[edk2] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2f

Message ID 56CDC22D.7030603@redhat.com
State New
Headers show

Commit Message

Laszlo Ersek Feb. 24, 2016, 2:46 p.m.
On 02/24/16 13:05, David Woodhouse wrote:
> On Tue, 2016-02-23 at 21:57 +0100, Laszlo Ersek wrote:


>> First of all, I built it for:

>> - OvmfPkg/OvmfIa32.dsc

>> - OvmfPkg/OvmfIa32X64.dsc

>> - OvmfPkg/OvmfX64.dsc

>> - ArmVirtPkg/ArmVirtQemu.dsc (AARCH64 architecture)

>>

>> The builds complete for the first three DSC files, but it fails for the last one:

>>

>>> .../Build/ArmVirtQemu-AARCH64/DEBUG_GCC48/AARCH64/CryptoPkg/Library/OpensslLib/OpensslLib/OUTPUT/OpensslLib.lib(poly1305.obj): In function `poly1305_blocks':

>>> .../CryptoPkg/Library/OpensslLib/openssl/crypto/poly1305/poly1305.c:194: undefined reference to `__multi3'

>>> .../CryptoPkg/Library/OpensslLib/openssl/crypto/poly1305/poly1305.c:195: undefined reference to `__multi3'

>>> .../CryptoPkg/Library/OpensslLib/openssl/crypto/poly1305/poly1305.c:196: undefined reference to `__multi3'

>>> .../CryptoPkg/Library/OpensslLib/openssl/crypto/poly1305/poly1305.c:197: undefined reference to `__multi3'

> 

> That's easily fixed by adding no-poly1305 to my process_files.sh

> script. I've pushed a new version to my edk2.git tree with that change.


Yes, with your master branch @ 55eb3465c077, the ArmVirtQemu build
completes as well. Thanks.

(By the way, do you think that your series should revert, or at least
customize, the following commit:

commit ffbb1b25402c38d25cbbfb059139e76900bdc843
Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date:   Tue Jun 16 15:09:19 2015 +0000

    CryptoPkg: add .gitignore for OpenSSL source files
)

>> Anyway, for runtime testing, I used the OvmfIa32X64 build:

>>

>>> (1a) Enroll keys, and confirm SB being active in the Fedora guest,

>>>       using my current build.

>>> (1b) Rebuild the firmware binary with your patches & instructions. Do

>>>       not touch the VM's varstore.

>>> (1c) Confirm SB is still active in the Fedora guest.

>>

>> This step failed, with the OVMF debug output ending with:

>>

>>> Booting Fedora

>>> FSOpen: Open '\EFI\fedora\shim.efi' Success

>>>  

>>> ASSERT_EFI_ERROR (Status = Invalid Parameter)

>>> ASSERT .../MdePkg/Library/UefiMemoryAllocationLib/MemoryAllocationLib.c(819): !EFI_ERROR (Status)

>>

>> I didn't continue testing after this point.

> 

> OK, thanks very much for testing this.

> 

> It sounds like there's a new issue in OpenSSL HEAD that needs fixing,

> and I'm going to need to reproduce that myself to see what's going on.

> 

> Would you mind talking me through the setup above, please? To enroll

> keys, I assume I need to start with a version of qemu that can support

> running OVMF from a writeable flash chip, so it can store NV vars? 

> 

> Also, if you could test just the antepenultimate commit a35e4359d in

> what I've just pushed — which is all the build system improvements but

> still using OpenSSL 1.0.2f — that would also be very much appreciated.


Interestingly, the failure reproduces even when I build OVMF at your
commit a35e4359d; with identical symptoms.

Please find the repro steps below. (Sorry that it took so long to write
them up, but generally I use libvirt, and I had to create these
instructions on the spot, and I also tested them.)

(01) Set up the edk2 tree for building with OpenSSL, using the current
     upstream (master @ b38ec3cd2fcc11435d7fe4d90298c68368a5747b)
     instructions. That is, not your series.

(02) On a branch forked off the above state, please apply the attached
     patch, with

     git am --keep-cr

     (This patch is downstream only, but it is not "secret", it is
     publicly available in <https://www.kraxel.org/repos/> for example.)

(03) On the same branch, please edit the "OvmfPkg/OvmfPkgX64.dsc" file:
     locate "gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel", and
     replace its value with 0x8040004F.

