UefiCpuPkg CpuCommFeaturesLib: Fix GP fault issue about ProcTrace

[mirror_edk2.git] / OvmfPkg / EnrollDefaultKeys / EnrollDefaultKeys.c

/** @file\r
  Enroll default PK, KEK, db, dbx.\r
\r
  Copyright (C) 2014-2019, Red Hat, Inc.\r
\r
  SPDX-License-Identifier: BSD-2-Clause-Patent\r
**/\r
#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid\r
#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME\r
#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE\r
#include <Guid/MicrosoftVendor.h>                // gMicrosoftVendorGuid\r
#include <Guid/OvmfPkKek1AppPrefix.h>            // gOvmfPkKek1AppPrefixGuid\r
#include <IndustryStandard/SmBios.h>             // SMBIOS_HANDLE_PI_RESERVED\r
#include <Library/BaseLib.h>                     // GUID_STRING_LENGTH\r
#include <Library/BaseMemoryLib.h>               // CopyGuid()\r
#include <Library/DebugLib.h>                    // ASSERT()\r
#include <Library/MemoryAllocationLib.h>         // FreePool()\r
#include <Library/PrintLib.h>                    // AsciiSPrint()\r
#include <Library/ShellCEntryLib.h>              // ShellAppMain()\r
#include <Library/UefiBootServicesTableLib.h>    // gBS\r
#include <Library/UefiLib.h>                     // AsciiPrint()\r
#include <Library/UefiRuntimeServicesTableLib.h> // gRT\r
#include <Protocol/Smbios.h>                     // EFI_SMBIOS_PROTOCOL\r
\r
#include "EnrollDefaultKeys.h"\r
\r
\r
/**\r
  Fetch the X509 certificate (to be used as Platform Key and first Key Exchange\r
  Key) from SMBIOS.\r
\r
  @param[out] PkKek1        The X509 certificate in DER encoding from the\r
                            hypervisor, to be enrolled as PK and first KEK\r
                            entry. On success, the caller is responsible for\r
                            releasing PkKek1 with FreePool().\r
\r
  @param[out] SizeOfPkKek1  The size of PkKek1 in bytes.\r
\r
  @retval EFI_SUCCESS           PkKek1 and SizeOfPkKek1 have been set\r
                                successfully.\r
\r
  @retval EFI_NOT_FOUND         An OEM String matching\r
                                OVMF_PK_KEK1_APP_PREFIX_GUID has not been\r
                                found.\r
\r
  @retval EFI_PROTOCOL_ERROR    In the OEM String matching\r
                                OVMF_PK_KEK1_APP_PREFIX_GUID, the certificate\r
                                is empty, or it has invalid base64 encoding.\r
\r
  @retval EFI_OUT_OF_RESOURCES  Memory allocation failed.\r
\r
  @return                       Error codes from gBS->LocateProtocol().\r
**/\r
STATIC\r
EFI_STATUS\r
GetPkKek1 (\r
  OUT UINT8 **PkKek1,\r
  OUT UINTN *SizeOfPkKek1\r
  )\r
{\r
  CONST CHAR8             *Base64Cert;\r
  CHAR8                   OvmfPkKek1AppPrefix[GUID_STRING_LENGTH + 1 + 1];\r
  EFI_STATUS              Status;\r
  EFI_SMBIOS_PROTOCOL     *Smbios;\r
  EFI_SMBIOS_HANDLE       Handle;\r
  EFI_SMBIOS_TYPE         Type;\r
  EFI_SMBIOS_TABLE_HEADER *Header;\r
  SMBIOS_TABLE_TYPE11     *OemStringsTable;\r
  UINTN                   Base64CertLen;\r
  UINTN                   DecodedCertSize;\r
  UINT8                   *DecodedCert;\r
\r
  Base64Cert = NULL;\r
\r
  //\r
  // Format the application prefix, for OEM String matching.\r
  //\r
  AsciiSPrint (OvmfPkKek1AppPrefix, sizeof OvmfPkKek1AppPrefix, "%g:",\r
    &gOvmfPkKek1AppPrefixGuid);\r
\r
  //\r
  // Scan all "OEM Strings" tables.\r
  //\r
  Status = gBS->LocateProtocol (&gEfiSmbiosProtocolGuid, NULL,\r
                  (VOID **)&Smbios);\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("error: failed to locate EFI_SMBIOS_PROTOCOL: %r\n", Status);\r
    return Status;\r
  }\r
\r
  Handle = SMBIOS_HANDLE_PI_RESERVED;\r
  Type = SMBIOS_TYPE_OEM_STRINGS;\r
  for (Status = Smbios->GetNext (Smbios, &Handle, &Type, &Header, NULL);\r
       !EFI_ERROR (Status);\r
       Status = Smbios->GetNext (Smbios, &Handle, &Type, &Header, NULL)) {\r
    CONST CHAR8 *OemString;\r
    UINTN       Idx;\r
\r
    if (Header->Length < sizeof *OemStringsTable) {\r
      //\r
      // Malformed table header, skip to next.\r
      //\r
      continue;\r
    }\r
    OemStringsTable = (SMBIOS_TABLE_TYPE11 *)Header;\r
\r
    //\r
    // Scan all strings in the unformatted area of the current "OEM Strings"\r
    // table.\r
    //\r
    OemString = (CONST CHAR8 *)(OemStringsTable + 1);\r
    for (Idx = 0; Idx < OemStringsTable->StringCount; ++Idx) {\r
      CHAR8 CandidatePrefix[sizeof OvmfPkKek1AppPrefix];\r
\r
      //\r
      // NUL-terminate the candidate prefix for case-insensitive comparison.\r
      //\r
      AsciiStrnCpyS (CandidatePrefix, sizeof CandidatePrefix, OemString,\r
        GUID_STRING_LENGTH + 1);\r
      if (AsciiStriCmp (OvmfPkKek1AppPrefix, CandidatePrefix) == 0) {\r
        //\r
        // The current string matches the prefix.\r
        //\r
        Base64Cert = OemString + GUID_STRING_LENGTH + 1;\r
        break;\r
      }\r
      OemString += AsciiStrSize (OemString);\r
    }\r
\r
    if (Idx < OemStringsTable->StringCount) {\r
      //\r
      // The current table has a matching string.\r
      //\r
      break;\r
    }\r
  }\r
\r
  if (EFI_ERROR (Status)) {\r
    //\r
    // No table with a matching string has been found.\r
    //\r
    AsciiPrint ("error: OEM String with app prefix %g not found: %r\n",\r
      &gOvmfPkKek1AppPrefixGuid, Status);\r
    return EFI_NOT_FOUND;\r
  }\r
\r
  ASSERT (Base64Cert != NULL);\r
  Base64CertLen = AsciiStrLen (Base64Cert);\r
\r
  //\r
  // Verify the base64 encoding, and determine the decoded size.\r
  //\r
  DecodedCertSize = 0;\r
  Status = Base64Decode (Base64Cert, Base64CertLen, NULL, &DecodedCertSize);\r
  switch (Status) {\r
  case EFI_BUFFER_TOO_SMALL:\r
    if (DecodedCertSize > 0) {\r
      break;\r
    }\r
    //\r
    // Fall through: the above Base64Decode() call is ill-specified in BaseLib\r
    // if Source decodes to zero bytes (for example if it consists of ignored\r
    // whitespace only).\r
    //\r
  case EFI_SUCCESS:\r
    AsciiPrint ("error: empty certificate after app prefix %g\n",\r
      &gOvmfPkKek1AppPrefixGuid);\r
    return EFI_PROTOCOL_ERROR;\r
  default:\r
    AsciiPrint ("error: invalid base64 string after app prefix %g\n",\r
      &gOvmfPkKek1AppPrefixGuid);\r
    return EFI_PROTOCOL_ERROR;\r
  }\r
\r
  //\r
  // Allocate the output buffer.\r
  //\r
  DecodedCert = AllocatePool (DecodedCertSize);\r
  if (DecodedCert == NULL) {\r
    AsciiPrint ("error: failed to allocate memory\n");\r
    return EFI_OUT_OF_RESOURCES;\r
  }\r
\r
  //\r
  // Decoding will succeed at this point.\r
  //\r
  Status = Base64Decode (Base64Cert, Base64CertLen, DecodedCert,\r
             &DecodedCertSize);\r
  ASSERT_EFI_ERROR (Status);\r
\r
  *PkKek1 = DecodedCert;\r
  *SizeOfPkKek1 = DecodedCertSize;\r
  return EFI_SUCCESS;\r
}\r
\r
\r
/**\r
  Enroll a set of certificates in a global variable, overwriting it.\r
\r
  The variable will be rewritten with NV+BS+RT+AT attributes.\r
\r
  @param[in] VariableName  The name of the variable to overwrite.\r
\r
  @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to\r
                           overwrite.\r
\r
  @param[in] CertType      The GUID determining the type of all the\r
                           certificates in the set that is passed in. For\r
                           example, gEfiCertX509Guid stands for DER-encoded\r
                           X.509 certificates, while gEfiCertSha256Guid stands\r
                           for SHA256 image hashes.\r
\r
  @param[in] ...           A list of\r
\r
                             IN CONST UINT8    *Cert,\r
                             IN UINTN          CertSize,\r
                             IN CONST EFI_GUID *OwnerGuid\r
\r
                           triplets. If the first component of a triplet is\r
                           NULL, then the other two components are not\r
                           accessed, and processing is terminated. The list of\r
                           certificates is enrolled in the variable specified,\r
                           overwriting it. The OwnerGuid component identifies\r
                           the agent installing the certificate.\r
\r
  @retval EFI_INVALID_PARAMETER  The triplet list is empty (ie. the first Cert\r
                                 value is NULL), or one of the CertSize values\r
                                 is 0, or one of the CertSize values would\r
                                 overflow the accumulated UINT32 data size.\r
\r
  @retval EFI_OUT_OF_RESOURCES   Out of memory while formatting variable\r
                                 payload.\r
\r
  @retval EFI_SUCCESS            Enrollment successful; the variable has been\r
                                 overwritten (or created).\r
\r
  @return                        Error codes from gRT->GetTime() and\r
                                 gRT->SetVariable().\r
**/\r
STATIC\r
EFI_STATUS\r
EFIAPI\r
EnrollListOfCerts (\r
  IN CHAR16   *VariableName,\r
  IN EFI_GUID *VendorGuid,\r
  IN EFI_GUID *CertType,\r
  ...\r
  )\r
{\r
  UINTN            DataSize;\r
  SINGLE_HEADER    *SingleHeader;\r
  REPEATING_HEADER *RepeatingHeader;\r
  VA_LIST          Marker;\r
  CONST UINT8      *Cert;\r
  EFI_STATUS       Status;\r
  UINT8            *Data;\r
  UINT8            *Position;\r
\r
  Status = EFI_SUCCESS;\r
\r
  //\r
  // compute total size first, for UINT32 range check, and allocation\r
  //\r
  DataSize = sizeof *SingleHeader;\r
  VA_START (Marker, CertType);\r
  for (Cert = VA_ARG (Marker, CONST UINT8 *);\r
       Cert != NULL;\r
       Cert = VA_ARG (Marker, CONST UINT8 *)) {\r
    UINTN          CertSize;\r
\r
    CertSize = VA_ARG (Marker, UINTN);\r
    (VOID)VA_ARG (Marker, CONST EFI_GUID *);\r
\r
    if (CertSize == 0 ||\r
        CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||\r
        DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {\r
      Status = EFI_INVALID_PARAMETER;\r
      break;\r
    }\r
    DataSize += sizeof *RepeatingHeader + CertSize;\r
  }\r
  VA_END (Marker);\r
\r
  if (DataSize == sizeof *SingleHeader) {\r
    Status = EFI_INVALID_PARAMETER;\r
  }\r
  if (EFI_ERROR (Status)) {\r
    goto Out;\r
  }\r
\r
  Data = AllocatePool (DataSize);\r
  if (Data == NULL) {\r
    Status = EFI_OUT_OF_RESOURCES;\r
    goto Out;\r
  }\r
\r
  Position = Data;\r
\r
  SingleHeader = (SINGLE_HEADER *)Position;\r
  Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);\r
  if (EFI_ERROR (Status)) {\r
    goto FreeData;\r
  }\r
  SingleHeader->TimeStamp.Pad1       = 0;\r
  SingleHeader->TimeStamp.Nanosecond = 0;\r
  SingleHeader->TimeStamp.TimeZone   = 0;\r
  SingleHeader->TimeStamp.Daylight   = 0;\r
  SingleHeader->TimeStamp.Pad2       = 0;\r
#if 0\r
  SingleHeader->dwLength         = DataSize - sizeof SingleHeader->TimeStamp;\r
#else\r
  //\r
  // This looks like a bug in edk2. According to the UEFI specification,\r
  // dwLength is "The length of the entire certificate, including the length of\r
  // the header, in bytes". That shouldn't stop right after CertType -- it\r
  // should include everything below it.\r
  //\r
  SingleHeader->dwLength         = sizeof *SingleHeader\r
                                     - sizeof SingleHeader->TimeStamp;\r
#endif\r
  SingleHeader->wRevision        = 0x0200;\r
  SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;\r
  CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);\r
  Position += sizeof *SingleHeader;\r
\r
  VA_START (Marker, CertType);\r
  for (Cert = VA_ARG (Marker, CONST UINT8 *);\r
       Cert != NULL;\r
       Cert = VA_ARG (Marker, CONST UINT8 *)) {\r
    UINTN            CertSize;\r
    CONST EFI_GUID   *OwnerGuid;\r
\r
    CertSize  = VA_ARG (Marker, UINTN);\r
    OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);\r
\r
    RepeatingHeader = (REPEATING_HEADER *)Position;\r
    CopyGuid (&RepeatingHeader->SignatureType, CertType);\r
    RepeatingHeader->SignatureListSize   =\r
      (UINT32)(sizeof *RepeatingHeader + CertSize);\r
    RepeatingHeader->SignatureHeaderSize = 0;\r
    RepeatingHeader->SignatureSize       =\r
      (UINT32)(sizeof RepeatingHeader->SignatureOwner + CertSize);\r
    CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);\r
    Position += sizeof *RepeatingHeader;\r
\r
    CopyMem (Position, Cert, CertSize);\r
    Position += CertSize;\r
  }\r
  VA_END (Marker);\r
\r
  ASSERT (Data + DataSize == Position);\r
\r
  Status = gRT->SetVariable (VariableName, VendorGuid,\r
                  (EFI_VARIABLE_NON_VOLATILE |\r
                   EFI_VARIABLE_BOOTSERVICE_ACCESS |\r
                   EFI_VARIABLE_RUNTIME_ACCESS |\r
                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),\r
                  DataSize, Data);\r
\r
FreeData:\r
  FreePool (Data);\r
\r
Out:\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,\r
      VendorGuid, Status);\r
  }\r
  return Status;\r
}\r
\r
\r
/**\r
  Read a UEFI variable into a caller-allocated buffer, enforcing an exact size.\r
\r
  @param[in] VariableName  The name of the variable to read; passed to\r
                           gRT->GetVariable().\r
\r
  @param[in] VendorGuid    The vendor (namespace) GUID of the variable to read;\r
                           passed to gRT->GetVariable().\r
\r
  @param[out] Data         The caller-allocated buffer that is supposed to\r
                           receive the variable's contents. On error, the\r
                           contents of Data are indeterminate.\r
\r
  @param[in] DataSize      The size in bytes that the caller requires the UEFI\r
                           variable to have. The caller is responsible for\r
                           providing room for DataSize bytes in Data.\r
\r
  @param[in] AllowMissing  If FALSE, the variable is required to exist. If\r
                           TRUE, the variable is permitted to be missing.\r
\r
  @retval EFI_SUCCESS           The UEFI variable exists, has the required size\r
                                (DataSize), and has been read into Data.\r
\r
  @retval EFI_SUCCESS           The UEFI variable doesn't exist, and\r
                                AllowMissing is TRUE. DataSize bytes in Data\r
                                have been zeroed out.\r
\r
  @retval EFI_NOT_FOUND         The UEFI variable doesn't exist, and\r
                                AllowMissing is FALSE.\r
\r
  @retval EFI_BUFFER_TOO_SMALL  The UEFI variable exists, but its size is\r
                                greater than DataSize.\r
\r
  @retval EFI_PROTOCOL_ERROR    The UEFI variable exists, but its size is\r
                                smaller than DataSize.\r
\r
  @return                       Error codes propagated from gRT->GetVariable().\r
**/\r
STATIC\r
EFI_STATUS\r
GetExact (\r
  IN CHAR16   *VariableName,\r
  IN EFI_GUID *VendorGuid,\r
  OUT VOID    *Data,\r
  IN UINTN    DataSize,\r
  IN BOOLEAN  AllowMissing\r
  )\r
{\r
  UINTN      Size;\r
  EFI_STATUS Status;\r
\r
  Size = DataSize;\r
  Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);\r
  if (EFI_ERROR (Status)) {\r
    if (Status == EFI_NOT_FOUND && AllowMissing) {\r
      ZeroMem (Data, DataSize);\r
      return EFI_SUCCESS;\r
    }\r
\r
    AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,\r
      VendorGuid, Status);\r
    return Status;\r
  }\r
\r
  if (Size != DataSize) {\r
    AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "\r
      "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);\r
    return EFI_PROTOCOL_ERROR;\r
  }\r
\r
  return EFI_SUCCESS;\r
}\r
\r
\r
/**\r
  Populate a SETTINGS structure from the underlying UEFI variables.\r
\r
  The following UEFI variables are standard variables:\r
  - L"SetupMode"  (EFI_SETUP_MODE_NAME)\r
  - L"SecureBoot" (EFI_SECURE_BOOT_MODE_NAME)\r
  - L"VendorKeys" (EFI_VENDOR_KEYS_VARIABLE_NAME)\r
\r
  The following UEFI variables are edk2 extensions:\r
  - L"SecureBootEnable" (EFI_SECURE_BOOT_ENABLE_NAME)\r
  - L"CustomMode"       (EFI_CUSTOM_MODE_NAME)\r
\r
  The L"SecureBootEnable" UEFI variable is permitted to be missing, in which\r
  case the corresponding field in the SETTINGS object will be zeroed out. The\r
  rest of the covered UEFI variables are required to exist; otherwise, the\r
  function will fail.\r
\r
  @param[out] Settings  The SETTINGS object to fill.\r
\r
  @retval EFI_SUCCESS  Settings has been populated.\r
\r
  @return              Error codes propagated from the GetExact() function. The\r
                       contents of Settings are indeterminate.\r
**/\r
STATIC\r
EFI_STATUS\r
GetSettings (\r
  OUT SETTINGS *Settings\r
  )\r
{\r
  EFI_STATUS Status;\r
\r
  Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,\r
             &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,\r
             &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,\r
             &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,\r
             sizeof Settings->SecureBootEnable, TRUE);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,\r
             &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,\r
             &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);\r
  return Status;\r
}\r
\r
\r
/**\r
  Print the contents of a SETTINGS structure to the UEFI console.\r
\r
  @param[in] Settings  The SETTINGS object to print the contents of.\r
**/\r
STATIC\r
VOID\r
PrintSettings (\r
  IN CONST SETTINGS *Settings\r
  )\r
{\r
  AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "\r
    "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,\r
    Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);\r
}\r
\r
\r
/**\r
  Entry point function of this shell application.\r
**/\r
INTN\r
EFIAPI\r
ShellAppMain (\r
  IN UINTN  Argc,\r
  IN CHAR16 **Argv\r
  )\r
{\r
  INTN       RetVal;\r
  EFI_STATUS Status;\r
  SETTINGS   Settings;\r
  UINT8      *PkKek1;\r
  UINTN      SizeOfPkKek1;\r
  BOOLEAN    NoDefault;\r
\r
  if (Argc == 2 && StrCmp (Argv[1], L"--no-default") == 0) {\r
    NoDefault = TRUE;\r
  } else {\r
    NoDefault = FALSE;\r
  }\r
\r
  //\r
  // Prepare for failure.\r
  //\r
  RetVal = 1;\r
\r
  //\r
  // If we're not in Setup Mode, we can't do anything.\r
  //\r
  Status = GetSettings (&Settings);\r
  if (EFI_ERROR (Status)) {\r
    return RetVal;\r
  }\r
  PrintSettings (&Settings);\r
\r
  if (Settings.SetupMode != 1) {\r
    AsciiPrint ("error: already in User Mode\n");\r
    return RetVal;\r
  }\r
\r
  //\r
  // Set PkKek1 and SizeOfPkKek1 to suppress incorrect compiler/analyzer\r
  // warnings.\r
  //\r
  PkKek1 = NULL;\r
  SizeOfPkKek1 = 0;\r
\r
  //\r
  // Fetch the X509 certificate (to be used as Platform Key and first Key\r
  // Exchange Key) from SMBIOS.\r
  //\r
  Status = GetPkKek1 (&PkKek1, &SizeOfPkKek1);\r
  if (EFI_ERROR (Status)) {\r
    return RetVal;\r
  }\r
\r
  //\r
  // Enter Custom Mode so we can enroll PK, KEK, db, and dbx without signature\r
  // checks on those variable writes.\r
  //\r
  if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {\r
    Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;\r
    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,\r
                    (EFI_VARIABLE_NON_VOLATILE |\r
                     EFI_VARIABLE_BOOTSERVICE_ACCESS),\r
                    sizeof Settings.CustomMode, &Settings.CustomMode);\r
    if (EFI_ERROR (Status)) {\r
      AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,\r
        &gEfiCustomModeEnableGuid, Status);\r
      goto FreePkKek1;\r
    }\r
  }\r
\r
  //\r
  // Enroll db.\r
  //\r
  if (NoDefault) {\r
    Status = EnrollListOfCerts (\r
               EFI_IMAGE_SECURITY_DATABASE,\r
               &gEfiImageSecurityDatabaseGuid,\r
               &gEfiCertX509Guid,\r
               PkKek1, SizeOfPkKek1, &gEfiCallerIdGuid,\r
               NULL);\r
  } else {\r
    Status = EnrollListOfCerts (\r
               EFI_IMAGE_SECURITY_DATABASE,\r
               &gEfiImageSecurityDatabaseGuid,\r
               &gEfiCertX509Guid,\r
               mMicrosoftPca,    mSizeOfMicrosoftPca,    &gMicrosoftVendorGuid,\r
               mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid,\r
               NULL);\r
  }\r
  if (EFI_ERROR (Status)) {\r
    goto FreePkKek1;\r
  }\r
\r
  //\r
  // Enroll dbx.\r
  //\r
  Status = EnrollListOfCerts (\r
             EFI_IMAGE_SECURITY_DATABASE1,\r
             &gEfiImageSecurityDatabaseGuid,\r
             &gEfiCertSha256Guid,\r
             mSha256OfDevNull, mSizeOfSha256OfDevNull, &gEfiCallerIdGuid,\r
             NULL);\r
  if (EFI_ERROR (Status)) {\r
    goto FreePkKek1;\r
  }\r
\r
  //\r
  // Enroll KEK.\r
  //\r
  if (NoDefault) {\r
    Status = EnrollListOfCerts (\r
               EFI_KEY_EXCHANGE_KEY_NAME,\r
               &gEfiGlobalVariableGuid,\r
               &gEfiCertX509Guid,\r
               PkKek1, SizeOfPkKek1, &gEfiCallerIdGuid,\r
               NULL);\r
  } else {\r
    Status = EnrollListOfCerts (\r
               EFI_KEY_EXCHANGE_KEY_NAME,\r
               &gEfiGlobalVariableGuid,\r
               &gEfiCertX509Guid,\r
               PkKek1,        SizeOfPkKek1,        &gEfiCallerIdGuid,\r
               mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,\r
               NULL);\r
  }\r
  if (EFI_ERROR (Status)) {\r
    goto FreePkKek1;\r
  }\r
\r
  //\r
  // Enroll PK, leaving Setup Mode (entering User Mode) at once.\r
  //\r
  Status = EnrollListOfCerts (\r
             EFI_PLATFORM_KEY_NAME,\r
             &gEfiGlobalVariableGuid,\r
             &gEfiCertX509Guid,\r
             PkKek1, SizeOfPkKek1, &gEfiGlobalVariableGuid,\r
             NULL);\r
  if (EFI_ERROR (Status)) {\r
    goto FreePkKek1;\r
  }\r
\r
  //\r
  // Leave Custom Mode, so that updates to PK, KEK, db, and dbx require valid\r
  // signatures.\r
  //\r
  Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;\r
  Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,\r
                  EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
                  sizeof Settings.CustomMode, &Settings.CustomMode);\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,\r
      &gEfiCustomModeEnableGuid, Status);\r
    goto FreePkKek1;\r
  }\r
\r
  //\r
  // Final sanity check:\r
  //\r
  //                                 [SetupMode]\r
  //                        (read-only, standardized by UEFI)\r
  //                                /                \_\r
  //                               0               1, default\r
  //                              /                    \_\r
  //                      PK enrolled                   no PK enrolled yet,\r
  //              (this is called "User Mode")          PK enrollment possible\r
  //                             |\r
  //                             |\r
  //                     [SecureBootEnable]\r
  //         (read-write, edk2-specific, boot service only)\r
  //                /                           \_\r
  //               0                         1, default\r
  //              /                               \_\r
  //       [SecureBoot]=0                     [SecureBoot]=1\r
  // (read-only, standardized by UEFI)  (read-only, standardized by UEFI)\r
  //     images are not verified         images are verified, platform is\r
  //                                      operating in Secure Boot mode\r
  //                                                 |\r
  //                                                 |\r
  //                                           [CustomMode]\r
  //                          (read-write, edk2-specific, boot service only)\r
  //                                /                           \_\r
  //                          0, default                         1\r
  //                              /                               \_\r
  //                      PK, KEK, db, dbx                PK, KEK, db, dbx\r
  //                    updates are verified          updates are not verified\r
  //\r
  Status = GetSettings (&Settings);\r
  if (EFI_ERROR (Status)) {\r
    goto FreePkKek1;\r
  }\r
  PrintSettings (&Settings);\r
\r
  if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||\r
      Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||\r
      Settings.VendorKeys != 0) {\r
    AsciiPrint ("error: unexpected\n");\r
    goto FreePkKek1;\r
  }\r
\r
  AsciiPrint ("info: success\n");\r
  RetVal = 0;\r
\r
FreePkKek1:\r
  FreePool (PkKek1);\r
\r
  return RetVal;\r
}\r