rpms / ovmf

Clone
Source Code
GIT

Blame SOURCES/0012-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch

c7 c7-alt c7-beta
  1.   6ef48d494ee8a9b0a6e6f45e6a634cec2a034076
  2.   SOURCES
  3.   0012-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
Blob History Raw
6ef48d 
From 98c91b36997e3afc4192449263182fbdcc771a1a Mon Sep 17 00:00:00 2001
eb7fe6 
From: Laszlo Ersek <lersek@redhat.com>
eb7fe6 
Date: Tue, 4 Nov 2014 23:02:55 +0100
eb7fe6 
Subject: OvmfPkg: EnrollDefaultKeys: application for enrolling default keys
eb7fe6 
 (RH only)
eb7fe6
eb7fe6 
Message-id: <1415138578-27173-16-git-send-email-lersek@redhat.com>
eb7fe6 
Patchwork-id: 62121
eb7fe6 
O-Subject:  [RHEL-7.1 ovmf PATCH v2 15/18] OvmfPkg: EnrollDefaultKeys:
eb7fe6 
	application for enrolling default keys (RH only)
eb7fe6 
Bugzilla: 1148296
eb7fe6 
1160400
eb7fe6 
Acked-by: Andrew Jones <drjones@redhat.com>
eb7fe6 
Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
eb7fe6 
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
eb7fe6
eb7fe6 
This application is meant to be invoked by the management layer, after
eb7fe6 
booting the UEFI shell and getting a shell prompt on the serial console.
eb7fe6 
The app enrolls a number of certificates (see below), and then reports
eb7fe6 
status to the serial console as well. The expected output is "info:
eb7fe6 
success":
eb7fe6
eb7fe6 
> Shell> EnrollDefaultKeys.efi
eb7fe6 
> info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
eb7fe6 
> info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
eb7fe6 
> info: success
eb7fe6 
> Shell>
eb7fe6
eb7fe6 
In case of success, the management layer can force off or reboot the VM
eb7fe6 
(for example with the "reset -s" or "reset -c" UEFI shell commands,
eb7fe6 
respectively), and start the guest installation with SecureBoot enabled.
eb7fe6
eb7fe6 
PK:
eb7fe6 
- A unique, static, ad-hoc certificate whose private half has been
eb7fe6 
  destroyed (more precisely, never saved) and is therefore unusable for
eb7fe6 
  signing. (The command for creating this certificate is saved in the
eb7fe6 
  source code.) Background:
eb7fe6
eb7fe6 
On 09/30/14 20:00, Peter Jones wrote:
eb7fe6 
> We should generate a special key that's not in our normal signing chains
eb7fe6 
> for PK and KEK.  The reason for this is that [in practice] PK gets
eb7fe6 
> treated as part of DB (*).
eb7fe6 
>
eb7fe6 
> [Shipping a key in our normal signing chains] as PK means you can run
eb7fe6 
> grub directly, in which case it won't have access to the shim protocol.
eb7fe6 
> When grub is run without the shim protocol registered, it assumes SB is
eb7fe6 
> disabled and boots without verifying the kernel.  We don't want that to
eb7fe6 
> be a thing you can do, but allowing that is the inevitable result of
eb7fe6 
> shipping with any of our normal signing chain in PK or KEK.
eb7fe6 
>
eb7fe6 
> (* USRT has actually agreed that since you can escalate to this behavior
eb7fe6 
> if you have the secret half of a key in KEK or PK anyway, and many
eb7fe6 
> vendors had already shipped it this way, that it is fine and I think
eb7fe6 
> even *expected* at this point, even though it wasn't formally in the
eb7fe6 
> UEFI 2.3.1 Spec that introduced Secure Boot.  I'll try and make sure the
eb7fe6 
> language reflects that in an upcoming spec revision.)
eb7fe6 
>
eb7fe6 
> So let me get SRT to issue a special key to use for PK and KEK.  We can
eb7fe6 
> use it just for those operations, and make sure it's protected with the
eb7fe6 
> same processes and controls as our other signing keys.
eb7fe6
eb7fe6 
  Until SRT generates such a key for us, this ad-hoc key should be a good
eb7fe6 
  placeholder.
eb7fe6
eb7fe6 
KEK:
eb7fe6 
- same ad-hoc certificate as used for the PK,
eb7fe6 
- "Microsoft Corporation KEK CA 2011" -- the dbx data in Fedora's dbxtool
eb7fe6 
  package is signed (indirectly, through a chain) with this; enrolling
eb7fe6 
  such a KEK should allow guests to install those updates.
eb7fe6
eb7fe6 
DB:
eb7fe6 
- "Microsoft Windows Production PCA 2011" -- to load Windows 8 and Windows
eb7fe6 
  Server 2012 R2,
eb7fe6 
- "Microsoft Corporation UEFI CA 2011" -- to load Linux and signed PCI
eb7fe6 
  oproms.
eb7fe6
eb7fe6 
*UPDATE*
eb7fe6
eb7fe6 
OvmfPkg: EnrollDefaultKeys: pick up official Red Hat PK/KEK (RHEL only)
eb7fe6
eb7fe6 
Replace the placeholder ExampleCert with a certificate generated and
eb7fe6 
managed by the Red Hat Security Response Team.
eb7fe6
eb7fe6 
> Certificate:
eb7fe6 
>     Data:
eb7fe6 
>         Version: 3 (0x2)
eb7fe6 
>         Serial Number: 18371740789028339953 (0xfef588e8f396c0f1)
eb7fe6 
>     Signature Algorithm: sha256WithRSAEncryption
eb7fe6 
>         Issuer: CN=Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com
eb7fe6 
>         Validity
eb7fe6 
>             Not Before: Oct 31 11:15:37 2014 GMT
eb7fe6 
>             Not After : Oct 25 11:15:37 2037 GMT
eb7fe6 
>         Subject: CN=Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com
eb7fe6 
>         Subject Public Key Info:
eb7fe6 
>             Public Key Algorithm: rsaEncryption
eb7fe6 
>                 Public-Key: (2048 bit)
eb7fe6 
>                 Modulus:
eb7fe6 
>                     00:90:1f:84:7b:8d:bc:eb:97:26:82:6d:88:ab:8a:
eb7fe6 
>                     c9:8c:68:70:f9:df:4b:07:b2:37:83:0b:02:c8:67:
eb7fe6 
>                     68:30:9e:e3:f0:f0:99:4a:b8:59:57:c6:41:f6:38:
eb7fe6 
>                     8b:fe:66:4c:49:e9:37:37:92:2e:98:01:1e:5b:14:
eb7fe6 
>                     50:e6:a8:8d:25:0d:f5:86:e6:ab:30:cb:40:16:ea:
eb7fe6 
>                     8d:8b:16:86:70:43:37:f2:ce:c0:91:df:71:14:8e:
eb7fe6 
>                     99:0e:89:b6:4c:6d:24:1e:8c:e4:2f:4f:25:d0:ba:
eb7fe6 
>                     06:f8:c6:e8:19:18:76:73:1d:81:6d:a8:d8:05:cf:
eb7fe6 
>                     3a:c8:7b:28:c8:36:a3:16:0d:29:8c:99:9a:68:dc:
eb7fe6 
>                     ab:c0:4d:8d:bf:5a:bb:2b:a9:39:4b:04:97:1c:f9:
eb7fe6 
>                     36:bb:c5:3a:86:04:ae:af:d4:82:7b:e0:ab:de:49:
eb7fe6 
>                     05:68:fc:f6:ae:68:1a:6c:90:4d:57:19:3c:64:66:
eb7fe6 
>                     03:f6:c7:52:9b:f7:94:cf:93:6a:a1:68:c9:aa:cf:
eb7fe6 
>                     99:6b:bc:aa:5e:08:e7:39:1c:f7:f8:0f:ba:06:7e:
eb7fe6 
>                     f1:cb:e8:76:dd:fe:22:da:ad:3a:5e:5b:34:ea:b3:
eb7fe6 
>                     c9:e0:4d:04:29:7e:b8:60:b9:05:ef:b5:d9:17:58:
eb7fe6 
>                     56:16:60:b9:30:32:f0:36:4a:c3:f2:79:8d:12:40:
eb7fe6 
>                     70:f3
eb7fe6 
>                 Exponent: 65537 (0x10001)
eb7fe6 
>         X509v3 extensions:
eb7fe6 
>             X509v3 Basic Constraints:
eb7fe6 
>                 CA:FALSE
eb7fe6 
>             Netscape Comment:
eb7fe6 
>                 OpenSSL Generated Certificate
eb7fe6 
>             X509v3 Subject Key Identifier:
eb7fe6 
>                 3C:E9:60:E3:FF:19:A1:0A:7B:A3:42:F4:8D:42:2E:B4:D5:9C:72:EC
eb7fe6 
>             X509v3 Authority Key Identifier:
eb7fe6 
>                 keyid:3C:E9:60:E3:FF:19:A1:0A:7B:A3:42:F4:8D:42:2E:B4:D5:9C:72:EC
eb7fe6 
>
eb7fe6 
>     Signature Algorithm: sha256WithRSAEncryption
eb7fe6 
>          5c:4d:92:88:b4:82:5f:1d:ad:8b:11:ec:df:06:a6:7a:a5:2b:
eb7fe6 
>          9f:37:55:0c:8d:6e:05:00:ad:b7:0c:41:89:69:cf:d6:65:06:
eb7fe6 
>          9b:51:78:d2:ad:c7:bf:9c:dc:05:73:7f:e7:1e:39:13:b4:ea:
eb7fe6 
>          b6:30:7d:40:75:ab:9c:43:0b:df:b0:c2:1b:bf:30:e0:f4:fe:
eb7fe6 
>          c0:db:62:21:98:f6:c5:af:de:3b:4f:49:0a:e6:1e:f9:86:b0:
eb7fe6 
>          3f:0d:d6:d4:46:37:db:54:74:5e:ff:11:c2:60:c6:70:58:c5:
eb7fe6 
>          1c:6f:ec:b2:d8:6e:6f:c3:bc:33:87:38:a4:f3:44:64:9c:34:
eb7fe6 
>          3b:28:94:26:78:27:9f:16:17:e8:3b:69:0a:25:a9:73:36:7e:
eb7fe6 
>          9e:37:5c:ec:e8:3f:db:91:f9:12:b3:3d:ce:e7:dd:15:c3:ae:
eb7fe6 
>          8c:05:20:61:9b:95:de:9b:af:fa:b1:5c:1c:e5:97:e7:c3:34:
eb7fe6 
>          11:85:f5:8a:27:26:a4:70:36:ec:0c:f6:83:3d:90:f7:36:f3:
eb7fe6 
>          f9:f3:15:d4:90:62:be:53:b4:af:d3:49:af:ef:f4:73:e8:7b:
eb7fe6 
>          76:e4:44:2a:37:ba:81:a4:99:0c:3a:31:24:71:a0:e4:e4:b7:
eb7fe6 
>          1a:cb:47:e4:aa:22:cf:ef:75:61:80:e3:43:b7:48:57:73:11:
eb7fe6 
>          3d:78:9b:69
eb7fe6 
> -----BEGIN CERTIFICATE-----
eb7fe6 
> MIIDoDCCAoigAwIBAgIJAP71iOjzlsDxMA0GCSqGSIb3DQEBCwUAMFExKzApBgNV
eb7fe6 
> BAMTIlJlZCBIYXQgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkgMSkxIjAgBgkqhkiG
eb7fe6 
> 9w0BCQEWE3NlY2FsZXJ0QHJlZGhhdC5jb20wHhcNMTQxMDMxMTExNTM3WhcNMzcx
eb7fe6 
> MDI1MTExNTM3WjBRMSswKQYDVQQDEyJSZWQgSGF0IFNlY3VyZSBCb290IChQSy9L
eb7fe6 
> RUsga2V5IDEpMSIwIAYJKoZIhvcNAQkBFhNzZWNhbGVydEByZWRoYXQuY29tMIIB
eb7fe6 
> IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkB+Ee42865cmgm2Iq4rJjGhw
eb7fe6 
> +d9LB7I3gwsCyGdoMJ7j8PCZSrhZV8ZB9jiL/mZMSek3N5IumAEeWxRQ5qiNJQ31
eb7fe6 
> huarMMtAFuqNixaGcEM38s7Akd9xFI6ZDom2TG0kHozkL08l0LoG+MboGRh2cx2B
eb7fe6 
> bajYBc86yHsoyDajFg0pjJmaaNyrwE2Nv1q7K6k5SwSXHPk2u8U6hgSur9SCe+Cr
eb7fe6 
> 3kkFaPz2rmgabJBNVxk8ZGYD9sdSm/eUz5NqoWjJqs+Za7yqXgjnORz3+A+6Bn7x
eb7fe6 
> y+h23f4i2q06Xls06rPJ4E0EKX64YLkF77XZF1hWFmC5MDLwNkrD8nmNEkBw8wID
eb7fe6 
> AQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy
eb7fe6 
> YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUPOlg4/8ZoQp7o0L0jUIutNWccuww
eb7fe6 
> HwYDVR0jBBgwFoAUPOlg4/8ZoQp7o0L0jUIutNWccuwwDQYJKoZIhvcNAQELBQAD
eb7fe6 
> ggEBAFxNkoi0gl8drYsR7N8GpnqlK583VQyNbgUArbcMQYlpz9ZlBptReNKtx7+c
eb7fe6 
> 3AVzf+ceORO06rYwfUB1q5xDC9+wwhu/MOD0/sDbYiGY9sWv3jtPSQrmHvmGsD8N
eb7fe6 
> 1tRGN9tUdF7/EcJgxnBYxRxv7LLYbm/DvDOHOKTzRGScNDsolCZ4J58WF+g7aQol
eb7fe6 
> qXM2fp43XOzoP9uR+RKzPc7n3RXDrowFIGGbld6br/qxXBzll+fDNBGF9YonJqRw
eb7fe6 
> NuwM9oM9kPc28/nzFdSQYr5TtK/TSa/v9HPoe3bkRCo3uoGkmQw6MSRxoOTktxrL
eb7fe6 
> R+SqIs/vdWGA40O3SFdzET14m2k=
eb7fe6 
> -----END CERTIFICATE-----
eb7fe6
eb7fe6 
Notes about the 9ece15a -> c9e5618 rebase:
eb7fe6 
- resolved conflicts in:
eb7fe6 
    OvmfPkg/OvmfPkgIa32.dsc
eb7fe6 
    OvmfPkg/OvmfPkgIa32X64.dsc
eb7fe6 
    OvmfPkg/OvmfPkgX64.dsc
eb7fe6 
  due to OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf having
eb7fe6 
  disappeared in upstream (commit 57446bb9).
eb7fe6
eb7fe6 
Notes about the c9e5618 -> b9ffeab rebase:
eb7fe6 
- Guid/VariableFormat.h now lives under MdeModulePkg.
eb7fe6
eb7fe6 
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
eb7fe6
eb7fe6 
- This patch now squashes the following commits:
eb7fe6 
  - 014f459c197b OvmfPkg: EnrollDefaultKeys: application for enrolling
eb7fe6 
                 default keys (RH only)
eb7fe6 
  - 18422a18d0e9 OvmfPkg/EnrollDefaultKeys: assign Status before reading
eb7fe6 
                 it (RH only)
eb7fe6 
  - ddb90568e874 OvmfPkg/EnrollDefaultKeys: silence VS2015x86 warning (RH
eb7fe6 
                 only)
eb7fe6
fcf9e8 
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
fcf9e8
fcf9e8 
- This patch now squashes the following commits:
fcf9e8 
  - c0b2615a9c0b OvmfPkg: EnrollDefaultKeys: application for enrolling
fcf9e8 
                 default keys (RH only)
fcf9e8 
  - 22f4d33d0168 OvmfPkg/EnrollDefaultKeys: update SignatureOwner GUID for
fcf9e8 
                 Windows HCK (RH)
fcf9e8 
  - ff7f2c1d870d OvmfPkg/EnrollDefaultKeys: expose CertType parameter of
fcf9e8 
                 EnrollListOfCerts (RH)
fcf9e8 
  - aee7b5ba60b4 OvmfPkg/EnrollDefaultKeys: blacklist empty file in dbx
fcf9e8 
                 for Windows HCK (RH)
fcf9e8
fcf9e8 
- Consequently, OvmfPkg/EnrollDefaultKeys/ is identical to the same
fcf9e8 
  directory at the "RHEL-7.4" tag (49d06d386736).
fcf9e8
6ef48d 
Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
6ef48d
6ef48d 
- no changes
6ef48d
eb7fe6 
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
fcf9e8 
(cherry picked from commit c0b2615a9c0b4a4be1bffe45681a32915449279d)
6ef48d 
(cherry picked from commit 92424de98ffaf1fa81e6346949b1d2b5f9a637ca)
eb7fe6 
---
fcf9e8 
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 1015 +++++++++++++++++++++++
fcf9e8 
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |   52 ++
fcf9e8 
 OvmfPkg/OvmfPkgIa32.dsc                         |    4 +
fcf9e8 
 OvmfPkg/OvmfPkgIa32X64.dsc                      |    4 +
fcf9e8 
 OvmfPkg/OvmfPkgX64.dsc                          |    4 +
fcf9e8 
 5 files changed, 1079 insertions(+)
eb7fe6 
 create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
eb7fe6 
 create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
eb7fe6
eb7fe6 
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
eb7fe6 
new file mode 100644
fcf9e8 
index 0000000..dd413df
eb7fe6 
--- /dev/null
eb7fe6 
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
fcf9e8 
@@ -0,0 +1,1015 @@
eb7fe6 
+/** @file
eb7fe6 
+  Enroll default PK, KEK, DB.
eb7fe6 
+
eb7fe6 
+  Copyright (C) 2014, Red Hat, Inc.
eb7fe6 
+
eb7fe6 
+  This program and the accompanying materials are licensed and made available
eb7fe6 
+  under the terms and conditions of the BSD License which accompanies this
eb7fe6 
+  distribution. The full text of the license may be found at
eb7fe6 
+  http://opensource.org/licenses/bsd-license.
eb7fe6 
+
eb7fe6 
+  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
eb7fe6 
+  WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
eb7fe6 
+**/
eb7fe6 
+#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
eb7fe6 
+#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
eb7fe6 
+#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
eb7fe6 
+#include <Library/BaseMemoryLib.h>               // CopyGuid()
eb7fe6 
+#include <Library/DebugLib.h>                    // ASSERT()
eb7fe6 
+#include <Library/MemoryAllocationLib.h>         // FreePool()
eb7fe6 
+#include <Library/ShellCEntryLib.h>              // ShellAppMain()
eb7fe6 
+#include <Library/UefiLib.h>                     // AsciiPrint()
eb7fe6 
+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
eb7fe6 
+
eb7fe6 
+//
eb7fe6 
+// We'll use the certificate below as both Platform Key and as first Key
eb7fe6 
+// Exchange Key.
