--- /dev/null
+/** @file\r
+ Enroll default PK, KEK, db, dbx.\r
+\r
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>\r
+Copyright (c) 2021, Semihalf All rights reserved.<BR>\r
+\r
+SPDX-License-Identifier: BSD-2-Clause-Patent\r
+**/\r
+\r
+#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid\r
+#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME\r
+#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE\r
+#include <Library/BaseLib.h> // GUID_STRING_LENGTH\r
+#include <Library/BaseMemoryLib.h> // CopyGuid()\r
+#include <Library/DebugLib.h> // ASSERT()\r
+#include <Library/MemoryAllocationLib.h> // FreePool()\r
+#include <Library/PrintLib.h> // AsciiSPrint()\r
+#include <Library/UefiBootServicesTableLib.h> // gBS\r
+#include <Library/UefiLib.h> // AsciiPrint()\r
+#include <Library/UefiRuntimeServicesTableLib.h> // gRT\r
+#include <Uefi/UefiMultiPhase.h>\r
+#include <Library/SecureBootVariableLib.h>\r
+#include <Library/SecureBootVariableProvisionLib.h>\r
+\r
+/**\r
+ Entry point function of this shell application.\r
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.\r
+ @param[in] SystemTable A pointer to the EFI System Table.\r
+\r
+ @retval 0 The entry point is executed successfully.\r
+ @retval other Some error occurs when executing this entry point.\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+UefiMain (\r
+ IN EFI_HANDLE ImageHandle,\r
+ IN EFI_SYSTEM_TABLE *SystemTable\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ UINT8 SetupMode;\r
+\r
+ Status = GetSetupMode (&SetupMode);\r
+ if (EFI_ERROR (Status)) {\r
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot get SetupMode variable: %r\n", Status);\r
+ return 1;\r
+ }\r
+\r
+ if (SetupMode == USER_MODE) {\r
+ AsciiPrint ("EnrollFromDefaultKeysApp: Skipped - USER_MODE\n");\r
+ return 1;\r
+ }\r
+\r
+ Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);\r
+ if (EFI_ERROR (Status)) {\r
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);\r
+ return 1;\r
+ }\r
+\r
+ Status = EnrollDbFromDefault ();\r
+ if (EFI_ERROR (Status)) {\r
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll db: %r\n", Status);\r
+ goto error;\r
+ }\r
+\r
+ Status = EnrollDbxFromDefault ();\r
+ if (EFI_ERROR (Status)) {\r
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbt: %r\n", Status);\r
+ }\r
+\r
+ Status = EnrollDbtFromDefault ();\r
+ if (EFI_ERROR (Status)) {\r
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbx: %r\n", Status);\r
+ }\r
+\r
+ Status = EnrollKEKFromDefault ();\r
+ if (EFI_ERROR (Status)) {\r
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll KEK: %r\n", Status);\r
+ goto cleardbs;\r
+ }\r
+\r
+ Status = EnrollPKFromDefault ();\r
+ if (EFI_ERROR (Status)) {\r
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll PK: %r\n", Status);\r
+ goto clearKEK;\r
+ }\r
+\r
+ Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);\r
+ if (EFI_ERROR (Status)) {\r
+ AsciiPrint (\r
+ "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"\r
+ "Please do it manually, otherwise system can be easily compromised\n"\r
+ );\r
+ }\r
+ return 0;\r
+\r
+clearKEK:\r
+ DeleteKEK ();\r
+\r
+cleardbs:\r
+ DeleteDbt ();\r
+ DeleteDbx ();\r
+ DeleteDb ();\r
+\r
+error:\r
+ Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);\r
+ if (EFI_ERROR (Status)) {\r
+ AsciiPrint (\r
+ "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"\r
+ "Please do it manually, otherwise system can be easily compromised\n"\r
+ );\r
+ }\r
+\r
+ return 1;\r
+}\r
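Review bot: The failure messages for dbx and dbt are swapped: the EnrollDbxFromDefault() branch prints `Cannot enroll dbt` and the EnrollDbtFromDefault() branch prints `Cannot enroll dbx`, which will misdirect whoever debugs a failed enrollment; exchange the two strings so each names the database actually being enrolled. Neither of those failures aborts the sequence, so a missing or unreadable dbxDefault still ends with PK enrolled and the platform leaving setup mode with no revocation list — if that is intended because the dbx/dbt defaults are optional on some platforms, a one-line comment saying so would help, otherwise a `goto cleardbs;` after the dbx failure is the safer default. The `return 0;` that follows the final SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) call also reports success when that call failed and CustomMode was left enabled; returning 1 there, as the error path does, lets a calling script detect the state the printed warning describes. The unused includes (BaseLib, BaseMemoryLib, DebugLib, MemoryAllocationLib, PrintLib, gBS, gRT) can be dropped along with their comments, since nothing in UefiMain uses them.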
--- /dev/null
+## @file\r
+# Enroll PK, KEK, db, dbx from Default variables\r
+#\r
+# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>\r
+# Copyright (c) 2021, Semihalf All rights reserved.<BR>\r
+# SPDX-License-Identifier: BSD-2-Clause-Patent\r
+##\r
+\r
+[Defines]\r
+ INF_VERSION = 1.28\r
+ BASE_NAME = EnrollFromDefaultKeysApp\r
+ FILE_GUID = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E\r
+ MODULE_TYPE = UEFI_APPLICATION\r
+ VERSION_STRING = 0.1\r
+ ENTRY_POINT = UefiMain\r
+\r
+[Sources]\r
+ EnrollFromDefaultKeysApp.c\r
+\r
+[Packages]\r
+ MdeModulePkg/MdeModulePkg.dec\r
+ MdePkg/MdePkg.dec\r
+ SecurityPkg/SecurityPkg.dec\r
+\r
+[Guids]\r
+ gEfiCertPkcs7Guid\r
+ gEfiCertSha256Guid\r
+ gEfiCertX509Guid\r
+ gEfiCustomModeEnableGuid\r
+ gEfiGlobalVariableGuid\r
+ gEfiImageSecurityDatabaseGuid\r
+ gEfiSecureBootEnableDisableGuid\r
+\r
+[Protocols]\r
+ gEfiSmbiosProtocolGuid ## CONSUMES\r
+\r
+[LibraryClasses]\r
+ BaseLib\r
+ BaseMemoryLib\r
+ DebugLib\r
+ MemoryAllocationLib\r
+ PrintLib\r
+ UefiApplicationEntryPoint\r
+ UefiBootServicesTableLib\r
+ UefiLib\r
+ UefiRuntimeServicesTableLib\r
+ SecureBootVariableLib\r
+ SecureBootVariableProvisionLib\r
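Review bot: `gEfiSmbiosProtocolGuid ## CONSUMES` under [Protocols] is not backed by anything in EnrollFromDefaultKeysApp.c — the source includes no SMBIOS header and calls no SMBIOS API — so it reads as a leftover and should be removed unless one of the SecureBoot libraries needs it, in which case that library's own INF is where the dependency belongs. The same applies to gEfiCertPkcs7Guid, gEfiCertSha256Guid, gEfiCertX509Guid and gEfiSecureBootEnableDisableGuid in [Guids], none of which the application source references; keeping only gEfiCustomModeEnableGuid, gEfiGlobalVariableGuid and gEfiImageSecurityDatabaseGuid matches the includes actually used. Extra declarations are harmless at build time but make the app's real footprint harder to audit.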