typedef struct { + UINT8 SetupMode; + UINT8 SecureBoot; + UINT8 SecureBootEnable; + UINT8 CustomMode; + UINT8 VendorKeys; +} SETTINGS; + +STATIC +EFI_STATUS +EFIAPI +GetSettings ( + OUT SETTINGS *Settings + ) +{ + EFI_STATUS Status; + + Status =3D GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, + &Settings->SetupMode, sizeof Settings->SetupMode, FALSE); + if (EFI_ERROR (Status)) { + return Status; + } + + Status =3D GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, + &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE); + if (EFI_ERROR (Status)) { + return Status; + } + + Status =3D GetExact (EFI_SECURE_BOOT_ENABLE_NAME, + &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable, + sizeof Settings->SecureBootEnable, TRUE); + if (EFI_ERROR (Status)) { + return Status; + } + + Status =3D GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, + &Settings->CustomMode, sizeof Settings->CustomMode, FALSE); + if (EFI_ERROR (Status)) { + return Status; + } + + Status =3D GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableG= uid, + &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE); + return Status; +} + +STATIC +VOID +EFIAPI +PrintSettings ( + IN CONST SETTINGS *Settings + ) +{ + AsciiPrint ("info: SetupMode=3D%d SecureBoot=3D%d SecureBootEnable=3D%d " + "CustomMode=3D%d VendorKeys=3D%d\n", Settings->SetupMode, Settings->Se= cureBoot, + Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys= ); +} + + +INTN +EFIAPI +ShellAppMain ( + IN UINTN Argc, + IN CHAR16 **Argv + ) +{ + EFI_STATUS Status; + SETTINGS Settings; + + Status =3D GetSettings (&Settings); + if (EFI_ERROR (Status)) { + return 1; + } + PrintSettings (&Settings); + + if (Settings.SetupMode !=3D 1) { + AsciiPrint ("error: already in User Mode\n"); + return 1; + } + + if (Settings.CustomMode !=3D CUSTOM_SECURE_BOOT_MODE) { + Settings.CustomMode =3D CUSTOM_SECURE_BOOT_MODE; + Status =3D gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnab= leGuid, + (EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS), + sizeof Settings.CustomMode, &Settings.CustomMode); + if (EFI_ERROR (Status)) { + AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_= NAME, + &gEfiCustomModeEnableGuid, Status); + return 1; + } + } + + Status =3D EnrollListOfCerts ( + EFI_IMAGE_SECURITY_DATABASE, + &gEfiImageSecurityDatabaseGuid, + &gEfiCertX509Guid, + MicrosoftPCA, sizeof MicrosoftPCA, &mMicrosoftOwnerGuid, + MicrosoftUefiCA, sizeof MicrosoftUefiCA, &mMicrosoftOwnerGuid, + NULL); + if (EFI_ERROR (Status)) { + return 1; + } + + Status =3D EnrollListOfCerts ( + EFI_IMAGE_SECURITY_DATABASE1, + &gEfiImageSecurityDatabaseGuid, + &gEfiCertSha256Guid, + mSha256OfDevNull, sizeof mSha256OfDevNull, &gEfiCallerIdGuid, + NULL); + if (EFI_ERROR (Status)) { + return 1; + } + + Status =3D EnrollListOfCerts ( + EFI_KEY_EXCHANGE_KEY_NAME, + &gEfiGlobalVariableGuid, + &gEfiCertX509Guid, + RedHatPkKek1, sizeof RedHatPkKek1, &gEfiCallerIdGuid, + MicrosoftKEK, sizeof MicrosoftKEK, &mMicrosoftOwnerGuid, + NULL); + if (EFI_ERROR (Status)) { + return 1; + } + + Status =3D EnrollListOfCerts ( + EFI_PLATFORM_KEY_NAME, + &gEfiGlobalVariableGuid, + &gEfiCertX509Guid, + RedHatPkKek1, sizeof RedHatPkKek1, &gEfiGlobalVariableGuid, + NULL); + if (EFI_ERROR (Status)) { + return 1; + } + + Settings.CustomMode =3D STANDARD_SECURE_BOOT_MODE; + Status =3D gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnable= Guid, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACC= ESS, + sizeof Settings.CustomMode, &Settings.CustomMode); + if (EFI_ERROR (Status)) { + AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NA= ME, + &gEfiCustomModeEnableGuid, Status); + return 1; + } + + Status =3D GetSettings (&Settings); + if (EFI_ERROR (Status)) { + return 1; + } + PrintSettings (&Settings); + + if (Settings.SetupMode !=3D 0 || Settings.SecureBoot !=3D 1 || + Settings.SecureBootEnable !=3D 1 || Settings.CustomMode !=3D 0 || + Settings.VendorKeys !=3D 0) { + AsciiPrint ("error: unexpected\n"); + return 1; + } + + AsciiPrint ("info: success\n"); + return 0; +} --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39676): https://edk2.groups.io/g/devel/message/39676 Mute This Topic: https://groups.io/mt/31359370/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 12 14:48:54 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+39677+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39677+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556326425; cv=none; d=zoho.com; s=zohoarc; b=cXvzR8LzRDMfAChl9cjC6mCCrQmLUr5inzFLvipQrMt6ofGO3GcO1bUjULJI3QrOqxyd/QBpwpxNtH3YUyC7Bi7pU+xGimYeykfoCfXws+pW2PPHpNRCILNsTe6Gc/9M/4EinpHxiAz686TQXHBkphc6q2wPT+h2bJoA/GWF8IM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556326425; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=BEAUY00wtm6g+PQAzZRgMa0r3XhEYhCa6mSLSrYoZUM=; b=iyHhsPce2vAxaR5M2IaLjMo+ZvbH6u/lTMmGAy892xIiZSBJzHY9k01FhpqjSu1yhGqU4epFZ/X0k0hkoORTWuQXkOfVgEfqUyylYdLT4C1E8oLa3hmwlzROfSltgdTMfRzSMDFQPBKpYRrXeO+epkwukftvuEm3TmAua/cpXNw= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39677+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1556326425514925.2390181196174; Fri, 26 Apr 2019 17:53:45 -0700 (PDT) Return-Path: X-Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:53:44 -0700 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3369730BEF16; Sat, 27 Apr 2019 00:53:44 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id 087635D70A; Sat, 27 Apr 2019 00:53:41 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Anthony Perard , Ard Biesheuvel , Jordan Justen , Julien Grall Subject: [edk2-devel] [PATCH 02/16] OvmfPkg/EnrollDefaultKeys: update @file comment blocks Date: Sat, 27 Apr 2019 02:53:14 +0200 Message-Id: <20190427005328.27005-3-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.46]); Sat, 27 Apr 2019 00:53:44 +0000 (UTC) Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1556326425; bh=gDUgBUmINkrERGH+OiDX2YGl346pMLOjOn4UrEuOT5g=; h=Cc:Date:From:Reply-To:Subject:To; b=CHnuQihb10bXc6+cekmS3wUORLviSxEneFkFm2VQ4Lj48DBGT49JiFIeA0b4Ls1XPV9 X90/PIAvMPSH1U/HBO+sWZJ5MdXvgID3b9Te80pKTCNq99eLttgEQC5qfoEAi7V65ehfd 6eguWEcsvQWfo7NTLuE0ECUa4bBakSFNUcY= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" Refresh the sentence that states the purpose of the application. Extend the copyright notice to the year 2019. Replace the 2-clause BSD License banner with the BSD-2-Clause-Patent SPDX ID. Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 Signed-off-by: Laszlo Ersek Acked-by: Ard Biesheuvel Reviewed-by: Philippe Mathieu-Daude --- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 13 +++---------- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 12 +++--------- 2 files changed, 6 insertions(+), 19 deletions(-) diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/Enro= llDefaultKeys/EnrollDefaultKeys.inf index 0ad86a2843e6..1e579f495143 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf @@ -1,21 +1,14 @@ ## @file -# Enroll default PK, KEK, DB. +# Enroll default PK, KEK, db, dbx. # -# Copyright (C) 2014, Red Hat, Inc. +# Copyright (C) 2014-2019, Red Hat, Inc. # -# This program and the accompanying materials are licensed and made avail= able -# under the terms and conditions of the BSD License which accompanies this -# distribution. The full text of the license may be found at -# http://opensource.org/licenses/bsd-license. -# -# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR -# IMPLIED. +# SPDX-License-Identifier: BSD-2-Clause-Patent ## =20 [Defines] INF_VERSION =3D 0x00010006 BASE_NAME =3D EnrollDefaultKeys FILE_GUID =3D D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A MODULE_TYPE =3D UEFI_APPLICATION VERSION_STRING =3D 0.1 diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/Enroll= DefaultKeys/EnrollDefaultKeys.c index dd413df12de3..b354ec6f81c8 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -1,20 +1,14 @@ /** @file - Enroll default PK, KEK, DB. + Enroll default PK, KEK, db, dbx. =20 - Copyright (C) 2014, Red Hat, Inc. + Copyright (C) 2014-2019, Red Hat, Inc. =20 - This program and the accompanying materials are licensed and made availa= ble - under the terms and conditions of the BSD License which accompanies this - distribution. The full text of the license may be found at - http://opensource.org/licenses/bsd-license. - - THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WI= THOUT - WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include // gEfiCustomModeEnableGu= id #include // EFI_SETUP_MODE_NAME #include // EFI_IMAGE_SECURITY_DAT= ABASE #include // CopyGuid() #include // ASSERT() #include // FreePool() #include // ShellAppMain() --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39677): https://edk2.groups.io/g/devel/message/39677 Mute This Topic: https://groups.io/mt/31359371/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 12 14:48:54 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+39678+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39678+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556326427; cv=none; d=zoho.com; s=zohoarc; b=EYCmf538O7l4raRLygFGwiEnv1KG4wpjZskludO8/0Lj+Og9ZXWC72wrNBzAnNzyBK9iNhAqWLwtCTUd4IqlTWs7zfKCWC+SC5UXCAjcX1E2nbh2+1cvqcT9Ffg4sA1fvWSs4KIFbV1ZKWulUeHLr+X1ifVFMzvUY8ZDkTz+t/s= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556326427; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=RhClp4JyKj1XgxfqI5r6tOvnHrpQARZxVH3Lqu1QIxQ=; b=asxxYMjUmsXS4UCLr2uzWK0fqmSp/Wg6oPY4REHRu00/HdeS3Qgm6F1LoqhDdtjdD7r+SYZsqTbcVmv3QGMFxCTBhDIy+mZNAlDJwt+W7lprFWNhPU/NGbsS1Hpiv+2Ejsm7zsVRAF3mC9Lcobq+s+oI+yH2NBypft/tmepwRbg= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39678+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1556326427948963.6709944175121; Fri, 26 Apr 2019 17:53:47 -0700 (PDT) Return-Path: X-Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:53:47 -0700 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id D4BB914419C; Sat, 27 Apr 2019 00:53:46 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id C246E5D70A; Sat, 27 Apr 2019 00:53:44 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Anthony Perard , Ard Biesheuvel , Jordan Justen , Julien Grall Subject: [edk2-devel] [PATCH 03/16] OvmfPkg/EnrollDefaultKeys: refresh INF file Date: Sat, 27 Apr 2019 02:53:15 +0200 Message-Id: <20190427005328.27005-4-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Sat, 27 Apr 2019 00:53:46 +0000 (UTC) Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1556326427; bh=FXt8EwauphVpX5PDU/qZSyqOLe/NOBfAwGXyY4mwzII=; h=Cc:Date:From:Reply-To:Subject:To; b=Q965vjwloEOSWO9DQoSVHUA8G/3xz9cRoX5RjIfK5QuQ7MxaolxkUF3AtDjHG9wnyca nhjO35aECV4Z5MUi4ciAAqw8TweO7edXJyDNuZpho1Fc3CLcn7wHQRpCjPDNudyLpHx9L jd1OrUPAbKnZcYjKwxkHql8mjMS0awJyf6E= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" Bump INF_VERSION to the latest edk2 INF specification. Regenerate FILE_GUID to distinguish this application from downstream-only versions. Remove the VALID_ARCHITECTURES comment as there is nothing ISA or platform specific in the application. Ensure all sections apart from [Defines] are alphabetically sorted. Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 Signed-off-by: Laszlo Ersek Acked-by: Ard Biesheuvel Reviewed-by: Philippe Mathieu-Daude --- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/Enro= llDefaultKeys/EnrollDefaultKeys.inf index 1e579f495143..3a215df50863 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf @@ -2,33 +2,29 @@ # Enroll default PK, KEK, db, dbx. # # Copyright (C) 2014-2019, Red Hat, Inc. # # SPDX-License-Identifier: BSD-2-Clause-Patent ## =20 [Defines] - INF_VERSION =3D 0x00010006 + INF_VERSION =3D 1.28 BASE_NAME =3D EnrollDefaultKeys - FILE_GUID =3D D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A + FILE_GUID =3D A0BAA8A3-041D-48A8-BC87-C36D121B5E3D MODULE_TYPE =3D UEFI_APPLICATION VERSION_STRING =3D 0.1 ENTRY_POINT =3D ShellCEntryLib =20 -# -# VALID_ARCHITECTURES =3D IA32 X64 -# - [Sources] EnrollDefaultKeys.c =20 [Packages] - MdePkg/MdePkg.dec MdeModulePkg/MdeModulePkg.dec + MdePkg/MdePkg.dec SecurityPkg/SecurityPkg.dec ShellPkg/ShellPkg.dec =20 [Guids] gEfiCertPkcs7Guid gEfiCertSha256Guid gEfiCertX509Guid gEfiCustomModeEnableGuid --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39678): https://edk2.groups.io/g/devel/message/39678 Mute This Topic: https://groups.io/mt/31359373/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 12 14:48:54 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+39679+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39679+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556326429; cv=none; d=zoho.com; s=zohoarc; b=KbcaaOrKQl+UFw9Sb1ZXaqzqlutS6G43oeJ2R7aAjSTdaK01RzWInSAsIXmG3H5cCcG65bVmeH0uwJglwHLBS29tykzrrAwP6c/NxlqiYjqUBxrDtbP7WGW7mZ/0+pwcn9qs0MB9jQ2+UWou0nRImjclb8nzx+8piQ9c0aLH3kw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556326429; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=+T+hP7tU6V4/Owlbye7T6Q7PerDAPETRxKGJS1qJG4g=; b=B90HCcB97ZaYvRP5Misss7VxzvD0mkofbeJuJIfq+9S8S6E5HctcKyMXk4l2rlYclxzulkaJGAOA9jzYDsI4e1ctjwQ15/+koTLTMrV6ZP3FMSsJC2VUjUoFBCQwilYqv3OBAU8ib49c11tlg1ihTG1XhDeszMCq4E/VzC+UP6M= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39679+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1556326429641819.8277237463838; Fri, 26 Apr 2019 17:53:49 -0700 (PDT) Return-Path: X-Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:53:48 -0700 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 9585B30BC101; Sat, 27 Apr 2019 00:53:48 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5739F5D70A; Sat, 27 Apr 2019 00:53:47 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Ard Biesheuvel Subject: [edk2-devel] [PATCH 04/16] ArmVirtPkg: build EnrollDefaultKeys.efi Date: Sat, 27 Apr 2019 02:53:16 +0200 Message-Id: <20190427005328.27005-5-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.42]); Sat, 27 Apr 2019 00:53:48 +0000 (UTC) Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1556326429; bh=IXu4xINdjz8Fpi4FOVDh2Gxswvpy3BtsgdX/91OjOuo=; h=Cc:Date:From:Reply-To:Subject:To; b=NByMLx1N3zr+36+xCKjdhu54aYDeWHUtcpUGxpvFxkomTOUBVp8DuaZpEUTTjGCOdLD 8KvxBxYt7xXYzq7LrFrWIgvy9EyLKBx56P7DCOwcUbjHsyqkbXXZWNjKju4MdJE4uwwk4 y3OwigecoQidQDRUx0cXYp577DXV+UzuHH4= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" Having removed VALID_ARCHITECTURES from "OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf", it now makes sense to reflect the related platform DSC bits from OvmfPkg to ArmVirtPkg. Build "EnrollDefaultKeys.efi" as part of ArmVirtQemu and ArmVirtQemuKernel (which are the ArmVirtPkg platforms that include SecureBootConfigDxe too). Cc: Ard Biesheuvel Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 Signed-off-by: Laszlo Ersek Acked-by: Ard Biesheuvel Reviewed-by: Philippe Mathieu-Daude --- ArmVirtPkg/ArmVirt.dsc.inc | 1 + ArmVirtPkg/ArmVirtQemu.dsc | 1 + ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 + 3 files changed, 3 insertions(+) diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc index 82335541f964..1848d20531ab 100644 --- a/ArmVirtPkg/ArmVirt.dsc.inc +++ b/ArmVirtPkg/ArmVirt.dsc.inc @@ -46,16 +46,17 @@ [LibraryClasses.common] DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableL= ib.inf DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntry= Point.inf UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiA= pplicationEntryPoint.inf HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf UefiHiiServicesLib|MdeModulePkg/Library/UefiHiiServicesLib/UefiHiiServic= esLib.inf SortLib|MdeModulePkg/Library/UefiSortLib/UefiSortLib.inf ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf + ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf =20 UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib= /BaseOrderedCollectionRedBlackTreeLib.inf =20 # # Ramdisk Requirements # diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc index d6ba3b6ae397..28c8fd551344 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc @@ -270,16 +270,17 @@ [Components.common] BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf } !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= nLib.inf } SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf !else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf !endif MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntim= eDxe.inf MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf { diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKerne= l.dsc index 129780548e4a..2a83c7469424 100644 --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc @@ -254,16 +254,17 @@ [Components.common] BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf } !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= nLib.inf } SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf !else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf !endif MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntim= eDxe.inf MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf EmbeddedPkg/RealTimeClockRuntimeDxe/RealTimeClockRuntimeDxe.inf { --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39679): https://edk2.groups.io/g/devel/message/39679 Mute This Topic: https://groups.io/mt/31359374/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 12 14:48:54 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+39680+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39680+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556326432; cv=none; d=zoho.com; s=zohoarc; b=lJJGmtR0cEtCR5Sk6iNpsoL5sbYHxndqI8axLo2INmyZJm9rqqijftufg3OT7pFfr5X0AL4h4f8oaAnryeLWxJoSLSnmsfdpLT1jYvZbqP1DkMj6cmiGixmgtjnbEsybx2QvSPtm9HOUwG5cRdLMjw8zNQSG6sveMi9hAccSJBc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556326432; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=/mey7vZsJiXe8H8ZSp49dhquQ2miFeSrvL9SIBawLJw=; b=aaD0GWk6fU6myIa5Lxg31fvu7MOjPcqblOEaupvSE93jyiVLxsWfnExwIo8T8qPn8vaGC5OaRyL/C0HhTHgzbw4XyKW1ORhOWeOjhO+e18QdNEpxCPvi9yqzV910yYtClSw4sVu+6BtVw4f6AAzHkipxaRkPjHChH3A1E1Bz/lw= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39680+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1556326432827246.91863694613835; Fri, 26 Apr 2019 17:53:52 -0700 (PDT) Return-Path: X-Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:53:51 -0700 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 5C7112FE543; Sat, 27 Apr 2019 00:53:51 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id 310815D70A; Sat, 27 Apr 2019 00:53:48 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Anthony Perard , Ard Biesheuvel , Jordan Justen , Julien Grall Subject: [edk2-devel] [PATCH 05/16] OvmfPkg/EnrollDefaultKeys: clean up minor whitespace wart Date: Sat, 27 Apr 2019 02:53:17 +0200 Message-Id: <20190427005328.27005-6-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Sat, 27 Apr 2019 00:53:51 +0000 (UTC) Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1556326432; bh=7uqsQkT/VyxYQlTYaDnAuShgxvOtRxWRNX9TLUcHwRQ=; h=Cc:Date:From:Reply-To:Subject:To; b=LIOP7yM4l7d0LM7nSIIhXlxfzzI9pJc4Zl9zSp5maWzCBwOh6XVbx9bHTGpkRrP0KJx 3KBAmv1U3zrMfZYXg8smzORPZSbxBEOpd/ib6WY4AvjYUSNJudkCL/mRvG/BjbKukobQQ CsBay9gswic2rTvqcvBCukLR/es/Bb1LPmQ= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" In edk2, we should spell "#pragma pack(...)" with a space character in front of the opening parenthesis. Fix up locations that suggest otherwise. Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 Signed-off-by: Laszlo Ersek Acked-by: Ard Biesheuvel Reviewed-by: Philippe Mathieu-Daude --- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/Enroll= DefaultKeys/EnrollDefaultKeys.c index b354ec6f81c8..aa827ac6aa81 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -596,17 +596,17 @@ STATIC CONST EFI_GUID mMicrosoftOwnerGuid =3D { // }; | // // Given that the "struct hack" invokes undefined behavior (which is why C= 99 // introduced the flexible array member), and because subtracting those pe= sky // sizes of 1 is annoying, and because the format is fully specified in the // UEFI specification, we'll introduce two matching convenience structures= that // are customized for our X.509 purposes. // -#pragma pack(1) +#pragma pack (1) typedef struct { EFI_TIME TimeStamp; =20 // // dwLength covers data below // UINT32 dwLength; UINT16 wRevision; @@ -627,17 +627,17 @@ typedef struct { // SignatureSize covers data below // EFI_GUID SignatureOwner; =20 // // X.509 certificate follows // } REPEATING_HEADER; -#pragma pack() +#pragma pack () =20 /** Enroll a set of certificates in a global variable, overwriting it. =20 The variable will be rewritten with NV+BS+RT+AT attributes. =20 @param[in] VariableName The name of the variable to overwrite. =20 --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39680): https://edk2.groups.io/g/devel/message/39680 Mute This Topic: https://groups.io/mt/31359375/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 12 14:48:54 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+39681+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39681+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556326435; cv=none; d=zoho.com; s=zohoarc; b=OUbmqTGb6Q4wj+q/jnoY+7xXpmCWT4fU9foZPu4DK6KFJcOyQu8JLp8qs/YRhU+3TFtTT95Bymew3w/YmgNuYt+gqnXsxQLSmZc4Kt6uzqeJo6N0R7uk7yZ99tC2Eiro0NpgNMvVqUrWmoj6pRInBOD1TE7GG7/nAENQ5Em9tvs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556326435; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=Il3PsFzgFUxxxInKybT8Y/qNSCstvygiymHYOA6sSTY=; b=LvJHI/RoL5Lxu38bevgnXSeuu29Crtsrbo9qaw5Li/0dvcm6+Cbx1gs/WNx2UDEKP0VGiPB10gI7nlAoflPTQ8Jrr2G5CHXAFyeW7oQ0feamKINlZoxvj5Or3YzD1qEaJOjY7dXwdxonVVgAZcsnJTbAl+E5EGF/+l8c9+FFCeQ= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39681+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1556326435402359.07669301387136; Fri, 26 Apr 2019 17:53:55 -0700 (PDT) Return-Path: X-Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:53:54 -0700 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 242B0C04959E; Sat, 27 Apr 2019 00:53:54 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id EB5AA5D71A; Sat, 27 Apr 2019 00:53:51 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Anthony Perard , Ard Biesheuvel , Jordan Justen , Julien Grall Subject: [edk2-devel] [PATCH 06/16] OvmfPkg/EnrollDefaultKeys: clean up global variable name prefixes Date: Sat, 27 Apr 2019 02:53:18 +0200 Message-Id: <20190427005328.27005-7-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Sat, 27 Apr 2019 00:53:54 +0000 (UTC) Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1556326435; bh=7KldZpGZIVdZ9dmsYFdveW+dGo2RhfXvTlio7e0QN3U=; h=Cc:Date:From:Reply-To:Subject:To; b=RGSQ1q+V7mxTqdxUQUSpAhntAmWENP84UCXaYSk57TWJKJg8zRx99xDLxieqxPzVcvo agkGbhLiH3szvQGBgY1LvTOCaOoyELV2cBUdAJB4V2gBrQ0CrIZ5TdtAK8MbPt8IAPiBh x6JYRLGf8VhbFRogGdZN90/FPeFG2Opd5m4= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" In edk2, we should start the names of module-global variables with "m". Rename the "RedHatPkKek1", "MicrosoftKEK", "MicrosoftPCA", "MicrosoftUefiCA" variables accordingly, with the following command: sed --regexp-extended --in-place \ --expression=3D's,\<(RedHatPkKek1|Microsoft(KEK|PCA|UefiCA))\>,m\1,g' \ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 Signed-off-by: Laszlo Ersek Acked-by: Ard Biesheuvel Reviewed-by: Philippe Mathieu-Daude --- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/Enroll= DefaultKeys/EnrollDefaultKeys.c index aa827ac6aa81..fb30f4906df7 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -17,17 +17,17 @@ =20 // // We'll use the certificate below as both Platform Key and as first Key // Exchange Key. // // "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=3Dsecalert@redhat.com" // SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97 // -STATIC CONST UINT8 RedHatPkKek1[] =3D { +STATIC CONST UINT8 mRedHatPkKek1[] =3D { 0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, = 0x02, 0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, = 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, = 0x00, 0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, = 0x22, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, = 0x72, 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, = 0x45, 0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, = 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, = 0x73, @@ -98,17 +98,17 @@ STATIC CONST UINT8 RedHatPkKek1[] =3D { }; =20 // // Second KEK: "Microsoft Corporation KEK CA 2011". // SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30 // // "dbx" updates in "dbxtool" are signed with a key derived from this KEK. // -STATIC CONST UINT8 MicrosoftKEK[] =3D { +STATIC CONST UINT8 mMicrosoftKEK[] =3D { 0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, = 0x02, 0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, = 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, = 0x05, 0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, = 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, = 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, = 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, = 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, = 0x0a, @@ -225,17 +225,17 @@ STATIC CONST UINT8 MicrosoftKEK[] =3D { =20 // // First DB entry: "Microsoft Windows Production PCA 2011" // SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d // // Windows 8 and Windows Server 2012 R2 boot loaders are signed with a cha= in // rooted in this certificate. // -STATIC CONST UINT8 MicrosoftPCA[] =3D { +STATIC CONST UINT8 mMicrosoftPCA[] =3D { 0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, = 0x02, 0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, = 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, = 0x05, 0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, = 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, = 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, = 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, = 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, = 0x0a, @@ -350,17 +350,17 @@ STATIC CONST UINT8 MicrosoftPCA[] =3D { }; =20 // // Second DB entry: "Microsoft Corporation UEFI CA 2011" // SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3 // // To verify the "shim" binary and PCI expansion ROMs with. // -STATIC CONST UINT8 MicrosoftUefiCA[] =3D { +STATIC CONST UINT8 mMicrosoftUefiCA[] =3D { 0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, = 0x02, 0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, = 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, = 0x05, 0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, = 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, = 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, = 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, = 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, = 0x0a, @@ -938,18 +938,18 @@ ShellAppMain ( return 1; } } =20 Status =3D EnrollListOfCerts ( EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, &gEfiCertX509Guid, - MicrosoftPCA, sizeof MicrosoftPCA, &mMicrosoftOwnerGuid, - MicrosoftUefiCA, sizeof MicrosoftUefiCA, &mMicrosoftOwnerGuid, + mMicrosoftPCA, sizeof mMicrosoftPCA, &mMicrosoftOwnerGu= id, + mMicrosoftUefiCA, sizeof mMicrosoftUefiCA, &mMicrosoftOwnerGu= id, NULL); if (EFI_ERROR (Status)) { return 1; } =20 Status =3D EnrollListOfCerts ( EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, @@ -959,28 +959,28 @@ ShellAppMain ( if (EFI_ERROR (Status)) { return 1; } =20 Status =3D EnrollListOfCerts ( EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid, &gEfiCertX509Guid, - RedHatPkKek1, sizeof RedHatPkKek1, &gEfiCallerIdGuid, - MicrosoftKEK, sizeof MicrosoftKEK, &mMicrosoftOwnerGuid, + mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiCallerIdGuid, + mMicrosoftKEK, sizeof mMicrosoftKEK, &mMicrosoftOwnerGuid, NULL); if (EFI_ERROR (Status)) { return 1; } =20 Status =3D EnrollListOfCerts ( EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, &gEfiCertX509Guid, - RedHatPkKek1, sizeof RedHatPkKek1, &gEfiGlobalVariableGuid, + mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiGlobalVariableGuid, NULL); if (EFI_ERROR (Status)) { return 1; } =20 Settings.CustomMode =3D STANDARD_SECURE_BOOT_MODE; Status =3D gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnable= Guid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACC= ESS, --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39681): https://edk2.groups.io/g/devel/message/39681 Mute This Topic: https://groups.io/mt/31359376/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 12 14:48:54 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+39682+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39682+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556326437; cv=none; d=zoho.com; s=zohoarc; b=J6IQQ89WYxGV4mVrvwNpwNn6uCdVOov5kn48HDzrg+g2e/VJQUIJfK2dAkiZ6M1GqjgObI17dKdNZ5Q3PUMO8eQRK8mirEPOHc6xp151f1mnHkf6aqizs8kGaWzz490z/jLAfPFJWBts8rt3WRMKRyZVplS1ON0VAT9nZXqrisk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556326437; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=NapBcSjl1QTTutiqcY6SaTZkrfEAv+FdipOPDCnwlg8=; b=Hh3viBWZO3Vm6aOPpItL2L5y3TrqeOQEqjCqI7UBibn+QAJmoSDGhPUDuSnv6xjKhHbpEGQqKzRFuf55zsDGnH37r6O1CvUTuzhlm221vrwli28Z4ITmgoA23zPotILbGSUruJBc2G0zUneitCgGI83SE/KkPfqT855JCdHX00U= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39682+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1556326437969730.720008932623; Fri, 26 Apr 2019 17:53:57 -0700 (PDT) Return-Path: X-Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:53:57 -0700 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DFFAE3172D91; Sat, 27 Apr 2019 00:53:56 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id B27995D70A; Sat, 27 Apr 2019 00:53:54 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Anthony Perard , Ard Biesheuvel , Jordan Justen , Julien Grall Subject: [edk2-devel] [PATCH 07/16] OvmfPkg/EnrollDefaultKeys: clean up acronym capitalization in identifiers Date: Sat, 27 Apr 2019 02:53:19 +0200 Message-Id: <20190427005328.27005-8-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.41]); Sat, 27 Apr 2019 00:53:56 +0000 (UTC) Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1556326437; bh=Oh9zrL6IZV8v3u0H6u17QYEy3hpwJQnkOGzgJhvI1lE=; h=Cc:Date:From:Reply-To:Subject:To; b=uVyRcmE7jZb1MmEnJQmSm6EKMVVh4jAmRFAxC1LTGTDDiaxBTK6NLCnJ+/bmMWryY5Y sHQTmh6hO4x0nZ4PwJCRBxy7ReXwC6lhnS/PWBZ982WvIa8FonGKNcdSsLO04N4/TxkHZ zZ4wZRfhQF+ZpHOqb6PjR3uGmFzgtePHvD0= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" According to the edk2 coding standards, "[w]hen all letters in an acronym are capitalized, it makes the prior and subsequent words visually difficult to distinguish". Fix the spellings of three acronyms, accordingly: - "KEK" (Key Exchange Key) should be written as "Kek", in "mMicrosoftKEK", - "CA" (Certificate Authority) should be written as "Ca", in "mMicrosoftUefiCA", - "PCA" (Production Certificate Authority) should be written as "Pca", in "mMicrosoftPCA". Generate the changes with: sed --regexp-extended --in-place \ --expression=3D's,\,mMicrosoftKek,g' \ --expression=3D's,\,mMicrosoftUefiCa,g' \ --expression=3D's,\,mMicrosoftPca,g' \ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 Signed-off-by: Laszlo Ersek Acked-by: Ard Biesheuvel Reviewed-by: Philippe Mathieu-Daude --- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/Enroll= DefaultKeys/EnrollDefaultKeys.c index fb30f4906df7..be0e4d8f8e96 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -98,17 +98,17 @@ STATIC CONST UINT8 mRedHatPkKek1[] =3D { }; =20 // // Second KEK: "Microsoft Corporation KEK CA 2011". // SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30 // // "dbx" updates in "dbxtool" are signed with a key derived from this KEK. // -STATIC CONST UINT8 mMicrosoftKEK[] =3D { +STATIC CONST UINT8 mMicrosoftKek[] =3D { 0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, = 0x02, 0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, = 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, = 0x05, 0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, = 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, = 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, = 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, = 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, = 0x0a, @@ -225,17 +225,17 @@ STATIC CONST UINT8 mMicrosoftKEK[] =3D { =20 // // First DB entry: "Microsoft Windows Production PCA 2011" // SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d // // Windows 8 and Windows Server 2012 R2 boot loaders are signed with a cha= in // rooted in this certificate. // -STATIC CONST UINT8 mMicrosoftPCA[] =3D { +STATIC CONST UINT8 mMicrosoftPca[] =3D { 0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, = 0x02, 0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, = 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, = 0x05, 0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, = 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, = 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, = 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, = 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, = 0x0a, @@ -350,17 +350,17 @@ STATIC CONST UINT8 mMicrosoftPCA[] =3D { }; =20 // // Second DB entry: "Microsoft Corporation UEFI CA 2011" // SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3 // // To verify the "shim" binary and PCI expansion ROMs with. // -STATIC CONST UINT8 mMicrosoftUefiCA[] =3D { +STATIC CONST UINT8 mMicrosoftUefiCa[] =3D { 0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, = 0x02, 0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, = 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, = 0x05, 0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, = 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, = 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, = 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, = 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, = 0x0a, @@ -938,18 +938,18 @@ ShellAppMain ( return 1; } } =20 Status =3D EnrollListOfCerts ( EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, &gEfiCertX509Guid, - mMicrosoftPCA, sizeof mMicrosoftPCA, &mMicrosoftOwnerGu= id, - mMicrosoftUefiCA, sizeof mMicrosoftUefiCA, &mMicrosoftOwnerGu= id, + mMicrosoftPca, sizeof mMicrosoftPca, &mMicrosoftOwnerGu= id, + mMicrosoftUefiCa, sizeof mMicrosoftUefiCa, &mMicrosoftOwnerGu= id, NULL); if (EFI_ERROR (Status)) { return 1; } =20 Status =3D EnrollListOfCerts ( EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, @@ -960,17 +960,17 @@ ShellAppMain ( return 1; } =20 Status =3D EnrollListOfCerts ( EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid, &gEfiCertX509Guid, mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiCallerIdGuid, - mMicrosoftKEK, sizeof mMicrosoftKEK, &mMicrosoftOwnerGuid, + mMicrosoftKek, sizeof mMicrosoftKek, &mMicrosoftOwnerGuid, NULL); if (EFI_ERROR (Status)) { return 1; } =20 Status =3D EnrollListOfCerts ( EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39682): https://edk2.groups.io/g/devel/message/39682 Mute This Topic: https://groups.io/mt/31359377/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 12 14:48:54 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+39683+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39683+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556326440; cv=none; d=zoho.com; s=zohoarc; b=Umjlp9y9ht30HkMqTwzGLte42LUE3hib9G3E9c43L2H+eHNjTANxYzDFWSRWMy5yPsQCeR2O1l8b9nwmbAdoNhSLWS6Pq/p+pUAdwsJKlmbhJCVlMzYqpVKReBVJwXq3uHc2w8z/1cyScYzC+JLrjHMhkTnPBXoz7Fho7fCPHH0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556326440; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=w0o+cHcXpyrJSasbf7NUrvk8kJjtA+eYfg/8YSLhP+g=; b=mr6NChSGW90p/uCSedHsRlICRxEcShye84tFtZBbGvH04q0cN//wiZH0TRNTnvMxEUtxn+gR8nk6YguVsj+OUsAgT61EQD29ctAuMdnFR1DjK835JkINJ1XTopAQM8aPGyAjjlSV2zpEpqTQgB8mw13ialiX/JvmFDaauypM7FQ= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39683+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1556326440550284.61306242151727; Fri, 26 Apr 2019 17:54:00 -0700 (PDT) Return-Path: X-Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:53:59 -0700 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 88CB8307027C; Sat, 27 Apr 2019 00:53:59 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id 795F15D70A; Sat, 27 Apr 2019 00:53:57 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Anthony Perard , Ard Biesheuvel , Jordan Justen , Julien Grall Subject: [edk2-devel] [PATCH 08/16] OvmfPkg/EnrollDefaultKeys: remove unneeded EFIAPI call. conv. specifiers Date: Sat, 27 Apr 2019 02:53:20 +0200 Message-Id: <20190427005328.27005-9-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.44]); Sat, 27 Apr 2019 00:53:59 +0000 (UTC) Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1556326440; bh=wsVVvqkA+qAx6Jus0PfgQaYOt534zEX+Dz3A+U5RLK4=; h=Cc:Date:From:Reply-To:Subject:To; b=hi8FBZVQN7IP1iMW0ZCeZvkqskq70qasBZD+7yWrhrAiShuhv8xDMUygYA32ax7+wRH 7iuJ6doagWyAGOej0Xu43Oj7IGwMEfGiZuI0tO9bpC+io2Xq8Ow7Hw/7CAOVbXVSsfh5/ MLfevUKpQcBylhXQg1wf63ZS1s/4aVXPXio= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" The GetExact(), GetSettings(), PrintSettings() functions are only called from within "EnrollDefaultKeys.c", and none of them take variable arguments. Drop their EFIAPI calling convention specifiers. Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 Signed-off-by: Laszlo Ersek Acked-by: Ard Biesheuvel Reviewed-by: Philippe Mathieu-Daude --- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/Enroll= DefaultKeys/EnrollDefaultKeys.c index be0e4d8f8e96..671efef8d6ad 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -806,17 +806,16 @@ Out: VendorGuid, Status); } return Status; } =20 =20 STATIC EFI_STATUS -EFIAPI GetExact ( IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, OUT VOID *Data, IN UINTN DataSize, IN BOOLEAN AllowMissing ) { @@ -850,17 +849,16 @@ typedef struct { UINT8 SecureBoot; UINT8 SecureBootEnable; UINT8 CustomMode; UINT8 VendorKeys; } SETTINGS; =20 STATIC EFI_STATUS -EFIAPI GetSettings ( OUT SETTINGS *Settings ) { EFI_STATUS Status; =20 Status =3D GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, &Settings->SetupMode, sizeof Settings->SetupMode, FALSE); @@ -889,17 +887,16 @@ GetSettings ( =20 Status =3D GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableG= uid, &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE); return Status; } =20 STATIC VOID -EFIAPI PrintSettings ( IN CONST SETTINGS *Settings ) { AsciiPrint ("info: SetupMode=3D%d SecureBoot=3D%d SecureBootEnable=3D%d " "CustomMode=3D%d VendorKeys=3D%d\n", Settings->SetupMode, Settings->Se= cureBoot, Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys= ); } --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39683): https://edk2.groups.io/g/devel/message/39683 Mute This Topic: https://groups.io/mt/31359378/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 12 14:48:54 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+39684+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39684+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556326442; cv=none; d=zoho.com; s=zohoarc; b=Kkiuq/f4M77adVb9YPeu9YCJwQhiy3am/ZUCCuii50Wzi7l9F9Z56ztdyWaxUpuSbfZLwjX46tKWBxRoMFQ3ChM487OAdrZ3p0DEjylrSGZ08Zyij4t+nnO6obpM1LR1Nm6KCxBMCPC2gJ49aEZAMvYBCiK58oP1Mqu7W8gYY7Y= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556326442; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=pgY4MAfUlYiudOwuwAg8IAr04BKEwzWJ6h4oFpnz1Aw=; b=QjPHc0yfoJ8sdILtT4gxzBr/6KOHfUL4D8m2i118ZXta1UCJsri3XIaT9+zDEZdTXj6JCYS5o99lo54v21uX41mqll0zwuxyaV/gNAhAiB4VFxB7ly6Uxk6WaczarkQbDRg+CivVDhgnJWrXIZxlJDDPiblhUQpz41juf/QgL/k= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39684+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1556326442815706.9869652281022; Fri, 26 Apr 2019 17:54:02 -0700 (PDT) Return-Path: X-Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:54:02 -0700 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id B4776E952C; Sat, 27 Apr 2019 00:54:01 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id 0DC6F5D70A; Sat, 27 Apr 2019 00:53:59 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Anthony Perard , Ard Biesheuvel , Jordan Justen , Julien Grall Subject: [edk2-devel] [PATCH 09/16] OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file Date: Sat, 27 Apr 2019 02:53:21 +0200 Message-Id: <20190427005328.27005-10-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Sat, 27 Apr 2019 00:54:01 +0000 (UTC) Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1556326442; bh=170j+i00/FFgrUCNL8NQ0HhSSCwv/cR4/P1AaYWVHQ0=; h=Cc:Date:From:Reply-To:Subject:To; b=E/+h/ohlFWEAoFDpNXg8w1EZ4+vEqXD3oYUIgWRLifNdkHiQkQE8rvY32hL9v/mqWXb dV1IEPdWz96HETNoJ4gd81np613cZUfRwhf6VQqV91QP3d/rpKNIPb0LGwTIh+p13g8TR ZAOEeh6qG5MAvUAxrM/PsS6fTWZOvCEHY4Q= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" "EnrollDefaultKeys.c" defines three structure types: SINGLE_HEADER, REPEATING_HEADER, and SETTINGS. The definitions are scattered over the C file, and lack high-level summary comments. Extract the structures to "EnrollDefaultKeys.h", and add the missing comments. Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 Signed-off-by: Laszlo Ersek Acked-by: Ard Biesheuvel Reviewed-by: Philippe Mathieu-Daude --- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 1 + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h | 121 ++++++++++++++++++++ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 101 +--------------- 3 files changed, 124 insertions(+), 99 deletions(-) diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/Enro= llDefaultKeys/EnrollDefaultKeys.inf index 3a215df50863..9f315a8e6d90 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf @@ -11,16 +11,17 @@ [Defines] BASE_NAME =3D EnrollDefaultKeys FILE_GUID =3D A0BAA8A3-041D-48A8-BC87-C36D121B5E3D MODULE_TYPE =3D UEFI_APPLICATION VERSION_STRING =3D 0.1 ENTRY_POINT =3D ShellCEntryLib =20 [Sources] EnrollDefaultKeys.c + EnrollDefaultKeys.h =20 [Packages] MdeModulePkg/MdeModulePkg.dec MdePkg/MdePkg.dec SecurityPkg/SecurityPkg.dec ShellPkg/ShellPkg.dec =20 [Guids] diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/Enroll= DefaultKeys/EnrollDefaultKeys.h new file mode 100644 index 000000000000..9bcd87ff4f44 --- /dev/null +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h @@ -0,0 +1,121 @@ +/** @file + Type definitions for the EnrollDefaultKeys application. + + Copyright (C) 2014-2019, Red Hat, Inc. + + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#ifndef ENROLL_DEFAULT_KEYS_H_ +#define ENROLL_DEFAULT_KEYS_H_ + +#include + +// +// Convenience structure types for constructing "signature lists" for +// authenticated UEFI variables. +// +// The most important thing about the variable payload is that it is a lis= t of +// lists, where the element size of any given *inner* list is constant. +// +// Since X509 certificates vary in size, each of our *inner* lists will co= ntain +// one element only (one X.509 certificate). This is explicitly mentioned = in +// the UEFI specification, in "28.4.1 Signature Database", in a Note. +// +// The list structure looks as follows: +// +// struct EFI_VARIABLE_AUTHENTICATION_2 { | +// struct EFI_TIME { | +// UINT16 Year; | +// UINT8 Month; | +// UINT8 Day; | +// UINT8 Hour; | +// UINT8 Minute; | +// UINT8 Second; | +// UINT8 Pad1; | +// UINT32 Nanosecond; | +// INT16 TimeZone; | +// UINT8 Daylight; | +// UINT8 Pad2; | +// } TimeStamp; | +// | +// struct WIN_CERTIFICATE_UEFI_GUID { | | +// struct WIN_CERTIFICATE { | | +// UINT32 dwLength; ----------------------------------------+ | +// UINT16 wRevision; | | +// UINT16 wCertificateType; | | +// } Hdr; | +- Dat= aSize +// | | +// EFI_GUID CertType; | | +// UINT8 CertData[1] =3D { <--- "struct hack" | | +// struct EFI_SIGNATURE_LIST { | | | +// EFI_GUID SignatureType; | | | +// UINT32 SignatureListSize; -------------------------+ | | +// UINT32 SignatureHeaderSize; | | | +// UINT32 SignatureSize; ---------------------------+ | | | +// UINT8 SignatureHeader[SignatureHeaderSize]; | | | | +// v | | | +// struct EFI_SIGNATURE_DATA { | | | | +// EFI_GUID SignatureOwner; | | | | +// UINT8 SignatureData[1] =3D { <--- "struct hack" | | | | +// X.509 payload | | | | +// } | | | | +// } Signatures[]; | | | +// } SigLists[]; | | +// }; | | +// } AuthInfo; | | +// }; | +// +// Given that the "struct hack" invokes undefined behavior (which is why C= 99 +// introduced the flexible array member), and because subtracting those pe= sky +// sizes of 1 is annoying, and because the format is fully specified in the +// UEFI specification, we'll introduce two matching convenience structures= that +// are customized for our X.509 purposes. +// +#pragma pack (1) +typedef struct { + EFI_TIME TimeStamp; + + // + // dwLength covers data below + // + UINT32 dwLength; + UINT16 wRevision; + UINT16 wCertificateType; + EFI_GUID CertType; +} SINGLE_HEADER; + +typedef struct { + // + // SignatureListSize covers data below + // + EFI_GUID SignatureType; + UINT32 SignatureListSize; + UINT32 SignatureHeaderSize; // constant 0 + UINT32 SignatureSize; + + // + // SignatureSize covers data below + // + EFI_GUID SignatureOwner; + + // + // X.509 certificate follows + // +} REPEATING_HEADER; +#pragma pack () + + +// +// A structure that collects the values of UEFI variables related to Secure +// Boot. +// +typedef struct { + UINT8 SetupMode; + UINT8 SecureBoot; + UINT8 SecureBootEnable; + UINT8 CustomMode; + UINT8 VendorKeys; +} SETTINGS; + +#endif /* ENROLL_DEFAULT_KEYS_H_ */ diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/Enroll= DefaultKeys/EnrollDefaultKeys.c index 671efef8d6ad..fefea6638887 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -10,16 +10,18 @@ #include // EFI_IMAGE_SECURITY_DAT= ABASE #include // CopyGuid() #include // ASSERT() #include // FreePool() #include // ShellAppMain() #include // AsciiPrint() #include // gRT =20 +#include "EnrollDefaultKeys.h" + // // We'll use the certificate below as both Platform Key and as first Key // Exchange Key. // // "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=3Dsecalert@redhat.com" // SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97 // STATIC CONST UINT8 mRedHatPkKek1[] =3D { @@ -538,107 +540,16 @@ STATIC CONST UINT8 mSha256OfDevNull[] =3D { // EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued // EFI_SIGNATURE_DATA.SignatureData. // STATIC CONST EFI_GUID mMicrosoftOwnerGuid =3D { 0x77fa9abd, 0x0359, 0x4d32, { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, }; =20 -// -// The most important thing about the variable payload is that it is a lis= t of -// lists, where the element size of any given *inner* list is constant. -// -// Since X509 certificates vary in size, each of our *inner* lists will co= ntain -// one element only (one X.509 certificate). This is explicitly mentioned = in -// the UEFI specification, in "28.4.1 Signature Database", in a Note. -// -// The list structure looks as follows: -// -// struct EFI_VARIABLE_AUTHENTICATION_2 { | -// struct EFI_TIME { | -// UINT16 Year; | -// UINT8 Month; | -// UINT8 Day; | -// UINT8 Hour; | -// UINT8 Minute; | -// UINT8 Second; | -// UINT8 Pad1; | -// UINT32 Nanosecond; | -// INT16 TimeZone; | -// UINT8 Daylight; | -// UINT8 Pad2; | -// } TimeStamp; | -// | -// struct WIN_CERTIFICATE_UEFI_GUID { | | -// struct WIN_CERTIFICATE { | | -// UINT32 dwLength; ----------------------------------------+ | -// UINT16 wRevision; | | -// UINT16 wCertificateType; | | -// } Hdr; | +- Dat= aSize -// | | -// EFI_GUID CertType; | | -// UINT8 CertData[1] =3D { <--- "struct hack" | | -// struct EFI_SIGNATURE_LIST { | | | -// EFI_GUID SignatureType; | | | -// UINT32 SignatureListSize; -------------------------+ | | -// UINT32 SignatureHeaderSize; | | | -// UINT32 SignatureSize; ---------------------------+ | | | -// UINT8 SignatureHeader[SignatureHeaderSize]; | | | | -// v | | | -// struct EFI_SIGNATURE_DATA { | | | | -// EFI_GUID SignatureOwner; | | | | -// UINT8 SignatureData[1] =3D { <--- "struct hack" | | | | -// X.509 payload | | | | -// } | | | | -// } Signatures[]; | | | -// } SigLists[]; | | -// }; | | -// } AuthInfo; | | -// }; | -// -// Given that the "struct hack" invokes undefined behavior (which is why C= 99 -// introduced the flexible array member), and because subtracting those pe= sky -// sizes of 1 is annoying, and because the format is fully specified in the -// UEFI specification, we'll introduce two matching convenience structures= that -// are customized for our X.509 purposes. -// -#pragma pack (1) -typedef struct { - EFI_TIME TimeStamp; - - // - // dwLength covers data below - // - UINT32 dwLength; - UINT16 wRevision; - UINT16 wCertificateType; - EFI_GUID CertType; -} SINGLE_HEADER; - -typedef struct { - // - // SignatureListSize covers data below - // - EFI_GUID SignatureType; - UINT32 SignatureListSize; - UINT32 SignatureHeaderSize; // constant 0 - UINT32 SignatureSize; - - // - // SignatureSize covers data below - // - EFI_GUID SignatureOwner; - - // - // X.509 certificate follows - // -} REPEATING_HEADER; -#pragma pack () - /** Enroll a set of certificates in a global variable, overwriting it. =20 The variable will be rewritten with NV+BS+RT+AT attributes. =20 @param[in] VariableName The name of the variable to overwrite. =20 @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable= to @@ -839,24 +750,16 @@ GetExact ( AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, " "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)S= ize); return EFI_PROTOCOL_ERROR; } =20 return EFI_SUCCESS; } =20 -typedef struct { - UINT8 SetupMode; - UINT8 SecureBoot; - UINT8 SecureBootEnable; - UINT8 CustomMode; - UINT8 VendorKeys; -} SETTINGS; - STATIC EFI_STATUS GetSettings ( OUT SETTINGS *Settings ) { EFI_STATUS Status; =20 --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39684): https://edk2.groups.io/g/devel/message/39684 Mute This Topic: https://groups.io/mt/31359379/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 12 14:48:54 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+39685+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39685+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556326445; cv=none; d=zoho.com; s=zohoarc; b=QKdYFB6/gFMqlHvQsRDS08VqGZ/KoaStaOBuKYparkJ8DiDUrYI8VBWlvXFt3YBeWjD4LG8bGicxR/8DWfrDjUfM+r1F16iFBiFi0ILY8fFobmpDT8qiXPfwwiN3FtvaumeR2T2/ehngY+hz/M0SKpaGxVGewYv0LdKifdZ/T8U= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556326445; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=eFBUl6wbSH9b3UVub3llt/ckvjovvWOuR4Z3kR9pKe4=; b=IlUVpn27+f51I9nqcK9we5jTRwXQKDlvsr+zxLLjLqB25MuHG4GksfgWtQtSUIygacIfuGfpVMu3XPLFlwpc6D/zzUtUSLFPgCFDSahp81jmBELIddSEyycbST0+Kk1pVVwYgwT9p4o15HgH7p9lHTUcgg/o+qxk9n/ztTS9B2s= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39685+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 155632644555025.150395144587264; Fri, 26 Apr 2019 17:54:05 -0700 (PDT) Return-Path: X-Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:54:04 -0700 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 48C0330BDBF7; Sat, 27 Apr 2019 00:54:04 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1A6815D70A; Sat, 27 Apr 2019 00:54:01 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Anthony Perard , Ard Biesheuvel , Jordan Justen , Julien Grall Subject: [edk2-devel] [PATCH 10/16] OvmfPkg/EnrollDefaultKeys: split out certificate and signature constants Date: Sat, 27 Apr 2019 02:53:22 +0200 Message-Id: <20190427005328.27005-11-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.43]); Sat, 27 Apr 2019 00:54:04 +0000 (UTC) Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1556326445; bh=FAXWoW97J4mXavx3pfzhUYrZGaOW87MUgQnKHitueW0=; h=Cc:Date:From:Reply-To:Subject:To; b=bFljO/urrf3IR1bZQTM5327KeZXxsvCrwJn5eSiTKO3zghAFkSM2eKQ2VQNKh5xu+IX kGOyCrkgoRyj2fbm94BRPSFrQQHqrCeV5iAHAaZS3iEp4wAzDWjIviUU8my1kub41ZwXF 97roiDcqDonFv5qJ4dyupoN/Dy9iDXhPrKI= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" A large portion of "EnrollDefaultKeys.c" is hex-encoded X509 certificates, GUIDs, and signatures. These objects are constants, unlikely to see changes anytime soon. Move them out of the way, to "AuthData.c", so we can more easily work on functions in "EnrollDefaultKeys.c". Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 Signed-off-by: Laszlo Ersek Acked-by: Ard Biesheuvel Reviewed-by: Philippe Mathieu-Daude --- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 1 + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h | 24 +- OvmfPkg/EnrollDefaultKeys/{EnrollDefaultKeys.c =3D> AuthData.c} | 402 +---= ----------- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 540 +-----= -------------- 4 files changed, 53 insertions(+), 914 deletions(-) diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/Enro= llDefaultKeys/EnrollDefaultKeys.inf index 9f315a8e6d90..3f093c768585 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf @@ -10,16 +10,17 @@ [Defines] INF_VERSION =3D 1.28 BASE_NAME =3D EnrollDefaultKeys FILE_GUID =3D A0BAA8A3-041D-48A8-BC87-C36D121B5E3D MODULE_TYPE =3D UEFI_APPLICATION VERSION_STRING =3D 0.1 ENTRY_POINT =3D ShellCEntryLib =20 [Sources] + AuthData.c EnrollDefaultKeys.c EnrollDefaultKeys.h =20 [Packages] MdeModulePkg/MdeModulePkg.dec MdePkg/MdePkg.dec SecurityPkg/SecurityPkg.dec ShellPkg/ShellPkg.dec diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/Enroll= DefaultKeys/EnrollDefaultKeys.h index 9bcd87ff4f44..07f4aa04e469 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h @@ -1,10 +1,11 @@ /** @file - Type definitions for the EnrollDefaultKeys application. + Type definitions and object declarations for the EnrollDefaultKeys + application. =20 Copyright (C) 2014-2019, Red Hat, Inc. =20 SPDX-License-Identifier: BSD-2-Clause-Patent **/ =20 #ifndef ENROLL_DEFAULT_KEYS_H_ #define ENROLL_DEFAULT_KEYS_H_ @@ -113,9 +114,30 @@ typedef struct { typedef struct { UINT8 SetupMode; UINT8 SecureBoot; UINT8 SecureBootEnable; UINT8 CustomMode; UINT8 VendorKeys; } SETTINGS; =20 + +// +// Refer to "AuthData.c" for details on the following objects. +// +extern CONST UINT8 mRedHatPkKek1[]; +extern CONST UINTN mSizeOfRedHatPkKek1; + +extern CONST UINT8 mMicrosoftKek[]; +extern CONST UINTN mSizeOfMicrosoftKek; + +extern CONST UINT8 mMicrosoftPca[]; +extern CONST UINTN mSizeOfMicrosoftPca; + +extern CONST UINT8 mMicrosoftUefiCa[]; +extern CONST UINTN mSizeOfMicrosoftUefiCa; + +extern CONST UINT8 mSha256OfDevNull[]; +extern CONST UINTN mSizeOfSha256OfDevNull; + +extern CONST EFI_GUID mMicrosoftOwnerGuid; + #endif /* ENROLL_DEFAULT_KEYS_H_ */ diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/Enroll= DefaultKeys/AuthData.c similarity index 74% copy from OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c copy to OvmfPkg/EnrollDefaultKeys/AuthData.c index fefea6638887..e0a543785fb5 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c @@ -1,35 +1,27 @@ /** @file - Enroll default PK, KEK, db, dbx. + Certificate and signature constants for the EnrollDefaultKeys applicatio= n. =20 Copyright (C) 2014-2019, Red Hat, Inc. =20 SPDX-License-Identifier: BSD-2-Clause-Patent **/ -#include // gEfiCustomModeEnableGu= id -#include // EFI_SETUP_MODE_NAME -#include // EFI_IMAGE_SECURITY_DAT= ABASE -#include // CopyGuid() -#include // ASSERT() -#include // FreePool() -#include // ShellAppMain() -#include // AsciiPrint() -#include // gRT =20 #include "EnrollDefaultKeys.h" =20 + // // We'll use the certificate below as both Platform Key and as first Key // Exchange Key. // // "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=3Dsecalert@redhat.com" // SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97 // -STATIC CONST UINT8 mRedHatPkKek1[] =3D { +CONST UINT8 mRedHatPkKek1[] =3D { 0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, = 0x02, 0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, = 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, = 0x00, 0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, = 0x22, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, = 0x72, 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, = 0x45, 0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, = 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, = 0x73, @@ -94,23 +86,26 @@ STATIC CONST UINT8 mRedHatPkKek1[] =3D { 0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, = 0x90, 0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, = 0xaf, 0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, = 0x37, 0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, = 0xb7, 0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, = 0x43, 0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69 }; =20 +CONST UINTN mSizeOfRedHatPkKek1 =3D sizeof mRedHatPkKek1; + + // // Second KEK: "Microsoft Corporation KEK CA 2011". // SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30 // // "dbx" updates in "dbxtool" are signed with a key derived from this KEK. // -STATIC CONST UINT8 mMicrosoftKek[] =3D { +CONST UINT8 mMicrosoftKek[] =3D { 0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, = 0x02, 0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, = 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, = 0x05, 0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, = 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, = 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, = 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, = 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, = 0x0a, @@ -220,24 +215,27 @@ STATIC CONST UINT8 mMicrosoftKek[] =3D { 0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, = 0x5d, 0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, = 0x38, 0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, = 0x1c, 0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, = 0x14, 0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, = 0xc5, 0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e }; =20 +CONST UINTN mSizeOfMicrosoftKek =3D sizeof mMicrosoftKek; + + // // First DB entry: "Microsoft Windows Production PCA 2011" // SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d // // Windows 8 and Windows Server 2012 R2 boot loaders are signed with a cha= in // rooted in this certificate. // -STATIC CONST UINT8 mMicrosoftPca[] =3D { +CONST UINT8 mMicrosoftPca[] =3D { 0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, = 0x02, 0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, = 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, = 0x05, 0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, = 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, = 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, = 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, = 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, = 0x0a, @@ -346,23 +344,26 @@ STATIC CONST UINT8 mMicrosoftPca[] =3D { 0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, = 0x21, 0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, = 0x86, 0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, = 0xd6, 0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, = 0xb9, 0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, = 0xa4, 0x62, 0x1c, 0x59, 0x7e }; =20 +CONST UINTN mSizeOfMicrosoftPca =3D sizeof mMicrosoftPca; + + // // Second DB entry: "Microsoft Corporation UEFI CA 2011" // SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3 // // To verify the "shim" binary and PCI expansion ROMs with. // -STATIC CONST UINT8 mMicrosoftUefiCa[] =3D { +CONST UINT8 mMicrosoftUefiCa[] =3D { 0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, = 0x02, 0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, = 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, = 0x05, 0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, = 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, = 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, = 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, = 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, = 0x0a, @@ -475,16 +476,19 @@ STATIC CONST UINT8 mMicrosoftUefiCa[] =3D { 0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, = 0x1e, 0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, = 0x62, 0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, = 