[mirror_edk2.git] / SecurityPkg / Library / SecureBootVariableProvisionLib / SecureBootVariableProvisionLib.c

/** @file\r
  This library provides functions to set/clear Secure Boot\r
  keys and databases.\r
\r
  Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>\r
  (C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>\r
  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>\r
  Copyright (c) 2021, Semihalf All rights reserved.<BR>\r
  SPDX-License-Identifier: BSD-2-Clause-Patent\r
**/\r
#include <Uefi.h>\r
#include <UefiSecureBoot.h>\r
#include <Guid/GlobalVariable.h>\r
#include <Guid/AuthenticatedVariableFormat.h>\r
#include <Guid/ImageAuthentication.h>\r
#include <Library/BaseLib.h>\r
#include <Library/BaseCryptLib.h>\r
#include <Library/BaseMemoryLib.h>\r
#include <Library/DebugLib.h>\r
#include <Library/UefiLib.h>\r
#include <Library/MemoryAllocationLib.h>\r
#include <Library/UefiRuntimeServicesTableLib.h>\r
#include <Library/SecureBootVariableLib.h>\r
#include <Library/SecureBootVariableProvisionLib.h>\r
#include <Library/DxeServicesLib.h>\r
\r
/**\r
  Create a EFI Signature List with data fetched from section specified as a argument.\r
  Found keys are verified using RsaGetPublicKeyFromX509().\r
\r
  @param[in]        KeyFileGuid    A pointer to to the FFS filename GUID\r
  @param[out]       SigListsSize   A pointer to size of signature list\r
  @param[out]       SigListOut    a pointer to a callee-allocated buffer with signature lists\r
\r
  @retval EFI_SUCCESS              Create time based payload successfully.\r
  @retval EFI_NOT_FOUND            Section with key has not been found.\r
  @retval EFI_INVALID_PARAMETER    Embedded key has a wrong format.\r
  @retval Others                   Unexpected error happens.\r
\r
**/\r
STATIC\r
EFI_STATUS\r
SecureBootFetchData (\r
  IN  EFI_GUID            *KeyFileGuid,\r
  OUT UINTN               *SigListsSize,\r
  OUT EFI_SIGNATURE_LIST  **SigListOut\r
  )\r
{\r
  EFI_SIGNATURE_LIST            *EfiSig;\r
  EFI_STATUS                    Status;\r
  VOID                          *Buffer;\r
  VOID                          *RsaPubKey;\r
  UINTN                         Size;\r
  UINTN                         KeyIndex;\r
  UINTN                         Index;\r
  SECURE_BOOT_CERTIFICATE_INFO  *CertInfo;\r
  SECURE_BOOT_CERTIFICATE_INFO  *NewCertInfo;\r
\r
  KeyIndex      = 0;\r
  EfiSig        = NULL;\r
  *SigListOut   = NULL;\r
  *SigListsSize = 0;\r
  CertInfo      = AllocatePool (sizeof (SECURE_BOOT_CERTIFICATE_INFO));\r
  NewCertInfo   = CertInfo;\r
  while (1) {\r
    if (NewCertInfo == NULL) {\r
      Status = EFI_OUT_OF_RESOURCES;\r
      break;\r
    } else {\r
      CertInfo = NewCertInfo;\r
    }\r
\r
    Status = GetSectionFromAnyFv (\r
               KeyFileGuid,\r
               EFI_SECTION_RAW,\r
               KeyIndex,\r
               &Buffer,\r
               &Size\r
               );\r
\r
    if (Status == EFI_SUCCESS) {\r
      RsaPubKey = NULL;\r
      if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {\r
        DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));\r
        if (EfiSig != NULL) {\r
          FreePool (EfiSig);\r
        }\r
\r
        FreePool (Buffer);\r
        Status = EFI_INVALID_PARAMETER;\r
        break;\r
      }\r
\r
      CertInfo[KeyIndex].Data     = Buffer;\r
      CertInfo[KeyIndex].DataSize = Size;\r
      KeyIndex++;\r
      NewCertInfo = ReallocatePool (\r
                      sizeof (SECURE_BOOT_CERTIFICATE_INFO) * KeyIndex,\r
                      sizeof (SECURE_BOOT_CERTIFICATE_INFO) * (KeyIndex + 1),\r
                      CertInfo\r
                      );\r
    }\r
\r
    if (Status == EFI_NOT_FOUND) {\r
      Status = EFI_SUCCESS;\r
      break;\r
    }\r
  }\r
\r
  if (EFI_ERROR (Status)) {\r
    goto Cleanup;\r
  }\r
\r
  if (KeyIndex == 0) {\r
    Status = EFI_NOT_FOUND;\r
    goto Cleanup;\r
  }\r
\r
  // Now that we collected all certs from FV, convert it into sig list\r
  Status = SecureBootCreateDataFromInput (SigListsSize, SigListOut, KeyIndex, CertInfo);\r