     This will enable EFI_D_VERBOSE debug messages in the OVMF debug
     log.

     It's simplest to commit this change too, as a separate patch.

(04) Build OVMF as follows (assuming you have gcc-4.8):

     source edksetup.sh

     make -C "$EDK_TOOLS_PATH"

     build \
       -a X64 \
       -p OvmfPkg/OvmfPkgX64.dsc \
       -b DEBUG \
       -t GCC48 \
       -n $(getconf _NPROCESSORS_ONLN) \
       --report-file=/tmp/build.ovmf.report \
       --log=/tmp/build.ovmf.log \
       -D SECURE_BOOT_ENABLE \
       -D HTTP_BOOT_ENABLE

(05) Once the build completes, create a directory for testing, and stash
     the build output files there. We'll mark the OVMF binary as
     "upstream", in the file name.

     TESTDIR=$HOME/ovmf-test

     mkdir -p -v -- "$TESTDIR"

     cp -a -v -- \
       Build/OvmfX64/DEBUG_GCC*/FV/OVMF_CODE.fd \
       "$TESTDIR"/OVMF_CODE.upstream.fd

     cp -a -v -- \
       Build/OvmfX64/DEBUG_GCC*/FV/OVMF_VARS.fd \
       Build/OvmfX64/DEBUG_GCC*/X64/EnrollDefaultKeys.efi \
       "$TESTDIR"

(06) In the test directory, download the Fedora ISO that I used for
     testing. Also create an empty disk image for the virtual machine,
     and instantiate an actual varstore file for the virtual machine,
     from the varstore template:

     cd -- "$TESTDIR"

     wget -- https://download.fedoraproject.org/pub/fedora/linux/releases/22/Workstation/x86_64/iso/Fedora-Live-Workstation-x86_64-22-3.iso

     qemu-img create \
       -f qcow2 \
       -o compat=1.1 \
       -o preallocation=metadata \
       -o lazy_refcounts=on \
       fedora22.qcow2 \
       10G

     cp -a -v -- OVMF_VARS.fd fedora22.vars

(07) Create a raw disk image with a FAT filesystem, with the
     EnrollDefaultKeys.efi binary on it:

     rm -f -- EnrollDefaultKeys.raw

     mkdosfs -C EnrollDefaultKeys.raw -- 3072

     mcopy -i EnrollDefaultKeys.raw -- EnrollDefaultKeys.efi ::

(08) Start the virtual machine for the first time. (All future
     invocations of QEMU will use the exact same command line, except
     you will have to change the value of the OVMF_BINARY variable.)

     During this very first boot, please interrupt the boot process, by
     pressing ESC when the TianoCore splash screen appears (or at the
     progress bar after it). You will have five seconds for this. In
     later invocations, you can speed up the wait by pressing Enter at
     the progress bar.

     The commands are:

     OVMF_BINARY=OVMF_CODE.upstream.fd

     qemu-system-x86_64 \
       -machine accel=kvm \
       -smp cpus=2 \
       -m 2048 \
       \
       -monitor stdio \
       \
       -boot menu=on,splash-time=5000 \
       \
       -debugcon file:ovmf.debug.log \
       -global isa-debugcon.iobase=0x402 \
       \
       -device qxl-vga \
       \
       -net none \
       \
       -usbdevice tablet \
       \
       -drive if=pflash,format=raw,unit=0,readonly,file=$OVMF_BINARY \
       -drive if=pflash,format=raw,unit=1,file=fedora22.vars \
       \
       -device virtio-scsi-pci,id=scsi0 \
       \
       -drive id=cdrom,if=none,readonly,format=raw,file=Fedora-Live-Workstation-x86_64-22-3.iso \
       -device scsi-cd,bus=scsi0.0,drive=cdrom,bootindex=1 \
       \
       -drive id=main_disk,if=none,format=qcow2,cache=writethrough,file=fedora22.qcow2 \
       -device virtio-blk-pci,drive=main_disk,bootindex=0 \
       \
       -drive id=enroller_disk,if=none,readonly,format=raw,file=EnrollDefaultKeys.raw \
       -device virtio-blk-pci,drive=enroller_disk

(09) You should be standing in the UEFI setup utility now. Please
     navigate to

     Boot Manager | EFI Internal Shell

     Once the shell is running, please issue the following commands at
     the prompt (verify that the first command prints "info: success"):

     EnrollDefaultKeys
     reset -s

(10) Start the VM again with the command in step (08). This time you
     should let it boot uninterrupted (or, again, just press Enter at
     the progress bar, to skip the wait). Fedora Live should boot.

