rpms / ovmf

Clone
Source Code
GIT

Blame SOURCES/0012-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch

c7-beta
  1.   bdb79cc0e8dbdfa577ed8372ad8cdbf727eb2b1b
  2.   SOURCES
  3.   0012-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
Blob History Raw
bdb79c 
From 98c91b36997e3afc4192449263182fbdcc771a1a Mon Sep 17 00:00:00 2001
bdb79c 
From: Laszlo Ersek <lersek@redhat.com>
bdb79c 
Date: Tue, 4 Nov 2014 23:02:55 +0100
bdb79c 
Subject: OvmfPkg: EnrollDefaultKeys: application for enrolling default keys
bdb79c 
 (RH only)
bdb79c
bdb79c 
Message-id: <1415138578-27173-16-git-send-email-lersek@redhat.com>
bdb79c 
Patchwork-id: 62121
bdb79c 
O-Subject:  [RHEL-7.1 ovmf PATCH v2 15/18] OvmfPkg: EnrollDefaultKeys:
bdb79c 
	application for enrolling default keys (RH only)
bdb79c 
Bugzilla: 1148296
bdb79c 
1160400
bdb79c 
Acked-by: Andrew Jones <drjones@redhat.com>
bdb79c 
Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
bdb79c 
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
bdb79c
bdb79c 
This application is meant to be invoked by the management layer, after
bdb79c 
booting the UEFI shell and getting a shell prompt on the serial console.
bdb79c 
The app enrolls a number of certificates (see below), and then reports
bdb79c 
status to the serial console as well. The expected output is "info:
bdb79c 
success":
bdb79c
bdb79c 
> Shell> EnrollDefaultKeys.efi
bdb79c 
> info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
bdb79c 
> info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
bdb79c 
> info: success
bdb79c 
> Shell>
bdb79c
bdb79c 
In case of success, the management layer can force off or reboot the VM
bdb79c 
(for example with the "reset -s" or "reset -c" UEFI shell commands,
bdb79c 
respectively), and start the guest installation with SecureBoot enabled.
bdb79c
bdb79c 
PK:
bdb79c 
- A unique, static, ad-hoc certificate whose private half has been
bdb79c 
  destroyed (more precisely, never saved) and is therefore unusable for
bdb79c 
  signing. (The command for creating this certificate is saved in the
bdb79c 
  source code.) Background:
bdb79c
bdb79c 
On 09/30/14 20:00, Peter Jones wrote:
bdb79c 
> We should generate a special key that's not in our normal signing chains
bdb79c 
> for PK and KEK.  The reason for this is that [in practice] PK gets
bdb79c 
> treated as part of DB (*).
bdb79c 
>
bdb79c 
> [Shipping a key in our normal signing chains] as PK means you can run
bdb79c 
> grub directly, in which case it won't have access to the shim protocol.
bdb79c 
> When grub is run without the shim protocol registered, it assumes SB is
bdb79c 
> disabled and boots without verifying the kernel.  We don't want that to
bdb79c 
> be a thing you can do, but allowing that is the inevitable result of
bdb79c 
> shipping with any of our normal signing chain in PK or KEK.
bdb79c 
>
bdb79c 
> (* USRT has actually agreed that since you can escalate to this behavior
bdb79c 
> if you have the secret half of a key in KEK or PK anyway, and many
bdb79c 
> vendors had already shipped it this way, that it is fine and I think
bdb79c 
> even *expected* at this point, even though it wasn't formally in the
bdb79c 
> UEFI 2.3.1 Spec that introduced Secure Boot.  I'll try and make sure the
bdb79c 
> language reflects that in an upcoming spec revision.)
bdb79c 
>
bdb79c 
> So let me get SRT to issue a special key to use for PK and KEK.  We can
bdb79c 
> use it just for those operations, and make sure it's protected with the
bdb79c 
> same processes and controls as our other signing keys.
bdb79c
bdb79c 
  Until SRT generates such a key for us, this ad-hoc key should be a good
bdb79c 
  placeholder.
bdb79c
bdb79c 
KEK:
bdb79c 
- same ad-hoc certificate as used for the PK,
bdb79c 
- "Microsoft Corporation KEK CA 2011" -- the dbx data in Fedora's dbxtool
bdb79c 
  package is signed (indirectly, through a chain) with this; enrolling
bdb79c 
  such a KEK should allow guests to install those updates.
bdb79c
bdb79c 
DB:
bdb79c 
- "Microsoft Windows Production PCA 2011" -- to load Windows 8 and Windows
bdb79c 
  Server 2012 R2,
bdb79c 
- "Microsoft Corporation UEFI CA 2011" -- to load Linux and signed PCI
bdb79c 
  oproms.
bdb79c
bdb79c 
*UPDATE*
bdb79c
bdb79c 
OvmfPkg: EnrollDefaultKeys: pick up official Red Hat PK/KEK (RHEL only)
bdb79c
bdb79c 
Replace the placeholder ExampleCert with a certificate generated and
bdb79c 
managed by the Red Hat Security Response Team.
bdb79c
bdb79c 
> Certificate:
bdb79c 
>     Data:
bdb79c 
>         Version: 3 (0x2)
bdb79c 
>         Serial Number: 18371740789028339953 (0xfef588e8f396c0f1)
bdb79c 
>     Signature Algorithm: sha256WithRSAEncryption
bdb79c 
>         Issuer: CN=Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com
bdb79c 
>         Validity
bdb79c 
>             Not Before: Oct 31 11:15:37 2014 GMT
bdb79c 
>             Not After : Oct 25 11:15:37 2037 GMT
bdb79c 
>         Subject: CN=Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com
bdb79c 
>         Subject Public Key Info:
bdb79c 
>             Public Key Algorithm: rsaEncryption
bdb79c 
>                 Public-Key: (2048 bit)
bdb79c 
>                 Modulus:
bdb79c 
>                     00:90:1f:84:7b:8d:bc:eb:97:26:82:6d:88:ab:8a:
bdb79c 
>                     c9:8c:68:70:f9:df:4b:07:b2:37:83:0b:02:c8:67:
bdb79c 
>                     68:30:9e:e3:f0:f0:99:4a:b8:59:57:c6:41:f6:38:
bdb79c 
>                     8b:fe:66:4c:49:e9:37:37:92:2e:98:01:1e:5b:14:
bdb79c 
>                     50:e6:a8:8d:25:0d:f5:86:e6:ab:30:cb:40:16:ea:
bdb79c 
>                     8d:8b:16:86:70:43:37:f2:ce:c0:91:df:71:14:8e:
bdb79c 
>                     99:0e:89:b6:4c:6d:24:1e:8c:e4:2f:4f:25:d0:ba:
bdb79c 
>                     06:f8:c6:e8:19:18:76:73:1d:81:6d:a8:d8:05:cf:
bdb79c 
>                     3a:c8:7b:28:c8:36:a3:16:0d:29:8c:99:9a:68:dc:
bdb79c 
>                     ab:c0:4d:8d:bf:5a:bb:2b:a9:39:4b:04:97:1c:f9:
bdb79c 
>                     36:bb:c5:3a:86:04:ae:af:d4:82:7b:e0:ab:de:49:
bdb79c 
>                     05:68:fc:f6:ae:68:1a:6c:90:4d:57:19:3c:64:66:
bdb79c 
>                     03:f6:c7:52:9b:f7:94:cf:93:6a:a1:68:c9:aa:cf:
bdb79c 
>                     99:6b:bc:aa:5e:08:e7:39:1c:f7:f8:0f:ba:06:7e:
bdb79c 
>                     f1:cb:e8:76:dd:fe:22:da:ad:3a:5e:5b:34:ea:b3:
bdb79c 
>                     c9:e0:4d:04:29:7e:b8:60:b9:05:ef:b5:d9:17:58:
bdb79c 
>                     56:16:60:b9:30:32:f0:36:4a:c3:f2:79:8d:12:40:
bdb79c 
>                     70:f3
bdb79c 
>                 Exponent: 65537 (0x10001)
bdb79c 
>         X509v3 extensions:
bdb79c 
>             X509v3 Basic Constraints:
bdb79c 
>                 CA:FALSE
bdb79c 
>             Netscape Comment:
bdb79c 
>                 OpenSSL Generated Certificate
bdb79c 
>             X509v3 Subject Key Identifier:
bdb79c 
>                 3C:E9:60:E3:FF:19:A1:0A:7B:A3:42:F4:8D:42:2E:B4:D5:9C:72:EC
bdb79c 
>             X509v3 Authority Key Identifier:
bdb79c 
>                 keyid:3C:E9:60:E3:FF:19:A1:0A:7B:A3:42:F4:8D:42:2E:B4:D5:9C:72:EC
bdb79c 
>
bdb79c 
>     Signature Algorithm: sha256WithRSAEncryption
bdb79c 
>          5c:4d:92:88:b4:82:5f:1d:ad:8b:11:ec:df:06:a6:7a:a5:2b:
bdb79c 
>          9f:37:55:0c:8d:6e:05:00:ad:b7:0c:41:89:69:cf:d6:65:06:
bdb79c 
>          9b:51:78:d2:ad:c7:bf:9c:dc:05:73:7f:e7:1e:39:13:b4:ea:
bdb79c 
>          b6:30:7d:40:75:ab:9c:43:0b:df:b0:c2:1b:bf:30:e0:f4:fe:
bdb79c 
>          c0:db:62:21:98:f6:c5:af:de:3b:4f:49:0a:e6:1e:f9:86:b0:
bdb79c 
>          3f:0d:d6:d4:46:37:db:54:74:5e:ff:11:c2:60:c6:70:58:c5:
bdb79c 
>          1c:6f:ec:b2:d8:6e:6f:c3:bc:33:87:38:a4:f3:44:64:9c:34:
bdb79c 
>          3b:28:94:26:78:27:9f:16:17:e8:3b:69:0a:25:a9:73:36:7e:
bdb79c 
>          9e:37:5c:ec:e8:3f:db:91:f9:12:b3:3d:ce:e7:dd:15:c3:ae:
bdb79c 
>          8c:05:20:61:9b:95:de:9b:af:fa:b1:5c:1c:e5:97:e7:c3:34:
bdb79c 
>          11:85:f5:8a:27:26:a4:70:36:ec:0c:f6:83:3d:90:f7:36:f3:
bdb79c 
>          f9:f3:15:d4:90:62:be:53:b4:af:d3:49:af:ef:f4:73:e8:7b:
bdb79c 
>          76:e4:44:2a:37:ba:81:a4:99:0c:3a:31:24:71:a0:e4:e4:b7:
bdb79c 
>          1a:cb:47:e4:aa:22:cf:ef:75:61:80:e3:43:b7:48:57:73:11:
bdb79c 
>          3d:78:9b:69
bdb79c 
> -----BEGIN CERTIFICATE-----
bdb79c 
> MIIDoDCCAoigAwIBAgIJAP71iOjzlsDxMA0GCSqGSIb3DQEBCwUAMFExKzApBgNV
bdb79c 
> BAMTIlJlZCBIYXQgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkgMSkxIjAgBgkqhkiG
bdb79c 
> 9w0BCQEWE3NlY2FsZXJ0QHJlZGhhdC5jb20wHhcNMTQxMDMxMTExNTM3WhcNMzcx
bdb79c 
> MDI1MTExNTM3WjBRMSswKQYDVQQDEyJSZWQgSGF0IFNlY3VyZSBCb290IChQSy9L
bdb79c 
> RUsga2V5IDEpMSIwIAYJKoZIhvcNAQkBFhNzZWNhbGVydEByZWRoYXQuY29tMIIB
bdb79c 
> IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkB+Ee42865cmgm2Iq4rJjGhw
bdb79c 
> +d9LB7I3gwsCyGdoMJ7j8PCZSrhZV8ZB9jiL/mZMSek3N5IumAEeWxRQ5qiNJQ31
bdb79c 
> huarMMtAFuqNixaGcEM38s7Akd9xFI6ZDom2TG0kHozkL08l0LoG+MboGRh2cx2B
bdb79c 
> bajYBc86yHsoyDajFg0pjJmaaNyrwE2Nv1q7K6k5SwSXHPk2u8U6hgSur9SCe+Cr
bdb79c 
> 3kkFaPz2rmgabJBNVxk8ZGYD9sdSm/eUz5NqoWjJqs+Za7yqXgjnORz3+A+6Bn7x
bdb79c 
> y+h23f4i2q06Xls06rPJ4E0EKX64YLkF77XZF1hWFmC5MDLwNkrD8nmNEkBw8wID
bdb79c 
> AQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy
bdb79c 
> YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUPOlg4/8ZoQp7o0L0jUIutNWccuww
bdb79c 
> HwYDVR0jBBgwFoAUPOlg4/8ZoQp7o0L0jUIutNWccuwwDQYJKoZIhvcNAQELBQAD
bdb79c 
> ggEBAFxNkoi0gl8drYsR7N8GpnqlK583VQyNbgUArbcMQYlpz9ZlBptReNKtx7+c
bdb79c 
> 3AVzf+ceORO06rYwfUB1q5xDC9+wwhu/MOD0/sDbYiGY9sWv3jtPSQrmHvmGsD8N
bdb79c 
> 1tRGN9tUdF7/EcJgxnBYxRxv7LLYbm/DvDOHOKTzRGScNDsolCZ4J58WF+g7aQol
bdb79c 
> qXM2fp43XOzoP9uR+RKzPc7n3RXDrowFIGGbld6br/qxXBzll+fDNBGF9YonJqRw
bdb79c 
> NuwM9oM9kPc28/nzFdSQYr5TtK/TSa/v9HPoe3bkRCo3uoGkmQw6MSRxoOTktxrL
bdb79c 
> R+SqIs/vdWGA40O3SFdzET14m2k=
bdb79c 
> -----END CERTIFICATE-----
bdb79c
bdb79c 
Notes about the 9ece15a -> c9e5618 rebase:
bdb79c 
- resolved conflicts in:
bdb79c 
    OvmfPkg/OvmfPkgIa32.dsc
bdb79c 
    OvmfPkg/OvmfPkgIa32X64.dsc
bdb79c 
    OvmfPkg/OvmfPkgX64.dsc
bdb79c 
  due to OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf having
bdb79c 
  disappeared in upstream (commit 57446bb9).
bdb79c
bdb79c 
Notes about the c9e5618 -> b9ffeab rebase:
bdb79c 
- Guid/VariableFormat.h now lives under MdeModulePkg.
bdb79c
bdb79c 
Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
bdb79c
bdb79c 
- This patch now squashes the following commits:
bdb79c 
  - 014f459c197b OvmfPkg: EnrollDefaultKeys: application for enrolling
bdb79c 
                 default keys (RH only)
bdb79c 
  - 18422a18d0e9 OvmfPkg/EnrollDefaultKeys: assign Status before reading
bdb79c 
                 it (RH only)
bdb79c 
  - ddb90568e874 OvmfPkg/EnrollDefaultKeys: silence VS2015x86 warning (RH
bdb79c 
                 only)
bdb79c
bdb79c 
Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
bdb79c
bdb79c 
- This patch now squashes the following commits:
bdb79c 
  - c0b2615a9c0b OvmfPkg: EnrollDefaultKeys: application for enrolling
bdb79c 
                 default keys (RH only)
bdb79c 
  - 22f4d33d0168 OvmfPkg/EnrollDefaultKeys: update SignatureOwner GUID for
bdb79c 
                 Windows HCK (RH)
bdb79c 
  - ff7f2c1d870d OvmfPkg/EnrollDefaultKeys: expose CertType parameter of
bdb79c 
                 EnrollListOfCerts (RH)
bdb79c 
  - aee7b5ba60b4 OvmfPkg/EnrollDefaultKeys: blacklist empty file in dbx
bdb79c 
                 for Windows HCK (RH)
bdb79c
bdb79c 
- Consequently, OvmfPkg/EnrollDefaultKeys/ is identical to the same
bdb79c 
  directory at the "RHEL-7.4" tag (49d06d386736).
bdb79c
bdb79c 
Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
bdb79c
bdb79c 
- no changes
bdb79c
bdb79c 
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
bdb79c 
(cherry picked from commit c0b2615a9c0b4a4be1bffe45681a32915449279d)
bdb79c 
(cherry picked from commit 92424de98ffaf1fa81e6346949b1d2b5f9a637ca)
bdb79c 
---
bdb79c 
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 1015 +++++++++++++++++++++++
bdb79c 
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |   52 ++
bdb79c 
 OvmfPkg/OvmfPkgIa32.dsc                         |    4 +
bdb79c 
 OvmfPkg/OvmfPkgIa32X64.dsc                      |    4 +
bdb79c 
 OvmfPkg/OvmfPkgX64.dsc                          |    4 +
bdb79c 
 5 files changed, 1079 insertions(+)
bdb79c 
 create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
bdb79c 
 create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
bdb79c
bdb79c 
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
bdb79c 
new file mode 100644
bdb79c 
index 0000000..dd413df
bdb79c 
--- /dev/null
bdb79c 
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
bdb79c 
@@ -0,0 +1,1015 @@
bdb79c 
+/** @file
bdb79c 
+  Enroll default PK, KEK, DB.
bdb79c 
+
bdb79c 
+  Copyright (C) 2014, Red Hat, Inc.
bdb79c 
+
bdb79c 
+  This program and the accompanying materials are licensed and made available
bdb79c 
+  under the terms and conditions of the BSD License which accompanies this
bdb79c 
+  distribution. The full text of the license may be found at
bdb79c 
+  http://opensource.org/licenses/bsd-license.
bdb79c 
+
bdb79c 
+  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
bdb79c 
+  WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
bdb79c 
+**/
bdb79c 
+#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
bdb79c 
+#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
bdb79c 
+#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
bdb79c 
+#include <Library/BaseMemoryLib.h>               // CopyGuid()
bdb79c 
+#include <Library/DebugLib.h>                    // ASSERT()
bdb79c 
+#include <Library/MemoryAllocationLib.h>         // FreePool()
bdb79c 
+#include <Library/ShellCEntryLib.h>              // ShellAppMain()
bdb79c 
+#include <Library/UefiLib.h>                     // AsciiPrint()
bdb79c 
+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
bdb79c 
+
bdb79c 
+//
bdb79c 
+// We'll use the certificate below as both Platform Key and as first Key
bdb79c 
+// Exchange Key.
bdb79c 
+//
bdb79c 
+// "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
bdb79c 
+// SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
bdb79c 
+//
bdb79c 
+STATIC CONST UINT8 RedHatPkKek1[] = {
bdb79c 
+  0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, 0x02,
bdb79c 
+  0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, 0x0d,
bdb79c 
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
bdb79c 
+  0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22,
bdb79c 
+  0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
bdb79c 
+  0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45,
bdb79c 
+  0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06,
bdb79c 
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73,
bdb79c 
+  0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61,
bdb79c 
+  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
bdb79c 
+  0x33, 0x31, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, 0x37,
bdb79c 
+  0x31, 0x30, 0x32, 0x35, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x30, 0x51,
bdb79c 
+  0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x52, 0x65,
bdb79c 
+  0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20,
bdb79c 
+  0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45, 0x4b, 0x20,
bdb79c 
+  0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a,
bdb79c 
+  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,
bdb79c 
+  0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, 0x2e,
bdb79c 
+  0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
bdb79c 
+  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
bdb79c 
+  0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x90, 0x1f, 0x84,
bdb79c 
+  0x7b, 0x8d, 0xbc, 0xeb, 0x97, 0x26, 0x82, 0x6d, 0x88, 0xab, 0x8a, 0xc9, 0x8c,
bdb79c 
+  0x68, 0x70, 0xf9, 0xdf, 0x4b, 0x07, 0xb2, 0x37, 0x83, 0x0b, 0x02, 0xc8, 0x67,
bdb79c 
+  0x68, 0x30, 0x9e, 0xe3, 0xf0, 0xf0, 0x99, 0x4a, 0xb8, 0x59, 0x57, 0xc6, 0x41,
bdb79c 
+  0xf6, 0x38, 0x8b, 0xfe, 0x66, 0x4c, 0x49, 0xe9, 0x37, 0x37, 0x92, 0x2e, 0x98,
bdb79c 
+  0x01, 0x1e, 0x5b, 0x14, 0x50, 0xe6, 0xa8, 0x8d, 0x25, 0x0d, 0xf5, 0x86, 0xe6,
bdb79c 
+  0xab, 0x30, 0xcb, 0x40, 0x16, 0xea, 0x8d, 0x8b, 0x16, 0x86, 0x70, 0x43, 0x37,
bdb79c 
+  0xf2, 0xce, 0xc0, 0x91, 0xdf, 0x71, 0x14, 0x8e, 0x99, 0x0e, 0x89, 0xb6, 0x4c,
bdb79c 
+  0x6d, 0x24, 0x1e, 0x8c, 0xe4, 0x2f, 0x4f, 0x25, 0xd0, 0xba, 0x06, 0xf8, 0xc6,
bdb79c 
+  0xe8, 0x19, 0x18, 0x76, 0x73, 0x1d, 0x81, 0x6d, 0xa8, 0xd8, 0x05, 0xcf, 0x3a,
bdb79c 
+  0xc8, 0x7b, 0x28, 0xc8, 0x36, 0xa3, 0x16, 0x0d, 0x29, 0x8c, 0x99, 0x9a, 0x68,
bdb79c 
+  0xdc, 0xab, 0xc0, 0x4d, 0x8d, 0xbf, 0x5a, 0xbb, 0x2b, 0xa9, 0x39, 0x4b, 0x04,
bdb79c 
+  0x97, 0x1c, 0xf9, 0x36, 0xbb, 0xc5, 0x3a, 0x86, 0x04, 0xae, 0xaf, 0xd4, 0x82,
bdb79c 
+  0x7b, 0xe0, 0xab, 0xde, 0x49, 0x05, 0x68, 0xfc, 0xf6, 0xae, 0x68, 0x1a, 0x6c,
bdb79c 
+  0x90, 0x4d, 0x57, 0x19, 0x3c, 0x64, 0x66, 0x03, 0xf6, 0xc7, 0x52, 0x9b, 0xf7,
bdb79c 
+  0x94, 0xcf, 0x93, 0x6a, 0xa1, 0x68, 0xc9, 0xaa, 0xcf, 0x99, 0x6b, 0xbc, 0xaa,
bdb79c 
+  0x5e, 0x08, 0xe7, 0x39, 0x1c, 0xf7, 0xf8, 0x0f, 0xba, 0x06, 0x7e, 0xf1, 0xcb,
bdb79c 
+  0xe8, 0x76, 0xdd, 0xfe, 0x22, 0xda, 0xad, 0x3a, 0x5e, 0x5b, 0x34, 0xea, 0xb3,
bdb79c 
+  0xc9, 0xe0, 0x4d, 0x04, 0x29, 0x7e, 0xb8, 0x60, 0xb9, 0x05, 0xef, 0xb5, 0xd9,
bdb79c 
+  0x17, 0x58, 0x56, 0x16, 0x60, 0xb9, 0x30, 0x32, 0xf0, 0x36, 0x4a, 0xc3, 0xf2,
bdb79c 
+  0x79, 0x8d, 0x12, 0x40, 0x70, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x7b,
bdb79c 
+  0x30, 0x79, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00,
bdb79c 
+  0x30, 0x2c, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x0d,
bdb79c 
+  0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, 0x47,
bdb79c 
+  0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72, 0x74,
bdb79c 
+  0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
bdb79c 
+  0x0e, 0x04, 0x16, 0x04, 0x14, 0x3c, 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a,
bdb79c 
+  0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42, 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30,
bdb79c 
+  0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x3c,
bdb79c 
+  0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a, 0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42,
bdb79c 
+  0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
bdb79c 
+  0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
bdb79c 
+  0x5c, 0x4d, 0x92, 0x88, 0xb4, 0x82, 0x5f, 0x1d, 0xad, 0x8b, 0x11, 0xec, 0xdf,
bdb79c 
+  0x06, 0xa6, 0x7a, 0xa5, 0x2b, 0x9f, 0x37, 0x55, 0x0c, 0x8d, 0x6e, 0x05, 0x00,
bdb79c 
+  0xad, 0xb7, 0x0c, 0x41, 0x89, 0x69, 0xcf, 0xd6, 0x65, 0x06, 0x9b, 0x51, 0x78,
bdb79c 
+  0xd2, 0xad, 0xc7, 0xbf, 0x9c, 0xdc, 0x05, 0x73, 0x7f, 0xe7, 0x1e, 0x39, 0x13,
bdb79c 
+  0xb4, 0xea, 0xb6, 0x30, 0x7d, 0x40, 0x75, 0xab, 0x9c, 0x43, 0x0b, 0xdf, 0xb0,
bdb79c 
+  0xc2, 0x1b, 0xbf, 0x30, 0xe0, 0xf4, 0xfe, 0xc0, 0xdb, 0x62, 0x21, 0x98, 0xf6,
bdb79c 
+  0xc5, 0xaf, 0xde, 0x3b, 0x4f, 0x49, 0x0a, 0xe6, 0x1e, 0xf9, 0x86, 0xb0, 0x3f,
bdb79c 
+  0x0d, 0xd6, 0xd4, 0x46, 0x37, 0xdb, 0x54, 0x74, 0x5e, 0xff, 0x11, 0xc2, 0x60,
bdb79c 
+  0xc6, 0x70, 0x58, 0xc5, 0x1c, 0x6f, 0xec, 0xb2, 0xd8, 0x6e, 0x6f, 0xc3, 0xbc,
bdb79c 
+  0x33, 0x87, 0x38, 0xa4, 0xf3, 0x44, 0x64, 0x9c, 0x34, 0x3b, 0x28, 0x94, 0x26,
bdb79c 
+  0x78, 0x27, 0x9f, 0x16, 0x17, 0xe8, 0x3b, 0x69, 0x0a, 0x25, 0xa9, 0x73, 0x36,
bdb79c 
+  0x7e, 0x9e, 0x37, 0x5c, 0xec, 0xe8, 0x3f, 0xdb, 0x91, 0xf9, 0x12, 0xb3, 0x3d,
bdb79c 
+  0xce, 0xe7, 0xdd, 0x15, 0xc3, 0xae, 0x8c, 0x05, 0x20, 0x61, 0x9b, 0x95, 0xde,
bdb79c 
+  0x9b, 0xaf, 0xfa, 0xb1, 0x5c, 0x1c, 0xe5, 0x97, 0xe7, 0xc3, 0x34, 0x11, 0x85,
bdb79c 
+  0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, 0x90,
bdb79c 
+  0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, 0xaf,
bdb79c 
+  0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, 0x37,
bdb79c 
+  0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, 0xb7,
bdb79c 
+  0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, 0x43,
bdb79c 
+  0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69
bdb79c 
+};
bdb79c 
+
bdb79c 
+//
bdb79c 
+// Second KEK: "Microsoft Corporation KEK CA 2011".
bdb79c 
+// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
bdb79c 
+//
bdb79c 
+// "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
bdb79c 
+//
bdb79c 
+STATIC CONST UINT8 MicrosoftKEK[] = {
bdb79c 
+  0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
bdb79c 
+  0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
bdb79c 
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
bdb79c 
+  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
bdb79c 
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
bdb79c 
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
bdb79c 
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
bdb79c 
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
bdb79c 
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
bdb79c 
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
bdb79c 
+  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
bdb79c 
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
bdb79c 
+  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
bdb79c 
+  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
bdb79c 
+  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
bdb79c 
+  0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32,
bdb79c 
+  0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, 0x30,
bdb79c 
+  0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
bdb79c 
+  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
bdb79c 
+  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
bdb79c 
+  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
bdb79c 
+  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
bdb79c 
+  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
bdb79c 
+  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06,
bdb79c 
+  0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
bdb79c 
+  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
bdb79c 
+  0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31,
bdb79c 
+  0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
bdb79c 
+  0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
bdb79c 
+  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, 0xad,
bdb79c 
+  0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, 0x5d,
bdb79c 
+  0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, 0xeb,
bdb79c 
+  0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, 0xe3,
bdb79c 
+  0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, 0x9b,
bdb79c 
+  0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, 0xac,
bdb79c 
+  0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, 0xc8,
bdb79c 
+  0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, 0xc0,
bdb79c 
+  0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, 0xe2,
bdb79c 
+  0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, 0x89,
bdb79c 
+  0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, 0xc2,
bdb79c 
+  0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, 0x03,
bdb79c 
+  0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, 0x7e,
bdb79c 
+  0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, 0xeb,
bdb79c 
+  0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, 0x2f,
bdb79c 
+  0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, 0xaa,
bdb79c 
+  0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, 0x9f,
bdb79c 
+  0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, 0xc6,
bdb79c 
+  0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, 0xaf,
bdb79c 
+  0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, 0x07,
bdb79c 
+  0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, 0x30,
bdb79c 
+  0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
bdb79c 
+  0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,
bdb79c 
+  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, 0xa4,
bdb79c 
+  0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, 0x5f,
bdb79c 
+  0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02,
bdb79c 
+  0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
bdb79c 
+  0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01,
bdb79c 
+  0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
bdb79c 
+  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
bdb79c 
+  0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, 0x11,
bdb79c 
+  0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, 0x30,
bdb79c 
+  0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, 0xa0,
bdb79c 
+  0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
bdb79c 
+  0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e,
bdb79c 
+  0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70,
bdb79c 
+  0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f,
bdb79c 
+  0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f,
bdb79c 
+  0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63,
bdb79c 
+  0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01,
bdb79c 
+  0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
bdb79c 
+  0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
bdb79c 
+  0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
bdb79c 
+  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, 0x74,
bdb79c 
+  0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61,
bdb79c 
+  0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d,
bdb79c 
+  0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09,
bdb79c 
+  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
bdb79c 
+  0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, 0x2a,
bdb79c 
+  0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, 0x66,
bdb79c 
+  0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, 0x5a,
bdb79c 
+  0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, 0x64,
bdb79c 
+  0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, 0x58,
bdb79c 
+  0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, 0xd0,
bdb79c 
+  0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, 0xf5,
bdb79c 
+  0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, 0xec,
bdb79c 
+  0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, 0xd7,
bdb79c 
+  0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, 0x28,
bdb79c 
+  0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, 0x79,
bdb79c 
+  0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, 0x7b,
bdb79c 
+  0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, 0xd8,
bdb79c 
+  0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, 0x19,
bdb79c 
+  0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, 0x58,
bdb79c 
+  0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, 0x0d,
bdb79c 
+  0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, 0x2d,
bdb79c 
+  0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, 0xc8,
bdb79c 
+  0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, 0x60,
bdb79c 
+  0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, 0xac,
bdb79c 
+  0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, 0x87,
bdb79c 
+  0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, 0xcd,
bdb79c 
+  0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, 0x81,
bdb79c 
+  0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, 0x92,
bdb79c 
+  0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, 0xe0,
bdb79c 
+  0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, 0xaf,
bdb79c 
+  0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, 0xfb,
bdb79c 
+  0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, 0x68,
bdb79c 
+  0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, 0xad,
bdb79c 
+  0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, 0x82,
bdb79c 
+  0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, 0x14,
bdb79c 
+  0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, 0x4f,
bdb79c 
+  0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, 0x9b,
bdb79c 
+  0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, 0xb0,
bdb79c 
+  0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
bdb79c 
+  0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
bdb79c 
+  0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
bdb79c 
+  0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
bdb79c 
+  0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
bdb79c 
+  0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
bdb79c 
+};
bdb79c 
+
bdb79c 
+//
bdb79c 
+// First DB entry: "Microsoft Windows Production PCA 2011"
bdb79c 
+// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
bdb79c 
+//
bdb79c 
+// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
bdb79c 
+// rooted in this certificate.
bdb79c 
+//
bdb79c 
+STATIC CONST UINT8 MicrosoftPCA[] = {
bdb79c 
+  0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
bdb79c 
+  0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
bdb79c 
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
bdb79c 
+  0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
bdb79c 
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
bdb79c 
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
bdb79c 
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
bdb79c 
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
bdb79c 
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
bdb79c 
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30,
bdb79c 
+  0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f,
bdb79c 
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72,
bdb79c 
+  0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
bdb79c 
+  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17,
bdb79c 
+  0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, 0x32,
bdb79c 
+  0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, 0x31,
bdb79c 
+  0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
bdb79c 
+  0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
bdb79c 
+  0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f,
bdb79c 
+  0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52,
bdb79c 
+  0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55,
bdb79c 
+  0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
bdb79c 
+  0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31,
bdb79c 
+  0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, 0x63,
bdb79c 
+  0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77,
bdb79c 
+  0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20,
bdb79c 
+  0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30,
bdb79c 
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
bdb79c 
+  0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
bdb79c 
+  0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, 0xf7,
bdb79c 
+  0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, 0xcb,
bdb79c 
+  0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, 0x8b,
bdb79c 
+  0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, 0xe3,
bdb79c 
+  0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, 0xc0,
bdb79c 
+  0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, 0x74,
bdb79c 
+  0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, 0x67,
bdb79c 
+  0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, 0x53,
bdb79c 
+  0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, 0x23,
bdb79c 
+  0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, 0xa3,
bdb79c 
+  0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, 0xff,
bdb79c 
+  0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, 0xe2,
bdb79c 
+  0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, 0x22,
bdb79c 
+  0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, 0xf3,
bdb79c 
+  0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, 0x2b,
bdb79c 
+  0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, 0xbc,
bdb79c 
+  0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, 0xd6,
bdb79c 
+  0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, 0xe8,
bdb79c 
+  0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, 0xa8,
bdb79c 
+  0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, 0x03,
bdb79c 
+  0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, 0x10,
bdb79c 
+  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
bdb79c 
+  0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
bdb79c 
+  0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, 0xf9,
bdb79c 
+  0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, 0x2b,
bdb79c 
+  0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00,
bdb79c 
+  0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03,
bdb79c 
+  0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03,
bdb79c 
+  0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
bdb79c 
+  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
bdb79c 
+  0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, 0x94,
bdb79c 
+  0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, 0x1d,
bdb79c 
+  0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, 0x45,
bdb79c 
+  0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69,
bdb79c 
+  0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
bdb79c 
+  0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63,
bdb79c 
+  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41,
bdb79c 
+  0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33,
bdb79c 
+  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
bdb79c 
+  0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
bdb79c 
+  0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, 0x3a,
bdb79c 
+  0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
bdb79c 
+  0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65,
bdb79c 
+  0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72,
bdb79c 
+  0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32,
bdb79c 
+  0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
bdb79c 
+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x14,
bdb79c 
+  0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, 0xbc,
bdb79c 
+  0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, 0xd0,
bdb79c 
+  0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, 0x61,
bdb79c 
+  0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, 0xda,
bdb79c 
+  0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, 0x6a,
bdb79c 
+  0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, 0xe2,
bdb79c 
+  0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, 0xea,
bdb79c 
+  0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, 0x30,
bdb79c 
+  0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, 0x86,
bdb79c 
+  0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, 0xc8,
bdb79c 
+  0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, 0xae,
bdb79c 
+  0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, 0xb8,
bdb79c 
+  0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, 0xac,
bdb79c 
+  0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, 0x84,
bdb79c 
+  0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, 0x73,
bdb79c 
+  0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, 0x73,
bdb79c 
+  0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, 0x60,
bdb79c 
+  0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, 0xb6,
bdb79c 
+  0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, 0x2a,
bdb79c 
+  0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, 0xba,
bdb79c 
+  0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, 0xce,
bdb79c 
+  0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, 0x0f,
bdb79c 
+  0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, 0x6e,
bdb79c 
+  0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, 0xd3,
bdb79c 
+  0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, 0x45,
bdb79c 
+  0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, 0xd0,
bdb79c 
+  0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, 0x24,
bdb79c 
+  0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, 0x2c,
bdb79c 
+  0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, 0xdf,
bdb79c 
+  0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, 0x6c,
bdb79c 
+  0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, 0xf2,
bdb79c 
+  0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, 0x5c,
bdb79c 
+  0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, 0x47,
bdb79c 
+  0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, 0x5a,
bdb79c 
+  0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
bdb79c 
+  0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
bdb79c 
+  0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
bdb79c 
+  0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
bdb79c 
+  0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
bdb79c 
+  0x62, 0x1c, 0x59, 0x7e
bdb79c 
+};
bdb79c 
+
bdb79c 
+//
bdb79c 
+// Second DB entry: "Microsoft Corporation UEFI CA 2011"
bdb79c 
+// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
bdb79c 
+//
bdb79c 
+// To verify the "shim" binary and PCI expansion ROMs with.
bdb79c 
+//
bdb79c 
+STATIC CONST UINT8 MicrosoftUefiCA[] = {
bdb79c 
+  0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
bdb79c 
+  0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
bdb79c 
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
bdb79c 
+  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
bdb79c 
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
bdb79c 
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
bdb79c 
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
bdb79c 
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
bdb79c 
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
bdb79c 
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
bdb79c 
+  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
bdb79c 
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
bdb79c 
+  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
bdb79c 
+  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
bdb79c 
+  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
bdb79c 
+  0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x32,
bdb79c 
+  0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30,
bdb79c 
+  0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
bdb79c 
+  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
bdb79c 
+  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
bdb79c 
+  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
bdb79c 
+  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
bdb79c 
+  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
bdb79c 
+  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, 0x06,
bdb79c 
+  0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
bdb79c 
+  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
bdb79c 
+  0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31,
bdb79c 
+  0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
bdb79c 
+  0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
bdb79c 
+  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, 0xc7,
bdb79c 
+  0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, 0x43,
bdb79c 
+  0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, 0x73,
bdb79c 
+  0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, 0xd3,
bdb79c 
+  0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, 0x54,
bdb79c 
+  0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, 0x5c,
bdb79c 
+  0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, 0x4f,
bdb79c 
+  0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, 0xae,
bdb79c 
+  0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, 0x1d,
bdb79c 
+  0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, 0xfa,
bdb79c 
+  0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, 0xff,
bdb79c 
+  0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, 0x7b,
bdb79c 
+  0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, 0xe6,
bdb79c 
+  0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, 0x62,
bdb79c 
+  0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, 0x08,
bdb79c 
+  0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, 0xe7,
bdb79c 
+  0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, 0xb2,
bdb79c 
+  0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, 0x7f,
bdb79c 
+  0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, 0x8b,
bdb79c 
+  0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, 0x6a,
bdb79c 
+  0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x76,
bdb79c 
+  0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01,
bdb79c 
+  0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x23,
bdb79c 
+  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, 0x16,
bdb79c 
+  0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, 0x37,
bdb79c 
+  0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, 0x03,
bdb79c 
+  0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, 0xbd,
bdb79c 
+  0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, 0x1b,
bdb79c 
+  0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14,
bdb79c 
+  0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43,
bdb79c 
+  0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
bdb79c 
+  0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
bdb79c 
+  0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
bdb79c 
+  0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58,
bdb79c 
+  0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8,
bdb79c 
+  0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51,
bdb79c 
+  0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
bdb79c 
+  0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
bdb79c 
+  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f,
bdb79c 
+  0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43,
bdb79c 
+  0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f,
bdb79c 
+  0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e,
bdb79c 
+  0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
bdb79c 
+  0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01,
bdb79c 
+  0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
bdb79c 
+  0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
bdb79c 
+  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72,
bdb79c 
+  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50,
bdb79c 
+  0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30,
bdb79c 
+  0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06,
bdb79c 
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
bdb79c 
+  0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, 0x76,
bdb79c 
+  0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, 0xef,
bdb79c 
+  0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, 0x13,
bdb79c 
+  0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, 0x82,
bdb79c 
+  0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, 0x1a,
bdb79c 
+  0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, 0x20,
bdb79c 
+  0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, 0x90,
bdb79c 
+  0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, 0x52,
bdb79c 
+  0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, 0x6d,
bdb79c 
+  0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, 0xaf,
bdb79c 
+  0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, 0x49,
bdb79c 
+  0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, 0x34,
bdb79c 
+  0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, 0x75,
bdb79c 
+  0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, 0xb9,
bdb79c 
+  0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, 0x8f,
bdb79c 
+  0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, 0x8c,
bdb79c 
+  0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, 0x56,
bdb79c 
+  0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, 0xae,
bdb79c 
+  0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, 0x4a,
bdb79c 
+  0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, 0x3c,
bdb79c 
+  0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, 0x59,
bdb79c 
+  0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, 0x3d,
bdb79c 
+  0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, 0x53,
bdb79c 
+  0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, 0x1b,
bdb79c 
+  0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, 0x98,
bdb79c 
+  0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, 0x85,
bdb79c 
+  0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, 0xd2,
bdb79c 
+  0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, 0xe2,
bdb79c 
+  0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, 0x6c,
bdb79c 
+  0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, 0x3b,
bdb79c 
+  0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, 0x27,
bdb79c 
+  0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, 0xa6,
bdb79c 
+  0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, 0x3f,
bdb79c 
+  0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, 0x55,
bdb79c 
+  0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
bdb79c 
+  0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
bdb79c 
+  0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
bdb79c 
+  0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
bdb79c 
+  0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
bdb79c 
+  0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
bdb79c 
+};
bdb79c 
+
bdb79c 
+//
bdb79c 
+// The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test case
bdb79c 
+// of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit
bdb79c 
+// expects that the "dbx" variable exist.
bdb79c 
+//
bdb79c 
+// The article at <https://technet.microsoft.com/en-us/library/dn747883.aspx>
bdb79c 
+// writes (excerpt):
bdb79c 
+//
bdb79c 
+//    Windows 8.1 Secure Boot Key Creation and Management Guidance
bdb79c 
+//    1. Secure Boot, Windows 8.1 and Key Management
bdb79c 
+//    1.4 Signature Databases (Db and Dbx)
bdb79c 
+//    1.4.3 Forbidden Signature Database (dbx)
bdb79c 
+//
bdb79c 
+//    The contents of EFI_IMAGE_SIGNATURE_DATABASE1 dbx must be checked when
bdb79c 
+//    verifying images before checking db and any matches must prevent the
bdb79c 
+//    image from executing. The database may contain multiple certificates,
bdb79c 
+//    keys, and hashes in order to identify forbidden images. The Windows
bdb79c 
+//    Hardware Certification Requirements state that a dbx must be present, so
bdb79c 
+//    any dummy value, such as the SHA-256 hash of 0, may be used as a safe
bdb79c 
+//    placeholder until such time as Microsoft begins delivering dbx updates.
bdb79c 
+//
bdb79c 
+// The byte array below captures the SHA256 checksum of the empty file,
bdb79c 
+// blacklisting it for loading & execution. This qualifies as a dummy, since
bdb79c 
+// the empty file is not a valid UEFI binary anyway.
bdb79c 
+//
bdb79c 
+// Technically speaking, we could also capture an official (although soon to be
bdb79c 
+// obsolete) dbx update from <http://www.uefi.org/revocationlistfile>. However,
bdb79c 
+// the terms and conditions on distributing that binary aren't exactly light
bdb79c 
+// reading, so let's best steer clear of it, and follow the "dummy entry"
bdb79c 
+// practice recommended -- in natural English langauge -- in the
bdb79c 
+// above-referenced TechNet article.
bdb79c 
+//
bdb79c 
+STATIC CONST UINT8 mSha256OfDevNull[] = {
bdb79c 
+  0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99,
bdb79c 
+  0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95,
bdb79c 
+  0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
bdb79c 
+};
bdb79c 
+
bdb79c 
+//
bdb79c 
+// The following test cases of the Secure Boot Logo Test in the Microsoft
bdb79c 
+// Hardware Certification Kit:
bdb79c 
+//
bdb79c 
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
bdb79c 
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
bdb79c 
+//
bdb79c 
+// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
bdb79c 
+// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
bdb79c 
+// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
bdb79c 
+// certificates:
bdb79c 
+//
bdb79c 
+// - "Microsoft Corporation KEK CA 2011" (in KEK)
bdb79c 
+// - "Microsoft Windows Production PCA 2011" (in db)
bdb79c 
+// - "Microsoft Corporation UEFI CA 2011" (in db)
bdb79c 
+//
bdb79c 
+// This is despite the fact that the UEFI specification requires
bdb79c 
+// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
bdb79c 
+// application or driver) that enrolled and therefore owns
bdb79c 
+// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
bdb79c 
+// EFI_SIGNATURE_DATA.SignatureData.
bdb79c 
+//
bdb79c 
+STATIC CONST EFI_GUID mMicrosoftOwnerGuid = {
bdb79c 
+  0x77fa9abd, 0x0359, 0x4d32,
bdb79c 
+  { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
bdb79c 
+};
bdb79c 
+
bdb79c 
+//
bdb79c 
+// The most important thing about the variable payload is that it is a list of
bdb79c 
+// lists, where the element size of any given *inner* list is constant.
bdb79c 
+//
bdb79c 
+// Since X509 certificates vary in size, each of our *inner* lists will contain
bdb79c 
+// one element only (one X.509 certificate). This is explicitly mentioned in
bdb79c 
+// the UEFI specification, in "28.4.1 Signature Database", in a Note.
bdb79c 
+//
bdb79c 
+// The list structure looks as follows:
bdb79c 
+//
bdb79c 
+// struct EFI_VARIABLE_AUTHENTICATION_2 {                           |
bdb79c 
+//   struct EFI_TIME {                                              |
bdb79c 
+//     UINT16 Year;                                                 |
bdb79c 
+//     UINT8  Month;                                                |
bdb79c 
+//     UINT8  Day;                                                  |
bdb79c 
+//     UINT8  Hour;                                                 |
bdb79c 
+//     UINT8  Minute;                                               |
bdb79c 
+//     UINT8  Second;                                               |
bdb79c 
+//     UINT8  Pad1;                                                 |
bdb79c 
+//     UINT32 Nanosecond;                                           |
bdb79c 
+//     INT16  TimeZone;                                             |
bdb79c 
+//     UINT8  Daylight;                                             |
bdb79c 
+//     UINT8  Pad2;                                                 |
bdb79c 
+//   } TimeStamp;                                                   |
bdb79c 
+//                                                                  |
bdb79c 
+//   struct WIN_CERTIFICATE_UEFI_GUID {                           | |
bdb79c 
+//     struct WIN_CERTIFICATE {                                   | |
bdb79c 
+//       UINT32 dwLength; ----------------------------------------+ |
bdb79c 
+//       UINT16 wRevision;                                        | |
bdb79c 
+//       UINT16 wCertificateType;                                 | |
bdb79c 
+//     } Hdr;                                                     | +- DataSize
bdb79c 
+//                                                                | |
bdb79c 
+//     EFI_GUID CertType;                                         | |
bdb79c 
+//     UINT8    CertData[1] = { <--- "struct hack"                | |
bdb79c 
+//       struct EFI_SIGNATURE_LIST {                            | | |
bdb79c 
+//         EFI_GUID SignatureType;                              | | |
bdb79c 
+//         UINT32   SignatureListSize; -------------------------+ | |
bdb79c 
+//         UINT32   SignatureHeaderSize;                        | | |
bdb79c 
+//         UINT32   SignatureSize; ---------------------------+ | | |
bdb79c 
+//         UINT8    SignatureHeader[SignatureHeaderSize];     | | | |
bdb79c 
+//                                                            v | | |
bdb79c 
+//         struct EFI_SIGNATURE_DATA {                        | | | |
bdb79c 
+//           EFI_GUID SignatureOwner;                         | | | |
bdb79c 
+//           UINT8    SignatureData[1] = { <--- "struct hack" | | | |
bdb79c 
+//             X.509 payload                                  | | | |
bdb79c 
+//           }                                                | | | |
bdb79c 
+//         } Signatures[];                                      | | |
bdb79c 
+//       } SigLists[];                                            | |
bdb79c 
+//     };                                                         | |
bdb79c 
+//   } AuthInfo;                                                  | |
bdb79c 
+// };                                                               |
bdb79c 
+//
bdb79c 
+// Given that the "struct hack" invokes undefined behavior (which is why C99
bdb79c 
+// introduced the flexible array member), and because subtracting those pesky
bdb79c 
+// sizes of 1 is annoying, and because the format is fully specified in the
bdb79c 
+// UEFI specification, we'll introduce two matching convenience structures that
bdb79c 
+// are customized for our X.509 purposes.
bdb79c 
+//
bdb79c 
+#pragma pack(1)
bdb79c 
+typedef struct {
bdb79c 
+  EFI_TIME TimeStamp;
bdb79c 
+
bdb79c 
+  //
bdb79c 
+  // dwLength covers data below
bdb79c 
+  //
bdb79c 
+  UINT32   dwLength;
bdb79c 
+  UINT16   wRevision;
bdb79c 
+  UINT16   wCertificateType;
bdb79c 
+  EFI_GUID CertType;
bdb79c 
+} SINGLE_HEADER;
bdb79c 
+
bdb79c 
+typedef struct {
bdb79c 
+  //
bdb79c 
+  // SignatureListSize covers data below
bdb79c 
+  //
bdb79c 
+  EFI_GUID SignatureType;
bdb79c 
+  UINT32   SignatureListSize;
bdb79c 
+  UINT32   SignatureHeaderSize; // constant 0
bdb79c 
+  UINT32   SignatureSize;
bdb79c 
+
bdb79c 
+  //
bdb79c 
+  // SignatureSize covers data below
bdb79c 
+  //
bdb79c 
+  EFI_GUID SignatureOwner;
bdb79c 
+
bdb79c 
+  //
bdb79c 
+  // X.509 certificate follows
bdb79c 
+  //
bdb79c 
+} REPEATING_HEADER;
bdb79c 
+#pragma pack()
bdb79c 
+
bdb79c 
+/**
bdb79c 
+  Enroll a set of certificates in a global variable, overwriting it.
bdb79c 
+
bdb79c 
+  The variable will be rewritten with NV+BS+RT+AT attributes.
bdb79c 
+
bdb79c 
+  @param[in] VariableName  The name of the variable to overwrite.
bdb79c 
+
bdb79c 
+  @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
bdb79c 
+                           overwrite.
bdb79c 
+
bdb79c 
+  @param[in] CertType      The GUID determining the type of all the
bdb79c 
+                           certificates in the set that is passed in. For
bdb79c 
+                           example, gEfiCertX509Guid stands for DER-encoded
bdb79c 
+                           X.509 certificates, while gEfiCertSha256Guid stands
bdb79c 
+                           for SHA256 image hashes.
bdb79c 
+
bdb79c 
+  @param[in] ...           A list of
bdb79c 
+
bdb79c 
+                             IN CONST UINT8    *Cert,
bdb79c 
+                             IN UINTN          CertSize,
bdb79c 
+                             IN CONST EFI_GUID *OwnerGuid
bdb79c 
+
bdb79c 
+                           triplets. If the first component of a triplet is
bdb79c 
+                           NULL, then the other two components are not
bdb79c 
+                           accessed, and processing is terminated. The list of
bdb79c 
+                           certificates is enrolled in the variable specified,
bdb79c 
+                           overwriting it. The OwnerGuid component identifies
bdb79c 
+                           the agent installing the certificate.
bdb79c 
+
bdb79c 
+  @retval EFI_INVALID_PARAMETER  The triplet list is empty (ie. the first Cert
bdb79c 
+                                 value is NULL), or one of the CertSize values
bdb79c 
+                                 is 0, or one of the CertSize values would
bdb79c 
+                                 overflow the accumulated UINT32 data size.
bdb79c 
+
bdb79c 
+  @retval EFI_OUT_OF_RESOURCES   Out of memory while formatting variable
bdb79c 
+                                 payload.
bdb79c 
+
bdb79c 
+  @retval EFI_SUCCESS            Enrollment successful; the variable has been
bdb79c 
+                                 overwritten (or created).
bdb79c 
+
bdb79c 
+  @return                        Error codes from gRT->GetTime() and
bdb79c 
+                                 gRT->SetVariable().
bdb79c 
+**/
bdb79c 
+STATIC
bdb79c 
+EFI_STATUS
bdb79c 
+EFIAPI
bdb79c 
+EnrollListOfCerts (
bdb79c 
+  IN CHAR16   *VariableName,
bdb79c 
+  IN EFI_GUID *VendorGuid,
bdb79c 
+  IN EFI_GUID *CertType,
bdb79c 
+  ...
bdb79c 
+  )
bdb79c 
+{
bdb79c 
+  UINTN            DataSize;
bdb79c 
+  SINGLE_HEADER    *SingleHeader;
bdb79c 
+  REPEATING_HEADER *RepeatingHeader;
bdb79c 
+  VA_LIST          Marker;
bdb79c 
+  CONST UINT8      *Cert;
bdb79c 
+  EFI_STATUS       Status;
bdb79c 
+  UINT8            *Data;
bdb79c 
+  UINT8            *Position;
bdb79c 
+
bdb79c 
+  Status = EFI_SUCCESS;
bdb79c 
+
bdb79c 
+  //
bdb79c 
+  // compute total size first, for UINT32 range check, and allocation
bdb79c 
+  //
bdb79c 
+  DataSize = sizeof *SingleHeader;
bdb79c 
+  VA_START (Marker, CertType);
bdb79c 
+  for (Cert = VA_ARG (Marker, CONST UINT8 *);
bdb79c 
+       Cert != NULL;
bdb79c 
+       Cert = VA_ARG (Marker, CONST UINT8 *)) {
bdb79c 
+    UINTN          CertSize;
bdb79c 
+
bdb79c 
+    CertSize = VA_ARG (Marker, UINTN);
bdb79c 
+    (VOID)VA_ARG (Marker, CONST EFI_GUID *);
bdb79c 
+
bdb79c 
+    if (CertSize == 0 ||
bdb79c 
+        CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||
bdb79c 
+        DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {
bdb79c 
+      Status = EFI_INVALID_PARAMETER;
bdb79c 
+      break;
bdb79c 
+    }
bdb79c 
+    DataSize += sizeof *RepeatingHeader + CertSize;
bdb79c 
+  }
bdb79c 
+  VA_END (Marker);
bdb79c 
+
bdb79c 
+  if (DataSize == sizeof *SingleHeader) {
bdb79c 
+    Status = EFI_INVALID_PARAMETER;
bdb79c 
+  }
bdb79c 
+  if (EFI_ERROR (Status)) {
bdb79c 
+    goto Out;
bdb79c 
+  }
bdb79c 
+
bdb79c 
+  Data = AllocatePool (DataSize);
bdb79c 
+  if (Data == NULL) {
bdb79c 
+    Status = EFI_OUT_OF_RESOURCES;
bdb79c 
+    goto Out;
bdb79c 
+  }
bdb79c 
+
bdb79c 
+  Position = Data;
bdb79c 
+
bdb79c 
+  SingleHeader = (SINGLE_HEADER *)Position;
bdb79c 
+  Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);
bdb79c 
+  if (EFI_ERROR (Status)) {
bdb79c 
+    goto FreeData;
bdb79c 
+  }
bdb79c 
+  SingleHeader->TimeStamp.Pad1       = 0;
bdb79c 
+  SingleHeader->TimeStamp.Nanosecond = 0;
bdb79c 
+  SingleHeader->TimeStamp.TimeZone   = 0;
bdb79c 
+  SingleHeader->TimeStamp.Daylight   = 0;
bdb79c 
+  SingleHeader->TimeStamp.Pad2       = 0;
bdb79c 
+#if 0
bdb79c 
+  SingleHeader->dwLength         = DataSize - sizeof SingleHeader->TimeStamp;
bdb79c 
+#else
bdb79c 
+  //
bdb79c 
+  // This looks like a bug in edk2. According to the UEFI specification,
bdb79c 
+  // dwLength is "The length of the entire certificate, including the length of
bdb79c 
+  // the header, in bytes". That shouldn't stop right after CertType -- it
bdb79c 
+  // should include everything below it.
bdb79c 
+  //
bdb79c 
+  SingleHeader->dwLength         = sizeof *SingleHeader
bdb79c 
+                                     - sizeof SingleHeader->TimeStamp;
bdb79c 
+#endif
bdb79c 
+  SingleHeader->wRevision        = 0x0200;
bdb79c 
+  SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;
bdb79c 
+  CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);
bdb79c 
+  Position += sizeof *SingleHeader;
bdb79c 
+
bdb79c 
+  VA_START (Marker, CertType);
bdb79c 
+  for (Cert = VA_ARG (Marker, CONST UINT8 *);
bdb79c 
+       Cert != NULL;
bdb79c 
+       Cert = VA_ARG (Marker, CONST UINT8 *)) {
bdb79c 
+    UINTN            CertSize;
bdb79c 
+    CONST EFI_GUID   *OwnerGuid;
bdb79c 
+
bdb79c 
+    CertSize  = VA_ARG (Marker, UINTN);
bdb79c 
+    OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
bdb79c 
+
bdb79c 
+    RepeatingHeader = (REPEATING_HEADER *)Position;
bdb79c 
+    CopyGuid (&RepeatingHeader->SignatureType, CertType);
bdb79c 
+    RepeatingHeader->SignatureListSize   =
bdb79c 
+      (UINT32)(sizeof *RepeatingHeader + CertSize);
bdb79c 
+    RepeatingHeader->SignatureHeaderSize = 0;
bdb79c 
+    RepeatingHeader->SignatureSize       =
bdb79c 
+      (UINT32)(sizeof RepeatingHeader->SignatureOwner + CertSize);
bdb79c 
+    CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);
bdb79c 
+    Position += sizeof *RepeatingHeader;
bdb79c 
+
bdb79c 
+    CopyMem (Position, Cert, CertSize);
bdb79c 
+    Position += CertSize;
bdb79c 
+  }
bdb79c 
+  VA_END (Marker);
bdb79c 
+
bdb79c 
+  ASSERT (Data + DataSize == Position);
bdb79c 
+
bdb79c 
+  Status = gRT->SetVariable (VariableName, VendorGuid,
bdb79c 
+                  (EFI_VARIABLE_NON_VOLATILE |
bdb79c 
+                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
bdb79c 
+                   EFI_VARIABLE_RUNTIME_ACCESS |
bdb79c 
+                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
bdb79c 
+                  DataSize, Data);
bdb79c 
+
bdb79c 
+FreeData:
bdb79c 
+  FreePool (Data);
bdb79c 
+
bdb79c 
+Out:
bdb79c 
+  if (EFI_ERROR (Status)) {
bdb79c 
+    AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
bdb79c 
+      VendorGuid, Status);
bdb79c 
+  }
bdb79c 
+  return Status;
bdb79c 
+}
bdb79c 
+
bdb79c 
+
bdb79c 
+STATIC
bdb79c 
+EFI_STATUS
bdb79c 
+EFIAPI
bdb79c 
+GetExact (
bdb79c 
+  IN CHAR16   *VariableName,
bdb79c 
+  IN EFI_GUID *VendorGuid,
bdb79c 
+  OUT VOID    *Data,
bdb79c 
+  IN UINTN    DataSize,
bdb79c 
+  IN BOOLEAN  AllowMissing
bdb79c 
+  )
bdb79c 
+{
bdb79c 
+  UINTN      Size;
bdb79c 
+  EFI_STATUS Status;
bdb79c 
+
bdb79c 
+  Size = DataSize;
bdb79c 
+  Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);
bdb79c 
+  if (EFI_ERROR (Status)) {
bdb79c 
+    if (Status == EFI_NOT_FOUND && AllowMissing) {
bdb79c 
+      ZeroMem (Data, DataSize);
bdb79c 
+      return EFI_SUCCESS;
bdb79c 
+    }
bdb79c 
+
bdb79c 
+    AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,
bdb79c 
+      VendorGuid, Status);
bdb79c 
+    return Status;
bdb79c 
+  }
bdb79c 
+
bdb79c 
+  if (Size != DataSize) {
bdb79c 
+    AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
bdb79c 
+      "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
bdb79c 
+    return EFI_PROTOCOL_ERROR;
bdb79c 
+  }
bdb79c 
+
bdb79c 
+  return EFI_SUCCESS;
bdb79c 
+}
bdb79c 
+
bdb79c 
+typedef struct {
bdb79c 
+  UINT8 SetupMode;
bdb79c 
+  UINT8 SecureBoot;
bdb79c 
+  UINT8 SecureBootEnable;
bdb79c 
+  UINT8 CustomMode;
bdb79c 
+  UINT8 VendorKeys;
bdb79c 
+} SETTINGS;
bdb79c 
+
bdb79c 
+STATIC
bdb79c 
+EFI_STATUS
bdb79c 
+EFIAPI
bdb79c 
+GetSettings (
bdb79c 
+  OUT SETTINGS *Settings
bdb79c 
+  )
bdb79c 
+{
bdb79c 
+  EFI_STATUS Status;
bdb79c 
+
bdb79c 
+  Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
bdb79c 
+             &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
bdb79c 
+  if (EFI_ERROR (Status)) {
bdb79c 
+    return Status;
bdb79c 
+  }
bdb79c 
+
bdb79c 
+  Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,
bdb79c 
+             &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);
bdb79c 
+  if (EFI_ERROR (Status)) {
bdb79c 
+    return Status;
bdb79c 
+  }
bdb79c 
+
bdb79c 
+  Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,
bdb79c 
+             &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,
bdb79c 
+             sizeof Settings->SecureBootEnable, TRUE);
bdb79c 
+  if (EFI_ERROR (Status)) {
bdb79c 
+    return Status;
bdb79c 
+  }
bdb79c 
+
bdb79c 
+  Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
bdb79c 
+             &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);
bdb79c 
+  if (EFI_ERROR (Status)) {
bdb79c 
+    return Status;
bdb79c 
+  }
bdb79c 
+
bdb79c 
+  Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
bdb79c 
+             &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
bdb79c 
+  return Status;
bdb79c 
+}
bdb79c 
+
bdb79c 
+STATIC
bdb79c 
+VOID
bdb79c 
+EFIAPI
bdb79c 
+PrintSettings (
bdb79c 
+  IN CONST SETTINGS *Settings
bdb79c 
+  )
bdb79c 
+{
bdb79c 
+  AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
bdb79c 
+    "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
bdb79c 
+    Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
bdb79c 
+}
bdb79c 
+
bdb79c 
+
bdb79c 
+INTN
bdb79c 
+EFIAPI
bdb79c 
+ShellAppMain (
bdb79c 
+  IN UINTN  Argc,
bdb79c 
+  IN CHAR16 **Argv
bdb79c 
+  )
bdb79c 
+{
bdb79c 
+  EFI_STATUS Status;
bdb79c 
+  SETTINGS   Settings;
bdb79c 
+
bdb79c 
+  Status = GetSettings (&Settings);
bdb79c 
+  if (EFI_ERROR (Status)) {
bdb79c 
+    return 1;
bdb79c 
+  }
bdb79c 
+  PrintSettings (&Settings);
bdb79c 
+
bdb79c 
+  if (Settings.SetupMode != 1) {
bdb79c 
+    AsciiPrint ("error: already in User Mode\n");
bdb79c 
+    return 1;
bdb79c 
+  }
bdb79c 
+
bdb79c 
+  if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
bdb79c 
+    Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
bdb79c 
+    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
bdb79c 
+                    (EFI_VARIABLE_NON_VOLATILE |
bdb79c 
+                     EFI_VARIABLE_BOOTSERVICE_ACCESS),
bdb79c 
+                    sizeof Settings.CustomMode, &Settings.CustomMode);
bdb79c 
+    if (EFI_ERROR (Status)) {
bdb79c 
+      AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
bdb79c 
+        &gEfiCustomModeEnableGuid, Status);
bdb79c 
+      return 1;
bdb79c 
+    }
bdb79c 
+  }
bdb79c 
+
bdb79c 
+  Status = EnrollListOfCerts (
bdb79c 
+             EFI_IMAGE_SECURITY_DATABASE,
bdb79c 
+             &gEfiImageSecurityDatabaseGuid,
bdb79c 
+             &gEfiCertX509Guid,
bdb79c 
+             MicrosoftPCA,    sizeof MicrosoftPCA,    &mMicrosoftOwnerGuid,
bdb79c 
+             MicrosoftUefiCA, sizeof MicrosoftUefiCA, &mMicrosoftOwnerGuid,
bdb79c 
+             NULL);
bdb79c 
+  if (EFI_ERROR (Status)) {
bdb79c 
+    return 1;
bdb79c 
+  }
bdb79c 
+
bdb79c 
+  Status = EnrollListOfCerts (
bdb79c 
+             EFI_IMAGE_SECURITY_DATABASE1,
bdb79c 
+             &gEfiImageSecurityDatabaseGuid,
bdb79c 
+             &gEfiCertSha256Guid,
bdb79c 
+             mSha256OfDevNull, sizeof mSha256OfDevNull, &gEfiCallerIdGuid,
bdb79c 
+             NULL);
bdb79c 
+  if (EFI_ERROR (Status)) {
bdb79c 
+    return 1;
bdb79c 
+  }
bdb79c 
+
bdb79c 
+  Status = EnrollListOfCerts (
bdb79c 
+             EFI_KEY_EXCHANGE_KEY_NAME,
bdb79c 
+             &gEfiGlobalVariableGuid,
bdb79c 
+             &gEfiCertX509Guid,
bdb79c 
+             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiCallerIdGuid,
bdb79c 
+             MicrosoftKEK, sizeof MicrosoftKEK, &mMicrosoftOwnerGuid,
bdb79c 
+             NULL);
bdb79c 
+  if (EFI_ERROR (Status)) {
bdb79c 
+    return 1;
bdb79c 
+  }
bdb79c 
+
bdb79c 
+  Status = EnrollListOfCerts (
bdb79c 
+             EFI_PLATFORM_KEY_NAME,
bdb79c 
+             &gEfiGlobalVariableGuid,
bdb79c 
+             &gEfiCertX509Guid,
bdb79c 
+             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiGlobalVariableGuid,
bdb79c 
+             NULL);
bdb79c 
+  if (EFI_ERROR (Status)) {
bdb79c 
+    return 1;
bdb79c 
+  }
bdb79c 
+
bdb79c 
+  Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
bdb79c 
+  Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
bdb79c 
+                  EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
bdb79c 
+                  sizeof Settings.CustomMode, &Settings.CustomMode);
bdb79c 
+  if (EFI_ERROR (Status)) {
bdb79c 
+    AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
bdb79c 
+      &gEfiCustomModeEnableGuid, Status);
bdb79c 
+    return 1;
bdb79c 
+  }
bdb79c 
+
bdb79c 
+  Status = GetSettings (&Settings);
bdb79c 
+  if (EFI_ERROR (Status)) {
bdb79c 
+    return 1;
bdb79c 
+  }
bdb79c 
+  PrintSettings (&Settings);
bdb79c 
+
bdb79c 
+  if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
bdb79c 
+      Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
bdb79c 
+      Settings.VendorKeys != 0) {
bdb79c 
+    AsciiPrint ("error: unexpected\n");
bdb79c 
+    return 1;
bdb79c 
+  }
bdb79c 
+
bdb79c 
+  AsciiPrint ("info: success\n");
bdb79c 
+  return 0;
bdb79c 
+}
bdb79c 
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
bdb79c 
new file mode 100644
bdb79c 
index 0000000..0ad86a2
bdb79c 
--- /dev/null
bdb79c 
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
bdb79c 
@@ -0,0 +1,52 @@
bdb79c 
+## @file
bdb79c 
+#  Enroll default PK, KEK, DB.
bdb79c 
+#
bdb79c 
+#  Copyright (C) 2014, Red Hat, Inc.
bdb79c 
+#
bdb79c 
+#  This program and the accompanying materials are licensed and made available
bdb79c 
+#  under the terms and conditions of the BSD License which accompanies this
bdb79c 
+#  distribution. The full text of the license may be found at
bdb79c 
+#  http://opensource.org/licenses/bsd-license.
bdb79c 
+#
bdb79c 
+#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
bdb79c 
+#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
bdb79c 
+#  IMPLIED.
bdb79c 
+##
bdb79c 
+
bdb79c 
+[Defines]
bdb79c 
+  INF_VERSION                    = 0x00010006
bdb79c 
+  BASE_NAME                      = EnrollDefaultKeys
bdb79c 
+  FILE_GUID                      = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
bdb79c 
+  MODULE_TYPE                    = UEFI_APPLICATION
bdb79c 
+  VERSION_STRING                 = 0.1
bdb79c 
+  ENTRY_POINT                    = ShellCEntryLib
bdb79c 
+
bdb79c 
+#
bdb79c 
+#  VALID_ARCHITECTURES           = IA32 X64
bdb79c 
+#
bdb79c 
+
bdb79c 
+[Sources]
bdb79c 
+  EnrollDefaultKeys.c
bdb79c 
+
bdb79c 
+[Packages]
bdb79c 
+  MdePkg/MdePkg.dec
bdb79c 
+  MdeModulePkg/MdeModulePkg.dec
bdb79c 
+  SecurityPkg/SecurityPkg.dec
bdb79c 
+  ShellPkg/ShellPkg.dec
bdb79c 
+
bdb79c 
+[Guids]
bdb79c 
+  gEfiCertPkcs7Guid
bdb79c 
+  gEfiCertSha256Guid
bdb79c 
+  gEfiCertX509Guid
bdb79c 
+  gEfiCustomModeEnableGuid
bdb79c 
+  gEfiGlobalVariableGuid
bdb79c 
+  gEfiImageSecurityDatabaseGuid
bdb79c 
+  gEfiSecureBootEnableDisableGuid
bdb79c 
+
bdb79c 
+[LibraryClasses]
bdb79c 
+  BaseMemoryLib
bdb79c 
+  DebugLib
bdb79c 
+  MemoryAllocationLib
bdb79c 
+  ShellCEntryLib
bdb79c 
+  UefiLib
bdb79c 
+  UefiRuntimeServicesTableLib
bdb79c 
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
bdb79c 
index b577767..4d268c9 100644
bdb79c 
--- a/OvmfPkg/OvmfPkgIa32.dsc
bdb79c 
+++ b/OvmfPkg/OvmfPkgIa32.dsc
bdb79c 
@@ -865,6 +865,10 @@
bdb79c
bdb79c 
 !if $(SECURE_BOOT_ENABLE) == TRUE
bdb79c 
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
bdb79c 
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
bdb79c 
+    <LibraryClasses>
bdb79c 
+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
bdb79c 
+  }
bdb79c 
 !endif
bdb79c
bdb79c 
   OvmfPkg/PlatformDxe/Platform.inf
bdb79c 
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
bdb79c 
index a6a40be..6836622 100644
bdb79c 
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
bdb79c 
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
bdb79c 
@@ -874,6 +874,10 @@
bdb79c
bdb79c 
 !if $(SECURE_BOOT_ENABLE) == TRUE
bdb79c 
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
bdb79c 
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
bdb79c 
+    <LibraryClasses>
bdb79c 
+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
bdb79c 
+  }
bdb79c 
 !endif
bdb79c
bdb79c 
   OvmfPkg/PlatformDxe/Platform.inf
bdb79c 
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
bdb79c 
index 8bd3754..0b3008f 100644
bdb79c 
--- a/OvmfPkg/OvmfPkgX64.dsc
bdb79c 
+++ b/OvmfPkg/OvmfPkgX64.dsc
bdb79c 
@@ -872,6 +872,10 @@
bdb79c
bdb79c 
 !if $(SECURE_BOOT_ENABLE) == TRUE
bdb79c 
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
bdb79c 
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
bdb79c 
+    <LibraryClasses>
bdb79c 
+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
bdb79c 
+  }
bdb79c 
 !endif
bdb79c
bdb79c 
   OvmfPkg/PlatformDxe/Platform.inf
bdb79c 
--
bdb79c 
1.8.3.1
bdb79c

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation