<div dir="ltr"><div dir="ltr"><div>Hi Grzegorz,</div><div>I tried this patch, but I cannot enroll the DBX downloaded from here: <br><div><a href="https://uefi.org/revocationlistfile">https://uefi.org/revocationlistfile</a></div></div><div><br></div><div>Is it even possible with current code? Did you test DBX enrollment as well using the revocation list file?<br></div><div><br></div><div>Regards,</div><div>Patrick<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Aug 2, 2021 at 12:47 PM Grzegorz Bernacki <<a href="mailto:gjb@semihalf.com">gjb@semihalf.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">This commits add library, which consist functions to<br>
enrolll Secure Boot keys and initialize Secure Boot<br>
default variables. Some of the functions was moved<br>
from SecureBootConfigImpl.c file.<br>
<br>
Signed-off-by: Grzegorz Bernacki <<a href="mailto:gjb@semihalf.com" target="_blank">gjb@semihalf.com</a>><br>
Reviewed-by: Sunny Wang <<a href="mailto:sunny.wang@arm.com" target="_blank">sunny.wang@arm.com</a>><br>
Reviewed-by: Jiewen Yao <<a href="mailto:Jiewen.yao@intel.com" target="_blank">Jiewen.yao@intel.com</a>><br>
---<br>
SecurityPkg/SecurityPkg.dec | 4 +<br>
SecurityPkg/SecurityPkg.dsc | 1 +<br>
SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf | 80 ++++<br>
SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h | 134 ++++++<br>
SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c | 482 ++++++++++++++++++++<br>
SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni | 16 +<br>
6 files changed, 717 insertions(+)<br>
create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf<br>
create mode 100644 SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h<br>
create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c<br>
create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni<br>
<br>
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec<br>
index 8f3710e59f..e30c39f321 100644<br>
--- a/SecurityPkg/SecurityPkg.dec<br>
+++ b/SecurityPkg/SecurityPkg.dec<br>
@@ -91,6 +91,10 @@<br>
## @libraryclass Provides helper functions related to creation/removal Secure Boot variables.<br>
#<br>
SecureBootVariableLib|Include/Library/SecureBootVariableLib.h<br>
+<br>
+ ## @libraryclass Provides support to enroll Secure Boot keys.<br>
+ #<br>
+ SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProvisionLib.h<br>
[Guids]<br>
## Security package token space guid.<br>
# Include/Guid/SecurityPkgTokenSpace.h<br>
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc<br>
index 854f250625..99c227dad2 100644<br>
--- a/SecurityPkg/SecurityPkg.dsc<br>
+++ b/SecurityPkg/SecurityPkg.dsc<br>
@@ -71,6 +71,7 @@<br>
TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf<br>
MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf<br>
SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf<br>
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf<br>
<br>
[LibraryClasses.ARM]<br>
#<br>
diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf<br>
new file mode 100644<br>
index 0000000000..a09abd29ce<br>
--- /dev/null<br>
+++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf<br>
@@ -0,0 +1,80 @@<br>
+## @file<br>
+# Provides initialization of Secure Boot keys and databases.<br>
+#<br>
+# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR><br>
+# Copyright (c) 2021, Semihalf All rights reserved.<BR><br>
+#<br>
+# SPDX-License-Identifier: BSD-2-Clause-Patent<br>
