diff --git a/UefiPayloadPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/UefiPayloadPkg/EnrollDefaultKeys/EnrollDefaultKeys.c new file mode 100644 index 0000000000000..199dcb2add2d1 --- /dev/null +++ b/UefiPayloadPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -0,0 +1,605 @@ +/** @file + Enroll default PK, KEK, DB and DBX + + Copyright (C) 2014, Red Hat, Inc. + + This program and the accompanying materials are licensed and made available + under the terms and conditions of the BSD License which accompanies this + distribution. The full text of the license may be found at + http://opensource.org/licenses/bsd-license. + + THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT + WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + **/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "EnrollDefaultKeys.h" + +/** + Enroll a set of certificates in a global variable, overwriting it. + + The variable will be rewritten with NV+BS+RT+AT attributes. + + @param[in] VariableName The name of the variable to overwrite. + + @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable to + overwrite. + + @param[in] CertType The GUID determining the type of all the + certificates in the set that is passed in. For + example, gEfiCertX509Guid stands for DER-encoded + X.509 certificates, while gEfiCertSha256Guid stands + for SHA256 image hashes. + + @param[in] ... A list of + + IN CONST UINT8 *Cert, + IN UINTN CertSize, + IN CONST EFI_GUID *OwnerGuid + + triplets. If the first component of a triplet is + NULL, then the other two components are not + accessed, and processing is terminated. The list of + certificates is enrolled in the variable specified, + overwriting it. The OwnerGuid component identifies + the agent installing the certificate. + + @retval EFI_INVALID_PARAMETER The triplet list is empty (ie. the first Cert + value is NULL), or one of the CertSize values + is 0, or one of the CertSize values would + overflow the accumulated UINT32 data size. + + @retval EFI_OUT_OF_RESOURCES Out of memory while formatting variable + payload. + + @retval EFI_SUCCESS Enrollment successful; the variable has been + overwritten (or created). + + @return Error codes from gRT->GetTime() and + gRT->SetVariable(). + **/ +STATIC +EFI_STATUS +EFIAPI +EnrollListOfCerts ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid, + IN EFI_GUID *CertType, + ... + ) +{ + UINTN DataSize; + SINGLE_HEADER *SingleHeader; + REPEATING_HEADER *RepeatingHeader; + VA_LIST Marker; + CONST UINT8 *Cert; + EFI_STATUS Status; + UINT8 *Data; + UINT8 *Position; + + Status = EFI_SUCCESS; + + // + // compute total size first, for UINT32 range check, and allocation + // + DataSize = sizeof *SingleHeader; + VA_START (Marker, CertType); + for (Cert = VA_ARG (Marker, CONST UINT8 *); + Cert != NULL; + Cert = VA_ARG (Marker, CONST UINT8 *)) { + UINTN CertSize; + + CertSize = VA_ARG (Marker, UINTN); + (VOID)VA_ARG (Marker, CONST EFI_GUID *); + + if (CertSize == 0 || + CertSize > MAX_UINT32 - sizeof *RepeatingHeader || + DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) { + Status = EFI_INVALID_PARAMETER; + break; + } + DataSize += sizeof *RepeatingHeader + CertSize; + } + VA_END (Marker); + + if (DataSize == sizeof *SingleHeader) { + Status = EFI_INVALID_PARAMETER; + } + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "EnrollDefaultKeys: Invalid certificate parameters\n")); + goto Out; + } + + Data = AllocatePool (DataSize); + if (Data == NULL) { + Status = EFI_OUT_OF_RESOURCES; + goto Out; + } + + Position = Data; + + SingleHeader = (SINGLE_HEADER *)Position; + Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL); + if (EFI_ERROR (Status)) { + DEBUG ((EFI_D_INFO, "EnrollDefaultKeys: GetTime failed\n")); + // Fill in dummy values + SingleHeader->TimeStamp.Year = 2018; + SingleHeader->TimeStamp.Month = 1; + SingleHeader->TimeStamp.Day = 1; + SingleHeader->TimeStamp.Hour = 0; + SingleHeader->TimeStamp.Minute = 0; + SingleHeader->TimeStamp.Second = 0; + Status = EFI_SUCCESS; + } + SingleHeader->TimeStamp.Pad1 = 0; + SingleHeader->TimeStamp.Nanosecond = 0; + SingleHeader->TimeStamp.TimeZone = 0; + SingleHeader->TimeStamp.Daylight = 0; + SingleHeader->TimeStamp.Pad2 = 0; + + // + // This looks like a bug in edk2. According to the UEFI specification, + // dwLength is "The length of the entire certificate, including the length of + // the header, in bytes". That shouldn't stop right after CertType -- it + // should include everything below it. + // + SingleHeader->dwLength = sizeof *SingleHeader - sizeof SingleHeader->TimeStamp; + SingleHeader->wRevision = 0x0200; + SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID; + CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid); + Position += sizeof *SingleHeader; + + VA_START (Marker, CertType); + for (Cert = VA_ARG (Marker, CONST UINT8 *); + Cert != NULL; + Cert = VA_ARG (Marker, CONST UINT8 *)) { + UINTN CertSize; + CONST EFI_GUID *OwnerGuid; + + CertSize = VA_ARG (Marker, UINTN); + OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *); + + RepeatingHeader = (REPEATING_HEADER *)Position; + CopyGuid (&RepeatingHeader->SignatureType, CertType); + RepeatingHeader->SignatureListSize = + (UINT32)(sizeof *RepeatingHeader + CertSize); + RepeatingHeader->SignatureHeaderSize = 0; + RepeatingHeader->SignatureSize = + (UINT32)(sizeof RepeatingHeader->SignatureOwner + CertSize); + CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid); + Position += sizeof *RepeatingHeader; + + CopyMem (Position, Cert, CertSize); + Position += CertSize; + } + VA_END (Marker); + + ASSERT (Data + DataSize == Position); + + Status = gRT->SetVariable (VariableName, VendorGuid, + (EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), + DataSize, Data); + + FreePool (Data); + +Out: + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "EnrollDefaultKeys: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName, + VendorGuid, Status)); + } + return Status; +} + +/** + Read a UEFI variable into a caller-allocated buffer, enforcing an exact size. + + @param[in] VariableName The name of the variable to read; passed to + gRT->GetVariable(). + + @param[in] VendorGuid The vendor (namespace) GUID of the variable to read; + passed to gRT->GetVariable(). + + @param[out] Data The caller-allocated buffer that is supposed to + receive the variable's contents. On error, the + contents of Data are indeterminate. + + @param[in] DataSize The size in bytes that the caller requires the UEFI + variable to have. The caller is responsible for + providing room for DataSize bytes in Data. + + @param[in] AllowMissing If FALSE, the variable is required to exist. If + TRUE, the variable is permitted to be missing. + + @retval EFI_SUCCESS The UEFI variable exists, has the required size + (DataSize), and has been read into Data. + + @retval EFI_SUCCESS The UEFI variable doesn't exist, and + AllowMissing is TRUE. DataSize bytes in Data + have been zeroed out. + + @retval EFI_NOT_FOUND The UEFI variable doesn't exist, and + AllowMissing is FALSE. + + @retval EFI_BUFFER_TOO_SMALL The UEFI variable exists, but its size is + greater than DataSize. + + @retval EFI_PROTOCOL_ERROR The UEFI variable exists, but its size is + smaller than DataSize. + + @return Error codes propagated from gRT->GetVariable(). + +**/ +STATIC +EFI_STATUS +EFIAPI +GetExact ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid, + OUT VOID *Data, + IN UINTN DataSize, + IN BOOLEAN AllowMissing + ) +{ + UINTN Size; + EFI_STATUS Status; + + Size = DataSize; + Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data); + if (EFI_ERROR (Status)) { + if (Status == EFI_NOT_FOUND && AllowMissing) { + ZeroMem (Data, DataSize); + return EFI_SUCCESS; + } + + DEBUG ((DEBUG_ERROR, "EnrollDefaultKeys: GetVariable(\"%s\", %g): %r\n", VariableName, + VendorGuid, Status)); + return Status; + } + + if (Size != DataSize) { + DEBUG ((EFI_D_INFO, "EnrollDefaultKeys: GetVariable(\"%s\", %g): expected size 0x%Lx, " + "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size)); + return EFI_PROTOCOL_ERROR; + } + + return EFI_SUCCESS; +} + +/** + Populate a SETTINGS structure from the underlying UEFI variables. + + The following UEFI variables are standard variables: + - L"SetupMode" (EFI_SETUP_MODE_NAME) + - L"SecureBoot" (EFI_SECURE_BOOT_MODE_NAME) + - L"VendorKeys" (EFI_VENDOR_KEYS_VARIABLE_NAME) + + The following UEFI variables are edk2 extensions: + - L"SecureBootEnable" (EFI_SECURE_BOOT_ENABLE_NAME) + - L"CustomMode" (EFI_CUSTOM_MODE_NAME) + + The L"SecureBootEnable" UEFI variable is permitted to be missing, in which + case the corresponding field in the SETTINGS object will be zeroed out. The + rest of the covered UEFI variables are required to exist; otherwise, the + function will fail. + + @param[out] Settings The SETTINGS object to fill. + @param[in] AllowMissing If FALSE, the required variables must exist; if + TRUE, the function can succeed even if some + variables are missing. + + @retval EFI_SUCCESS Settings has been populated. + + @return Error codes propagated from the GetExact() function. The + contents of Settings are indeterminate. +**/ +STATIC +EFI_STATUS +EFIAPI +GetSettings ( + OUT SETTINGS *Settings, + BOOLEAN AllowMissing + ) +{ + EFI_STATUS Status; + + ZeroMem (Settings, sizeof(SETTINGS)); + + Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, + &Settings->SetupMode, sizeof Settings->SetupMode, AllowMissing); + if (EFI_ERROR (Status)) { + return Status; + } + + Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, + &Settings->SecureBoot, sizeof Settings->SecureBoot, AllowMissing); + if (EFI_ERROR (Status)) { + return Status; + } + + Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME, + &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable, + sizeof Settings->SecureBootEnable, AllowMissing); + if (EFI_ERROR (Status)) { + return Status; + } + + Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, + &Settings->CustomMode, sizeof Settings->CustomMode, AllowMissing); + if (EFI_ERROR (Status)) { + return Status; + } + + Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, + &Settings->VendorKeys, sizeof Settings->VendorKeys, AllowMissing); + return Status; +} + +/** + + Print the contents of a SETTINGS structure to the UEFI console. + + @param[in] Settings The SETTINGS object to print the contents of. + +**/ +STATIC +VOID +EFIAPI +PrintSettings ( + IN CONST SETTINGS *Settings + ) +{ + DEBUG ((EFI_D_INFO, "EnrollDefaultKeys: SetupMode=%d SecureBoot=%d SecureBootEnable=%d " + "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot, + Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys)); +} + +/** + Install SecureBoot certificates once the VariableDriver is running. + + @param[in] Event Event whose notification function is being invoked + @param[in] Context Pointer to the notification function's context +**/ +VOID +EFIAPI +EnrollDefaultKeys ( + IN EFI_EVENT Event, + IN VOID *Context + ) +{ + EFI_STATUS Status; + VOID *Protocol; + SETTINGS Settings; + + UINT8 *DbMicrosoftUefi2011 = 0; + UINTN DbMicrosoftUefi2011Size; + UINT8 *DbMicrosoftUefi2023 = 0; + UINTN DbMicrosoftUefi2023Size; + UINT8 *DbMicrosoftWin2011 = 0; + UINTN DbMicrosoftWin2011Size; + UINT8 *DbMicrosoftWinuefi2023 = 0; + UINTN DbMicrosoftWinuefi2023Size; + UINT8 *DbxMicrosoftUpdate = 0; + UINTN DbxMicrosoftUpdateSize; + UINT8 *KekMicrosoft2011 = 0; + UINTN KekMicrosoft2011Size; + UINT8 *KekMicrosoft2023 = 0; + UINTN KekMicrosoft2023Size; + UINT8 *KekMicrosoftUefi2023 = 0; + UINTN KekMicrosoftUefi2023Size; + UINT8 *PkMicrosoftOem2023 = 0; + UINTN PkMicrosoftOem2023Size; + + Status = gBS->LocateProtocol (&gEfiVariableWriteArchProtocolGuid, NULL, (VOID **)&Protocol); + if (EFI_ERROR (Status)) { + return; + } + + Status = GetSettings (&Settings, TRUE); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "EnrollDefaultKeys: Failed to get current settings\n")); + return; + } + + if (Settings.SetupMode != SETUP_MODE) { + DEBUG ((DEBUG_ERROR, "EnrollDefaultKeys: already in User Mode\n")); + return; + } + PrintSettings (&Settings); + + if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) { + Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE; + Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, + (EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS), + sizeof Settings.CustomMode, &Settings.CustomMode); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "EnrollDefaultKeys: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME, + &gEfiCustomModeEnableGuid, Status)); + ASSERT_EFI_ERROR (Status); + } + } + + Status = GetSectionFromAnyFv(&gMicrosoftDbUefi2011Guid, EFI_SECTION_RAW, 0, (void **)&DbMicrosoftUefi2011, &DbMicrosoftUefi2011Size); + ASSERT_EFI_ERROR(Status); + Status = GetSectionFromAnyFv(&gMicrosoftDbUefi2023Guid, EFI_SECTION_RAW, 0, (void **)&DbMicrosoftUefi2023, &DbMicrosoftUefi2023Size); + ASSERT_EFI_ERROR(Status); + Status = GetSectionFromAnyFv(&gMicrosoftDbWin2011Guid, EFI_SECTION_RAW, 0, (void **)&DbMicrosoftWin2011, &DbMicrosoftWin2011Size); + ASSERT_EFI_ERROR(Status); + Status = GetSectionFromAnyFv(&gMicrosoftDbWinUefi2023Guid, EFI_SECTION_RAW, 0, (void **)&DbMicrosoftWinuefi2023, &DbMicrosoftWinuefi2023Size); + ASSERT_EFI_ERROR(Status); + Status = GetSectionFromAnyFv(&gMicrosoftDbxUpdateGuid, EFI_SECTION_RAW, 0, (void **)&DbxMicrosoftUpdate, &DbxMicrosoftUpdateSize); + ASSERT_EFI_ERROR(Status); + Status = GetSectionFromAnyFv(&gMicrosoftKek2011Guid, EFI_SECTION_RAW, 0, (void **)&KekMicrosoft2011, &KekMicrosoft2011Size); + ASSERT_EFI_ERROR(Status); + Status = GetSectionFromAnyFv(&gMicrosoftKek2023Guid, EFI_SECTION_RAW, 0, (void **)&KekMicrosoft2023, &KekMicrosoft2023Size); + ASSERT_EFI_ERROR(Status); + Status = GetSectionFromAnyFv(&gMicrosoftKekUefi2023Guid, EFI_SECTION_RAW, 0, (void **)&KekMicrosoftUefi2023, &KekMicrosoftUefi2023Size); + ASSERT_EFI_ERROR(Status); + Status = GetSectionFromAnyFv(&gMicrosoftPkOem2023Guid, EFI_SECTION_RAW, 0, (void **)&PkMicrosoftOem2023, &PkMicrosoftOem2023Size); + ASSERT_EFI_ERROR(Status); + + Status = gRT->SetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, + (EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), + DbxMicrosoftUpdateSize, DbxMicrosoftUpdate); + ASSERT_EFI_ERROR (Status); + + Status = EnrollListOfCerts ( + EFI_IMAGE_SECURITY_DATABASE, + &gEfiImageSecurityDatabaseGuid, + &gEfiCertX509Guid, + DbMicrosoftUefi2011, DbMicrosoftUefi2011Size, DbMicrosoftWinuefi2023Size, + DbMicrosoftUefi2023, DbMicrosoftUefi2023Size, DbMicrosoftWinuefi2023Size, + DbMicrosoftWin2011, DbMicrosoftWin2011Size, DbMicrosoftWinuefi2023Size, + DbMicrosoftWinuefi2023, DbMicrosoftWinuefi2023Size, DbMicrosoftWinuefi2023Size, + NULL); + ASSERT_EFI_ERROR (Status); + + Status = EnrollListOfCerts ( + EFI_KEY_EXCHANGE_KEY_NAME, + &gEfiGlobalVariableGuid, + &gEfiCertX509Guid, + KekMicrosoft2011, KekMicrosoft2011Size, gMicrosoftVendorGuid, + KekMicrosoft2023, KekMicrosoft2023Size, gMicrosoftVendorGuid, + KekMicrosoftUefi2023, KekMicrosoftUefi2023Size, gMicrosoftVendorGuid, + NULL); + ASSERT_EFI_ERROR (Status); + + Status = EnrollListOfCerts ( + EFI_PLATFORM_KEY_NAME, + &gEfiGlobalVariableGuid, + &gEfiCertX509Guid, + PkMicrosoftOem2023, PkMicrosoftOem2023Size, gMicrosoftVendorGuid, + NULL); + ASSERT_EFI_ERROR (Status); + + FreePool(DbMicrosoftUefi2011); + FreePool(DbMicrosoftUefi2023); + FreePool(DbMicrosoftWin2011); + FreePool(DbMicrosoftWinuefi2023); + FreePool(DbxMicrosoftUpdate); + FreePool(KekMicrosoft2011); + FreePool(KekMicrosoft2023); + FreePool(KekMicrosoftUefi2023); + FreePool(PkMicrosoftOem2023); + + Settings.CustomMode = STANDARD_SECURE_BOOT_MODE; + Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, + sizeof Settings.CustomMode, &Settings.CustomMode); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "EnrollDefaultKeys: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME, + &gEfiCustomModeEnableGuid, Status)); + ASSERT_EFI_ERROR (Status); + } + + // FIXME: Force SecureBoot to ON. The AuthService will do this if authenticated variables + // are supported, which aren't as the SMM handler isn't able to verify them. + + Settings.SecureBootEnable = SECURE_BOOT_DISABLE; + Status = gRT->SetVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, + sizeof Settings.SecureBootEnable, &Settings.SecureBootEnable); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "EnrollDefaultKeys: SetVariable(\"%s\", %g): %r\n", EFI_SECURE_BOOT_ENABLE_NAME, + &gEfiSecureBootEnableDisableGuid, Status)); + ASSERT_EFI_ERROR (Status); + } + + Settings.SecureBoot = SECURE_BOOT_DISABLE; + Status = gRT->SetVariable (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, + EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, + sizeof Settings.SecureBoot, &Settings.SecureBoot); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "EnrollDefaultKeys: SetVariable(\"%s\", %g): %r\n", EFI_SECURE_BOOT_MODE_NAME, + &gEfiGlobalVariableGuid, Status)); + ASSERT_EFI_ERROR (Status); + } + + Status = GetSettings (&Settings, FALSE); + ASSERT_EFI_ERROR (Status); + + // + // Final sanity check: + // + // [SetupMode] + // (read-only, standardized by UEFI) + // / \_ + // 0 1, default + // / \_ + // PK enrolled no PK enrolled yet, + // (this is called "User Mode") PK enrollment possible + // | + // | + // [SecureBootEnable] + // (read-write, edk2-specific, boot service only) + // / \_ + // 0 1, default + // / \_ + // [SecureBoot]=0 [SecureBoot]=1 + // (read-only, standardized by UEFI) (read-only, standardized by UEFI) + // images are not verified images are verified, platform is + // operating in Secure Boot mode + // | + // | + // [CustomMode] + // (read-write, edk2-specific, boot service only) + // / \_ + // 0, default 1 + // / \_ + // PK, KEK, db, dbx PK, KEK, db, dbx + // updates are verified updates are not verified + // + + PrintSettings (&Settings); + + if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 || + Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 || + Settings.VendorKeys != 0) { + DEBUG ((DEBUG_ERROR, "EnrollDefaultKeys: disabled\n")); + return; + } + + DEBUG ((EFI_D_INFO, "EnrollDefaultKeys: SecureBoot enabled\n")); +} + +EFI_STATUS +EFIAPI +DriverEntry ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + VOID *Registration; + + DEBUG ((DEBUG_INFO, "EnrollDefaultKeys hook\n")); + + // + // Create event callback, because we need access variable on SecureBootPolicyVariable + // We should use VariableWriteArch instead of VariableArch, because Variable driver + // may update SecureBoot value based on last setting. + // + EfiCreateProtocolNotifyEvent ( + &gEfiVariableWriteArchProtocolGuid, + TPL_CALLBACK, + EnrollDefaultKeys, + NULL, + &Registration); + + return EFI_SUCCESS; +} diff --git a/UefiPayloadPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/UefiPayloadPkg/EnrollDefaultKeys/EnrollDefaultKeys.h new file mode 100644 index 0000000000000..abfaf3ab65774 --- /dev/null +++ b/UefiPayloadPkg/EnrollDefaultKeys/EnrollDefaultKeys.h @@ -0,0 +1,121 @@ +/** @file + Type definitions and object declarations for the EnrollDefaultKeys + application. + + Copyright (C) 2014-2019, Red Hat, Inc. + + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#ifndef ENROLL_DEFAULT_KEYS_H_ +#define ENROLL_DEFAULT_KEYS_H_ + +#include + +// +// Convenience structure types for constructing "signature lists" for +// authenticated UEFI variables. +// +// The most important thing about the variable payload is that it is a list of +// lists, where the element size of any given *inner* list is constant. +// +// Since X509 certificates vary in size, each of our *inner* lists will contain +// one element only (one X.509 certificate). This is explicitly mentioned in +// the UEFI specification, in "28.4.1 Signature Database", in a Note. +// +// The list structure looks as follows: +// +// struct EFI_VARIABLE_AUTHENTICATION_2 { | +// struct EFI_TIME { | +// UINT16 Year; | +// UINT8 Month; | +// UINT8 Day; | +// UINT8 Hour; | +// UINT8 Minute; | +// UINT8 Second; | +// UINT8 Pad1; | +// UINT32 Nanosecond; | +// INT16 TimeZone; | +// UINT8 Daylight; | +// UINT8 Pad2; | +// } TimeStamp; | +// | +// struct WIN_CERTIFICATE_UEFI_GUID { | | +// struct WIN_CERTIFICATE { | | +// UINT32 dwLength; ----------------------------------------+ | +// UINT16 wRevision; | | +// UINT16 wCertificateType; | | +// } Hdr; | +- DataSize +// | | +// EFI_GUID CertType; | | +// UINT8 CertData[1] = { <--- "struct hack" | | +// struct EFI_SIGNATURE_LIST { | | | +// EFI_GUID SignatureType; | | | +// UINT32 SignatureListSize; -------------------------+ | | +// UINT32 SignatureHeaderSize; | | | +// UINT32 SignatureSize; ---------------------------+ | | | +// UINT8 SignatureHeader[SignatureHeaderSize]; | | | | +// v | | | +// struct EFI_SIGNATURE_DATA { | | | | +// EFI_GUID SignatureOwner; | | | | +// UINT8 SignatureData[1] = { <--- "struct hack" | | | | +// X.509 payload | | | | +// } | | | | +// } Signatures[]; | | | +// } SigLists[]; | | +// }; | | +// } AuthInfo; | | +// }; | +// +// Given that the "struct hack" invokes undefined behavior (which is why C99 +// introduced the flexible array member), and because subtracting those pesky +// sizes of 1 is annoying, and because the format is fully specified in the +// UEFI specification, we'll introduce two matching convenience structures that +// are customized for our X.509 purposes. +// +#pragma pack (1) +typedef struct { + EFI_TIME TimeStamp; + + // + // dwLength covers data below + // + UINT32 dwLength; + UINT16 wRevision; + UINT16 wCertificateType; + EFI_GUID CertType; +} SINGLE_HEADER; + +typedef struct { + // + // SignatureListSize covers data below + // + EFI_GUID SignatureType; + UINT32 SignatureListSize; + UINT32 SignatureHeaderSize; // constant 0 + UINT32 SignatureSize; + + // + // SignatureSize covers data below + // + EFI_GUID SignatureOwner; + + // + // X.509 certificate follows + // +} REPEATING_HEADER; +#pragma pack () + +// +// A structure that collects the values of UEFI variables related to Secure +// Boot. +// +typedef struct { + UINT8 SetupMode; + UINT8 SecureBoot; + UINT8 SecureBootEnable; + UINT8 CustomMode; + UINT8 VendorKeys; +} SETTINGS; + +#endif /* ENROLL_DEFAULT_KEYS_H_ */ diff --git a/UefiPayloadPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/UefiPayloadPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf new file mode 100644 index 0000000000000..e639084cb84f3 --- /dev/null +++ b/UefiPayloadPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf @@ -0,0 +1,63 @@ +## @file +# This file handels SecureBoot setup. +# +# Copyright (c) 2013 - 2019, Intel Corporation. All rights reserved.
+# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = EnrollDefaultKeys + FILE_GUID = 14693BD4-D114-4177-979E-37F279BAD620 + MODULE_TYPE = DXE_DRIVER + VERSION_STRING = 0.1 + ENTRY_POINT = DriverEntry + +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Sources] + EnrollDefaultKeys.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + UefiPayloadPkg/UefiPayloadPkg.dec + +[Guids] + gEfiCertPkcs7Guid + gEfiCertX509Guid + gEfiCustomModeEnableGuid + gEfiGlobalVariableGuid + gEfiImageSecurityDatabaseGuid + gEfiSecureBootEnableDisableGuid + gMicrosoftVendorGuid + gMicrosoftDbxUpdateGuid + gMicrosoftDbUefi2011Guid + gMicrosoftDbWin2011Guid + gMicrosoftDbUefi2023Guid + gMicrosoftDbWinUefi2023Guid + gMicrosoftKek2011Guid + gMicrosoftKek2023Guid + gMicrosoftKekUefi2023Guid + gMicrosoftPkOem2023Guid + +[LibraryClasses] + BaseMemoryLib + DebugLib + DxeServicesLib + MemoryAllocationLib + UefiBootServicesTableLib + UefiDriverEntryPoint + UefiRuntimeServicesTableLib + +[Protocols] + gEfiVariableWriteArchProtocolGuid ## CONSUMES + +[Depex] + TRUE diff --git a/UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_uefi_2011.der b/UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_uefi_2011.der new file mode 100644 index 0000000000000..9aa6ac6c79b21 Binary files /dev/null and b/UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_uefi_2011.der differ diff --git a/UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_uefi_2023.der b/UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_uefi_2023.der new file mode 100644 index 0000000000000..39a91b31730ad Binary files /dev/null and b/UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_uefi_2023.der differ diff --git a/UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_win_2011.der b/UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_win_2011.der new file mode 100644 index 0000000000000..a6d001c219389 Binary files /dev/null and b/UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_win_2011.der differ diff --git a/UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_win_uefi_2023.der b/UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_win_uefi_2023.der new file mode 100644 index 0000000000000..4c5430b28340d Binary files /dev/null and b/UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_win_uefi_2023.der differ diff --git a/UefiPayloadPkg/EnrollDefaultKeys/keys/dbx_microsoft_update.bin b/UefiPayloadPkg/EnrollDefaultKeys/keys/dbx_microsoft_update.bin new file mode 100644 index 0000000000000..e2f6b0259ae03 Binary files /dev/null and b/UefiPayloadPkg/EnrollDefaultKeys/keys/dbx_microsoft_update.bin differ diff --git a/UefiPayloadPkg/EnrollDefaultKeys/keys/kek_microsoft_2011.der b/UefiPayloadPkg/EnrollDefaultKeys/keys/kek_microsoft_2011.der new file mode 100644 index 0000000000000..2787083e0cb61 Binary files /dev/null and b/UefiPayloadPkg/EnrollDefaultKeys/keys/kek_microsoft_2011.der differ diff --git a/UefiPayloadPkg/EnrollDefaultKeys/keys/kek_microsoft_2023.der b/UefiPayloadPkg/EnrollDefaultKeys/keys/kek_microsoft_2023.der new file mode 100644 index 0000000000000..e6ffb4f975fae Binary files /dev/null and b/UefiPayloadPkg/EnrollDefaultKeys/keys/kek_microsoft_2023.der differ diff --git a/UefiPayloadPkg/EnrollDefaultKeys/keys/kek_microsoft_uefi_2023.der b/UefiPayloadPkg/EnrollDefaultKeys/keys/kek_microsoft_uefi_2023.der new file mode 100644 index 0000000000000..bfdda98f6df3e Binary files /dev/null and b/UefiPayloadPkg/EnrollDefaultKeys/keys/kek_microsoft_uefi_2023.der differ diff --git a/UefiPayloadPkg/EnrollDefaultKeys/keys/pk_microsoft_oem_2023.der b/UefiPayloadPkg/EnrollDefaultKeys/keys/pk_microsoft_oem_2023.der new file mode 100644 index 0000000000000..0154225b71997 Binary files /dev/null and b/UefiPayloadPkg/EnrollDefaultKeys/keys/pk_microsoft_oem_2023.der differ diff --git a/UefiPayloadPkg/SmmStoreFvb/SmmStoreFvbRuntimeDxe.c b/UefiPayloadPkg/SmmStoreFvb/SmmStoreFvbRuntimeDxe.c index 14d4ec324d08c..f80af6a6fb545 100644 --- a/UefiPayloadPkg/SmmStoreFvb/SmmStoreFvbRuntimeDxe.c +++ b/UefiPayloadPkg/SmmStoreFvb/SmmStoreFvbRuntimeDxe.c @@ -162,7 +162,11 @@ InitializeFvAndVariableStoreHeaders ( // VARIABLE_STORE_HEADER // VariableStoreHeader = (VARIABLE_STORE_HEADER *)((UINTN)Headers + FirmwareVolumeHeader->HeaderLength); - CopyGuid (&VariableStoreHeader->Signature, &gEfiVariableGuid); + // + // Should be gEfiVariableGuid as SMM doesn't authenticate, but userspace does + // Must be gEfiAuthenticatedVariableGuid for SecureBoot + // + CopyGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid); VariableStoreHeader->Size = PcdGet32 (PcdFlashNvStorageVariableSize) - FirmwareVolumeHeader->HeaderLength; VariableStoreHeader->Format = VARIABLE_STORE_FORMATTED; VariableStoreHeader->State = VARIABLE_STORE_HEALTHY; diff --git a/UefiPayloadPkg/UefiPayloadPkg.dec b/UefiPayloadPkg/UefiPayloadPkg.dec index 7c5723bd17569..0427554ec24da 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dec +++ b/UefiPayloadPkg/UefiPayloadPkg.dec @@ -53,6 +53,18 @@ gEfiSmmStoreInfoHobGuid = { 0xf585ca19, 0x881b, 0x44fb, { 0x3f, 0x3d, 0x81, 0x89, 0x7c, 0x57, 0xbb, 0x01 } } + # Secure Boot keys and owners + gMicrosoftVendorGuid = { 0x77fa9abd, 0x0359, 0x4d32, { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b } } + gMicrosoftDbxUpdateGuid = { 0x4e52dd60, 0xd79e, 0x42c5, { 0x83, 0x37, 0x08, 0x92, 0x32, 0xea, 0x5c, 0x87 } } + gMicrosoftDbUefi2011Guid = { 0x73282f84, 0x7909, 0x4e87, { 0xad, 0xf0, 0x84, 0x5d, 0x5d, 0xa3, 0x35, 0xab } } + gMicrosoftDbWin2011Guid = { 0x9b29f606, 0x5102, 0x4de1, { 0xa8, 0x8a, 0xff, 0x62, 0x10, 0xbd, 0x8b, 0x65 } } + gMicrosoftDbUefi2023Guid = { 0xc7769261, 0xfe8d, 0x4e15, { 0xb3, 0x34, 0xca, 0xdf, 0x43, 0x64, 0xad, 0x92 } } + gMicrosoftDbWinUefi2023Guid = { 0x4ac66f32, 0x6895, 0x46fc, { 0xad, 0x00, 0xf1, 0xc8, 0x1d, 0x06, 0xc6, 0x68 } } + gMicrosoftKek2011Guid = { 0x73f89874, 0xb2ec, 0x4c28, { 0xa7, 0xe3, 0x7d, 0x80, 0x30, 0x13, 0x4e, 0x0b } } + gMicrosoftKek2023Guid = { 0xcce7d8e7, 0xaae8, 0x4697, { 0xb5, 0xc0, 0xef, 0x35, 0xa9, 0x2a, 0x05, 0x9f } } + gMicrosoftKekUefi2023Guid = { 0xf5a81b7b, 0x419a, 0x4a92, { 0x82, 0x12, 0x1c, 0x36, 0x9b, 0xcb, 0xe2, 0xcb } } + gMicrosoftPkOem2023Guid = { 0x701649dd, 0x8739, 0x40b9, { 0xbb, 0xdb, 0x9c, 0xa4, 0x34, 0xfd, 0xcd, 0x3b } } + [Ppis] gEfiPayLoadHobBasePpiGuid = { 0xdbe23aa1, 0xa342, 0x4b97, {0x85, 0xb6, 0xb2, 0x26, 0xf1, 0x61, 0x73, 0x89} } diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc index 6ed59ce444d13..4f29b93eec474 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -399,6 +399,22 @@ PerformanceLib|MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf + + # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf +!else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif + + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + [LibraryClasses.common.DXE_DRIVER] PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf @@ -417,6 +433,24 @@ PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf + + # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf +!else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif + + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + RngLib|MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf + + [LibraryClasses.common.DXE_RUNTIME_DRIVER] !if $(SECURE_BOOT_ENABLE) == TRUE BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf @@ -429,6 +463,18 @@ PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf + + # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf +!else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif + [LibraryClasses.common.UEFI_DRIVER,LibraryClasses.common.UEFI_APPLICATION] PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf @@ -762,6 +808,7 @@ !if $(SECURE_BOOT_ENABLE) == TRUE SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf + UefiPayloadPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf !endif UefiCpuPkg/CpuDxe/CpuDxe.inf diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf index de28cbb5ae5ae..652e71f7794f4 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.fdf +++ b/UefiPayloadPkg/UefiPayloadPkg.fdf @@ -215,6 +215,52 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf !if $(UNIVERSAL_PAYLOAD) == FALSE !if $(SECURE_BOOT_ENABLE) == TRUE INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf + INF UefiPayloadPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf + + FILE FREEFORM = 4e52dd60-d79e-42c5-8337-089232ea5c87 { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/dbx_microsoft_update.bin + SECTION UI = "Microsoft Corporation DBX Update" + } + + FILE FREEFORM = 73282f84-7909-4e87-adf0-845d5da335ab { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_uefi_2011.der + SECTION UI = "Microsoft Corporation DB UEFI 2011" + } + + FILE FREEFORM = 9b29f606-5102-4de1-a88a-ff6210bd8b65 { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_win_2011.der + SECTION UI = "Microsoft Corporation DB Windows 2011" + } + + FILE FREEFORM = c7769261-fe8d-4e15-b334-cadf4364ad92 { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_uefi_2023.der + SECTION UI = "Microsoft Corporation DB UEFI 2023" + } + + FILE FREEFORM = 4ac66f32-6895-46fc-ad00-f1c81d06c668 { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_win_uefi_2023.der + SECTION UI = "Microsoft Corporation DB Windows UEFI 2023" + } + + FILE FREEFORM = 73f89874-b2ec-4c28-a7e3-7d8030134e0b { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/kek_microsoft_2011.der + SECTION UI = "Microsoft Corporation KEK CA 2011" + } + + FILE FREEFORM = cce7d8e7-aae8-4697-b5c0-ef35a92a059f { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/kek_microsoft_2023.der + SECTION UI = "Microsoft Corporation KEK CA 2023" + } + + FILE FREEFORM = f5a81b7b-419a-4a92-8212-1c369bcbe2cb { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/kek_microsoft_uefi_2023.der + SECTION UI = "Microsoft Corporation UEFI KEK CA 2023" + } + + FILE FREEFORM = 701649dd-8739-40b9-bbdb-9ca434fdcd3b { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/pk_microsoft_oem_2023.der + SECTION UI = "Microsoft Corporation OEM PK 2023" + } !endif !endif @@ -369,6 +415,52 @@ READ_LOCK_CAP = TRUE READ_LOCK_STATUS = TRUE INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +INF UefiPayloadPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf + +FILE FREEFORM = 4e52dd60-d79e-42c5-8337-089232ea5c87 { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/dbx_microsoft_update.bin + SECTION UI = "Microsoft Corporation DBX Update" +} + +FILE FREEFORM = 73282f84-7909-4e87-adf0-845d5da335ab { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_uefi_2011.der + SECTION UI = "Microsoft Corporation DB UEFI 2011" +} + +FILE FREEFORM = 9b29f606-5102-4de1-a88a-ff6210bd8b65 { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_win_2011.der + SECTION UI = "Microsoft Corporation DB Windows 2011" +} + +FILE FREEFORM = c7769261-fe8d-4e15-b334-cadf4364ad92 { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_uefi_2023.der + SECTION UI = "Microsoft Corporation DB UEFI 2023" +} + +FILE FREEFORM = 4ac66f32-6895-46fc-ad00-f1c81d06c668 { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/db_microsoft_win_uefi_2023.der + SECTION UI = "Microsoft Corporation DB Windows UEFI 2023" +} + +FILE FREEFORM = 73f89874-b2ec-4c28-a7e3-7d8030134e0b { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/kek_microsoft_2011.der + SECTION UI = "Microsoft Corporation KEK CA 2011" +} + +FILE FREEFORM = cce7d8e7-aae8-4697-b5c0-ef35a92a059f { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/kek_microsoft_2023.der + SECTION UI = "Microsoft Corporation KEK CA 2023" +} + +FILE FREEFORM = f5a81b7b-419a-4a92-8212-1c369bcbe2cb { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/kek_microsoft_uefi_2023.der + SECTION UI = "Microsoft Corporation UEFI KEK CA 2023" +} + +FILE FREEFORM = 701649dd-8739-40b9-bbdb-9ca434fdcd3b { + SECTION RAW = UefiPayloadPkg/EnrollDefaultKeys/keys/pk_microsoft_oem_2023.der + SECTION UI = "Microsoft Corporation OEM PK 2023" +} !endif !endif