     On the Welcome screen, click Try Fedora.

(11) Please verify that Secure Boot is active: open a terminal, and
     enter

     dmesg | grep -i secure

     After this, install Fedora to the disk (Activities | Install to
     Hard Drive). Verify that the installed guest reboots correctly,
     then shut down the guest.

(12) Return to your edk2 directory. Run

     git clean -fdx

     Then *rebase* the branch you created in steps (02) and (03) to your
     own SSL branch. Set up the tree as necessary (according to your new
     instructions) for building OpenSSL.

     Rebuild the tree as written in step (04).

(13) Save the new OVMF binary under a different name:

     cp -a -v -- \
       Build/OvmfX64/DEBUG_GCC*/FV/OVMF_CODE.fd \
       "$TESTDIR"/OVMF_CODE.dwmw2.fd

(14) Boot your guest with the new firmware binary:

     cd -- "$TESTDIR"
     OVMF_BINARY=OVMF_CODE.dwmw2.fd

     Then repeat the rest of step (08).

(15) The boot process will hang at some point, and the assertion failure
     can be seen in the file "ovmf.debug.log".

     The expected result would be a successful boot, and

     dmesg | grep -i secure

     in the guest should again confirm secure boot.

(16) For debugging purposes, you can use DEBUG() calls; they will show
     up in "ovmf.debug.log".

Thanks
Laszlo
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Comments

Laszlo Ersek Feb. 24, 2016, 4:43 p.m. | #1
On 02/24/16 17:26, David Woodhouse wrote:
> On Wed, 2016-02-24 at 15:46 +0100, Laszlo Ersek wrote:


>> Interestingly, the failure reproduces even when I build OVMF at your

>> commit a35e4359d; with identical symptoms.

> 

> Also useful to know; thanks.


The first commit that breaks it is:

commit 6a48e82abc5174e4810e388fdf0fc67564dabb03
Author: David Woodhouse <David.Woodhouse@intel.com>
Date:   Wed Aug 12 12:54:28 2015 +0100

    CryptoPkg/OpensslLib: Update OpenSSL patch

Thanks
Laszlo

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Laszlo Ersek Feb. 24, 2016, 5:12 p.m. | #2
On 02/24/16 18:06, David Woodhouse wrote:
> On Wed, 2016-02-24 at 17:43 +0100, Laszlo Ersek wrote:
>> On 02/24/16 17:26, David Woodhouse wrote:
>>> On Wed, 2016-02-24 at 15:46 +0100, Laszlo Ersek wrote:
>>
>>>> Interestingly, the failure reproduces even when I build OVMF at your
>>>> commit a35e4359d; with identical symptoms.
>>>  
>>> Also useful to know; thanks.
>>
>> The first commit that breaks it is:
>>
>> commit 6a48e82abc5174e4810e388fdf0fc67564dabb03
>> Author: David Woodhouse <David.Woodhouse@intel.com>
>> Date:   Wed Aug 12 12:54:28 2015 +0100
>>
>>     CryptoPkg/OpensslLib: Update OpenSSL patch
> 
> Haha, well that serves me right.

If it helps, here's the stack trace to the failed ASSERT():