+#<br>
+##<br>
+<br>
+[Defines]<br>
+ INF_VERSION = 0x00010005<br>
+ BASE_NAME = SecureBootVariableLib<br>
+ MODULE_UNI_FILE = SecureBootVariableLib.uni<br>
+ FILE_GUID = 18192DD0-9430-45F1-80C7-5C52061CD183<br>
+ MODULE_TYPE = DXE_DRIVER<br>
+ VERSION_STRING = 1.0<br>
+ LIBRARY_CLASS = SecureBootVariableProvisionLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION<br>
+<br>
+#<br>
+# The following information is for reference only and not required by the build tools.<br>
+#<br>
+# VALID_ARCHITECTURES = IA32 X64 AARCH64<br>
+#<br>
+<br>
+[Sources]<br>
+ SecureBootVariableProvisionLib.c<br>
+<br>
+[Packages]<br>
+ MdePkg/MdePkg.dec<br>
+ MdeModulePkg/MdeModulePkg.dec<br>
+ SecurityPkg/SecurityPkg.dec<br>
+ CryptoPkg/CryptoPkg.dec<br>
+<br>
+[LibraryClasses]<br>
+ BaseLib<br>
+ BaseMemoryLib<br>
+ DebugLib<br>
+ MemoryAllocationLib<br>
+ BaseCryptLib<br>
+ DxeServicesLib<br>
+ SecureBootVariableLib<br>
+<br>
+[Guids]<br>
+ ## CONSUMES ## Variable:L"SetupMode"<br>
+ ## PRODUCES ## Variable:L"SetupMode"<br>
+ ## CONSUMES ## Variable:L"SecureBoot"<br>
+ ## PRODUCES ## Variable:L"SecureBoot"<br>
+ ## PRODUCES ## Variable:L"PK"<br>
+ ## PRODUCES ## Variable:L"KEK"<br>
+ ## CONSUMES ## Variable:L"PKDefault"<br>
+ ## CONSUMES ## Variable:L"KEKDefault"<br>
+ ## CONSUMES ## Variable:L"dbDefault"<br>
+ ## CONSUMES ## Variable:L"dbxDefault"<br>
+ ## CONSUMES ## Variable:L"dbtDefault"<br>
+ gEfiGlobalVariableGuid<br>
+<br>
+ ## SOMETIMES_CONSUMES ## Variable:L"DB"<br>
+ ## SOMETIMES_CONSUMES ## Variable:L"DBX"<br>
+ ## SOMETIMES_CONSUMES ## Variable:L"DBT"<br>
+ gEfiImageSecurityDatabaseGuid<br>
+<br>
+ ## CONSUMES ## Variable:L"SecureBootEnable"<br>
+ ## PRODUCES ## Variable:L"SecureBootEnable"<br>
+ gEfiSecureBootEnableDisableGuid<br>
+<br>
+ ## CONSUMES ## Variable:L"CustomMode"<br>
+ ## PRODUCES ## Variable:L"CustomMode"<br>
+ gEfiCustomModeEnableGuid<br>
+<br>
+ gEfiCertTypeRsa2048Sha256Guid ## CONSUMES<br>
+ gEfiCertX509Guid ## CONSUMES<br>
+ gEfiCertPkcs7Guid ## CONSUMES<br>
+<br>
+ gDefaultPKFileGuid<br>
+ gDefaultKEKFileGuid<br>
+ gDefaultdbFileGuid<br>
+ gDefaultdbxFileGuid<br>
+ gDefaultdbtFileGuid<br>
+<br>
diff --git a/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h<br>
new file mode 100644<br>
index 0000000000..ba8009b5cd<br>
--- /dev/null<br>
+++ b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h<br>
@@ -0,0 +1,134 @@<br>
+/** @file<br>
+ Provides a functions to enroll keys based on default values.<br>
+<br>
+Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR><br>
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR><br>
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR><br>
+Copyright (c) 2021, Semihalf All rights reserved.<BR><br>
+SPDX-License-Identifier: BSD-2-Clause-Patent<br>
+<br>
+**/<br>
+<br>
+#ifndef SECURE_BOOT_VARIABLE_PROVISION_LIB_H_<br>
+#define SECURE_BOOT_VARIABLE_PROVISION_LIB_H_<br>
+<br>
+/**<br>
+ Sets the content of the 'db' variable based on 'dbDefault' variable content.<br>
+<br>
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
+ while VendorGuid is NULL.<br>
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()<br>
+--*/<br>
+EFI_STATUS<br>
+EFIAPI<br>
+EnrollDbFromDefault (<br>
+ VOID<br>
+);<br>
+<br>
+/**<br>
+ Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.<br>
+<br>
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
+ while VendorGuid is NULL.<br>
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()<br>