eb7fe6 
+//
eb7fe6 
+// "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
eb7fe6 
+// SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
eb7fe6 
+//
eb7fe6 
+STATIC CONST UINT8 RedHatPkKek1[] = {
eb7fe6 
+  0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, 0x02,
eb7fe6 
+  0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, 0x0d,
eb7fe6 
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
eb7fe6 
+  0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22,
eb7fe6 
+  0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
eb7fe6 
+  0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45,
eb7fe6 
+  0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06,
eb7fe6 
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73,
eb7fe6 
+  0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61,
eb7fe6 
+  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
eb7fe6 
+  0x33, 0x31, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, 0x37,
eb7fe6 
+  0x31, 0x30, 0x32, 0x35, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x30, 0x51,
eb7fe6 
+  0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x52, 0x65,
eb7fe6 
+  0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20,
eb7fe6 
+  0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45, 0x4b, 0x20,
eb7fe6 
+  0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a,
eb7fe6 
+  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,
eb7fe6 
+  0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, 0x2e,
eb7fe6 
+  0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
eb7fe6 
+  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
eb7fe6 
+  0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x90, 0x1f, 0x84,
eb7fe6 
+  0x7b, 0x8d, 0xbc, 0xeb, 0x97, 0x26, 0x82, 0x6d, 0x88, 0xab, 0x8a, 0xc9, 0x8c,
eb7fe6 
+  0x68, 0x70, 0xf9, 0xdf, 0x4b, 0x07, 0xb2, 0x37, 0x83, 0x0b, 0x02, 0xc8, 0x67,
eb7fe6 
+  0x68, 0x30, 0x9e, 0xe3, 0xf0, 0xf0, 0x99, 0x4a, 0xb8, 0x59, 0x57, 0xc6, 0x41,
eb7fe6 
+  0xf6, 0x38, 0x8b, 0xfe, 0x66, 0x4c, 0x49, 0xe9, 0x37, 0x37, 0x92, 0x2e, 0x98,
eb7fe6 
+  0x01, 0x1e, 0x5b, 0x14, 0x50, 0xe6, 0xa8, 0x8d, 0x25, 0x0d, 0xf5, 0x86, 0xe6,
eb7fe6 
+  0xab, 0x30, 0xcb, 0x40, 0x16, 0xea, 0x8d, 0x8b, 0x16, 0x86, 0x70, 0x43, 0x37,
eb7fe6 
+  0xf2, 0xce, 0xc0, 0x91, 0xdf, 0x71, 0x14, 0x8e, 0x99, 0x0e, 0x89, 0xb6, 0x4c,
eb7fe6 
+  0x6d, 0x24, 0x1e, 0x8c, 0xe4, 0x2f, 0x4f, 0x25, 0xd0, 0xba, 0x06, 0xf8, 0xc6,
eb7fe6 
+  0xe8, 0x19, 0x18, 0x76, 0x73, 0x1d, 0x81, 0x6d, 0xa8, 0xd8, 0x05, 0xcf, 0x3a,
eb7fe6 
+  0xc8, 0x7b, 0x28, 0xc8, 0x36, 0xa3, 0x16, 0x0d, 0x29, 0x8c, 0x99, 0x9a, 0x68,
eb7fe6 
+  0xdc, 0xab, 0xc0, 0x4d, 0x8d, 0xbf, 0x5a, 0xbb, 0x2b, 0xa9, 0x39, 0x4b, 0x04,
eb7fe6 
+  0x97, 0x1c, 0xf9, 0x36, 0xbb, 0xc5, 0x3a, 0x86, 0x04, 0xae, 0xaf, 0xd4, 0x82,
eb7fe6 
+  0x7b, 0xe0, 0xab, 0xde, 0x49, 0x05, 0x68, 0xfc, 0xf6, 0xae, 0x68, 0x1a, 0x6c,
eb7fe6 
+  0x90, 0x4d, 0x57, 0x19, 0x3c, 0x64, 0x66, 0x03, 0xf6, 0xc7, 0x52, 0x9b, 0xf7,
eb7fe6 
+  0x94, 0xcf, 0x93, 0x6a, 0xa1, 0x68, 0xc9, 0xaa, 0xcf, 0x99, 0x6b, 0xbc, 0xaa,
eb7fe6 
+  0x5e, 0x08, 0xe7, 0x39, 0x1c, 0xf7, 0xf8, 0x0f, 0xba, 0x06, 0x7e, 0xf1, 0xcb,
eb7fe6 
+  0xe8, 0x76, 0xdd, 0xfe, 0x22, 0xda, 0xad, 0x3a, 0x5e, 0x5b, 0x34, 0xea, 0xb3,
eb7fe6 
+  0xc9, 0xe0, 0x4d, 0x04, 0x29, 0x7e, 0xb8, 0x60, 0xb9, 0x05, 0xef, 0xb5, 0xd9,
eb7fe6 
+  0x17, 0x58, 0x56, 0x16, 0x60, 0xb9, 0x30, 0x32, 0xf0, 0x36, 0x4a, 0xc3, 0xf2,
eb7fe6 
+  0x79, 0x8d, 0x12, 0x40, 0x70, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x7b,
eb7fe6 
+  0x30, 0x79, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00,
eb7fe6 
+  0x30, 0x2c, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x0d,
eb7fe6 
+  0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, 0x47,
eb7fe6 
+  0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72, 0x74,
eb7fe6 
+  0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
eb7fe6 
+  0x0e, 0x04, 0x16, 0x04, 0x14, 0x3c, 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a,
eb7fe6 
+  0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42, 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30,
eb7fe6 
+  0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x3c,
eb7fe6 
+  0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a, 0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42,
eb7fe6 
+  0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
eb7fe6 
+  0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
eb7fe6 
+  0x5c, 0x4d, 0x92, 0x88, 0xb4, 0x82, 0x5f, 0x1d, 0xad, 0x8b, 0x11, 0xec, 0xdf,
eb7fe6 
+  0x06, 0xa6, 0x7a, 0xa5, 0x2b, 0x9f, 0x37, 0x55, 0x0c, 0x8d, 0x6e, 0x05, 0x00,
eb7fe6 
+  0xad, 0xb7, 0x0c, 0x41, 0x89, 0x69, 0xcf, 0xd6, 0x65, 0x06, 0x9b, 0x51, 0x78,
eb7fe6 
+  0xd2, 0xad, 0xc7, 0xbf, 0x9c, 0xdc, 0x05, 0x73, 0x7f, 0xe7, 0x1e, 0x39, 0x13,
eb7fe6 
+  0xb4, 0xea, 0xb6, 0x30, 0x7d, 0x40, 0x75, 0xab, 0x9c, 0x43, 0x0b, 0xdf, 0xb0,
eb7fe6 
+  0xc2, 0x1b, 0xbf, 0x30, 0xe0, 0xf4, 0xfe, 0xc0, 0xdb, 0x62, 0x21, 0x98, 0xf6,
eb7fe6 
+  0xc5, 0xaf, 0xde, 0x3b, 0x4f, 0x49, 0x0a, 0xe6, 0x1e, 0xf9, 0x86, 0xb0, 0x3f,
eb7fe6 
+  0x0d, 0xd6, 0xd4, 0x46, 0x37, 0xdb, 0x54, 0x74, 0x5e, 0xff, 0x11, 0xc2, 0x60,
eb7fe6 
+  0xc6, 0x70, 0x58, 0xc5, 0x1c, 0x6f, 0xec, 0xb2, 0xd8, 0x6e, 0x6f, 0xc3, 0xbc,
eb7fe6 
+  0x33, 0x87, 0x38, 0xa4, 0xf3, 0x44, 0x64, 0x9c, 0x34, 0x3b, 0x28, 0x94, 0x26,
eb7fe6 
+  0x78, 0x27, 0x9f, 0x16, 0x17, 0xe8, 0x3b, 0x69, 0x0a, 0x25, 0xa9, 0x73, 0x36,
eb7fe6 
+  0x7e, 0x9e, 0x37, 0x5c, 0xec, 0xe8, 0x3f, 0xdb, 0x91, 0xf9, 0x12, 0xb3, 0x3d,
eb7fe6 
+  0xce, 0xe7, 0xdd, 0x15, 0xc3, 0xae, 0x8c, 0x05, 0x20, 0x61, 0x9b, 0x95, 0xde,
eb7fe6 
+  0x9b, 0xaf, 0xfa, 0xb1, 0x5c, 0x1c, 0xe5, 0x97, 0xe7, 0xc3, 0x34, 0x11, 0x85,
eb7fe6 
+  0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, 0x90,
eb7fe6 
+  0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, 0xaf,
eb7fe6 
+  0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, 0x37,
eb7fe6 
+  0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, 0xb7,
eb7fe6 
+  0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, 0x43,
eb7fe6 
+  0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69
eb7fe6 
+};
eb7fe6 
+
eb7fe6 
+//
eb7fe6 
+// Second KEK: "Microsoft Corporation KEK CA 2011".