  if (EFI_ERROR (Status)) {\r
    goto Cleanup;\r
  }\r
\r
Cleanup:\r
  if (CertInfo) {\r
    for (Index = 0; Index < KeyIndex; Index++) {\r
      FreePool ((VOID *)CertInfo[Index].Data);\r
    }\r
\r
    FreePool (CertInfo);\r
  }\r
\r
  return Status;\r
}\r
\r
/**\r
  Enroll a key/certificate based on a default variable.\r
\r
  @param[in] VariableName        The name of the key/database.\r
  @param[in] DefaultName         The name of the default variable.\r
  @param[in] VendorGuid          The namespace (ie. vendor GUID) of the variable\r
\r
  @retval EFI_OUT_OF_RESOURCES   Out of memory while allocating AuthHeader.\r
  @retval EFI_SUCCESS            Successful enrollment.\r
  @return                        Error codes from GetTime () and SetVariable ().\r
**/\r
STATIC\r
EFI_STATUS\r
EnrollFromDefault (\r
  IN CHAR16    *VariableName,\r
  IN CHAR16    *DefaultName,\r
  IN EFI_GUID  *VendorGuid\r
  )\r
{\r
  VOID        *Data;\r
  UINTN       DataSize;\r
  EFI_STATUS  Status;\r
\r
  Status = EFI_SUCCESS;\r
\r
  DataSize = 0;\r
  Status   = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &DataSize);\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName, Status));\r
    return Status;\r
  }\r
\r
  Status = EnrollFromInput (VariableName, VendorGuid, DataSize, Data);\r
\r
  if (Data != NULL) {\r
    FreePool (Data);\r
  }\r
\r
  return Status;\r
}\r
\r
/** Initializes PKDefault variable with data from FFS section.\r
\r
  @retval  EFI_SUCCESS           Variable was initialized successfully.\r
  @retval  EFI_UNSUPPORTED       Variable already exists.\r
**/\r
EFI_STATUS\r
SecureBootInitPKDefault (\r
  IN VOID\r
  )\r
{\r
  EFI_SIGNATURE_LIST  *EfiSig;\r
  UINTN               SigListsSize;\r
  EFI_STATUS          Status;\r
  UINT8               *Data;\r
  UINTN               DataSize;\r
\r
  //\r
  // Check if variable exists, if so do not change it\r
  //\r
  Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
  if (Status == EFI_SUCCESS) {\r
    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));\r
    FreePool (Data);\r
    return EFI_UNSUPPORTED;\r
  }\r
\r
  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
    return Status;\r
  }\r
\r
  //\r
  // Variable does not exist, can be initialized\r
  //\r
  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));\r
\r
  Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiSig);\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIABLE_NAME));\r
    return Status;\r
  }\r
\r
  Status = gRT->SetVariable (\r
                  EFI_PK_DEFAULT_VARIABLE_NAME,\r
                  &gEfiGlobalVariableGuid,\r
                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
                  SigListsSize,\r
                  (VOID *)EfiSig\r
                  );\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME));\r
  }\r
\r
  FreePool (EfiSig);\r
\r
  return Status;\r
}\r
\r
/** Initializes KEKDefault variable with data from FFS section.\r
\r
  @retval  EFI_SUCCESS           Variable was initialized successfully.\r
  @retval  EFI_UNSUPPORTED       Variable already exists.\r
**/\r
EFI_STATUS\r
SecureBootInitKEKDefault (\r
  IN VOID\r
  )\r
{\r
  EFI_SIGNATURE_LIST  *EfiSig;\r
  UINTN               SigListsSize;\r
  EFI_STATUS          Status;\r
  UINT8               *Data;\r
  UINTN               DataSize;\r
\r
  //\r
  // Check if variable exists, if so do not change it\r
  //\r
  Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
  if (Status == EFI_SUCCESS) {\r
    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));\r
    FreePool (Data);\r
    return EFI_UNSUPPORTED;\r
  }\r
\r
  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
    return Status;\r
  }\r
\r
  //\r
  // Variable does not exist, can be initialized\r
  //\r
  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VARIABLE_NAME));\r
\r
  Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &EfiSig);\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARIABLE_NAME));\r
    return Status;\r
  }\r
\r
  Status = gRT->SetVariable (\r
                  EFI_KEK_DEFAULT_VARIABLE_NAME,\r
                  &gEfiGlobalVariableGuid,\r
                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
                  SigListsSize,\r
                  (VOID *)EfiSig\r
                  );\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAME));\r
  }\r
\r
  FreePool (EfiSig);\r
\r
  return Status;\r
}\r
\r
/** Initializes dbDefault variable with data from FFS section.\r
\r
  @retval  EFI_SUCCESS           Variable was initialized successfully.\r
  @retval  EFI_UNSUPPORTED       Variable already exists.\r
**/\r
EFI_STATUS\r
SecureBootInitDbDefault (\r
  IN VOID\r
  )\r
{\r
  EFI_SIGNATURE_LIST  *EfiSig;\r
  UINTN               SigListsSize;\r
  EFI_STATUS          Status;\r
  UINT8               *Data;\r
  UINTN               DataSize;\r
\r
  Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
  if (Status == EFI_SUCCESS) {\r
    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));\r
    FreePool (Data);\r
    return EFI_UNSUPPORTED;\r
  }\r
\r
  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
    return Status;\r
  }\r
\r
  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));\r
\r
  Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiSig);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  Status = gRT->SetVariable (\r
                  EFI_DB_DEFAULT_VARIABLE_NAME,\r
                  &gEfiGlobalVariableGuid,\r
                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
                  SigListsSize,\r
                  (VOID *)EfiSig\r
                  );\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NAME));\r
  }\r
\r
  FreePool (EfiSig);\r
\r
  return Status;\r
}\r
\r
/** Initializes dbxDefault variable with data from FFS section.\r
\r
  @retval  EFI_SUCCESS           Variable was initialized successfully.\r
  @retval  EFI_UNSUPPORTED       Variable already exists.\r
**/\r
EFI_STATUS\r
SecureBootInitDbxDefault (\r
  IN VOID\r
  )\r
{\r
  EFI_SIGNATURE_LIST  *EfiSig;\r
  UINTN               SigListsSize;\r
  EFI_STATUS          Status;\r
  UINT8               *Data;\r
  UINTN               DataSize;\r
\r
  //\r
  // Check if variable exists, if so do not change it\r
  //\r
  Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
  if (Status == EFI_SUCCESS) {\r
    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));\r
    FreePool (Data);\r
    return EFI_UNSUPPORTED;\r
  }\r
\r
  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
    return Status;\r
  }\r
\r
  //\r
  // Variable does not exist, can be initialized\r
  //\r
  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));\r
\r
  Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig);\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME));\r
    return Status;\r
  }\r
\r
  Status = gRT->SetVariable (\r
                  EFI_DBX_DEFAULT_VARIABLE_NAME,\r
                  &gEfiGlobalVariableGuid,\r
                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
                  SigListsSize,\r
                  (VOID *)EfiSig\r
                  );\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME));\r
  }\r
\r
  FreePool (EfiSig);\r
\r
  return Status;\r
}\r
\r
/** Initializes dbtDefault variable with data from FFS section.\r
\r
  @retval  EFI_SUCCESS           Variable was initialized successfully.\r
  @retval  EFI_UNSUPPORTED       Variable already exists.\r
**/\r
EFI_STATUS\r
SecureBootInitDbtDefault (\r
  IN VOID\r
  )\r
{\r
  EFI_SIGNATURE_LIST  *EfiSig;\r
  UINTN               SigListsSize;\r
  EFI_STATUS          Status;\r
  UINT8               *Data;\r
  UINTN               DataSize;\r
\r
  //\r
  // Check if variable exists, if so do not change it\r
  //\r
  Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
  if (Status == EFI_SUCCESS) {\r
    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));\r
    FreePool (Data);\r
    return EFI_UNSUPPORTED;\r
  }\r
\r
  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
    return Status;\r
  }\r
\r
  //\r
  // Variable does not exist, can be initialized\r
  //\r
  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VARIABLE_NAME));\r
\r
  Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiSig);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  Status = gRT->SetVariable (\r
                  EFI_DBT_DEFAULT_VARIABLE_NAME,\r
                  &gEfiGlobalVariableGuid,\r
                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
                  SigListsSize,\r
                  (VOID *)EfiSig\r
                  );\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAME));\r
  }\r
\r
  FreePool (EfiSig);\r
\r
  return EFI_SUCCESS;\r
}\r
\r
/**\r
  Sets the content of the 'db' variable based on 'dbDefault' variable content.\r
\r
  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
                                    while VendorGuid is NULL.\r
  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()\r
**/\r
EFI_STATUS\r
EFIAPI\r
EnrollDbFromDefault (\r
  VOID\r
  )\r
{\r
  EFI_STATUS  Status;\r
\r
  Status = EnrollFromDefault (\r
             EFI_IMAGE_SECURITY_DATABASE,\r
             EFI_DB_DEFAULT_VARIABLE_NAME,\r
             &gEfiImageSecurityDatabaseGuid\r
             );\r
\r
  return Status;\r
}\r
\r
/**\r
  Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.\r
\r
  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
                                    while VendorGuid is NULL.\r
  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()\r
**/\r
EFI_STATUS\r
EFIAPI\r
EnrollDbxFromDefault (\r
  VOID\r
  )\r
{\r
  EFI_STATUS  Status;\r
\r
  Status = EnrollFromDefault (\r
             EFI_IMAGE_SECURITY_DATABASE1,\r
             EFI_DBX_DEFAULT_VARIABLE_NAME,\r
             &gEfiImageSecurityDatabaseGuid\r
             );\r
\r
  return Status;\r
}\r
\r
/**\r
  Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.\r
\r
  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
                                    while VendorGuid is NULL.\r
  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()\r
**/\r
EFI_STATUS\r
EFIAPI\r
EnrollDbtFromDefault (\r
  VOID\r
  )\r
{\r
  EFI_STATUS  Status;\r
\r
  Status = EnrollFromDefault (\r
             EFI_IMAGE_SECURITY_DATABASE2,\r
             EFI_DBT_DEFAULT_VARIABLE_NAME,\r
             &gEfiImageSecurityDatabaseGuid\r
             );\r
\r
  return Status;\r
}\r
\r
/**\r
  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.\r
\r
  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
                                    while VendorGuid is NULL.\r
  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()\r
**/\r
EFI_STATUS\r
EFIAPI\r
EnrollKEKFromDefault (\r
  VOID\r
  )\r
{\r
  EFI_STATUS  Status;\r
\r
  Status = EnrollFromDefault (\r
             EFI_KEY_EXCHANGE_KEY_NAME,\r
             EFI_KEK_DEFAULT_VARIABLE_NAME,\r
             &gEfiGlobalVariableGuid\r
             );\r
\r
  return Status;\r
}\r
\r
/**\r
  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.\r
\r
  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
                                    while VendorGuid is NULL.\r
  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()\r
**/\r
EFI_STATUS\r
EFIAPI\r
EnrollPKFromDefault (\r
  VOID\r
  )\r
{\r
  EFI_STATUS  Status;\r
\r
  Status = EnrollFromDefault (\r
             EFI_PLATFORM_KEY_NAME,\r
             EFI_PK_DEFAULT_VARIABLE_NAME,\r
             &gEfiGlobalVariableGuid\r
             );\r
\r
  return Status;\r
}\r
Commit	Line	Data
97326596 GB	1	/** @file\r
	2	This library provides functions to set/clear Secure Boot\r
	3	keys and databases.\r
	4	\r
	5	Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>\r
	6	(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>\r
	7	Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>\r
	8	Copyright (c) 2021, Semihalf All rights reserved.<BR>\r
	9	SPDX-License-Identifier: BSD-2-Clause-Patent\r
	10	**/\r
fe73e9cd KQ	11	#include <Uefi.h>\r
fe73e9cd KQ	12	#include <UefiSecureBoot.h>\r
97326596 GB	13	#include <Guid/GlobalVariable.h>\r
	14	#include <Guid/AuthenticatedVariableFormat.h>\r
	15	#include <Guid/ImageAuthentication.h>\r
	16	#include <Library/BaseLib.h>\r
fe73e9cd	17	#include <Library/BaseCryptLib.h>\r
97326596 GB	18	#include <Library/BaseMemoryLib.h>\r
	19	#include <Library/DebugLib.h>\r
	20	#include <Library/UefiLib.h>\r
	21	#include <Library/MemoryAllocationLib.h>\r
	22	#include <Library/UefiRuntimeServicesTableLib.h>\r
	23	#include <Library/SecureBootVariableLib.h>\r
	24	#include <Library/SecureBootVariableProvisionLib.h>\r
fe73e9cd KQ	25	#include <Library/DxeServicesLib.h>\r
	26	\r
	27	/**\r
	28	Create a EFI Signature List with data fetched from section specified as a argument.\r
	29	Found keys are verified using RsaGetPublicKeyFromX509().\r
	30	\r
	31	@param[in] KeyFileGuid A pointer to to the FFS filename GUID\r
	32	@param[out] SigListsSize A pointer to size of signature list\r
	33	@param[out] SigListOut a pointer to a callee-allocated buffer with signature lists\r
	34	\r
	35	@retval EFI_SUCCESS Create time based payload successfully.\r
	36	@retval EFI_NOT_FOUND Section with key has not been found.\r
	37	@retval EFI_INVALID_PARAMETER Embedded key has a wrong format.\r
	38	@retval Others Unexpected error happens.\r
	39	\r
	40	**/\r
	41	STATIC\r
	42	EFI_STATUS\r
	43	SecureBootFetchData (\r
	44	IN EFI_GUID *KeyFileGuid,\r
	45	OUT UINTN *SigListsSize,\r
	46	OUT EFI_SIGNATURE_LIST **SigListOut\r
	47	)\r
	48	{\r
	49	EFI_SIGNATURE_LIST *EfiSig;\r
	50	EFI_STATUS Status;\r
	51	VOID *Buffer;\r
	52	VOID *RsaPubKey;\r
	53	UINTN Size;\r
	54	UINTN KeyIndex;\r
	55	UINTN Index;\r
	56	SECURE_BOOT_CERTIFICATE_INFO *CertInfo;\r
	57	SECURE_BOOT_CERTIFICATE_INFO *NewCertInfo;\r
	58	\r
	59	KeyIndex = 0;\r
	60	EfiSig = NULL;\r
	61	*SigListOut = NULL;\r
	62	*SigListsSize = 0;\r
	63	CertInfo = AllocatePool (sizeof (SECURE_BOOT_CERTIFICATE_INFO));\r
	64	NewCertInfo = CertInfo;\r
	65	while (1) {\r
	66	if (NewCertInfo == NULL) {\r
	67	Status = EFI_OUT_OF_RESOURCES;\r
	68	break;\r
	69	} else {\r
	70	CertInfo = NewCertInfo;\r
	71	}\r
	72	\r
	73	Status = GetSectionFromAnyFv (\r
	74	KeyFileGuid,\r
	75	EFI_SECTION_RAW,\r
	76	KeyIndex,\r
	77	&Buffer,\r
	78	&Size\r
	79	);\r
	80	\r
	81	if (Status == EFI_SUCCESS) {\r
	82	RsaPubKey = NULL;\r
	83	if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {\r
	84	DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));\r
	85	if (EfiSig != NULL) {\r
	86	FreePool (EfiSig);\r
	87	}\r
	88	\r
89	FreePool (Buffer);\r
90	Status = EFI_INVALID_PARAMETER;\r
91	break;\r
92	}\r
93	\r
94	CertInfo[KeyIndex].Data = Buffer;\r
95	CertInfo[KeyIndex].DataSize = Size;\r
96	KeyIndex++;\r
97	NewCertInfo = ReallocatePool (\r
98	sizeof (SECURE_BOOT_CERTIFICATE_INFO) * KeyIndex,\r
99	sizeof (SECURE_BOOT_CERTIFICATE_INFO) * (KeyIndex + 1),\r
100	CertInfo\r
101	);\r
102	}\r
103	\r
104	if (Status == EFI_NOT_FOUND) {\r
105	Status = EFI_SUCCESS;\r
106	break;\r
107	}\r
108	}\r
109	\r
110	if (EFI_ERROR (Status)) {\r
111	goto Cleanup;\r
112	}\r
113	\r
114	if (KeyIndex == 0) {\r
115	Status = EFI_NOT_FOUND;\r
116	goto Cleanup;\r
117	}\r
118	\r
119	// Now that we collected all certs from FV, convert it into sig list\r
120	Status = SecureBootCreateDataFromInput (SigListsSize, SigListOut, KeyIndex, CertInfo);\r
121	if (EFI_ERROR (Status)) {\r
122	goto Cleanup;\r
123	}\r
124	\r
125	Cleanup:\r
126	if (CertInfo) {\r
127	for (Index = 0; Index < KeyIndex; Index++) {\r
128	FreePool ((VOID *)CertInfo[Index].Data);\r
129	}\r
130	\r
131	FreePool (CertInfo);\r
132	}\r
133	\r
134	return Status;\r
135	}\r
97326596 GB	136	\r
	137	/**\r
	138	Enroll a key/certificate based on a default variable.\r
	139	\r
	140	@param[in] VariableName The name of the key/database.\r
	141	@param[in] DefaultName The name of the default variable.\r
	142	@param[in] VendorGuid The namespace (ie. vendor GUID) of the variable\r
	143	\r
	144	@retval EFI_OUT_OF_RESOURCES Out of memory while allocating AuthHeader.\r
	145	@retval EFI_SUCCESS Successful enrollment.\r
	146	@return Error codes from GetTime () and SetVariable ().\r
	147	**/\r
	148	STATIC\r
	149	EFI_STATUS\r
	150	EnrollFromDefault (\r
c411b485 MK	151	IN CHAR16 *VariableName,\r
	152	IN CHAR16 *DefaultName,\r
	153	IN EFI_GUID *VendorGuid\r
97326596 GB	154	)\r
97326596 GB	155	{\r
c411b485	156	VOID *Data;\r
97326596 GB	157	UINTN DataSize;\r
	158	EFI_STATUS Status;\r
	159	\r
	160	Status = EFI_SUCCESS;\r
	161	\r
	162	DataSize = 0;\r
c411b485	163	Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &DataSize);\r
97326596	164	if (EFI_ERROR (Status)) {\r
c411b485 MK	165	DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName, Status));\r
c411b485 MK	166	return Status;\r
97326596 GB	167	}\r
97326596 GB	168	\r
fe73e9cd	169	Status = EnrollFromInput (VariableName, VendorGuid, DataSize, Data);\r
97326596 GB	170	\r
	171	if (Data != NULL) {\r
	172	FreePool (Data);\r
	173	}\r
	174	\r
	175	return Status;\r
	176	}\r
	177	\r
	178	/** Initializes PKDefault variable with data from FFS section.\r
	179	\r
	180	@retval EFI_SUCCESS Variable was initialized successfully.\r
	181	@retval EFI_UNSUPPORTED Variable already exists.\r
	182	**/\r
	183	EFI_STATUS\r
	184	SecureBootInitPKDefault (\r
	185	IN VOID\r
	186	)\r
	187	{\r
c411b485	188	EFI_SIGNATURE_LIST *EfiSig;\r
97326596 GB	189	UINTN SigListsSize;\r
	190	EFI_STATUS Status;\r
	191	UINT8 *Data;\r
	192	UINTN DataSize;\r
	193	\r
	194	//\r
	195	// Check if variable exists, if so do not change it\r
	196	//\r
c411b485	197	Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
97326596 GB	198	if (Status == EFI_SUCCESS) {\r
	199	DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));\r
	200	FreePool (Data);\r
	201	return EFI_UNSUPPORTED;\r
	202	}\r
	203	\r
	204	if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
	205	return Status;\r
	206	}\r
	207	\r
	208	//\r
	209	// Variable does not exist, can be initialized\r
	210	//\r
	211	DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));\r
	212	\r
	213	Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiSig);\r
	214	if (EFI_ERROR (Status)) {\r
	215	DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIABLE_NAME));\r
	216	return Status;\r
	217	}\r
	218	\r
	219	Status = gRT->SetVariable (\r
	220	EFI_PK_DEFAULT_VARIABLE_NAME,\r
	221	&gEfiGlobalVariableGuid,\r
	222	EFI_VARIABLE_RUNTIME_ACCESS \| EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
	223	SigListsSize,\r
	224	(VOID *)EfiSig\r
	225	);\r
	226	if (EFI_ERROR (Status)) {\r
	227	DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME));\r
	228	}\r
	229	\r
	230	FreePool (EfiSig);\r
	231	\r
	232	return Status;\r
	233	}\r
	234	\r
	235	/** Initializes KEKDefault variable with data from FFS section.\r
	236	\r
	237	@retval EFI_SUCCESS Variable was initialized successfully.\r
	238	@retval EFI_UNSUPPORTED Variable already exists.\r
	239	**/\r
	240	EFI_STATUS\r
	241	SecureBootInitKEKDefault (\r
	242	IN VOID\r
	243	)\r
	244	{\r
c411b485	245	EFI_SIGNATURE_LIST *EfiSig;\r
97326596 GB	246	UINTN SigListsSize;\r
97326596 GB	247	EFI_STATUS Status;\r
c411b485	248	UINT8 *Data;\r
97326596 GB	249	UINTN DataSize;\r
	250	\r
	251	//\r
	252	// Check if variable exists, if so do not change it\r
	253	//\r
c411b485	254	Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
97326596 GB	255	if (Status == EFI_SUCCESS) {\r
	256	DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));\r
	257	FreePool (Data);\r
	258	return EFI_UNSUPPORTED;\r
	259	}\r
	260	\r
	261	if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
	262	return Status;\r
	263	}\r
	264	\r
	265	//\r
	266	// Variable does not exist, can be initialized\r
	267	//\r
	268	DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VARIABLE_NAME));\r
	269	\r
	270	Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &EfiSig);\r
	271	if (EFI_ERROR (Status)) {\r
	272	DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARIABLE_NAME));\r
	273	return Status;\r
	274	}\r
	275	\r
97326596 GB	276	Status = gRT->SetVariable (\r
	277	EFI_KEK_DEFAULT_VARIABLE_NAME,\r
	278	&gEfiGlobalVariableGuid,\r
	279	EFI_VARIABLE_RUNTIME_ACCESS \| EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
	280	SigListsSize,\r
	281	(VOID *)EfiSig\r
	282	);\r
	283	if (EFI_ERROR (Status)) {\r
	284	DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAME));\r
	285	}\r
	286	\r
	287	FreePool (EfiSig);\r
	288	\r
	289	return Status;\r
	290	}\r
	291	\r
	292	/** Initializes dbDefault variable with data from FFS section.\r
	293	\r
	294	@retval EFI_SUCCESS Variable was initialized successfully.\r
	295	@retval EFI_UNSUPPORTED Variable already exists.\r
	296	**/\r
	297	EFI_STATUS\r
	298	SecureBootInitDbDefault (\r
	299	IN VOID\r
	300	)\r
	301	{\r
c411b485	302	EFI_SIGNATURE_LIST *EfiSig;\r
97326596 GB	303	UINTN SigListsSize;\r
97326596 GB	304	EFI_STATUS Status;\r
c411b485	305	UINT8 *Data;\r
97326596 GB	306	UINTN DataSize;\r
97326596 GB	307	\r
c411b485	308	Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
97326596 GB	309	if (Status == EFI_SUCCESS) {\r
	310	DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));\r
	311	FreePool (Data);\r
	312	return EFI_UNSUPPORTED;\r
	313	}\r
	314	\r
	315	if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
	316	return Status;\r
	317	}\r
	318	\r
	319	DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));\r
	320	\r
	321	Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiSig);\r
	322	if (EFI_ERROR (Status)) {\r
c411b485	323	return Status;\r
97326596 GB	324	}\r
	325	\r
	326	Status = gRT->SetVariable (\r
	327	EFI_DB_DEFAULT_VARIABLE_NAME,\r
	328	&gEfiGlobalVariableGuid,\r
	329	EFI_VARIABLE_RUNTIME_ACCESS \| EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
	330	SigListsSize,\r
	331	(VOID *)EfiSig\r
	332	);\r
	333	if (EFI_ERROR (Status)) {\r
c411b485	334	DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NAME));\r
97326596 GB	335	}\r
	336	\r
	337	FreePool (EfiSig);\r
	338	\r
	339	return Status;\r
	340	}\r
	341	\r
	342	/** Initializes dbxDefault variable with data from FFS section.\r
	343	\r
	344	@retval EFI_SUCCESS Variable was initialized successfully.\r
	345	@retval EFI_UNSUPPORTED Variable already exists.\r
	346	**/\r
	347	EFI_STATUS\r
	348	SecureBootInitDbxDefault (\r
	349	IN VOID\r
	350	)\r
	351	{\r
c411b485	352	EFI_SIGNATURE_LIST *EfiSig;\r
97326596 GB	353	UINTN SigListsSize;\r
97326596 GB	354	EFI_STATUS Status;\r
c411b485	355	UINT8 *Data;\r
97326596 GB	356	UINTN DataSize;\r
	357	\r
	358	//\r
	359	// Check if variable exists, if so do not change it\r
	360	//\r
c411b485	361	Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
97326596 GB	362	if (Status == EFI_SUCCESS) {\r
	363	DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));\r
	364	FreePool (Data);\r
	365	return EFI_UNSUPPORTED;\r
	366	}\r
	367	\r
	368	if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
	369	return Status;\r
	370	}\r
	371	\r
	372	//\r
	373	// Variable does not exist, can be initialized\r
	374	//\r
	375	DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));\r
	376	\r
	377	Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig);\r
	378	if (EFI_ERROR (Status)) {\r
	379	DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME));\r
	380	return Status;\r
	381	}\r
	382	\r
	383	Status = gRT->SetVariable (\r
	384	EFI_DBX_DEFAULT_VARIABLE_NAME,\r
	385	&gEfiGlobalVariableGuid,\r
	386	EFI_VARIABLE_RUNTIME_ACCESS \| EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
	387	SigListsSize,\r
	388	(VOID *)EfiSig\r
	389	);\r
	390	if (EFI_ERROR (Status)) {\r
	391	DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME));\r
	392	}\r
	393	\r
	394	FreePool (EfiSig);\r
	395	\r
	396	return Status;\r
	397	}\r
	398	\r
	399	/** Initializes dbtDefault variable with data from FFS section.\r
	400	\r
	401	@retval EFI_SUCCESS Variable was initialized successfully.\r
	402	@retval EFI_UNSUPPORTED Variable already exists.\r
	403	**/\r
	404	EFI_STATUS\r
	405	SecureBootInitDbtDefault (\r
	406	IN VOID\r
	407	)\r
	408	{\r
c411b485	409	EFI_SIGNATURE_LIST *EfiSig;\r
97326596 GB	410	UINTN SigListsSize;\r
97326596 GB	411	EFI_STATUS Status;\r
c411b485	412	UINT8 *Data;\r
97326596 GB	413	UINTN DataSize;\r
	414	\r
	415	//\r
	416	// Check if variable exists, if so do not change it\r
	417	//\r
c411b485	418	Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
97326596 GB	419	if (Status == EFI_SUCCESS) {\r
	420	DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));\r
	421	FreePool (Data);\r
	422	return EFI_UNSUPPORTED;\r
	423	}\r
	424	\r
	425	if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
	426	return Status;\r
	427	}\r
	428	\r
	429	//\r
	430	// Variable does not exist, can be initialized\r
	431	//\r
	432	DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VARIABLE_NAME));\r
	433	\r
	434	Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiSig);\r
	435	if (EFI_ERROR (Status)) {\r
c411b485	436	return Status;\r
97326596 GB	437	}\r
	438	\r
	439	Status = gRT->SetVariable (\r
	440	EFI_DBT_DEFAULT_VARIABLE_NAME,\r
	441	&gEfiGlobalVariableGuid,\r
	442	EFI_VARIABLE_RUNTIME_ACCESS \| EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
	443	SigListsSize,\r
	444	(VOID *)EfiSig\r
	445	);\r
	446	if (EFI_ERROR (Status)) {\r
	447	DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAME));\r
	448	}\r
	449	\r
	450	FreePool (EfiSig);\r
	451	\r
	452	return EFI_SUCCESS;\r
	453	}\r
	454	\r
	455	/**\r
	456	Sets the content of the 'db' variable based on 'dbDefault' variable content.\r
	457	\r
	458	@retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
	459	while VendorGuid is NULL.\r
	460	@retval other Errors from GetVariable2 (), GetTime () and SetVariable ()\r
	461	**/\r
	462	EFI_STATUS\r
	463	EFIAPI\r
	464	EnrollDbFromDefault (\r
	465	VOID\r
c411b485	466	)\r
97326596	467	{\r
c411b485	468	EFI_STATUS Status;\r
97326596 GB	469	\r
	470	Status = EnrollFromDefault (\r
	471	EFI_IMAGE_SECURITY_DATABASE,\r
	472	EFI_DB_DEFAULT_VARIABLE_NAME,\r
	473	&gEfiImageSecurityDatabaseGuid\r
	474	);\r
	475	\r
	476	return Status;\r
	477	}\r
	478	\r
	479	/**\r
	480	Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.\r
	481	\r
	482	@retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
	483	while VendorGuid is NULL.\r
	484	@retval other Errors from GetVariable2 (), GetTime () and SetVariable ()\r
	485	**/\r
	486	EFI_STATUS\r
	487	EFIAPI\r
	488	EnrollDbxFromDefault (\r
	489	VOID\r
c411b485	490	)\r
97326596	491	{\r
c411b485	492	EFI_STATUS Status;\r
97326596 GB	493	\r
	494	Status = EnrollFromDefault (\r
	495	EFI_IMAGE_SECURITY_DATABASE1,\r
	496	EFI_DBX_DEFAULT_VARIABLE_NAME,\r
	497	&gEfiImageSecurityDatabaseGuid\r
	498	);\r
	499	\r
	500	return Status;\r
	501	}\r
	502	\r
	503	/**\r
	504	Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.\r
	505	\r
	506	@retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
	507	while VendorGuid is NULL.\r
	508	@retval other Errors from GetVariable2 (), GetTime () and SetVariable ()\r
	509	**/\r
	510	EFI_STATUS\r
	511	EFIAPI\r
	512	EnrollDbtFromDefault (\r
	513	VOID\r
c411b485	514	)\r
97326596	515	{\r
c411b485	516	EFI_STATUS Status;\r
97326596 GB	517	\r
	518	Status = EnrollFromDefault (\r
	519	EFI_IMAGE_SECURITY_DATABASE2,\r
	520	EFI_DBT_DEFAULT_VARIABLE_NAME,\r
c411b485 MK	521	&gEfiImageSecurityDatabaseGuid\r
c411b485 MK	522	);\r
97326596 GB	523	\r
	524	return Status;\r
	525	}\r
	526	\r
	527	/**\r
	528	Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.\r
	529	\r
	530	@retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
	531	while VendorGuid is NULL.\r
	532	@retval other Errors from GetVariable2 (), GetTime () and SetVariable ()\r
	533	**/\r
	534	EFI_STATUS\r
	535	EFIAPI\r
	536	EnrollKEKFromDefault (\r
	537	VOID\r
c411b485	538	)\r
97326596	539	{\r
c411b485	540	EFI_STATUS Status;\r
97326596 GB	541	\r
	542	Status = EnrollFromDefault (\r
	543	EFI_KEY_EXCHANGE_KEY_NAME,\r
	544	EFI_KEK_DEFAULT_VARIABLE_NAME,\r
	545	&gEfiGlobalVariableGuid\r
	546	);\r
	547	\r
	548	return Status;\r
	549	}\r
	550	\r
	551	/**\r
	552	Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.\r
	553	\r
	554	@retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
	555	while VendorGuid is NULL.\r
	556	@retval other Errors from GetVariable2 (), GetTime () and SetVariable ()\r
	557	**/\r
	558	EFI_STATUS\r
	559	EFIAPI\r
	560	EnrollPKFromDefault (\r
	561	VOID\r
c411b485	562	)\r
97326596	563	{\r
c411b485	564	EFI_STATUS Status;\r
97326596 GB	565	\r
	566	Status = EnrollFromDefault (\r
	567	EFI_PLATFORM_KEY_NAME,\r
	568	EFI_PK_DEFAULT_VARIABLE_NAME,\r
	569	&gEfiGlobalVariableGuid\r
	570	);\r
	571	\r
	572	return Status;\r
	573	}\r