+--*/<br>
+EFI_STATUS<br>
+EFIAPI<br>
+EnrollDbxFromDefault (<br>
+ VOID<br>
+);<br>
+<br>
+/**<br>
+ Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.<br>
+<br>
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
+ while VendorGuid is NULL.<br>
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()<br>
+--*/<br>
+EFI_STATUS<br>
+EFIAPI<br>
+EnrollDbtFromDefault (<br>
+ VOID<br>
+);<br>
+<br>
+/**<br>
+ Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.<br>
+<br>
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
+ while VendorGuid is NULL.<br>
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()<br>
+--*/<br>
+EFI_STATUS<br>
+EFIAPI<br>
+EnrollKEKFromDefault (<br>
+ VOID<br>
+);<br>
+<br>
+/**<br>
+ Sets the content of the 'PK' variable based on 'PKDefault' variable content.<br>
+<br>
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
+ while VendorGuid is NULL.<br>
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()<br>
+--*/<br>
+EFI_STATUS<br>
+EFIAPI<br>
+EnrollPKFromDefault (<br>
+ VOID<br>
+);<br>
+<br>
+/**<br>
+ Initializes PKDefault variable with data from FFS section.<br>
+<br>
+ @retval EFI_SUCCESS Variable was initialized successfully.<br>
+ @retval EFI_UNSUPPORTED Variable already exists.<br>
+--*/<br>
+EFI_STATUS<br>
+SecureBootInitPKDefault (<br>
+ IN VOID<br>
+ );<br>
+<br>
+/**<br>
+ Initializes KEKDefault variable with data from FFS section.<br>
+<br>
+ @retval EFI_SUCCESS Variable was initialized successfully.<br>
+ @retval EFI_UNSUPPORTED Variable already exists.<br>
+--*/<br>
+EFI_STATUS<br>
+SecureBootInitKEKDefault (<br>
+ IN VOID<br>
+ );<br>
+<br>
+/**<br>
+ Initializes dbDefault variable with data from FFS section.<br>
+<br>
+ @retval EFI_SUCCESS Variable was initialized successfully.<br>
+ @retval EFI_UNSUPPORTED Variable already exists.<br>
+--*/<br>
+EFI_STATUS<br>
+SecureBootInitDbDefault (<br>
+ IN VOID<br>
+ );<br>
+<br>
+/**<br>
+ Initializes dbtDefault variable with data from FFS section.<br>
+<br>
+ @retval EFI_SUCCESS Variable was initialized successfully.<br>
+ @retval EFI_UNSUPPORTED Variable already exists.<br>
+--*/<br>
+EFI_STATUS<br>
+SecureBootInitDbtDefault (<br>
+ IN VOID<br>
+ );<br>
+<br>
+/**<br>
+ Initializes dbxDefault variable with data from FFS section.<br>
+<br>
+ @retval EFI_SUCCESS Variable was initialized successfully.<br>
+ @retval EFI_UNSUPPORTED Variable already exists.<br>
+--*/<br>
+EFI_STATUS<br>
+SecureBootInitDbxDefault (<br>
+ IN VOID<br>
+ );<br>
+#endif<br>
diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c<br>
new file mode 100644<br>
index 0000000000..848f7ce929<br>
--- /dev/null<br>
+++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c<br>
@@ -0,0 +1,482 @@<br>
+/** @file<br>
+ This library provides functions to set/clear Secure Boot<br>
+ keys and databases.<br>
+<br>
+ Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR><br>
+ (C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR><br>
+ Copyright (c) 2021, ARM Ltd. All rights reserved.<BR><br>
+ Copyright (c) 2021, Semihalf All rights reserved.<BR><br>
+ SPDX-License-Identifier: BSD-2-Clause-Patent<br>
+**/<br>
+#include <Guid/GlobalVariable.h><br>
+#include <Guid/AuthenticatedVariableFormat.h><br>
+#include <Guid/ImageAuthentication.h><br>
+#include <Library/BaseLib.h><br>
+#include <Library/BaseMemoryLib.h><br>
+#include <Library/DebugLib.h><br>
+#include <Library/UefiLib.h><br>
+#include <Library/MemoryAllocationLib.h><br>
+#include <Library/UefiRuntimeServicesTableLib.h><br>
+#include <Library/SecureBootVariableLib.h><br>
+#include <Library/SecureBootVariableProvisionLib.h><br>
+<br>
+/**<br>
+ Enroll a key/certificate based on a default variable.<br>
+<br>
+ @param[in] VariableName The name of the key/database.<br>
+ @param[in] DefaultName The name of the default variable.<br>
+ @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable<br>
+<br>
+ @retval EFI_OUT_OF_RESOURCES Out of memory while allocating AuthHeader.<br>
+ @retval EFI_SUCCESS Successful enrollment.<br>
+ @return Error codes from GetTime () and SetVariable ().<br>
+**/<br>
+STATIC<br>
+EFI_STATUS<br>
+EnrollFromDefault (<br>
+ IN CHAR16 *VariableName,<br>
+ IN CHAR16 *DefaultName,<br>
+ IN EFI_GUID *VendorGuid<br>
+ )<br>
+{<br>
+ VOID *Data;<br>
+ UINTN DataSize;<br>
+ EFI_STATUS Status;<br>
+<br>
+ Status = EFI_SUCCESS;<br>
+<br>
+ DataSize = 0;<br>
+ Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &DataSize);<br>
+ if (EFI_ERROR (Status)) {<br>
+ DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName, Status));<br>
+ return Status;<br>
+ }<br>
+<br>
+ CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);<br>
+ if (EFI_ERROR (Status)) {<br>
+ DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));<br>
+ return Status;<br>
+ }<br>
+<br>
+ //<br>
+ // Allocate memory for auth variable<br>
+ //<br>
+ Status = gRT->SetVariable (<br>
+ VariableName,<br>
+ VendorGuid,<br>
+ (EFI_VARIABLE_NON_VOLATILE |<br>
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |<br>
+ EFI_VARIABLE_RUNTIME_ACCESS |<br>
+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),<br>
+ DataSize,<br>
+ Data<br>
+ );<br>
+<br>
+ if (EFI_ERROR (Status)) {<br>
+ DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, VariableName,<br>
+ VendorGuid, Status));<br>
+ }<br>
+<br>
+ if (Data != NULL) {<br>
+ FreePool (Data);<br>
+ }<br>
+<br>
+ return Status;<br>
+}<br>
+<br>
+/** Initializes PKDefault variable with data from FFS section.<br>
+<br>
+ @retval EFI_SUCCESS Variable was initialized successfully.<br>
+ @retval EFI_UNSUPPORTED Variable already exists.<br>
+**/<br>
+EFI_STATUS<br>
+SecureBootInitPKDefault (<br>
+ IN VOID<br>
+ )<br>
+{<br>
+ EFI_SIGNATURE_LIST *EfiSig;<br>
+ UINTN SigListsSize;<br>
+ EFI_STATUS Status;<br>
+ UINT8 *Data;<br>
+ UINTN DataSize;<br>
+<br>
+ //<br>
+ // Check if variable exists, if so do not change it<br>
+ //<br>
+ Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);<br>
+ if (Status == EFI_SUCCESS) {<br>
+ DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));<br>
+ FreePool (Data);<br>
+ return EFI_UNSUPPORTED;<br>
+ }<br>
+<br>
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {<br>
+ return Status;<br>
+ }<br>
+<br>
+ //<br>
+ // Variable does not exist, can be initialized<br>
+ //<br>
+ DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));<br>
+<br>
+ Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiSig);<br>
+ if (EFI_ERROR (Status)) {<br>
+ DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIABLE_NAME));<br>
+ return Status;<br>
+ }<br>
+<br>
+ Status = gRT->SetVariable (<br>
+ EFI_PK_DEFAULT_VARIABLE_NAME,<br>
+ &gEfiGlobalVariableGuid,<br>
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,<br>
+ SigListsSize,<br>
+ (VOID *)EfiSig<br>
+ );<br>
+ if (EFI_ERROR (Status)) {<br>
+ DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME));<br>