0xf8, 0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, = 0xf6, 0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, = 0x75, 0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58 }; =20 +CONST UINTN mSizeOfMicrosoftUefiCa =3D sizeof mMicrosoftUefiCa; + + // // The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test= case // of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit // expects that the "dbx" variable exist. // // The article at // writes (excerpt): // @@ -507,22 +511,25 @@ STATIC CONST UINT8 mMicrosoftUefiCa[] =3D { // // Technically speaking, we could also capture an official (although soon = to be // obsolete) dbx update from . How= ever, // the terms and conditions on distributing that binary aren't exactly lig= ht // reading, so let's best steer clear of it, and follow the "dummy entry" // practice recommended -- in natural English langauge -- in the // above-referenced TechNet article. // -STATIC CONST UINT8 mSha256OfDevNull[] =3D { +CONST UINT8 mSha256OfDevNull[] =3D { 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, = 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, = 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55 }; =20 +CONST UINTN mSizeOfSha256OfDevNull =3D sizeof mSha256OfDevNull; + + // // The following test cases of the Secure Boot Logo Test in the Microsoft // Hardware Certification Kit: // // - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent // - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureI= nDB // // expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be @@ -535,375 +542,12 @@ STATIC CONST UINT8 mSha256OfDevNull[] =3D { // - "Microsoft Corporation UEFI CA 2011" (in db) // // This is despite the fact that the UEFI specification requires // EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS, // application or driver) that enrolled and therefore owns // EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued // EFI_SIGNATURE_DATA.SignatureData. // -STATIC CONST EFI_GUID mMicrosoftOwnerGuid =3D { +CONST EFI_GUID mMicrosoftOwnerGuid =3D { 0x77fa9abd, 0x0359, 0x4d32, { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, }; - -/** - Enroll a set of certificates in a global variable, overwriting it. - - The variable will be rewritten with NV+BS+RT+AT attributes. - - @param[in] VariableName The name of the variable to overwrite. - - @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable= to - overwrite. - - @param[in] CertType The GUID determining the type of all the - certificates in the set that is passed in. For - example, gEfiCertX509Guid stands for DER-encoded - X.509 certificates, while gEfiCertSha256Guid st= ands - for SHA256 image hashes. - - @param[in] ... A list of - - IN CONST UINT8 *Cert, - IN UINTN CertSize, - IN CONST EFI_GUID *OwnerGuid - - triplets. If the first component of a triplet is - NULL, then the other two components are not - accessed, and processing is terminated. The lis= t of - certificates is enrolled in the variable specif= ied, - overwriting it. The OwnerGuid component identif= ies - the agent installing the certificate. - - @retval EFI_INVALID_PARAMETER The triplet list is empty (ie. the first = Cert - value is NULL), or one of the CertSize va= lues - is 0, or one of the CertSize values would - overflow the accumulated UINT32 data size. - - @retval EFI_OUT_OF_RESOURCES Out of memory while formatting variable - payload. - - @retval EFI_SUCCESS Enrollment successful; the variable has b= een - overwritten (or created). - - @return Error codes from gRT->GetTime() and - gRT->SetVariable(). -**/ -STATIC -EFI_STATUS -EFIAPI -EnrollListOfCerts ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid, - IN EFI_GUID *CertType, - ... - ) -{ - UINTN DataSize; - SINGLE_HEADER *SingleHeader; - REPEATING_HEADER *RepeatingHeader; - VA_LIST Marker; - CONST UINT8 *Cert; - EFI_STATUS Status; - UINT8 *Data; - UINT8 *Position; - - Status =3D EFI_SUCCESS; - - // - // compute total size first, for UINT32 range check, and allocation - // - DataSize =3D sizeof *SingleHeader; - VA_START (Marker, CertType); - for (Cert =3D VA_ARG (Marker, CONST UINT8 *); - Cert !=3D NULL; - Cert =3D VA_ARG (Marker, CONST UINT8 *)) { - UINTN CertSize; - - CertSize =3D VA_ARG (Marker, UINTN); - (VOID)VA_ARG (Marker, CONST EFI_GUID *); - - if (CertSize =3D=3D 0 || - CertSize > MAX_UINT32 - sizeof *RepeatingHeader || - DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) { - Status =3D EFI_INVALID_PARAMETER; - break; - } - DataSize +=3D sizeof *RepeatingHeader + CertSize; - } - VA_END (Marker); - - if (DataSize =3D=3D sizeof *SingleHeader) { - Status =3D EFI_INVALID_PARAMETER; - } - if (EFI_ERROR (Status)) { - goto Out; - } - - Data =3D AllocatePool (DataSize); - if (Data =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Out; - } - - Position =3D Data; - - SingleHeader =3D (SINGLE_HEADER *)Position; - Status =3D gRT->GetTime (&SingleHeader->TimeStamp, NULL); - if (EFI_ERROR (Status)) { - goto FreeData; - } - SingleHeader->TimeStamp.Pad1 =3D 0; - SingleHeader->TimeStamp.Nanosecond =3D 0; - SingleHeader->TimeStamp.TimeZone =3D 0; - SingleHeader->TimeStamp.Daylight =3D 0; - SingleHeader->TimeStamp.Pad2 =3D 0; -#if 0 - SingleHeader->dwLength =3D DataSize - sizeof SingleHeader->TimeS= tamp; -#else - // - // This looks like a bug in edk2. According to the UEFI specification, - // dwLength is "The length of the entire certificate, including the leng= th of - // the header, in bytes". That shouldn't stop right after CertType -- it - // should include everything below it. - // - SingleHeader->dwLength =3D sizeof *SingleHeader - - sizeof SingleHeader->TimeStamp; -#endif - SingleHeader->wRevision =3D 0x0200; - SingleHeader->wCertificateType =3D WIN_CERT_TYPE_EFI_GUID; - CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid); - Position +=3D sizeof *SingleHeader; - - VA_START (Marker, CertType); - for (Cert =3D VA_ARG (Marker, CONST UINT8 *); - Cert !=3D NULL; - Cert =3D VA_ARG (Marker, CONST UINT8 *)) { - UINTN CertSize; - CONST EFI_GUID *OwnerGuid; - - CertSize =3D VA_ARG (Marker, UINTN); - OwnerGuid =3D VA_ARG (Marker, CONST EFI_GUID *); - - RepeatingHeader =3D (REPEATING_HEADER *)Position; - CopyGuid (&RepeatingHeader->SignatureType, CertType); - RepeatingHeader->SignatureListSize =3D - (UINT32)(sizeof *RepeatingHeader + CertSize); - RepeatingHeader->SignatureHeaderSize =3D 0; - RepeatingHeader->SignatureSize =3D - (UINT32)(sizeof RepeatingHeader->SignatureOwner + CertSize); - CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid); - Position +=3D sizeof *RepeatingHeader; - - CopyMem (Position, Cert, CertSize); - Position +=3D CertSize; - } - VA_END (Marker); - - ASSERT (Data + DataSize =3D=3D Position); - - Status =3D gRT->SetVariable (VariableName, VendorGuid, - (EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_RUNTIME_ACCESS | - EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), - DataSize, Data); - -FreeData: - FreePool (Data); - -Out: - if (EFI_ERROR (Status)) { - AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName, - VendorGuid, Status); - } - return Status; -} - - -STATIC -EFI_STATUS -GetExact ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid, - OUT VOID *Data, - IN UINTN DataSize, - IN BOOLEAN AllowMissing - ) -{ - UINTN Size; - EFI_STATUS Status; - - Size =3D DataSize; - Status =3D gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data= ); - if (EFI_ERROR (Status)) { - if (Status =3D=3D EFI_NOT_FOUND && AllowMissing) { - ZeroMem (Data, DataSize); - return EFI_SUCCESS; - } - - AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName, - VendorGuid, Status); - return Status; - } - - if (Size !=3D DataSize) { - AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, " - "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)S= ize); - return EFI_PROTOCOL_ERROR; - } - - return EFI_SUCCESS; -} - -STATIC -EFI_STATUS -GetSettings ( - OUT SETTINGS *Settings - ) -{ - EFI_STATUS Status; - - Status =3D GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, - &Settings->SetupMode, sizeof Settings->SetupMode, FALSE); - if (EFI_ERROR (Status)) { - return Status; - } - - Status =3D GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, - &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE); - if (EFI_ERROR (Status)) { - return Status; - } - - Status =3D GetExact (EFI_SECURE_BOOT_ENABLE_NAME, - &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable, - sizeof Settings->SecureBootEnable, TRUE); - if (EFI_ERROR (Status)) { - return Status; - } - - Status =3D GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, - &Settings->CustomMode, sizeof Settings->CustomMode, FALSE); - if (EFI_ERROR (Status)) { - return Status; - } - - Status =3D GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableG= uid, - &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE); - return Status; -} - -STATIC -VOID -PrintSettings ( - IN CONST SETTINGS *Settings - ) -{ - AsciiPrint ("info: SetupMode=3D%d SecureBoot=3D%d SecureBootEnable=3D%d " - "CustomMode=3D%d VendorKeys=3D%d\n", Settings->SetupMode, Settings->Se= cureBoot, - Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys= ); -} - - -INTN -EFIAPI -ShellAppMain ( - IN UINTN Argc, - IN CHAR16 **Argv - ) -{ - EFI_STATUS Status; - SETTINGS Settings; - - Status =3D GetSettings (&Settings); - if (EFI_ERROR (Status)) { - return 1; - } - PrintSettings (&Settings); - - if (Settings.SetupMode !=3D 1) { - AsciiPrint ("error: already in User Mode\n"); - return 1; - } - - if (Settings.CustomMode !=3D CUSTOM_SECURE_BOOT_MODE) { - Settings.CustomMode =3D CUSTOM_SECURE_BOOT_MODE; - Status =3D gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnab= leGuid, - (EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS), - sizeof Settings.CustomMode, &Settings.CustomMode); - if (EFI_ERROR (Status)) { - AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_= NAME, - &gEfiCustomModeEnableGuid, Status); - return 1; - } - } - - Status =3D EnrollListOfCerts ( - EFI_IMAGE_SECURITY_DATABASE, - &gEfiImageSecurityDatabaseGuid, - &gEfiCertX509Guid, - mMicrosoftPca, sizeof mMicrosoftPca, &mMicrosoftOwnerGu= id, - mMicrosoftUefiCa, sizeof mMicrosoftUefiCa, &mMicrosoftOwnerGu= id, - NULL); - if (EFI_ERROR (Status)) { - return 1; - } - - Status =3D EnrollListOfCerts ( - EFI_IMAGE_SECURITY_DATABASE1, - &gEfiImageSecurityDatabaseGuid, - &gEfiCertSha256Guid, - mSha256OfDevNull, sizeof mSha256OfDevNull, &gEfiCallerIdGuid, - NULL); - if (EFI_ERROR (Status)) { - return 1; - } - - Status =3D EnrollListOfCerts ( - EFI_KEY_EXCHANGE_KEY_NAME, - &gEfiGlobalVariableGuid, - &gEfiCertX509Guid, - mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiCallerIdGuid, - mMicrosoftKek, sizeof mMicrosoftKek, &mMicrosoftOwnerGuid, - NULL); - if (EFI_ERROR (Status)) { - return 1; - } - - Status =3D EnrollListOfCerts ( - EFI_PLATFORM_KEY_NAME, - &gEfiGlobalVariableGuid, - &gEfiCertX509Guid, - mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiGlobalVariableGuid, - NULL); - if (EFI_ERROR (Status)) { - return 1; - } - - Settings.CustomMode =3D STANDARD_SECURE_BOOT_MODE; - Status =3D gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnable= Guid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACC= ESS, - sizeof Settings.CustomMode, &Settings.CustomMode); - if (EFI_ERROR (Status)) { - AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NA= ME, - &gEfiCustomModeEnableGuid, Status); - return 1; - } - - Status =3D GetSettings (&Settings); - if (EFI_ERROR (Status)) { - return 1; - } - PrintSettings (&Settings); - - if (Settings.SetupMode !=3D 0 || Settings.SecureBoot !=3D 1 || - Settings.SecureBootEnable !=3D 1 || Settings.CustomMode !=3D 0 || - Settings.VendorKeys !=3D 0) { - AsciiPrint ("error: unexpected\n"); - return 1; - } - - AsciiPrint ("info: success\n"); - return 0; -} diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/Enroll= DefaultKeys/EnrollDefaultKeys.c index fefea6638887..528718b15ae9 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -12,544 +12,16 @@ #include // ASSERT() #include // FreePool() #include // ShellAppMain() #include // AsciiPrint() #include // gRT =20 #include "EnrollDefaultKeys.h" =20 -// -// We'll use the certificate below as both Platform Key and as first Key -// Exchange Key. -// -// "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=3Dsecalert@redhat.com" -// SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97 -// -STATIC CONST UINT8 mRedHatPkKek1[] =3D { - 0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, = 0x02, - 0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, = 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, = 0x00, - 0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, = 0x22, - 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, = 0x72, - 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, = 0x45, - 0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, = 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, = 0x73, - 0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, = 0x61, - 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, = 0x30, - 0x33, 0x31, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, = 0x37, - 0x31, 0x30, 0x32, 0x35, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x30, = 0x51, - 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x52, = 0x65, - 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, = 0x20, - 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45, 0x4b, = 0x20, - 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, = 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, = 0x63, - 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, = 0x2e, - 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, = 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, = 0x0f, - 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x90, 0x1f, = 0x84, - 0x7b, 0x8d, 0xbc, 0xeb, 0x97, 0x26, 0x82, 0x6d, 0x88, 0xab, 0x8a, 0xc9, = 0x8c, - 0x68, 0x70, 0xf9, 0xdf, 0x4b, 0x07, 0xb2, 0x37, 0x83, 0x0b, 0x02, 0xc8, = 0x67, - 0x68, 0x30, 0x9e, 0xe3, 0xf0, 0xf0, 0x99, 0x4a, 0xb8, 0x59, 0x57, 0xc6, = 0x41, - 0xf6, 0x38, 0x8b, 0xfe, 0x66, 0x4c, 0x49, 0xe9, 0x37, 0x37, 0x92, 0x2e, = 0x98, - 0x01, 0x1e, 0x5b, 0x14, 0x50, 0xe6, 0xa8, 0x8d, 0x25, 0x0d, 0xf5, 0x86, = 0xe6, - 0xab, 0x30, 0xcb, 0x40, 0x16, 0xea, 0x8d, 0x8b, 0x16, 0x86, 0x70, 0x43, = 0x37, - 0xf2, 0xce, 0xc0, 0x91, 0xdf, 0x71, 0x14, 0x8e, 0x99, 0x0e, 0x89, 0xb6, = 0x4c, - 0x6d, 0x24, 0x1e, 0x8c, 0xe4, 0x2f, 0x4f, 0x25, 0xd0, 0xba, 0x06, 0xf8, = 0xc6, - 0xe8, 0x19, 0x18, 0x76, 0x73, 0x1d, 0x81, 0x6d, 0xa8, 0xd8, 0x05, 0xcf, = 0x3a, - 0xc8, 0x7b, 0x28, 0xc8, 0x36, 0xa3, 0x16, 0x0d, 0x29, 0x8c, 0x99, 0x9a, = 0x68, - 0xdc, 0xab, 0xc0, 0x4d, 0x8d, 0xbf, 0x5a, 0xbb, 0x2b, 0xa9, 0x39, 0x4b, = 0x04, - 0x97, 0x1c, 0xf9, 0x36, 0xbb, 0xc5, 0x3a, 0x86, 0x04, 0xae, 0xaf, 0xd4, = 0x82, - 0x7b, 0xe0, 0xab, 0xde, 0x49, 0x05, 0x68, 0xfc, 0xf6, 0xae, 0x68, 0x1a, = 0x6c, - 0x90, 0x4d, 0x57, 0x19, 0x3c, 0x64, 0x66, 0x03, 0xf6, 0xc7, 0x52, 0x9b, = 0xf7, - 0x94, 0xcf, 0x93, 0x6a, 0xa1, 0x68, 0xc9, 0xaa, 0xcf, 0x99, 0x6b, 0xbc, = 0xaa, - 0x5e, 0x08, 0xe7, 0x39, 0x1c, 0xf7, 0xf8, 0x0f, 0xba, 0x06, 0x7e, 0xf1, = 0xcb, - 0xe8, 0x76, 0xdd, 0xfe, 0x22, 0xda, 0xad, 0x3a, 0x5e, 0x5b, 0x34, 0xea, = 0xb3, - 0xc9, 0xe0, 0x4d, 0x04, 0x29, 0x7e, 0xb8, 0x60, 0xb9, 0x05, 0xef, 0xb5, = 0xd9, - 0x17, 0x58, 0x56, 0x16, 0x60, 0xb9, 0x30, 0x32, 0xf0, 0x36, 0x4a, 0xc3, = 0xf2, - 0x79, 0x8d, 0x12, 0x40, 0x70, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, = 0x7b, - 0x30, 0x79, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, = 0x00, - 0x30, 0x2c, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, = 0x0d, - 0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, = 0x47, - 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72, = 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, = 0x1d, - 0x0e, 0x04, 0x16, 0x04, 0x14, 0x3c, 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, = 0x0a, - 0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42, 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, = 0x30, - 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, = 0x3c, - 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a, 0x7b, 0xa3, 0x42, 0xf4, 0x8d, = 0x42, - 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, = 0x48, - 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, = 0x00, - 0x5c, 0x4d, 0x92, 0x88, 0xb4, 0x82, 0x5f, 0x1d, 0xad, 0x8b, 0x11, 0xec, = 0xdf, - 0x06, 0xa6, 0x7a, 0xa5, 0x2b, 0x9f, 0x37, 0x55, 0x0c, 0x8d, 0x6e, 0x05, = 0x00, - 0xad, 0xb7, 0x0c, 0x41, 0x89, 0x69, 0xcf, 0xd6, 0x65, 0x06, 0x9b, 0x51, = 0x78, - 0xd2, 0xad, 0xc7, 0xbf, 0x9c, 0xdc, 0x05, 0x73, 0x7f, 0xe7, 0x1e, 0x39, = 0x13, - 0xb4, 0xea, 0xb6, 0x30, 0x7d, 0x40, 0x75, 0xab, 0x9c, 0x43, 0x0b, 0xdf, = 0xb0, - 0xc2, 0x1b, 0xbf, 0x30, 0xe0, 0xf4, 0xfe, 0xc0, 0xdb, 0x62, 0x21, 0x98, = 0xf6, - 0xc5, 0xaf, 0xde, 0x3b, 0x4f, 0x49, 0x0a, 0xe6, 0x1e, 0xf9, 0x86, 0xb0, = 0x3f, - 0x0d, 0xd6, 0xd4, 0x46, 0x37, 0xdb, 0x54, 0x74, 0x5e, 0xff, 0x11, 0xc2, = 0x60, - 0xc6, 0x70, 0x58, 0xc5, 0x1c, 0x6f, 0xec, 0xb2, 0xd8, 0x6e, 0x6f, 0xc3, = 0xbc, - 0x33, 0x87, 0x38, 0xa4, 0xf3, 0x44, 0x64, 0x9c, 0x34, 0x3b, 0x28, 0x94, = 0x26, - 0x78, 0x27, 0x9f, 0x16, 0x17, 0xe8, 0x3b, 0x69, 0x0a, 0x25, 0xa9, 0x73, = 0x36, - 0x7e, 0x9e, 0x37, 0x5c, 0xec, 0xe8, 0x3f, 0xdb, 0x91, 0xf9, 0x12, 0xb3, = 0x3d, - 0xce, 0xe7, 0xdd, 0x15, 0xc3, 0xae, 0x8c, 0x05, 0x20, 0x61, 0x9b, 0x95, = 0xde, - 0x9b, 0xaf, 0xfa, 0xb1, 0x5c, 0x1c, 0xe5, 0x97, 0xe7, 0xc3, 0x34, 0x11, = 0x85, - 0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, = 0x90, - 0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, = 0xaf, - 0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, = 0x37, - 0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, = 0xb7, - 0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, = 0x43, - 0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69 -}; - -// -// Second KEK: "Microsoft Corporation KEK CA 2011". -// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30 -// -// "dbx" updates in "dbxtool" are signed with a key derived from this KEK. -// -STATIC CONST UINT8 mMicrosoftKek[] =3D { - 0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, = 0x02, - 0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, = 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, = 0x05, - 0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, = 0x06, - 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, = 0x08, - 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, = 0x31, - 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, = 0x64, - 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, = 0x0a, - 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, = 0x43, - 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, = 0x30, - 0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, = 0x6f, - 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, = 0x74, - 0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, = 0x72, - 0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, = 0x63, - 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, = 0x30, - 0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, = 0x32, - 0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, = 0x30, - 0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, = 0x02, - 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, = 0x0a, - 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, = 0x30, - 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, = 0x6f, - 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, = 0x15, - 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, = 0x72, - 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, = 0x06, - 0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, = 0x6f, - 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, = 0x6f, - 0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, = 0x31, - 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, = 0xf7, - 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, = 0x82, - 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, = 0xad, - 0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, = 0x5d, - 0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, = 0xeb, - 0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, = 0xe3, - 0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, = 0x9b, - 0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, = 0xac, - 0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, = 0xc8, - 0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, = 0xc0, - 0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, = 0xe2, - 0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, = 0x89, - 0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, = 0xc2, - 0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, = 0x03, - 0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, = 0x7e, - 0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, = 0xeb, - 0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, = 0x2f, - 0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, = 0xaa, - 0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, = 0x9f, - 0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, = 0xc6, - 0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, = 0xaf, - 0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, = 0x07, - 0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, = 0x30, - 0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, = 0x82, - 0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, = 0x55, - 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, = 0xa4, - 0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, = 0x5f, - 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, = 0x02, - 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, = 0x00, - 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, = 0x01, - 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, = 0x05, - 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, = 0x04, - 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, = 0x11, - 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, = 0x30, - 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, = 0xa0, - 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, = 0x63, - 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, = 0x2e, - 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, = 0x70, - 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, = 0x6f, - 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, = 0x6f, - 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, = 0x63, - 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, = 0x01, - 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, = 0x05, - 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, = 0x2f, - 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, = 0x74, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, = 0x74, - 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, = 0x61, - 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, = 0x2d, - 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, = 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, = 0x82, - 0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, = 0x2a, - 0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, = 0x66, - 0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, = 0x5a, - 0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, = 0x64, - 0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, = 0x58, - 0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, = 0xd0, - 0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, = 0xf5, - 0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, = 0xec, - 0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, = 0xd7, - 0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, = 0x28, - 0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, = 0x79, - 0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, = 0x7b, - 0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, = 0xd8, - 0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, = 0x19, - 0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, = 0x58, - 0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, = 0x0d, - 0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, = 0x2d, - 0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, = 0xc8, - 0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, = 0x60, - 0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, = 0xac, - 0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, = 0x87, - 0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, = 0xcd, - 0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, = 0x81, - 0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, = 0x92, - 0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, = 0xe0, - 0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, = 0xaf, - 0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, = 0xfb, - 0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, = 0x68, - 0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, = 0xad, - 0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, = 0x82, - 0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, = 0x14, - 0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, = 0x4f, - 0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, = 0x9b, - 0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, = 0xb0, - 0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, = 0x5d, - 0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, = 0x38, - 0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, = 0x1c, - 0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, = 0x14, - 0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, = 0xc5, - 0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e -}; - -// -// First DB entry: "Microsoft Windows Production PCA 2011" -// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d -// -// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a cha= in -// rooted in this certificate. -// -STATIC CONST UINT8 mMicrosoftPca[] =3D { - 0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, = 0x02, - 0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, = 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, = 0x05, - 0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, = 0x06, - 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, = 0x08, - 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, = 0x31, - 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, = 0x64, - 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, = 0x0a, - 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, = 0x43, - 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, = 0x30, - 0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, = 0x6f, - 0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, = 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, = 0x68, - 0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, = 0x17, - 0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, = 0x32, - 0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, = 0x31, - 0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, = 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, = 0x55, - 0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, = 0x6f, - 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, = 0x52, - 0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, = 0x55, - 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, = 0x74, - 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, = 0x31, - 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, = 0x63, - 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, = 0x77, - 0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, = 0x20, - 0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, = 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, = 0x05, - 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, = 0x01, - 0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, = 0xf7, - 0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, = 0xcb, - 0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, = 0x8b, - 0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, = 0xe3, - 0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, = 0xc0, - 0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, = 0x74, - 0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, = 0x67, - 0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, = 0x53, - 0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, = 0x23, - 0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, = 0xa3, - 0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, = 0xff, - 0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, = 0xe2, - 0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, = 0x22, - 0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, = 0xf3, - 0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, = 0x2b, - 0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, = 0xbc, - 0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, = 0xd6, - 0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, = 0xe8, - 0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, = 0xa8, - 0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, = 0x03, - 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, = 0x10, - 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, = 0x03, - 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, = 0x04, - 0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, = 0xf9, - 0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, = 0x2b, - 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, = 0x00, - 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, = 0x03, - 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, = 0x03, - 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, = 0xff, - 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, = 0x14, - 0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, = 0x94, - 0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, = 0x1d, - 0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, = 0x45, - 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, = 0x69, - 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, = 0x70, - 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, = 0x63, - 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, = 0x41, - 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, = 0x33, - 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, = 0x05, - 0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, = 0x06, - 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, = 0x3a, - 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, = 0x6f, - 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, = 0x65, - 0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, = 0x72, - 0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, = 0x32, - 0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, = 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, = 0x14, - 0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, = 0xbc, - 0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, = 0xd0, - 0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, = 0x61, - 0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, = 0xda, - 0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, = 0x6a, - 0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, = 0xe2, - 0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, = 0xea, - 0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, = 0x30, - 0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, = 0x86, - 0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, = 0xc8, - 0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, = 0xae, - 0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, = 0xb8, - 0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, = 0xac, - 0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, = 0x84, - 0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, = 0x73, - 0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, = 0x73, - 0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, = 0x60, - 0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, = 0xb6, - 0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, = 0x2a, - 0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, = 0xba, - 0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, = 0xce, - 0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, = 0x0f, - 0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, = 0x6e, - 0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, = 0xd3, - 0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, = 0x45, - 0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, = 0xd0, - 0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, = 0x24, - 0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, = 0x2c, - 0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, = 0xdf, - 0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, = 0x6c, - 0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, = 0xf2, - 0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, = 0x5c, - 0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, = 0x47, - 0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, = 0x5a, - 0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, = 0x21, - 0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, = 0x86, - 0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, = 0xd6, - 0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, = 0xb9, - 0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, = 0xa4, - 0x62, 0x1c, 0x59, 0x7e -}; - -// -// Second DB entry: "Microsoft Corporation UEFI CA 2011" -// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3 -// -// To verify the "shim" binary and PCI expansion ROMs with. -// -STATIC CONST UINT8 mMicrosoftUefiCa[] =3D { - 0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, = 0x02, - 0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, = 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, = 0x05, - 0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, = 0x06, - 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, = 0x08, - 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, = 0x31, - 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, = 0x64, - 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, = 0x0a, - 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, = 0x43, - 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, = 0x30, - 0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, = 0x6f, - 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, = 0x74, - 0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, = 0x72, - 0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, = 0x63, - 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, = 0x30, - 0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, = 0x32, - 0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, = 0x30, - 0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, = 0x02, - 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, = 0x0a, - 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, = 0x30, - 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, = 0x6f, - 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, = 0x15, - 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, = 0x72, - 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, = 0x06, - 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, = 0x6f, - 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, = 0x6f, - 0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, = 0x31, - 0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, = 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, = 0x30, - 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, = 0xc7, - 0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, = 0x43, - 0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, = 0x73, - 0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, = 0xd3, - 0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, = 0x54, - 0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, = 0x5c, - 0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, = 0x4f, - 0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, = 0xae, - 0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, = 0x1d, - 0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, = 0xfa, - 0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, = 0xff, - 0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, = 0x7b, - 0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, = 0xe6, - 0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, = 0x62, - 0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, = 0x08, - 0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, = 0xe7, - 0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, = 0xb2, - 0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, = 0x7f, - 0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, = 0x8b, - 0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, = 0x6a, - 0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, = 0x76, - 0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, = 0x01, - 0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, = 0x23, - 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, = 0x16, - 0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, = 0x37, - 0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, = 0x03, - 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, = 0xbd, - 0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, = 0x1b, - 0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, = 0x14, - 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, = 0x43, - 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, = 0x02, - 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, = 0x04, - 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, = 0x23, - 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, = 0x58, - 0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, = 0xa8, - 0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, = 0x51, - 0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, = 0x2f, - 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, = 0x74, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, = 0x2f, - 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, = 0x43, - 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, = 0x6f, - 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, = 0x2e, - 0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, = 0x07, - 0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, = 0x01, - 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, = 0x2f, - 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, = 0x66, - 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, = 0x72, - 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, = 0x50, - 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, = 0x30, - 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, = 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, = 0x03, - 0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, = 0x76, - 0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, = 0xef, - 0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, = 0x13, - 0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, = 0x82, - 0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, = 0x1a, - 0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, = 0x20, - 0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, = 0x90, - 0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, = 0x52, - 0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, = 0x6d, - 0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, = 0xaf, - 0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, = 0x49, - 0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, = 0x34, - 0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, = 0x75, - 0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, = 0xb9, - 0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, = 0x8f, - 0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, = 0x8c, - 0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, = 0x56, - 0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, = 0xae, - 0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, = 0x4a, - 0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, = 0x3c, - 0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, = 0x59, - 0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, = 0x3d, - 0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, = 0x53, - 0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, = 0x1b, - 0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, = 0x98, - 0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, = 0x85, - 0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, = 0xd2, - 0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, = 0xe2, - 0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, = 0x6c, - 0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, = 0x3b, - 0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, = 0x27, - 0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, = 0xa6, - 0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, = 0x3f, - 0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, = 0x55, - 0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, = 0x1e, - 0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, = 0x62, - 0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, = 0xf8, - 0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, = 0xf6, - 0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, = 0x75, - 0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58 -}; - -// -// The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test= case -// of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit -// expects that the "dbx" variable exist. -// -// The article at -// writes (excerpt): -// -// Windows 8.1 Secure Boot Key Creation and Management Guidance -// 1. Secure Boot, Windows 8.1 and Key Management -// 1.4 Signature Databases (Db and Dbx) -// 1.4.3 Forbidden Signature Database (dbx) -// -// The contents of EFI_IMAGE_SIGNATURE_DATABASE1 dbx must be checked wh= en -// verifying images before checking db and any matches must prevent the -// image from executing. The database may contain multiple certificates, -// keys, and hashes in order to identify forbidden images. The Windows -// Hardware Certification Requirements state that a dbx must be present= , so -// any dummy value, such as the SHA-256 hash of 0, may be used as a safe -// placeholder until such time as Microsoft begins delivering dbx updat= es. -// -// The byte array below captures the SHA256 checksum of the empty file, -// blacklisting it for loading & execution. This qualifies as a dummy, sin= ce -// the empty file is not a valid UEFI binary anyway. -// -// Technically speaking, we could also capture an official (although soon = to be -// obsolete) dbx update from . How= ever, -// the terms and conditions on distributing that binary aren't exactly lig= ht -// reading, so let's best steer clear of it, and follow the "dummy entry" -// practice recommended -- in natural English langauge -- in the -// above-referenced TechNet article. -// -STATIC CONST UINT8 mSha256OfDevNull[] =3D { - 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, = 0x99, - 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, = 0x95, - 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55 -}; - -// -// The following test cases of the Secure Boot Logo Test in the Microsoft -// Hardware Certification Kit: -// -// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent -// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureI= nDB -// -// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be -// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the -// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509 -// certificates: -// -// - "Microsoft Corporation KEK CA 2011" (in KEK) -// - "Microsoft Windows Production PCA 2011" (in db) -// - "Microsoft Corporation UEFI CA 2011" (in db) -// -// This is despite the fact that the UEFI specification requires -// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS, -// application or driver) that enrolled and therefore owns -// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued -// EFI_SIGNATURE_DATA.SignatureData. -// -STATIC CONST EFI_GUID mMicrosoftOwnerGuid =3D { - 0x77fa9abd, 0x0359, 0x4d32, - { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, -}; - /** Enroll a set of certificates in a global variable, overwriting it. =20 The variable will be rewritten with NV+BS+RT+AT attributes. =20 @param[in] VariableName The name of the variable to overwrite. =20 @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable= to @@ -838,49 +310,49 @@ ShellAppMain ( return 1; } } =20 Status =3D EnrollListOfCerts ( EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, &gEfiCertX509Guid, - mMicrosoftPca, sizeof mMicrosoftPca, &mMicrosoftOwnerGu= id, - mMicrosoftUefiCa, sizeof mMicrosoftUefiCa, &mMicrosoftOwnerGu= id, + mMicrosoftPca, mSizeOfMicrosoftPca, &mMicrosoftOwnerGui= d, + mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &mMicrosoftOwnerGui= d, NULL); if (EFI_ERROR (Status)) { return 1; } =20 Status =3D EnrollListOfCerts ( EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, &gEfiCertSha256Guid, - mSha256OfDevNull, sizeof mSha256OfDevNull, &gEfiCallerIdGuid, + mSha256OfDevNull, mSizeOfSha256OfDevNull, &gEfiCallerIdGuid, NULL); if (EFI_ERROR (Status)) { return 1; } =20 Status =3D EnrollListOfCerts ( EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid, &gEfiCertX509Guid, - mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiCallerIdGuid, - mMicrosoftKek, sizeof mMicrosoftKek, &mMicrosoftOwnerGuid, + mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid, + mMicrosoftKek, mSizeOfMicrosoftKek, &mMicrosoftOwnerGuid, NULL); if (EFI_ERROR (Status)) { return 1; } =20 Status =3D EnrollListOfCerts ( EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, &gEfiCertX509Guid, - mRedHatPkKek1, sizeof mRedHatPkKek1, &gEfiGlobalVariableGuid, + mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiGlobalVariableGuid, NULL); if (EFI_ERROR (Status)) { return 1; } =20 Settings.CustomMode =3D STANDARD_SECURE_BOOT_MODE; Status =3D gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnable= Guid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACC= ESS, --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39685): https://edk2.groups.io/g/devel/message/39685 Mute This Topic: https://groups.io/mt/31359381/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 12 14:48:54 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+39686+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39686+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556326448; cv=none; d=zoho.com; s=zohoarc; b=n9wd1oGst5iE9O4gvNdDLE8CDuBE9SpD14letNc4PPFJfj1LNw1D16Z77fBTClQdK4Cdx9ZM3Jhgc+ayW6/C4oDvfkBMG0hgDp9V0t04TggGCi7d7r+CfSFFDr1L/gslBAbqDtdB8Igy1OMAoh9ODbkq4/Cl02jFdm8sAC4TXiY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556326448; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=2MaHZY87O6JoJARKvMRQyDm9Mj51jvwgkD0F8Ii4SiE=; b=C3a3ZjOBqCXtokY7S3PZHTIsmcYhE6iA+tkGJDq9QkRhjG0Tj0t+XdZ2hgKA4w0l39Kx42nlsceoiQkXlOK4+cpLUqoenMxmsnGF1dG6u/UxPk9i/weGXjrumhCd4csqkVax0PqDjKmYU6TQ7Atu94vsEByKuQpb+sPbF85KC+w= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39686+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 15563264480071002.3828641712815; Fri, 26 Apr 2019 17:54:08 -0700 (PDT) Return-Path: X-Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:54:07 -0700 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id CE06B50F64; Sat, 27 Apr 2019 00:54:06 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id B9D365D70A; Sat, 27 Apr 2019 00:54:04 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Anthony Perard , Ard Biesheuvel , Jordan Justen , Julien Grall Subject: [edk2-devel] [PATCH 11/16] OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID Date: Sat, 27 Apr 2019 02:53:23 +0200 Message-Id: <20190427005328.27005-12-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Sat, 27 Apr 2019 00:54:06 +0000 (UTC) Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1556326447; bh=t+dQDJdaE21pSfW5BHBgCQPEOM65q1zXUC+/VKvzF/I=; h=Cc:Date:From:Reply-To:Subject:To; b=D7AcYIo74TmI6o/HXT+wukWzBsqRyJHXYhEgIU+arhYaV9RSKj/Qhzny4sE68FR/Toe odWQ22WuPoVbddKqcrxjU7UA1+DNXLJKY1djT0hh2OhUBPax8zGfSf7u/Hlo2jhzCyjts jmZkQzewUoQ9f6PAWmS7fWfJ2RcWD/soJ20= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" The GUID 77FA9ABD-0359-4D32-BD60-28F4E78F784B is specified in MSDN, at , therefore it deserves an entry in the package DEC file, and a header file under "Include/Guid". (Arguably, this GUID declaration / definition could even live under SecurityPkg, but the edk2 tradition has been to hoist GUIDs, protocols/PPIs, and lib classes from OvmfPkg to a core package only when dependent C code is added to the core package.) Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 Signed-off-by: Laszlo Ersek Acked-by: Ard Biesheuvel Reviewed-by: Philippe Mathieu-Daude --- OvmfPkg/OvmfPkg.dec | 1 + OvmfPkg/Include/Guid/MicrosoftVendor.h | 55 ++++++++++++++++++++ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 2 + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h | 2 - OvmfPkg/EnrollDefaultKeys/AuthData.c | 28 ---------- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 7 +-- 6 files changed, 62 insertions(+), 33 deletions(-) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index cc2a4909afd4..922e061cc85c 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -72,16 +72,17 @@ [LibraryClasses] [Guids] gUefiOvmfPkgTokenSpaceGuid =3D {0x93bb96af, 0xb9f2, 0x4eb8, {0x= 94, 0x62, 0xe0, 0xba, 0x74, 0x56, 0x42, 0x36}} gEfiXenInfoGuid =3D {0xd3b46f3b, 0xd441, 0x1244, {0x= 9a, 0x12, 0x0, 0x12, 0x27, 0x3f, 0xc1, 0x4d}} gOvmfPlatformConfigGuid =3D {0x7235c51c, 0x0c80, 0x4cab, {0x= 87, 0xac, 0x3b, 0x08, 0x4a, 0x63, 0x04, 0xb1}} gVirtioMmioTransportGuid =3D {0x837dca9e, 0xe874, 0x4d82, {0x= b2, 0x9a, 0x23, 0xfe, 0x0e, 0x23, 0xd1, 0xe2}} gQemuRamfbGuid =3D {0x557423a1, 0x63ab, 0x406c, {0x= be, 0x7e, 0x91, 0xcd, 0xbc, 0x08, 0xc4, 0x57}} gXenBusRootDeviceGuid =3D {0xa732241f, 0x383d, 0x4d9c, {0x= 8a, 0xe1, 0x8e, 0x09, 0x83, 0x75, 0x89, 0xd7}} gRootBridgesConnectedEventGroupGuid =3D {0x24a2d66f, 0xeedd, 0x4086, {0x= 90, 0x42, 0xf2, 0x6e, 0x47, 0x97, 0xee, 0x69}} + gMicrosoftVendorGuid =3D {0x77fa9abd, 0x0359, 0x4d32, {0x= bd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}} =20 [Protocols] gVirtioDeviceProtocolGuid =3D {0xfa920010, 0x6785, 0x4941, {0x= b6, 0xec, 0x49, 0x8c, 0x57, 0x9f, 0x16, 0x0a}} gXenBusProtocolGuid =3D {0x3d3ca290, 0xb9a5, 0x11e3, {0x= b7, 0x5d, 0xb8, 0xac, 0x6f, 0x7d, 0x65, 0xe6}} gXenIoProtocolGuid =3D {0x6efac84f, 0x0ab0, 0x4747, {0x= 81, 0xbe, 0x85, 0x55, 0x62, 0x59, 0x04, 0x49}} gIoMmuAbsentProtocolGuid =3D {0xf8775d50, 0x8abd, 0x4adf, {0x= 92, 0xac, 0x85, 0x3e, 0x51, 0xf6, 0xc8, 0xdc}} gEfiLegacy8259ProtocolGuid =3D {0x38321dba, 0x4fe0, 0x4e17, {0x= 8a, 0xec, 0x41, 0x30, 0x55, 0xea, 0xed, 0xc1}} =20 diff --git a/OvmfPkg/Include/Guid/MicrosoftVendor.h b/OvmfPkg/Include/Guid/= MicrosoftVendor.h new file mode 100644 index 000000000000..db7a326c3194 --- /dev/null +++ b/OvmfPkg/Include/Guid/MicrosoftVendor.h @@ -0,0 +1,55 @@ +/** @file + Declare the GUID that is expected: + + - as EFI_SIGNATURE_DATA.SignatureOwner GUID in association with X509 and + RSA2048 Secure Boot certificates issued by/for Microsoft, + + - as UEFI variable vendor GUID in association with (unspecified) + Microsoft-owned variables. + + Copyright (C) 2014-2019, Red Hat, Inc. + + SPDX-License-Identifier: BSD-2-Clause-Patent + + @par Specification Reference: + - MSDN: System.Fundamentals.Firmware at + . +**/ + +#ifndef MICROSOFT_VENDOR_H_ +#define MICROSOFT_VENDOR_H_ + +#include + +// +// The following test cases of the Secure Boot Logo Test in the Microsoft +// Hardware Certification Kit: +// +// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent +// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureI= nDB +// +// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be +// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the +// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509 +// certificates: +// +// - "Microsoft Corporation KEK CA 2011" (in KEK) +// - "Microsoft Windows Production PCA 2011" (in db) +// - "Microsoft Corporation UEFI CA 2011" (in db) +// +// This is despite the fact that the UEFI specification requires +// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS, +// application or driver) that enrolled and therefore owns +// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued +// EFI_SIGNATURE_DATA.SignatureData. +// +#define MICROSOFT_VENDOR_GUID \ + { 0x77fa9abd, \ + 0x0359, \ + 0x4d32, \ + { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, \ + } + +extern EFI_GUID gMicrosoftVendorGuid; + +#endif /* MICROSOFT_VENDOR_H_ */ diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/Enro= llDefaultKeys/EnrollDefaultKeys.inf index 3f093c768585..28db52586a9b 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf @@ -17,27 +17,29 @@ [Defines] [Sources] AuthData.c EnrollDefaultKeys.c EnrollDefaultKeys.h =20 [Packages] MdeModulePkg/MdeModulePkg.dec MdePkg/MdePkg.dec + OvmfPkg/OvmfPkg.dec SecurityPkg/SecurityPkg.dec ShellPkg/ShellPkg.dec =20 [Guids] gEfiCertPkcs7Guid gEfiCertSha256Guid gEfiCertX509Guid gEfiCustomModeEnableGuid gEfiGlobalVariableGuid gEfiImageSecurityDatabaseGuid gEfiSecureBootEnableDisableGuid + gMicrosoftVendorGuid =20 [LibraryClasses] BaseMemoryLib DebugLib MemoryAllocationLib ShellCEntryLib UefiLib UefiRuntimeServicesTableLib diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/Enroll= DefaultKeys/EnrollDefaultKeys.h index 07f4aa04e469..e3a7e43da4e3 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h @@ -133,11 +133,9 @@ extern CONST UINT8 mMicrosoftPca[]; extern CONST UINTN mSizeOfMicrosoftPca; =20 extern CONST UINT8 mMicrosoftUefiCa[]; extern CONST UINTN mSizeOfMicrosoftUefiCa; =20 extern CONST UINT8 mSha256OfDevNull[]; extern CONST UINTN mSizeOfSha256OfDevNull; =20 -extern CONST EFI_GUID mMicrosoftOwnerGuid; - #endif /* ENROLL_DEFAULT_KEYS_H_ */ diff --git a/OvmfPkg/EnrollDefaultKeys/AuthData.c b/OvmfPkg/EnrollDefaultKe= ys/AuthData.c index e0a543785fb5..9a96dcc440b3 100644 --- a/OvmfPkg/EnrollDefaultKeys/AuthData.c +++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c @@ -518,36 +518,8 @@ CONST UINTN mSizeOfMicrosoftUefiCa =3D sizeof mMicroso= ftUefiCa; // CONST UINT8 mSha256OfDevNull[] =3D { 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, = 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, = 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55 }; =20 CONST UINTN mSizeOfSha256OfDevNull =3D sizeof mSha256OfDevNull; - - -// -// The following test cases of the Secure Boot Logo Test in the Microsoft -// Hardware Certification Kit: -// -// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent -// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureI= nDB -// -// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be -// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the -// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509 -// certificates: -// -// - "Microsoft Corporation KEK CA 2011" (in KEK) -// - "Microsoft Windows Production PCA 2011" (in db) -// - "Microsoft Corporation UEFI CA 2011" (in db) -// -// This is despite the fact that the UEFI specification requires -// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS, -// application or driver) that enrolled and therefore owns -// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued -// EFI_SIGNATURE_DATA.SignatureData. -// -CONST EFI_GUID mMicrosoftOwnerGuid =3D { - 0x77fa9abd, 0x0359, 0x4d32, - { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, -}; diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/Enroll= DefaultKeys/EnrollDefaultKeys.c index 528718b15ae9..e4f6a50e008b 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -3,16 +3,17 @@ =20 Copyright (C) 2014-2019, Red Hat, Inc. =20 SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include // gEfiCustomModeEnableGu= id #include // EFI_SETUP_MODE_NAME #include // EFI_IMAGE_SECURITY_DAT= ABASE +#include // gMicrosoftVendorGuid #include // CopyGuid() #include // ASSERT() #include // FreePool() #include // ShellAppMain() #include // AsciiPrint() #include // gRT =20 #include "EnrollDefaultKeys.h" @@ -310,18 +311,18 @@ ShellAppMain ( return 1; } } =20 Status =3D EnrollListOfCerts ( EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, &gEfiCertX509Guid, - mMicrosoftPca, mSizeOfMicrosoftPca, &mMicrosoftOwnerGui= d, - mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &mMicrosoftOwnerGui= d, + mMicrosoftPca, mSizeOfMicrosoftPca, &gMicrosoftVendorGu= id, + mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGu= id, NULL); if (EFI_ERROR (Status)) { return 1; } =20 Status =3D EnrollListOfCerts ( EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, @@ -332,17 +333,17 @@ ShellAppMain ( return 1; } =20 Status =3D EnrollListOfCerts ( EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid, &gEfiCertX509Guid, mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid, - mMicrosoftKek, mSizeOfMicrosoftKek, &mMicrosoftOwnerGuid, + mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid, NULL); if (EFI_ERROR (Status)) { return 1; } =20 Status =3D EnrollListOfCerts ( EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39686): https://edk2.groups.io/g/devel/message/39686 Mute This Topic: https://groups.io/mt/31359383/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 12 14:48:54 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+39687+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39687+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556326450; cv=none; d=zoho.com; s=zohoarc; b=OGVV0DpzHpfC4P0yWnQxNncQYa5L1jWKR+6wYylf/Medh/hFOxj6JyaTtmKcV7l0OYdG7bXlTqIfFO023pbOqDMKXgEp+szp3StPrcKclBUjBIOg1Ul7D9GtkEh0KBL2ceeyRpqDOoCsNSkcWD4+rAbU9jiIl/S3YtK6CcygDLo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556326450; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=vMqAgTPH7E8DmYgcrl9kg82Ttj5F5bYoTvdATr0px+A=; b=ZJHfw+7yzZE4WoreZ0Cn65UsXZJesGnaYCZ3CNIPjyb30dV+2Mwf95kuwXs8v6h9nHnJ92htgj2OammAYtzibfkhidbu+r2S7iUwYwugqbnPChJh6fEKAodiQ/Be8b5Ltv50h9kK6dSbiv+4IVCJZvjnGw5Rt2w+GB+/9DWtoWM= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39687+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1556326450609339.25245301666064; Fri, 26 Apr 2019 17:54:10 -0700 (PDT) Return-Path: X-Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:54:09 -0700 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 31A576EB97; Sat, 27 Apr 2019 00:54:09 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4F67C5D70A; Sat, 27 Apr 2019 00:54:07 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Anthony Perard , Ard Biesheuvel , Jordan Justen , Julien Grall Subject: [edk2-devel] [PATCH 12/16] OvmfPkg/EnrollDefaultKeys: describe functions with leading comment blocks Date: Sat, 27 Apr 2019 02:53:24 +0200 Message-Id: <20190427005328.27005-13-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Sat, 27 Apr 2019 00:54:09 +0000 (UTC) Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1556326450; bh=zIx6/4tKx/4UuIRdlMdEysj00OgeGXpJF1aGU36GbWg=; h=Cc:Date:From:Reply-To:Subject:To; b=dpr2wh/zYgZrRJmJpjgnYmS+o1jXTtlz4IyC1TYgmrZEarBunT0JaXcdBoSXuA0jzls lFN9ptbQ9ROvQ0A+J/Lfi3SjJnUA76DSRW5KvXojJim1MQdW0mdzflm3krWlYvpcxzP5+ oex+ozcCz449BAPFPssuRMWKC1APfEiyA7c= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" The GetExact(), GetSettings(), PrintSettings(), and ShellAppMain() functions lack leading comment blocks. Supply those. While at it, make sure that every such comment block is preceded by two blank lines. Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 Signed-off-by: Laszlo Ersek Acked-by: Ard Biesheuvel Reviewed-by: Philippe Mathieu-Daude --- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 73 ++++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/Enroll= DefaultKeys/EnrollDefaultKeys.c index e4f6a50e008b..07297c631f38 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -13,16 +13,17 @@ #include // ASSERT() #include // FreePool() #include // ShellAppMain() #include // AsciiPrint() #include // gRT =20 #include "EnrollDefaultKeys.h" =20 + /** Enroll a set of certificates in a global variable, overwriting it. =20 The variable will be rewritten with NV+BS+RT+AT attributes. =20 @param[in] VariableName The name of the variable to overwrite. =20 @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable= to @@ -188,16 +189,54 @@ Out: if (EFI_ERROR (Status)) { AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName, VendorGuid, Status); } return Status; } =20 =20 +/** + Read a UEFI variable into a caller-allocated buffer, enforcing an exact = size. + + @param[in] VariableName The name of the variable to read; passed to + gRT->GetVariable(). + + @param[in] VendorGuid The vendor (namespace) GUID of the variable to = read; + passed to gRT->GetVariable(). + + @param[out] Data The caller-allocated buffer that is supposed to + receive the variable's contents. On error, the + contents of Data are indeterminate. + + @param[in] DataSize The size in bytes that the caller requires the = UEFI + variable to have. The caller is responsible for + providing room for DataSize bytes in Data. + + @param[in] AllowMissing If FALSE, the variable is required to exist. If + TRUE, the variable is permitted to be missing. + + @retval EFI_SUCCESS The UEFI variable exists, has the required= size + (DataSize), and has been read into Data. + + @retval EFI_SUCCESS The UEFI variable doesn't exist, and + AllowMissing is TRUE. DataSize bytes in Da= ta + have been zeroed out. + + @retval EFI_NOT_FOUND The UEFI variable doesn't exist, and + AllowMissing is FALSE. + + @retval EFI_BUFFER_TOO_SMALL The UEFI variable exists, but its size is + greater than DataSize. + + @retval EFI_PROTOCOL_ERROR The UEFI variable exists, but its size is + smaller than DataSize. + + @return Error codes propagated from gRT->GetVariab= le(). +**/ STATIC EFI_STATUS GetExact ( IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, OUT VOID *Data, IN UINTN DataSize, IN BOOLEAN AllowMissing @@ -223,16 +262,41 @@ GetExact ( AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, " "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)S= ize); return EFI_PROTOCOL_ERROR; } =20 return EFI_SUCCESS; } =20 + +/** + Populate a SETTINGS structure from the underlying UEFI variables. + + The following UEFI variables are standard variables: + - L"SetupMode" (EFI_SETUP_MODE_NAME) + - L"SecureBoot" (EFI_SECURE_BOOT_MODE_NAME) + - L"VendorKeys" (EFI_VENDOR_KEYS_VARIABLE_NAME) + + The following UEFI variables are edk2 extensions: + - L"SecureBootEnable" (EFI_SECURE_BOOT_ENABLE_NAME) + - L"CustomMode" (EFI_CUSTOM_MODE_NAME) + + The L"SecureBootEnable" UEFI variable is permitted to be missing, in whi= ch + case the corresponding field in the SETTINGS object will be zeroed out. = The + rest of the covered UEFI variables are required to exist; otherwise, the + function will fail. + + @param[out] Settings The SETTINGS object to fill. + + @retval EFI_SUCCESS Settings has been populated. + + @return Error codes propagated from the GetExact() function= . The + contents of Settings are indeterminate. +**/ STATIC EFI_STATUS GetSettings ( OUT SETTINGS *Settings ) { EFI_STATUS Status; =20 @@ -261,28 +325,37 @@ GetSettings ( return Status; } =20 Status =3D GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableG= uid, &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE); return Status; } =20 + +/** + Print the contents of a SETTINGS structure to the UEFI console. + + @param[in] Settings The SETTINGS object to print the contents of. +**/ STATIC VOID PrintSettings ( IN CONST SETTINGS *Settings ) { AsciiPrint ("info: SetupMode=3D%d SecureBoot=3D%d SecureBootEnable=3D%d " "CustomMode=3D%d VendorKeys=3D%d\n", Settings->SetupMode, Settings->Se= cureBoot, Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys= ); } =20 =20 +/** + Entry point function of this shell application. +**/ INTN EFIAPI ShellAppMain ( IN UINTN Argc, IN CHAR16 **Argv ) { EFI_STATUS Status; --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39687): https://edk2.groups.io/g/devel/message/39687 Mute This Topic: https://groups.io/mt/31359384/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 12 14:48:54 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+39688+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39688+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556326452; cv=none; d=zoho.com; s=zohoarc; b=FoAoAPPNIs0nlfDnJb+hfulntSSBJJNC2858/s21MpFKe8UJdZ5jYXEdMlaHtsuq/rgFmfOp7xKGCMNFR6P8gWHceMwgbwSTI+pfybZr/3eX4DaHF5mQIleQGKjY7mngJ0cwZil+fM+FKOUbnK1fFB247vb+lxXSyLm+q6GChFU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556326452; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=WpWCp0HyI2Tiq6om4bN/E0wbTU4meqhzzct+BjSen/w=; b=KnIfUY+8GhLfTfeC51eTHZqZNbnfxQv/aODDeWzFeUnuB49+LJGBQYSBpvBiPLcP7YejaH/+cCGi+TZVHXxWm8k1mKqKv8ZnNPBbKEFW7sijZe/OVMYFzY/lH3bB6mlu8v44eSVw3UOL3+tqgeyT7BszmpGD1DSsSarrlxARCWg= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39688+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 155632645249012.842441029754127; Fri, 26 Apr 2019 17:54:12 -0700 (PDT) Return-Path: X-Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:54:11 -0700 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 53215A049B; Sat, 27 Apr 2019 00:54:11 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id BEE6D5D71B; Sat, 27 Apr 2019 00:54:09 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Anthony Perard , Ard Biesheuvel , Jordan Justen , Julien Grall Subject: [edk2-devel] [PATCH 13/16] OvmfPkg/EnrollDefaultKeys: document the steps of the entry point function Date: Sat, 27 Apr 2019 02:53:25 +0200 Message-Id: <20190427005328.27005-14-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Sat, 27 Apr 2019 00:54:11 +0000 (UTC) Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1556326452; bh=/K1jZpORaU/llSyX4fffJojp5FnKInAKON1QwaJ7sK0=; h=Cc:Date:From:Reply-To:Subject:To; b=vyEXseJxydI4iV4HtEeMvPF0NbRVE+JemsSUsm2csGKMgHBxaTo+xy5kzZnxK8AL6XS UPVGQPBSS4yPVCbMOZnMF2oXA1bIscJQLM+t2QfTK7B+qLF3QQlaZ0xHXDlzvUXU3vScL lua3b0blNre8f4JFfvxz8fGAeSADpbGBZiE= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" The entry point function of EnrollDefaultKeys finishes with a sanity check, verifying the values of the Secure Boot-related "control" variables. Add a diagram to explain why we expect the values we do. While at it, write comments on the rest of the entry point function. Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 Signed-off-by: Laszlo Ersek Acked-by: Ard Biesheuvel Reviewed-by: Philippe Mathieu-Daude --- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 54 ++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/Enroll= DefaultKeys/EnrollDefaultKeys.c index 07297c631f38..9c4a0f06fb4d 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -356,92 +356,146 @@ EFIAPI ShellAppMain ( IN UINTN Argc, IN CHAR16 **Argv ) { EFI_STATUS Status; SETTINGS Settings; =20 + // + // If we're not in Setup Mode, we can't do anything. + // Status =3D GetSettings (&Settings); if (EFI_ERROR (Status)) { return 1; } PrintSettings (&Settings); =20 if (Settings.SetupMode !=3D 1) { AsciiPrint ("error: already in User Mode\n"); return 1; } =20 + // + // Enter Custom Mode so we can enroll PK, KEK, db, and dbx without signa= ture + // checks on those variable writes. + // if (Settings.CustomMode !=3D CUSTOM_SECURE_BOOT_MODE) { Settings.CustomMode =3D CUSTOM_SECURE_BOOT_MODE; Status =3D gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnab= leGuid, (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS), sizeof Settings.CustomMode, &Settings.CustomMode); if (EFI_ERROR (Status)) { AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_= NAME, &gEfiCustomModeEnableGuid, Status); return 1; } } =20 + // + // Enroll db. + // Status =3D EnrollListOfCerts ( EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, &gEfiCertX509Guid, mMicrosoftPca, mSizeOfMicrosoftPca, &gMicrosoftVendorGu= id, mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGu= id, NULL); if (EFI_ERROR (Status)) { return 1; } =20 + // + // Enroll dbx. + // Status =3D EnrollListOfCerts ( EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, &gEfiCertSha256Guid, mSha256OfDevNull, mSizeOfSha256OfDevNull, &gEfiCallerIdGuid, NULL); if (EFI_ERROR (Status)) { return 1; } =20 + // + // Enroll KEK. + // Status =3D EnrollListOfCerts ( EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid, &gEfiCertX509Guid, mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid, mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid, NULL); if (EFI_ERROR (Status)) { return 1; } =20 + // + // Enroll PK, leaving Setup Mode (entering User Mode) at once. + // Status =3D EnrollListOfCerts ( EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, &gEfiCertX509Guid, mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiGlobalVariableGuid, NULL); if (EFI_ERROR (Status)) { return 1; } =20 + // + // Leave Custom Mode, so that updates to PK, KEK, db, and dbx require va= lid + // signatures. + // Settings.CustomMode =3D STANDARD_SECURE_BOOT_MODE; Status =3D gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnable= Guid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACC= ESS, sizeof Settings.CustomMode, &Settings.CustomMode); if (EFI_ERROR (Status)) { AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NA= ME, &gEfiCustomModeEnableGuid, Status); return 1; } =20 + // + // Final sanity check: + // + // [SetupMode] + // (read-only, standardized by UEFI) + // / \_ + // 0 1, default + // / \_ + // PK enrolled no PK enrolled yet, + // (this is called "User Mode") PK enrollment poss= ible + // | + // | + // [SecureBootEnable] + // (read-write, edk2-specific, boot service only) + // / \_ + // 0 1, default + // / \_ + // [SecureBoot]=3D0 [SecureBoot]=3D1 + // (read-only, standardized by UEFI) (read-only, standardized by UEFI) + // images are not verified images are verified, platform is + // operating in Secure Boot mode + // | + // | + // [CustomMode] + // (read-write, edk2-specific, boot service onl= y) + // / \_ + // 0, default 1 + // / \_ + // PK, KEK, db, dbx PK, KEK, db, dbx + // updates are verified updates are not veri= fied + // Status =3D GetSettings (&Settings); if (EFI_ERROR (Status)) { return 1; } PrintSettings (&Settings); =20 if (Settings.SetupMode !=3D 0 || Settings.SecureBoot !=3D 1 || Settings.SecureBootEnable !=3D 1 || Settings.CustomMode !=3D 0 || --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39688): https://edk2.groups.io/g/devel/message/39688 Mute This Topic: https://groups.io/mt/31359385/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 12 14:48:54 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+39689+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39689+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556326454; cv=none; d=zoho.com; s=zohoarc; b=KE5/OjiuzSbl37XpdHACHO6cLXHhPXUfid9VE1yB5wGenFdU8G8hYiFK4IPU+oVQH9tATTyh5IY0LH6LWoLNnVo8sysFQzHFPhShT/aVE0CyJaaWLzuiNl6L3R9JfbOQEI47tBmQANk0i7244R64buX0jEAxlFvDSfHK3S9OhTA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556326454; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=t8b2t/pJElspRjPqlQJklGCyk9PJIr0tFQvklwBWDBk=; b=I/kiX2eGJ7hhgAClMq9XzP0W8+KbP97/RBsoUsV4CoGHGdjD5oLGpg9vfoxGfbBCWIQMtiN2mLSG5FDyzpvW8KMPfhmTdgOz15abwS1GbGhzMb94p2IBbqtnCqq3S3/s3uQEpeQvNEE0QiigGuvFMVd2RFbSPXjwW+VjSkLIOiQ= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39689+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1556326454378629.3101189997153; Fri, 26 Apr 2019 17:54:14 -0700 (PDT) Return-Path: X-Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:54:13 -0700 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 31E29F93F5; Sat, 27 Apr 2019 00:54:13 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id B1F3B5D71A; Sat, 27 Apr 2019 00:54:11 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Anthony Perard , Ard Biesheuvel , Jordan Justen , Julien Grall Subject: [edk2-devel] [PATCH 14/16] OvmfPkg: introduce OVMF_PK_KEK1_APP_PREFIX_GUID Date: Sat, 27 Apr 2019 02:53:26 +0200 Message-Id: <20190427005328.27005-15-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Sat, 27 Apr 2019 00:54:13 +0000 (UTC) Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1556326454; bh=5D4jIpJ1CPZvCFZ6Fc3qWqBa6OzT5AZkNBtOwJ3WBO4=; h=Cc:Date:From:Reply-To:Subject:To; b=H+BtGw9zphfX1rJQdbOyvNcNBz8IoU8rgak8LQyu+e8qt5giUVi8MLIcAxpsGANnAhZ NruQS/PaIWYx2wJT53g3Vy+nxguf/dUGTAooiybo0rnqX9J/MauloqRJz7B8r18FHgSrm SI5Ow89lqxOp/05bxAch2ASDg0Imo2mcYHo= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" For the EnrollDefaultKeys application, the hypervisor is expected to add a string entry to the "OEM Strings" (Type 11) SMBIOS table, with the following format: 4e32566d-8e9e-4f52-81d3-5bb9715f9727: The string representation of the GUID at the front is the "application prefix", in terms of QEMU commit . Introduce this GUID in the usual manner. Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 Signed-off-by: Laszlo Ersek Acked-by: Ard Biesheuvel Reviewed-by: Philippe Mathieu-Daude --- OvmfPkg/OvmfPkg.dec | 1 + OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h | 45 ++++++++++++++++++++ 2 files changed, 46 insertions(+) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index 922e061cc85c..0e555c5c78c5 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -67,16 +67,17 @@ [LibraryClasses] =20 ## @libraryclass Manage XenBus device path and I/O handles # XenIoMmioLib|Include/Library/XenIoMmioLib.h =20 [Guids] gUefiOvmfPkgTokenSpaceGuid =3D {0x93bb96af, 0xb9f2, 0x4eb8, {0x= 94, 0x62, 0xe0, 0xba, 0x74, 0x56, 0x42, 0x36}} gEfiXenInfoGuid =3D {0xd3b46f3b, 0xd441, 0x1244, {0x= 9a, 0x12, 0x0, 0x12, 0x27, 0x3f, 0xc1, 0x4d}} + gOvmfPkKek1AppPrefixGuid =3D {0x4e32566d, 0x8e9e, 0x4f52, {0x= 81, 0xd3, 0x5b, 0xb9, 0x71, 0x5f, 0x97, 0x27}} gOvmfPlatformConfigGuid =3D {0x7235c51c, 0x0c80, 0x4cab, {0x= 87, 0xac, 0x3b, 0x08, 0x4a, 0x63, 0x04, 0xb1}} gVirtioMmioTransportGuid =3D {0x837dca9e, 0xe874, 0x4d82, {0x= b2, 0x9a, 0x23, 0xfe, 0x0e, 0x23, 0xd1, 0xe2}} gQemuRamfbGuid =3D {0x557423a1, 0x63ab, 0x406c, {0x= be, 0x7e, 0x91, 0xcd, 0xbc, 0x08, 0xc4, 0x57}} gXenBusRootDeviceGuid =3D {0xa732241f, 0x383d, 0x4d9c, {0x= 8a, 0xe1, 0x8e, 0x09, 0x83, 0x75, 0x89, 0xd7}} gRootBridgesConnectedEventGroupGuid =3D {0x24a2d66f, 0xeedd, 0x4086, {0x= 90, 0x42, 0xf2, 0x6e, 0x47, 0x97, 0xee, 0x69}} gMicrosoftVendorGuid =3D {0x77fa9abd, 0x0359, 0x4d32, {0x= bd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}} =20 [Protocols] diff --git a/OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h b/OvmfPkg/Include/G= uid/OvmfPkKek1AppPrefix.h new file mode 100644 index 000000000000..e05d2fe021b7 --- /dev/null +++ b/OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h @@ -0,0 +1,45 @@ +/** @file + Declare the application prefix string as a GUID, for locating the PK/KEK1 + X509 certificate to enroll, in the "OEM Strings" SMBIOS table. + + Copyright (C) 2019, Red Hat, Inc. + + SPDX-License-Identifier: BSD-2-Clause-Patent + + @par Specification Reference: + - https://git.qemu.org/?p=3Dqemu.git;a=3Dcommit;h=3D2d6dcbf93fb0 + - https://libvirt.org/formatdomain.html#elementsSysinfo + - https://bugs.launchpad.net/qemu/+bug/1826200 + - https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 +**/ + +#ifndef OVMF_PK_KEK1_APP_PREFIX_H_ +#define OVMF_PK_KEK1_APP_PREFIX_H_ + +#include + +// +// For the EnrollDefaultKeys application, the hypervisor is expected to ad= d a +// string entry to the "OEM Strings" (Type 11) SMBIOS table, with the foll= owing +// format: +// +// 4e32566d-8e9e-4f52-81d3-5bb9715f9727: +// +// The string representation of the GUID at the front is the "application +// prefix". It is matched by EnrollDefaultKeys case-insensitively. +// +// The base64-encoded blob following the application prefix and the colon = (:) +// is an X509 certificate in DER representation; the hypervisor instructs +// EnrollDefaultKeys to enroll this certificate as both Platform Key and f= irst +// Key Exchange Key. +// +#define OVMF_PK_KEK1_APP_PREFIX_GUID \ + { 0x4e32566d, \ + 0x8e9e, \ + 0x4f52, \ + { 0x81, 0xd3, 0x5b, 0xb9, 0x71, 0x5f, 0x97, 0x27 }, \ + } + +extern EFI_GUID gOvmfPkKek1AppPrefixGuid; + +#endif /* OVMF_PK_KEK1_APP_PREFIX_H_ */ --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39689): https://edk2.groups.io/g/devel/message/39689 Mute This Topic: https://groups.io/mt/31359387/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 12 14:48:54 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+39690+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39690+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556326456; cv=none; d=zoho.com; s=zohoarc; b=KECteRyAOCWJfc41q3jwyrSghsWhfP6FexUZ+6wRQzLZ4YgqrTHRnV3OgTgsKEcjz/ymAdjSVDESg/Fr4ekqCBgsw7I+G4ZRJJdhAX2zJ9Hegvk27SHrw4aj33Tc/9TRC2BfzFIoIr8IasoeirXgQJusA6U8A8Xti1PsQ+M5y/A= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556326456; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=l/9/hz0isS6GwOdIEjLd3xVz3H2YmIGMULH4DI/yxXY=; b=neQWJChBoUMmubKDrpqjysc5QMddWEZ+QA0jA6JDQy1EKbJsJ4aPR5vjR5yW8ojKwN3Wflw1bLXOtRcG5FJoYoPUuUFVOSs06c3oNjLL9b+jVq8ikX5PaYYVpZOd+VDUmvm7FNU6LFTYNQzplSVcto/CbIB/8ygD6Z9WWKI3yQ0= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39690+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 15563264567671012.5905690528707; Fri, 26 Apr 2019 17:54:16 -0700 (PDT) Return-Path: X-Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:54:15 -0700 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 862C91441B1; Sat, 27 Apr 2019 00:54:15 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id A48655D71A; Sat, 27 Apr 2019 00:54:13 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Anthony Perard , Ard Biesheuvel , Jordan Justen , Julien Grall Subject: [edk2-devel] [PATCH 15/16] OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type 11 SMBIOS table Date: Sat, 27 Apr 2019 02:53:27 +0200 Message-Id: <20190427005328.27005-16-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Sat, 27 Apr 2019 00:54:15 +0000 (UTC) Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1556326456; bh=jrRztzAVBA8P/2KoEReZz4cajdWenEEiKvDnpePecfg=; h=Cc:Date:From:Reply-To:Subject:To; b=a1ny3jBO/9nF4RMY3eF2DEmfAKm7l1xirNhU2RveF2xVJ6lP8KakALOPldGJD9cWyW/ YV7jSAV+jHhQFqYKLMAfGXeFSqevfIJ0SYXU8qv+ki0UkKr9dL10Gfx1VxhQEOxesM6MQ qEKNWDGx9JSKuqMCvHU4VN72n8YUIpY4a30= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" Disconnect the certificate that is enrolled as both Platform Key and first Key Exchange Key from Red Hat: expect the hypervisor to specify it, as part of SMBIOS. Example usage with QEMU: * Generate self-signed X509 certificate: openssl req \ -x509 \ -newkey rsa:2048 \ -outform PEM \ -keyout PkKek1.private.key \ -out PkKek1.pem (where "PEM" simply means "DER + base64 + header + footer"). * Strip the header, footer, and newline characters; prepend the application prefix: sed \ -e 's/^-----BEGIN CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f972= 7:/' \ -e '/^-----END CERTIFICATE-----$/d' \ PkKek1.pem \ | tr -d '\n' \ > PkKek1.oemstr * Pass the certificate to EnrollDefaultKeys with the following QEMU option: -smbios type=3D11,value=3D"$(< PkKek1.oemstr)" (Note: for the above option to work correctly, a QEMU version is needed that includes commit 950c4e6c94b1 ("opts: don't silently truncate long option values", 2018-05-09). The first upstream release with that commit was v3.0.0. Once is fixed, QEMU will learn to read the file directly; passing the blob on the command will be necessary no more.) Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 Signed-off-by: Laszlo Ersek Acked-by: Ard Biesheuvel Reviewed-by: Philippe Mathieu-Daude --- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 7 + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 223 ++++++++++++++++++-- 2 files changed, 217 insertions(+), 13 deletions(-) diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/Enro= llDefaultKeys/EnrollDefaultKeys.inf index 28db52586a9b..184f7972d52d 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf @@ -30,16 +30,23 @@ [Guids] gEfiCertPkcs7Guid gEfiCertSha256Guid gEfiCertX509Guid gEfiCustomModeEnableGuid gEfiGlobalVariableGuid gEfiImageSecurityDatabaseGuid gEfiSecureBootEnableDisableGuid gMicrosoftVendorGuid + gOvmfPkKek1AppPrefixGuid + +[Protocols] + gEfiSmbiosProtocolGuid ## CONSUMES =20 [LibraryClasses] + BaseLib BaseMemoryLib DebugLib MemoryAllocationLib + PrintLib ShellCEntryLib + UefiBootServicesTableLib UefiLib UefiRuntimeServicesTableLib diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/Enroll= DefaultKeys/EnrollDefaultKeys.c index 9c4a0f06fb4d..b7b2e424c59e 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -4,26 +4,201 @@ Copyright (C) 2014-2019, Red Hat, Inc. =20 SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include // gEfiCustomModeEnableGu= id #include // EFI_SETUP_MODE_NAME #include // EFI_IMAGE_SECURITY_DAT= ABASE #include // gMicrosoftVendorGuid +#include // gOvmfPkKek1AppPrefixGu= id +#include // SMBIOS_HANDLE_PI_RESER= VED +#include // GUID_STRING_LENGTH #include // CopyGuid() #include // ASSERT() #include // FreePool() +#include // AsciiSPrint() #include // ShellAppMain() +#include // gBS #include // AsciiPrint() #include // gRT +#include // EFI_SMBIOS_PROTOCOL =20 #include "EnrollDefaultKeys.h" =20 =20 +/** + Fetch the X509 certificate (to be used as Platform Key and first Key Exc= hange + Key) from SMBIOS. + + @param[out] PkKek1 The X509 certificate in DER encoding from the + hypervisor, to be enrolled as PK and first KEK + entry. On success, the caller is responsible f= or + releasing PkKek1 with FreePool(). + + @param[out] SizeOfPkKek1 The size of PkKek1 in bytes. + + @retval EFI_SUCCESS PkKek1 and SizeOfPkKek1 have been set + successfully. + + @retval EFI_NOT_FOUND An OEM String matching + OVMF_PK_KEK1_APP_PREFIX_GUID has not been + found. + + @retval EFI_PROTOCOL_ERROR In the OEM String matching + OVMF_PK_KEK1_APP_PREFIX_GUID, the certific= ate + is empty, or it has invalid base64 encodin= g. + + @retval EFI_OUT_OF_RESOURCES Memory allocation failed. + + @return Error codes from gBS->LocateProtocol(). +**/ +STATIC +EFI_STATUS +GetPkKek1 ( + OUT UINT8 **PkKek1, + OUT UINTN *SizeOfPkKek1 + ) +{ + CONST CHAR8 *Base64Cert; + CHAR8 OvmfPkKek1AppPrefix[GUID_STRING_LENGTH + 1 + 1]; + EFI_STATUS Status; + EFI_SMBIOS_PROTOCOL *Smbios; + EFI_SMBIOS_HANDLE Handle; + EFI_SMBIOS_TYPE Type; + EFI_SMBIOS_TABLE_HEADER *Header; + SMBIOS_TABLE_TYPE11 *OemStringsTable; + UINTN Base64CertLen; + UINTN DecodedCertSize; + UINT8 *DecodedCert; + + Base64Cert =3D NULL; + + // + // Format the application prefix, for OEM String matching. + // + AsciiSPrint (OvmfPkKek1AppPrefix, sizeof OvmfPkKek1AppPrefix, "%g:", + &gOvmfPkKek1AppPrefixGuid); + + // + // Scan all "OEM Strings" tables. + // + Status =3D gBS->LocateProtocol (&gEfiSmbiosProtocolGuid, NULL, + (VOID **)&Smbios); + if (EFI_ERROR (Status)) { + AsciiPrint ("error: failed to locate EFI_SMBIOS_PROTOCOL: %r\n", Statu= s); + return Status; + } + + Handle =3D SMBIOS_HANDLE_PI_RESERVED; + Type =3D SMBIOS_TYPE_OEM_STRINGS; + for (Status =3D Smbios->GetNext (Smbios, &Handle, &Type, &Header, NULL); + !EFI_ERROR (Status); + Status =3D Smbios->GetNext (Smbios, &Handle, &Type, &Header, NULL))= { + CONST CHAR8 *OemString; + UINTN Idx; + + if (Header->Length < sizeof *OemStringsTable) { + // + // Malformed table header, skip to next. + // + continue; + } + OemStringsTable =3D (SMBIOS_TABLE_TYPE11 *)Header; + + // + // Scan all strings in the unformatted area of the current "OEM String= s" + // table. + // + OemString =3D (CONST CHAR8 *)(OemStringsTable + 1); + for (Idx =3D 0; Idx < OemStringsTable->StringCount; ++Idx) { + CHAR8 CandidatePrefix[sizeof OvmfPkKek1AppPrefix]; + + // + // NUL-terminate the candidate prefix for case-insensitive compariso= n. + // + AsciiStrnCpyS (CandidatePrefix, sizeof CandidatePrefix, OemString, + GUID_STRING_LENGTH + 1); + if (AsciiStriCmp (OvmfPkKek1AppPrefix, CandidatePrefix) =3D=3D 0) { + // + // The current string matches the prefix. + // + Base64Cert =3D OemString + GUID_STRING_LENGTH + 1; + break; + } + OemString +=3D AsciiStrSize (OemString); + } + + if (Idx < OemStringsTable->StringCount) { + // + // The current table has a matching string. + // + break; + } + } + + if (EFI_ERROR (Status)) { + // + // No table with a matching string has been found. + // + AsciiPrint ("error: OEM String with app prefix %g not found: %r\n", + &gOvmfPkKek1AppPrefixGuid, Status); + return EFI_NOT_FOUND; + } + + ASSERT (Base64Cert !=3D NULL); + Base64CertLen =3D AsciiStrLen (Base64Cert); + + // + // Verify the base64 encoding, and determine the decoded size. + // + DecodedCertSize =3D 0; + Status =3D Base64Decode (Base64Cert, Base64CertLen, NULL, &DecodedCertSi= ze); + switch (Status) { + case EFI_BUFFER_TOO_SMALL: + if (DecodedCertSize > 0) { + break; + } + // + // Fall through: the above Base64Decode() call is ill-specified in Bas= eLib + // if Source decodes to zero bytes (for example if it consists of igno= red + // whitespace only). + // + case EFI_SUCCESS: + AsciiPrint ("error: empty certificate after app prefix %g\n", + &gOvmfPkKek1AppPrefixGuid); + return EFI_PROTOCOL_ERROR; + default: + AsciiPrint ("error: invalid base64 string after app prefix %g\n", + &gOvmfPkKek1AppPrefixGuid); + return EFI_PROTOCOL_ERROR; + } + + // + // Allocate the output buffer. + // + DecodedCert =3D AllocatePool (DecodedCertSize); + if (DecodedCert =3D=3D NULL) { + AsciiPrint ("error: failed to allocate memory\n"); + return EFI_OUT_OF_RESOURCES; + } + + // + // Decoding will succeed at this point. + // + Status =3D Base64Decode (Base64Cert, Base64CertLen, DecodedCert, + &DecodedCertSize); + ASSERT_EFI_ERROR (Status); + + *PkKek1 =3D DecodedCert; + *SizeOfPkKek1 =3D DecodedCertSize; + return EFI_SUCCESS; +} + + /** Enroll a set of certificates in a global variable, overwriting it. =20 The variable will be rewritten with NV+BS+RT+AT attributes. =20 @param[in] VariableName The name of the variable to overwrite. =20 @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable= to @@ -353,116 +528,133 @@ PrintSettings ( **/ INTN EFIAPI ShellAppMain ( IN UINTN Argc, IN CHAR16 **Argv ) { + INTN RetVal; EFI_STATUS Status; SETTINGS Settings; + UINT8 *PkKek1; + UINTN SizeOfPkKek1; + + // + // Prepare for failure. + // + RetVal =3D 1; =20 // // If we're not in Setup Mode, we can't do anything. // Status =3D GetSettings (&Settings); if (EFI_ERROR (Status)) { - return 1; + return RetVal; } PrintSettings (&Settings); =20 if (Settings.SetupMode !=3D 1) { AsciiPrint ("error: already in User Mode\n"); - return 1; + return RetVal; + } + + // + // Fetch the X509 certificate (to be used as Platform Key and first Key + // Exchange Key) from SMBIOS. + // + Status =3D GetPkKek1 (&PkKek1, &SizeOfPkKek1); + if (EFI_ERROR (Status)) { + return RetVal; } =20 // // Enter Custom Mode so we can enroll PK, KEK, db, and dbx without signa= ture // checks on those variable writes. // if (Settings.CustomMode !=3D CUSTOM_SECURE_BOOT_MODE) { Settings.CustomMode =3D CUSTOM_SECURE_BOOT_MODE; Status =3D gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnab= leGuid, (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS), sizeof Settings.CustomMode, &Settings.CustomMode); if (EFI_ERROR (Status)) { AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_= NAME, &gEfiCustomModeEnableGuid, Status); - return 1; + goto FreePkKek1; } } =20 // // Enroll db. // Status =3D EnrollListOfCerts ( EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, &gEfiCertX509Guid, mMicrosoftPca, mSizeOfMicrosoftPca, &gMicrosoftVendorGu= id, mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGu= id, NULL); if (EFI_ERROR (Status)) { - return 1; + goto FreePkKek1; } =20 // // Enroll dbx. // Status =3D EnrollListOfCerts ( EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, &gEfiCertSha256Guid, mSha256OfDevNull, mSizeOfSha256OfDevNull, &gEfiCallerIdGuid, NULL); if (EFI_ERROR (Status)) { - return 1; + goto FreePkKek1; } =20 // // Enroll KEK. // Status =3D EnrollListOfCerts ( EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid, &gEfiCertX509Guid, - mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid, + PkKek1, SizeOfPkKek1, &gEfiCallerIdGuid, mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid, NULL); if (EFI_ERROR (Status)) { - return 1; + goto FreePkKek1; } =20 // // Enroll PK, leaving Setup Mode (entering User Mode) at once. // Status =3D EnrollListOfCerts ( EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, &gEfiCertX509Guid, - mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiGlobalVariableGuid, + PkKek1, SizeOfPkKek1, &gEfiGlobalVariableGuid, NULL); if (EFI_ERROR (Status)) { - return 1; + goto FreePkKek1; } =20 // // Leave Custom Mode, so that updates to PK, KEK, db, and dbx require va= lid // signatures. // Settings.CustomMode =3D STANDARD_SECURE_BOOT_MODE; Status =3D gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnable= Guid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACC= ESS, sizeof Settings.CustomMode, &Settings.CustomMode); if (EFI_ERROR (Status)) { AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NA= ME, &gEfiCustomModeEnableGuid, Status); - return 1; + goto FreePkKek1; } =20 // // Final sanity check: // // [SetupMode] // (read-only, standardized by UEFI) // / \_ @@ -488,22 +680,27 @@ ShellAppMain ( // / \_ // 0, default 1 // / \_ // PK, KEK, db, dbx PK, KEK, db, dbx // updates are verified updates are not veri= fied // Status =3D GetSettings (&Settings); if (EFI_ERROR (Status)) { - return 1; + goto FreePkKek1; } PrintSettings (&Settings); =20 if (Settings.SetupMode !=3D 0 || Settings.SecureBoot !=3D 1 || Settings.SecureBootEnable !=3D 1 || Settings.CustomMode !=3D 0 || Settings.VendorKeys !=3D 0) { AsciiPrint ("error: unexpected\n"); - return 1; + goto FreePkKek1; } =20 AsciiPrint ("info: success\n"); - return 0; + RetVal =3D 0; + +FreePkKek1: + FreePool (PkKek1); + + return RetVal; } --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39690): https://edk2.groups.io/g/devel/message/39690 Mute This Topic: https://groups.io/mt/31359388/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 12 14:48:54 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+39691+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39691+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556326464; cv=none; d=zoho.com; s=zohoarc; b=ZlX4EtRZ2y8TdNxW8BOy5W5h4BbHaxsNYWp2l5iot9Bf4Veh9Qzd/d1kZfh/FGh93TBC8cbvFTIxqBOL9Iz12rtbNNz5QOQ16nsqbEXvMNRocfwkW7fMWjnXx/fHx8poFCak4bdKjkqR83n/P1/Hy9WGEc4dPZ2TxA1uqNNmZCQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556326464; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=JMs2ZfRLbCL80BF8HqTwHbG33WFTK1A9H1Q/4X04hLE=; b=Hstx9fOei9ysMq52wbZmeFwDJU+Zk6xfgGtlOiJliEFuheuxCUSLAXqQ5VW+wn8v8or2NYl8alw3h09JlmuuWkmyHJEsv7IVBHQaPYPwyCOnOhv6ACPoyhO9n7WUbYxr0UXhX4NbC/NfiKfy84eAeMWG5b3JfKmrQT6EboV29iw= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39691+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1556326464662477.0251218059617; Fri, 26 Apr 2019 17:54:24 -0700 (PDT) Return-Path: X-Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:54:18 -0700 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 336B630BDEC2; Sat, 27 Apr 2019 00:54:18 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id 202DD5D70A; Sat, 27 Apr 2019 00:54:15 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Anthony Perard , Ard Biesheuvel , Jordan Justen , Julien Grall Subject: [edk2-devel] [PATCH 16/16] OvmfPkg/EnrollDefaultKeys: remove Red Hat's hard-coded PK/KEK1 Date: Sat, 27 Apr 2019 02:53:28 +0200 Message-Id: <20190427005328.27005-17-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.43]); Sat, 27 Apr 2019 00:54:18 +0000 (UTC) Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1556326464; bh=1aphC3LGO3Vo0M3mUNGaZl5lw8z+bRhN/I8Hst4HoI4=; h=Cc:Date:From:Reply-To:Subject:To; b=HOUXiEkR1hpQG0HKsqOdkDDo6cYckEkImbKplrANm9/OZ/6U3vIWWq8z5euIqHz1VA7 oeqwBj4GfnzISXrldglB8PPGG+kb84L+K1os233Ji0ZY2xbjqaaWzgS3J80Gwj652nJMI zu+EYNHxD6Fxx2wXjaezst3PnnIeItwLXiQ= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" The certificate "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=3Dsecalert@redhat.com" SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97 is no longer referenced; remove it. Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 Signed-off-by: Laszlo Ersek Acked-by: Ard Biesheuvel Reviewed-by: Philippe Mathieu-Daude --- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h | 3 - OvmfPkg/EnrollDefaultKeys/AuthData.c | 85 -------------------- 2 files changed, 88 deletions(-) diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/Enroll= DefaultKeys/EnrollDefaultKeys.h index e3a7e43da4e3..8e61f0a77b90 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h @@ -118,19 +118,16 @@ typedef struct { UINT8 CustomMode; UINT8 VendorKeys; } SETTINGS; =20 =20 // // Refer to "AuthData.c" for details on the following objects. // -extern CONST UINT8 mRedHatPkKek1[]; -extern CONST UINTN mSizeOfRedHatPkKek1; - extern CONST UINT8 mMicrosoftKek[]; extern CONST UINTN mSizeOfMicrosoftKek; =20 extern CONST UINT8 mMicrosoftPca[]; extern CONST UINTN mSizeOfMicrosoftPca; =20 extern CONST UINT8 mMicrosoftUefiCa[]; extern CONST UINTN mSizeOfMicrosoftUefiCa; diff --git a/OvmfPkg/EnrollDefaultKeys/AuthData.c b/OvmfPkg/EnrollDefaultKe= ys/AuthData.c index 9a96dcc440b3..3b4856a01f48 100644 --- a/OvmfPkg/EnrollDefaultKeys/AuthData.c +++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c @@ -4,101 +4,16 @@ Copyright (C) 2014-2019, Red Hat, Inc. =20 SPDX-License-Identifier: BSD-2-Clause-Patent **/ =20 #include "EnrollDefaultKeys.h" =20 =20 -// -// We'll use the certificate below as both Platform Key and as first Key -// Exchange Key. -// -// "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=3Dsecalert@redhat.com" -// SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97 -// -CONST UINT8 mRedHatPkKek1[] =3D { - 0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, = 0x02, - 0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, = 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, = 0x00, - 0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, = 0x22, - 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, = 0x72, - 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, = 0x45, - 0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, = 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, = 0x73, - 0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, = 0x61, - 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, = 0x30, - 0x33, 0x31, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, = 0x37, - 0x31, 0x30, 0x32, 0x35, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x30, = 0x51, - 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x52, = 0x65, - 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, = 0x20, - 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45, 0x4b, = 0x20, - 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, = 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, = 0x63, - 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, = 0x2e, - 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, = 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, = 0x0f, - 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x90, 0x1f, = 0x84, - 0x7b, 0x8d, 0xbc, 0xeb, 0x97, 0x26, 0x82, 0x6d, 0x88, 0xab, 0x8a, 0xc9, = 0x8c, - 0x68, 0x70, 0xf9, 0xdf, 0x4b, 0x07, 0xb2, 0x37, 0x83, 0x0b, 0x02, 0xc8, = 0x67, - 0x68, 0x30, 0x9e, 0xe3, 0xf0, 0xf0, 0x99, 0x4a, 0xb8, 0x59, 0x57, 0xc6, = 0x41, - 0xf6, 0x38, 0x8b, 0xfe, 0x66, 0x4c, 0x49, 0xe9, 0x37, 0x37, 0x92, 0x2e, = 0x98, - 0x01, 0x1e, 0x5b, 0x14, 0x50, 0xe6, 0xa8, 0x8d, 0x25, 0x0d, 0xf5, 0x86, = 0xe6, - 0xab, 0x30, 0xcb, 0x40, 0x16, 0xea, 0x8d, 0x8b, 0x16, 0x86, 0x70, 0x43, = 0x37, - 0xf2, 0xce, 0xc0, 0x91, 0xdf, 0x71, 0x14, 0x8e, 0x99, 0x0e, 0x89, 0xb6, = 0x4c, - 0x6d, 0x24, 0x1e, 0x8c, 0xe4, 0x2f, 0x4f, 0x25, 0xd0, 0xba, 0x06, 0xf8, = 0xc6, - 0xe8, 0x19, 0x18, 0x76, 0x73, 0x1d, 0x81, 0x6d, 0xa8, 0xd8, 0x05, 0xcf, = 0x3a, - 0xc8, 0x7b, 0x28, 0xc8, 0x36, 0xa3, 0x16, 0x0d, 0x29, 0x8c, 0x99, 0x9a, = 0x68, - 0xdc, 0xab, 0xc0, 0x4d, 0x8d, 0xbf, 0x5a, 0xbb, 0x2b, 0xa9, 0x39, 0x4b, = 0x04, - 0x97, 0x1c, 0xf9, 0x36, 0xbb, 0xc5, 0x3a, 0x86, 0x04, 0xae, 0xaf, 0xd4, = 0x82, - 0x7b, 0xe0, 0xab, 0xde, 0x49, 0x05, 0x68, 0xfc, 0xf6, 0xae, 0x68, 0x1a, = 0x6c, - 0x90, 0x4d, 0x57, 0x19, 0x3c, 0x64, 0x66, 0x03, 0xf6, 0xc7, 0x52, 0x9b, = 0xf7, - 0x94, 0xcf, 0x93, 0x6a, 0xa1, 0x68, 0xc9, 0xaa, 0xcf, 0x99, 0x6b, 0xbc, = 0xaa, - 0x5e, 0x08, 0xe7, 0x39, 0x1c, 0xf7, 0xf8, 0x0f, 0xba, 0x06, 0x7e, 0xf1, = 0xcb, - 0xe8, 0x76, 0xdd, 0xfe, 0x22, 0xda, 0xad, 0x3a, 0x5e, 0x5b, 0x34, 0xea, = 0xb3, - 0xc9, 0xe0, 0x4d, 0x04, 0x29, 0x7e, 0xb8, 0x60, 0xb9, 0x05, 0xef, 0xb5, = 0xd9, - 0x17, 0x58, 0x56, 0x16, 0x60, 0xb9, 0x30, 0x32, 0xf0, 0x36, 0x4a, 0xc3, = 0xf2, - 0x79, 0x8d, 0x12, 0x40, 0x70, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, = 0x7b, - 0x30, 0x79, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, = 0x00, - 0x30, 0x2c, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, = 0x0d, - 0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, = 0x47, - 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72, = 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, = 0x1d, - 0x0e, 0x04, 0x16, 0x04, 0x14, 0x3c, 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, = 0x0a, - 0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42, 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, = 0x30, - 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, = 0x3c, - 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a, 0x7b, 0xa3, 0x42, 0xf4, 0x8d, = 0x42, - 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, = 0x48, - 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, = 0x00, - 0x5c, 0x4d, 0x92, 0x88, 0xb4, 0x82, 0x5f, 0x1d, 0xad, 0x8b, 0x11, 0xec, = 0xdf, - 0x06, 0xa6, 0x7a, 0xa5, 0x2b, 0x9f, 0x37, 0x55, 0x0c, 0x8d, 0x6e, 0x05, = 0x00, - 0xad, 0xb7, 0x0c, 0x41, 0x89, 0x69, 0xcf, 0xd6, 0x65, 0x06, 0x9b, 0x51, = 0x78, - 0xd2, 0xad, 0xc7, 0xbf, 0x9c, 0xdc, 0x05, 0x73, 0x7f, 0xe7, 0x1e, 0x39, = 0x13, - 0xb4, 0xea, 0xb6, 0x30, 0x7d, 0x40, 0x75, 0xab, 0x9c, 0x43, 0x0b, 0xdf, = 0xb0, - 0xc2, 0x1b, 0xbf, 0x30, 0xe0, 0xf4, 0xfe, 0xc0, 0xdb, 0x62, 0x21, 0x98, = 0xf6, - 0xc5, 0xaf, 0xde, 0x3b, 0x4f, 0x49, 0x0a, 0xe6, 0x1e, 0xf9, 0x86, 0xb0, = 0x3f, - 0x0d, 0xd6, 0xd4, 0x46, 0x37, 0xdb, 0x54, 0x74, 0x5e, 0xff, 0x11, 0xc2, = 0x60, - 0xc6, 0x70, 0x58, 0xc5, 0x1c, 0x6f, 0xec, 0xb2, 0xd8, 0x6e, 0x6f, 0xc3, = 0xbc, - 0x33, 0x87, 0x38, 0xa4, 0xf3, 0x44, 0x64, 0x9c, 0x34, 0x3b, 0x28, 0x94, = 0x26, - 0x78, 0x27, 0x9f, 0x16, 0x17, 0xe8, 0x3b, 0x69, 0x0a, 0x25, 0xa9, 0x73, = 0x36, - 0x7e, 0x9e, 0x37, 0x5c, 0xec, 0xe8, 0x3f, 0xdb, 0x91, 0xf9, 0x12, 0xb3, = 0x3d, - 0xce, 0xe7, 0xdd, 0x15, 0xc3, 0xae, 0x8c, 0x05, 0x20, 0x61, 0x9b, 0x95, = 0xde, - 0x9b, 0xaf, 0xfa, 0xb1, 0x5c, 0x1c, 0xe5, 0x97, 0xe7, 0xc3, 0x34, 0x11, = 0x85, - 0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, = 0x90, - 0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, = 0xaf, - 0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, = 0x37, - 0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, = 0xb7, - 0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, = 0x43, - 0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69 -}; - -CONST UINTN mSizeOfRedHatPkKek1 =3D sizeof mRedHatPkKek1; - - // // Second KEK: "Microsoft Corporation KEK CA 2011". // SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30 // // "dbx" updates in "dbxtool" are signed with a key derived from this KEK. // CONST UINT8 mMicrosoftKek[] =3D { 0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, = 0x02, --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39691): https://edk2.groups.io/g/devel/message/39691 Mute This Topic: https://groups.io/mt/31359390/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-