> #0  0x000000007fde9789 in CpuDeadLoop () at MdePkg/Library/BaseLib/CpuDeadLoop.c:37
> #1  0x000000007fde3ca5 in DebugAssert (
>     FileName=0x7fe4f1e8 "MdePkg/Library/UefiMemoryAllocationLib/MemoryAllocationLib.c", LineNumber=819, Description=0x7fe4f269 "!EFI_ERROR (Status)")
>     at OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c:153
> #2  0x000000007fdeba3f in FreePool (Buffer=0x0)
>     at MdePkg/Library/UefiMemoryAllocationLib/MemoryAllocationLib.c:819
> #3  0x000000007fdf0385 in free (ptr=0x0)
>     at CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c:41
> #4  0x000000007fdf0917 in CRYPTO_free (str=0x0)
>     at CryptoPkg/Library/OpensslLib/openssl-1.0.2f/crypto/mem.c:442
> #5  0x000000007fe20b47 in PKCS7_verify (p7=0x7ee6ff98, certs=0x0, store=0x7ee62e58, indata=0x7ee62c18, out=0x0, 
>     flags=128)
>     at CryptoPkg/Library/OpensslLib/openssl-1.0.2f/crypto/pkcs7/pk7_smime.c:415
> #6  0x000000007fdef1fb in Pkcs7Verify (
>     P7Data=0x7e3a4a30 "0\202!Ü\006\t*\206H\206÷\r\001\a\002 \202!Í0\202!É\002\001\001\061\017\060\r\006\t`\206H\001e\003\004\002\001\005", P7Length=8672, TrustedCert=0x7ee76044 "0\202\005×0\202\003¿ \003\002\001\002\002\na\avV", 
>     CertLength=1499, InData=0x7ee8939a "0\027\006\n+\006\001\004\001\202\067\002\001\017\060\t\003\001", 
>     DataLength=76) at CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c:875
> #7  0x000000007fdef5b1 in AuthenticodeVerify (
>     AuthData=0x7e3a4a30 "0\202!Ü\006\t*\206H\206÷\r\001\a\002 \202!Í0\202!É\002\001\001\061\017\060\r\006\t`\206H\001e\003\004\002\001\005", DataSize=8672, TrustedCert=0x7ee76044 "0\202\005×0\202\003¿ \003\002\001\002\002\na\avV", 
>     CertSize=1499, ImageHash=0x7fe701c0 "Û¯\236\005m=[8¶\205S0J¼\210\202~¼", HashSize=32)
>     at CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c:189
> #8  0x000000007fde732a in IsAllowedByDb (
>     AuthData=0x7e3a4a30 "0\202!Ü\006\t*\206H\206÷\r\001\a\002 \202!Í0\202!É\002\001\001\061\017\060\r\006\t`\206H\001e\003\004\002\001\005", AuthDataSize=8672, IsAuditMode=0 '\000', ImageName=0x0, ImageDevicePath=0x0)
>     at SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c:1600
> #9  0x000000007fde8643 in DxeImageVerificationHandler (AuthenticationStatus=0, File=0x7ee89418, 
>     FileBuffer=0x7e26b018, FileSize=1293304, BootPolicy=1 '\001')
>     at SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c:2419
> #10 0x000000007fde4cd4 in ExecuteSecurity2Handlers (AuthenticationOperation=15, AuthenticationStatus=0, 
>     File=0x7ee89418, FileBuffer=0x7e26b018, FileSize=1293304, BootPolicy=1 '\001')
>     at MdeModulePkg/Library/DxeSecurityManagementLib/DxeSecurityManagementLib.c:518
> #11 0x000000007fde38df in Security2StubAuthenticate (This=0x7fe6f248, File=0x7ee89418, FileBuffer=0x7e26b018, 
>     FileSize=1293304, BootPolicy=1 '\001')
>     at MdeModulePkg/Universal/SecurityStubDxe/SecurityStub.c:143
> #12 0x000000007ff64c5e in CoreLoadImageCommon (BootPolicy=1 '\001', ParentImageHandle=0x7f240218, 
>     FilePath=0x7ee89418, SourceBuffer=0x0, SourceSize=0, DstBuffer=0, NumberOfPages=0x0, ImageHandle=0x7ff5ec60, 
>     EntryPoint=0x0, Attribute=3) at MdeModulePkg/Core/Dxe/Image/Image.c:1170
> #13 0x000000007ff65216 in CoreLoadImage (BootPolicy=1 '\001', ParentImageHandle=0x7f240218, FilePath=0x7ee89418, 
>     SourceBuffer=0x0, SourceSize=0, ImageHandle=0x7ff5ec60)
>     at MdeModulePkg/Core/Dxe/Image/Image.c:1441
> #14 0x000000007ebe9a8e in BdsLibBootViaBootOption (Option=0x7f05d3d8, DevicePath=0x7ee89418, 
>     ExitDataSize=0x7ff5ed38, ExitData=0x7ff5ed30)
>     at IntelFrameworkModulePkg/Library/GenericBdsLib/BdsBoot.c:2352
> #15 0x000000007ebba00e in BdsBootDeviceSelect ()
>     at IntelFrameworkModulePkg/Universal/BdsDxe/BdsEntry.c:286
> #16 0x000000007ebbab85 in BdsEntry (This=0x7ec06820)
>     at IntelFrameworkModulePkg/Universal/BdsDxe/BdsEntry.c:659
> #17 0x000000007ff60918 in DxeMain (HobStart=0x7fd14018)
>     at MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c:511
> #18 0x000000007ff5f71d in ProcessModuleEntryPointList (HobStart=0x7bfde000)
>     at Build/OvmfX64/DEBUG_GCC48/X64/MdeModulePkg/Core/Dxe/DxeMain/DEBUG/AutoGen.c:423
> #19 0x000000007ff5f26d in _ModuleEntryPoint (HobStart=0x7bfde000)
>     at MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.c:54
> #20 0x0000000000000000 in ?? ()

You may ask how I captured this backtrace.