+ }<br>
+<br>
+ FreePool (EfiSig);<br>
+<br>
+ return Status;<br>
+}<br>
+<br>
+/** Initializes KEKDefault variable with data from FFS section.<br>
+<br>
+ @retval EFI_SUCCESS Variable was initialized successfully.<br>
+ @retval EFI_UNSUPPORTED Variable already exists.<br>
+**/<br>
+EFI_STATUS<br>
+SecureBootInitKEKDefault (<br>
+ IN VOID<br>
+ )<br>
+{<br>
+ EFI_SIGNATURE_LIST *EfiSig;<br>
+ UINTN SigListsSize;<br>
+ EFI_STATUS Status;<br>
+ UINT8 *Data;<br>
+ UINTN DataSize;<br>
+<br>
+ //<br>
+ // Check if variable exists, if so do not change it<br>
+ //<br>
+ Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);<br>
+ if (Status == EFI_SUCCESS) {<br>
+ DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));<br>
+ FreePool (Data);<br>
+ return EFI_UNSUPPORTED;<br>
+ }<br>
+<br>
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {<br>
+ return Status;<br>
+ }<br>
+<br>
+ //<br>
+ // Variable does not exist, can be initialized<br>
+ //<br>
+ DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VARIABLE_NAME));<br>
+<br>
+ Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &EfiSig);<br>
+ if (EFI_ERROR (Status)) {<br>
+ DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARIABLE_NAME));<br>
+ return Status;<br>
+ }<br>
+<br>
+<br>
+ Status = gRT->SetVariable (<br>
+ EFI_KEK_DEFAULT_VARIABLE_NAME,<br>
+ &gEfiGlobalVariableGuid,<br>
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,<br>
+ SigListsSize,<br>
+ (VOID *)EfiSig<br>
+ );<br>
+ if (EFI_ERROR (Status)) {<br>
+ DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAME));<br>
+ }<br>
+<br>
+ FreePool (EfiSig);<br>
+<br>
+ return Status;<br>
+}<br>
+<br>
+/** Initializes dbDefault variable with data from FFS section.<br>
+<br>
+ @retval EFI_SUCCESS Variable was initialized successfully.<br>
+ @retval EFI_UNSUPPORTED Variable already exists.<br>
+**/<br>
+EFI_STATUS<br>
+SecureBootInitDbDefault (<br>
+ IN VOID<br>
+ )<br>
+{<br>
+ EFI_SIGNATURE_LIST *EfiSig;<br>
+ UINTN SigListsSize;<br>
+ EFI_STATUS Status;<br>
+ UINT8 *Data;<br>
+ UINTN DataSize;<br>
+<br>
+ Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);<br>
+ if (Status == EFI_SUCCESS) {<br>
+ DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));<br>
+ FreePool (Data);<br>
+ return EFI_UNSUPPORTED;<br>
+ }<br>
+<br>
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {<br>
+ return Status;<br>
+ }<br>
+<br>
+ DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));<br>
+<br>
+ Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiSig);<br>
+ if (EFI_ERROR (Status)) {<br>
+ return Status;<br>
+ }<br>
+<br>
+ Status = gRT->SetVariable (<br>
+ EFI_DB_DEFAULT_VARIABLE_NAME,<br>
+ &gEfiGlobalVariableGuid,<br>
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,<br>
+ SigListsSize,<br>
+ (VOID *)EfiSig<br>
+ );<br>
+ if (EFI_ERROR (Status)) {<br>
+ DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NAME));<br>
+ }<br>
+<br>
+ FreePool (EfiSig);<br>
+<br>
+ return Status;<br>
+}<br>
+<br>
+/** Initializes dbxDefault variable with data from FFS section.<br>
+<br>
+ @retval EFI_SUCCESS Variable was initialized successfully.<br>
+ @retval EFI_UNSUPPORTED Variable already exists.<br>
+**/<br>
+EFI_STATUS<br>
+SecureBootInitDbxDefault (<br>
+ IN VOID<br>
+ )<br>
+{<br>
+ EFI_SIGNATURE_LIST *EfiSig;<br>
+ UINTN SigListsSize;<br>
+ EFI_STATUS Status;<br>
+ UINT8 *Data;<br>
+ UINTN DataSize;<br>
+<br>
+ //<br>
