Blame SOURCES/0018-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch

From c0b2615a9c0b4a4be1bffe45681a32915449279d Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 4 Nov 2014 23:02:55 +0100
Subject: OvmfPkg: EnrollDefaultKeys: application for enrolling default keys
 (RH only)

Message-id: <1415138578-27173-16-git-send-email-lersek@redhat.com>
Patchwork-id: 62121
O-Subject:  [RHEL-7.1 ovmf PATCH v2 15/18] OvmfPkg: EnrollDefaultKeys:
	application for enrolling default keys (RH only)
Bugzilla: 1148296
1160400
Acked-by: Andrew Jones <drjones@redhat.com>
Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>

This application is meant to be invoked by the management layer, after
booting the UEFI shell and getting a shell prompt on the serial console.
The app enrolls a number of certificates (see below), and then reports
status to the serial console as well. The expected output is "info:
success":

> Shell> EnrollDefaultKeys.efi
> info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
> info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
> info: success
> Shell>

In case of success, the management layer can force off or reboot the VM
(for example with the "reset -s" or "reset -c" UEFI shell commands,
respectively), and start the guest installation with SecureBoot enabled.

PK:
- A unique, static, ad-hoc certificate whose private half has been
  destroyed (more precisely, never saved) and is therefore unusable for
  signing. (The command for creating this certificate is saved in the
  source code.) Background:

On 09/30/14 20:00, Peter Jones wrote:
> We should generate a special key that's not in our normal signing chains
> for PK and KEK.  The reason for this is that [in practice] PK gets
> treated as part of DB (*).
>
> [Shipping a key in our normal signing chains] as PK means you can run
> grub directly, in which case it won't have access to the shim protocol.
> When grub is run without the shim protocol registered, it assumes SB is
> disabled and boots without verifying the kernel.  We don't want that to
> be a thing you can do, but allowing that is the inevitable result of
> shipping with any of our normal signing chain in PK or KEK.
>
> (* USRT has actually agreed that since you can escalate to this behavior
> if you have the secret half of a key in KEK or PK anyway, and many
> vendors had already shipped it this way, that it is fine and I think
> even *expected* at this point, even though it wasn't formally in the
> UEFI 2.3.1 Spec that introduced Secure Boot.  I'll try and make sure the
> language reflects that in an upcoming spec revision.)
>
> So let me get SRT to issue a special key to use for PK and KEK.  We can
> use it just for those operations, and make sure it's protected with the
> same processes and controls as our other signing keys.

  Until SRT generates such a key for us, this ad-hoc key should be a good
  placeholder.

KEK:
- same ad-hoc certificate as used for the PK,
- "Microsoft Corporation KEK CA 2011" -- the dbx data in Fedora's dbxtool
  package is signed (indirectly, through a chain) with this; enrolling
  such a KEK should allow guests to install those updates.

DB:
- "Microsoft Windows Production PCA 2011" -- to load Windows 8 and Windows
  Server 2012 R2,
- "Microsoft Corporation UEFI CA 2011" -- to load Linux and signed PCI
  oproms.

*UPDATE*

OvmfPkg: EnrollDefaultKeys: pick up official Red Hat PK/KEK (RHEL only)

Replace the placeholder ExampleCert with a certificate generated and
managed by the Red Hat Security Response Team.

> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 18371740789028339953 (0xfef588e8f396c0f1)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: CN=Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com
>         Validity
>             Not Before: Oct 31 11:15:37 2014 GMT
>             Not After : Oct 25 11:15:37 2037 GMT
>         Subject: CN=Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Comment:
>                 OpenSSL Generated Certificate
>             X509v3 Subject Key Identifier:
>                 3C:E9:60:E3:FF:19:A1:0A:7B:A3:42:F4:8D:42:2E:B4:D5:9C:72:EC
>             X509v3 Authority Key Identifier:
>                 keyid:3C:E9:60:E3:FF:19:A1:0A:7B:A3:42:F4:8D:42:2E:B4:D5:9C:72:EC

Notes about the 9ece15a -> c9e5618 rebase:
- resolved conflicts in:
    OvmfPkg/OvmfPkgIa32.dsc
    OvmfPkg/OvmfPkgIa32X64.dsc
    OvmfPkg/OvmfPkgX64.dsc
  due to OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf having
  disappeared in upstream (commit 57446bb9).

Notes about the c9e5618 -> b9ffeab rebase:
- Guid/VariableFormat.h now lives under MdeModulePkg.

Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:

- This patch now squashes the following commits:
  - 014f459c197b OvmfPkg: EnrollDefaultKeys: application for enrolling
                 default keys (RH only)
  - 18422a18d0e9 OvmfPkg/EnrollDefaultKeys: assign Status before reading
                 it (RH only)
  - ddb90568e874 OvmfPkg/EnrollDefaultKeys: silence VS2015x86 warning (RH
                 only)

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 931 ++++++++++++++++++++++++
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |  51 ++
 OvmfPkg/OvmfPkgIa32.dsc                         |   4 +
 OvmfPkg/OvmfPkgIa32X64.dsc                      |   4 +
 OvmfPkg/OvmfPkgX64.dsc                          |   4 +
 5 files changed, 994 insertions(+)
 create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
 create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf

diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
new file mode 100644
index 0000000..0dd485e
--- /dev/null
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -0,0 +1,931 @@
+/** @file
+  Enroll default PK, KEK, DB.
+
+  Copyright (C) 2014, Red Hat, Inc.
+
+  This program and the accompanying materials are licensed and made available
+  under the terms and conditions of the BSD License which accompanies this
+  distribution. The full text of the license may be found at
+  http://opensource.org/licenses/bsd-license.
+
+  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
+  WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+**/
+#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
+#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
+#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
+#include <Library/BaseMemoryLib.h>               // CopyGuid()
+#include <Library/DebugLib.h>                    // ASSERT()
+#include <Library/MemoryAllocationLib.h>         // FreePool()
+#include <Library/ShellCEntryLib.h>              // ShellAppMain()
+#include <Library/UefiLib.h>                     // AsciiPrint()
+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
+
+//
+// We'll use the certificate below as both Platform Key and as first Key
+// Exchange Key.
+//
+// "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
+// SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
+//
+STATIC CONST UINT8 RedHatPkKek1[] = {
+  0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, 0x02,
+  0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, 0x0d,
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
+  0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22,
+  0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
+  0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45,
+  0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06,
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73,
+  0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61,
+  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
+  0x33, 0x31, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, 0x37,
+  0x31, 0x30, 0x32, 0x35, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x30, 0x51,
+  0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x52, 0x65,
+  0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20,
+  0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45, 0x4b, 0x20,
+  0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a,
+  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,
+  0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, 0x2e,
+  0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
+  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
+  0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x90, 0x1f, 0x84,
+  0x7b, 0x8d, 0xbc, 0xeb, 0x97, 0x26, 0x82, 0x6d, 0x88, 0xab, 0x8a, 0xc9, 0x8c,
+  0x68, 0x70, 0xf9, 0xdf, 0x4b, 0x07, 0xb2, 0x37, 0x83, 0x0b, 0x02, 0xc8, 0x67,
+  0x68, 0x30, 0x9e, 0xe3, 0xf0, 0xf0, 0x99, 0x4a, 0xb8, 0x59, 0x57, 0xc6, 0x41,
+  0xf6, 0x38, 0x8b, 0xfe, 0x66, 0x4c, 0x49, 0xe9, 0x37, 0x37, 0x92, 0x2e, 0x98,
+  0x01, 0x1e, 0x5b, 0x14, 0x50, 0xe6, 0xa8, 0x8d, 0x25, 0x0d, 0xf5, 0x86, 0xe6,
+  0xab, 0x30, 0xcb, 0x40, 0x16, 0xea, 0x8d, 0x8b, 0x16, 0x86, 0x70, 0x43, 0x37,
+  0xf2, 0xce, 0xc0, 0x91, 0xdf, 0x71, 0x14, 0x8e, 0x99, 0x0e, 0x89, 0xb6, 0x4c,
+  0x6d, 0x24, 0x1e, 0x8c, 0xe4, 0x2f, 0x4f, 0x25, 0xd0, 0xba, 0x06, 0xf8, 0xc6,
+  0xe8, 0x19, 0x18, 0x76, 0x73, 0x1d, 0x81, 0x6d, 0xa8, 0xd8, 0x05, 0xcf, 0x3a,
+  0xc8, 0x7b, 0x28, 0xc8, 0x36, 0xa3, 0x16, 0x0d, 0x29, 0x8c, 0x99, 0x9a, 0x68,
+  0xdc, 0xab, 0xc0, 0x4d, 0x8d, 0xbf, 0x5a, 0xbb, 0x2b, 0xa9, 0x39, 0x4b, 0x04,
+  0x97, 0x1c, 0xf9, 0x36, 0xbb, 0xc5, 0x3a, 0x86, 0x04, 0xae, 0xaf, 0xd4, 0x82,
+  0x7b, 0xe0, 0xab, 0xde, 0x49, 0x05, 0x68, 0xfc, 0xf6, 0xae, 0x68, 0x1a, 0x6c,
+  0x90, 0x4d, 0x57, 0x19, 0x3c, 0x64, 0x66, 0x03, 0xf6, 0xc7, 0x52, 0x9b, 0xf7,
+  0x94, 0xcf, 0x93, 0x6a, 0xa1, 0x68, 0xc9, 0xaa, 0xcf, 0x99, 0x6b, 0xbc, 0xaa,
+  0x5e, 0x08, 0xe7, 0x39, 0x1c, 0xf7, 0xf8, 0x0f, 0xba, 0x06, 0x7e, 0xf1, 0xcb,
+  0xe8, 0x76, 0xdd, 0xfe, 0x22, 0xda, 0xad, 0x3a, 0x5e, 0x5b, 0x34, 0xea, 0xb3,
+  0xc9, 0xe0, 0x4d, 0x04, 0x29, 0x7e, 0xb8, 0x60, 0xb9, 0x05, 0xef, 0xb5, 0xd9,
+  0x17, 0x58, 0x56, 0x16, 0x60, 0xb9, 0x30, 0x32, 0xf0, 0x36, 0x4a, 0xc3, 0xf2,
+  0x79, 0x8d, 0x12, 0x40, 0x70, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x7b,
+  0x30, 0x79, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00,
+  0x30, 0x2c, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x0d,
+  0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, 0x47,
+  0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72, 0x74,
+  0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
+  0x0e, 0x04, 0x16, 0x04, 0x14, 0x3c, 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a,
+  0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42, 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30,
+  0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x3c,
+  0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a, 0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42,
+  0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
+  0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
+  0x5c, 0x4d, 0x92, 0x88, 0xb4, 0x82, 0x5f, 0x1d, 0xad, 0x8b, 0x11, 0xec, 0xdf,
+  0x06, 0xa6, 0x7a, 0xa5, 0x2b, 0x9f, 0x37, 0x55, 0x0c, 0x8d, 0x6e, 0x05, 0x00,
+  0xad, 0xb7, 0x0c, 0x41, 0x89, 0x69, 0xcf, 0xd6, 0x65, 0x06, 0x9b, 0x51, 0x78,
+  0xd2, 0xad, 0xc7, 0xbf, 0x9c, 0xdc, 0x05, 0x73, 0x7f, 0xe7, 0x1e, 0x39, 0x13,
+  0xb4, 0xea, 0xb6, 0x30, 0x7d, 0x40, 0x75, 0xab, 0x9c, 0x43, 0x0b, 0xdf, 0xb0,
+  0xc2, 0x1b, 0xbf, 0x30, 0xe0, 0xf4, 0xfe, 0xc0, 0xdb, 0x62, 0x21, 0x98, 0xf6,
+  0xc5, 0xaf, 0xde, 0x3b, 0x4f, 0x49, 0x0a, 0xe6, 0x1e, 0xf9, 0x86, 0xb0, 0x3f,
+  0x0d, 0xd6, 0xd4, 0x46, 0x37, 0xdb, 0x54, 0x74, 0x5e, 0xff, 0x11, 0xc2, 0x60,
+  0xc6, 0x70, 0x58, 0xc5, 0x1c, 0x6f, 0xec, 0xb2, 0xd8, 0x6e, 0x6f, 0xc3, 0xbc,
+  0x33, 0x87, 0x38, 0xa4, 0xf3, 0x44, 0x64, 0x9c, 0x34, 0x3b, 0x28, 0x94, 0x26,
+  0x78, 0x27, 0x9f, 0x16, 0x17, 0xe8, 0x3b, 0x69, 0x0a, 0x25, 0xa9, 0x73, 0x36,
+  0x7e, 0x9e, 0x37, 0x5c, 0xec, 0xe8, 0x3f, 0xdb, 0x91, 0xf9, 0x12, 0xb3, 0x3d,
+  0xce, 0xe7, 0xdd, 0x15, 0xc3, 0xae, 0x8c, 0x05, 0x20, 0x61, 0x9b, 0x95, 0xde,
+  0x9b, 0xaf, 0xfa, 0xb1, 0x5c, 0x1c, 0xe5, 0x97, 0xe7, 0xc3, 0x34, 0x11, 0x85,
+  0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, 0x90,
+  0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, 0xaf,
+  0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, 0x37,
+  0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, 0xb7,
+  0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, 0x43,
+  0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69
+};
+
+//
+// Second KEK: "Microsoft Corporation KEK CA 2011".
+// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
+//
+// "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
+//
+STATIC CONST UINT8 MicrosoftKEK[] = {
+  0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
+  0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
+  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
+  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
+  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
+  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
+  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
+  0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32,
+  0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, 0x30,
+  0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
+  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
+  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
+  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
+  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
+  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06,
+  0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
+  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
+  0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31,
+  0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+  0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
+  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, 0xad,
+  0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, 0x5d,
+  0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, 0xeb,
+  0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, 0xe3,
+  0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, 0x9b,
+  0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, 0xac,
+  0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, 0xc8,
+  0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, 0xc0,
+  0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, 0xe2,
+  0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, 0x89,
+  0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, 0xc2,
+  0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, 0x03,
+  0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, 0x7e,
+  0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, 0xeb,
+  0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, 0x2f,
+  0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, 0xaa,
+  0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, 0x9f,
+  0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, 0xc6,
+  0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, 0xaf,
+  0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, 0x07,
+  0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, 0x30,
+  0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
+  0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,
+  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, 0xa4,
+  0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, 0x5f,
+  0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02,
+  0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
+  0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01,
+  0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
+  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
+  0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, 0x11,
+  0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, 0x30,
+  0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, 0xa0,
+  0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
+  0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e,
+  0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70,
+  0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f,
+  0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f,
+  0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63,
+  0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01,
+  0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
+  0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
+  0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
+  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, 0x74,
+  0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61,
+  0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d,
+  0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09,
+  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
+  0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, 0x2a,
+  0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, 0x66,
+  0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, 0x5a,
+  0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, 0x64,
+  0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, 0x58,
+  0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, 0xd0,
+  0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, 0xf5,
+  0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, 0xec,
+  0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, 0xd7,
+  0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, 0x28,
+  0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, 0x79,
+  0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, 0x7b,
+  0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, 0xd8,
+  0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, 0x19,
+  0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, 0x58,
+  0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, 0x0d,
+  0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, 0x2d,
+  0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, 0xc8,
+  0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, 0x60,
+  0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, 0xac,
+  0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, 0x87,
+  0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, 0xcd,
+  0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, 0x81,
+  0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, 0x92,
+  0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, 0xe0,
+  0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, 0xaf,
+  0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, 0xfb,
+  0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, 0x68,
+  0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, 0xad,
+  0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, 0x82,
+  0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, 0x14,
+  0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, 0x4f,
+  0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, 0x9b,
+  0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, 0xb0,
+  0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
+  0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
+  0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
+  0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
+  0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
+  0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
+};
+
+//
+// First DB entry: "Microsoft Windows Production PCA 2011"
+// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
+//
+// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
+// rooted in this certificate.
+//
+STATIC CONST UINT8 MicrosoftPCA[] = {
+  0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
+  0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
+  0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30,
+  0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f,
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72,
+  0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
+  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17,
+  0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, 0x32,
+  0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, 0x31,
+  0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
+  0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
+  0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f,
+  0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52,
+  0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55,
+  0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
eb7fe6
+  0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31,
eb7fe6
+  0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, 0x63,
eb7fe6
+  0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77,
eb7fe6
+  0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20,
eb7fe6
+  0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30,
eb7fe6
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
eb7fe6
+  0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
eb7fe6
+  0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, 0xf7,
eb7fe6
+  0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, 0xcb,
eb7fe6
+  0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, 0x8b,
eb7fe6
+  0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, 0xe3,
eb7fe6
+  0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, 0xc0,
eb7fe6
+  0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, 0x74,
eb7fe6
+  0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, 0x67,
eb7fe6
+  0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, 0x53,
eb7fe6
+  0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, 0x23,
eb7fe6
+  0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, 0xa3,
eb7fe6
+  0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, 0xff,
eb7fe6
+  0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, 0xe2,
eb7fe6
+  0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, 0x22,
eb7fe6
+  0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, 0xf3,
eb7fe6
+  0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, 0x2b,
eb7fe6
+  0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, 0xbc,
eb7fe6
+  0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, 0xd6,
eb7fe6
+  0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, 0xe8,
eb7fe6
+  0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, 0xa8,
eb7fe6
+  0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, 0x03,
eb7fe6
+  0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, 0x10,
eb7fe6
+  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
eb7fe6
+  0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
eb7fe6
+  0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, 0xf9,
eb7fe6
+  0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, 0x2b,
eb7fe6
+  0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00,
eb7fe6
+  0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03,
eb7fe6
+  0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03,
eb7fe6
+  0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
eb7fe6
+  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
eb7fe6
+  0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, 0x94,
eb7fe6
+  0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, 0x1d,
eb7fe6
+  0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, 0x45,
eb7fe6
+  0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69,
eb7fe6
+  0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
eb7fe6
+  0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63,
eb7fe6
+  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41,
eb7fe6
+  0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33,
eb7fe6
+  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
eb7fe6
+  0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
eb7fe6
+  0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, 0x3a,
eb7fe6
+  0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
eb7fe6
+  0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65,
eb7fe6
+  0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72,
eb7fe6
+  0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32,
eb7fe6
+  0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
eb7fe6
+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x14,
eb7fe6
+  0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, 0xbc,
eb7fe6
+  0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, 0xd0,
eb7fe6
+  0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, 0x61,
eb7fe6
+  0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, 0xda,
eb7fe6
+  0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, 0x6a,
eb7fe6
+  0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, 0xe2,
eb7fe6
+  0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, 0xea,
eb7fe6
+  0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, 0x30,
eb7fe6
+  0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, 0x86,
eb7fe6
+  0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, 0xc8,
eb7fe6
+  0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, 0xae,
eb7fe6
+  0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, 0xb8,
eb7fe6
+  0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, 0xac,
eb7fe6
+  0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, 0x84,
eb7fe6
+  0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, 0x73,
eb7fe6
+  0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, 0x73,
eb7fe6
+  0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, 0x60,
eb7fe6
+  0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, 0xb6,
eb7fe6
+  0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, 0x2a,
eb7fe6
+  0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, 0xba,
eb7fe6
+  0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, 0xce,
eb7fe6
+  0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, 0x0f,
eb7fe6
+  0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, 0x6e,
eb7fe6
+  0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, 0xd3,
eb7fe6
+  0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, 0x45,
eb7fe6
+  0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, 0xd0,
eb7fe6
+  0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, 0x24,
eb7fe6
+  0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, 0x2c,
eb7fe6
+  0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, 0xdf,
eb7fe6
+  0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, 0x6c,
eb7fe6
+  0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, 0xf2,
eb7fe6
+  0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, 0x5c,
eb7fe6
+  0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, 0x47,
eb7fe6
+  0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, 0x5a,
eb7fe6
+  0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
eb7fe6
+  0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
eb7fe6
+  0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
eb7fe6
+  0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
eb7fe6
+  0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
eb7fe6
+  0x62, 0x1c, 0x59, 0x7e
eb7fe6
+};
eb7fe6
+
eb7fe6
+//
eb7fe6
+// Second DB entry: "Microsoft Corporation UEFI CA 2011"
eb7fe6
+// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
eb7fe6
+//
eb7fe6
+// To verify the "shim" binary and PCI expansion ROMs with.
eb7fe6
+//
eb7fe6
+STATIC CONST UINT8 MicrosoftUefiCA[] = {
eb7fe6
+  0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
eb7fe6
+  0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
eb7fe6
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
eb7fe6
+  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
eb7fe6
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
eb7fe6
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
eb7fe6
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
eb7fe6
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
eb7fe6
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
eb7fe6
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
eb7fe6
+  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
eb7fe6
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
eb7fe6
+  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
eb7fe6
+  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
eb7fe6
+  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
eb7fe6
+  0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x32,
eb7fe6
+  0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30,
eb7fe6
+  0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
eb7fe6
+  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
eb7fe6
+  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
eb7fe6
+  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
eb7fe6
+  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
eb7fe6
+  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
eb7fe6
+  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, 0x06,
eb7fe6
+  0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
eb7fe6
+  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
eb7fe6
+  0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31,
eb7fe6
+  0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
eb7fe6
+  0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
eb7fe6
+  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, 0xc7,
eb7fe6
+  0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, 0x43,
eb7fe6
+  0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, 0x73,
eb7fe6
+  0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, 0xd3,
eb7fe6
+  0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, 0x54,
eb7fe6
+  0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, 0x5c,
eb7fe6
+  0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, 0x4f,
eb7fe6
+  0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, 0xae,
eb7fe6
+  0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, 0x1d,
eb7fe6
+  0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, 0xfa,
eb7fe6
+  0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, 0xff,
eb7fe6
+  0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, 0x7b,
eb7fe6
+  0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, 0xe6,
eb7fe6
+  0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, 0x62,
eb7fe6
+  0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, 0x08,
eb7fe6
+  0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, 0xe7,
eb7fe6
+  0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, 0xb2,
eb7fe6
+  0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, 0x7f,
eb7fe6
+  0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, 0x8b,
eb7fe6
+  0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, 0x6a,
eb7fe6
+  0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x76,
eb7fe6
+  0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01,
eb7fe6
+  0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x23,
eb7fe6
+  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, 0x16,
eb7fe6
+  0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, 0x37,
eb7fe6
+  0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, 0x03,
eb7fe6
+  0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, 0xbd,
eb7fe6
+  0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, 0x1b,
eb7fe6
+  0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14,
eb7fe6
+  0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43,
eb7fe6
+  0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
eb7fe6
+  0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
eb7fe6
+  0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
eb7fe6
+  0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58,
eb7fe6
+  0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8,
eb7fe6
+  0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51,
eb7fe6
+  0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
eb7fe6
+  0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
eb7fe6
+  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f,
eb7fe6
+  0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43,
eb7fe6
+  0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f,
eb7fe6
+  0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e,
eb7fe6
+  0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
eb7fe6
+  0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01,
eb7fe6
+  0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
eb7fe6
+  0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
eb7fe6
+  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72,
eb7fe6
+  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50,
eb7fe6
+  0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30,
eb7fe6
+  0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06,
eb7fe6
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
eb7fe6
+  0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, 0x76,
eb7fe6
+  0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, 0xef,
eb7fe6
+  0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, 0x13,
eb7fe6
+  0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, 0x82,
eb7fe6
+  0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, 0x1a,
eb7fe6
+  0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, 0x20,
eb7fe6
+  0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, 0x90,
eb7fe6
+  0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, 0x52,
eb7fe6
+  0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, 0x6d,
eb7fe6
+  0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, 0xaf,
eb7fe6
+  0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, 0x49,
eb7fe6
+  0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, 0x34,
eb7fe6
+  0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, 0x75,
eb7fe6
+  0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, 0xb9,
eb7fe6
+  0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, 0x8f,
eb7fe6
+  0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, 0x8c,
eb7fe6
+  0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, 0x56,
eb7fe6
+  0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, 0xae,
eb7fe6
+  0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, 0x4a,
eb7fe6
+  0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, 0x3c,
eb7fe6
+  0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, 0x59,
eb7fe6
+  0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, 0x3d,
eb7fe6
+  0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, 0x53,
eb7fe6
+  0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, 0x1b,
eb7fe6
+  0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, 0x98,
eb7fe6
+  0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, 0x85,
eb7fe6
+  0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, 0xd2,
eb7fe6
+  0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, 0xe2,
eb7fe6
+  0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, 0x6c,
eb7fe6
+  0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, 0x3b,
eb7fe6
+  0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, 0x27,
eb7fe6
+  0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, 0xa6,
eb7fe6
+  0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, 0x3f,
eb7fe6
+  0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, 0x55,
eb7fe6
+  0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
eb7fe6
+  0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
eb7fe6
+  0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
eb7fe6
+  0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
eb7fe6
+  0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
eb7fe6
+  0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
eb7fe6
+};
eb7fe6
+
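Review bot: The comment above MicrosoftUefiCA identifies the blob only by a SHA1 fingerprint and gives no source for the DER bytes. Add where the certificate was obtained and a SHA-256 fingerprint, so the array can be re-checked against the published certificate when it is reviewed or replaced.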
eb7fe6
+//
eb7fe6
+// The most important thing about the variable payload is that it is a list of
eb7fe6
+// lists, where the element size of any given *inner* list is constant.
eb7fe6
+//
eb7fe6
+// Since X509 certificates vary in size, each of our *inner* lists will contain
eb7fe6
+// one element only (one X.509 certificate). This is explicitly mentioned in
eb7fe6
+// the UEFI specification, in "28.4.1 Signature Database", in a Note.
eb7fe6
+//
eb7fe6
+// The list structure looks as follows:
eb7fe6
+//
eb7fe6
+// struct EFI_VARIABLE_AUTHENTICATION_2 {                           |
eb7fe6
+//   struct EFI_TIME {                                              |
eb7fe6
+//     UINT16 Year;                                                 |
eb7fe6
+//     UINT8  Month;                                                |
eb7fe6
+//     UINT8  Day;                                                  |
eb7fe6
+//     UINT8  Hour;                                                 |
eb7fe6
+//     UINT8  Minute;                                               |
eb7fe6
+//     UINT8  Second;                                               |
eb7fe6
+//     UINT8  Pad1;                                                 |
eb7fe6
+//     UINT32 Nanosecond;                                           |
eb7fe6
+//     INT16  TimeZone;                                             |
eb7fe6
+//     UINT8  Daylight;                                             |
eb7fe6
+//     UINT8  Pad2;                                                 |
eb7fe6
+//   } TimeStamp;                                                   |
eb7fe6
+//                                                                  |
eb7fe6
+//   struct WIN_CERTIFICATE_UEFI_GUID {                           | |
eb7fe6
+//     struct WIN_CERTIFICATE {                                   | |
eb7fe6
+//       UINT32 dwLength; ----------------------------------------+ |
eb7fe6
+//       UINT16 wRevision;                                        | |
eb7fe6
+//       UINT16 wCertificateType;                                 | |
eb7fe6
+//     } Hdr;                                                     | +- DataSize
eb7fe6
+//                                                                | |
eb7fe6
+//     EFI_GUID CertType;                                         | |
eb7fe6
+//     UINT8    CertData[1] = { <--- "struct hack"                | |
eb7fe6
+//       struct EFI_SIGNATURE_LIST {                            | | |
eb7fe6
+//         EFI_GUID SignatureType;                              | | |
eb7fe6
+//         UINT32   SignatureListSize; -------------------------+ | |
eb7fe6
+//         UINT32   SignatureHeaderSize;                        | | |
eb7fe6
+//         UINT32   SignatureSize; ---------------------------+ | | |
eb7fe6
+//         UINT8    SignatureHeader[SignatureHeaderSize];     | | | |
eb7fe6
+//                                                            v | | |
eb7fe6
+//         struct EFI_SIGNATURE_DATA {                        | | | |
eb7fe6
+//           EFI_GUID SignatureOwner;                         | | | |
eb7fe6
+//           UINT8    SignatureData[1] = { <--- "struct hack" | | | |
eb7fe6
+//             X.509 payload                                  | | | |
eb7fe6
+//           }                                                | | | |
eb7fe6
+//         } Signatures[];                                      | | |
eb7fe6
+//       } SigLists[];                                            | |
eb7fe6
+//     };                                                         | |
eb7fe6
+//   } AuthInfo;                                                  | |
eb7fe6
+// };                                                               |
eb7fe6
+//
eb7fe6
+// Given that the "struct hack" invokes undefined behavior (which is why C99
eb7fe6
+// introduced the flexible array member), and because subtracting those pesky
eb7fe6
+// sizes of 1 is annoying, and because the format is fully specified in the
eb7fe6
+// UEFI specification, we'll introduce two matching convenience structures that
eb7fe6
+// are customized for our X.509 purposes.
eb7fe6
+//
eb7fe6
+#pragma pack(1)
eb7fe6
+typedef struct {
eb7fe6
+  EFI_TIME TimeStamp;
eb7fe6
+
eb7fe6
+  //
eb7fe6
+  // dwLength covers data below
eb7fe6
+  //
eb7fe6
+  UINT32   dwLength;
eb7fe6
+  UINT16   wRevision;
eb7fe6
+  UINT16   wCertificateType;
eb7fe6
+  EFI_GUID CertType;
eb7fe6
+} SINGLE_HEADER;
eb7fe6
+
eb7fe6
+typedef struct {
eb7fe6
+  //
eb7fe6
+  // SignatureListSize covers data below
eb7fe6
+  //
eb7fe6
+  EFI_GUID SignatureType;
eb7fe6
+  UINT32   SignatureListSize;
eb7fe6
+  UINT32   SignatureHeaderSize; // constant 0
eb7fe6
+  UINT32   SignatureSize;
eb7fe6
+
eb7fe6
+  //
eb7fe6
+  // SignatureSize covers data below
eb7fe6
+  //
eb7fe6
+  EFI_GUID SignatureOwner;
eb7fe6
+
eb7fe6
+  //
eb7fe6
+  // X.509 certificate follows
eb7fe6
+  //
eb7fe6
+} REPEATING_HEADER;
eb7fe6
+#pragma pack()
eb7fe6
+
eb7fe6
+/**
eb7fe6
+  Enroll a set of DER-formatted X.509 certificates in a global variable,
eb7fe6
+  overwriting it.
eb7fe6
+
eb7fe6
+  The variable will be rewritten with NV+BS+RT+AT attributes.
eb7fe6
+
eb7fe6
+  @param[in] VariableName  The name of the variable to overwrite.
eb7fe6
+
eb7fe6
+  @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
eb7fe6
+                           overwrite.
eb7fe6
+
eb7fe6
+  @param[in] ...           A list of
eb7fe6
+
eb7fe6
+                             IN CONST UINT8    *Cert,
eb7fe6
+                             IN UINTN          CertSize,
eb7fe6
+                             IN CONST EFI_GUID *OwnerGuid
eb7fe6
+
eb7fe6
+                           triplets. If the first component of a triplet is
eb7fe6
+                           NULL, then the other two components are not
eb7fe6
+                           accessed, and processing is terminated. The list of
eb7fe6
+                           X.509 certificates is enrolled in the variable
eb7fe6
+                           specified, overwriting it. The OwnerGuid component
eb7fe6
+                           identifies the agent installing the certificate.
eb7fe6
+
eb7fe6
+  @retval EFI_INVALID_PARAMETER  The triplet list is empty (ie. the first Cert
eb7fe6
+                                 value is NULL), or one of the CertSize values
eb7fe6
+                                 is 0, or one of the CertSize values would
eb7fe6
+                                 overflow the accumulated UINT32 data size.
eb7fe6
+
eb7fe6
+  @retval EFI_OUT_OF_RESOURCES   Out of memory while formatting variable
eb7fe6
+                                 payload.
eb7fe6
+
eb7fe6
+  @retval EFI_SUCCESS            Enrollment successful; the variable has been
eb7fe6
+                                 overwritten (or created).
eb7fe6
+
eb7fe6
+  @return                        Error codes from gRT->GetTime() and
eb7fe6
+                                 gRT->SetVariable().
eb7fe6
+**/
eb7fe6
+STATIC
eb7fe6
+EFI_STATUS
eb7fe6
+EFIAPI
eb7fe6
+EnrollListOfX509Certs (
eb7fe6
+  IN CHAR16   *VariableName,
eb7fe6
+  IN EFI_GUID *VendorGuid,
eb7fe6
+  ...
eb7fe6
+  )
eb7fe6
+{
eb7fe6
+  UINTN            DataSize;
eb7fe6
+  SINGLE_HEADER    *SingleHeader;
eb7fe6
+  REPEATING_HEADER *RepeatingHeader;
eb7fe6
+  VA_LIST          Marker;
eb7fe6
+  CONST UINT8      *Cert;
eb7fe6
+  EFI_STATUS       Status;
eb7fe6
+  UINT8            *Data;
eb7fe6
+  UINT8            *Position;
eb7fe6
+
eb7fe6
+  Status = EFI_SUCCESS;
eb7fe6
+
eb7fe6
+  //
eb7fe6
+  // compute total size first, for UINT32 range check, and allocation
eb7fe6
+  //
eb7fe6
+  DataSize = sizeof *SingleHeader;
eb7fe6
+  VA_START (Marker, VendorGuid);
eb7fe6
+  for (Cert = VA_ARG (Marker, CONST UINT8 *);
eb7fe6
+       Cert != NULL;
eb7fe6
+       Cert = VA_ARG (Marker, CONST UINT8 *)) {
eb7fe6
+    UINTN          CertSize;
eb7fe6
+
eb7fe6
+    CertSize = VA_ARG (Marker, UINTN);
eb7fe6
+    (VOID)VA_ARG (Marker, CONST EFI_GUID *);
eb7fe6
+
eb7fe6
+    if (CertSize == 0 ||
eb7fe6
+        CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||
eb7fe6
+        DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {
eb7fe6
+      Status = EFI_INVALID_PARAMETER;
eb7fe6
+      break;
eb7fe6
+    }
eb7fe6
+    DataSize += sizeof *RepeatingHeader + CertSize;
eb7fe6
+  }
eb7fe6
+  VA_END (Marker);
eb7fe6
+
eb7fe6
+  if (DataSize == sizeof *SingleHeader) {
eb7fe6
+    Status = EFI_INVALID_PARAMETER;
eb7fe6
+  }
eb7fe6
+  if (EFI_ERROR (Status)) {
eb7fe6
+    goto Out;
eb7fe6
+  }
eb7fe6
+
eb7fe6
+  Data = AllocatePool (DataSize);
eb7fe6
+  if (Data == NULL) {
eb7fe6
+    Status = EFI_OUT_OF_RESOURCES;
eb7fe6
+    goto Out;
eb7fe6
+  }
eb7fe6
+
eb7fe6
+  Position = Data;
eb7fe6
+
eb7fe6
+  SingleHeader = (SINGLE_HEADER *)Position;
eb7fe6
+  Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);
eb7fe6
+  if (EFI_ERROR (Status)) {
eb7fe6
+    goto FreeData;
eb7fe6
+  }
eb7fe6
+  SingleHeader->TimeStamp.Pad1       = 0;
eb7fe6
+  SingleHeader->TimeStamp.Nanosecond = 0;
eb7fe6
+  SingleHeader->TimeStamp.TimeZone   = 0;
eb7fe6
+  SingleHeader->TimeStamp.Daylight   = 0;
eb7fe6
+  SingleHeader->TimeStamp.Pad2       = 0;
eb7fe6
+#if 0
eb7fe6
+  SingleHeader->dwLength         = DataSize - sizeof SingleHeader->TimeStamp;
eb7fe6
+#else
eb7fe6
+  //
eb7fe6
+  // This looks like a bug in edk2. According to the UEFI specification,
eb7fe6
+  // dwLength is "The length of the entire certificate, including the length of
eb7fe6
+  // the header, in bytes". That shouldn't stop right after CertType -- it
eb7fe6
+  // should include everything below it.
eb7fe6
+  //
eb7fe6
+  SingleHeader->dwLength         = sizeof *SingleHeader
eb7fe6
+                                     - sizeof SingleHeader->TimeStamp;
eb7fe6
+#endif
eb7fe6
+  SingleHeader->wRevision        = 0x0200;
eb7fe6
+  SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;
eb7fe6
+  CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);
eb7fe6
+  Position += sizeof *SingleHeader;
eb7fe6
+
eb7fe6
+  VA_START (Marker, VendorGuid);
eb7fe6
+  for (Cert = VA_ARG (Marker, CONST UINT8 *);
eb7fe6
+       Cert != NULL;
eb7fe6
+       Cert = VA_ARG (Marker, CONST UINT8 *)) {
eb7fe6
+    UINTN            CertSize;
eb7fe6
+    CONST EFI_GUID   *OwnerGuid;
eb7fe6
+
eb7fe6
+    CertSize  = VA_ARG (Marker, UINTN);
eb7fe6
+    OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
eb7fe6
+
eb7fe6
+    RepeatingHeader = (REPEATING_HEADER *)Position;
eb7fe6
+    CopyGuid (&RepeatingHeader->SignatureType, &gEfiCertX509Guid);
eb7fe6
+    RepeatingHeader->SignatureListSize   =
eb7fe6
+      (UINT32)(sizeof *RepeatingHeader + CertSize);
eb7fe6
+    RepeatingHeader->SignatureHeaderSize = 0;
eb7fe6
+    RepeatingHeader->SignatureSize       =
eb7fe6
+      (UINT32)(sizeof RepeatingHeader->SignatureOwner + CertSize);
eb7fe6
+    CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);
eb7fe6
+    Position += sizeof *RepeatingHeader;
eb7fe6
+
eb7fe6
+    CopyMem (Position, Cert, CertSize);
eb7fe6
+    Position += CertSize;
eb7fe6
+  }
eb7fe6
+  VA_END (Marker);
eb7fe6
+
eb7fe6
+  ASSERT (Data + DataSize == Position);
eb7fe6
+
eb7fe6
+  Status = gRT->SetVariable (VariableName, VendorGuid,
eb7fe6
+                  (EFI_VARIABLE_NON_VOLATILE |
eb7fe6
+                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
eb7fe6
+                   EFI_VARIABLE_RUNTIME_ACCESS |
eb7fe6
+                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
eb7fe6
+                  DataSize, Data);
eb7fe6
+
eb7fe6
+FreeData:
eb7fe6
+  FreePool (Data);
eb7fe6
+
eb7fe6
+Out:
eb7fe6
+  if (EFI_ERROR (Status)) {
eb7fe6
+    AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
eb7fe6
+      VendorGuid, Status);
eb7fe6
+  }
eb7fe6
+  return Status;
eb7fe6
+}
eb7fe6
+
eb7fe6
+
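Review bot: In EnrollListOfX509Certs, the `#if 0` / `#else` pair around the dwLength assignment keeps a dead branch next to a comment that says "This looks like a bug in edk2" without saying where that bug is tracked. Drop the disabled assignment and have the comment name the consumer that expects the short length (or the upstream report), so a later reader can tell when `sizeof *SingleHeader - sizeof SingleHeader->TimeStamp` can be revisited. The function header should also state that dwLength covers only the header fields up to CertType, since the layout diagram above the structures shows it spanning the signature lists.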
eb7fe6
+STATIC
eb7fe6
+EFI_STATUS
eb7fe6
+EFIAPI
eb7fe6
+GetExact (
eb7fe6
+  IN CHAR16   *VariableName,
eb7fe6
+  IN EFI_GUID *VendorGuid,
eb7fe6
+  OUT VOID    *Data,
eb7fe6
+  IN UINTN    DataSize,
eb7fe6
+  IN BOOLEAN  AllowMissing
eb7fe6
+  )
eb7fe6
+{
eb7fe6
+  UINTN      Size;
eb7fe6
+  EFI_STATUS Status;
eb7fe6
+
eb7fe6
+  Size = DataSize;
eb7fe6
+  Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);
eb7fe6
+  if (EFI_ERROR (Status)) {
eb7fe6
+    if (Status == EFI_NOT_FOUND && AllowMissing) {
eb7fe6
+      ZeroMem (Data, DataSize);
eb7fe6
+      return EFI_SUCCESS;
eb7fe6
+    }
eb7fe6
+
eb7fe6
+    AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,
eb7fe6
+      VendorGuid, Status);
eb7fe6
+    return Status;
eb7fe6
+  }
eb7fe6
+
eb7fe6
+  if (Size != DataSize) {
eb7fe6
+    AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
eb7fe6
+      "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
eb7fe6
+    return EFI_PROTOCOL_ERROR;
eb7fe6
+  }
eb7fe6
+
eb7fe6
+  return EFI_SUCCESS;
eb7fe6
+}
eb7fe6
+
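Review bot: GetExact has no function header comment, unlike EnrollListOfX509Certs, and its AllowMissing behaviour needs one: on EFI_NOT_FOUND it zero-fills Data and returns EFI_SUCCESS, so a caller cannot tell an absent variable from one that is present with value 0. Document the parameters and return values, including EFI_PROTOCOL_ERROR for a size mismatch, and say that a missing variable is reported as zeros.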
eb7fe6
+typedef struct {
eb7fe6
+  UINT8 SetupMode;
eb7fe6
+  UINT8 SecureBoot;
eb7fe6
+  UINT8 SecureBootEnable;
eb7fe6
+  UINT8 CustomMode;
eb7fe6
+  UINT8 VendorKeys;
eb7fe6
+} SETTINGS;
eb7fe6
+
eb7fe6
+STATIC
eb7fe6
+EFI_STATUS
eb7fe6
+EFIAPI
eb7fe6
+GetSettings (
eb7fe6
+  OUT SETTINGS *Settings
eb7fe6
+  )
eb7fe6
+{
eb7fe6
+  EFI_STATUS Status;
eb7fe6
+
eb7fe6
+  Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
eb7fe6
+             &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
eb7fe6
+  if (EFI_ERROR (Status)) {
eb7fe6
+    return Status;
eb7fe6
+  }
eb7fe6
+
eb7fe6
+  Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,
eb7fe6
+             &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);
eb7fe6
+  if (EFI_ERROR (Status)) {
eb7fe6
+    return Status;
eb7fe6
+  }
eb7fe6
+
eb7fe6
+  Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,
eb7fe6
+             &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,
eb7fe6
+             sizeof Settings->SecureBootEnable, TRUE);
eb7fe6
+  if (EFI_ERROR (Status)) {
eb7fe6
+    return Status;
eb7fe6
+  }
eb7fe6
+
eb7fe6
+  Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
eb7fe6
+             &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);
eb7fe6
+  if (EFI_ERROR (Status)) {
eb7fe6
+    return Status;
eb7fe6
+  }
eb7fe6
+
eb7fe6
+  Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
eb7fe6
+             &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
eb7fe6
+  return Status;
eb7fe6
+}
eb7fe6
+
eb7fe6
+STATIC
eb7fe6
+VOID
eb7fe6
+EFIAPI
eb7fe6
+PrintSettings (
eb7fe6
+  IN CONST SETTINGS *Settings
eb7fe6
+  )
eb7fe6
+{
eb7fe6
+  AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
eb7fe6
+    "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
eb7fe6
+    Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
eb7fe6
+}
eb7fe6
+
eb7fe6
+
eb7fe6
+INTN
eb7fe6
+EFIAPI
eb7fe6
+ShellAppMain (
eb7fe6
+  IN UINTN  Argc,
eb7fe6
+  IN CHAR16 **Argv
eb7fe6
+  )
eb7fe6
+{
eb7fe6
+  EFI_STATUS Status;
eb7fe6
+  SETTINGS   Settings;
eb7fe6
+
eb7fe6
+  Status = GetSettings (&Settings);
eb7fe6
+  if (EFI_ERROR (Status)) {
eb7fe6
+    return 1;
eb7fe6
+  }
eb7fe6
+  PrintSettings (&Settings);
eb7fe6
+
eb7fe6
+  if (Settings.SetupMode != 1) {
eb7fe6
+    AsciiPrint ("error: already in User Mode\n");
eb7fe6
+    return 1;
eb7fe6
+  }
eb7fe6
+
eb7fe6
+  if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
eb7fe6
+    Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
eb7fe6
+    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
eb7fe6
+                    (EFI_VARIABLE_NON_VOLATILE |
eb7fe6
+                     EFI_VARIABLE_BOOTSERVICE_ACCESS),
eb7fe6
+                    sizeof Settings.CustomMode, &Settings.CustomMode);
eb7fe6
+    if (EFI_ERROR (Status)) {
eb7fe6
+      AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
eb7fe6
+        &gEfiCustomModeEnableGuid, Status);
eb7fe6
+      return 1;
eb7fe6
+    }
eb7fe6
+  }
eb7fe6
+
eb7fe6
+  Status = EnrollListOfX509Certs (
eb7fe6
+             EFI_IMAGE_SECURITY_DATABASE,
eb7fe6
+             &gEfiImageSecurityDatabaseGuid,
eb7fe6
+             MicrosoftPCA,    sizeof MicrosoftPCA,    &gEfiCallerIdGuid,
eb7fe6
+             MicrosoftUefiCA, sizeof MicrosoftUefiCA, &gEfiCallerIdGuid,
eb7fe6
+             NULL);
eb7fe6
+  if (EFI_ERROR (Status)) {
eb7fe6
+    return 1;
eb7fe6
+  }
eb7fe6
+
eb7fe6
+  Status = EnrollListOfX509Certs (
eb7fe6
+             EFI_KEY_EXCHANGE_KEY_NAME,
eb7fe6
+             &gEfiGlobalVariableGuid,
eb7fe6
+             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiCallerIdGuid,
eb7fe6
+             MicrosoftKEK, sizeof MicrosoftKEK, &gEfiCallerIdGuid,
eb7fe6
+             NULL);
eb7fe6
+  if (EFI_ERROR (Status)) {
eb7fe6
+    return 1;
eb7fe6
+  }
eb7fe6
+
eb7fe6
+  Status = EnrollListOfX509Certs (
eb7fe6
+             EFI_PLATFORM_KEY_NAME,
eb7fe6
+             &gEfiGlobalVariableGuid,
eb7fe6
+             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiGlobalVariableGuid,
eb7fe6
+             NULL);
eb7fe6
+  if (EFI_ERROR (Status)) {
eb7fe6
+    return 1;
eb7fe6
+  }
eb7fe6
+
eb7fe6
+  Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
eb7fe6
+  Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
eb7fe6
+                  EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
eb7fe6
+                  sizeof Settings.CustomMode, &Settings.CustomMode);
eb7fe6
+  if (EFI_ERROR (Status)) {
eb7fe6
+    AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
eb7fe6
+      &gEfiCustomModeEnableGuid, Status);
eb7fe6
+    return 1;
eb7fe6
+  }
eb7fe6
+
eb7fe6
+  Status = GetSettings (&Settings);
eb7fe6
+  if (EFI_ERROR (Status)) {
eb7fe6
+    return 1;
eb7fe6
+  }
eb7fe6
+  PrintSettings (&Settings);
eb7fe6
+
eb7fe6
+  if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
eb7fe6
+      Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
eb7fe6
+      Settings.VendorKeys != 0) {
eb7fe6
+    AsciiPrint ("error: unexpected\n");
eb7fe6
+    return 1;
eb7fe6
+  }
eb7fe6
+
eb7fe6
+  AsciiPrint ("info: success\n");
eb7fe6
+  return 0;
eb7fe6
+}
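Review bot: in ShellAppMain, every `return 1` between the first SetVariable on EFI_CUSTOM_MODE_NAME and the final one leaves CustomMode at CUSTOM_SECURE_BOOT_MODE, and that variable is written with EFI_VARIABLE_NON_VOLATILE. If the db enrollment succeeds and the KEK or PK enrollment then fails, the app exits with a partially populated key store and custom mode still switched on. Consider routing those failure paths through a common label that writes STANDARD_SECURE_BOOT_MODE back before returning. Separately, the PK call passes &gEfiGlobalVariableGuid as the third element of its certificate triple while the db and KEK calls pass &gEfiCallerIdGuid; a one-line comment on why the PK differs would save the next reader a trip to the spec.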
eb7fe6
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
eb7fe6
new file mode 100644
eb7fe6
index 0000000..30c127f
eb7fe6
--- /dev/null
eb7fe6
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
eb7fe6
@@ -0,0 +1,51 @@
eb7fe6
+## @file
eb7fe6
+#  Enroll default PK, KEK, DB.
eb7fe6
+#
eb7fe6
+#  Copyright (C) 2014, Red Hat, Inc.
eb7fe6
+#
eb7fe6
+#  This program and the accompanying materials are licensed and made available
eb7fe6
+#  under the terms and conditions of the BSD License which accompanies this
eb7fe6
+#  distribution. The full text of the license may be found at
eb7fe6
+#  http://opensource.org/licenses/bsd-license.
eb7fe6
+#
eb7fe6
+#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
eb7fe6
+#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
eb7fe6
+#  IMPLIED.
eb7fe6
+##
eb7fe6
+
eb7fe6
+[Defines]
eb7fe6
+  INF_VERSION                    = 0x00010006
eb7fe6
+  BASE_NAME                      = EnrollDefaultKeys
eb7fe6
+  FILE_GUID                      = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
eb7fe6
+  MODULE_TYPE                    = UEFI_APPLICATION
eb7fe6
+  VERSION_STRING                 = 0.1
eb7fe6
+  ENTRY_POINT                    = ShellCEntryLib
eb7fe6
+
eb7fe6
+#
eb7fe6
+#  VALID_ARCHITECTURES           = IA32 X64
eb7fe6
+#
eb7fe6
+
eb7fe6
+[Sources]
eb7fe6
+  EnrollDefaultKeys.c
eb7fe6
+
eb7fe6
+[Packages]
eb7fe6
+  MdePkg/MdePkg.dec
eb7fe6
+  MdeModulePkg/MdeModulePkg.dec
eb7fe6
+  SecurityPkg/SecurityPkg.dec
eb7fe6
+  ShellPkg/ShellPkg.dec
eb7fe6
+
eb7fe6
+[Guids]
eb7fe6
+  gEfiCertPkcs7Guid
eb7fe6
+  gEfiCertX509Guid
eb7fe6
+  gEfiCustomModeEnableGuid
eb7fe6
+  gEfiGlobalVariableGuid
eb7fe6
+  gEfiImageSecurityDatabaseGuid
eb7fe6
+  gEfiSecureBootEnableDisableGuid
eb7fe6
+
eb7fe6
+[LibraryClasses]
eb7fe6
+  BaseMemoryLib
eb7fe6
+  DebugLib
eb7fe6
+  MemoryAllocationLib
eb7fe6
+  ShellCEntryLib
eb7fe6
+  UefiLib
eb7fe6
+  UefiRuntimeServicesTableLib
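Review bot: the `## @file` header says only "Enroll default PK, KEK, DB." and does not record the precondition the code enforces. ShellAppMain refuses to run unless SetupMode is 1 and exits nonzero otherwise, so the header should state that the application is a UEFI shell app meant to be run once with the platform in Setup Mode, and that it reports its result as "info: success" or an "error:" line. That is the information a packager reading the .inf needs before wiring it into a provisioning flow.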
eb7fe6
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
eb7fe6
index 3124249..3f13279 100644
eb7fe6
--- a/OvmfPkg/OvmfPkgIa32.dsc
eb7fe6
+++ b/OvmfPkg/OvmfPkgIa32.dsc
eb7fe6
@@ -794,6 +794,10 @@
eb7fe6
 
eb7fe6
 !if $(SECURE_BOOT_ENABLE) == TRUE
eb7fe6
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
eb7fe6
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
eb7fe6
+    <LibraryClasses>
eb7fe6
+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
eb7fe6
+  }
eb7fe6
 !endif
eb7fe6
 
eb7fe6
   OvmfPkg/PlatformDxe/Platform.inf
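Review bot: the module-scoped `<LibraryClasses>` override for ShellCEntryLib has no comment explaining why the class is resolved here rather than in the platform's global [LibraryClasses] section. A short comment above the block would help, for example that this is the only shell application built by the platform. The same four lines are repeated verbatim in OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc, so any later change to the override has to be made in all three files.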
eb7fe6
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
eb7fe6
index 59166e2..cf31696 100644
eb7fe6
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
eb7fe6
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
eb7fe6
@@ -803,6 +803,10 @@
eb7fe6
 
eb7fe6
 !if $(SECURE_BOOT_ENABLE) == TRUE
eb7fe6
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
eb7fe6
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
eb7fe6
+    <LibraryClasses>
eb7fe6
+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
eb7fe6
+  }
eb7fe6
 !endif
eb7fe6
 
eb7fe6
   OvmfPkg/PlatformDxe/Platform.inf
eb7fe6
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
eb7fe6
index 1a83d89..cf20651 100644
eb7fe6
--- a/OvmfPkg/OvmfPkgX64.dsc
eb7fe6
+++ b/OvmfPkg/OvmfPkgX64.dsc
eb7fe6
@@ -801,6 +801,10 @@
eb7fe6
 
eb7fe6
 !if $(SECURE_BOOT_ENABLE) == TRUE
eb7fe6
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
eb7fe6
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
eb7fe6
+    <LibraryClasses>
eb7fe6
+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
eb7fe6
+  }
eb7fe6
 !endif
eb7fe6
 
eb7fe6
   OvmfPkg/PlatformDxe/Platform.inf
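Review bot: this adds EnrollDefaultKeys.inf to the components built under `!if $(SECURE_BOOT_ENABLE) == TRUE`, but the patch ends here without a matching .fdf change, so the resulting EnrollDefaultKeys.efi is built as a standalone binary and is not placed in the firmware image. If that is intended, say so in the commit message or in a comment next to the entry, and note how the binary is expected to reach the guest's UEFI shell, since the enrollment flow depends on it being runnable there while the platform is still in Setup Mode.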
eb7fe6
-- 
eb7fe6
1.8.3.1
eb7fe6