The answer is <https://edk2.bluestop.org/w/tianocore/debugging-with-gdb/>.

(Thanks again Bruce for writing up my email in such a nice form!)

Laszlo
Laszlo Ersek Feb. 24, 2016, 5:20 p.m. | #3
On 02/24/16 18:12, Laszlo Ersek wrote:

>> #4  0x000000007fdf0917 in CRYPTO_free (str=0x0)

>>     at CryptoPkg/Library/OpensslLib/openssl-1.0.2f/crypto/mem.c:442

>> #5  0x000000007fe20b47 in PKCS7_verify (p7=0x7ee6ff98, certs=0x0, store=0x7ee62e58, indata=0x7ee62c18, out=0x0, 

>>     flags=128)

>>     at CryptoPkg/Library/OpensslLib/openssl-1.0.2f/crypto/pkcs7/pk7_smime.c:415


These are the key stack frames. "pk7_smime.c:415" is an error handling
section at the end of PKCS7_verify():

 err:
    OPENSSL_free(buf);
    if (tmpin == indata) {
        if (indata)
            BIO_pop(p7bio);
    }
    BIO_free_all(p7bio);
    sk_X509_free(signers);
    return ret;
}

Now, in the edk2 build, OPENSSL_free() boils down to a FreePool().
However, *unlike* the free() function of the standard C library,
FreePool() does *not* handle a NULL argument transparently.

So we should look for jumps to the err label in PKCS7_verify() that
happen before "buf" is set to anything different from NULL. (It is
initialized to NULL at the top of the function.)

I can see 6 such goto instructions -- I'll try to instrument them with
DEBUG(), and see which one is taken. I'll report back if I succeed.

Thanks
Laszlo
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Laszlo Ersek Feb. 24, 2016, 7:36 p.m. | #4
On 02/24/16 18:20, Laszlo Ersek wrote:
> On 02/24/16 18:12, Laszlo Ersek wrote:

> 

>>> #4  0x000000007fdf0917 in CRYPTO_free (str=0x0)

>>>     at CryptoPkg/Library/OpensslLib/openssl-1.0.2f/crypto/mem.c:442

>>> #5  0x000000007fe20b47 in PKCS7_verify (p7=0x7ee6ff98, certs=0x0, store=0x7ee62e58, indata=0x7ee62c18, out=0x0, 

>>>     flags=128)

>>>     at CryptoPkg/Library/OpensslLib/openssl-1.0.2f/crypto/pkcs7/pk7_smime.c:415

> 

> These are the key stack frames. "pk7_smime.c:415" is an error handling

> section at the end of PKCS7_verify():

> 

>  err:

>     OPENSSL_free(buf);

>     if (tmpin == indata) {

>         if (indata)

>             BIO_pop(p7bio);

>     }

>     BIO_free_all(p7bio);

>     sk_X509_free(signers);

>     return ret;

> }

> 

> Now, in the edk2 build, OPENSSL_free() boils down to a FreePool().

> However, *unlike* the free() function of the standard C library,

> FreePool() does *not* handle a NULL argument transparently.

> 

> So we should look for jumps to the err label in PKCS7_verify() that

> happen before "buf" is set to anything different from NULL. (It is

> initialized to NULL at the top of the function.)


Okay, I found it. There is no error in your patches, just a minimal omission. :)

The above is actually the *entire error*. There is nothing else.

Namely, verifying the "shim.efi" binary takes *two iterations* of the loop(s) in IsAllowedByDb() [SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c].

More precisely, two calls to AuthenticodeVerify().

The first call is supposed to fail. The second call is supposed to succeed.