+ // Check if variable exists, if so do not change it<br>
+ //<br>
+ Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);<br>
+ if (Status == EFI_SUCCESS) {<br>
+ DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));<br>
+ FreePool (Data);<br>
+ return EFI_UNSUPPORTED;<br>
+ }<br>
+<br>
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {<br>
+ return Status;<br>
+ }<br>
+<br>
+ //<br>
+ // Variable does not exist, can be initialized<br>
+ //<br>
+ DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));<br>
+<br>
+ Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig);<br>
+ if (EFI_ERROR (Status)) {<br>
+ DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME));<br>
+ return Status;<br>
+ }<br>
+<br>
+ Status = gRT->SetVariable (<br>
+ EFI_DBX_DEFAULT_VARIABLE_NAME,<br>
+ &gEfiGlobalVariableGuid,<br>
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,<br>
+ SigListsSize,<br>
+ (VOID *)EfiSig<br>
+ );<br>
+ if (EFI_ERROR (Status)) {<br>
+ DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME));<br>
+ }<br>
+<br>
+ FreePool (EfiSig);<br>
+<br>
+ return Status;<br>
+}<br>
+<br>
+/** Initializes dbtDefault variable with data from FFS section.<br>
+<br>
+ @retval EFI_SUCCESS Variable was initialized successfully.<br>
+ @retval EFI_UNSUPPORTED Variable already exists.<br>
+**/<br>
+EFI_STATUS<br>
+SecureBootInitDbtDefault (<br>
+ IN VOID<br>
+ )<br>
+{<br>
+ EFI_SIGNATURE_LIST *EfiSig;<br>
+ UINTN SigListsSize;<br>
+ EFI_STATUS Status;<br>
+ UINT8 *Data;<br>
+ UINTN DataSize;<br>
+<br>
+ //<br>
+ // Check if variable exists, if so do not change it<br>
+ //<br>
+ Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);<br>
+ if (Status == EFI_SUCCESS) {<br>
+ DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));<br>
+ FreePool (Data);<br>
+ return EFI_UNSUPPORTED;<br>
+ }<br>
+<br>
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {<br>
+ return Status;<br>
+ }<br>
+<br>
+ //<br>
+ // Variable does not exist, can be initialized<br>
+ //<br>
+ DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VARIABLE_NAME));<br>
+<br>
+ Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiSig);<br>
+ if (EFI_ERROR (Status)) {<br>
+ return Status;<br>
+ }<br>
+<br>
+ Status = gRT->SetVariable (<br>
+ EFI_DBT_DEFAULT_VARIABLE_NAME,<br>
+ &gEfiGlobalVariableGuid,<br>
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,<br>
+ SigListsSize,<br>
+ (VOID *)EfiSig<br>
+ );<br>
+ if (EFI_ERROR (Status)) {<br>
+ DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAME));<br>
+ }<br>
+<br>
+ FreePool (EfiSig);<br>
+<br>
+ return EFI_SUCCESS;<br>
+}<br>
+<br>
+/**<br>
+ Sets the content of the 'db' variable based on 'dbDefault' variable content.<br>
+<br>
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
+ while VendorGuid is NULL.<br>
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()<br>
+**/<br>
+EFI_STATUS<br>
+EFIAPI<br>
+EnrollDbFromDefault (<br>
+ VOID<br>
+)<br>
+{<br>
+ EFI_STATUS Status;<br>
+<br>
+ Status = EnrollFromDefault (<br>
+ EFI_IMAGE_SECURITY_DATABASE,<br>
+ EFI_DB_DEFAULT_VARIABLE_NAME,<br>
+ &gEfiImageSecurityDatabaseGuid<br>
+ );<br>
+<br>
+ return Status;<br>
+}<br>
+<br>
+/**<br>
+ Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.<br>
+<br>
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
+ while VendorGuid is NULL.<br>
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()<br>
+**/<br>
+EFI_STATUS<br>
+EFIAPI<br>
+EnrollDbxFromDefault (<br>
+ VOID<br>
+)<br>
+{<br>
+ EFI_STATUS Status;<br>
+<br>
+ Status = EnrollFromDefault (<br>
+ EFI_IMAGE_SECURITY_DATABASE1,<br>
+ EFI_DBX_DEFAULT_VARIABLE_NAME,<br>
+ &gEfiImageSecurityDatabaseGuid<br>
+ );<br>
+<br>
+ return Status;<br>
+}<br>
+<br>
+/**<br>
+ Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.<br>
+<br>
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
+ while VendorGuid is NULL.<br>
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()<br>
+**/<br>
+EFI_STATUS<br>
+EFIAPI<br>
+EnrollDbtFromDefault (<br>
+ VOID<br>
+)<br>
+{<br>
+ EFI_STATUS Status;<br>
+<br>
+ Status = EnrollFromDefault (<br>
+ EFI_IMAGE_SECURITY_DATABASE2,<br>
+ EFI_DBT_DEFAULT_VARIABLE_NAME,<br>
+ &gEfiImageSecurityDatabaseGuid);<br>
+<br>
+ return Status;<br>
+}<br>
+<br>
+/**<br>
+ Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.<br>
+<br>
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
+ while VendorGuid is NULL.<br>
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()<br>
+**/<br>
+EFI_STATUS<br>
+EFIAPI<br>
+EnrollKEKFromDefault (<br>
+ VOID<br>
+)<br>
+{<br>
+ EFI_STATUS Status;<br>
+<br>
+ Status = EnrollFromDefault (<br>
+ EFI_KEY_EXCHANGE_KEY_NAME,<br>
+ EFI_KEK_DEFAULT_VARIABLE_NAME,<br>
+ &gEfiGlobalVariableGuid<br>
+ );<br>
+<br>
+ return Status;<br>
+}<br>
+<br>
+/**<br>
+ Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.<br>
+<br>
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails<br>
+ while VendorGuid is NULL.<br>
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()<br>
+**/<br>
+EFI_STATUS<br>
+EFIAPI<br>
+EnrollPKFromDefault (<br>
+ VOID<br>
+)<br>
+{<br>
+ EFI_STATUS Status;<br>
+<br>
+ Status = EnrollFromDefault (<br>
+ EFI_PLATFORM_KEY_NAME,<br>
+ EFI_PK_DEFAULT_VARIABLE_NAME,<br>
+ &gEfiGlobalVariableGuid<br>
+ );<br>
+<br>
+ return Status;<br>
+}<br>
diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni<br>
new file mode 100644<br>
index 0000000000..68d928ef30<br>
--- /dev/null<br>
+++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni<br>
@@ -0,0 +1,16 @@<br>
+// /** @file<br>
+//<br>
+// Provides initialization of Secure Boot keys and databases.<br>
+//<br>
+// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR><br>
+// Copyright (c) 2021, Semihalf All rights reserved.<BR><br>
+//<br>
+// SPDX-License-Identifier: BSD-2-Clause-Patent<br>
+//<br>
+// **/<br>
+<br>
+<br>
+#string STR_MODULE_ABSTRACT #language en-US "Provides functions to initialize PK, KEK and databases based on default variables."<br>
+<br>
+#string STR_MODULE_DESCRIPTION #language en-US "Provides functions to initialize PK, KEK and databases based on default variables."<br>
+<br>
-- <br>
2.25.1<br>
<br>
<br>
<br>
<br>
<br>
<br>
</blockquote></div></div>
<div width="1" style="color:white;clear:both">_._,_._,_</div> <hr> Groups.io Links:<p> You receive all messages sent to this group. <p> <a target="_blank" href="https://edk2.groups.io/g/devel/message/79766">View/Reply Online (#79766)</a> | | <a target="_blank" href="https://groups.io/mt/84608356/1813853">Mute This Topic</a> | <a href="https://edk2.groups.io/g/devel/post">New Topic</a><br> <a href="https://edk2.groups.io/g/devel/editsub/1813853">Your Subscription</a> | <a href="mailto:devel+owner@edk2.groups.io">Contact Group Owner</a> | <a href="https://edk2.groups.io/g/devel/unsub">Unsubscribe</a> [edk2-devel-archive@redhat.com]<br> <div width="1" style="color:white;clear:both">_._,_._,_</div>