Blame 0013-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch

From deeaddfb366703c157668588947e5f1767a1193a Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 4 Nov 2014 23:02:55 +0100
Subject: [PATCH] OvmfPkg: EnrollDefaultKeys: application for enrolling default
 keys

This application is meant to be invoked by the management layer, after
booting the UEFI shell and getting a shell prompt on the serial console.
The app enrolls a number of certificates (see below), and then reports
status to the serial console as well. The expected output is "info:
success":

> Shell> EnrollDefaultKeys.efi
> info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
> info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
> info: success
> Shell>

In case of success, the management layer can force off or reboot the VM
(for example with the "reset -s" or "reset -c" UEFI shell commands,
respectively), and start the guest installation with SecureBoot enabled.

PK:
- A unique, static, ad-hoc certificate whose private half has been
  destroyed (more precisely, never saved) and is therefore unusable for
  signing. (The command for creating this certificate is saved in the
  source code.) Background:

On 09/30/14 20:00, Peter Jones wrote:
> We should generate a special key that's not in our normal signing chains
> for PK and KEK.  The reason for this is that [in practice] PK gets
> treated as part of DB (*).
>
> [Shipping a key in our normal signing chains] as PK means you can run
> grub directly, in which case it won't have access to the shim protocol.
> When grub is run without the shim protocol registered, it assumes SB is
> disabled and boots without verifying the kernel.  We don't want that to
> be a thing you can do, but allowing that is the inevitable result of
> shipping with any of our normal signing chain in PK or KEK.
>
> (* USRT has actually agreed that since you can escalate to this behavior
> if you have the secret half of a key in KEK or PK anyway, and many
> vendors had already shipped it this way, that it is fine and I think
> even *expected* at this point, even though it wasn't formally in the
> UEFI 2.3.1 Spec that introduced Secure Boot.  I'll try and make sure the
> language reflects that in an upcoming spec revision.)
>
> So let me get SRT to issue a special key to use for PK and KEK.  We can
> use it just for those operations, and make sure it's protected with the
> same processes and controls as our other signing keys.

  Until SRT generates such a key for us, this ad-hoc key should be a good
  placeholder.

KEK:
- same ad-hoc certificate as used for the PK,
- "Microsoft Corporation KEK CA 2011" -- the dbx data in Fedora's dbxtool
  package is signed (indirectly, through a chain) with this; enrolling
  such a KEK should allow guests to install those updates.

DB:
- "Microsoft Windows Production PCA 2011" -- to load Windows 8 and Windows
  Server 2012 R2,
- "Microsoft Corporation UEFI CA 2011" -- to load Linux and signed PCI
  oproms.

*UPDATE*

OvmfPkg: EnrollDefaultKeys: pick up official Red Hat PK/KEK (RHEL only)

Replace the placeholder ExampleCert with a certificate generated and
managed by the Red Hat Security Response Team.

> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 18371740789028339953 (0xfef588e8f396c0f1)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: CN=Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com
>         Validity
>             Not Before: Oct 31 11:15:37 2014 GMT
>             Not After : Oct 25 11:15:37 2037 GMT
>         Subject: CN=Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Comment:
>                 OpenSSL Generated Certificate
>             X509v3 Subject Key Identifier:
>                 3C:E9:60:E3:FF:19:A1:0A:7B:A3:42:F4:8D:42:2E:B4:D5:9C:72:EC
>             X509v3 Authority Key Identifier:
>                 keyid:3C:E9:60:E3:FF:19:A1:0A:7B:A3:42:F4:8D:42:2E:B4:D5:9C:72:EC
>
>     Signature Algorithm: sha256WithRSAEncryption

Notes about the 9ece15a -> c9e5618 rebase:
- resolved conflicts in:
    OvmfPkg/OvmfPkgIa32.dsc
    OvmfPkg/OvmfPkgIa32X64.dsc
    OvmfPkg/OvmfPkgX64.dsc
  due to OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf having
  disappeared in upstream (commit 57446bb9).

Notes about the c9e5618 -> b9ffeab rebase:
- Guid/VariableFormat.h now lives under MdeModulePkg.

Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:

- This patch now squashes the following commits:
  - 014f459c197b OvmfPkg: EnrollDefaultKeys: application for enrolling
                 default keys (RH only)
  - 18422a18d0e9 OvmfPkg/EnrollDefaultKeys: assign Status before reading
                 it (RH only)
  - ddb90568e874 OvmfPkg/EnrollDefaultKeys: silence VS2015x86 warning (RH
                 only)

Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:

- This patch now squashes the following commits:
  - c0b2615a9c0b OvmfPkg: EnrollDefaultKeys: application for enrolling
                 default keys (RH only)
  - 22f4d33d0168 OvmfPkg/EnrollDefaultKeys: update SignatureOwner GUID for
                 Windows HCK (RH)
  - ff7f2c1d870d OvmfPkg/EnrollDefaultKeys: expose CertType parameter of
                 EnrollListOfCerts (RH)
  - aee7b5ba60b4 OvmfPkg/EnrollDefaultKeys: blacklist empty file in dbx
                 for Windows HCK (RH)

- Consequently, OvmfPkg/EnrollDefaultKeys/ is identical to the same
  directory at the "RHEL-7.4" tag (49d06d386736).

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Paolo Bonzini 348500
(cherry picked from commit c0b2615a9c0b4a4be1bffe45681a32915449279d)
Paolo Bonzini 7ae6f1
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Gerd Hoffmann b0c3af
---
Paolo Bonzini 7ae6f1
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 1015 +++++++++++++++++
Paolo Bonzini 7ae6f1
 .../EnrollDefaultKeys/EnrollDefaultKeys.inf   |   52 +
Paolo Bonzini 7ae6f1
 OvmfPkg/OvmfPkgIa32.dsc                       |    4 +
Paolo Bonzini 7ae6f1
 OvmfPkg/OvmfPkgIa32X64.dsc                    |    4 +
Paolo Bonzini 7ae6f1
 OvmfPkg/OvmfPkgX64.dsc                        |    4 +
Paolo Bonzini 348500
 5 files changed, 1079 insertions(+)
Gerd Hoffmann b0c3af
 create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
Gerd Hoffmann b0c3af
 create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
Gerd Hoffmann b0c3af
Gerd Hoffmann b0c3af
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
new file mode 100644
index 0000000000..dd413df12d
--- /dev/null
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -0,0 +1,1015 @@
+/** @file
+  Enroll default PK, KEK, DB.
+
+  Copyright (C) 2014, Red Hat, Inc.
+
+  This program and the accompanying materials are licensed and made available
+  under the terms and conditions of the BSD License which accompanies this
+  distribution. The full text of the license may be found at
+  http://opensource.org/licenses/bsd-license.
+
+  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
+  WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+**/
+#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
+#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
+#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
+#include <Library/BaseMemoryLib.h>               // CopyGuid()
+#include <Library/DebugLib.h>                    // ASSERT()
+#include <Library/MemoryAllocationLib.h>         // FreePool()
+#include <Library/ShellCEntryLib.h>              // ShellAppMain()
+#include <Library/UefiLib.h>                     // AsciiPrint()
+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
+
+//
+// We'll use the certificate below as both Platform Key and as first Key
+// Exchange Key.
+//
+// "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
+// SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
+//
+STATIC CONST UINT8 RedHatPkKek1[] = {
+  0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, 0x02,
+  0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, 0x0d,
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
+  0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22,
+  0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
+  0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45,
+  0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06,
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73,
+  0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61,
+  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
+  0x33, 0x31, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, 0x37,
+  0x31, 0x30, 0x32, 0x35, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x30, 0x51,
+  0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x52, 0x65,
+  0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20,
+  0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45, 0x4b, 0x20,
+  0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a,
+  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,
+  0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, 0x2e,
+  0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
+  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
+  0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x90, 0x1f, 0x84,
+  0x7b, 0x8d, 0xbc, 0xeb, 0x97, 0x26, 0x82, 0x6d, 0x88, 0xab, 0x8a, 0xc9, 0x8c,
+  0x68, 0x70, 0xf9, 0xdf, 0x4b, 0x07, 0xb2, 0x37, 0x83, 0x0b, 0x02, 0xc8, 0x67,
+  0x68, 0x30, 0x9e, 0xe3, 0xf0, 0xf0, 0x99, 0x4a, 0xb8, 0x59, 0x57, 0xc6, 0x41,
+  0xf6, 0x38, 0x8b, 0xfe, 0x66, 0x4c, 0x49, 0xe9, 0x37, 0x37, 0x92, 0x2e, 0x98,
+  0x01, 0x1e, 0x5b, 0x14, 0x50, 0xe6, 0xa8, 0x8d, 0x25, 0x0d, 0xf5, 0x86, 0xe6,
+  0xab, 0x30, 0xcb, 0x40, 0x16, 0xea, 0x8d, 0x8b, 0x16, 0x86, 0x70, 0x43, 0x37,
+  0xf2, 0xce, 0xc0, 0x91, 0xdf, 0x71, 0x14, 0x8e, 0x99, 0x0e, 0x89, 0xb6, 0x4c,
+  0x6d, 0x24, 0x1e, 0x8c, 0xe4, 0x2f, 0x4f, 0x25, 0xd0, 0xba, 0x06, 0xf8, 0xc6,
+  0xe8, 0x19, 0x18, 0x76, 0x73, 0x1d, 0x81, 0x6d, 0xa8, 0xd8, 0x05, 0xcf, 0x3a,
+  0xc8, 0x7b, 0x28, 0xc8, 0x36, 0xa3, 0x16, 0x0d, 0x29, 0x8c, 0x99, 0x9a, 0x68,
+  0xdc, 0xab, 0xc0, 0x4d, 0x8d, 0xbf, 0x5a, 0xbb, 0x2b, 0xa9, 0x39, 0x4b, 0x04,
+  0x97, 0x1c, 0xf9, 0x36, 0xbb, 0xc5, 0x3a, 0x86, 0x04, 0xae, 0xaf, 0xd4, 0x82,
+  0x7b, 0xe0, 0xab, 0xde, 0x49, 0x05, 0x68, 0xfc, 0xf6, 0xae, 0x68, 0x1a, 0x6c,
+  0x90, 0x4d, 0x57, 0x19, 0x3c, 0x64, 0x66, 0x03, 0xf6, 0xc7, 0x52, 0x9b, 0xf7,
+  0x94, 0xcf, 0x93, 0x6a, 0xa1, 0x68, 0xc9, 0xaa, 0xcf, 0x99, 0x6b, 0xbc, 0xaa,
+  0x5e, 0x08, 0xe7, 0x39, 0x1c, 0xf7, 0xf8, 0x0f, 0xba, 0x06, 0x7e, 0xf1, 0xcb,
+  0xe8, 0x76, 0xdd, 0xfe, 0x22, 0xda, 0xad, 0x3a, 0x5e, 0x5b, 0x34, 0xea, 0xb3,
+  0xc9, 0xe0, 0x4d, 0x04, 0x29, 0x7e, 0xb8, 0x60, 0xb9, 0x05, 0xef, 0xb5, 0xd9,
+  0x17, 0x58, 0x56, 0x16, 0x60, 0xb9, 0x30, 0x32, 0xf0, 0x36, 0x4a, 0xc3, 0xf2,
+  0x79, 0x8d, 0x12, 0x40, 0x70, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x7b,
+  0x30, 0x79, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00,
+  0x30, 0x2c, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x0d,
+  0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, 0x47,
+  0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72, 0x74,
+  0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
+  0x0e, 0x04, 0x16, 0x04, 0x14, 0x3c, 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a,
+  0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42, 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30,
+  0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x3c,
+  0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a, 0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42,
+  0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
+  0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
+  0x5c, 0x4d, 0x92, 0x88, 0xb4, 0x82, 0x5f, 0x1d, 0xad, 0x8b, 0x11, 0xec, 0xdf,
+  0x06, 0xa6, 0x7a, 0xa5, 0x2b, 0x9f, 0x37, 0x55, 0x0c, 0x8d, 0x6e, 0x05, 0x00,
+  0xad, 0xb7, 0x0c, 0x41, 0x89, 0x69, 0xcf, 0xd6, 0x65, 0x06, 0x9b, 0x51, 0x78,
+  0xd2, 0xad, 0xc7, 0xbf, 0x9c, 0xdc, 0x05, 0x73, 0x7f, 0xe7, 0x1e, 0x39, 0x13,
+  0xb4, 0xea, 0xb6, 0x30, 0x7d, 0x40, 0x75, 0xab, 0x9c, 0x43, 0x0b, 0xdf, 0xb0,
+  0xc2, 0x1b, 0xbf, 0x30, 0xe0, 0xf4, 0xfe, 0xc0, 0xdb, 0x62, 0x21, 0x98, 0xf6,
+  0xc5, 0xaf, 0xde, 0x3b, 0x4f, 0x49, 0x0a, 0xe6, 0x1e, 0xf9, 0x86, 0xb0, 0x3f,
+  0x0d, 0xd6, 0xd4, 0x46, 0x37, 0xdb, 0x54, 0x74, 0x5e, 0xff, 0x11, 0xc2, 0x60,
+  0xc6, 0x70, 0x58, 0xc5, 0x1c, 0x6f, 0xec, 0xb2, 0xd8, 0x6e, 0x6f, 0xc3, 0xbc,
+  0x33, 0x87, 0x38, 0xa4, 0xf3, 0x44, 0x64, 0x9c, 0x34, 0x3b, 0x28, 0x94, 0x26,
+  0x78, 0x27, 0x9f, 0x16, 0x17, 0xe8, 0x3b, 0x69, 0x0a, 0x25, 0xa9, 0x73, 0x36,
+  0x7e, 0x9e, 0x37, 0x5c, 0xec, 0xe8, 0x3f, 0xdb, 0x91, 0xf9, 0x12, 0xb3, 0x3d,
+  0xce, 0xe7, 0xdd, 0x15, 0xc3, 0xae, 0x8c, 0x05, 0x20, 0x61, 0x9b, 0x95, 0xde,
+  0x9b, 0xaf, 0xfa, 0xb1, 0x5c, 0x1c, 0xe5, 0x97, 0xe7, 0xc3, 0x34, 0x11, 0x85,
+  0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, 0x90,
+  0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, 0xaf,
+  0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, 0x37,
+  0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, 0xb7,
+  0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, 0x43,
+  0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69
+};
+
+//
+// Second KEK: "Microsoft Corporation KEK CA 2011".
+// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
+//
+// "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
+//
+STATIC CONST UINT8 MicrosoftKEK[] = {
+  0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
+  0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
+  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
+  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
+  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
+  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
+  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
+  0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32,
+  0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, 0x30,
+  0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
+  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
+  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
+  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
+  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
+  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06,
+  0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
+  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
+  0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31,
+  0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+  0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
+  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, 0xad,
+  0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, 0x5d,
+  0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, 0xeb,
+  0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, 0xe3,
+  0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, 0x9b,
+  0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, 0xac,
+  0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, 0xc8,
+  0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, 0xc0,
+  0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, 0xe2,
+  0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, 0x89,
+  0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, 0xc2,
+  0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, 0x03,
+  0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, 0x7e,
+  0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, 0xeb,
+  0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, 0x2f,
+  0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, 0xaa,
+  0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, 0x9f,
+  0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, 0xc6,
+  0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, 0xaf,
+  0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, 0x07,
+  0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, 0x30,
+  0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
+  0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,
+  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, 0xa4,
+  0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, 0x5f,
+  0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02,
+  0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
+  0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01,
+  0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
+  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
+  0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, 0x11,
+  0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, 0x30,
+  0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, 0xa0,
+  0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
+  0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e,
+  0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70,
+  0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f,
+  0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f,
+  0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63,
+  0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01,
+  0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
+  0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
+  0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
+  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, 0x74,
+  0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61,
+  0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d,
Paolo Bonzini 348500
+  0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09,
Paolo Bonzini 348500
+  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
Paolo Bonzini 348500
+  0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, 0x2a,
Paolo Bonzini 348500
+  0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, 0x66,
Paolo Bonzini 348500
+  0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, 0x5a,
Paolo Bonzini 348500
+  0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, 0x64,
Paolo Bonzini 348500
+  0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, 0x58,
Paolo Bonzini 348500
+  0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, 0xd0,
Paolo Bonzini 348500
+  0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, 0xf5,
Paolo Bonzini 348500
+  0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, 0xec,
Paolo Bonzini 348500
+  0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, 0xd7,
Paolo Bonzini 348500
+  0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, 0x28,
Paolo Bonzini 348500
+  0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, 0x79,
Paolo Bonzini 348500
+  0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, 0x7b,
Paolo Bonzini 348500
+  0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, 0xd8,
Paolo Bonzini 348500
+  0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, 0x19,
Paolo Bonzini 348500
+  0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, 0x58,
Paolo Bonzini 348500
+  0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, 0x0d,
Paolo Bonzini 348500
+  0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, 0x2d,
Paolo Bonzini 348500
+  0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, 0xc8,
Paolo Bonzini 348500
+  0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, 0x60,
Paolo Bonzini 348500
+  0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, 0xac,
Paolo Bonzini 348500
+  0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, 0x87,
Paolo Bonzini 348500
+  0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, 0xcd,
Paolo Bonzini 348500
+  0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, 0x81,
Paolo Bonzini 348500
+  0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, 0x92,
Paolo Bonzini 348500
+  0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, 0xe0,
Paolo Bonzini 348500
+  0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, 0xaf,
Paolo Bonzini 348500
+  0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, 0xfb,
Paolo Bonzini 348500
+  0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, 0x68,
Paolo Bonzini 348500
+  0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, 0xad,
Paolo Bonzini 348500
+  0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, 0x82,
Paolo Bonzini 348500
+  0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, 0x14,
Paolo Bonzini 348500
+  0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, 0x4f,
Paolo Bonzini 348500
+  0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, 0x9b,
Paolo Bonzini 348500
+  0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, 0xb0,
Paolo Bonzini 348500
+  0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
Paolo Bonzini 348500
+  0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
Paolo Bonzini 348500
+  0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
Paolo Bonzini 348500
+  0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
Paolo Bonzini 348500
+  0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
Paolo Bonzini 348500
+  0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
Paolo Bonzini 348500
+};
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// First DB entry: "Microsoft Windows Production PCA 2011"
Paolo Bonzini 348500
+// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
Paolo Bonzini 348500
+// rooted in this certificate.
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+STATIC CONST UINT8 MicrosoftPCA[] = {
Paolo Bonzini 348500
+  0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
Paolo Bonzini 348500
+  0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
Paolo Bonzini 348500
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
Paolo Bonzini 348500
+  0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
Paolo Bonzini 348500
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
Paolo Bonzini 348500
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
Paolo Bonzini 348500
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
Paolo Bonzini 348500
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
Paolo Bonzini 348500
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
Paolo Bonzini 348500
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30,
Paolo Bonzini 348500
+  0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f,
Paolo Bonzini 348500
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72,
Paolo Bonzini 348500
+  0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
Paolo Bonzini 348500
+  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17,
Paolo Bonzini 348500
+  0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, 0x32,
Paolo Bonzini 348500
+  0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, 0x31,
Paolo Bonzini 348500
+  0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
Paolo Bonzini 348500
+  0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
Paolo Bonzini 348500
+  0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f,
Paolo Bonzini 348500
+  0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52,
Paolo Bonzini 348500
+  0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55,
Paolo Bonzini 348500
+  0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
Paolo Bonzini 348500
+  0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31,
Paolo Bonzini 348500
+  0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, 0x63,
Paolo Bonzini 348500
+  0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77,
Paolo Bonzini 348500
+  0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20,
Paolo Bonzini 348500
+  0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30,
Paolo Bonzini 348500
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
Paolo Bonzini 348500
+  0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
Paolo Bonzini 348500
+  0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, 0xf7,
Paolo Bonzini 348500
+  0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, 0xcb,
Paolo Bonzini 348500
+  0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, 0x8b,
Paolo Bonzini 348500
+  0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, 0xe3,
Paolo Bonzini 348500
+  0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, 0xc0,
Paolo Bonzini 348500
+  0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, 0x74,
Paolo Bonzini 348500
+  0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, 0x67,
Paolo Bonzini 348500
+  0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, 0x53,
Paolo Bonzini 348500
+  0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, 0x23,
Paolo Bonzini 348500
+  0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, 0xa3,
Paolo Bonzini 348500
+  0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, 0xff,
Paolo Bonzini 348500
+  0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, 0xe2,
Paolo Bonzini 348500
+  0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, 0x22,
Paolo Bonzini 348500
+  0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, 0xf3,
Paolo Bonzini 348500
+  0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, 0x2b,
Paolo Bonzini 348500
+  0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, 0xbc,
Paolo Bonzini 348500
+  0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, 0xd6,
Paolo Bonzini 348500
+  0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, 0xe8,
Paolo Bonzini 348500
+  0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, 0xa8,
Paolo Bonzini 348500
+  0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, 0x03,
Paolo Bonzini 348500
+  0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, 0x10,
Paolo Bonzini 348500
+  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
Paolo Bonzini 348500
+  0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
Paolo Bonzini 348500
+  0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, 0xf9,
Paolo Bonzini 348500
+  0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, 0x2b,
Paolo Bonzini 348500
+  0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00,
Paolo Bonzini 348500
+  0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03,
Paolo Bonzini 348500
+  0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03,
Paolo Bonzini 348500
+  0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
Paolo Bonzini 348500
+  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
Paolo Bonzini 348500
+  0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, 0x94,
Paolo Bonzini 348500
+  0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, 0x1d,
Paolo Bonzini 348500
+  0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, 0x45,
Paolo Bonzini 348500
+  0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69,
Paolo Bonzini 348500
+  0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
Paolo Bonzini 348500
+  0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63,
Paolo Bonzini 348500
+  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41,
Paolo Bonzini 348500
+  0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33,
Paolo Bonzini 348500
+  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
Paolo Bonzini 348500
+  0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
Paolo Bonzini 348500
+  0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, 0x3a,
Paolo Bonzini 348500
+  0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
Paolo Bonzini 348500
+  0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65,
Paolo Bonzini 348500
+  0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72,
Paolo Bonzini 348500
+  0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32,
Paolo Bonzini 348500
+  0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
Paolo Bonzini 348500
+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x14,
Paolo Bonzini 348500
+  0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, 0xbc,
Paolo Bonzini 348500
+  0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, 0xd0,
Paolo Bonzini 348500
+  0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, 0x61,
Paolo Bonzini 348500
+  0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, 0xda,
Paolo Bonzini 348500
+  0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, 0x6a,
Paolo Bonzini 348500
+  0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, 0xe2,
Paolo Bonzini 348500
+  0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, 0xea,
Paolo Bonzini 348500
+  0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, 0x30,
Paolo Bonzini 348500
+  0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, 0x86,
Paolo Bonzini 348500
+  0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, 0xc8,
Paolo Bonzini 348500
+  0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, 0xae,
Paolo Bonzini 348500
+  0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, 0xb8,
Paolo Bonzini 348500
+  0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, 0xac,
Paolo Bonzini 348500
+  0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, 0x84,
Paolo Bonzini 348500
+  0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, 0x73,
Paolo Bonzini 348500
+  0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, 0x73,
Paolo Bonzini 348500
+  0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, 0x60,
Paolo Bonzini 348500
+  0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, 0xb6,
Paolo Bonzini 348500
+  0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, 0x2a,
Paolo Bonzini 348500
+  0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, 0xba,
Paolo Bonzini 348500
+  0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, 0xce,
Paolo Bonzini 348500
+  0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, 0x0f,
Paolo Bonzini 348500
+  0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, 0x6e,
Paolo Bonzini 348500
+  0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, 0xd3,
Paolo Bonzini 348500
+  0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, 0x45,
Paolo Bonzini 348500
+  0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, 0xd0,
Paolo Bonzini 348500
+  0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, 0x24,
Paolo Bonzini 348500
+  0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, 0x2c,
Paolo Bonzini 348500
+  0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, 0xdf,
Paolo Bonzini 348500
+  0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, 0x6c,
Paolo Bonzini 348500
+  0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, 0xf2,
Paolo Bonzini 348500
+  0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, 0x5c,
Paolo Bonzini 348500
+  0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, 0x47,
Paolo Bonzini 348500
+  0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, 0x5a,
Paolo Bonzini 348500
+  0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
Paolo Bonzini 348500
+  0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
Paolo Bonzini 348500
+  0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
Paolo Bonzini 348500
+  0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
Paolo Bonzini 348500
+  0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
Paolo Bonzini 348500
+  0x62, 0x1c, 0x59, 0x7e
Paolo Bonzini 348500
+};
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// Second DB entry: "Microsoft Corporation UEFI CA 2011"
Paolo Bonzini 348500
+// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// To verify the "shim" binary and PCI expansion ROMs with.
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+STATIC CONST UINT8 MicrosoftUefiCA[] = {
Paolo Bonzini 348500
+  0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
Paolo Bonzini 348500
+  0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
Paolo Bonzini 348500
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
Paolo Bonzini 348500
+  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
Paolo Bonzini 348500
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
Paolo Bonzini 348500
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
Paolo Bonzini 348500
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
Paolo Bonzini 348500
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
Paolo Bonzini 348500
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
Paolo Bonzini 348500
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
Paolo Bonzini 348500
+  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
Paolo Bonzini 348500
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
Paolo Bonzini 348500
+  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
Paolo Bonzini 348500
+  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
Paolo Bonzini 348500
+  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
Paolo Bonzini 348500
+  0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x32,
Paolo Bonzini 348500
+  0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30,
Paolo Bonzini 348500
+  0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
Paolo Bonzini 348500
+  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
Paolo Bonzini 348500
+  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
Paolo Bonzini 348500
+  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
Paolo Bonzini 348500
+  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
Paolo Bonzini 348500
+  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
Paolo Bonzini 348500
+  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, 0x06,
Paolo Bonzini 348500
+  0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
Paolo Bonzini 348500
+  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
Paolo Bonzini 348500
+  0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31,
Paolo Bonzini 348500
+  0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
Paolo Bonzini 348500
+  0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
Paolo Bonzini 348500
+  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, 0xc7,
Paolo Bonzini 348500
+  0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, 0x43,
Paolo Bonzini 348500
+  0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, 0x73,
Paolo Bonzini 348500
+  0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, 0xd3,
Paolo Bonzini 348500
+  0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, 0x54,
Paolo Bonzini 348500
+  0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, 0x5c,
Paolo Bonzini 348500
+  0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, 0x4f,
Paolo Bonzini 348500
+  0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, 0xae,
Paolo Bonzini 348500
+  0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, 0x1d,
Paolo Bonzini 348500
+  0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, 0xfa,
Paolo Bonzini 348500
+  0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, 0xff,
Paolo Bonzini 348500
+  0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, 0x7b,
Paolo Bonzini 348500
+  0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, 0xe6,
Paolo Bonzini 348500
+  0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, 0x62,
Paolo Bonzini 348500
+  0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, 0x08,
Paolo Bonzini 348500
+  0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, 0xe7,
Paolo Bonzini 348500
+  0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, 0xb2,
Paolo Bonzini 348500
+  0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, 0x7f,
Paolo Bonzini 348500
+  0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, 0x8b,
Paolo Bonzini 348500
+  0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, 0x6a,
Paolo Bonzini 348500
+  0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x76,
Paolo Bonzini 348500
+  0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01,
Paolo Bonzini 348500
+  0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x23,
Paolo Bonzini 348500
+  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, 0x16,
Paolo Bonzini 348500
+  0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, 0x37,
Paolo Bonzini 348500
+  0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, 0x03,
Paolo Bonzini 348500
+  0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, 0xbd,
Paolo Bonzini 348500
+  0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, 0x1b,
Paolo Bonzini 348500
+  0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14,
Paolo Bonzini 348500
+  0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43,
Paolo Bonzini 348500
+  0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
Paolo Bonzini 348500
+  0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
Paolo Bonzini 348500
+  0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
Paolo Bonzini 348500
+  0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58,
Paolo Bonzini 348500
+  0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8,
Paolo Bonzini 348500
+  0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51,
Paolo Bonzini 348500
+  0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
Paolo Bonzini 348500
+  0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
Paolo Bonzini 348500
+  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f,
Paolo Bonzini 348500
+  0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43,
Paolo Bonzini 348500
+  0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f,
Paolo Bonzini 348500
+  0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e,
Paolo Bonzini 348500
+  0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
Paolo Bonzini 348500
+  0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01,
Paolo Bonzini 348500
+  0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
Paolo Bonzini 348500
+  0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
Paolo Bonzini 348500
+  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72,
Paolo Bonzini 348500
+  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50,
Paolo Bonzini 348500
+  0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30,
Paolo Bonzini 348500
+  0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06,
Paolo Bonzini 348500
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
Paolo Bonzini 348500
+  0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, 0x76,
Paolo Bonzini 348500
+  0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, 0xef,
Paolo Bonzini 348500
+  0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, 0x13,
Paolo Bonzini 348500
+  0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, 0x82,
Paolo Bonzini 348500
+  0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, 0x1a,
Paolo Bonzini 348500
+  0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, 0x20,
Paolo Bonzini 348500
+  0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, 0x90,
Paolo Bonzini 348500
+  0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, 0x52,
Paolo Bonzini 348500
+  0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, 0x6d,
Paolo Bonzini 348500
+  0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, 0xaf,
Paolo Bonzini 348500
+  0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, 0x49,
Paolo Bonzini 348500
+  0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, 0x34,
Paolo Bonzini 348500
+  0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, 0x75,
Paolo Bonzini 348500
+  0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, 0xb9,
Paolo Bonzini 348500
+  0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, 0x8f,
Paolo Bonzini 348500
+  0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, 0x8c,
Paolo Bonzini 348500
+  0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, 0x56,
Paolo Bonzini 348500
+  0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, 0xae,
Paolo Bonzini 348500
+  0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, 0x4a,
Paolo Bonzini 348500
+  0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, 0x3c,
Paolo Bonzini 348500
+  0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, 0x59,
Paolo Bonzini 348500
+  0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, 0x3d,
Paolo Bonzini 348500
+  0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, 0x53,
Paolo Bonzini 348500
+  0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, 0x1b,
Paolo Bonzini 348500
+  0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, 0x98,
Paolo Bonzini 348500
+  0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, 0x85,
Paolo Bonzini 348500
+  0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, 0xd2,
Paolo Bonzini 348500
+  0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, 0xe2,
Paolo Bonzini 348500
+  0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, 0x6c,
Paolo Bonzini 348500
+  0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, 0x3b,
Paolo Bonzini 348500
+  0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, 0x27,
Paolo Bonzini 348500
+  0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, 0xa6,
Paolo Bonzini 348500
+  0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, 0x3f,
Paolo Bonzini 348500
+  0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, 0x55,
Paolo Bonzini 348500
+  0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
Paolo Bonzini 348500
+  0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
Paolo Bonzini 348500
+  0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
Paolo Bonzini 348500
+  0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
Paolo Bonzini 348500
+  0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
Paolo Bonzini 348500
+  0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
Paolo Bonzini 348500
+};
Paolo Bonzini 348500
+
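Review bot: The header comments for MicrosoftPCA and MicrosoftUefiCA identify each embedded certificate only by subject name and a SHA1 fingerprint, and give no record of where the DER bytes came from, so a reviewer cannot reproduce the arrays from an authoritative source. Please add the download location or the command used to generate each array, and put a SHA-256 fingerprint next to the SHA1 one. The comments should also record the end of validity: the notAfter UTCTime fields visible in the arrays read 261019185142Z for MicrosoftPCA and 260627213245Z for MicrosoftUefiCA, so both certificates' validity ends in 2026, which anyone maintaining these defaults will want written down.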
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test case
Paolo Bonzini 348500
+// of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit
Paolo Bonzini 348500
+// expects that the "dbx" variable exist.
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// The article at <https://technet.microsoft.com/en-us/library/dn747883.aspx>
Paolo Bonzini 348500
+// writes (excerpt):
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+//    Windows 8.1 Secure Boot Key Creation and Management Guidance
Paolo Bonzini 348500
+//    1. Secure Boot, Windows 8.1 and Key Management
Paolo Bonzini 348500
+//    1.4 Signature Databases (Db and Dbx)
Paolo Bonzini 348500
+//    1.4.3 Forbidden Signature Database (dbx)
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+//    The contents of EFI_IMAGE_SIGNATURE_DATABASE1 dbx must be checked when
Paolo Bonzini 348500
+//    verifying images before checking db and any matches must prevent the
Paolo Bonzini 348500
+//    image from executing. The database may contain multiple certificates,
Paolo Bonzini 348500
+//    keys, and hashes in order to identify forbidden images. The Windows
Paolo Bonzini 348500
+//    Hardware Certification Requirements state that a dbx must be present, so
Paolo Bonzini 348500
+//    any dummy value, such as the SHA-256 hash of 0, may be used as a safe
Paolo Bonzini 348500
+//    placeholder until such time as Microsoft begins delivering dbx updates.
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// The byte array below captures the SHA256 checksum of the empty file,
Paolo Bonzini 348500
+// blacklisting it for loading & execution. This qualifies as a dummy, since
Paolo Bonzini 348500
+// the empty file is not a valid UEFI binary anyway.
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// Technically speaking, we could also capture an official (although soon to be
Paolo Bonzini 348500
+// obsolete) dbx update from <http://www.uefi.org/revocationlistfile>. However,
Paolo Bonzini 348500
+// the terms and conditions on distributing that binary aren't exactly light
Paolo Bonzini 348500
+// reading, so let's best steer clear of it, and follow the "dummy entry"
Paolo Bonzini 348500
+// practice recommended -- in natural English langauge -- in the
Paolo Bonzini 348500
+// above-referenced TechNet article.
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+STATIC CONST UINT8 mSha256OfDevNull[] = {
Paolo Bonzini 348500
+  0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99,
Paolo Bonzini 348500
+  0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95,
Paolo Bonzini 348500
+  0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
Paolo Bonzini 348500
+};
Paolo Bonzini 348500
+
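Review bot: The comment above mSha256OfDevNull explains why a dummy dbx entry satisfies the logo test, but it does not spell out the consequence for a guest enrolled this way: dbx will contain only the SHA256 of the empty file, so no actual revocation is in place until a real dbx update is applied. Please state that in the comment, and ideally in the commit message, so that whoever deploys the resulting variable store knows a dbx update is still needed. Minor: "langauge" in the last paragraph should read "language", and the variable name says DevNull while the comment says "the empty file"; one wording throughout would be clearer.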
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// The following test cases of the Secure Boot Logo Test in the Microsoft
Paolo Bonzini 348500
+// Hardware Certification Kit:
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
Paolo Bonzini 348500
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
Paolo Bonzini 348500
+// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
Paolo Bonzini 348500
+// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
Paolo Bonzini 348500
+// certificates:
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// - "Microsoft Corporation KEK CA 2011" (in KEK)
Paolo Bonzini 348500
+// - "Microsoft Windows Production PCA 2011" (in db)
Paolo Bonzini 348500
+// - "Microsoft Corporation UEFI CA 2011" (in db)
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// This is despite the fact that the UEFI specification requires
Paolo Bonzini 348500
+// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
Paolo Bonzini 348500
+// application or driver) that enrolled and therefore owns
Paolo Bonzini 348500
+// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
Paolo Bonzini 348500
+// EFI_SIGNATURE_DATA.SignatureData.
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+STATIC CONST EFI_GUID mMicrosoftOwnerGuid = {
Paolo Bonzini 348500
+  0x77fa9abd, 0x0359, 0x4d32,
Paolo Bonzini 348500
+  { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
Paolo Bonzini 348500
+};
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// The most important thing about the variable payload is that it is a list of
Paolo Bonzini 348500
+// lists, where the element size of any given *inner* list is constant.
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// Since X509 certificates vary in size, each of our *inner* lists will contain
Paolo Bonzini 348500
+// one element only (one X.509 certificate). This is explicitly mentioned in
Paolo Bonzini 348500
+// the UEFI specification, in "28.4.1 Signature Database", in a Note.
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// The list structure looks as follows:
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// struct EFI_VARIABLE_AUTHENTICATION_2 {                           |
Paolo Bonzini 348500
+//   struct EFI_TIME {                                              |
Paolo Bonzini 348500
+//     UINT16 Year;                                                 |
Paolo Bonzini 348500
+//     UINT8  Month;                                                |
Paolo Bonzini 348500
+//     UINT8  Day;                                                  |
Paolo Bonzini 348500
+//     UINT8  Hour;                                                 |
Paolo Bonzini 348500
+//     UINT8  Minute;                                               |
Paolo Bonzini 348500
+//     UINT8  Second;                                               |
Paolo Bonzini 348500
+//     UINT8  Pad1;                                                 |
Paolo Bonzini 348500
+//     UINT32 Nanosecond;                                           |
Paolo Bonzini 348500
+//     INT16  TimeZone;                                             |
Paolo Bonzini 348500
+//     UINT8  Daylight;                                             |
Paolo Bonzini 348500
+//     UINT8  Pad2;                                                 |
Paolo Bonzini 348500
+//   } TimeStamp;                                                   |
Paolo Bonzini 348500
+//                                                                  |
Paolo Bonzini 348500
+//   struct WIN_CERTIFICATE_UEFI_GUID {                           | |
Paolo Bonzini 348500
+//     struct WIN_CERTIFICATE {                                   | |
Paolo Bonzini 348500
+//       UINT32 dwLength; ----------------------------------------+ |
Paolo Bonzini 348500
+//       UINT16 wRevision;                                        | |
Paolo Bonzini 348500
+//       UINT16 wCertificateType;                                 | |
Paolo Bonzini 348500
+//     } Hdr;                                                     | +- DataSize
Paolo Bonzini 348500
+//                                                                | |
Paolo Bonzini 348500
+//     EFI_GUID CertType;                                         | |
Paolo Bonzini 348500
+//     UINT8    CertData[1] = { <--- "struct hack"                | |
Paolo Bonzini 348500
+//       struct EFI_SIGNATURE_LIST {                            | | |
Paolo Bonzini 348500
+//         EFI_GUID SignatureType;                              | | |
Paolo Bonzini 348500
+//         UINT32   SignatureListSize; -------------------------+ | |
Paolo Bonzini 348500
+//         UINT32   SignatureHeaderSize;                        | | |
Paolo Bonzini 348500
+//         UINT32   SignatureSize; ---------------------------+ | | |
Paolo Bonzini 348500
+//         UINT8    SignatureHeader[SignatureHeaderSize];     | | | |
Paolo Bonzini 348500
+//                                                            v | | |
Paolo Bonzini 348500
+//         struct EFI_SIGNATURE_DATA {                        | | | |
Paolo Bonzini 348500
+//           EFI_GUID SignatureOwner;                         | | | |
Paolo Bonzini 348500
+//           UINT8    SignatureData[1] = { <--- "struct hack" | | | |
Paolo Bonzini 348500
+//             X.509 payload                                  | | | |
Paolo Bonzini 348500
+//           }                                                | | | |
Paolo Bonzini 348500
+//         } Signatures[];                                      | | |
Paolo Bonzini 348500
+//       } SigLists[];                                            | |
Paolo Bonzini 348500
+//     };                                                         | |
Paolo Bonzini 348500
+//   } AuthInfo;                                                  | |
Paolo Bonzini 348500
+// };                                                               |
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+// Given that the "struct hack" invokes undefined behavior (which is why C99
Paolo Bonzini 348500
+// introduced the flexible array member), and because subtracting those pesky
Paolo Bonzini 348500
+// sizes of 1 is annoying, and because the format is fully specified in the
Paolo Bonzini 348500
+// UEFI specification, we'll introduce two matching convenience structures that
Paolo Bonzini 348500
+// are customized for our X.509 purposes.
Paolo Bonzini 348500
+//
Paolo Bonzini 348500
+#pragma pack(1)
Paolo Bonzini 348500
+typedef struct {
Paolo Bonzini 348500
+  EFI_TIME TimeStamp;
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  //
Paolo Bonzini 348500
+  // dwLength covers data below
Paolo Bonzini 348500
+  //
Paolo Bonzini 348500
+  UINT32   dwLength;
Paolo Bonzini 348500
+  UINT16   wRevision;
Paolo Bonzini 348500
+  UINT16   wCertificateType;
Paolo Bonzini 348500
+  EFI_GUID CertType;
Paolo Bonzini 348500
+} SINGLE_HEADER;
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+typedef struct {
Paolo Bonzini 348500
+  //
Paolo Bonzini 348500
+  // SignatureListSize covers data below
Paolo Bonzini 348500
+  //
Paolo Bonzini 348500
+  EFI_GUID SignatureType;
Paolo Bonzini 348500
+  UINT32   SignatureListSize;
Paolo Bonzini 348500
+  UINT32   SignatureHeaderSize; // constant 0
Paolo Bonzini 348500
+  UINT32   SignatureSize;
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  //
Paolo Bonzini 348500
+  // SignatureSize covers data below
Paolo Bonzini 348500
+  //
Paolo Bonzini 348500
+  EFI_GUID SignatureOwner;
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  //
Paolo Bonzini 348500
+  // X.509 certificate follows
Paolo Bonzini 348500
+  //
Paolo Bonzini 348500
+} REPEATING_HEADER;
Paolo Bonzini 348500
+#pragma pack()
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+/**
Paolo Bonzini 348500
+  Enroll a set of certificates in a global variable, overwriting it.
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  The variable will be rewritten with NV+BS+RT+AT attributes.
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  @param[in] VariableName  The name of the variable to overwrite.
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
Paolo Bonzini 348500
+                           overwrite.
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  @param[in] CertType      The GUID determining the type of all the
Paolo Bonzini 348500
+                           certificates in the set that is passed in. For
Paolo Bonzini 348500
+                           example, gEfiCertX509Guid stands for DER-encoded
Paolo Bonzini 348500
+                           X.509 certificates, while gEfiCertSha256Guid stands
Paolo Bonzini 348500
+                           for SHA256 image hashes.
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  @param[in] ...           A list of
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+                             IN CONST UINT8    *Cert,
Paolo Bonzini 348500
+                             IN UINTN          CertSize,
Paolo Bonzini 348500
+                             IN CONST EFI_GUID *OwnerGuid
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+                           triplets. If the first component of a triplet is
Paolo Bonzini 348500
+                           NULL, then the other two components are not
Paolo Bonzini 348500
+                           accessed, and processing is terminated. The list of
Paolo Bonzini 348500
+                           certificates is enrolled in the variable specified,
Paolo Bonzini 348500
+                           overwriting it. The OwnerGuid component identifies
Paolo Bonzini 348500
+                           the agent installing the certificate.
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  @retval EFI_INVALID_PARAMETER  The triplet list is empty (ie. the first Cert
Paolo Bonzini 348500
+                                 value is NULL), or one of the CertSize values
Paolo Bonzini 348500
+                                 is 0, or one of the CertSize values would
Paolo Bonzini 348500
+                                 overflow the accumulated UINT32 data size.
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  @retval EFI_OUT_OF_RESOURCES   Out of memory while formatting variable
Paolo Bonzini 348500
+                                 payload.
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  @retval EFI_SUCCESS            Enrollment successful; the variable has been
Paolo Bonzini 348500
+                                 overwritten (or created).
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  @return                        Error codes from gRT->GetTime() and
Paolo Bonzini 348500
+                                 gRT->SetVariable().
Paolo Bonzini 348500
+**/
Paolo Bonzini 348500
+STATIC
Paolo Bonzini 348500
+EFI_STATUS
Paolo Bonzini 348500
+EFIAPI
Paolo Bonzini 348500
+EnrollListOfCerts (
Paolo Bonzini 348500
+  IN CHAR16   *VariableName,
Paolo Bonzini 348500
+  IN EFI_GUID *VendorGuid,
Paolo Bonzini 348500
+  IN EFI_GUID *CertType,
Paolo Bonzini 348500
+  ...
Paolo Bonzini 348500
+  )
Paolo Bonzini 348500
+{
Paolo Bonzini 348500
+  UINTN            DataSize;
Paolo Bonzini 348500
+  SINGLE_HEADER    *SingleHeader;
Paolo Bonzini 348500
+  REPEATING_HEADER *RepeatingHeader;
Paolo Bonzini 348500
+  VA_LIST          Marker;
Paolo Bonzini 348500
+  CONST UINT8      *Cert;
Paolo Bonzini 348500
+  EFI_STATUS       Status;
Paolo Bonzini 348500
+  UINT8            *Data;
Paolo Bonzini 348500
+  UINT8            *Position;
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  Status = EFI_SUCCESS;
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  //
Paolo Bonzini 348500
+  // compute total size first, for UINT32 range check, and allocation
Paolo Bonzini 348500
+  //
Paolo Bonzini 348500
+  DataSize = sizeof *SingleHeader;
Paolo Bonzini 348500
+  VA_START (Marker, CertType);
Paolo Bonzini 348500
+  for (Cert = VA_ARG (Marker, CONST UINT8 *);
Paolo Bonzini 348500
+       Cert != NULL;
Paolo Bonzini 348500
+       Cert = VA_ARG (Marker, CONST UINT8 *)) {
Paolo Bonzini 348500
+    UINTN          CertSize;
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+    CertSize = VA_ARG (Marker, UINTN);
Paolo Bonzini 348500
+    (VOID)VA_ARG (Marker, CONST EFI_GUID *);
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+    if (CertSize == 0 ||
Paolo Bonzini 348500
+        CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||
Paolo Bonzini 348500
+        DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {
Paolo Bonzini 348500
+      Status = EFI_INVALID_PARAMETER;
Paolo Bonzini 348500
+      break;
Paolo Bonzini 348500
+    }
Paolo Bonzini 348500
+    DataSize += sizeof *RepeatingHeader + CertSize;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+  VA_END (Marker);
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  if (DataSize == sizeof *SingleHeader) {
Paolo Bonzini 348500
+    Status = EFI_INVALID_PARAMETER;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+  if (EFI_ERROR (Status)) {
Paolo Bonzini 348500
+    goto Out;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  Data = AllocatePool (DataSize);
Paolo Bonzini 348500
+  if (Data == NULL) {
Paolo Bonzini 348500
+    Status = EFI_OUT_OF_RESOURCES;
Paolo Bonzini 348500
+    goto Out;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  Position = Data;
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  SingleHeader = (SINGLE_HEADER *)Position;
Paolo Bonzini 348500
+  Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);
Paolo Bonzini 348500
+  if (EFI_ERROR (Status)) {
Paolo Bonzini 348500
+    goto FreeData;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+  SingleHeader->TimeStamp.Pad1       = 0;
Paolo Bonzini 348500
+  SingleHeader->TimeStamp.Nanosecond = 0;
Paolo Bonzini 348500
+  SingleHeader->TimeStamp.TimeZone   = 0;
Paolo Bonzini 348500
+  SingleHeader->TimeStamp.Daylight   = 0;
Paolo Bonzini 348500
+  SingleHeader->TimeStamp.Pad2       = 0;
Paolo Bonzini 348500
+#if 0
Paolo Bonzini 348500
+  SingleHeader->dwLength         = DataSize - sizeof SingleHeader->TimeStamp;
Paolo Bonzini 348500
+#else
Paolo Bonzini 348500
+  //
Paolo Bonzini 348500
+  // This looks like a bug in edk2. According to the UEFI specification,
Paolo Bonzini 348500
+  // dwLength is "The length of the entire certificate, including the length of
Paolo Bonzini 348500
+  // the header, in bytes". That shouldn't stop right after CertType -- it
Paolo Bonzini 348500
+  // should include everything below it.
Paolo Bonzini 348500
+  //
Paolo Bonzini 348500
+  SingleHeader->dwLength         = sizeof *SingleHeader
Paolo Bonzini 348500
+                                     - sizeof SingleHeader->TimeStamp;
Paolo Bonzini 348500
+#endif
Paolo Bonzini 348500
+  SingleHeader->wRevision        = 0x0200;
Paolo Bonzini 348500
+  SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;
Paolo Bonzini 348500
+  CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);
Paolo Bonzini 348500
+  Position += sizeof *SingleHeader;
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  VA_START (Marker, CertType);
Paolo Bonzini 348500
+  for (Cert = VA_ARG (Marker, CONST UINT8 *);
Paolo Bonzini 348500
+       Cert != NULL;
Paolo Bonzini 348500
+       Cert = VA_ARG (Marker, CONST UINT8 *)) {
Paolo Bonzini 348500
+    UINTN            CertSize;
Paolo Bonzini 348500
+    CONST EFI_GUID   *OwnerGuid;
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+    CertSize  = VA_ARG (Marker, UINTN);
Paolo Bonzini 348500
+    OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+    RepeatingHeader = (REPEATING_HEADER *)Position;
Paolo Bonzini 348500
+    CopyGuid (&RepeatingHeader->SignatureType, CertType);
Paolo Bonzini 348500
+    RepeatingHeader->SignatureListSize   =
Paolo Bonzini 348500
+      (UINT32)(sizeof *RepeatingHeader + CertSize);
Paolo Bonzini 348500
+    RepeatingHeader->SignatureHeaderSize = 0;
Paolo Bonzini 348500
+    RepeatingHeader->SignatureSize       =
Paolo Bonzini 348500
+      (UINT32)(sizeof RepeatingHeader->SignatureOwner + CertSize);
Paolo Bonzini 348500
+    CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);
Paolo Bonzini 348500
+    Position += sizeof *RepeatingHeader;
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+    CopyMem (Position, Cert, CertSize);
Paolo Bonzini 348500
+    Position += CertSize;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+  VA_END (Marker);
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  ASSERT (Data + DataSize == Position);
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  Status = gRT->SetVariable (VariableName, VendorGuid,
Paolo Bonzini 348500
+                  (EFI_VARIABLE_NON_VOLATILE |
Paolo Bonzini 348500
+                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
Paolo Bonzini 348500
+                   EFI_VARIABLE_RUNTIME_ACCESS |
Paolo Bonzini 348500
+                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
Paolo Bonzini 348500
+                  DataSize, Data);
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+FreeData:
Paolo Bonzini 348500
+  FreePool (Data);
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+Out:
Paolo Bonzini 348500
+  if (EFI_ERROR (Status)) {
Paolo Bonzini 348500
+    AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
Paolo Bonzini 348500
+      VendorGuid, Status);
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+  return Status;
Paolo Bonzini 348500
+}
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+STATIC
Paolo Bonzini 348500
+EFI_STATUS
Paolo Bonzini 348500
+EFIAPI
Paolo Bonzini 348500
+GetExact (
Paolo Bonzini 348500
+  IN CHAR16   *VariableName,
Paolo Bonzini 348500
+  IN EFI_GUID *VendorGuid,
Paolo Bonzini 348500
+  OUT VOID    *Data,
Paolo Bonzini 348500
+  IN UINTN    DataSize,
Paolo Bonzini 348500
+  IN BOOLEAN  AllowMissing
Paolo Bonzini 348500
+  )
Paolo Bonzini 348500
+{
Paolo Bonzini 348500
+  UINTN      Size;
Paolo Bonzini 348500
+  EFI_STATUS Status;
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  Size = DataSize;
Paolo Bonzini 348500
+  Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);
Paolo Bonzini 348500
+  if (EFI_ERROR (Status)) {
Paolo Bonzini 348500
+    if (Status == EFI_NOT_FOUND && AllowMissing) {
Paolo Bonzini 348500
+      ZeroMem (Data, DataSize);
Paolo Bonzini 348500
+      return EFI_SUCCESS;
Paolo Bonzini 348500
+    }
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+    AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,
Paolo Bonzini 348500
+      VendorGuid, Status);
Paolo Bonzini 348500
+    return Status;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  if (Size != DataSize) {
Paolo Bonzini 348500
+    AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
Paolo Bonzini 348500
+      "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
Paolo Bonzini 348500
+    return EFI_PROTOCOL_ERROR;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  return EFI_SUCCESS;
Paolo Bonzini 348500
+}
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+typedef struct {
Paolo Bonzini 348500
+  UINT8 SetupMode;
Paolo Bonzini 348500
+  UINT8 SecureBoot;
Paolo Bonzini 348500
+  UINT8 SecureBootEnable;
Paolo Bonzini 348500
+  UINT8 CustomMode;
Paolo Bonzini 348500
+  UINT8 VendorKeys;
Paolo Bonzini 348500
+} SETTINGS;
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+STATIC
Paolo Bonzini 348500
+EFI_STATUS
Paolo Bonzini 348500
+EFIAPI
Paolo Bonzini 348500
+GetSettings (
Paolo Bonzini 348500
+  OUT SETTINGS *Settings
Paolo Bonzini 348500
+  )
Paolo Bonzini 348500
+{
Paolo Bonzini 348500
+  EFI_STATUS Status;
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
Paolo Bonzini 348500
+             &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
Paolo Bonzini 348500
+  if (EFI_ERROR (Status)) {
Paolo Bonzini 348500
+    return Status;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,
Paolo Bonzini 348500
+             &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);
Paolo Bonzini 348500
+  if (EFI_ERROR (Status)) {
Paolo Bonzini 348500
+    return Status;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,
Paolo Bonzini 348500
+             &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,
Paolo Bonzini 348500
+             sizeof Settings->SecureBootEnable, TRUE);
Paolo Bonzini 348500
+  if (EFI_ERROR (Status)) {
Paolo Bonzini 348500
+    return Status;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
Paolo Bonzini 348500
+             &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);
Paolo Bonzini 348500
+  if (EFI_ERROR (Status)) {
Paolo Bonzini 348500
+    return Status;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
Paolo Bonzini 348500
+             &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
Paolo Bonzini 348500
+  return Status;
Paolo Bonzini 348500
+}
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+STATIC
Paolo Bonzini 348500
+VOID
Paolo Bonzini 348500
+EFIAPI
Paolo Bonzini 348500
+PrintSettings (
Paolo Bonzini 348500
+  IN CONST SETTINGS *Settings
Paolo Bonzini 348500
+  )
Paolo Bonzini 348500
+{
Paolo Bonzini 348500
+  AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
Paolo Bonzini 348500
+    "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
Paolo Bonzini 348500
+    Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
Paolo Bonzini 348500
+}
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+INTN
Paolo Bonzini 348500
+EFIAPI
Paolo Bonzini 348500
+ShellAppMain (
Paolo Bonzini 348500
+  IN UINTN  Argc,
Paolo Bonzini 348500
+  IN CHAR16 **Argv
Paolo Bonzini 348500
+  )
Paolo Bonzini 348500
+{
Paolo Bonzini 348500
+  EFI_STATUS Status;
Paolo Bonzini 348500
+  SETTINGS   Settings;
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  Status = GetSettings (&Settings);
Paolo Bonzini 348500
+  if (EFI_ERROR (Status)) {
Paolo Bonzini 348500
+    return 1;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+  PrintSettings (&Settings);
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  if (Settings.SetupMode != 1) {
Paolo Bonzini 348500
+    AsciiPrint ("error: already in User Mode\n");
Paolo Bonzini 348500
+    return 1;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
Paolo Bonzini 348500
+    Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
Paolo Bonzini 348500
+    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
Paolo Bonzini 348500
+                    (EFI_VARIABLE_NON_VOLATILE |
Paolo Bonzini 348500
+                     EFI_VARIABLE_BOOTSERVICE_ACCESS),
Paolo Bonzini 348500
+                    sizeof Settings.CustomMode, &Settings.CustomMode);
Paolo Bonzini 348500
+    if (EFI_ERROR (Status)) {
Paolo Bonzini 348500
+      AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
Paolo Bonzini 348500
+        &gEfiCustomModeEnableGuid, Status);
Paolo Bonzini 348500
+      return 1;
Paolo Bonzini 348500
+    }
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  Status = EnrollListOfCerts (
Paolo Bonzini 348500
+             EFI_IMAGE_SECURITY_DATABASE,
Paolo Bonzini 348500
+             &gEfiImageSecurityDatabaseGuid,
Paolo Bonzini 348500
+             &gEfiCertX509Guid,
Paolo Bonzini 348500
+             MicrosoftPCA,    sizeof MicrosoftPCA,    &mMicrosoftOwnerGuid,
Paolo Bonzini 348500
+             MicrosoftUefiCA, sizeof MicrosoftUefiCA, &mMicrosoftOwnerGuid,
Paolo Bonzini 348500
+             NULL);
Paolo Bonzini 348500
+  if (EFI_ERROR (Status)) {
Paolo Bonzini 348500
+    return 1;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  Status = EnrollListOfCerts (
Paolo Bonzini 348500
+             EFI_IMAGE_SECURITY_DATABASE1,
Paolo Bonzini 348500
+             &gEfiImageSecurityDatabaseGuid,
Paolo Bonzini 348500
+             &gEfiCertSha256Guid,
Paolo Bonzini 348500
+             mSha256OfDevNull, sizeof mSha256OfDevNull, &gEfiCallerIdGuid,
Paolo Bonzini 348500
+             NULL);
Paolo Bonzini 348500
+  if (EFI_ERROR (Status)) {
Paolo Bonzini 348500
+    return 1;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  Status = EnrollListOfCerts (
Paolo Bonzini 348500
+             EFI_KEY_EXCHANGE_KEY_NAME,
Paolo Bonzini 348500
+             &gEfiGlobalVariableGuid,
Paolo Bonzini 348500
+             &gEfiCertX509Guid,
Paolo Bonzini 348500
+             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiCallerIdGuid,
Paolo Bonzini 348500
+             MicrosoftKEK, sizeof MicrosoftKEK, &mMicrosoftOwnerGuid,
Paolo Bonzini 348500
+             NULL);
Paolo Bonzini 348500
+  if (EFI_ERROR (Status)) {
Paolo Bonzini 348500
+    return 1;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  Status = EnrollListOfCerts (
Paolo Bonzini 348500
+             EFI_PLATFORM_KEY_NAME,
Paolo Bonzini 348500
+             &gEfiGlobalVariableGuid,
Paolo Bonzini 348500
+             &gEfiCertX509Guid,
Paolo Bonzini 348500
+             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiGlobalVariableGuid,
Paolo Bonzini 348500
+             NULL);
Paolo Bonzini 348500
+  if (EFI_ERROR (Status)) {
Paolo Bonzini 348500
+    return 1;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
Paolo Bonzini 348500
+  Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
Paolo Bonzini 348500
+                  EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
Paolo Bonzini 348500
+                  sizeof Settings.CustomMode, &Settings.CustomMode);
Paolo Bonzini 348500
+  if (EFI_ERROR (Status)) {
Paolo Bonzini 348500
+    AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
Paolo Bonzini 348500
+      &gEfiCustomModeEnableGuid, Status);
Paolo Bonzini 348500
+    return 1;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  Status = GetSettings (&Settings);
Paolo Bonzini 348500
+  if (EFI_ERROR (Status)) {
Paolo Bonzini 348500
+    return 1;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+  PrintSettings (&Settings);
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
Paolo Bonzini 348500
+      Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
Paolo Bonzini 348500
+      Settings.VendorKeys != 0) {
Paolo Bonzini 348500
+    AsciiPrint ("error: unexpected\n");
Paolo Bonzini 348500
+    return 1;
Paolo Bonzini 348500
+  }
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+  AsciiPrint ("info: success\n");
Paolo Bonzini 348500
+  return 0;
Paolo Bonzini 348500
+}
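Review bot: ShellAppMain returns without restoring CustomMode on every error path that follows the first SetVariable of EFI_CUSTOM_MODE_NAME. Once CustomMode has been written as CUSTOM_SECURE_BOOT_MODE (with EFI_VARIABLE_NON_VOLATILE), each failing EnrollListOfCerts call does `return 1` directly, so a failure while writing db, dbx, KEK or PK leaves the variable in the state this function itself treats as temporary, with whichever databases were already overwritten left in place. Consider sending those failures through a common exit label that writes STANDARD_SECURE_BOOT_MODE back before returning, and printing which variable failed so the management layer can tell that the store is partially populated. In EnrollListOfCerts, the `#if 0` branch and its "looks like a bug in edk2" comment carry no reference to a bug report; a pointer would tell the next reader when the shorter dwLength can be dropped. Minor: "langauge" in the dbx comment should read "language".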
Gerd Hoffmann b0c3af
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
Gerd Hoffmann b0c3af
new file mode 100644
9fc821
index 0000000000..0ad86a2843
Gerd Hoffmann b0c3af
--- /dev/null
Gerd Hoffmann b0c3af
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
Paolo Bonzini 348500
@@ -0,0 +1,52 @@
Paolo Bonzini 348500
+## @file
Paolo Bonzini 348500
+#  Enroll default PK, KEK, DB.
Paolo Bonzini 348500
+#
Paolo Bonzini 348500
+#  Copyright (C) 2014, Red Hat, Inc.
Paolo Bonzini 348500
+#
Paolo Bonzini 348500
+#  This program and the accompanying materials are licensed and made available
Paolo Bonzini 348500
+#  under the terms and conditions of the BSD License which accompanies this
Paolo Bonzini 348500
+#  distribution. The full text of the license may be found at
Paolo Bonzini 348500
+#  http://opensource.org/licenses/bsd-license.
Paolo Bonzini 348500
+#
Paolo Bonzini 348500
+#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
Paolo Bonzini 348500
+#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
Paolo Bonzini 348500
+#  IMPLIED.
Paolo Bonzini 348500
+##
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+[Defines]
Paolo Bonzini 348500
+  INF_VERSION                    = 0x00010006
Paolo Bonzini 348500
+  BASE_NAME                      = EnrollDefaultKeys
Paolo Bonzini 348500
+  FILE_GUID                      = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
Paolo Bonzini 348500
+  MODULE_TYPE                    = UEFI_APPLICATION
Paolo Bonzini 348500
+  VERSION_STRING                 = 0.1
Paolo Bonzini 348500
+  ENTRY_POINT                    = ShellCEntryLib
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+#
Paolo Bonzini 348500
+#  VALID_ARCHITECTURES           = IA32 X64
Paolo Bonzini 348500
+#
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+[Sources]
Paolo Bonzini 348500
+  EnrollDefaultKeys.c
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+[Packages]
Paolo Bonzini 348500
+  MdePkg/MdePkg.dec
Paolo Bonzini 348500
+  MdeModulePkg/MdeModulePkg.dec
Paolo Bonzini 348500
+  SecurityPkg/SecurityPkg.dec
Paolo Bonzini 348500
+  ShellPkg/ShellPkg.dec
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+[Guids]
Paolo Bonzini 348500
+  gEfiCertPkcs7Guid
Paolo Bonzini 348500
+  gEfiCertSha256Guid
Paolo Bonzini 348500
+  gEfiCertX509Guid
Paolo Bonzini 348500
+  gEfiCustomModeEnableGuid
Paolo Bonzini 348500
+  gEfiGlobalVariableGuid
Paolo Bonzini 348500
+  gEfiImageSecurityDatabaseGuid
Paolo Bonzini 348500
+  gEfiSecureBootEnableDisableGuid
Paolo Bonzini 348500
+
Paolo Bonzini 348500
+[LibraryClasses]
Paolo Bonzini 348500
+  BaseMemoryLib
Paolo Bonzini 348500
+  DebugLib
Paolo Bonzini 348500
+  MemoryAllocationLib
Paolo Bonzini 348500
+  ShellCEntryLib
Paolo Bonzini 348500
+  UefiLib
Paolo Bonzini 348500
+  UefiRuntimeServicesTableLib
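Review bot: The file description "Enroll default PK, KEK, DB." omits dbx, although ShellAppMain in EnrollDefaultKeys.c also overwrites EFI_IMAGE_SECURITY_DATABASE1 with the mSha256OfDevNull entry. Suggest naming all four variables here, since this header is what a reader sees first when deciding what the application touches. Also, the source passes &gEfiCallerIdGuid as an owner GUID but [Guids] does not list it; if that relies on a build-generated definition, a one-line comment saying so would save the next reviewer from checking.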
Gerd Hoffmann b0c3af
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
b846ca
index 702d3a86c4..877f0fc83c 100644
Gerd Hoffmann b0c3af
--- a/OvmfPkg/OvmfPkgIa32.dsc
Gerd Hoffmann b0c3af
+++ b/OvmfPkg/OvmfPkgIa32.dsc
b846ca
@@ -873,6 +873,10 @@
Gerd Hoffmann b0c3af
 
Gerd Hoffmann b0c3af
 !if $(SECURE_BOOT_ENABLE) == TRUE
Gerd Hoffmann b0c3af
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
Paolo Bonzini 348500
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
Paolo Bonzini 348500
+    <LibraryClasses>
Paolo Bonzini 348500
+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
Paolo Bonzini 348500
+  }
Gerd Hoffmann b0c3af
 !endif
Gerd Hoffmann b0c3af
 
Gerd Hoffmann b0c3af
   OvmfPkg/PlatformDxe/Platform.inf
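Review bot: The per-component ShellCEntryLib override on the added OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf entry has no comment saying why the library class is resolved at this component instead of in the platform's library class mappings, and the same four added lines appear verbatim in the OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc hunks. A short comment above the entry, for example that this is the only component with ENTRY_POINT = ShellCEntryLib, would explain the override and make it easier to keep the three platform files in step.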
Gerd Hoffmann b0c3af
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
b846ca
index 46bc3a0b77..6ff2121122 100644
Gerd Hoffmann b0c3af
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
Gerd Hoffmann b0c3af
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
b846ca
@@ -882,6 +882,10 @@
Gerd Hoffmann b0c3af
 
Gerd Hoffmann b0c3af
 !if $(SECURE_BOOT_ENABLE) == TRUE
Gerd Hoffmann b0c3af
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
Paolo Bonzini 348500
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
Paolo Bonzini 348500
+    <LibraryClasses>
Paolo Bonzini 348500
+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
Paolo Bonzini 348500
+  }
Gerd Hoffmann b0c3af
 !endif
Gerd Hoffmann b0c3af
 
Gerd Hoffmann b0c3af
   OvmfPkg/PlatformDxe/Platform.inf
Gerd Hoffmann b0c3af
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
b846ca
index 31c5933016..12676f5ba6 100644
Gerd Hoffmann b0c3af
--- a/OvmfPkg/OvmfPkgX64.dsc
Gerd Hoffmann b0c3af
+++ b/OvmfPkg/OvmfPkgX64.dsc
b846ca
@@ -880,6 +880,10 @@
Gerd Hoffmann b0c3af
 
Gerd Hoffmann b0c3af
 !if $(SECURE_BOOT_ENABLE) == TRUE
Gerd Hoffmann b0c3af
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
Paolo Bonzini 348500
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
Paolo Bonzini 348500
+    <LibraryClasses>
Paolo Bonzini 348500
+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
Paolo Bonzini 348500
+  }
Gerd Hoffmann b0c3af
 !endif
Gerd Hoffmann b0c3af
 
Gerd Hoffmann b0c3af
   OvmfPkg/PlatformDxe/Platform.inf