eb7fe6 
+// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
eb7fe6 
+//
eb7fe6 
+// "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
eb7fe6 
+//
eb7fe6 
+STATIC CONST UINT8 MicrosoftKEK[] = {
eb7fe6 
+  0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
eb7fe6 
+  0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
eb7fe6 
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
eb7fe6 
+  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
eb7fe6 
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
eb7fe6 
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
eb7fe6 
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
eb7fe6 
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
eb7fe6 
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
eb7fe6 
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
eb7fe6 
+  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
eb7fe6 
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
eb7fe6 
+  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
eb7fe6 
+  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
eb7fe6 
+  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
eb7fe6 
+  0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32,
eb7fe6 
+  0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, 0x30,
eb7fe6 
+  0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
eb7fe6 
+  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
eb7fe6 
+  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
eb7fe6 
+  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
eb7fe6 
+  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
eb7fe6 
+  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
eb7fe6 
+  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06,
eb7fe6 
+  0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
eb7fe6 
+  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
eb7fe6 
+  0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31,
eb7fe6 
+  0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
eb7fe6 
+  0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
eb7fe6 
+  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, 0xad,
eb7fe6 
+  0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, 0x5d,
eb7fe6 
+  0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, 0xeb,
eb7fe6 
+  0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, 0xe3,
eb7fe6 
+  0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, 0x9b,
eb7fe6 
+  0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, 0xac,
eb7fe6 
+  0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, 0xc8,
eb7fe6 
+  0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, 0xc0,
eb7fe6 
+  0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, 0xe2,
eb7fe6 
+  0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, 0x89,
eb7fe6 
+  0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, 0xc2,
eb7fe6 
+  0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, 0x03,
eb7fe6 
+  0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, 0x7e,
eb7fe6 
+  0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, 0xeb,
eb7fe6 
+  0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, 0x2f,
eb7fe6 
+  0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, 0xaa,
eb7fe6 
+  0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, 0x9f,
eb7fe6 
+  0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, 0xc6,
eb7fe6 
+  0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, 0xaf,
eb7fe6 
+  0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, 0x07,
eb7fe6 
+  0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, 0x30,
eb7fe6 
+  0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
eb7fe6 
+  0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,
eb7fe6 
+  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, 0xa4,
eb7fe6 
+  0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, 0x5f,
eb7fe6 
+  0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02,
eb7fe6 
+  0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
eb7fe6 
+  0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01,
eb7fe6 
+  0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
eb7fe6 
+  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
eb7fe6 
+  0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, 0x11,
eb7fe6 
+  0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, 0x30,
eb7fe6 
+  0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, 0xa0,
eb7fe6 
+  0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
eb7fe6 
+  0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e,
eb7fe6 
+  0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70,
eb7fe6 
+  0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f,
eb7fe6 
+  0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f,
eb7fe6 
+  0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63,
eb7fe6 
+  0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01,
eb7fe6 
+  0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
eb7fe6 
+  0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
eb7fe6 
+  0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
eb7fe6 
+  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, 0x74,
eb7fe6 
+  0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61,
eb7fe6 
+  0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d,
eb7fe6 
+  0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09,
eb7fe6 
+  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
eb7fe6 
+  0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, 0x2a,
eb7fe6 
+  0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, 0x66,
eb7fe6 
+  0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, 0x5a,
eb7fe6 
+  0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, 0x64,
eb7fe6 
+  0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, 0x58,
eb7fe6 
+  0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, 0xd0,
eb7fe6 
+  0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, 0xf5,
eb7fe6 
+  0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, 0xec,
eb7fe6 
+  0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, 0xd7,
eb7fe6 
+  0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, 0x28,
eb7fe6 
+  0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, 0x79,
eb7fe6 
+  0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, 0x7b,
eb7fe6 
+  0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, 0xd8,
eb7fe6 
+  0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, 0x19,
eb7fe6 
+  0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, 0x58,
eb7fe6 
+  0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, 0x0d,
eb7fe6 
+  0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, 0x2d,
eb7fe6 
+  0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, 0xc8,
eb7fe6 
+  0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, 0x60,
eb7fe6 
+  0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, 0xac,
eb7fe6 
+  0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, 0x87,
eb7fe6 
+  0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, 0xcd,
eb7fe6 
+  0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, 0x81,
eb7fe6 
+  0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, 0x92,
eb7fe6 
+  0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, 0xe0,
eb7fe6 
+  0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, 0xaf,
eb7fe6 
+  0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, 0xfb,
eb7fe6 
+  0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, 0x68,
eb7fe6 
+  0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, 0xad,
eb7fe6 
+  0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, 0x82,
eb7fe6 
+  0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, 0x14,
eb7fe6 
+  0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, 0x4f,
eb7fe6 
+  0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, 0x9b,
eb7fe6 
+  0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, 0xb0,
eb7fe6 
+  0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
eb7fe6 
+  0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
eb7fe6 
+  0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
eb7fe6 
+  0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
eb7fe6 
+  0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
eb7fe6 
+  0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
eb7fe6 
+};
eb7fe6 
+
eb7fe6 
+//
eb7fe6 
+// First DB entry: "Microsoft Windows Production PCA 2011"
eb7fe6 
+// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
eb7fe6 
+//
eb7fe6 
+// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
eb7fe6 
+// rooted in this certificate.
eb7fe6 
+//
eb7fe6 
+STATIC CONST UINT8 MicrosoftPCA[] = {
eb7fe6 
+  0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
eb7fe6 
+  0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
eb7fe6 
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
eb7fe6 
+  0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
eb7fe6 
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
eb7fe6 
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
eb7fe6 
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
eb7fe6 
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
eb7fe6 
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
eb7fe6 
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30,
eb7fe6 
+  0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f,
eb7fe6 
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72,
eb7fe6 
+  0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
eb7fe6 
+  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17,
eb7fe6 
+  0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, 0x32,
eb7fe6 
+  0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, 0x31,
eb7fe6 
+  0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
eb7fe6 
+  0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
eb7fe6 
+  0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f,
eb7fe6 
+  0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52,
eb7fe6 
+  0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55,
eb7fe6 
+  0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
eb7fe6 
+  0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31,
eb7fe6 
+  0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, 0x63,
eb7fe6 
+  0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77,
eb7fe6 
+  0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20,
eb7fe6 
+  0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30,
eb7fe6 
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
eb7fe6 
+  0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
eb7fe6 
+  0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, 0xf7,
eb7fe6 
+  0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, 0xcb,
eb7fe6 
+  0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, 0x8b,
eb7fe6 
+  0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, 0xe3,
eb7fe6 
+  0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, 0xc0,
eb7fe6 
+  0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, 0x74,
eb7fe6 
+  0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, 0x67,
eb7fe6 
+  0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, 0x53,
eb7fe6 
+  0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, 0x23,
eb7fe6 
+  0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, 0xa3,
eb7fe6 
+  0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, 0xff,
eb7fe6 
+  0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, 0xe2,
eb7fe6 
+  0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, 0x22,
eb7fe6 
+  0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, 0xf3,
eb7fe6 
+  0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, 0x2b,
eb7fe6 
+  0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, 0xbc,
eb7fe6 
+  0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, 0xd6,
eb7fe6 
+  0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, 0xe8,
eb7fe6 
+  0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, 0xa8,
eb7fe6 
+  0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, 0x03,
eb7fe6 
+  0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, 0x10,
eb7fe6 
+  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
eb7fe6 
+  0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
eb7fe6 
+  0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, 0xf9,
eb7fe6 
+  0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, 0x2b,
eb7fe6 
+  0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00,
eb7fe6 
+  0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03,
eb7fe6 
+  0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03,
eb7fe6 
+  0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
eb7fe6 
+  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
eb7fe6 
+  0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, 0x94,
eb7fe6 
+  0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, 0x1d,
eb7fe6 
+  0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, 0x45,
eb7fe6 
+  0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69,
eb7fe6 
+  0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
eb7fe6 
+  0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63,
eb7fe6 
+  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41,
eb7fe6 
+  0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33,
eb7fe6 
+  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
eb7fe6 
+  0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
eb7fe6 
+  0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, 0x3a,
eb7fe6 
+  0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
eb7fe6 
+  0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65,
eb7fe6 
+  0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72,
eb7fe6 
+  0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32,
eb7fe6 
+  0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
eb7fe6 
+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x14,
eb7fe6 
+  0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, 0xbc,
eb7fe6 
+  0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, 0xd0,
eb7fe6 
+  0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, 0x61,
eb7fe6 
+  0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, 0xda,
eb7fe6 
+  0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, 0x6a,
eb7fe6 
+  0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, 0xe2,
eb7fe6 
+  0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, 0xea,
eb7fe6 
+  0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, 0x30,
eb7fe6 
+  0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, 0x86,
eb7fe6 
+  0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, 0xc8,
eb7fe6 
+  0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, 0xae,
eb7fe6 
+  0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, 0xb8,
eb7fe6 
+  0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, 0xac,
eb7fe6 
+  0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, 0x84,
eb7fe6 
+  0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, 0x73,
eb7fe6 
+  0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, 0x73,
eb7fe6 
+  0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, 0x60,
eb7fe6 
+  0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, 0xb6,
eb7fe6 
+  0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, 0x2a,
eb7fe6 
+  0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, 0xba,
eb7fe6 
+  0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, 0xce,
eb7fe6 
+  0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, 0x0f,
eb7fe6 
+  0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, 0x6e,
eb7fe6 
+  0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, 0xd3,
eb7fe6 
+  0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, 0x45,
eb7fe6 
+  0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, 0xd0,
eb7fe6 
+  0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, 0x24,
eb7fe6 
+  0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, 0x2c,
eb7fe6 
+  0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, 0xdf,
eb7fe6 
+  0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, 0x6c,
eb7fe6 
+  0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, 0xf2,
eb7fe6 
+  0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, 0x5c,
eb7fe6 
+  0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, 0x47,
eb7fe6 
+  0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, 0x5a,
eb7fe6 
+  0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
eb7fe6 
+  0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
eb7fe6 
+  0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
eb7fe6 
+  0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
eb7fe6 
+  0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
eb7fe6 
+  0x62, 0x1c, 0x59, 0x7e
eb7fe6 
+};
eb7fe6 
+
eb7fe6 
+//
eb7fe6 
+// Second DB entry: "Microsoft Corporation UEFI CA 2011"
eb7fe6 
+// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
eb7fe6 
+//
eb7fe6 
+// To verify the "shim" binary and PCI expansion ROMs with.
eb7fe6 
+//
eb7fe6 
+STATIC CONST UINT8 MicrosoftUefiCA[] = {
eb7fe6 
+  0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
eb7fe6 
+  0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
eb7fe6 
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
eb7fe6 
+  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
eb7fe6 
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
eb7fe6 
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
eb7fe6 
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
eb7fe6 
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
eb7fe6 
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
eb7fe6 
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
eb7fe6 
+  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
eb7fe6 
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
eb7fe6 
+  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
eb7fe6 
+  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
eb7fe6 
+  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
eb7fe6 
+  0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x32,
eb7fe6 
+  0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30,
eb7fe6 
+  0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
eb7fe6 
+  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
eb7fe6 
+  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
eb7fe6 
+  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
eb7fe6 
+  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
eb7fe6 
+  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
eb7fe6 
+  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, 0x06,
eb7fe6 
+  0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
eb7fe6 
+  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
eb7fe6 
+  0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31,
eb7fe6 
+  0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
eb7fe6 
+  0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
eb7fe6 
+  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, 0xc7,
eb7fe6 
+  0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, 0x43,
eb7fe6 
+  0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, 0x73,
eb7fe6 
+  0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, 0xd3,
eb7fe6 
+  0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, 0x54,
eb7fe6 
+  0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, 0x5c,
eb7fe6 
+  0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, 0x4f,
eb7fe6 
+  0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, 0xae,
eb7fe6 
+  0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, 0x1d,
eb7fe6 
+  0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, 0xfa,
eb7fe6 
+  0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, 0xff,
eb7fe6 
+  0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, 0x7b,
eb7fe6 
+  0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, 0xe6,
eb7fe6 
+  0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, 0x62,
eb7fe6 
+  0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, 0x08,
eb7fe6 
+  0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, 0xe7,
eb7fe6 
+  0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, 0xb2,
eb7fe6 
+  0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, 0x7f,
eb7fe6 
+  0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, 0x8b,
eb7fe6 
+  0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, 0x6a,
eb7fe6 
+  0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x76,
eb7fe6 
+  0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01,
eb7fe6 
+  0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x23,
eb7fe6 
+  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, 0x16,
eb7fe6 
+  0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, 0x37,
eb7fe6 
+  0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, 0x03,
eb7fe6 
+  0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, 0xbd,
eb7fe6 
+  0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, 0x1b,
eb7fe6 
+  0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14,
eb7fe6 
+  0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43,
eb7fe6 
+  0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
eb7fe6 
+  0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
eb7fe6 
+  0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
eb7fe6 
+  0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58,
eb7fe6 
+  0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8,
eb7fe6 
+  0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51,
eb7fe6 
+  0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
eb7fe6 
+  0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
eb7fe6 
+  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f,
eb7fe6 
+  0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43,
eb7fe6 
+  0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f,
eb7fe6 
+  0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e,
eb7fe6 
+  0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
eb7fe6 
+  0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01,
eb7fe6 
+  0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
eb7fe6 
+  0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
eb7fe6 
+  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72,
eb7fe6 
+  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50,
eb7fe6 
+  0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30,
eb7fe6 
+  0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06,
eb7fe6 
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
eb7fe6 
+  0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, 0x76,
eb7fe6 
+  0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, 0xef,
eb7fe6 
+  0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, 0x13,
eb7fe6 
+  0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, 0x82,
eb7fe6 
+  0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, 0x1a,
eb7fe6 
+  0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, 0x20,
eb7fe6 
+  0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, 0x90,
eb7fe6 
+  0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, 0x52,
eb7fe6 
+  0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, 0x6d,
eb7fe6 
+  0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, 0xaf,
eb7fe6 
+  0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, 0x49,
eb7fe6 
+  0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, 0x34,
eb7fe6 
+  0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, 0x75,
eb7fe6 
+  0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, 0xb9,
eb7fe6 
+  0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, 0x8f,
eb7fe6 
+  0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, 0x8c,
eb7fe6 
+  0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, 0x56,
eb7fe6 
+  0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, 0xae,
eb7fe6 
+  0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, 0x4a,
eb7fe6 
+  0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, 0x3c,
eb7fe6 
+  0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, 0x59,
eb7fe6 
+  0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, 0x3d,
eb7fe6 
+  0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, 0x53,
eb7fe6 
+  0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, 0x1b,
eb7fe6 
+  0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, 0x98,
eb7fe6 
+  0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, 0x85,
eb7fe6 
+  0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, 0xd2,
eb7fe6 
+  0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, 0xe2,
eb7fe6 
+  0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, 0x6c,
eb7fe6 
+  0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, 0x3b,
eb7fe6 
+  0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, 0x27,
eb7fe6 
+  0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, 0xa6,
eb7fe6 
+  0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, 0x3f,
eb7fe6 
+  0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, 0x55,
eb7fe6 
+  0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
eb7fe6 
+  0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
eb7fe6 
+  0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
eb7fe6 
+  0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
eb7fe6 
+  0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
eb7fe6 
+  0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
eb7fe6 
+};
eb7fe6 
+
eb7fe6 
+//
fcf9e8 
+// The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test case
fcf9e8 
+// of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit
fcf9e8 
+// expects that the "dbx" variable exist.
fcf9e8 
+//
fcf9e8 
+// The article at <https://technet.microsoft.com/en-us/library/dn747883.aspx>
fcf9e8 
+// writes (excerpt):
fcf9e8 
+//
fcf9e8 
+//    Windows 8.1 Secure Boot Key Creation and Management Guidance
fcf9e8 
+//    1. Secure Boot, Windows 8.1 and Key Management
fcf9e8 
+//    1.4 Signature Databases (Db and Dbx)
fcf9e8 
+//    1.4.3 Forbidden Signature Database (dbx)
fcf9e8 
+//
fcf9e8 
+//    The contents of EFI_IMAGE_SIGNATURE_DATABASE1 dbx must be checked when
fcf9e8 
+//    verifying images before checking db and any matches must prevent the
fcf9e8 
+//    image from executing. The database may contain multiple certificates,
fcf9e8 
+//    keys, and hashes in order to identify forbidden images. The Windows
fcf9e8 
+//    Hardware Certification Requirements state that a dbx must be present, so
fcf9e8 
+//    any dummy value, such as the SHA-256 hash of 0, may be used as a safe
fcf9e8 
+//    placeholder until such time as Microsoft begins delivering dbx updates.
fcf9e8 
+//
fcf9e8 
+// The byte array below captures the SHA256 checksum of the empty file,
fcf9e8 
+// blacklisting it for loading & execution. This qualifies as a dummy, since
fcf9e8 
+// the empty file is not a valid UEFI binary anyway.
fcf9e8 
+//
fcf9e8 
+// Technically speaking, we could also capture an official (although soon to be
fcf9e8 
+// obsolete) dbx update from <http://www.uefi.org/revocationlistfile>. However,
fcf9e8 
+// the terms and conditions on distributing that binary aren't exactly light
fcf9e8 
+// reading, so let's best steer clear of it, and follow the "dummy entry"
fcf9e8 
+// practice recommended -- in natural English langauge -- in the
fcf9e8 
+// above-referenced TechNet article.
fcf9e8 
+//
fcf9e8 
+STATIC CONST UINT8 mSha256OfDevNull[] = {
fcf9e8 
+  0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99,
fcf9e8 
+  0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95,
fcf9e8 
+  0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
fcf9e8 
+};
fcf9e8 
+
fcf9e8 
+//
fcf9e8 
+// The following test cases of the Secure Boot Logo Test in the Microsoft
fcf9e8 
+// Hardware Certification Kit:
fcf9e8 
+//
fcf9e8 
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
fcf9e8 
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
fcf9e8 
+//
fcf9e8 
+// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
fcf9e8 
+// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
fcf9e8 
+// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
fcf9e8 
+// certificates:
fcf9e8 
+//
fcf9e8 
+// - "Microsoft Corporation KEK CA 2011" (in KEK)
fcf9e8 
+// - "Microsoft Windows Production PCA 2011" (in db)
fcf9e8 
+// - "Microsoft Corporation UEFI CA 2011" (in db)
fcf9e8 
+//
fcf9e8 
+// This is despite the fact that the UEFI specification requires
fcf9e8 
+// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
fcf9e8 
+// application or driver) that enrolled and therefore owns
fcf9e8 
+// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
fcf9e8 
+// EFI_SIGNATURE_DATA.SignatureData.
fcf9e8 
+//
fcf9e8 
+STATIC CONST EFI_GUID mMicrosoftOwnerGuid = {
fcf9e8 
+  0x77fa9abd, 0x0359, 0x4d32,
fcf9e8 
+  { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
fcf9e8 
+};
fcf9e8 
+
fcf9e8 
+//
eb7fe6 
+// The most important thing about the variable payload is that it is a list of
eb7fe6 
+// lists, where the element size of any given *inner* list is constant.
eb7fe6 
+//
eb7fe6 
+// Since X509 certificates vary in size, each of our *inner* lists will contain
eb7fe6 
+// one element only (one X.509 certificate). This is explicitly mentioned in
eb7fe6 
+// the UEFI specification, in "28.4.1 Signature Database", in a Note.
eb7fe6 
+//
eb7fe6 
+// The list structure looks as follows:
eb7fe6 
+//
eb7fe6 
+// struct EFI_VARIABLE_AUTHENTICATION_2 {                           |
eb7fe6 
+//   struct EFI_TIME {                                              |
eb7fe6 
+//     UINT16 Year;                                                 |
eb7fe6 
+//     UINT8  Month;                                                |
eb7fe6 
+//     UINT8  Day;                                                  |
eb7fe6 
+//     UINT8  Hour;                                                 |
eb7fe6 
+//     UINT8  Minute;                                               |
eb7fe6 
+//     UINT8  Second;                                               |
eb7fe6 
+//     UINT8  Pad1;                                                 |
eb7fe6 
+//     UINT32 Nanosecond;                                           |
eb7fe6 
+//     INT16  TimeZone;                                             |
eb7fe6 
+//     UINT8  Daylight;                                             |
eb7fe6 
+//     UINT8  Pad2;                                                 |
eb7fe6 
+//   } TimeStamp;                                                   |
eb7fe6 
+//                                                                  |
eb7fe6 
+//   struct WIN_CERTIFICATE_UEFI_GUID {                           | |
eb7fe6 
+//     struct WIN_CERTIFICATE {                                   | |
eb7fe6 
+//       UINT32 dwLength; ----------------------------------------+ |
eb7fe6 
+//       UINT16 wRevision;                                        | |
eb7fe6 
+//       UINT16 wCertificateType;                                 | |
eb7fe6 
+//     } Hdr;                                                     | +- DataSize
eb7fe6 
+//                                                                | |
eb7fe6 
+//     EFI_GUID CertType;                                         | |
eb7fe6 
+//     UINT8    CertData[1] = { <--- "struct hack"                | |
eb7fe6 
+//       struct EFI_SIGNATURE_LIST {                            | | |
eb7fe6 
+//         EFI_GUID SignatureType;                              | | |
eb7fe6 
+//         UINT32   SignatureListSize; -------------------------+ | |
eb7fe6 
+//         UINT32   SignatureHeaderSize;                        | | |
eb7fe6 
+//         UINT32   SignatureSize; ---------------------------+ | | |
eb7fe6 
+//         UINT8    SignatureHeader[SignatureHeaderSize];     | | | |
eb7fe6 
+//                                                            v | | |
eb7fe6 
+//         struct EFI_SIGNATURE_DATA {                        | | | |
eb7fe6 
+//           EFI_GUID SignatureOwner;                         | | | |
eb7fe6 
+//           UINT8    SignatureData[1] = { <--- "struct hack" | | | |
eb7fe6 
+//             X.509 payload                                  | | | |
eb7fe6 
+//           }                                                | | | |
eb7fe6 
+//         } Signatures[];                                      | | |
eb7fe6 
+//       } SigLists[];                                            | |
eb7fe6 
+//     };                                                         | |
eb7fe6 
+//   } AuthInfo;                                                  | |
eb7fe6 
+// };                                                               |
eb7fe6 
+//
eb7fe6 
+// Given that the "struct hack" invokes undefined behavior (which is why C99
eb7fe6 
+// introduced the flexible array member), and because subtracting those pesky
eb7fe6 
+// sizes of 1 is annoying, and because the format is fully specified in the
eb7fe6 
+// UEFI specification, we'll introduce two matching convenience structures that
eb7fe6 
+// are customized for our X.509 purposes.
eb7fe6 
+//
eb7fe6 
+#pragma pack(1)
eb7fe6 
+typedef struct {
eb7fe6 
+  EFI_TIME TimeStamp;
eb7fe6 
+
eb7fe6 
+  //
eb7fe6 
+  // dwLength covers data below
eb7fe6 
+  //
eb7fe6 
+  UINT32   dwLength;
eb7fe6 
+  UINT16   wRevision;
eb7fe6 
+  UINT16   wCertificateType;
eb7fe6 
+  EFI_GUID CertType;
eb7fe6 
+} SINGLE_HEADER;
eb7fe6 
+
eb7fe6 
+typedef struct {
eb7fe6 
+  //
eb7fe6 
+  // SignatureListSize covers data below
eb7fe6 
+  //
eb7fe6 
+  EFI_GUID SignatureType;
eb7fe6 
+  UINT32   SignatureListSize;
eb7fe6 
+  UINT32   SignatureHeaderSize; // constant 0
eb7fe6 
+  UINT32   SignatureSize;
eb7fe6 
+
eb7fe6 
+  //
eb7fe6 
+  // SignatureSize covers data below
eb7fe6 
+  //
eb7fe6 
+  EFI_GUID SignatureOwner;
eb7fe6 
+
eb7fe6 
+  //
eb7fe6 
+  // X.509 certificate follows
eb7fe6 
+  //
eb7fe6 
+} REPEATING_HEADER;
eb7fe6 
+#pragma pack()
eb7fe6 
+
eb7fe6 
+/**
fcf9e8 
+  Enroll a set of certificates in a global variable, overwriting it.
eb7fe6 
+
eb7fe6 
+  The variable will be rewritten with NV+BS+RT+AT attributes.
eb7fe6 
+
eb7fe6 
+  @param[in] VariableName  The name of the variable to overwrite.
eb7fe6 
+
eb7fe6 
+  @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
eb7fe6 
+                           overwrite.
eb7fe6 
+
fcf9e8 
+  @param[in] CertType      The GUID determining the type of all the
fcf9e8 
+                           certificates in the set that is passed in. For
fcf9e8 
+                           example, gEfiCertX509Guid stands for DER-encoded
fcf9e8 
+                           X.509 certificates, while gEfiCertSha256Guid stands
fcf9e8 
+                           for SHA256 image hashes.
fcf9e8 
+
eb7fe6 
+  @param[in] ...           A list of
eb7fe6 
+
eb7fe6 
+                             IN CONST UINT8    *Cert,
eb7fe6 
+                             IN UINTN          CertSize,
eb7fe6 
+                             IN CONST EFI_GUID *OwnerGuid
eb7fe6 
+
eb7fe6 
+                           triplets. If the first component of a triplet is
eb7fe6 
+                           NULL, then the other two components are not
eb7fe6 
+                           accessed, and processing is terminated. The list of
fcf9e8 
+                           certificates is enrolled in the variable specified,
fcf9e8 
+                           overwriting it. The OwnerGuid component identifies
fcf9e8 
+                           the agent installing the certificate.
eb7fe6 
+
eb7fe6 
+  @retval EFI_INVALID_PARAMETER  The triplet list is empty (ie. the first Cert
eb7fe6 
+                                 value is NULL), or one of the CertSize values
eb7fe6 
+                                 is 0, or one of the CertSize values would
eb7fe6 
+                                 overflow the accumulated UINT32 data size.
eb7fe6 
+
eb7fe6 
+  @retval EFI_OUT_OF_RESOURCES   Out of memory while formatting variable
eb7fe6 
+                                 payload.
eb7fe6 
+
eb7fe6 
+  @retval EFI_SUCCESS            Enrollment successful; the variable has been
eb7fe6 
+                                 overwritten (or created).
eb7fe6 
+
eb7fe6 
+  @return                        Error codes from gRT->GetTime() and
eb7fe6 
+                                 gRT->SetVariable().
eb7fe6 
+**/
eb7fe6 
+STATIC
eb7fe6 
+EFI_STATUS
eb7fe6 
+EFIAPI
fcf9e8 
+EnrollListOfCerts (
eb7fe6 
+  IN CHAR16   *VariableName,
eb7fe6 
+  IN EFI_GUID *VendorGuid,
fcf9e8 
+  IN EFI_GUID *CertType,
eb7fe6 
+  ...
eb7fe6 
+  )
eb7fe6 
+{
eb7fe6 
+  UINTN            DataSize;
eb7fe6 
+  SINGLE_HEADER    *SingleHeader;
eb7fe6 
+  REPEATING_HEADER *RepeatingHeader;
eb7fe6 
+  VA_LIST          Marker;
eb7fe6 
+  CONST UINT8      *Cert;
eb7fe6 
+  EFI_STATUS       Status;
eb7fe6 
+  UINT8            *Data;
eb7fe6 
+  UINT8            *Position;
eb7fe6 
+
eb7fe6 
+  Status = EFI_SUCCESS;
eb7fe6 
+
eb7fe6 
+  //
eb7fe6 
+  // compute total size first, for UINT32 range check, and allocation
eb7fe6 
+  //
eb7fe6 
+  DataSize = sizeof *SingleHeader;
fcf9e8 
+  VA_START (Marker, CertType);
eb7fe6 
+  for (Cert = VA_ARG (Marker, CONST UINT8 *);
eb7fe6 
+       Cert != NULL;
eb7fe6 
+       Cert = VA_ARG (Marker, CONST UINT8 *)) {
eb7fe6 
+    UINTN          CertSize;
eb7fe6 
+
eb7fe6 
+    CertSize = VA_ARG (Marker, UINTN);
eb7fe6 
+    (VOID)VA_ARG (Marker, CONST EFI_GUID *);
eb7fe6 
+
eb7fe6 
+    if (CertSize == 0 ||
eb7fe6 
+        CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||
eb7fe6 
+        DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {
eb7fe6 
+      Status = EFI_INVALID_PARAMETER;
eb7fe6 
+      break;
eb7fe6 
+    }
eb7fe6 
+    DataSize += sizeof *RepeatingHeader + CertSize;
eb7fe6 
+  }
eb7fe6 
+  VA_END (Marker);
eb7fe6 
+
eb7fe6 
+  if (DataSize == sizeof *SingleHeader) {
eb7fe6 
+    Status = EFI_INVALID_PARAMETER;
eb7fe6 
+  }
eb7fe6 
+  if (EFI_ERROR (Status)) {
eb7fe6 
+    goto Out;
eb7fe6 
+  }
eb7fe6 
+
eb7fe6 
+  Data = AllocatePool (DataSize);
eb7fe6 
+  if (Data == NULL) {
eb7fe6 
+    Status = EFI_OUT_OF_RESOURCES;
eb7fe6 
+    goto Out;
eb7fe6 
+  }
eb7fe6 
+
eb7fe6 
+  Position = Data;
eb7fe6 
+
eb7fe6 
+  SingleHeader = (SINGLE_HEADER *)Position;
eb7fe6 
+  Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);
eb7fe6 
+  if (EFI_ERROR (Status)) {
eb7fe6 
+    goto FreeData;
eb7fe6 
+  }
eb7fe6 
+  SingleHeader->TimeStamp.Pad1       = 0;
eb7fe6 
+  SingleHeader->TimeStamp.Nanosecond = 0;
eb7fe6 
+  SingleHeader->TimeStamp.TimeZone   = 0;
eb7fe6 
+  SingleHeader->TimeStamp.Daylight   = 0;
eb7fe6 
+  SingleHeader->TimeStamp.Pad2       = 0;
eb7fe6 
+#if 0
eb7fe6 
+  SingleHeader->dwLength         = DataSize - sizeof SingleHeader->TimeStamp;
eb7fe6 
+#else
eb7fe6 
+  //
eb7fe6 
+  // This looks like a bug in edk2. According to the UEFI specification,
eb7fe6 
+  // dwLength is "The length of the entire certificate, including the length of
eb7fe6 
+  // the header, in bytes". That shouldn't stop right after CertType -- it
eb7fe6 
+  // should include everything below it.
eb7fe6 
+  //
eb7fe6 
+  SingleHeader->dwLength         = sizeof *SingleHeader
eb7fe6 
+                                     - sizeof SingleHeader->TimeStamp;
eb7fe6 
+#endif
eb7fe6 
+  SingleHeader->wRevision        = 0x0200;
eb7fe6 
+  SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;
eb7fe6 
+  CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);
eb7fe6 
+  Position += sizeof *SingleHeader;
eb7fe6 
+
fcf9e8 
+  VA_START (Marker, CertType);
eb7fe6 
+  for (Cert = VA_ARG (Marker, CONST UINT8 *);
eb7fe6 
+       Cert != NULL;
eb7fe6 
+       Cert = VA_ARG (Marker, CONST UINT8 *)) {
eb7fe6 
+    UINTN            CertSize;
eb7fe6 
+    CONST EFI_GUID   *OwnerGuid;
eb7fe6 
+
eb7fe6 
+    CertSize  = VA_ARG (Marker, UINTN);
eb7fe6 
+    OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
eb7fe6 
+
eb7fe6 
+    RepeatingHeader = (REPEATING_HEADER *)Position;
fcf9e8 
+    CopyGuid (&RepeatingHeader->SignatureType, CertType);
eb7fe6 
+    RepeatingHeader->SignatureListSize   =
eb7fe6 
+      (UINT32)(sizeof *RepeatingHeader + CertSize);
eb7fe6 
+    RepeatingHeader->SignatureHeaderSize = 0;
eb7fe6 
+    RepeatingHeader->SignatureSize       =
eb7fe6 
+      (UINT32)(sizeof RepeatingHeader->SignatureOwner + CertSize);
eb7fe6 
+    CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);
eb7fe6 
+    Position += sizeof *RepeatingHeader;
eb7fe6 
+
eb7fe6 
+    CopyMem (Position, Cert, CertSize);
eb7fe6 
+    Position += CertSize;
eb7fe6 
+  }
eb7fe6 
+  VA_END (Marker);
eb7fe6 
+
eb7fe6 
+  ASSERT (Data + DataSize == Position);
eb7fe6 
+
eb7fe6 
+  Status = gRT->SetVariable (VariableName, VendorGuid,
eb7fe6 
+                  (EFI_VARIABLE_NON_VOLATILE |
eb7fe6 
+                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
eb7fe6 
+                   EFI_VARIABLE_RUNTIME_ACCESS |
eb7fe6 
+                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
eb7fe6 
+                  DataSize, Data);
eb7fe6 
+
eb7fe6 
+FreeData:
eb7fe6 
+  FreePool (Data);
eb7fe6 
+
eb7fe6 
+Out:
eb7fe6 
+  if (EFI_ERROR (Status)) {
eb7fe6 
+    AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
eb7fe6 
+      VendorGuid, Status);
eb7fe6 
+  }
eb7fe6 
+  return Status;
eb7fe6 
+}
eb7fe6 
+
eb7fe6 
+
eb7fe6 
+STATIC
eb7fe6 
+EFI_STATUS
eb7fe6 
+EFIAPI
eb7fe6 
+GetExact (
eb7fe6 
+  IN CHAR16   *VariableName,
eb7fe6 
+  IN EFI_GUID *VendorGuid,
eb7fe6 
+  OUT VOID    *Data,
eb7fe6 
+  IN UINTN    DataSize,
eb7fe6 
+  IN BOOLEAN  AllowMissing
eb7fe6 
+  )
eb7fe6 
+{
eb7fe6 
+  UINTN      Size;
eb7fe6 
+  EFI_STATUS Status;
eb7fe6 
+
eb7fe6 
+  Size = DataSize;
eb7fe6 
+  Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);
eb7fe6 
+  if (EFI_ERROR (Status)) {
eb7fe6 
+    if (Status == EFI_NOT_FOUND && AllowMissing) {
eb7fe6 
+      ZeroMem (Data, DataSize);
eb7fe6 
+      return EFI_SUCCESS;
eb7fe6 
+    }
eb7fe6 
+
eb7fe6 
+    AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,
eb7fe6 
+      VendorGuid, Status);
eb7fe6 
+    return Status;
eb7fe6 
+  }
eb7fe6 
+
eb7fe6 
+  if (Size != DataSize) {
eb7fe6 
+    AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
eb7fe6 
+      "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
eb7fe6 
+    return EFI_PROTOCOL_ERROR;
eb7fe6 
+  }
eb7fe6 
+
eb7fe6 
+  return EFI_SUCCESS;
eb7fe6 
+}
eb7fe6 
+
eb7fe6 
+typedef struct {
eb7fe6 
+  UINT8 SetupMode;
eb7fe6 
+  UINT8 SecureBoot;
eb7fe6 
+  UINT8 SecureBootEnable;
eb7fe6 
+  UINT8 CustomMode;
eb7fe6 
+  UINT8 VendorKeys;
eb7fe6 
+} SETTINGS;
eb7fe6 
+
eb7fe6 
+STATIC
eb7fe6 
+EFI_STATUS
eb7fe6 
+EFIAPI
eb7fe6 
+GetSettings (
eb7fe6 
+  OUT SETTINGS *Settings
eb7fe6 
+  )
eb7fe6 
+{
eb7fe6 
+  EFI_STATUS Status;
eb7fe6 
+
eb7fe6 
+  Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
eb7fe6 
+             &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
eb7fe6 
+  if (EFI_ERROR (Status)) {
eb7fe6 
+    return Status;
eb7fe6 
+  }
eb7fe6 
+
eb7fe6 
+  Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,
eb7fe6 
+             &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);
eb7fe6 
+  if (EFI_ERROR (Status)) {
eb7fe6 
+    return Status;
eb7fe6 
+  }
eb7fe6 
+
eb7fe6 
+  Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,
eb7fe6 
+             &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,
eb7fe6 
+             sizeof Settings->SecureBootEnable, TRUE);
eb7fe6 
+  if (EFI_ERROR (Status)) {
eb7fe6 
+    return Status;
eb7fe6 
+  }
eb7fe6 
+
eb7fe6 
+  Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
eb7fe6 
+             &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);
eb7fe6 
+  if (EFI_ERROR (Status)) {
eb7fe6 
+    return Status;
eb7fe6 
+  }
eb7fe6 
+
eb7fe6 
+  Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
eb7fe6 
+             &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
eb7fe6 
+  return Status;
eb7fe6 
+}
eb7fe6 
+
eb7fe6 
+STATIC
eb7fe6 
+VOID
eb7fe6 
+EFIAPI
eb7fe6 
+PrintSettings (
eb7fe6 
+  IN CONST SETTINGS *Settings
eb7fe6 
+  )
eb7fe6 
+{
eb7fe6 
+  AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
eb7fe6 
+    "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
eb7fe6 
+    Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
eb7fe6 
+}
eb7fe6 
+
eb7fe6 
+
eb7fe6 
+INTN
eb7fe6 
+EFIAPI
eb7fe6 
+ShellAppMain (
eb7fe6 
+  IN UINTN  Argc,
eb7fe6 
+  IN CHAR16 **Argv
eb7fe6 
+  )
eb7fe6 
+{
eb7fe6 
+  EFI_STATUS Status;
eb7fe6 
+  SETTINGS   Settings;
eb7fe6 
+
eb7fe6 
+  Status = GetSettings (&Settings);
eb7fe6 
+  if (EFI_ERROR (Status)) {
eb7fe6 
+    return 1;
eb7fe6 
+  }
eb7fe6 
+  PrintSettings (&Settings);
eb7fe6 
+
eb7fe6 
+  if (Settings.SetupMode != 1) {
eb7fe6 
+    AsciiPrint ("error: already in User Mode\n");
eb7fe6 
+    return 1;
eb7fe6 
+  }
eb7fe6 
+
eb7fe6 
+  if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
eb7fe6 
+    Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
eb7fe6 
+    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
eb7fe6 
+                    (EFI_VARIABLE_NON_VOLATILE |
eb7fe6 
+                     EFI_VARIABLE_BOOTSERVICE_ACCESS),
eb7fe6 
+                    sizeof Settings.CustomMode, &Settings.CustomMode);
eb7fe6 
+    if (EFI_ERROR (Status)) {
eb7fe6 
+      AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
eb7fe6 
+        &gEfiCustomModeEnableGuid, Status);
eb7fe6 
+      return 1;
eb7fe6 
+    }
eb7fe6 
+  }
eb7fe6 
+
fcf9e8 
+  Status = EnrollListOfCerts (
eb7fe6 
+             EFI_IMAGE_SECURITY_DATABASE,
eb7fe6 
+             &gEfiImageSecurityDatabaseGuid,
fcf9e8 
+             &gEfiCertX509Guid,
fcf9e8 
+             MicrosoftPCA,    sizeof MicrosoftPCA,    &mMicrosoftOwnerGuid,
fcf9e8 
+             MicrosoftUefiCA, sizeof MicrosoftUefiCA, &mMicrosoftOwnerGuid,
fcf9e8 
+             NULL);
fcf9e8 
+  if (EFI_ERROR (Status)) {
fcf9e8 
+    return 1;
fcf9e8 
+  }
fcf9e8 
+
fcf9e8 
+  Status = EnrollListOfCerts (
fcf9e8 
+             EFI_IMAGE_SECURITY_DATABASE1,
fcf9e8 
+             &gEfiImageSecurityDatabaseGuid,
fcf9e8 
+             &gEfiCertSha256Guid,
fcf9e8 
+             mSha256OfDevNull, sizeof mSha256OfDevNull, &gEfiCallerIdGuid,
eb7fe6 
+             NULL);
eb7fe6 
+  if (EFI_ERROR (Status)) {
eb7fe6 
+    return 1;
eb7fe6 
+  }
eb7fe6 
+
fcf9e8 
+  Status = EnrollListOfCerts (
eb7fe6 
+             EFI_KEY_EXCHANGE_KEY_NAME,
eb7fe6 
+             &gEfiGlobalVariableGuid,
fcf9e8 
+             &gEfiCertX509Guid,
eb7fe6 
+             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiCallerIdGuid,
fcf9e8 
+             MicrosoftKEK, sizeof MicrosoftKEK, &mMicrosoftOwnerGuid,
eb7fe6 
+             NULL);
eb7fe6 
+  if (EFI_ERROR (Status)) {
eb7fe6 
+    return 1;
eb7fe6 
+  }
eb7fe6 
+
fcf9e8 
+  Status = EnrollListOfCerts (
eb7fe6 
+             EFI_PLATFORM_KEY_NAME,
eb7fe6 
+             &gEfiGlobalVariableGuid,
fcf9e8 
+             &gEfiCertX509Guid,
eb7fe6 
+             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiGlobalVariableGuid,
eb7fe6 
+             NULL);
eb7fe6 
+  if (EFI_ERROR (Status)) {
eb7fe6 
+    return 1;
eb7fe6 
+  }
eb7fe6 
+
eb7fe6 
+  Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
eb7fe6 
+  Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
eb7fe6 
+                  EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
eb7fe6 
+                  sizeof Settings.CustomMode, &Settings.CustomMode);
eb7fe6 
+  if (EFI_ERROR (Status)) {
eb7fe6 
+    AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
eb7fe6 
+      &gEfiCustomModeEnableGuid, Status);
eb7fe6 
+    return 1;
eb7fe6 
+  }
eb7fe6 
+
eb7fe6 
+  Status = GetSettings (&Settings);
eb7fe6 
+  if (EFI_ERROR (Status)) {
eb7fe6 
+    return 1;
eb7fe6 
+  }
eb7fe6 
+  PrintSettings (&Settings);
eb7fe6 
+
eb7fe6 
+  if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
eb7fe6 
+      Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
eb7fe6 
+      Settings.VendorKeys != 0) {
eb7fe6 
+    AsciiPrint ("error: unexpected\n");
eb7fe6 
+    return 1;
eb7fe6 
+  }
eb7fe6 
+
eb7fe6 
+  AsciiPrint ("info: success\n");
eb7fe6 
+  return 0;
eb7fe6 
+}
eb7fe6 
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
eb7fe6 
new file mode 100644
fcf9e8 
index 0000000..0ad86a2
eb7fe6 
--- /dev/null
eb7fe6 
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
fcf9e8 
@@ -0,0 +1,52 @@
eb7fe6 
+## @file
eb7fe6 
+#  Enroll default PK, KEK, DB.
eb7fe6 
+#
eb7fe6 
+#  Copyright (C) 2014, Red Hat, Inc.
eb7fe6 
+#
eb7fe6 
+#  This program and the accompanying materials are licensed and made available
eb7fe6 
+#  under the terms and conditions of the BSD License which accompanies this
eb7fe6 
+#  distribution. The full text of the license may be found at
eb7fe6 
+#  http://opensource.org/licenses/bsd-license.
eb7fe6 
+#
eb7fe6 
+#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
eb7fe6 
+#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
eb7fe6 
+#  IMPLIED.
eb7fe6 
+##
eb7fe6 
+
eb7fe6 
+[Defines]
eb7fe6 
+  INF_VERSION                    = 0x00010006
eb7fe6 
+  BASE_NAME                      = EnrollDefaultKeys
eb7fe6 
+  FILE_GUID                      = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
eb7fe6 
+  MODULE_TYPE                    = UEFI_APPLICATION
eb7fe6 
+  VERSION_STRING                 = 0.1
eb7fe6 
+  ENTRY_POINT                    = ShellCEntryLib
eb7fe6 
+
eb7fe6 
+#
eb7fe6 
+#  VALID_ARCHITECTURES           = IA32 X64
eb7fe6 
+#
eb7fe6 
+
eb7fe6 
+[Sources]
eb7fe6 
+  EnrollDefaultKeys.c
eb7fe6 
+
eb7fe6 
+[Packages]
eb7fe6 
+  MdePkg/MdePkg.dec
eb7fe6 
+  MdeModulePkg/MdeModulePkg.dec
eb7fe6 
+  SecurityPkg/SecurityPkg.dec
eb7fe6 
+  ShellPkg/ShellPkg.dec
eb7fe6 
+
eb7fe6 
+[Guids]
eb7fe6 
+  gEfiCertPkcs7Guid
fcf9e8 
+  gEfiCertSha256Guid
eb7fe6 
+  gEfiCertX509Guid
eb7fe6 
+  gEfiCustomModeEnableGuid
eb7fe6 
+  gEfiGlobalVariableGuid
eb7fe6 
+  gEfiImageSecurityDatabaseGuid
eb7fe6 
+  gEfiSecureBootEnableDisableGuid
eb7fe6 
+
eb7fe6 
+[LibraryClasses]
eb7fe6 
+  BaseMemoryLib
eb7fe6 
+  DebugLib
eb7fe6 
+  MemoryAllocationLib
eb7fe6 
+  ShellCEntryLib
eb7fe6 
+  UefiLib
eb7fe6 
+  UefiRuntimeServicesTableLib
eb7fe6 
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
6ef48d 
index b577767..4d268c9 100644
eb7fe6 
--- a/OvmfPkg/OvmfPkgIa32.dsc
eb7fe6 
+++ b/OvmfPkg/OvmfPkgIa32.dsc
6ef48d 
@@ -865,6 +865,10 @@
eb7fe6
eb7fe6 
 !if $(SECURE_BOOT_ENABLE) == TRUE
eb7fe6 
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
eb7fe6 
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
eb7fe6 
+    <LibraryClasses>
eb7fe6 
+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
eb7fe6 
+  }
eb7fe6 
 !endif
eb7fe6
eb7fe6 
   OvmfPkg/PlatformDxe/Platform.inf
eb7fe6 
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
6ef48d 
index a6a40be..6836622 100644
eb7fe6 
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
eb7fe6 
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
6ef48d 
@@ -874,6 +874,10 @@
eb7fe6
eb7fe6 
 !if $(SECURE_BOOT_ENABLE) == TRUE
eb7fe6 
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
eb7fe6 
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
eb7fe6 
+    <LibraryClasses>
eb7fe6 
+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
eb7fe6 
+  }
eb7fe6 
 !endif
eb7fe6
eb7fe6 
   OvmfPkg/PlatformDxe/Platform.inf
eb7fe6 
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
6ef48d 
index 8bd3754..0b3008f 100644
eb7fe6 
--- a/OvmfPkg/OvmfPkgX64.dsc
eb7fe6 
+++ b/OvmfPkg/OvmfPkgX64.dsc
6ef48d 
@@ -872,6 +872,10 @@
eb7fe6
eb7fe6 
 !if $(SECURE_BOOT_ENABLE) == TRUE
eb7fe6 
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
eb7fe6 
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
eb7fe6 
+    <LibraryClasses>
eb7fe6 
+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
eb7fe6 
+  }
eb7fe6 
 !endif
eb7fe6
eb7fe6 
   OvmfPkg/PlatformDxe/Platform.inf
eb7fe6 
--
eb7fe6 
1.8.3.1
eb7fe6

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation