author Ricardo Neri <ricardo.neri-calderon@linux.intel.com> 2019-07-29 19:59:15 -0400
committer Richard Purdie <richard.purdie@linuxfoundation.org> 2019-08-12 16:23:57 +0100
commit bc59000e77b08d50d5dca3f38f8e52c9b6796304
tree f112b334077ea81ba20b6c2b295dbbff4891c613 /meta/recipes-core/ovmf
parent b2dd0b1c7c75522f9bef63160d921585c2e4300b
ovmf: Update to version edk2-stable201905
Fixes [YOCTO #13438]

Update OVMF to edk2-stable201905. Since the last update, several things have changed. Many of the patches we were carrying have now been taken upstream in EDK2 or become obsolete. See below for details.

Also, as of commit 0c1ffb9504c3("CryptoPkg: Adding OpenSSL as one submodule of EDKII repo"), openssl is not embedded into EDK2 using a patching script but a git submodule. Then, use the gitsm bitbake fetcher and drop the extra SRC_URI from openssl when building with secureboot enabled. Also remove all related variables.

OVMF switched to BSD+Patent license as detailed in https://bugzilla.tianocore.org/show_bug.cgi?id=1373. Hence, update LIC_FILES_CHKSUM accordingly to reflect this change.

Patches are updated as follows:

Drop 0001-ia32-Dont-use-pie.patch as it is implemented in upstream EDK2 in commits 11d0cd23dd1b ("BaseTools/tools_def IA32: drop -no-pie linker option for GCC49") and c25d3905523a ("BaseTools/tools_def IA32: disable PIE code generation explicitly") for the applicable GCC versions.

Rebase 0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch to edk2-stable201905.

Drop VfrCompile-increase-path-length-limit.patch as it has been taken upstream in EDK2 in commit ba78032bc8c9f("BaseTools/VfrCompile: Remove the MAX_PATH limitation").

Rebase no-stack-protector-all-archs.patch to keep behavior on not using stack protector on all archs.

Drop 0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch, 0002-BaseTools-header.makefile-add-Wno-restrict.patch, and 0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch. These patches have been taken in upstream EDK2 in commits 9222154ae7b3("BaseTools/header.makefile: add "-Wno-restrict"), 1d212a83df0e("BaseTools/header.makefile: add "-Wno-stringop-truncation"), and 777f4aa083e9 ("BaseTools/header.makefile: revert gcc-8 '-Wno-xxx' options on OSX"), respectively.

Also, drop 0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch. GenVtf has been removed from EDK2 in commit 64ab2c82e8f6("BaseTools: Remove GenVtf"). Also, this patch had been taken in EDK2 upstream in commit 9de306701312("BaseTools/GenVtf: silence false 'stringop-overflow' warning with memcpy()").

Drop patch 0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch as it also has been taken by EDK2.

Patches 0002-ovmf-update-path-to-native-BaseTools.patch and 0004-ovmf-enable-long-path-file.patch did not need any update.

Lastly, add a needed dependency on bc.

Cc: Ross Burton <ross.burton@intel.com>
Cc: Patrick Ohly <patrick.ohly@intel.com>
(From OE-Core rev: 1f64ecf92fa77b682b18efe72fb6b27ff64ee052)
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/ovmf')
-rw-r--r-- meta/recipes-core/ovmf/ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch 71
-rw-r--r-- meta/recipes-core/ovmf/ovmf/0001-ia32-Dont-use-pie.patch 46
-rw-r--r-- meta/recipes-core/ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch 102
-rw-r--r-- meta/recipes-core/ovmf/ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch 53
-rw-r--r-- meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch 33
-rw-r--r-- meta/recipes-core/ovmf/ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch 66
-rw-r--r-- meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch 1124
-rw-r--r-- meta/recipes-core/ovmf/ovmf/no-stack-protector-all-archs.patch 26
-rw-r--r-- meta/recipes-core/ovmf/ovmf_git.bb 28
9 files changed, 47 insertions, 1502 deletions
diff --git a/meta/recipes-core/ovmf/ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch b/meta/recipes-core/ovmf/ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch
deleted file mode 100644
index 342fcc6231..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch
+++ /dev/null
@@ -1,71 +0,0 @@
1From 9fce4bab014b9aa618060eba13d6dd04b0fa1b70 Mon Sep 17 00:00:00 2001
2From: Laszlo Ersek <lersek@redhat.com>
3Date: Fri, 2 Mar 2018 17:11:52 +0100
4Subject: [PATCH 1/4] BaseTools/header.makefile: add "-Wno-stringop-truncation"
5
6gcc-8 (which is part of Fedora 28) enables the new warning
7"-Wstringop-truncation" in "-Wall". This warning is documented in detail
8at <https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html>; the
9introduction says
10
11> Warn for calls to bounded string manipulation functions such as strncat,
12> strncpy, and stpncpy that may either truncate the copied string or leave
13> the destination unchanged.
14
15It breaks the BaseTools build with:
16
17> EfiUtilityMsgs.c: In function 'PrintMessage':
18> EfiUtilityMsgs.c:484:9: error: 'strncat' output may be truncated copying
19> between 0 and 511 bytes from a string of length 511
20> [-Werror=stringop-truncation]
21> strncat (Line, Line2, MAX_LINE_LEN - strlen (Line) - 1);
22> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
23> EfiUtilityMsgs.c:469:9: error: 'strncat' output may be truncated copying
24> between 0 and 511 bytes from a string of length 511
25> [-Werror=stringop-truncation]
26> strncat (Line, Line2, MAX_LINE_LEN - strlen (Line) - 1);
27> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
28> EfiUtilityMsgs.c:511:5: error: 'strncat' output may be truncated copying
29> between 0 and 511 bytes from a string of length 511
30> [-Werror=stringop-truncation]
31> strncat (Line, Line2, MAX_LINE_LEN - strlen (Line) - 1);
32> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
33
34The right way to fix the warning would be to implement string concat with
35snprintf(). However, Microsoft does not appear to support snprintf()
36before VS2015
37<https://stackoverflow.com/questions/2915672/snprintf-and-visual-studio-2010>,
38so we just have to shut up the warning. The strncat() calls flagged above
39are valid BTW.
40
41Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
42Cc: Cole Robinson <crobinso@redhat.com>
43Cc: Liming Gao <liming.gao@intel.com>
44Cc: Paolo Bonzini <pbonzini@redhat.com>
45Cc: Yonghong Zhu <yonghong.zhu@intel.com>
46Contributed-under: TianoCore Contribution Agreement 1.1
47Signed-off-by: Laszlo Ersek <lersek@redhat.com>
48Reviewed-by: Liming Gao <liming.gao@intel.com>
49---
50Signed-off-by: Khem Raj <raj.khem@gmail.com>
51Upstream-Status: Backport
52
53 BaseTools/Source/C/Makefiles/header.makefile | 4 ++--
54 1 file changed, 2 insertions(+), 2 deletions(-)
55
56Index: git/BaseTools/Source/C/Makefiles/header.makefile
57===================================================================
58--- git.orig/BaseTools/Source/C/Makefiles/header.makefile
59+++ git/BaseTools/Source/C/Makefiles/header.makefile
60@@ -47,9 +47,9 @@ INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT)
61 BUILD_CPPFLAGS += $(INCLUDE) -O2
62 ifeq ($(DARWIN),Darwin)
63 # assume clang or clang compatible flags on OS X
64-BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g
65+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-self-assign -Wno-unused-result -nostdlib -c -g
66 else
67-BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-unused-result -nostdlib -c -g
68+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-unused-result -nostdlib -c -g
69 endif
70 BUILD_LFLAGS = $(LDFLAGS)
71 BUILD_CXXFLAGS += -Wno-unused-result
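Review bot: dropping this backport leaves -Wstringop-truncation disabled for every BaseTools C source, because the flag sits in the global BUILD_CFLAGS, while the patch text itself says only the three strncat() calls in EfiUtilityMsgs.c were flagged and that the proper fix would be snprintf()-based concatenation. That trade-off is now upstream's, per the commit message's reference to 1d212a83df0e, but the recipe should be checked to confirm the pinned revision really contains that commit. The context lines of the rebased 0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch (`-Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \`) suggest that it does.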
diff --git a/meta/recipes-core/ovmf/ovmf/0001-ia32-Dont-use-pie.patch b/meta/recipes-core/ovmf/ovmf/0001-ia32-Dont-use-pie.patch
deleted file mode 100644
index 5bb418b954..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0001-ia32-Dont-use-pie.patch
+++ /dev/null
@@ -1,46 +0,0 @@
1From f65e9cc025278387b494c2383c5d9ff3bed98687 Mon Sep 17 00:00:00 2001
2From: Khem Raj <raj.khem@gmail.com>
3Date: Sun, 11 Jun 2017 00:47:24 -0700
4Subject: [PATCH] ia32: Dont use -pie
5
6Upstream-Status: Pending
7
8Signed-off-by: Khem Raj <raj.khem@gmail.com>
9---
10 BaseTools/Conf/tools_def.template | 4 ++--
11 1 file changed, 2 insertions(+), 2 deletions(-)
12
13Index: git/BaseTools/Conf/tools_def.template
14===================================================================
15--- git.orig/BaseTools/Conf/tools_def.template
16+++ git/BaseTools/Conf/tools_def.template
17@@ -4336,7 +4336,7 @@ RELEASE_*_*_OBJCOPY_ADDDEBUGFLAG =
18 NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG = --add-gnu-debuglink=$(DEBUG_DIR)/$(MODULE_NAME).debug
19
20 DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -include AutoGen.h -fno-common
21-DEFINE GCC_IA32_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -m32 -malign-double -freorder-blocks -freorder-blocks-and-partition -O2 -mno-stack-arg-probe
22+DEFINE GCC_IA32_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -m32 -malign-double -freorder-blocks -freorder-blocks-and-partition -O2 -mno-stack-arg-probe -fno-PIE -no-pie
23 DEFINE GCC_X64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mno-red-zone -Wno-address -mno-stack-arg-probe
24 DEFINE GCC_IPF_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -minline-int-divide-min-latency
25 DEFINE GCC_ARM_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -mfloat-abi=soft -fno-pic -fno-pie
26@@ -4369,9 +4369,9 @@ DEFINE GCC_ARM_RC_FLAGS = -I
27 DEFINE GCC_AARCH64_RC_FLAGS = -I binary -O elf64-littleaarch64 -B aarch64 --rename-section .data=.hii
28
29 DEFINE GCC44_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
30-DEFINE GCC44_IA32_CC_FLAGS = DEF(GCC44_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables
31+DEFINE GCC44_IA32_CC_FLAGS = DEF(GCC44_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -fno-PIE -no-pie
32 DEFINE GCC44_X64_CC_FLAGS = DEF(GCC44_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables
33-DEFINE GCC44_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20
34+DEFINE GCC44_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20 -no-pie
35 DEFINE GCC44_IA32_X64_ASLDLINK_FLAGS = DEF(GCC44_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable
36 DEFINE GCC44_IA32_X64_DLINK_FLAGS = DEF(GCC44_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map
37 DEFINE GCC44_IA32_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON)
38@@ -4451,7 +4451,7 @@ DEFINE GCC48_AARCH64_ASLDLINK_FLAGS = D
39
40 DEFINE GCC49_IA32_CC_FLAGS = DEF(GCC48_IA32_CC_FLAGS)
41 DEFINE GCC49_X64_CC_FLAGS = DEF(GCC48_X64_CC_FLAGS)
42-DEFINE GCC49_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x40
43+DEFINE GCC49_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x40 -no-pie
44 DEFINE GCC49_IA32_X64_ASLDLINK_FLAGS = DEF(GCC49_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable
45 DEFINE GCC49_IA32_X64_DLINK_FLAGS = DEF(GCC49_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map
46 DEFINE GCC49_IA32_DLINK2_FLAGS = DEF(GCC48_IA32_DLINK2_FLAGS)
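Review bot: the removed patch touched more than the IA32 compiler flags: it also appended -no-pie to GCC44_IA32_X64_DLINK_COMMON and GCC49_IA32_X64_DLINK_COMMON, which by their names feed both the IA32 and the X64 link lines. The commit message cites only upstream commits titled "BaseTools/tools_def IA32: ...", so please confirm that X64 links still succeed without this patch when the compiler defaults to PIE, and that the toolchain tag the recipe builds with is one of the "applicable GCC versions" the message mentions. The patch was carried as Upstream-Status: Pending with an empty description, so the commit message here is the only record of why it existed.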
diff --git a/meta/recipes-core/ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch b/meta/recipes-core/ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch
deleted file mode 100644
index a076665c33..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch
+++ /dev/null
@@ -1,102 +0,0 @@
1From 86dbdac5a25bd23deb4a0e0a97b527407e02184d Mon Sep 17 00:00:00 2001
2From: Laszlo Ersek <lersek@redhat.com>
3Date: Fri, 2 Mar 2018 17:11:52 +0100
4Subject: [PATCH 2/4] BaseTools/header.makefile: add "-Wno-restrict"
5
6gcc-8 (which is part of Fedora 28) enables the new warning
7"-Wrestrict" in "-Wall". This warning is documented in detail
8at <https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html>; the
9introduction says
10
11> Warn when an object referenced by a restrict-qualified parameter (or, in
12> C++, a __restrict-qualified parameter) is aliased by another argument,
13> or when copies between such objects overlap.
14
15It breaks the BaseTools build (in the Brotli compression library) with:
16
17> In function 'ProcessCommandsInternal',
18> inlined from 'ProcessCommands' at dec/decode.c:1828:10:
19> dec/decode.c:1781:9: error: 'memcpy' accessing between 17 and 2147483631
20> bytes at offsets 16 and 16 overlaps between 17 and 2147483631 bytes at
21> offset 16 [-Werror=restrict]
22> memcpy(copy_dst + 16, copy_src + 16, (size_t)(i - 16));
23> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
24> In function 'ProcessCommandsInternal',
25> inlined from 'SafeProcessCommands' at dec/decode.c:1833:10:
26> dec/decode.c:1781:9: error: 'memcpy' accessing between 17 and 2147483631
27> bytes at offsets 16 and 16 overlaps between 17 and 2147483631 bytes at
28> offset 16 [-Werror=restrict]
29> memcpy(copy_dst + 16, copy_src + 16, (size_t)(i - 16));
30> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
31
32Paolo Bonzini <pbonzini@redhat.com> analyzed the Brotli source in detail,
33and concluded that the warning is a false positive:
34
35> This seems safe to me, because it's preceded by:
36>
37> uint8_t* copy_dst = &s->ringbuffer[pos];
38> uint8_t* copy_src = &s->ringbuffer[src_start];
39> int dst_end = pos + i;
40> int src_end = src_start + i;
41> if (src_end > pos && dst_end > src_start) {
42> /* Regions intersect. */
43> goto CommandPostWrapCopy;
44> }
45>
46> If [src_start, src_start + i) and [pos, pos + i) don't intersect, then
47> neither do [src_start + 16, src_start + i) and [pos + 16, pos + i).
48>
49> The if seems okay:
50>
51> (src_start + i > pos && pos + i > src_start)
52>
53> which can be rewritten to:
54>
55> (pos < src_start + i && src_start < pos + i)
56>
57> Then the numbers are in one of these two orders:
58>
59> pos <= src_start < pos + i <= src_start + i
60> src_start <= pos < src_start + i <= pos + i
61>
62> These two would be allowed by the "if", but they can only happen if pos
63> == src_start so they degenerate to the same two orders above:
64>
65> pos <= src_start < src_start + i <= pos + i
66> src_start <= pos < pos + i <= src_start + i
67>
68> So it is a false positive in GCC.
69
70Disable the warning for now.
71
72Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
73Cc: Cole Robinson <crobinso@redhat.com>
74Cc: Liming Gao <liming.gao@intel.com>
75Cc: Paolo Bonzini <pbonzini@redhat.com>
76Cc: Yonghong Zhu <yonghong.zhu@intel.com>
77Reported-by: Cole Robinson <crobinso@redhat.com>
78Contributed-under: TianoCore Contribution Agreement 1.1
79Signed-off-by: Laszlo Ersek <lersek@redhat.com>
80Reviewed-by: Liming Gao <liming.gao@intel.com>
81---
82Signed-off-by: Khem Raj <raj.khem@gmail.com>
83Upstream-Status: Backport
84 BaseTools/Source/C/Makefiles/header.makefile | 4 ++--
85 1 file changed, 2 insertions(+), 2 deletions(-)
86
87Index: git/BaseTools/Source/C/Makefiles/header.makefile
88===================================================================
89--- git.orig/BaseTools/Source/C/Makefiles/header.makefile
90+++ git/BaseTools/Source/C/Makefiles/header.makefile
91@@ -47,9 +47,9 @@ INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT)
92 BUILD_CPPFLAGS += $(INCLUDE) -O2
93 ifeq ($(DARWIN),Darwin)
94 # assume clang or clang compatible flags on OS X
95-BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-self-assign -Wno-unused-result -nostdlib -c -g
96+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-self-assign -Wno-unused-result -nostdlib -c -g
97 else
98-BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-unused-result -nostdlib -c -g
99+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-unused-result -nostdlib -c -g
100 endif
101 BUILD_LFLAGS = $(LDFLAGS)
102 BUILD_CXXFLAGS += -Wno-unused-result
diff --git a/meta/recipes-core/ovmf/ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch b/meta/recipes-core/ovmf/ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch
deleted file mode 100644
index 920723e326..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch
+++ /dev/null
@@ -1,53 +0,0 @@
1From 6866325dd9c17412e555974dde41f9631224db52 Mon Sep 17 00:00:00 2001
2From: Laszlo Ersek <lersek@redhat.com>
3Date: Wed, 7 Mar 2018 10:17:28 +0100
4Subject: [PATCH 3/4] BaseTools/header.makefile: revert gcc-8 "-Wno-xxx"
5 options on OSX
6
7I recently added the gcc-8 specific "-Wno-stringop-truncation" and
8"-Wno-restrict" options to BUILD_CFLAGS, both for "Darwin" (XCODE5 /
9clang, OSX) and otherwise (gcc, Linux / Cygwin).
10
11I also regression-tested the change with gcc-4.8 on Linux -- gcc-4.8 does
12not know either of the (gcc-8 specific) "-Wno-stringop-truncation" and
13"-Wno-restrict" options, yet the build completed fine (by GCC design).
14
15Regarding OSX, my expectation was that
16
17- XCODE5 / clang would either recognize these warnings options (because
18 clang does recognize most -W options of gcc),
19
20- or, similarly to gcc, clang would simply ignore the "-Wno-xxx" flags
21 that it didn't recognize.
22
23Neither is the case; the new flags have broken the BaseTools build on OSX.
24Revert them (for OSX only).
25
26Cc: Liming Gao <liming.gao@intel.com>
27Cc: Yonghong Zhu <yonghong.zhu@intel.com>
28Reported-by: Liming Gao <liming.gao@intel.com>
29Fixes: 1d212a83df0eaf32a6f5d4159beb2d77832e0231
30Fixes: 9222154ae7b3eef75ae88cdb56158256227cb929
31Contributed-under: TianoCore Contribution Agreement 1.1
32Signed-off-by: Laszlo Ersek <lersek@redhat.com>
33Reviewed-by: Liming Gao <liming.gao@intel.com>
34Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
35---
36Signed-off-by: Khem Raj <raj.khem@gmail.com>
37Upstream-Status: Backport
38 BaseTools/Source/C/Makefiles/header.makefile | 2 +-
39 1 file changed, 1 insertion(+), 1 deletion(-)
40
41Index: git/BaseTools/Source/C/Makefiles/header.makefile
42===================================================================
43--- git.orig/BaseTools/Source/C/Makefiles/header.makefile
44+++ git/BaseTools/Source/C/Makefiles/header.makefile
45@@ -47,7 +47,7 @@ INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT)
46 BUILD_CPPFLAGS += $(INCLUDE) -O2
47 ifeq ($(DARWIN),Darwin)
48 # assume clang or clang compatible flags on OS X
49-BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-self-assign -Wno-unused-result -nostdlib -c -g
50+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g
51 else
52 BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-unused-result -nostdlib -c -g
53 endif
diff --git a/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch b/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
index 65b5c16dcb..070b0ac5a6 100644
--- a/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
+++ b/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
@@ -1,6 +1,6 @@
1From 2320650c6d381b914fe91b2dedaa5870279a8bcf Mon Sep 17 00:00:00 2001 1From 2320650c6d381b914fe91b2dedaa5870279a8bcf Mon Sep 17 00:00:00 2001
2From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com> 2From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
3Date: Sun, 27 Nov 2016 18:42:55 -0800 3Date: Fri, 26 Jul 2019 17:34:26 -0400
4Subject: [PATCH] BaseTools: makefile: adjust to build in under bitbake 4Subject: [PATCH] BaseTools: makefile: adjust to build in under bitbake
5 5
6Prepend the build flags with those of bitbake. This is to build 6Prepend the build flags with those of bitbake. This is to build
@@ -9,31 +9,42 @@ using the bitbake native sysroot include and library directories.
9Signed-off-by: Ricardo Neri <ricardo.neri@linux.intel.com> 9Signed-off-by: Ricardo Neri <ricardo.neri@linux.intel.com>
10Upstream-Status: Pending 10Upstream-Status: Pending
11--- 11---
12 BaseTools/Source/C/Makefiles/header.makefile | 8 ++++---- 12 BaseTools/Source/C/Makefiles/header.makefile | 10 +++++-----
13 1 file changed, 4 insertions(+), 4 deletions(-) 13 1 file changed, 5 insertions(+), 5 deletions(-)
14 14
15Index: git/BaseTools/Source/C/Makefiles/header.makefile 15Index: git/BaseTools/Source/C/Makefiles/header.makefile
16=================================================================== 16===================================================================
17--- git.orig/BaseTools/Source/C/Makefiles/header.makefile 17--- git.orig/BaseTools/Source/C/Makefiles/header.makefile
18+++ git/BaseTools/Source/C/Makefiles/header.makefile 18+++ git/BaseTools/Source/C/Makefiles/header.makefile
19@@ -44,15 +44,15 @@ ARCH_INCLUDE = -I $(MAKEROOT)/Include/AA 19@@ -62,23 +62,23 @@ $(error Bad HOST_ARCH)
20 endif 20 endif
21 21
22 INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT) -I $(MAKEROOT)/Include/Common -I $(MAKEROOT)/Include/ -I $(MAKEROOT)/Include/IndustryStandard -I $(MAKEROOT)/Common/ -I .. -I . $(ARCH_INCLUDE) 22 INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT) -I $(MAKEROOT)/Include/Common -I $(MAKEROOT)/Include/ -I $(MAKEROOT)/Include/IndustryStandard -I $(MAKEROOT)/Common/ -I .. -I . $(ARCH_INCLUDE)
23-BUILD_CPPFLAGS = $(INCLUDE) -O2 23-BUILD_CPPFLAGS = $(INCLUDE)
24+BUILD_CPPFLAGS += $(INCLUDE) -O2 24+BUILD_CPPFLAGS += $(INCLUDE)
25
26 # keep EXTRA_OPTFLAGS last
27 BUILD_OPTFLAGS = -O2 $(EXTRA_OPTFLAGS)
28
25 ifeq ($(DARWIN),Darwin) 29 ifeq ($(DARWIN),Darwin)
26 # assume clang or clang compatible flags on OS X 30 # assume clang or clang compatible flags on OS X
27-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g 31-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror \
28+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g 32+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror \
33 -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -g
29 else 34 else
30-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-unused-result -nostdlib -c -g 35-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
31+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-unused-result -nostdlib -c -g 36+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
37 -fno-delete-null-pointer-checks -Wall -Werror \
38 -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \
39 -Wno-unused-result -nostdlib -g
32 endif 40 endif
33-BUILD_LFLAGS = 41-BUILD_LFLAGS =
34-BUILD_CXXFLAGS = -Wno-unused-result 42-BUILD_CXXFLAGS = -Wno-unused-result
35+BUILD_LFLAGS = $(LDFLAGS) 43+BUILD_LFLAGS = $(LDFLAGS)
36+BUILD_CXXFLAGS += -Wno-unused-result 44+BUILD_CXXFLAGS += -Wno-unused-result
37 45
38 ifeq ($(ARCH), IA32) 46 ifeq ($(HOST_ARCH), IA32)
39 # 47 #
48--
492.20.1
50
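Review bot: in the rebased hunk BUILD_CPPFLAGS, BUILD_CFLAGS and BUILD_CXXFLAGS become `+=`, but BUILD_LFLAGS is assigned with `= $(LDFLAGS)` and the new upstream `BUILD_OPTFLAGS = -O2 $(EXTRA_OPTFLAGS)` line stays a plain assignment in context, so the description "Prepend the build flags with those of bitbake" holds for three of the five variables only. Please say in the patch description which variables are expected to be pre-set in the environment and why the optimisation flags are left out. With `+=`, anything exported as BUILD_CFLAGS lands before upstream's `-fwrapv` and `-fno-delete-null-pointer-checks -Wall -Werror`, so upstream's options come last on the command line, which is the safer order. Two housekeeping points: the header hunk changes Date: to 2019 while the "From 2320650c..." line is unchanged, and Upstream-Status is still Pending for a patch first dated 2016, so it is worth either submitting it or marking it Inappropriate with a reason.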
diff --git a/meta/recipes-core/ovmf/ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch b/meta/recipes-core/ovmf/ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch
deleted file mode 100644
index 7ad7cdf0ce..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch
+++ /dev/null
@@ -1,66 +0,0 @@
1From dfb42a5bff78d9239a80731e337855234badef3e Mon Sep 17 00:00:00 2001
2From: Laszlo Ersek <lersek@redhat.com>
3Date: Fri, 2 Mar 2018 17:11:52 +0100
4Subject: [PATCH 4/4] BaseTools/GenVtf: silence false "stringop-overflow"
5 warning with memcpy()
6
7gcc-8 (which is part of Fedora 28) enables the new warning
8"-Wstringop-overflow" in "-Wall". This warning is documented in detail at
9<https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html>; the
10introduction says
11
12> Warn for calls to string manipulation functions such as memcpy and
13> strcpy that are determined to overflow the destination buffer.
14
15It breaks the BaseTools build with:
16
17> GenVtf.c: In function 'ConvertVersionInfo':
18> GenVtf.c:132:7: error: 'strncpy' specified bound depends on the length
19> of the source argument [-Werror=stringop-overflow=]
20> strncpy (TemStr + 4 - Length, Str, Length);
21> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
22> GenVtf.c:130:14: note: length computed here
23> Length = strlen(Str);
24> ^~~~~~~~~~~
25
26It is a false positive because, while the bound equals the length of the
27source argument, the destination pointer is moved back towards the
28beginning of the destination buffer by the same amount (and this amount is
29range-checked first, so we can't precede the start of the dest buffer).
30
31Replace both strncpy() calls with memcpy().
32
33Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
34Cc: Cole Robinson <crobinso@redhat.com>
35Cc: Liming Gao <liming.gao@intel.com>
36Cc: Paolo Bonzini <pbonzini@redhat.com>
37Cc: Yonghong Zhu <yonghong.zhu@intel.com>
38Reported-by: Cole Robinson <crobinso@redhat.com>
39Contributed-under: TianoCore Contribution Agreement 1.1
40Signed-off-by: Laszlo Ersek <lersek@redhat.com>
41Reviewed-by: Liming Gao <liming.gao@intel.com>
42---
43Signed-off-by: Khem Raj <raj.khem@gmail.com>
44Upstream-Status: Backport
45 BaseTools/Source/C/GenVtf/GenVtf.c | 4 ++--
46 1 file changed, 2 insertions(+), 2 deletions(-)
47
48diff --git a/BaseTools/Source/C/GenVtf/GenVtf.c b/BaseTools/Source/C/GenVtf/GenVtf.c
49index 2ae9a7be2c..0cd33e71e9 100644
50--- a/BaseTools/Source/C/GenVtf/GenVtf.c
51+++ b/BaseTools/Source/C/GenVtf/GenVtf.c
52@@ -129,9 +129,9 @@ Returns:
53 } else {
54 Length = strlen(Str);
55 if (Length < 4) {
56- strncpy (TemStr + 4 - Length, Str, Length);
57+ memcpy (TemStr + 4 - Length, Str, Length);
58 } else {
59- strncpy (TemStr, Str + Length - 4, 4);
60+ memcpy (TemStr, Str + Length - 4, 4);
61 }
62
63 sscanf (
64--
652.17.0
66
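Review bot: make sure the ovmf_git.bb part of this commit (28 changed lines per the diffstat) removes the SRC_URI entry for this file and for the other deleted patches, since a file:// entry that points at a removed patch breaks the fetch. The commit message gives two reasons for the drop (GenVtf removed upstream in 64ab2c82e8f6, and the strncpy() to memcpy() change taken upstream in 9de306701312); either is sufficient, and the first means the range-check reasoning in the patch description does not need to be re-verified against the new source.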
diff --git a/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch b/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
deleted file mode 100644
index 3aa6cc4acb..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
+++ /dev/null
@@ -1,1124 +0,0 @@
1From: Laszlo Ersek <lersek@redhat.com>
2Date: Mon, 6 Jul 2015 20:22:02 +0200
3Subject: [PATCH] OvmfPkg: EnrollDefaultKeys: application for enrolling default
4 keys
5
6(A port of the <https://bugzilla.redhat.com/show_bug.cgi?id=1148296> patch
7to Gerd's public RPMs.)
8
9This application is meant to be invoked by the management layer, after
10booting the UEFI shell and getting a shell prompt on the serial console.
11The app enrolls a number of certificates (see below), and then reports
12status to the serial console as well. The expected output is "info:
13success":
14
15> Shell> EnrollDefaultKeys.efi
16> info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
17> info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
18> info: success
19> Shell>
20
21In case of success, the management layer can force off or reboot the VM
22(for example with the "reset -s" or "reset -c" UEFI shell commands,
23respectively), and start the guest installation with SecureBoot enabled.
24
25PK:
26- A unique, static, ad-hoc certificate whose private half has been
27 destroyed (more precisely, never saved) and is therefore unusable for
28 signing. (The command for creating this certificate is saved in the
29 source code.)
30
31KEK:
32- same ad-hoc certificate as used for the PK,
33- "Microsoft Corporation KEK CA 2011" -- the dbx data in Fedora's dbxtool
34 package is signed (indirectly, through a chain) with this; enrolling
35 such a KEK should allow guests to install those updates.
36
37DB:
38- "Microsoft Windows Production PCA 2011" -- to load Windows 8 and Windows
39 Server 2012 R2,
40- "Microsoft Corporation UEFI CA 2011" -- to load Linux and signed PCI
41 oproms.
42
43Contributed-under: TianoCore Contribution Agreement 1.0
44Signed-off-by: Laszlo Ersek <lersek@redhat.com>
45Upstream-Status: Inappropriate [not author]
46Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
47---
48 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 960 ++++++++++++++++++++++++
49 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 51 ++
50 OvmfPkg/OvmfPkgIa32.dsc | 4 +
51 OvmfPkg/OvmfPkgIa32X64.dsc | 4 +
52 OvmfPkg/OvmfPkgX64.dsc | 4 +
53 5 files changed, 1023 insertions(+)
54 create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
55 create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
56
57diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
58new file mode 100644
59index 0000000..081212b
60--- /dev/null
61+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
62@@ -0,0 +1,960 @@
63+/** @file
64+ Enroll default PK, KEK, DB.
65+
66+ Copyright (C) 2014, Red Hat, Inc.
67+
68+ This program and the accompanying materials are licensed and made available
69+ under the terms and conditions of the BSD License which accompanies this
70+ distribution. The full text of the license may be found at
71+ http://opensource.org/licenses/bsd-license.
72+
73+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
74+ WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
75+**/
76+#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid
77+#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME
78+#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE
79+#include <Library/BaseMemoryLib.h> // CopyGuid()
80+#include <Library/DebugLib.h> // ASSERT()
81+#include <Library/MemoryAllocationLib.h> // FreePool()
82+#include <Library/ShellCEntryLib.h> // ShellAppMain()
83+#include <Library/UefiLib.h> // AsciiPrint()
84+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
85+
86+//
87+// The example self-signed certificate below, which we'll use for both Platform
88+// Key, and first Key Exchange Key, has been generated with the following
89+// non-interactive openssl command. The passphrase is read from /dev/urandom,
90+// and not saved, and the private key is written to /dev/null. In other words,
91+// we can't sign anything else against this certificate, which is our purpose.
92+//
93+/*
94+ openssl req \
95+ -passout file:<(head -c 16 /dev/urandom) \
96+ -x509 \
97+ -newkey rsa:2048 \
98+ -keyout /dev/null \
99+ -outform DER \
100+ -subj $(
101+ printf /C=US
102+ printf /ST=TestStateOrProvince
103+ printf /L=TestLocality
104+ printf /O=TestOrganization
105+ printf /OU=TestOrganizationalUnit
106+ printf /CN=TestCommonName
107+ printf /emailAddress=test@example.com
108+ ) \
109+ 2>/dev/null \
110+ | xxd -i
111+*/
112+STATIC CONST UINT8 ExampleCert[] = {
113+ 0x30, 0x82, 0x04, 0x45, 0x30, 0x82, 0x03, 0x2d, 0xa0, 0x03, 0x02, 0x01, 0x02,
114+ 0x02, 0x09, 0x00, 0xcf, 0x9f, 0x51, 0xa3, 0x07, 0xdb, 0x54, 0xa1, 0x30, 0x0d,
115+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
116+ 0x30, 0x81, 0xb8, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
117+ 0x02, 0x55, 0x53, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
118+ 0x13, 0x54, 0x65, 0x73, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x4f, 0x72, 0x50,
119+ 0x72, 0x6f, 0x76, 0x69, 0x6e, 0x63, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03,
120+ 0x55, 0x04, 0x07, 0x0c, 0x0c, 0x54, 0x65, 0x73, 0x74, 0x4c, 0x6f, 0x63, 0x61,
121+ 0x6c, 0x69, 0x74, 0x79, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a,
122+ 0x0c, 0x10, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a,
123+ 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04,
124+ 0x0b, 0x0c, 0x16, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69,
125+ 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x55, 0x6e, 0x69, 0x74, 0x31,
126+ 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0e, 0x54, 0x65, 0x73,
127+ 0x74, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x31, 0x1f,
128+ 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01,
129+ 0x16, 0x10, 0x74, 0x65, 0x73, 0x74, 0x40, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c,
130+ 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
131+ 0x30, 0x39, 0x31, 0x33, 0x32, 0x38, 0x32, 0x32, 0x5a, 0x17, 0x0d, 0x31, 0x34,
132+ 0x31, 0x31, 0x30, 0x38, 0x31, 0x33, 0x32, 0x38, 0x32, 0x32, 0x5a, 0x30, 0x81,
133+ 0xb8, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
134+ 0x53, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x13, 0x54,
135+ 0x65, 0x73, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x4f, 0x72, 0x50, 0x72, 0x6f,
136+ 0x76, 0x69, 0x6e, 0x63, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04,
137+ 0x07, 0x0c, 0x0c, 0x54, 0x65, 0x73, 0x74, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x69,
138+ 0x74, 0x79, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x10,
139+ 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74,
140+ 0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c,
141+ 0x16, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61,
142+ 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x55, 0x6e, 0x69, 0x74, 0x31, 0x17, 0x30,
143+ 0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0e, 0x54, 0x65, 0x73, 0x74, 0x43,
144+ 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x31, 0x1f, 0x30, 0x1d,
145+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10,
146+ 0x74, 0x65, 0x73, 0x74, 0x40, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e,
147+ 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
148+ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
149+ 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbf, 0xf1, 0xce,
150+ 0x17, 0x32, 0xac, 0xc4, 0x4b, 0xb2, 0xed, 0x84, 0x76, 0xe5, 0xd0, 0xf8, 0x21,
151+ 0xac, 0x10, 0xf8, 0x18, 0x09, 0x0e, 0x07, 0x13, 0x76, 0x21, 0x5c, 0xc4, 0xcc,
152+ 0xd5, 0xe6, 0x25, 0xa7, 0x26, 0x53, 0x79, 0x2f, 0x16, 0x4b, 0x85, 0xbd, 0xae,
153+ 0x42, 0x64, 0x58, 0xcb, 0x5e, 0xe8, 0x6e, 0x5a, 0xd0, 0xc4, 0x0f, 0x38, 0x16,
154+ 0xbe, 0xd3, 0x22, 0xa7, 0x3c, 0x9b, 0x8b, 0x5e, 0xcb, 0x62, 0x35, 0xc5, 0x9b,
155+ 0xe2, 0x8e, 0x4c, 0x65, 0x57, 0x4f, 0xcb, 0x27, 0xad, 0xe7, 0x63, 0xa7, 0x77,
156+ 0x2b, 0xd5, 0x02, 0x42, 0x70, 0x46, 0xac, 0xba, 0xb6, 0x60, 0x57, 0xd9, 0xce,
157+ 0x31, 0xc5, 0x12, 0x03, 0x4a, 0xf7, 0x2a, 0x2b, 0x40, 0x06, 0xb4, 0xdb, 0x31,
158+ 0xb7, 0x83, 0x6c, 0x67, 0x87, 0x98, 0x8b, 0xce, 0x1b, 0x30, 0x7a, 0xfa, 0x35,
159+ 0x6c, 0x86, 0x20, 0x74, 0xc5, 0x7d, 0x32, 0x31, 0x18, 0xeb, 0x69, 0xf7, 0x2d,
160+ 0x20, 0xc4, 0xf0, 0xd2, 0xfa, 0x67, 0x81, 0xc1, 0xbb, 0x23, 0xbb, 0x75, 0x1a,
161+ 0xe4, 0xb4, 0x49, 0x99, 0xdf, 0x12, 0x4c, 0xe3, 0x6d, 0x76, 0x24, 0x85, 0x24,
162+ 0xae, 0x5a, 0x9e, 0xbd, 0x54, 0x1c, 0xf9, 0x0e, 0xed, 0x96, 0xb5, 0xd8, 0xa2,
163+ 0x0d, 0x2a, 0x38, 0x5d, 0x12, 0x97, 0xb0, 0x4d, 0x75, 0x85, 0x1e, 0x47, 0x6d,
164+ 0xe1, 0x25, 0x59, 0xcb, 0xe9, 0x33, 0x86, 0x6a, 0xef, 0x98, 0x24, 0xa0, 0x2b,
165+ 0x02, 0x7b, 0xc0, 0x9f, 0x88, 0x03, 0xb0, 0xbe, 0x22, 0x65, 0x83, 0x77, 0xb3,
166+ 0x30, 0xba, 0xe0, 0x3b, 0x54, 0x31, 0x3a, 0x45, 0x81, 0x9c, 0x48, 0xaf, 0xc1,
167+ 0x11, 0x5b, 0xf2, 0x3a, 0x1e, 0x33, 0x1b, 0x8f, 0x0e, 0x04, 0xa4, 0x16, 0xd4,
168+ 0x6b, 0x57, 0xee, 0xe7, 0xba, 0xf5, 0xee, 0xaf, 0xe2, 0x4c, 0x50, 0xf8, 0x68,
169+ 0x57, 0x88, 0xfb, 0x7f, 0xa3, 0xcf, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x50,
170+ 0x30, 0x4e, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14,
171+ 0x1e, 0x44, 0xe5, 0xef, 0xcd, 0x6e, 0x1f, 0xdb, 0xcb, 0x4f, 0x94, 0x8f, 0xe3,
172+ 0x3b, 0x1a, 0x8c, 0xe6, 0x95, 0x29, 0x61, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d,
173+ 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x1e, 0x44, 0xe5, 0xef, 0xcd, 0x6e,
174+ 0x1f, 0xdb, 0xcb, 0x4f, 0x94, 0x8f, 0xe3, 0x3b, 0x1a, 0x8c, 0xe6, 0x95, 0x29,
175+ 0x61, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
176+ 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
177+ 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x12, 0x9c, 0x3e, 0x38,
178+ 0xfc, 0x26, 0xea, 0x6d, 0xb7, 0x5c, 0x29, 0x3c, 0x76, 0x20, 0x0c, 0xb2, 0xa9,
179+ 0x0f, 0xdf, 0xc0, 0x85, 0xfe, 0xeb, 0xec, 0x1d, 0x5d, 0x73, 0x84, 0xac, 0x8a,
180+ 0xb4, 0x2a, 0x86, 0x38, 0x30, 0xaf, 0xd2, 0x2d, 0x2a, 0xde, 0x54, 0xc8, 0x5c,
181+ 0x29, 0x90, 0x24, 0xf2, 0x39, 0xc1, 0xa5, 0x00, 0xb4, 0xb7, 0xd8, 0xdc, 0x59,
182+ 0x64, 0x50, 0x62, 0x5f, 0x54, 0xf1, 0x73, 0x02, 0x4d, 0x43, 0xc5, 0xc3, 0xc4,
183+ 0x0e, 0x62, 0x60, 0x8c, 0x53, 0x66, 0x57, 0x77, 0xb5, 0x81, 0xda, 0x1f, 0x81,
184+ 0xda, 0xe9, 0xd6, 0x5e, 0x82, 0xce, 0xa7, 0x5c, 0xc0, 0xa6, 0xbe, 0x9c, 0x5c,
185+ 0x7b, 0xa5, 0x15, 0xc8, 0xd7, 0x14, 0x53, 0xd3, 0x5c, 0x1c, 0x9f, 0x8a, 0x9f,
186+ 0x66, 0x15, 0xd5, 0xd3, 0x2a, 0x27, 0x0c, 0xee, 0x9f, 0x80, 0x39, 0x88, 0x7b,
187+ 0x24, 0xde, 0x0c, 0x61, 0xa3, 0x44, 0xd8, 0x8d, 0x2e, 0x79, 0xf8, 0x1e, 0x04,
188+ 0x5a, 0xcb, 0xd6, 0x9c, 0xa3, 0x22, 0x8f, 0x09, 0x32, 0x1e, 0xe1, 0x65, 0x8f,
189+ 0x10, 0x5f, 0xd8, 0x52, 0x56, 0xd5, 0x77, 0xac, 0x58, 0x46, 0x60, 0xba, 0x2e,
190+ 0xe2, 0x3f, 0x58, 0x7d, 0x60, 0xfc, 0x31, 0x4a, 0x3a, 0xaf, 0x61, 0x55, 0x5f,
191+ 0xfb, 0x68, 0x14, 0x74, 0xda, 0xdc, 0x42, 0x78, 0xcc, 0xee, 0xff, 0x5c, 0x03,
192+ 0x24, 0x26, 0x2c, 0xb8, 0x3a, 0x81, 0xad, 0xdb, 0xe7, 0xed, 0xe1, 0x62, 0x84,
193+ 0x07, 0x1a, 0xc8, 0xa4, 0x4e, 0xb0, 0x87, 0xf7, 0x96, 0xd8, 0x33, 0x9b, 0x0d,
194+ 0xa7, 0x77, 0xae, 0x5b, 0xaf, 0xad, 0xe6, 0x5a, 0xc9, 0xfa, 0xa4, 0xe4, 0xe5,
195+ 0x57, 0xbb, 0x97, 0xdd, 0x92, 0x85, 0xd8, 0x03, 0x45, 0xfe, 0xd8, 0x6b, 0xb1,
196+ 0xdb, 0x85, 0x36, 0xb9, 0xd9, 0x28, 0xbf, 0x17, 0xae, 0x11, 0xde, 0x10, 0x19,
197+ 0x26, 0x5b, 0xc0, 0x3d, 0xc7
198+};
199+
200+//
201+// Second KEK: "Microsoft Corporation KEK CA 2011".
202+// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
203+//
204+// "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
205+//
206+STATIC CONST UINT8 MicrosoftKEK[] = {
207+ 0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
208+ 0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
209+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
210+ 0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
211+ 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
212+ 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
213+ 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
214+ 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
215+ 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
216+ 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
217+ 0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
218+ 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
219+ 0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
220+ 0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
221+ 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
222+ 0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32,
223+ 0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, 0x30,
224+ 0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
225+ 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
226+ 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
227+ 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
228+ 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
229+ 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
230+ 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06,
231+ 0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
232+ 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
233+ 0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31,
234+ 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
235+ 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
236+ 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, 0xad,
237+ 0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, 0x5d,
238+ 0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, 0xeb,
239+ 0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, 0xe3,
240+ 0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, 0x9b,
241+ 0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, 0xac,
242+ 0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, 0xc8,
243+ 0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, 0xc0,
244+ 0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, 0xe2,
245+ 0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, 0x89,
246+ 0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, 0xc2,
247+ 0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, 0x03,
248+ 0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, 0x7e,
249+ 0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, 0xeb,
250+ 0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, 0x2f,
251+ 0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, 0xaa,
252+ 0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, 0x9f,
253+ 0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, 0xc6,
254+ 0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, 0xaf,
255+ 0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, 0x07,
256+ 0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, 0x30,
257+ 0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
258+ 0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,
259+ 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, 0xa4,
260+ 0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, 0x5f,
261+ 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02,
262+ 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
263+ 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01,
264+ 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
265+ 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
266+ 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, 0x11,
267+ 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, 0x30,
268+ 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, 0xa0,
269+ 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
270+ 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e,
271+ 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70,
272+ 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f,
273+ 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f,
274+ 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63,
275+ 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01,
276+ 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
277+ 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
278+ 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
279+ 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, 0x74,
280+ 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61,
281+ 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d,
282+ 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09,
283+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
284+ 0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, 0x2a,
285+ 0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, 0x66,
286+ 0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, 0x5a,
287+ 0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, 0x64,
288+ 0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, 0x58,
289+ 0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, 0xd0,
290+ 0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, 0xf5,
291+ 0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, 0xec,
292+ 0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, 0xd7,
293+ 0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, 0x28,
294+ 0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, 0x79,
295+ 0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, 0x7b,
296+ 0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, 0xd8,
297+ 0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, 0x19,
298+ 0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, 0x58,
299+ 0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, 0x0d,
300+ 0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, 0x2d,
301+ 0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, 0xc8,
302+ 0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, 0x60,
303+ 0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, 0xac,
304+ 0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, 0x87,
305+ 0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, 0xcd,
306+ 0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, 0x81,
307+ 0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, 0x92,
308+ 0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, 0xe0,
309+ 0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, 0xaf,
310+ 0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, 0xfb,
311+ 0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, 0x68,
312+ 0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, 0xad,
313+ 0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, 0x82,
314+ 0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, 0x14,
315+ 0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, 0x4f,
316+ 0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, 0x9b,
317+ 0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, 0xb0,
318+ 0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
319+ 0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
320+ 0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
321+ 0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
322+ 0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
323+ 0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
324+};
325+
326+//
327+// First DB entry: "Microsoft Windows Production PCA 2011"
328+// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
329+//
330+// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
331+// rooted in this certificate.
332+//
333+STATIC CONST UINT8 MicrosoftPCA[] = {
334+ 0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
335+ 0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
336+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
337+ 0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
338+ 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
339+ 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
340+ 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
341+ 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
342+ 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
343+ 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30,
344+ 0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f,
345+ 0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72,
346+ 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
347+ 0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17,
348+ 0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, 0x32,
349+ 0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, 0x31,
350+ 0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
351+ 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
352+ 0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f,
353+ 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52,
354+ 0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55,
355+ 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
356+ 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31,
357+ 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, 0x63,
358+ 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77,
359+ 0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20,
360+ 0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30,
361+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
362+ 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
363+ 0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, 0xf7,
364+ 0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, 0xcb,
365+ 0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, 0x8b,
366+ 0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, 0xe3,
367+ 0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, 0xc0,
368+ 0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, 0x74,
369+ 0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, 0x67,
370+ 0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, 0x53,
371+ 0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, 0x23,
372+ 0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, 0xa3,
373+ 0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, 0xff,
374+ 0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, 0xe2,
375+ 0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, 0x22,
376+ 0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, 0xf3,
377+ 0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, 0x2b,
378+ 0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, 0xbc,
379+ 0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, 0xd6,
380+ 0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, 0xe8,
381+ 0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, 0xa8,
382+ 0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, 0x03,
383+ 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, 0x10,
384+ 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
385+ 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
386+ 0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, 0xf9,
387+ 0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, 0x2b,
388+ 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00,
389+ 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03,
390+ 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03,
391+ 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
392+ 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
393+ 0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, 0x94,
394+ 0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, 0x1d,
395+ 0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, 0x45,
396+ 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69,
397+ 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
398+ 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63,
399+ 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41,
400+ 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33,
401+ 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
402+ 0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
403+ 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, 0x3a,
404+ 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
405+ 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65,
406+ 0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72,
407+ 0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32,
408+ 0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
409+ 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x14,
410+ 0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, 0xbc,
411+ 0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, 0xd0,
412+ 0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, 0x61,
413+ 0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, 0xda,
414+ 0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, 0x6a,
415+ 0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, 0xe2,
416+ 0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, 0xea,
417+ 0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, 0x30,
418+ 0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, 0x86,
419+ 0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, 0xc8,
420+ 0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, 0xae,
421+ 0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, 0xb8,
422+ 0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, 0xac,
423+ 0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, 0x84,
424+ 0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, 0x73,
425+ 0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, 0x73,
426+ 0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, 0x60,
427+ 0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, 0xb6,
428+ 0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, 0x2a,
429+ 0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, 0xba,
430+ 0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, 0xce,
431+ 0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, 0x0f,
432+ 0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, 0x6e,
433+ 0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, 0xd3,
434+ 0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, 0x45,
435+ 0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, 0xd0,
436+ 0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, 0x24,
437+ 0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, 0x2c,
438+ 0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, 0xdf,
439+ 0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, 0x6c,
440+ 0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, 0xf2,
441+ 0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, 0x5c,
442+ 0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, 0x47,
443+ 0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, 0x5a,
444+ 0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
445+ 0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
446+ 0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
447+ 0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
448+ 0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
449+ 0x62, 0x1c, 0x59, 0x7e
450+};
451+
452+//
453+// Second DB entry: "Microsoft Corporation UEFI CA 2011"
454+// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
455+//
456+// To verify the "shim" binary and PCI expansion ROMs with.
457+//
458+STATIC CONST UINT8 MicrosoftUefiCA[] = {
459+ 0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
460+ 0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
461+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
462+ 0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
463+ 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
464+ 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
465+ 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
466+ 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
467+ 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
468+ 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
469+ 0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
470+ 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
471+ 0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
472+ 0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
473+ 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
474+ 0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x32,
475+ 0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30,
476+ 0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
477+ 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
478+ 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
479+ 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
480+ 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
481+ 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
482+ 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, 0x06,
483+ 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
484+ 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
485+ 0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31,
486+ 0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
487+ 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
488+ 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, 0xc7,
489+ 0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, 0x43,
490+ 0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, 0x73,
491+ 0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, 0xd3,
492+ 0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, 0x54,
493+ 0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, 0x5c,
494+ 0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, 0x4f,
495+ 0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, 0xae,
496+ 0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, 0x1d,
497+ 0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, 0xfa,
498+ 0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, 0xff,
499+ 0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, 0x7b,
500+ 0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, 0xe6,
501+ 0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, 0x62,
502+ 0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, 0x08,
503+ 0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, 0xe7,
504+ 0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, 0xb2,
505+ 0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, 0x7f,
506+ 0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, 0x8b,
507+ 0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, 0x6a,
508+ 0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x76,
509+ 0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01,
510+ 0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x23,
511+ 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, 0x16,
512+ 0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, 0x37,
513+ 0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, 0x03,
514+ 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, 0xbd,
515+ 0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, 0x1b,
516+ 0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14,
517+ 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43,
518+ 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
519+ 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
520+ 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
521+ 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58,
522+ 0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8,
523+ 0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51,
524+ 0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
525+ 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
526+ 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f,
527+ 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43,
528+ 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f,
529+ 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e,
530+ 0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
531+ 0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01,
532+ 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
533+ 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
534+ 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72,
535+ 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50,
536+ 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30,
537+ 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06,
538+ 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
539+ 0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, 0x76,
540+ 0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, 0xef,
541+ 0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, 0x13,
542+ 0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, 0x82,
543+ 0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, 0x1a,
544+ 0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, 0x20,
545+ 0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, 0x90,
546+ 0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, 0x52,
547+ 0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, 0x6d,
548+ 0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, 0xaf,
549+ 0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, 0x49,
550+ 0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, 0x34,
551+ 0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, 0x75,
552+ 0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, 0xb9,
553+ 0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, 0x8f,
554+ 0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, 0x8c,
555+ 0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, 0x56,
556+ 0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, 0xae,
557+ 0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, 0x4a,
558+ 0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, 0x3c,
559+ 0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, 0x59,
560+ 0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, 0x3d,
561+ 0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, 0x53,
562+ 0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, 0x1b,
563+ 0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, 0x98,
564+ 0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, 0x85,
565+ 0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, 0xd2,
566+ 0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, 0xe2,
567+ 0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, 0x6c,
568+ 0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, 0x3b,
569+ 0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, 0x27,
570+ 0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, 0xa6,
571+ 0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, 0x3f,
572+ 0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, 0x55,
573+ 0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
574+ 0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
575+ 0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
576+ 0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
577+ 0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
578+ 0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
579+};
580+
581+//
582+// The most important thing about the variable payload is that it is a list of
583+// lists, where the element size of any given *inner* list is constant.
584+//
585+// Since X509 certificates vary in size, each of our *inner* lists will contain
586+// one element only (one X.509 certificate). This is explicitly mentioned in
587+// the UEFI specification, in "28.4.1 Signature Database", in a Note.
588+//
589+// The list structure looks as follows:
590+//
591+// struct EFI_VARIABLE_AUTHENTICATION_2 { |
592+// struct EFI_TIME { |
593+// UINT16 Year; |
594+// UINT8 Month; |
595+// UINT8 Day; |
596+// UINT8 Hour; |
597+// UINT8 Minute; |
598+// UINT8 Second; |
599+// UINT8 Pad1; |
600+// UINT32 Nanosecond; |
601+// INT16 TimeZone; |
602+// UINT8 Daylight; |
603+// UINT8 Pad2; |
604+// } TimeStamp; |
605+// |
606+// struct WIN_CERTIFICATE_UEFI_GUID { | |
607+// struct WIN_CERTIFICATE { | |
608+// UINT32 dwLength; ----------------------------------------+ |
609+// UINT16 wRevision; | |
610+// UINT16 wCertificateType; | |
611+// } Hdr; | +- DataSize
612+// | |
613+// EFI_GUID CertType; | |
614+// UINT8 CertData[1] = { <--- "struct hack" | |
615+// struct EFI_SIGNATURE_LIST { | | |
616+// EFI_GUID SignatureType; | | |
617+// UINT32 SignatureListSize; -------------------------+ | |
618+// UINT32 SignatureHeaderSize; | | |
619+// UINT32 SignatureSize; ---------------------------+ | | |
620+// UINT8 SignatureHeader[SignatureHeaderSize]; | | | |
621+// v | | |
622+// struct EFI_SIGNATURE_DATA { | | | |
623+// EFI_GUID SignatureOwner; | | | |
624+// UINT8 SignatureData[1] = { <--- "struct hack" | | | |
625+// X.509 payload | | | |
626+// } | | | |
627+// } Signatures[]; | | |
628+// } SigLists[]; | |
629+// }; | |
630+// } AuthInfo; | |
631+// }; |
632+//
633+// Given that the "struct hack" invokes undefined behavior (which is why C99
634+// introduced the flexible array member), and because subtracting those pesky
635+// sizes of 1 is annoying, and because the format is fully specified in the
636+// UEFI specification, we'll introduce two matching convenience structures that
637+// are customized for our X.509 purposes.
638+//
639+#pragma pack(1)
640+typedef struct {
641+ EFI_TIME TimeStamp;
642+
643+ //
644+ // dwLength covers data below
645+ //
646+ UINT32 dwLength;
647+ UINT16 wRevision;
648+ UINT16 wCertificateType;
649+ EFI_GUID CertType;
650+} SINGLE_HEADER;
651+
652+typedef struct {
653+ //
654+ // SignatureListSize covers data below
655+ //
656+ EFI_GUID SignatureType;
657+ UINT32 SignatureListSize;
658+ UINT32 SignatureHeaderSize; // constant 0
659+ UINT32 SignatureSize;
660+
661+ //
662+ // SignatureSize covers data below
663+ //
664+ EFI_GUID SignatureOwner;
665+
666+ //
667+ // X.509 certificate follows
668+ //
669+} REPEATING_HEADER;
670+#pragma pack()
671+
672+/**
673+ Enroll a set of DER-formatted X.509 certificates in a global variable,
674+ overwriting it.
675+
676+ The variable will be rewritten with NV+BS+RT+AT attributes.
677+
678+ @param[in] VariableName The name of the variable to overwrite.
679+
680+ @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable to
681+ overwrite.
682+
683+ @param[in] ... A list of
684+
685+ IN CONST UINT8 *Cert,
686+ IN UINTN CertSize,
687+ IN CONST EFI_GUID *OwnerGuid
688+
689+ triplets. If the first component of a triplet is
690+ NULL, then the other two components are not
691+ accessed, and processing is terminated. The list of
692+ X.509 certificates is enrolled in the variable
693+ specified, overwriting it. The OwnerGuid component
694+ identifies the agent installing the certificate.
695+
696+ @retval EFI_INVALID_PARAMETER The triplet list is empty (ie. the first Cert
697+ value is NULL), or one of the CertSize values
698+ is 0, or one of the CertSize values would
699+ overflow the accumulated UINT32 data size.
700+
701+ @retval EFI_OUT_OF_RESOURCES Out of memory while formatting variable
702+ payload.
703+
704+ @retval EFI_SUCCESS Enrollment successful; the variable has been
705+ overwritten (or created).
706+
707+ @return Error codes from gRT->GetTime() and
708+ gRT->SetVariable().
709+**/
710+STATIC
711+EFI_STATUS
712+EFIAPI
713+EnrollListOfX509Certs (
714+ IN CHAR16 *VariableName,
715+ IN EFI_GUID *VendorGuid,
716+ ...
717+ )
718+{
719+ UINTN DataSize;
720+ SINGLE_HEADER *SingleHeader;
721+ REPEATING_HEADER *RepeatingHeader;
722+ VA_LIST Marker;
723+ CONST UINT8 *Cert;
724+ EFI_STATUS Status = EFI_SUCCESS;
725+ UINT8 *Data;
726+ UINT8 *Position;
727+
728+ //
729+ // compute total size first, for UINT32 range check, and allocation
730+ //
731+ DataSize = sizeof *SingleHeader;
732+ VA_START (Marker, VendorGuid);
733+ for (Cert = VA_ARG (Marker, CONST UINT8 *);
734+ Cert != NULL;
735+ Cert = VA_ARG (Marker, CONST UINT8 *)) {
736+ UINTN CertSize;
737+
738+ CertSize = VA_ARG (Marker, UINTN);
739+ (VOID)VA_ARG (Marker, CONST EFI_GUID *);
740+
741+ if (CertSize == 0 ||
742+ CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||
743+ DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {
744+ Status = EFI_INVALID_PARAMETER;
745+ break;
746+ }
747+ DataSize += sizeof *RepeatingHeader + CertSize;
748+ }
749+ VA_END (Marker);
750+
751+ if (DataSize == sizeof *SingleHeader) {
752+ Status = EFI_INVALID_PARAMETER;
753+ }
754+ if (EFI_ERROR (Status)) {
755+ goto Out;
756+ }
757+
758+ Data = AllocatePool (DataSize);
759+ if (Data == NULL) {
760+ Status = EFI_OUT_OF_RESOURCES;
761+ goto Out;
762+ }
763+
764+ Position = Data;
765+
766+ SingleHeader = (SINGLE_HEADER *)Position;
767+ Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);
768+ if (EFI_ERROR (Status)) {
769+ goto FreeData;
770+ }
771+ SingleHeader->TimeStamp.Pad1 = 0;
772+ SingleHeader->TimeStamp.Nanosecond = 0;
773+ SingleHeader->TimeStamp.TimeZone = 0;
774+ SingleHeader->TimeStamp.Daylight = 0;
775+ SingleHeader->TimeStamp.Pad2 = 0;
776+#if 0
777+ SingleHeader->dwLength = DataSize - sizeof SingleHeader->TimeStamp;
778+#else
779+ //
780+ // This looks like a bug in edk2. According to the UEFI specification,
781+ // dwLength is "The length of the entire certificate, including the length of
782+ // the header, in bytes". That shouldn't stop right after CertType -- it
783+ // should include everything below it.
784+ //
785+ SingleHeader->dwLength = sizeof *SingleHeader
786+ - sizeof SingleHeader->TimeStamp;
787+#endif
788+ SingleHeader->wRevision = 0x0200;
789+ SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;
790+ CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);
791+ Position += sizeof *SingleHeader;
792+
793+ VA_START (Marker, VendorGuid);
794+ for (Cert = VA_ARG (Marker, CONST UINT8 *);
795+ Cert != NULL;
796+ Cert = VA_ARG (Marker, CONST UINT8 *)) {
797+ UINTN CertSize;
798+ CONST EFI_GUID *OwnerGuid;
799+
800+ CertSize = VA_ARG (Marker, UINTN);
801+ OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
802+
803+ RepeatingHeader = (REPEATING_HEADER *)Position;
804+ CopyGuid (&RepeatingHeader->SignatureType, &gEfiCertX509Guid);
805+ RepeatingHeader->SignatureListSize = sizeof *RepeatingHeader + CertSize;
806+ RepeatingHeader->SignatureHeaderSize = 0;
807+ RepeatingHeader->SignatureSize =
808+ sizeof RepeatingHeader->SignatureOwner + CertSize;
809+ CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);
810+ Position += sizeof *RepeatingHeader;
811+
812+ CopyMem (Position, Cert, CertSize);
813+ Position += CertSize;
814+ }
815+ VA_END (Marker);
816+
817+ ASSERT (Data + DataSize == Position);
818+
819+ Status = gRT->SetVariable (VariableName, VendorGuid,
820+ (EFI_VARIABLE_NON_VOLATILE |
821+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
822+ EFI_VARIABLE_RUNTIME_ACCESS |
823+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
824+ DataSize, Data);
825+
826+FreeData:
827+ FreePool (Data);
828+
829+Out:
830+ if (EFI_ERROR (Status)) {
831+ AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
832+ VendorGuid, Status);
833+ }
834+ return Status;
835+}
836+
837+
838+STATIC
839+EFI_STATUS
840+EFIAPI
841+GetExact (
842+ IN CHAR16 *VariableName,
843+ IN EFI_GUID *VendorGuid,
844+ OUT VOID *Data,
845+ IN UINTN DataSize,
846+ IN BOOLEAN AllowMissing
847+ )
848+{
849+ UINTN Size;
850+ EFI_STATUS Status;
851+
852+ Size = DataSize;
853+ Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);
854+ if (EFI_ERROR (Status)) {
855+ if (Status == EFI_NOT_FOUND && AllowMissing) {
856+ ZeroMem (Data, DataSize);
857+ return EFI_SUCCESS;
858+ }
859+
860+ AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,
861+ VendorGuid, Status);
862+ return Status;
863+ }
864+
865+ if (Size != DataSize) {
866+ AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
867+ "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
868+ return EFI_PROTOCOL_ERROR;
869+ }
870+
871+ return EFI_SUCCESS;
872+}
873+
874+typedef struct {
875+ UINT8 SetupMode;
876+ UINT8 SecureBoot;
877+ UINT8 SecureBootEnable;
878+ UINT8 CustomMode;
879+ UINT8 VendorKeys;
880+} SETTINGS;
881+
882+STATIC
883+EFI_STATUS
884+EFIAPI
885+GetSettings (
886+ OUT SETTINGS *Settings
887+ )
888+{
889+ EFI_STATUS Status;
890+
891+ Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
892+ &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
893+ if (EFI_ERROR (Status)) {
894+ return Status;
895+ }
896+
897+ Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,
898+ &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);
899+ if (EFI_ERROR (Status)) {
900+ return Status;
901+ }
902+
903+ Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,
904+ &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,
905+ sizeof Settings->SecureBootEnable, TRUE);
906+ if (EFI_ERROR (Status)) {
907+ return Status;
908+ }
909+
910+ Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
911+ &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);
912+ if (EFI_ERROR (Status)) {
913+ return Status;
914+ }
915+
916+ Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
917+ &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
918+ return Status;
919+}
920+
921+STATIC
922+VOID
923+EFIAPI
924+PrintSettings (
925+ IN CONST SETTINGS *Settings
926+ )
927+{
928+ AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
929+ "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
930+ Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
931+}
932+
933+
934+INTN
935+EFIAPI
936+ShellAppMain (
937+ IN UINTN Argc,
938+ IN CHAR16 **Argv
939+ )
940+{
941+ EFI_STATUS Status;
942+ SETTINGS Settings;
943+
944+ Status = GetSettings (&Settings);
945+ if (EFI_ERROR (Status)) {
946+ return 1;
947+ }
948+ PrintSettings (&Settings);
949+
950+ if (Settings.SetupMode != 1) {
951+ AsciiPrint ("error: already in User Mode\n");
952+ return 1;
953+ }
954+
955+ if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
956+ Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
957+ Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
958+ (EFI_VARIABLE_NON_VOLATILE |
959+ EFI_VARIABLE_BOOTSERVICE_ACCESS),
960+ sizeof Settings.CustomMode, &Settings.CustomMode);
961+ if (EFI_ERROR (Status)) {
962+ AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
963+ &gEfiCustomModeEnableGuid, Status);
964+ return 1;
965+ }
966+ }
967+
968+ Status = EnrollListOfX509Certs (
969+ EFI_IMAGE_SECURITY_DATABASE,
970+ &gEfiImageSecurityDatabaseGuid,
971+ MicrosoftPCA, sizeof MicrosoftPCA, &gEfiCallerIdGuid,
972+ MicrosoftUefiCA, sizeof MicrosoftUefiCA, &gEfiCallerIdGuid,
973+ NULL);
974+ if (EFI_ERROR (Status)) {
975+ return 1;
976+ }
977+
978+ Status = EnrollListOfX509Certs (
979+ EFI_KEY_EXCHANGE_KEY_NAME,
980+ &gEfiGlobalVariableGuid,
981+ ExampleCert, sizeof ExampleCert, &gEfiCallerIdGuid,
982+ MicrosoftKEK, sizeof MicrosoftKEK, &gEfiCallerIdGuid,
983+ NULL);
984+ if (EFI_ERROR (Status)) {
985+ return 1;
986+ }
987+
988+ Status = EnrollListOfX509Certs (
989+ EFI_PLATFORM_KEY_NAME,
990+ &gEfiGlobalVariableGuid,
991+ ExampleCert, sizeof ExampleCert, &gEfiGlobalVariableGuid,
992+ NULL);
993+ if (EFI_ERROR (Status)) {
994+ return 1;
995+ }
996+
997+ Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
998+ Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
999+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
1000+ sizeof Settings.CustomMode, &Settings.CustomMode);
1001+ if (EFI_ERROR (Status)) {
1002+ AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
1003+ &gEfiCustomModeEnableGuid, Status);
1004+ return 1;
1005+ }
1006+
1007+ Status = GetSettings (&Settings);
1008+ if (EFI_ERROR (Status)) {
1009+ return 1;
1010+ }
1011+ PrintSettings (&Settings);
1012+
1013+ if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
1014+ Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
1015+ Settings.VendorKeys != 0) {
1016+ AsciiPrint ("error: unexpected\n");
1017+ return 1;
1018+ }
1019+
1020+ AsciiPrint ("info: success\n");
1021+ return 0;
1022+}
1023diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
1024new file mode 100644
1025index 0000000..ac919bb
1026--- /dev/null
1027+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
1028@@ -0,0 +1,51 @@
1029+## @file
1030+# Enroll default PK, KEK, DB.
1031+#
1032+# Copyright (C) 2014, Red Hat, Inc.
1033+#
1034+# This program and the accompanying materials are licensed and made available
1035+# under the terms and conditions of the BSD License which accompanies this
1036+# distribution. The full text of the license may be found at
1037+# http://opensource.org/licenses/bsd-license.
1038+#
1039+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
1040+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
1041+# IMPLIED.
1042+##
1043+
1044+[Defines]
1045+ INF_VERSION = 0x00010006
1046+ BASE_NAME = EnrollDefaultKeys
1047+ FILE_GUID = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
1048+ MODULE_TYPE = UEFI_APPLICATION
1049+ VERSION_STRING = 0.1
1050+ ENTRY_POINT = ShellCEntryLib
1051+
1052+#
1053+# VALID_ARCHITECTURES = IA32 X64
1054+#
1055+
1056+[Sources]
1057+ EnrollDefaultKeys.c
1058+
1059+[Packages]
1060+ MdePkg/MdePkg.dec
1061+ MdeModulePkg/MdeModulePkg.dec
1062+ SecurityPkg/SecurityPkg.dec
1063+ ShellPkg/ShellPkg.dec
1064+
1065+[Guids]
1066+ gEfiCertPkcs7Guid
1067+ gEfiCertX509Guid
1068+ gEfiCustomModeEnableGuid
1069+ gEfiGlobalVariableGuid
1070+ gEfiImageSecurityDatabaseGuid
1071+ gEfiSecureBootEnableDisableGuid
1072+
1073+[LibraryClasses]
1074+ BaseMemoryLib
1075+ DebugLib
1076+ MemoryAllocationLib
1077+ ShellCEntryLib
1078+ UefiLib
1079+ UefiRuntimeServicesTableLib
1080diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
1081index fa9661c..e2e6ba3 100644
1082--- a/OvmfPkg/OvmfPkgIa32.dsc
1083+++ b/OvmfPkg/OvmfPkgIa32.dsc
1084@@ -764,6 +764,10 @@
1085
1086 !if $(SECURE_BOOT_ENABLE) == TRUE
1087 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
1088+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
1089+ <LibraryClasses>
1090+ ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
1091+ }
1092 !endif
1093
1094 OvmfPkg/PlatformDxe/Platform.inf
1095diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
1096index 667584a..a0ae1aa 100644
1097--- a/OvmfPkg/OvmfPkgIa32X64.dsc
1098+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
1099@@ -773,6 +773,10 @@
1100
1101 !if $(SECURE_BOOT_ENABLE) == TRUE
1102 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
1103+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
1104+ <LibraryClasses>
1105+ ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
1106+ }
1107 !endif
1108
1109 OvmfPkg/PlatformDxe/Platform.inf
1110diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
1111index 5ae8469..87cee52 100644
1112--- a/OvmfPkg/OvmfPkgX64.dsc
1113+++ b/OvmfPkg/OvmfPkgX64.dsc
1114@@ -771,6 +771,10 @@
1115
1116 !if $(SECURE_BOOT_ENABLE) == TRUE
1117 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
1118+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
1119+ <LibraryClasses>
1120+ ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
1121+ }
1122 !endif
1123
1124 OvmfPkg/PlatformDxe/Platform.inf
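Review bot: In ShellAppMain of EnrollDefaultKeys.c, every failure after CustomMode has been written as CUSTOM_SECURE_BOOT_MODE exits with `return 1`, so the non-volatile CustomMode variable stays in custom mode alongside whatever subset of db, KEK and PK was already enrolled; the reset to STANDARD_SECURE_BOOT_MODE runs only on the all-success path. Route the `if (EFI_ERROR (Status)) { return 1; }` exits that follow the three EnrollListOfX509Certs calls through a common label that restores STANDARD_SECURE_BOOT_MODE before returning. Separately, PK and KEK are both taken from the compiled-in ExampleCert array; a comment at those call sites should say who holds the matching private key, since that party controls later KEK and db updates.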
diff --git a/meta/recipes-core/ovmf/ovmf/no-stack-protector-all-archs.patch b/meta/recipes-core/ovmf/ovmf/no-stack-protector-all-archs.patch
index 25e5b58e70..1b65348e84 100644
--- a/meta/recipes-core/ovmf/ovmf/no-stack-protector-all-archs.patch
+++ b/meta/recipes-core/ovmf/ovmf/no-stack-protector-all-archs.patch
@@ -9,12 +9,26 @@ Index: git/BaseTools/Conf/tools_def.template
9=================================================================== 9===================================================================
10--- git.orig/BaseTools/Conf/tools_def.template 10--- git.orig/BaseTools/Conf/tools_def.template
11+++ git/BaseTools/Conf/tools_def.template 11+++ git/BaseTools/Conf/tools_def.template
12@@ -4368,7 +4368,7 @@ DEFINE GCC_IPF_RC_FLAGS = -I 12@@ -1736,10 +1736,10 @@ DEFINE GCC_X64_RC_FLAGS = -I binary -O elf64-x86-64 -B i386
13 DEFINE GCC_ARM_RC_FLAGS = -I binary -O elf32-littlearm -B arm --rename-section .data=.hii 13 DEFINE GCC_ARM_RC_FLAGS = -I binary -O elf32-littlearm -B arm --rename-section .data=.hii
14 DEFINE GCC_AARCH64_RC_FLAGS = -I binary -O elf64-littleaarch64 -B aarch64 --rename-section .data=.hii 14 DEFINE GCC_AARCH64_RC_FLAGS = -I binary -O elf64-littleaarch64 -B aarch64 --rename-section .data=.hii
15 15
16-DEFINE GCC44_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings 16-DEFINE GCC48_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
17+DEFINE GCC44_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -fno-stack-protector -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings 17+DEFINE GCC48_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -fno-stack-protector -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
18 DEFINE GCC44_IA32_CC_FLAGS = DEF(GCC44_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -fno-PIE -no-pie 18 DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20
19 DEFINE GCC44_X64_CC_FLAGS = DEF(GCC44_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables 19-DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -Wno-address
20 DEFINE GCC44_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20 -no-pie 20-DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address
21+DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -D EFI32 -fno-asynchronous-unwind-tables -Wno-address
22+DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m64 "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address
23 DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable
24 DEFINE GCC48_IA32_X64_DLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive
25 DEFINE GCC48_IA32_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON)
26@@ -1748,7 +1748,7 @@ DEFINE GCC48_X64_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x228 DEF
27 DEFINE GCC48_ASM_FLAGS = DEF(GCC_ASM_FLAGS)
28 DEFINE GCC48_ARM_ASM_FLAGS = $(ARCHASM_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian
29 DEFINE GCC48_AARCH64_ASM_FLAGS = $(ARCHASM_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian
30-DEFINE GCC48_ARM_CC_FLAGS = $(ARCHCC_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ARM_CC_FLAGS) -fstack-protector -mword-relocations
31+DEFINE GCC48_ARM_CC_FLAGS = $(ARCHCC_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ARM_CC_FLAGS) -mword-relocations
32 DEFINE GCC48_ARM_CC_XIPFLAGS = DEF(GCC_ARM_CC_XIPFLAGS)
33 DEFINE GCC48_AARCH64_CC_FLAGS = $(ARCHCC_FLAGS) $(PLATFORM_FLAGS) -mcmodel=large DEF(GCC_AARCH64_CC_FLAGS)
34 DEFINE GCC48_AARCH64_CC_XIPFLAGS = DEF(GCC_AARCH64_CC_XIPFLAGS)
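Review bot: The rebased hunk at tools_def.template line 1748 deletes -fstack-protector from GCC48_ARM_CC_FLAGS, and the hunk at line 1736 adds -fno-stack-protector to GCC48_ALL_CC_FLAGS, so stack canaries are turned off on ARM, where the template had enabled them; the reason for that should be stated in the patch description. The rebase also moves the change from the GCC44_* definitions to GCC48_* only, so please confirm that the toolchain tag the recipe passes as `-t ${FIXED_GCCVER}` takes its flags from GCC48_ALL_CC_FLAGS and GCC48_ARM_CC_FLAGS; otherwise the patch no longer affects the build.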
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 71828d8d8d..11793f0d1a 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -4,7 +4,7 @@ Virtual Machines. OVMF contains sample UEFI firmware for QEMU and KVM"
4HOMEPAGE = "https://github.com/tianocore/tianocore.github.io/wiki/OVMF" 4HOMEPAGE = "https://github.com/tianocore/tianocore.github.io/wiki/OVMF"
5LICENSE = "BSD" 5LICENSE = "BSD"
6LICENSE_class-target = "${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'BSD & OpenSSL', 'BSD', d)}" 6LICENSE_class-target = "${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'BSD & OpenSSL', 'BSD', d)}"
7LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496" 7LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=06357ddc23f46577c2aeaeaf7b776d65"
8 8
9# Enabling Secure Boot adds a dependency on OpenSSL and implies 9# Enabling Secure Boot adds a dependency on OpenSSL and implies
10# compiling OVMF twice, so it is disabled by default. Distros 10# compiling OVMF twice, so it is disabled by default. Distros
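Review bot: LIC_FILES_CHKSUM is updated for the relicensed OvmfPkg/License.txt, but LICENSE and LICENSE_class-target on the lines just above still say "BSD" and 'BSD & OpenSSL'. The commit message describes the new terms as BSD+Patent, so the LICENSE values should name that license as well; otherwise the recipe metadata and the checksummed license file disagree.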
@@ -12,30 +12,15 @@ LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3
12PACKAGECONFIG ??= "" 12PACKAGECONFIG ??= ""
13PACKAGECONFIG[secureboot] = ",,," 13PACKAGECONFIG[secureboot] = ",,,"
14 14
15SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \ 15SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=git \
16 file://0001-ia32-Dont-use-pie.patch \
17 file://0002-ovmf-update-path-to-native-BaseTools.patch \ 16 file://0002-ovmf-update-path-to-native-BaseTools.patch \
18 file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \ 17 file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
19 file://0004-ovmf-enable-long-path-file.patch \ 18 file://0004-ovmf-enable-long-path-file.patch \
20 file://VfrCompile-increase-path-length-limit.patch \
21 file://no-stack-protector-all-archs.patch \ 19 file://no-stack-protector-all-archs.patch \
22 file://0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch \
23 file://0002-BaseTools-header.makefile-add-Wno-restrict.patch \
24 file://0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch \
25 file://0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch \
26 " 20 "
27UPSTREAM_VERSION_UNKNOWN = "1" 21UPSTREAM_VERSION_UNKNOWN = "1"
28 22
29OPENSSL_RELEASE = "openssl-1.1.0e" 23SRCREV="20d2e5a125e34fc8501026613a71549b2a1a3e54"
30
31SRC_URI_append_class-target = " \
32 ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'http://www.openssl.org/source/${OPENSSL_RELEASE}.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib', '', d)} \
33 file://0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch \
34"
35
36SRCREV="ec4910cd3336565fdb61dafdd9ec4ae7a6160ba3"
37SRC_URI[openssl.md5sum] = "51c42d152122e474754aea96f66928c6"
38SRC_URI[openssl.sha256sum] = "57be8618979d80c910728cfc99369bf97b2a1abd8f366ab6ebdee8975ad3874c"
39 24
40inherit deploy 25inherit deploy
41 26
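Review bot: The new SRC_URI fetches with `protocol=git`, which is the unauthenticated, unencrypted git transport; SRCREV pins the top-level commit, but `protocol=https` fetches the same revision over an authenticated channel and also works on networks that block port 9418. With the gitsm fetcher the OpenSSL sources are now covered only by the submodule commit recorded in edk2 rather than by the removed SRC_URI[openssl.sha256sum], which is worth a comment next to SRC_URI. The hunk also drops 0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch from SRC_URI_append_class-target, which belongs in the commit message's list of dropped patches together with where that application now comes from.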
@@ -44,7 +29,7 @@ PARALLEL_MAKE = ""
44S = "${WORKDIR}/git" 29S = "${WORKDIR}/git"
45 30
46DEPENDS_class-native="util-linux-native iasl-native" 31DEPENDS_class-native="util-linux-native iasl-native"
47DEPENDS_class-target="ovmf-native" 32DEPENDS_class-target="ovmf-native bc-native"
48 33
49DEPENDS_append = " nasm-native" 34DEPENDS_append = " nasm-native"
50 35
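Review bot: bc-native is added to DEPENDS_class-target with no comment saying which build step needs it; a one-line comment above the assignment would keep the dependency from being removed later as unused.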
@@ -191,12 +176,9 @@ do_compile_class-target() {
191 ln ${build_dir}/${OVMF_ARCH}/Shell.efi ${WORKDIR}/ovmf/ 176 ln ${build_dir}/${OVMF_ARCH}/Shell.efi ${WORKDIR}/ovmf/
192 177
193 if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then 178 if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
194 # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and 179 # Repeat build with the Secure Boot flags.
195 # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for
196 # building with Secure Boot enabled.
197 bbnote "Building with Secure Boot." 180 bbnote "Building with Secure Boot."
198 rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX 181 rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
199 ln -sf ${OPENSSL_RELEASE} ${S}/CryptoPkg/Library/OpensslLib/openssl
200 ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} 182 ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
201 ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.secboot.fd 183 ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.secboot.fd
202 ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.secboot.code.fd 184 ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.secboot.code.fd