<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">> +CreateTimeBasedPayload (<br>
<br>
</p>
<p class="MsoNormal">I feel like we have a couple other instances of this floating around. Should we consolidate on a single implementation?</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">- Bret <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="border:none;padding:0in"><b>From: </b><a href="mailto:pete=akeo.ie@groups.io">Pete Batard via groups.io</a><br>
<b>Sent: </b>Wednesday, June 2, 2021 10:39 AM<br>
<b>To: </b><a href="mailto:devel@edk2.groups.io">devel@edk2.groups.io</a>; <a href="mailto:gjb@semihalf.com">
gjb@semihalf.com</a><br>
<b>Cc: </b><a href="mailto:leif@nuviainc.com">Lindholm, Leif</a>; <a href="mailto:ardb+tianocore@kernel.org">
ardb+tianocore@kernel.org</a>; <a href="mailto:Samer.El-Haj-Mahmoud@arm.com">Samer El-Haj-Mahmoud</a>;
<a href="mailto:sunny.Wang@arm.com">sunny.Wang@arm.com</a>; <a href="mailto:mw@semihalf.com">
mw@semihalf.com</a>; <a href="mailto:upstream@semihalf.com">upstream@semihalf.com</a>;
<a href="mailto:jiewen.yao@intel.com">Yao, Jiewen</a>; <a href="mailto:jian.j.wang@intel.com">
jian.j.wang@intel.com</a>; <a href="mailto:min.m.xu@intel.com">min.m.xu@intel.com</a>;
<a href="mailto:lersek@redhat.com">lersek@redhat.com</a><br>
<b>Subject: </b>[EXTERNAL] Re: [edk2-devel] [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables.</p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">On 2021.06.01 14:12, Grzegorz Bernacki wrote:<br>
> This commits add library, which consist functions related<br>
> creation/removal Secure Boot variables. Some of the functions<br>
> was moved from SecureBootConfigImpl.c file.<br>
> <br>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com><br>
> ---<br>
> SecurityPkg/SecurityPkg.dsc | 1 +<br>
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 79 ++<br>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 1 +<br>
> SecurityPkg/Include/Library/SecureBootVariableLib.h | 252 +++++<br>
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 979 ++++++++++++++++++++<br>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 189 +---<br>
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni | 16 +<br>
> 7 files changed, 1329 insertions(+), 188 deletions(-)<br>
> create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf<br>
> create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h<br>
> create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c<br>
> create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni<br>
> <br>
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc<br>
> index bd4b810bce..854f250625 100644<br>
> --- a/SecurityPkg/SecurityPkg.dsc<br>
> +++ b/SecurityPkg/SecurityPkg.dsc<br>
> @@ -70,6 +70,7 @@<br>
> RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf<br>
> TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf<br>
> MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf<br>
> + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf<br>
> <br>
> [LibraryClasses.ARM]<br>
> #<br>
> diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf<br>
> new file mode 100644<br>
> index 0000000000..84367841d5<br>
> --- /dev/null<br>
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf<br>
> @@ -0,0 +1,79 @@<br>
> +## @file<br>
> +# Provides initialization of Secure Boot keys and databases.<br>
> +#<br>
> +# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR><br>
> +# Copyright (c) 2021, Semihalf All rights reserved.<BR><br>
> +#<br>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent<br>
> +#<br>
> +##<br>
> +<br>
> +[Defines]<br>
> + INF_VERSION = 0x00010005<br>
> + BASE_NAME = SecureBootVariableLib<br>
> + MODULE_UNI_FILE = SecureBootVariableLib.uni<br>
> + FILE_GUID = D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F6F<br>
> + MODULE_TYPE = DXE_DRIVER<br>
> + VERSION_STRING = 1.0<br>
> + LIBRARY_CLASS = SecureBootVariableLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION<br>
> +<br>
> +#<br>
> +# The following information is for reference only and not required by the build tools.<br>
> +#<br>
> +# VALID_ARCHITECTURES = IA32 X64 AARCH64<br>
> +#<br>
> +<br>
> +[Sources]<br>
> + SecureBootVariableLib.c<br>
> +<br>
> +[Packages]<br>
> + MdePkg/MdePkg.dec<br>
> + MdeModulePkg/MdeModulePkg.dec<br>
> + SecurityPkg/SecurityPkg.dec<br>
> + CryptoPkg/CryptoPkg.dec<br>
> +<br>
> +[LibraryClasses]<br>
> + BaseLib<br>
> + BaseMemoryLib<br>
> + DebugLib<br>
> + MemoryAllocationLib<br>
> + BaseCryptLib<br>
> + DxeServicesLib<br>
> +<br>
> +[Guids]<br>
> + ## CONSUMES ## Variable:L"SetupMode"<br>
> + ## PRODUCES ## Variable:L"SetupMode"<br>
> + ## CONSUMES ## Variable:L"SecureBoot"<br>
> + ## PRODUCES ## Variable:L"SecureBoot"<br>
> + ## PRODUCES ## Variable:L"PK"<br>
> + ## PRODUCES ## Variable:L"KEK"<br>
> + ## CONSUMES ## Variable:L"PKDefault"<br>
> + ## CONSUMES ## Variable:L"KEKDefault"<br>
> + ## CONSUMES ## Variable:L"dbDefault"<br>
> + ## CONSUMES ## Variable:L"dbxDefault"<br>
> + ## CONSUMES ## Variable:L"dbtDefault"<br>
> + gEfiGlobalVariableGuid<br>
> +<br>
> + ## SOMETIMES_CONSUMES ## Variable:L"DB"<br>
> + ## SOMETIMES_CONSUMES ## Variable:L"DBX"<br>
> + ## SOMETIMES_CONSUMES ## Variable:L"DBT"<br>
> + gEfiImageSecurityDatabaseGuid<br>
> +<br>
> + ## CONSUMES ## Variable:L"SecureBootEnable"<br>
> + ## PRODUCES ## Variable:L"SecureBootEnable"<br>
> + gEfiSecureBootEnableDisableGuid<br>
> +<br>
> + ## CONSUMES ## Variable:L"CustomMode"<br>
> + ## PRODUCES ## Variable:L"CustomMode"<br>
> + gEfiCustomModeEnableGuid<br>
> +<br>
> + gEfiCertTypeRsa2048Sha256Guid ## CONSUMES<br>
> + gEfiCertX509Guid ## CONSUMES<br>
> + gEfiCertPkcs7Guid ## CONSUMES<br>
> +<br>
> + gDefaultPKFileGuid<br>
> + gDefaultKEKFileGuid<br>
> + gDefaultdbFileGuid<br>
> + gDefaultdbxFileGuid<br>
> + gDefaultdbtFileGuid<br>
> +<br>
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf<br>
> index 573efa6379..30d9cd8025 100644<br>
