--- /dev/null
+/** @file\r
+ Provides a helper functions for creating variable authenticated\r
+ payloads, signature lists related to secure boot keys.\r
+\r
+Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>\r
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>\r
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>\r
+Copyright (c) 2021, Semihalf All rights reserved.<BR>\r
+SPDX-License-Identifier: BSD-2-Clause-Patent\r
+\r
+**/\r
+\r
+#ifndef SECURE_BOOT_VARIABLE_LIB_H_\r
+#define SECURE_BOOT_VARIABLE_LIB_H_\r
+\r
+/**\r
+ Set the platform secure boot mode into "Custom" or "Standard" mode.\r
+\r
+ @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or\r
+ CUSTOM_SECURE_BOOT_MODE.\r
+\r
+ @return EFI_SUCCESS The platform has switched to the special mode successfully.\r
+ @return other Fail to operate the secure boot mode.\r
+\r
+--*/\r
+EFI_STATUS\r
+SetSecureBootMode (\r
+ IN UINT8 SecureBootMode\r
+);\r
+\r
+/**\r
+ Fetches the value of SetupMode variable.\r
+\r
+ @param[out] SetupMode Pointer to UINT8 for SetupMode output\r
+\r
+ @retval other Error codes from GetVariable.\r
+--*/\r
+EFI_STATUS\r
+EFIAPI\r
+GetSetupMode (\r
+ OUT UINT8 *SetupMode\r
+);\r
+\r
+/**\r
+ Create a EFI Signature List with data fetched from section specified as a argument.\r
+ Found keys are verified using RsaGetPublicKeyFromX509().\r
+\r
+ @param[in] KeyFileGuid A pointer to to the FFS filename GUID\r
+ @param[out] SigListsSize A pointer to size of signature list\r
+ @param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists\r
+\r
+ @retval EFI_SUCCESS Create time based payload successfully.\r
+ @retval EFI_NOT_FOUND Section with key has not been found.\r
+ @retval EFI_INVALID_PARAMETER Embedded key has a wrong format.\r
+ @retval Others Unexpected error happens.\r
+\r
+--*/\r
+EFI_STATUS\r
+SecureBootFetchData (\r
+ IN EFI_GUID *KeyFileGuid,\r
+ OUT UINTN *SigListsSize,\r
+ OUT EFI_SIGNATURE_LIST **SigListOut\r
+);\r
+\r
+/**\r
+ Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2\r
+ descriptor with the input data. NO authentication is required in this function.\r
+\r
+ @param[in, out] DataSize On input, the size of Data buffer in bytes.\r
+ On output, the size of data returned in Data\r
+ buffer in bytes.\r
+ @param[in, out] Data On input, Pointer to data buffer to be wrapped or\r
+ pointer to NULL to wrap an empty payload.\r
+ On output, Pointer to the new payload date buffer allocated from pool,\r
+ it's caller's responsibility to free the memory when finish using it.\r
+\r
+ @retval EFI_SUCCESS Create time based payload successfully.\r
+ @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval Others Unexpected error happens.\r
+\r
+--*/\r
+EFI_STATUS\r
+CreateTimeBasedPayload (\r
+ IN OUT UINTN *DataSize,\r
+ IN OUT UINT8 **Data\r
+);\r
+\r
+/**\r
+ Clears the content of the 'db' variable.\r
+\r
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
+ while VendorGuid is NULL.\r
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()\r
+--*/\r
+EFI_STATUS\r
+EFIAPI\r
+DeleteDb (\r
+ VOID\r
+);\r
+\r
+/**\r
+ Clears the content of the 'dbx' variable.\r
+\r
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
+ while VendorGuid is NULL.\r
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()\r
+--*/\r
+EFI_STATUS\r
+EFIAPI\r
+DeleteDbx (\r
+ VOID\r
+);\r
+\r
+/**\r
+ Clears the content of the 'dbt' variable.\r
+\r
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
+ while VendorGuid is NULL.\r
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()\r
+--*/\r
+EFI_STATUS\r
+EFIAPI\r
+DeleteDbt (\r
+ VOID\r
+);\r
+\r
+/**\r
+ Clears the content of the 'KEK' variable.\r
+\r
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
+ while VendorGuid is NULL.\r
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()\r
+--*/\r
+EFI_STATUS\r
+EFIAPI\r
+DeleteKEK (\r
+ VOID\r
+);\r
+\r
+/**\r
+ Clears the content of the 'PK' variable.\r
+\r
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
+ while VendorGuid is NULL.\r
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()\r
+--*/\r
+EFI_STATUS\r
+EFIAPI\r
+DeletePlatformKey (\r
+ VOID\r
+);\r
+#endif\r
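Review bot: DeletePlatformKey is documented here as only clearing the 'PK' variable, but the implementation in the accompanying .c file first forces CUSTOM_SECURE_BOOT_MODE and never restores the previous mode, a policy side effect a caller of this public API needs to know about; add to its header comment `Note: switches the platform to CUSTOM_SECURE_BOOT_MODE before deleting PK and leaves it there; callers that need STANDARD_SECURE_BOOT_MODE afterwards must restore it themselves.` The declarations are also inconsistent in calling convention: GetSetupMode and the Delete* functions carry EFIAPI while SetSecureBootMode, SecureBootFetchData and CreateTimeBasedPayload do not, so one convention should be used for the whole public API. The doc block for SecureBootFetchData names the third parameter `SigListsOut` while the prototype names it `SigListOut`, and the `--*/` closers on every comment block in this header differ from the `**/` form used in the file header and throughout the .c file.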
--- /dev/null
+/** @file\r
+ This library provides helper functions to set/clear Secure Boot\r
+ keys and databases.\r
+\r
+ Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>\r
+ (C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>\r
+ Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>\r
+ Copyright (c) 2021, Semihalf All rights reserved.<BR>\r
+ SPDX-License-Identifier: BSD-2-Clause-Patent\r
+**/\r
+#include <Guid/GlobalVariable.h>\r
+#include <Guid/AuthenticatedVariableFormat.h>\r
+#include <Guid/ImageAuthentication.h>\r
+#include <Library/BaseCryptLib.h>\r
+#include <Library/BaseLib.h>\r
+#include <Library/BaseMemoryLib.h>\r
+#include <Library/DebugLib.h>\r
+#include <Library/UefiLib.h>\r
+#include <Library/MemoryAllocationLib.h>\r
+#include <Library/UefiRuntimeServicesTableLib.h>\r
+#include <Library/SecureBootVariableLib.h>\r
+#include "Library/DxeServicesLib.h"\r
+\r
+/** Creates EFI Signature List structure.\r
+\r
+ @param[in] Data A pointer to signature data.\r
+ @param[in] Size Size of signature data.\r
+ @param[out] SigList Created Signature List.\r
+\r
+ @retval EFI_SUCCESS Signature List was created successfully.\r
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.\r
+**/\r
+STATIC\r
+EFI_STATUS\r
+CreateSigList (\r
+ IN VOID *Data,\r
+ IN UINTN Size,\r
+ OUT EFI_SIGNATURE_LIST **SigList\r
+ )\r
+{\r
+ UINTN SigListSize;\r
+ EFI_SIGNATURE_LIST *TmpSigList;\r
+ EFI_SIGNATURE_DATA *SigData;\r
+\r
+ //\r
+ // Allocate data for Signature Database\r
+ //\r
+ SigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + Size;\r
+ TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize);\r
+ if (TmpSigList == NULL) {\r
+ return EFI_OUT_OF_RESOURCES;\r
+ }\r
+\r
+ //\r
+ // Only gEfiCertX509Guid type is supported\r
+ //\r
+ TmpSigList->SignatureListSize = (UINT32)SigListSize;\r
+ TmpSigList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + Size);\r
+ TmpSigList->SignatureHeaderSize = 0;\r
+ CopyGuid (&TmpSigList->SignatureType, &gEfiCertX509Guid);\r
+\r
+ //\r
+ // Copy key data\r
+ //\r
+ SigData = (EFI_SIGNATURE_DATA *) (TmpSigList + 1);\r
+ CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVariableGuid);\r
+ CopyMem (&SigData->SignatureData[0], Data, Size);\r
+\r
+ *SigList = TmpSigList;\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/** Adds new signature list to signature database.\r
+\r
+ @param[in] SigLists A pointer to signature database.\r
+ @param[in] SigListAppend A signature list to be added.\r
+ @param[out] *SigListOut Created signature database.\r
+ @param[in, out] SigListsSize A size of created signature database.\r
+\r
+ @retval EFI_SUCCESS Signature List was added successfully.\r
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.\r
+**/\r
+STATIC\r
+EFI_STATUS\r
+ConcatenateSigList (\r
+ IN EFI_SIGNATURE_LIST *SigLists,\r
+ IN EFI_SIGNATURE_LIST *SigListAppend,\r
+ OUT EFI_SIGNATURE_LIST **SigListOut,\r
+ IN OUT UINTN *SigListsSize\r
+)\r
+{\r
+ EFI_SIGNATURE_LIST *TmpSigList;\r
+ UINT8 *Offset;\r
+ UINTN NewSigListsSize;\r
+\r
+ NewSigListsSize = *SigListsSize + SigListAppend->SignatureListSize;\r
+\r
+ TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize);\r
+ if (TmpSigList == NULL) {\r
+ return EFI_OUT_OF_RESOURCES;\r
+ }\r
+\r
+ CopyMem (TmpSigList, SigLists, *SigListsSize);\r
+\r
+ Offset = (UINT8 *)TmpSigList;\r
+ Offset += *SigListsSize;\r
+ CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize);\r
+\r
+ *SigListsSize = NewSigListsSize;\r
+ *SigListOut = TmpSigList;\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Create a EFI Signature List with data fetched from section specified as a argument.\r
+ Found keys are verified using RsaGetPublicKeyFromX509().\r
+\r
+ @param[in] KeyFileGuid A pointer to to the FFS filename GUID\r
+ @param[out] SigListsSize A pointer to size of signature list\r
+ @param[out] SigListOut a pointer to a callee-allocated buffer with signature lists\r
+\r
+ @retval EFI_SUCCESS Create time based payload successfully.\r
+ @retval EFI_NOT_FOUND Section with key has not been found.\r
+ @retval EFI_INVALID_PARAMETER Embedded key has a wrong format.\r
+ @retval Others Unexpected error happens.\r
+\r
+**/\r
+EFI_STATUS\r
+SecureBootFetchData (\r
+ IN EFI_GUID *KeyFileGuid,\r
+ OUT UINTN *SigListsSize,\r
+ OUT EFI_SIGNATURE_LIST **SigListOut\r
+)\r
+{\r
+ EFI_SIGNATURE_LIST *EfiSig;\r
+ EFI_SIGNATURE_LIST *TmpEfiSig;\r
+ EFI_SIGNATURE_LIST *TmpEfiSig2;\r
+ EFI_STATUS Status;\r
+ VOID *Buffer;\r
+ VOID *RsaPubKey;\r
+ UINTN Size;\r
+ UINTN KeyIndex;\r
+\r
+\r
+ KeyIndex = 0;\r
+ EfiSig = NULL;\r
+ *SigListsSize = 0;\r
+ while (1) {\r
+ Status = GetSectionFromAnyFv (\r
+ KeyFileGuid,\r
+ EFI_SECTION_RAW,\r
+ KeyIndex,\r
+ &Buffer,\r
+ &Size\r
+ );\r
+\r
+ if (Status == EFI_SUCCESS) {\r
+ RsaPubKey = NULL;\r
+ if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {\r
+ DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));\r
+ if (EfiSig != NULL) {\r
+ FreePool(EfiSig);\r
+ }\r
+ FreePool(Buffer);\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Status = CreateSigList (Buffer, Size, &TmpEfiSig);\r
+\r
+ //\r
+ // Concatenate lists if more than one section found\r
+ //\r
+ if (KeyIndex == 0) {\r
+ EfiSig = TmpEfiSig;\r
+ *SigListsSize = TmpEfiSig->SignatureListSize;\r
+ } else {\r
+ ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize);\r
+ FreePool (EfiSig);\r
+ FreePool (TmpEfiSig);\r
+ EfiSig = TmpEfiSig2;\r
+ }\r
+\r
+ KeyIndex++;\r
+ FreePool (Buffer);\r
+ } if (Status == EFI_NOT_FOUND) {\r
+ break;\r
+ }\r
+ };\r
+\r
+ if (KeyIndex == 0) {\r
+ return EFI_NOT_FOUND;\r
+ }\r
+\r
+ *SigListOut = EfiSig;\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2\r
+ descriptor with the input data. NO authentication is required in this function.\r
+\r
+ @param[in, out] DataSize On input, the size of Data buffer in bytes.\r
+ On output, the size of data returned in Data\r
+ buffer in bytes.\r
+ @param[in, out] Data On input, Pointer to data buffer to be wrapped or\r
+ pointer to NULL to wrap an empty payload.\r
+ On output, Pointer to the new payload date buffer allocated from pool,\r
+ it's caller's responsibility to free the memory when finish using it.\r
+\r
+ @retval EFI_SUCCESS Create time based payload successfully.\r
+ @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval Others Unexpected error happens.\r
+\r
+**/\r
+EFI_STATUS\r
+CreateTimeBasedPayload (\r
+ IN OUT UINTN *DataSize,\r
+ IN OUT UINT8 **Data\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ UINT8 *NewData;\r
+ UINT8 *Payload;\r
+ UINTN PayloadSize;\r
+ EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;\r
+ UINTN DescriptorSize;\r
+ EFI_TIME Time;\r
+\r
+ if (Data == NULL || DataSize == NULL) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ //\r
+ // In Setup mode or Custom mode, the variable does not need to be signed but the\r
+ // parameters to the SetVariable() call still need to be prepared as authenticated\r
+ // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate\r
+ // data in it.\r
+ //\r
+ Payload = *Data;\r
+ PayloadSize = *DataSize;\r
+\r
+ DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);\r
+ NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);\r
+ if (NewData == NULL) {\r
+ return EFI_OUT_OF_RESOURCES;\r
+ }\r
+\r
+ if ((Payload != NULL) && (PayloadSize != 0)) {\r
+ CopyMem (NewData + DescriptorSize, Payload, PayloadSize);\r
+ }\r
+\r
+ DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);\r
+\r
+ ZeroMem (&Time, sizeof (EFI_TIME));\r
+ Status = gRT->GetTime (&Time, NULL);\r
+ if (EFI_ERROR (Status)) {\r
+ FreePool(NewData);\r
+ return Status;\r
+ }\r
+ Time.Pad1 = 0;\r
+ Time.Nanosecond = 0;\r
+ Time.TimeZone = 0;\r
+ Time.Daylight = 0;\r
+ Time.Pad2 = 0;\r
+ CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));\r
+\r
+ DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);\r
+ DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;\r
+ DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;\r
+ CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);\r
+\r
+ if (Payload != NULL) {\r
+ FreePool(Payload);\r
+ }\r
+\r
+ *DataSize = DescriptorSize + PayloadSize;\r
+ *Data = NewData;\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Internal helper function to delete a Variable given its name and GUID, NO authentication\r
+ required.\r
+\r
+ @param[in] VariableName Name of the Variable.\r
+ @param[in] VendorGuid GUID of the Variable.\r
+\r
+ @retval EFI_SUCCESS Variable deleted successfully.\r
+ @retval Others The driver failed to start the device.\r
+\r
+**/\r
+EFI_STATUS\r
+DeleteVariable (\r
+ IN CHAR16 *VariableName,\r
+ IN EFI_GUID *VendorGuid\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ VOID* Variable;\r
+ UINT8 *Data;\r
+ UINTN DataSize;\r
+ UINT32 Attr;\r
+\r
+ GetVariable2 (VariableName, VendorGuid, &Variable, NULL);\r
+ if (Variable == NULL) {\r
+ return EFI_SUCCESS;\r
+ }\r
+ FreePool (Variable);\r
+\r
+ Data = NULL;\r
+ DataSize = 0;\r
+ Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS\r
+ | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;\r
+\r
+ Status = CreateTimeBasedPayload (&DataSize, &Data);\r
+ if (EFI_ERROR (Status)) {\r
+ DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));\r
+ return Status;\r
+ }\r
+\r
+ Status = gRT->SetVariable (\r
+ VariableName,\r
+ VendorGuid,\r
+ Attr,\r
+ DataSize,\r
+ Data\r
+ );\r
+ if (Data != NULL) {\r
+ FreePool (Data);\r
+ }\r
+ return Status;\r
+}\r
+\r
+/**\r
+\r
+ Set the platform secure boot mode into "Custom" or "Standard" mode.\r
+\r
+ @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or\r
+ CUSTOM_SECURE_BOOT_MODE.\r
+\r
+ @return EFI_SUCCESS The platform has switched to the special mode successfully.\r
+ @return other Fail to operate the secure boot mode.\r
+\r
+**/\r
+EFI_STATUS\r
+SetSecureBootMode (\r
+ IN UINT8 SecureBootMode\r
+ )\r
+{\r
+ return gRT->SetVariable (\r
+ EFI_CUSTOM_MODE_NAME,\r
+ &gEfiCustomModeEnableGuid,\r
+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
+ sizeof (UINT8),\r
+ &SecureBootMode\r
+ );\r
+}\r
+\r
+/**\r
+ Fetches the value of SetupMode variable.\r
+\r
+ @param[out] SetupMode Pointer to UINT8 for SetupMode output\r
+\r
+ @retval other Retval from GetVariable.\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+GetSetupMode (\r
+ OUT UINT8 *SetupMode\r
+)\r
+{\r
+ UINTN Size;\r
+ EFI_STATUS Status;\r
+\r
+ Size = sizeof (*SetupMode);\r
+ Status = gRT->GetVariable (\r
+ EFI_SETUP_MODE_NAME,\r
+ &gEfiGlobalVariableGuid,\r
+ NULL,\r
+ &Size,\r
+ SetupMode\r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Clears the content of the 'db' variable.\r
+\r
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
+ while VendorGuid is NULL.\r
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+DeleteDb (\r
+ VOID\r
+)\r
+{\r
+ EFI_STATUS Status;\r
+\r
+ Status = DeleteVariable (\r
+ EFI_IMAGE_SECURITY_DATABASE,\r
+ &gEfiImageSecurityDatabaseGuid\r
+ );\r
+\r
+ return Status;\r
+}\r
+\r
+/**\r
+ Clears the content of the 'dbx' variable.\r
+\r
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
+ while VendorGuid is NULL.\r
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+DeleteDbx (\r
+ VOID\r
+)\r
+{\r
+ EFI_STATUS Status;\r
+\r
+ Status = DeleteVariable (\r
+ EFI_IMAGE_SECURITY_DATABASE1,\r
+ &gEfiImageSecurityDatabaseGuid\r
+ );\r
+\r
+ return Status;\r
+}\r
+\r
+/**\r
+ Clears the content of the 'dbt' variable.\r
+\r
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
+ while VendorGuid is NULL.\r
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+DeleteDbt (\r
+ VOID\r
+)\r
+{\r
+ EFI_STATUS Status;\r
+\r
+ Status = DeleteVariable (\r
+ EFI_IMAGE_SECURITY_DATABASE2,\r
+ &gEfiImageSecurityDatabaseGuid\r
+ );\r
+\r
+ return Status;\r
+}\r
+\r
+/**\r
+ Clears the content of the 'KEK' variable.\r
+\r
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
+ while VendorGuid is NULL.\r
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+DeleteKEK (\r
+ VOID\r
+)\r
+{\r
+ EFI_STATUS Status;\r
+\r
+ Status = DeleteVariable (\r
+ EFI_KEY_EXCHANGE_KEY_NAME,\r
+ &gEfiGlobalVariableGuid\r
+ );\r
+\r
+ return Status;\r
+}\r
+\r
+/**\r
+ Remove the PK variable.\r
+\r
+ @retval EFI_SUCCESS Delete PK successfully.\r
+ @retval Others Could not allow to delete PK.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+DeletePlatformKey (\r
+ VOID\r
+)\r
+{\r
+ EFI_STATUS Status;\r
+\r
+ Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
+\r
+ Status = DeleteVariable (\r
+ EFI_PLATFORM_KEY_NAME,\r
+ &gEfiGlobalVariableGuid\r
+ );\r
+ return Status;\r
+}\r
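Review bot: The section-fetch loop in SecureBootFetchData only leaves on EFI_SUCCESS or EFI_NOT_FOUND from GetSectionFromAnyFv, so any other status (for example EFI_OUT_OF_RESOURCES) retries the same KeyIndex forever, and the results of CreateSigList and ConcatenateSigList are never checked, so an allocation failure goes on to dereference or free the uninitialised TmpEfiSig / TmpEfiSig2. The RSA context that RsaGetPublicKeyFromX509 hands back on the success path is also never released with RsaFree, leaking one context per embedded certificate. The rewrite below breaks on EFI_NOT_FOUND first, propagates other lookup errors after freeing what was collected, frees the RSA context once validation is done, and checks both helper results; the stray `};` closing the loop should lose its semicolon in the same change. Separately, DeleteVariable is described as an internal helper but is neither STATIC nor declared in the header, and its `@retval Others The driver failed to start the device.` line is a copy-paste leftover that should describe the SetVariable / CreateTimeBasedPayload errors it actually returns.
```c
  while (1) {
    Status = GetSectionFromAnyFv (
               KeyFileGuid,
               EFI_SECTION_RAW,
               KeyIndex,
               &Buffer,
               &Size
               );
    if (Status == EFI_NOT_FOUND) {
      break;
    }
    if (EFI_ERROR (Status)) {
      //
      // Any other lookup failure: release what was collected so far and
      // report it instead of retrying the same KeyIndex indefinitely.
      //
      if (EfiSig != NULL) {
        FreePool (EfiSig);
      }
      return Status;
    }

    RsaPubKey = NULL;
    if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
      DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
      if (EfiSig != NULL) {
        FreePool (EfiSig);
      }
      FreePool (Buffer);
      return EFI_INVALID_PARAMETER;
    }
    //
    // The context was only needed to validate the certificate.
    //
    RsaFree (RsaPubKey);

    Status = CreateSigList (Buffer, Size, &TmpEfiSig);
    FreePool (Buffer);
    if (EFI_ERROR (Status)) {
      if (EfiSig != NULL) {
        FreePool (EfiSig);
      }
      return Status;
    }

    //
    // Concatenate lists if more than one section found
    //
    if (KeyIndex == 0) {
      EfiSig = TmpEfiSig;
      *SigListsSize = TmpEfiSig->SignatureListSize;
    } else {
      Status = ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize);
      FreePool (EfiSig);
      FreePool (TmpEfiSig);
      if (EFI_ERROR (Status)) {
        return Status;
      }
      EfiSig = TmpEfiSig2;
    }

    KeyIndex++;
  }
  // … unchanged: KeyIndex == 0 check and *SigListOut assignment …
```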