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf<br>
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf<br>
> @@ -54,6 +54,7 @@<br>
> DevicePathLib<br>
> FileExplorerLib<br>
> PeCoffLib<br>
> + SecureBootVariableLib<br>
> <br>
> [Guids]<br>
> ## SOMETIMES_CONSUMES ## Variable:L"CustomMode"<br>
> diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/SecurityPkg/Include/Library/SecureBootVariableLib.h<br>
> new file mode 100644<br>
> index 0000000000..2961c93a36<br>
> --- /dev/null<br>
> +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h<br>
> @@ -0,0 +1,252 @@<br>
> +/** @file<br>
> + Provides a function to enroll keys based on default values.<br>
> +<br>
> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR><br>
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR><br>
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR><br>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR><br>
> +SPDX-License-Identifier: BSD-2-Clause-Patent<br>
> +<br>
> +**/<br>
> +<br>
> +#ifndef __SECURE_BOOT_VARIABLE_LIB_H__<br>
> +#define __SECURE_BOOT_VARIABLE_LIB_H__<br>
> +<br>
> +/**<br>
> +<br>
> + Set the platform secure boot mode into "Custom" or "Standard" mode.<br>
> +<br>
> + @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or<br>
> + CUSTOM_SECURE_BOOT_MODE.<br>
> +<br>
> + @return EFI_SUCCESS The platform has switched to the special mode successfully.<br>
> + @return other Fail to operate the secure boot mode.<br>
> +<br>
> +--*/<br>
> +EFI_STATUS<br>
> +SetSecureBootMode (<br>
> + IN UINT8 SecureBootMode<br>
> +);<br>
> +<br>
> +/**<br>
> + Fetches the value of SetupMode variable.<br>
> +<br>
> + @param[out] SetupMode Pointer to UINT8 for SetupMode output<br>
> +<br>
> + @retval other Error codes from GetVariable.<br>
> +--*/<br>
> +BOOLEAN<br>
> +EFIAPI<br>
> +GetSetupMode (<br>
> + OUT UINT8 *SetupMode<br>
> +);<br>
> +<br>
> +/**<br>
> + Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2<br>
> + descriptor with the input data. NO authentication is required in this function.<br>
> +<br>
> + @param[in, out] DataSize On input, the size of Data buffer in bytes.<br>
> + On output, the size of data returned in Data<br>
> + buffer in bytes.<br>
> + @param[in, out] Data On input, Pointer to data buffer to be wrapped or<br>
> + pointer to NULL to wrap an empty payload.<br>
> + On output, Pointer to the new payload date buffer allocated from pool,<br>
> + it's caller's responsibility to free the memory when finish using it.<br>
> +<br>
> + @retval EFI_SUCCESS Create time based payload successfully.<br>
> + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload.<br>
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.<br>
> + @retval Others Unexpected error happens.<br>
> +<br>
> +--*/<br>
> +EFI_STATUS<br>
> +CreateTimeBasedPayload (<br>
> + IN OUT UINTN *DataSize,<br>
> + IN OUT UINT8 **Data<br>
> +);<br>
> +<br>
> +/**<br>
> + Sets the content of the 'db' variable based on 'dbDefault' variable content.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2(), GetTime() and SetVariable()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +EnrollDbFromDefault (<br>
> + VOID<br>
> +);<br>
> +<br>
> +/**<br>
> + Clears the content of the 'db' variable.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2(), GetTime() and SetVariable()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +DeleteDb (<br>
> + VOID<br>
> +);<br>
> +<br>
> +/**<br>
> + Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2(), GetTime() and SetVariable()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +EnrollDbxFromDefault (<br>
> + VOID<br>
> +);<br>
> +<br>
> +/**<br>
> + Clears the content of the 'dbx' variable.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2(), GetTime() and SetVariable()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +DeleteDbx (<br>
> + VOID<br>
> +);<br>
> +<br>
> +/**<br>
> + Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2(), GetTime() and SetVariable()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +EnrollDbtFromDefault (<br>
> + VOID<br>
> +);<br>
> +<br>
> +/**<br>
> + Clears the content of the 'dbt' variable.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2(), GetTime() and SetVariable()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +DeleteDbt (<br>
> + VOID<br>
> +);<br>
> +<br>
> +/**<br>
> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2(), GetTime() and SetVariable()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +EnrollKEKFromDefault (<br>
> + VOID<br>
> +);<br>
> +<br>
> +/**<br>
> + Clears the content of the 'KEK' variable.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2(), GetTime() and SetVariable()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +DeleteKEK (<br>
> + VOID<br>
> +);<br>
> +<br>
> +/**<br>
> + Sets the content of the 'PK' variable based on 'PKDefault' variable content.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2(), GetTime() and SetVariable()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +EnrollPKFromDefault (<br>
> + VOID<br>
> +);<br>
> +<br>
> +/**<br>
> + Clears the content of the 'PK' variable.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2(), GetTime() and SetVariable()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +DeletePlatformKey (<br>
> + VOID<br>
> +);<br>
> +<br>
> +/** Initializes PKDefault variable with data from FFS section.<br>
> +<br>
> +<br>
> + @retval EFI_SUCCESS Variable was initialized successfully.<br>
> + @retval EFI_UNSUPPORTED Variable already exists.<br>
> +--*/<br>
> +EFI_STATUS<br>
> +SecureBootInitPKDefault (<br>
> + IN VOID<br>
> + );<br>
> +<br>
> +/** Initializes KEKDefault variable with data from FFS section.<br>
> +<br>
> +<br>
> + @retval EFI_SUCCESS Variable was initialized successfully.<br>
> + @retval EFI_UNSUPPORTED Variable already exists.<br>
> +--*/<br>
> +EFI_STATUS<br>
> +SecureBootInitKEKDefault (<br>
> + IN VOID<br>
> + );<br>
> +<br>
> +/** Initializes dbDefault variable with data from FFS section.<br>
> +<br>
> +<br>
> + @retval EFI_SUCCESS Variable was initialized successfully.<br>
> + @retval EFI_UNSUPPORTED Variable already exists.<br>
> +--*/<br>
> +EFI_STATUS<br>
> +SecureBootInitdbDefault (<br>
> + IN VOID<br>
> + );<br>
> +<br>
> +/** Initializes dbtDefault variable with data from FFS section.<br>
> +<br>
> +<br>
> + @retval EFI_SUCCESS Variable was initialized successfully.<br>
> + @retval EFI_UNSUPPORTED Variable already exists.<br>
> +--*/<br>
> +EFI_STATUS<br>
> +SecureBootInitdbtDefault (<br>
> + IN VOID<br>
> + );<br>
> +<br>
> +/** Initializes dbxDefault variable with data from FFS section.<br>
> +<br>
> +<br>
> + @retval EFI_SUCCESS Variable was initialized successfully.<br>
> + @retval EFI_UNSUPPORTED Variable already exists.<br>
> +--*/<br>
> +EFI_STATUS<br>
> +SecureBootInitdbxDefault (<br>
> + IN VOID<br>
> + );<br>
> +#endif<br>
> diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c<br>
> new file mode 100644<br>
> index 0000000000..16bad5530a<br>
> --- /dev/null<br>
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c<br>
> @@ -0,0 +1,979 @@<br>
> +/** @file<br>
> + This library provides functions to set/clear Secure Boot<br>
> + keys and databases.<br>
> +<br>
> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR><br>
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR><br>
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR><br>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR><br>
> +SPDX-License-Identifier: BSD-2-Clause-Patent<br>
> +<br>
> +**/<br>
> +#include <Guid/GlobalVariable.h><br>
> +#include <Guid/AuthenticatedVariableFormat.h><br>
> +#include <Guid/ImageAuthentication.h><br>
> +#include <Library/BaseCryptLib.h><br>
> +#include <Library/BaseLib.h><br>
> +#include <Library/BaseMemoryLib.h><br>
> +#include <Library/DebugLib.h><br>
> +#include <Library/UefiLib.h><br>
> +#include <Library/MemoryAllocationLib.h><br>
> +#include <Library/UefiRuntimeServicesTableLib.h><br>
> +#include <Library/SecureBootVariableLib.h><br>
> +#include "Library/DxeServicesLib.h"<br>
> +<br>
> +/** Creates EFI Signature List structure.<br>
> +<br>
> + @param[in] Data A pointer to signature data.<br>
> + @param[in] Size Size of signature data.<br>
> + @param[out] SigList Created Signature List.<br>
> +<br>
> + @retval EFI_SUCCESS Signature List was created successfully.<br>
> + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.<br>
> +--*/<br>
> +STATIC<br>
> +EFI_STATUS<br>
> +CreateSigList (<br>
> + IN VOID *Data,<br>
> + IN UINTN Size,<br>
> + OUT EFI_SIGNATURE_LIST **SigList<br>
> + )<br>
> +{<br>
> + UINTN SigListSize;<br>
> + EFI_SIGNATURE_LIST *TmpSigList;<br>
> + EFI_SIGNATURE_DATA *SigData;<br>
> +<br>
> + //<br>
> + // Allocate data for Signature Database<br>
> + //<br>
> + SigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + Size;<br>
> + TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize);<br>
> + if (TmpSigList == NULL) {<br>
> + return EFI_OUT_OF_RESOURCES;<br>
> + }<br>
> +<br>
> + //<br>
> + // Only gEfiCertX509Guid type is supported<br>
> + //<br>
> + TmpSigList->SignatureListSize = (UINT32)SigListSize;<br>
> + TmpSigList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + Size);<br>
> + TmpSigList->SignatureHeaderSize = 0;<br>
> + CopyGuid (&TmpSigList->SignatureType, &gEfiCertX509Guid);<br>
> +<br>
> + //<br>
> + // Copy key data<br>
> + //<br>
> + SigData = (EFI_SIGNATURE_DATA *) (TmpSigList + 1);<br>
> + CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVariableGuid);<br>
> + CopyMem (&SigData->SignatureData[0], Data, Size);<br>
> +<br>
> + *SigList = TmpSigList;<br>
> +<br>
> + return EFI_SUCCESS;<br>
> +}<br>
> +<br>
> +/** Adds new signature list to signature database.<br>
> +<br>
> + @param[in] SigLists A pointer to signature database.<br>
> + @param[in] SiglListAppend A signature list to be added.<br>
> + @param[out] *SigListOut Created signature database.<br>
> + @param[out] SigListsSize A size of created signature database.<br>
> +<br>
> + @retval EFI_SUCCESS Signature List was added successfully.<br>
> + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.<br>
> +--*/<br>
> +STATIC<br>
> +EFI_STATUS<br>
> +ConcatenateSigList (<br>
> + IN EFI_SIGNATURE_LIST *SigLists,<br>
> + IN EFI_SIGNATURE_LIST *SigListAppend,<br>
> + OUT EFI_SIGNATURE_LIST **SigListOut,<br>
> + IN OUT UINTN *SigListsSize<br>
> +)<br>
> +{<br>
> + EFI_SIGNATURE_LIST *TmpSigList;<br>
> + UINT8 *Offset;<br>
> + UINTN NewSigListsSize;<br>
> +<br>
> + NewSigListsSize = *SigListsSize + SigListAppend->SignatureListSize;<br>
> +<br>
> + TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize);<br>
> + if (TmpSigList == NULL) {<br>
> + return EFI_OUT_OF_RESOURCES;<br>
> + }<br>
> +<br>
> + CopyMem (TmpSigList, SigLists, *SigListsSize);<br>
> +<br>
> + Offset = (UINT8 *)TmpSigList;<br>
> + Offset += *SigListsSize;<br>
> + CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize);<br>
> +<br>
> + *SigListsSize = NewSigListsSize;<br>
> + *SigListOut = TmpSigList;<br>
> + return EFI_SUCCESS;<br>
> +}<br>
> +<br>
> +/**<br>
> + Create a EFI Signature List with data fetched from section specified as a argument.<br>
> + Found keys are verified using RsaGetPublicKeyFromX509().<br>
> +<br>
> + @param[in] KeyFileGuid A pointer to to the FFS filename GUID<br>
> + @param[out] SigListsSize A pointer to size of signature list<br>
> + @param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists<br>
> +<br>
> + @retval EFI_SUCCESS Create time based payload successfully.<br>
> + @retval EFI_NOT_FOUND Section with key has not been found.<br>
> + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format.<br>
> + @retval Others Unexpected error happens.<br>
> +<br>
> +--*/<br>
> +STATIC<br>
> +EFI_STATUS<br>
> +SecureBootFetchData (<br>
> + IN EFI_GUID *KeyFileGuid,<br>
> + OUT UINTN *SigListsSize,<br>
> + OUT EFI_SIGNATURE_LIST **SigListOut<br>
> +)<br>
> +{<br>
> + EFI_SIGNATURE_LIST *EfiSig;<br>
> + EFI_SIGNATURE_LIST *TmpEfiSig;<br>
> + EFI_SIGNATURE_LIST *TmpEfiSig2;<br>
> + EFI_STATUS Status;<br>
> + VOID *Buffer;<br>
> + VOID *RsaPubKey;<br>
> + UINTN Size;<br>
> + UINTN KeyIndex;<br>
> +<br>
> +<br>
> + KeyIndex = 0;<br>
> + EfiSig = NULL;<br>
> + *SigListsSize = 0;<br>
> + while (1) {<br>
> + Status = GetSectionFromAnyFv (<br>
> + KeyFileGuid,<br>
> + EFI_SECTION_RAW,<br>
> + KeyIndex,<br>
> + &Buffer,<br>
> + &Size<br>
> + );<br>
> +<br>
> + if (Status == EFI_SUCCESS) {<br>
> + RsaPubKey = NULL;<br>
> + if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {<br>
> + DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));<br>
> + if (EfiSig != NULL) {<br>
> + FreePool(EfiSig);<br>
> + }<br>
> + FreePool(Buffer);<br>
> + return EFI_INVALID_PARAMETER;<br>
> + }<br>
> +<br>
> + Status = CreateSigList (Buffer, Size, &TmpEfiSig);<br>
> +<br>
> + //<br>
> + // Concatenate lists if more than one section found<br>
> + //<br>
> + if (KeyIndex == 0) {<br>
> + EfiSig = TmpEfiSig;<br>
> + *SigListsSize = TmpEfiSig->SignatureListSize;<br>
> + } else {<br>
> + ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize);<br>
> + FreePool (EfiSig);<br>
> + FreePool (TmpEfiSig);<br>
> + EfiSig = TmpEfiSig2;<br>
> + }<br>
> +<br>
> + KeyIndex++;<br>
> + FreePool (Buffer);<br>
> + } if (Status == EFI_NOT_FOUND) {<br>
> + break;<br>
> + }<br>
> + };<br>
> +<br>
> + if (KeyIndex == 0) {<br>
> + return EFI_NOT_FOUND;<br>
> + }<br>
> +<br>
> + *SigListOut = EfiSig;<br>
> +<br>
> + return EFI_SUCCESS;<br>
> +}<br>
> +<br>
> +/**<br>
> + Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2<br>
> + descriptor with the input data. NO authentication is required in this function.<br>
> +<br>
> + @param[in, out] DataSize On input, the size of Data buffer in bytes.<br>
> + On output, the size of data returned in Data<br>
> + buffer in bytes.<br>
> + @param[in, out] Data On input, Pointer to data buffer to be wrapped or<br>
> + pointer to NULL to wrap an empty payload.<br>
> + On output, Pointer to the new payload date buffer allocated from pool,<br>
> + it's caller's responsibility to free the memory when finish using it.<br>
> +<br>
> + @retval EFI_SUCCESS Create time based payload successfully.<br>
> + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload.<br>
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.<br>
> + @retval Others Unexpected error happens.<br>
> +<br>
> +--*/<br>
> +EFI_STATUS<br>
> +CreateTimeBasedPayload (<br>
> + IN OUT UINTN *DataSize,<br>
> + IN OUT UINT8 **Data<br>
> + )<br>
> +{<br>
> + EFI_STATUS Status;<br>
> + UINT8 *NewData;<br>
> + UINT8 *Payload;<br>
> + UINTN PayloadSize;<br>
> + EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;<br>
> + UINTN DescriptorSize;<br>
> + EFI_TIME Time;<br>
> +<br>
> + if (Data == NULL || DataSize == NULL) {<br>
> + return EFI_INVALID_PARAMETER;<br>
> + }<br>
> +<br>
> + //<br>
> + // In Setup mode or Custom mode, the variable does not need to be signed but the<br>
> + // parameters to the SetVariable() call still need to be prepared as authenticated<br>
> + // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate<br>
> + // data in it.<br>
> + //<br>
> + Payload = *Data;<br>
> + PayloadSize = *DataSize;<br>
> +<br>
> + DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);<br>
> + NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);<br>
> + if (NewData == NULL) {<br>
> + return EFI_OUT_OF_RESOURCES;<br>
> + }<br>
> +<br>
> + if ((Payload != NULL) && (PayloadSize != 0)) {<br>
> + CopyMem (NewData + DescriptorSize, Payload, PayloadSize);<br>
> + }<br>
> +<br>
> + DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);<br>
> +<br>
> + ZeroMem (&Time, sizeof (EFI_TIME));<br>
> + Status = gRT->GetTime (&Time, NULL);<br>
> + if (EFI_ERROR (Status)) {<br>
> + FreePool(NewData);<br>
> + return Status;<br>
> + }<br>
> + Time.Pad1 = 0;<br>
> + Time.Nanosecond = 0;<br>
> + Time.TimeZone = 0;<br>
> + Time.Daylight = 0;<br>
> + Time.Pad2 = 0;<br>
> + CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));<br>
> +<br>
> + DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);<br>
> + DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;<br>
> + DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;<br>
> + CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);<br>
> +<br>
> + if (Payload != NULL) {<br>
> + FreePool(Payload);<br>
> + }<br>
> +<br>
> + *DataSize = DescriptorSize + PayloadSize;<br>
> + *Data = NewData;<br>
> + return EFI_SUCCESS;<br>
> +}<br>
> +<br>
> +/**<br>
> + Internal helper function to delete a Variable given its name and GUID, NO authentication<br>
> + required.<br>
> +<br>
> + @param[in] VariableName Name of the Variable.<br>
> + @param[in] VendorGuid GUID of the Variable.<br>
> +<br>
> + @retval EFI_SUCCESS Variable deleted successfully.<br>
> + @retval Others The driver failed to start the device.<br>
> +<br>
> +--*/<br>
> +EFI_STATUS<br>
> +DeleteVariable (<br>
> + IN CHAR16 *VariableName,<br>
> + IN EFI_GUID *VendorGuid<br>
> + )<br>
> +{<br>
> + EFI_STATUS Status;<br>
> + VOID* Variable;<br>
> + UINT8 *Data;<br>
> + UINTN DataSize;<br>
> + UINT32 Attr;<br>
> +<br>
> + GetVariable2 (VariableName, VendorGuid, &Variable, NULL);<br>
> + if (Variable == NULL) {<br>
> + return EFI_SUCCESS;<br>
> + }<br>
> + FreePool (Variable);<br>
> +<br>
> + Data = NULL;<br>
> + DataSize = 0;<br>
> + Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS<br>
> + | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;<br>
> +<br>
> + Status = CreateTimeBasedPayload (&DataSize, &Data);<br>
> + if (EFI_ERROR (Status)) {<br>
> + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));<br>
> + return Status;<br>
> + }<br>
> +<br>
> + Status = gRT->SetVariable (<br>
> + VariableName,<br>
> + VendorGuid,<br>
> + Attr,<br>
> + DataSize,<br>
> + Data<br>
> + );<br>
> + if (Data != NULL) {<br>
> + FreePool (Data);<br>
> + }<br>
> + return Status;<br>
> +}<br>
> +<br>
> +/**<br>
> +<br>
> + Set the platform secure boot mode into "Custom" or "Standard" mode.<br>
> +<br>
> + @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or<br>
> + CUSTOM_SECURE_BOOT_MODE.<br>
> +<br>
> + @return EFI_SUCCESS The platform has switched to the special mode successfully.<br>
> + @return other Fail to operate the secure boot mode.<br>
> +<br>
> +--*/<br>
> +EFI_STATUS<br>
> +SetSecureBootMode (<br>
> + IN UINT8 SecureBootMode<br>
> + )<br>
> +{<br>
> + return gRT->SetVariable (<br>
> + EFI_CUSTOM_MODE_NAME,<br>
> + &gEfiCustomModeEnableGuid,<br>
> + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,<br>
> + sizeof (UINT8),<br>
> + &SecureBootMode<br>
> + );<br>
> +}<br>
> +<br>
> +<br>
> +/**<br>
> + Enroll a key/certificate based on a default variable.<br>
> +<br>
> + @param[in] VariableName The name of the key/database.<br>
> + @param[in] DefaultName The name of the default variable.<br>
> + @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable<br>
> +<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES Out of memory while allocating AuthHeader.<br>
> + @retval EFI_SUCCESS Successful enrollment.<br>
> + @return Error codes from GetTime () and SetVariable ().<br>
> +--*/<br>
> +STATIC<br>
> +EFI_STATUS<br>
> +EnrollFromDefault (<br>
> + IN CHAR16 *VariableName,<br>
> + IN CHAR16 *DefaultName,<br>
> + IN EFI_GUID *VendorGuid<br>
> + )<br>
> +{<br>
> + VOID *Data;<br>
> + UINTN DataSize;<br>
> + EFI_STATUS Status;<br>
> +<br>
> + Status = EFI_SUCCESS;<br>
> +<br>
> + DataSize = 0;<br>
> + Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &DataSize);<br>
> + if (EFI_ERROR (Status)) {<br>
> + DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName, Status));<br>
> + return Status;<br>
> + }<br>
> +<br>
> + CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);<br>
> + if (EFI_ERROR (Status)) {<br>
> + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));<br>
> + return Status;<br>
> + }<br>
> +<br>
> + //<br>
> + // Allocate memory for auth variable<br>
> + //<br>
> + Status = gRT->SetVariable (<br>
> + VariableName,<br>
> + VendorGuid,<br>
> + (EFI_VARIABLE_NON_VOLATILE |<br>
> + EFI_VARIABLE_BOOTSERVICE_ACCESS |<br>
> + EFI_VARIABLE_RUNTIME_ACCESS |<br>
> + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),<br>
> + DataSize,<br>
> + Data<br>
> + );<br>
> +<br>
> + if (EFI_ERROR (Status)) {<br>
> + DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, VariableName,<br>
> + VendorGuid, Status));<br>
> + }<br>
> +<br>
> + if (Data != NULL) {<br>
> + FreePool (Data);<br>
> + }<br>
> +<br>
> + return Status;<br>
> +}<br>
> +<br>
> +/** Initializes PKDefault variable with data from FFS section.<br>
> +<br>
> +<br>
> + @retval EFI_SUCCESS Variable was initialized successfully.<br>
> + @retval EFI_UNSUPPORTED Variable already exists.<br>
> +--*/<br>
> +EFI_STATUS<br>
> +SecureBootInitPKDefault (<br>
> + IN VOID<br>
> + )<br>
> +{<br>
> + EFI_SIGNATURE_LIST *EfiSig;<br>
> + UINTN SigListsSize;<br>
> + EFI_STATUS Status;<br>
> + UINT8 *Data;<br>
> + UINTN DataSize;<br>
> +<br>
> + //<br>
> + // Check if variable exists, if so do not change it<br>
> + //<br>
> + Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);<br>
> + if (Status == EFI_SUCCESS) {<br>
> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));<br>
> + FreePool (Data);<br>
> + return EFI_UNSUPPORTED;<br>
> + }<br>
> +<br>
> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {<br>
> + return Status;<br>
> + }<br>
> +<br>
> + //<br>
> + // Variable does not exist, can be initialized<br>
> + //<br>
> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));<br>
> +<br>
> + Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiSig);<br>
> + if (EFI_ERROR (Status)) {<br>
> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIABLE_NAME));<br>
> + return Status;<br>
> + }<br>
> +<br>
> + Status = gRT->SetVariable (<br>
> + EFI_PK_DEFAULT_VARIABLE_NAME,<br>
> + &gEfiGlobalVariableGuid,<br>
> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,<br>
> + SigListsSize,<br>
> + (VOID *)EfiSig<br>
> + );<br>
> + if (EFI_ERROR (Status)) {<br>
> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME));<br>
> + }<br>
> +<br>
> + FreePool (EfiSig);<br>
> +<br>
> + return Status;<br>
> +}<br>
> +<br>
> +/** Initializes KEKDefault variable with data from FFS section.<br>
> +<br>
> +<br>
> + @retval EFI_SUCCESS Variable was initialized successfully.<br>
> + @retval EFI_UNSUPPORTED Variable already exists.<br>
> +--*/<br>
> +EFI_STATUS<br>
> +SecureBootInitKEKDefault (<br>
> + IN VOID<br>
> + )<br>
> +{<br>
> + EFI_SIGNATURE_LIST *EfiSig;<br>
> + UINTN SigListsSize;<br>
> + EFI_STATUS Status;<br>
> + UINT8 *Data;<br>
> + UINTN DataSize;<br>
> +<br>
> + //<br>
> + // Check if variable exists, if so do not change it<br>
> + //<br>
> + Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);<br>
> + if (Status == EFI_SUCCESS) {<br>
> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));<br>
> + FreePool (Data);<br>
> + return EFI_UNSUPPORTED;<br>
> + }<br>
> +<br>
> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {<br>
> + return Status;<br>
> + }<br>
> +<br>
> + //<br>
> + // Variable does not exist, can be initialized<br>
> + //<br>
> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VARIABLE_NAME));<br>
> +<br>
> + Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &EfiSig);<br>
> + if (EFI_ERROR (Status)) {<br>
> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARIABLE_NAME));<br>
> + return Status;<br>
> + }<br>
> +<br>
> +<br>
> + Status = gRT->SetVariable (<br>
> + EFI_KEK_DEFAULT_VARIABLE_NAME,<br>
> + &gEfiGlobalVariableGuid,<br>
> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,<br>
> + SigListsSize,<br>
> + (VOID *)EfiSig<br>
> + );<br>
> + if (EFI_ERROR (Status)) {<br>
> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAME));<br>
> + }<br>
> +<br>
> + FreePool (EfiSig);<br>
> +<br>
> + return Status;<br>
> +}<br>
> +<br>
> +/** Initializes dbDefault variable with data from FFS section.<br>
> +<br>
> +<br>
> + @retval EFI_SUCCESS Variable was initialized successfully.<br>
> + @retval EFI_UNSUPPORTED Variable already exists.<br>
> +--*/<br>
> +EFI_STATUS<br>
> +SecureBootInitdbDefault (<br>
> + IN VOID<br>
> + )<br>
> +{<br>
> + EFI_SIGNATURE_LIST *EfiSig;<br>
> + UINTN SigListsSize;<br>
> + EFI_STATUS Status;<br>
> + UINT8 *Data;<br>
> + UINTN DataSize;<br>
> +<br>
> + Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);<br>
> + if (Status == EFI_SUCCESS) {<br>
> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));<br>
> + FreePool (Data);<br>
> + return EFI_UNSUPPORTED;<br>
> + }<br>
> +<br>
> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {<br>
> + return Status;<br>
> + }<br>
> +<br>
> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));<br>
> +<br>
> + Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiSig);<br>
> + if (EFI_ERROR (Status)) {<br>
> + return Status;<br>
> + }<br>
> +<br>
> + Status = gRT->SetVariable (<br>
> + EFI_DB_DEFAULT_VARIABLE_NAME,<br>
> + &gEfiGlobalVariableGuid,<br>
> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,<br>
> + SigListsSize,<br>
> + (VOID *)EfiSig<br>
> + );<br>
> + if (EFI_ERROR (Status)) {<br>
> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NAME));<br>
> + }<br>
> +<br>
> + FreePool (EfiSig);<br>
> +<br>
> + return Status;<br>
> +}<br>
> +<br>
> +/** Initializes dbxDefault variable with data from FFS section.<br>
> +<br>
> +<br>
> + @retval EFI_SUCCESS Variable was initialized successfully.<br>
> + @retval EFI_UNSUPPORTED Variable already exists.<br>
> +--*/<br>
> +EFI_STATUS<br>
> +SecureBootInitdbxDefault (<br>
> + IN VOID<br>
> + )<br>
> +{<br>
> + EFI_SIGNATURE_LIST *EfiSig;<br>
> + UINTN SigListsSize;<br>
> + EFI_STATUS Status;<br>
> + UINT8 *Data;<br>
> + UINTN DataSize;<br>
> +<br>
> + //<br>
> + // Check if variable exists, if so do not change it<br>
> + //<br>
> + Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);<br>
> + if (Status == EFI_SUCCESS) {<br>
> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));<br>
> + FreePool (Data);<br>
> + return EFI_UNSUPPORTED;<br>
> + }<br>
> +<br>
> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {<br>
> + return Status;<br>
> + }<br>
> +<br>
> + //<br>
> + // Variable does not exist, can be initialized<br>
> + //<br>
> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));<br>
> +<br>
> + Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig);<br>
> + if (EFI_ERROR (Status)) {<br>
> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME));<br>
> + return Status;<br>
> + }<br>
> +<br>
> + Status = gRT->SetVariable (<br>
> + EFI_DBX_DEFAULT_VARIABLE_NAME,<br>
> + &gEfiGlobalVariableGuid,<br>
> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,<br>
> + SigListsSize,<br>
> + (VOID *)EfiSig<br>
> + );<br>
> + if (EFI_ERROR (Status)) {<br>
> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME));<br>
> + }<br>
> +<br>
> + FreePool (EfiSig);<br>
> +<br>
> + return Status;<br>
> +}<br>
> +<br>
> +/** Initializes dbtDefault variable with data from FFS section.<br>
> +<br>
> +<br>
> + @retval EFI_SUCCESS Variable was initialized successfully.<br>
> + @retval EFI_UNSUPPORTED Variable already exists.<br>
> +--*/<br>
> +EFI_STATUS<br>
> +SecureBootInitdbtDefault (<br>
> + IN VOID<br>
> + )<br>
> +{<br>
> + EFI_SIGNATURE_LIST *EfiSig;<br>
> + UINTN SigListsSize;<br>
> + EFI_STATUS Status;<br>
> + UINT8 *Data;<br>
> + UINTN DataSize;<br>
> +<br>
> + //<br>
> + // Check if variable exists, if so do not change it<br>
> + //<br>
> + Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);<br>
> + if (Status == EFI_SUCCESS) {<br>
> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));<br>
> + FreePool (Data);<br>
> + return EFI_UNSUPPORTED;<br>
> + }<br>
> +<br>
> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {<br>
> + return Status;<br>
> + }<br>
> +<br>
> + //<br>
> + // Variable does not exist, can be initialized<br>
> + //<br>
> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VARIABLE_NAME));<br>
> +<br>
> + Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiSig);<br>
> + if (EFI_ERROR (Status)) {<br>
> + return Status;<br>
> + }<br>
> +<br>
> + Status = gRT->SetVariable (<br>
> + EFI_DBT_DEFAULT_VARIABLE_NAME,<br>
> + &gEfiGlobalVariableGuid,<br>
> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,<br>
> + SigListsSize,<br>
> + (VOID *)EfiSig<br>
> + );<br>
> + if (EFI_ERROR (Status)) {<br>
> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAME));<br>
> + }<br>
> +<br>
> + FreePool (EfiSig);<br>
> +<br>
> + return EFI_SUCCESS;<br>
> +}<br>
> +<br>
> +/**<br>
> + Fetches the value of SetupMode variable.<br>
> +<br>
> + @param[out] SetupMode Pointer to UINT8 for SetupMode output<br>
> +<br>
> + @retval other Retval from GetVariable.<br>
> +--*/<br>
> +BOOLEAN<br>
> +EFIAPI<br>
> +GetSetupMode (<br>
> + OUT UINT8 *SetupMode<br>
> +)<br>
> +{<br>
> + UINTN Size;<br>
> + EFI_STATUS Status;<br>
> +<br>
> + Size = sizeof (*SetupMode);<br>
> + Status = gRT->GetVariable (<br>
> + EFI_SETUP_MODE_NAME,<br>
> + &gEfiGlobalVariableGuid,<br>
> + NULL,<br>
> + &Size,<br>
> + SetupMode<br>
> + );<br>
> + if (EFI_ERROR (Status)) {<br>
> + return Status;<br>
> + }<br>
> +<br>
> + return EFI_SUCCESS;<br>
> +}<br>
> +<br>
> +/**<br>
> + Sets the content of the 'db' variable based on 'dbDefault' variable content.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +EnrollDbFromDefault (<br>
> + VOID<br>
> +)<br>
> +{<br>
> + EFI_STATUS Status;<br>
> +<br>
> + Status = EnrollFromDefault (<br>
> + EFI_IMAGE_SECURITY_DATABASE,<br>
> + EFI_DB_DEFAULT_VARIABLE_NAME,<br>
> + &gEfiImageSecurityDatabaseGuid<br>
> + );<br>
> +<br>
> + return Status;<br>
> +}<br>
> +<br>
> +/**<br>
> + Clears the content of the 'db' variable.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +DeleteDb (<br>
> + VOID<br>
> +)<br>
> +{<br>
> + EFI_STATUS Status;<br>
> +<br>
> + Status = DeleteVariable (<br>
> + EFI_IMAGE_SECURITY_DATABASE,<br>
> + &gEfiImageSecurityDatabaseGuid<br>
> + );<br>
> +<br>
> + return Status;<br>
> +}<br>
> +<br>
> +/**<br>
> + Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +EnrollDbxFromDefault (<br>
> + VOID<br>
> +)<br>
> +{<br>
> + EFI_STATUS Status;<br>
> +<br>
> + Status = EnrollFromDefault (<br>
> + EFI_IMAGE_SECURITY_DATABASE1,<br>
> + EFI_DBX_DEFAULT_VARIABLE_NAME,<br>
> + &gEfiImageSecurityDatabaseGuid<br>
> + );<br>
> +<br>
> + return Status;<br>
> +}<br>
> +<br>
> +/**<br>
> + Clears the content of the 'dbx' variable.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +DeleteDbx (<br>
> + VOID<br>
> +)<br>
> +{<br>
> + EFI_STATUS Status;<br>
> +<br>
> + Status = DeleteVariable (<br>
> + EFI_IMAGE_SECURITY_DATABASE1,<br>
> + &gEfiImageSecurityDatabaseGuid<br>
> + );<br>
> +<br>
> + return Status;<br>
> +}<br>
> +<br>
> +/**<br>
> + Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +EnrollDbtFromDefault (<br>
> + VOID<br>
> +)<br>
> +{<br>
> + EFI_STATUS Status;<br>
> +<br>
> + Status = EnrollFromDefault (<br>
> + EFI_IMAGE_SECURITY_DATABASE2,<br>
> + EFI_DBT_DEFAULT_VARIABLE_NAME,<br>
> + &gEfiImageSecurityDatabaseGuid);<br>
> +<br>
> + return Status;<br>
> +}<br>
> +<br>
> +/**<br>
> + Clears the content of the 'dbt' variable.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +DeleteDbt (<br>
> + VOID<br>
> +)<br>
> +{<br>
> + EFI_STATUS Status;<br>
> +<br>
> + Status = DeleteVariable (<br>
> + EFI_IMAGE_SECURITY_DATABASE2,<br>
> + &gEfiImageSecurityDatabaseGuid<br>
> + );<br>
> +<br>
> + return Status;<br>
> +}<br>
> +<br>
> +/**<br>
> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +EnrollKEKFromDefault (<br>
> + VOID<br>
> +)<br>
> +{<br>
> + EFI_STATUS Status;<br>
> +<br>
> + Status = EnrollFromDefault (<br>
> + EFI_KEY_EXCHANGE_KEY_NAME,<br>
> + EFI_KEK_DEFAULT_VARIABLE_NAME,<br>
> + &gEfiGlobalVariableGuid<br>
> + );<br>
> +<br>
> + return Status;<br>
> +}<br>
> +<br>
> +/**<br>
> + Clears the content of the 'KEK' variable.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +DeleteKEK (<br>
> + VOID<br>
> +)<br>
> +{<br>
> + EFI_STATUS Status;<br>
> +<br>
> + Status = DeleteVariable (<br>
> + EFI_KEY_EXCHANGE_KEY_NAME,<br>
> + &gEfiGlobalVariableGuid<br>
> + );<br>
> +<br>
> + return Status;<br>
> +}<br>
> +<br>
> +/**<br>
> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.<br>
> +<br>
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
> + while VendorGuid is NULL.<br>
> + @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()<br>
> +--*/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +EnrollPKFromDefault (<br>
> + VOID<br>
> +)<br>
> +{<br>
> + EFI_STATUS Status;<br>
> +<br>
> + Status = EnrollFromDefault (<br>
> + EFI_PLATFORM_KEY_NAME,<br>
> + EFI_PK_DEFAULT_VARIABLE_NAME,<br>
> + &gEfiGlobalVariableGuid<br>
> + );<br>
> +<br>
> + return Status;<br>
> +}<br>
> +<br>
> +/**<br>
> + Remove the PK variable.<br>
> +<br>
> + @retval EFI_SUCCESS Delete PK successfully.<br>
> + @retval Others Could not allow to delete PK.<br>
> +<br>
> +--*/<br>
> +EFI_STATUS<br>
> +DeletePlatformKey (<br>
> + VOID<br>
> +)<br>
> +{<br>
> + EFI_STATUS Status;<br>
> +<br>
> + Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);<br>
> + if (EFI_ERROR (Status)) {<br>
> + return Status;<br>
> + }<br>
> +<br>
> + Status = DeleteVariable (<br>
> + EFI_PLATFORM_KEY_NAME,<br>
> + &gEfiGlobalVariableGuid<br>
> + );<br>
> + return Status;<br>
> +}<br>
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c<br>
> index e82bfe7757..67e5e594ed 100644<br>
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c<br>
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c<br>
> @@ -9,6 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent<br>
> <br>
> #include "SecureBootConfigImpl.h"<br>
> #include <Library/BaseCryptLib.h><br>
> +#include <Library/SecureBootVariableLib.h><br>
> <br>
> CHAR16 mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION";<br>
> <br>
> @@ -237,168 +238,6 @@ SaveSecureBootVariable (<br>
> return Status;<br>
> }<br>
> <br>
> -/**<br>
> - Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2<br>
> - descriptor with the input data. NO authentication is required in this function.<br>
> -<br>
> - @param[in, out] DataSize On input, the size of Data buffer in bytes.<br>
> - On output, the size of data returned in Data<br>
> - buffer in bytes.<br>
> - @param[in, out] Data On input, Pointer to data buffer to be wrapped or<br>
> - pointer to NULL to wrap an empty payload.<br>
> - On output, Pointer to the new payload date buffer allocated from pool,<br>
> - it's caller's responsibility to free the memory when finish using it.<br>
> -<br>
> - @retval EFI_SUCCESS Create time based payload successfully.<br>
> - @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload.<br>
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.<br>
> - @retval Others Unexpected error happens.<br>
> -<br>
> -**/<br>
> -EFI_STATUS<br>
> -CreateTimeBasedPayload (<br>
> - IN OUT UINTN *DataSize,<br>
> - IN OUT UINT8 **Data<br>
> - )<br>
> -{<br>
> - EFI_STATUS Status;<br>
> - UINT8 *NewData;<br>
> - UINT8 *Payload;<br>
> - UINTN PayloadSize;<br>
> - EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;<br>
> - UINTN DescriptorSize;<br>
> - EFI_TIME Time;<br>
> -<br>
> - if (Data == NULL || DataSize == NULL) {<br>
> - return EFI_INVALID_PARAMETER;<br>
> - }<br>
> -<br>
> - //<br>
> - // In Setup mode or Custom mode, the variable does not need to be signed but the<br>
> - // parameters to the SetVariable() call still need to be prepared as authenticated<br>
> - // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate<br>
> - // data in it.<br>
> - //<br>
> - Payload = *Data;<br>
> - PayloadSize = *DataSize;<br>
> -<br>
> - DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);<br>
> - NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);<br>
> - if (NewData == NULL) {<br>
> - return EFI_OUT_OF_RESOURCES;<br>
> - }<br>
> -<br>
> - if ((Payload != NULL) && (PayloadSize != 0)) {<br>
> - CopyMem (NewData + DescriptorSize, Payload, PayloadSize);<br>
> - }<br>
> -<br>
> - DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);<br>
> -<br>
> - ZeroMem (&Time, sizeof (EFI_TIME));<br>
> - Status = gRT->GetTime (&Time, NULL);<br>
> - if (EFI_ERROR (Status)) {<br>
> - FreePool(NewData);<br>
> - return Status;<br>
> - }<br>
> - Time.Pad1 = 0;<br>
> - Time.Nanosecond = 0;<br>
> - Time.TimeZone = 0;<br>
> - Time.Daylight = 0;<br>
> - Time.Pad2 = 0;<br>
> - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));<br>
> -<br>
> - DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);<br>
> - DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;<br>
> - DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;<br>
> - CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);<br>
> -<br>
> - if (Payload != NULL) {<br>
> - FreePool(Payload);<br>
> - }<br>
> -<br>
> - *DataSize = DescriptorSize + PayloadSize;<br>
> - *Data = NewData;<br>
> - return EFI_SUCCESS;<br>
> -}<br>
> -<br>
> -/**<br>
> - Internal helper function to delete a Variable given its name and GUID, NO authentication<br>
> - required.<br>
> -<br>
> - @param[in] VariableName Name of the Variable.<br>
> - @param[in] VendorGuid GUID of the Variable.<br>
> -<br>
> - @retval EFI_SUCCESS Variable deleted successfully.<br>
> - @retval Others The driver failed to start the device.<br>
> -<br>
> -**/<br>
> -EFI_STATUS<br>
> -DeleteVariable (<br>
> - IN CHAR16 *VariableName,<br>
> - IN EFI_GUID *VendorGuid<br>
> - )<br>
> -{<br>
> - EFI_STATUS Status;<br>
> - VOID* Variable;<br>
> - UINT8 *Data;<br>
> - UINTN DataSize;<br>
> - UINT32 Attr;<br>
> -<br>
> - GetVariable2 (VariableName, VendorGuid, &Variable, NULL);<br>
> - if (Variable == NULL) {<br>
> - return EFI_SUCCESS;<br>
> - }<br>
> - FreePool (Variable);<br>
> -<br>
> - Data = NULL;<br>
> - DataSize = 0;<br>
> - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS<br>
> - | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;<br>
> -<br>
> - Status = CreateTimeBasedPayload (&DataSize, &Data);<br>
> - if (EFI_ERROR (Status)) {<br>
> - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));<br>
> - return Status;<br>
> - }<br>
> -<br>
> - Status = gRT->SetVariable (<br>
> - VariableName,<br>
> - VendorGuid,<br>
> - Attr,<br>
> - DataSize,<br>
> - Data<br>
> - );<br>
> - if (Data != NULL) {<br>
> - FreePool (Data);<br>
> - }<br>
> - return Status;<br>
> -}<br>
> -<br>
> -/**<br>
> -<br>
> - Set the platform secure boot mode into "Custom" or "Standard" mode.<br>
> -<br>
> - @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or<br>
> - CUSTOM_SECURE_BOOT_MODE.<br>
> -<br>
> - @return EFI_SUCCESS The platform has switched to the special mode successfully.<br>
> - @return other Fail to operate the secure boot mode.<br>
> -<br>
> -**/<br>
> -EFI_STATUS<br>
> -SetSecureBootMode (<br>
> - IN UINT8 SecureBootMode<br>
> - )<br>
> -{<br>
> - return gRT->SetVariable (<br>
> - EFI_CUSTOM_MODE_NAME,<br>
> - &gEfiCustomModeEnableGuid,<br>
> - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,<br>
> - sizeof (UINT8),<br>
> - &SecureBootMode<br>
> - );<br>
> -}<br>
> -<br>
> /**<br>
> This code checks if the encode type and key strength of X.509<br>
> certificate is qualified.<br>
> @@ -646,32 +485,6 @@ ON_EXIT:<br>
> return Status;<br>
> }<br>
> <br>
> -/**<br>
> - Remove the PK variable.<br>
> -<br>
> - @retval EFI_SUCCESS Delete PK successfully.<br>
> - @retval Others Could not allow to delete PK.<br>
> -<br>
> -**/<br>
> -EFI_STATUS<br>
> -DeletePlatformKey (<br>
> - VOID<br>
> -)<br>
> -{<br>
> - EFI_STATUS Status;<br>
> -<br>
> - Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);<br>
> - if (EFI_ERROR (Status)) {<br>
> - return Status;<br>
> - }<br>
> -<br>
> - Status = DeleteVariable (<br>
> - EFI_PLATFORM_KEY_NAME,<br>
> - &gEfiGlobalVariableGuid<br>
> - );<br>
> - return Status;<br>
> -}<br>
> -<br>
> /**<br>
> Enroll a new KEK item from public key storing file (*.pbk).<br>
> <br>
> diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni<br>
> new file mode 100644<br>
> index 0000000000..2c51e4db53<br>
> --- /dev/null<br>
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni<br>
> @@ -0,0 +1,16 @@<br>
> +// /** @file<br>
> +//<br>
> +// Provides initialization of Secure Boot keys and databases.<br>
> +//<br>
> +// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR><br>
> +// Copyright (c) 2021, Semihalf All rights reserved.<BR><br>
> +//<br>
> +// SPDX-License-Identifier: BSD-2-Clause-Patent<br>
> +//<br>
> +// **/<br>
> +<br>
> +<br>
> +#string STR_MODULE_ABSTRACT #language en-US "Provides function to initialize PK, KEK and databases based on default variables."<br>
> +<br>
> +#string STR_MODULE_DESCRIPTION #language en-US "Provides function to initialize PK, KEK and databases based on default variables."<br>
> +<br>
> <br>
<br>
Reviewed-by: Pete Batard <pete@akeo.ie><br>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4<br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>
<div width="1" style="color:white;clear:both">_._,_._,_</div> <hr> Groups.io Links:<p> You receive all messages sent to this group. <p> <a target="_blank" href="https://edk2.groups.io/g/devel/message/75998">View/Reply Online (#75998)</a> | | <a target="_blank" href="https://groups.io/mt/83267641/1813853">Mute This Topic</a> | <a href="https://edk2.groups.io/g/devel/post">New Topic</a><br> <a href="https://edk2.groups.io/g/devel/editsub/1813853">Your Subscription</a> | <a href="mailto:devel+owner@edk2.groups.io">Contact Group Owner</a> | <a href="https://edk2.groups.io/g/devel/unsub">Unsubscribe</a> [edk2-devel-archive@redhat.com]<br> <div width="1" style="color:white;clear:both">_._,_._,_</div>