There is a bug in the free() function, in file "CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c". As I wrote above, unlike in standard C, this implementation of free() doesn't handle a NULL argument transparently -- it is passed to FreePool(), but FreePool() blows up on a NULL argument, in the assertion that I quoted earlier, in file "MdePkg/Library/UefiMemoryAllocationLib/MemoryAllocationLib.c":

VOID
EFIAPI
FreePool (
  IN VOID   *Buffer
  )
{
  EFI_STATUS    Status;

  Status = gBS->FreePool (Buffer);
  ASSERT_EFI_ERROR (Status);
}

The difference is that this bug in free() -- in the "CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c" file -- is *only* exposed by David's patches. Namely, when the first call to AuthenticodeVerify() fails internally (as expected), we trigger the assertion before we could get back out to IsAllowedByDb(), for the second call. This is how:

IsAllowedByDb()                    [SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c]
  //
  // first call in the nested loops, supposed to fail:
  //
  AuthenticodeVerify()             [CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c]
    Pkcs7Verify()                  [CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c]
      PKCS7_verify()               [CryptoPkg/Library/OpensslLib/openssl-1.0.2f/crypto/pkcs7/pk7_smime.c]
        //
        // we jump to the "err" label with buf == NULL
        //
        OPENSSL_free(buf)
          ...
            free()                 [CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c]
              FreePool()           [MdePkg/Library/UefiMemoryAllocationLib/MemoryAllocationLib.c]
                ASSERT_EFI_ERROR()
  //
  // second call in the nested loops, supposed to succeed -- never reached because FreePool() never returns!
  //
  AuthenticodeVerify()           [CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c]

The bug is exposed by the following backport in David's work:

commit e890487ff1ecfaa27d3f035861fba0c5912b8b4b
Author: Rich Salz <rsalz@akamai.com>
Date:   Fri Sep 4 08:13:19 2015 -0400

    RT3955: Reduce some stack usage
    
    Use malloc/free instead of big onstack buffers.
    
    Reviewed-by: Tim Hudson <tjh@openssl.org>

    (cherry picked from commit 8e704858f21983383be2b77e986f475b51719a1e)

It adds an "OPENSSL_free(buf)" call to the error handling / final part of the PKCS7_verify() function (among other things). This function call can be reached with (buf == NULL). Which is fully valid, in standard C, but it exposes the bug in CryptoPkg's free() implementation.

I will send a trivial patch for CryptoPkg in a moment.

Thanks
Laszlo
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Laszlo Ersek Feb. 24, 2016, 7:39 p.m. | #5
On 02/24/16 20:30, David Woodhouse wrote:
> On Wed, 2016-02-24 at 18:20 +0100, Laszlo Ersek wrote:

>>

>> Now, in the edk2 build, OPENSSL_free() boils down to a FreePool().

>> However, *unlike* the free() function of the standard C library,

>> FreePool() does *not* handle a NULL argument transparently.

> 

> Well that's just utterly batshit insane, now isn't it?

> 

> I'm amazed that didn't bite us before. If we're providing a free()

> function especially for OpenSSL because the NIH principle guiding UEFI

> was *so* strong that we even had to eschew even such *fundamentals* of

> the C environment, then the least we can do is provide a *correct* one:

> 

> diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c

> index 544f072..7c7818a 100644

> --- a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c

> +++ b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c

> @@ -38,5 +38,6 @@ void *realloc (void *ptr, size_t size)

>  /* De-allocates or frees a memory block */

>  void free (void *ptr)

>  {

> -  FreePool (ptr);

> +  if (ptr)

> +    FreePool (ptr);

>  }

> 


I started composing my other email before yours arrived, and finished
and sent it after yours arrived, it looks like :)

So yes, this is all. Can I take credit for the analysis, by submitting
the patch? :)

Thanks
Laszlo
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Patch

From bb911da8f3e1ac3a89ae23e667a6bfb8dcc80dae Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Mon, 6 Jul 2015 20:22:02 +0200
Subject: [PATCH] OvmfPkg: EnrollDefaultKeys: application for enrolling default
 keys

(A port of the <https://bugzilla.redhat.com/show_bug.cgi?id=1148296> patch
to Gerd's public RPMs.)

This application is meant to be invoked by the management layer, after
booting the UEFI shell and getting a shell prompt on the serial console.
The app enrolls a number of certificates (see below), and then reports
status to the serial console as well. The expected output is "info:
success":

> Shell> EnrollDefaultKeys.efi
> info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
> info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
> info: success
> Shell>

In case of success, the management layer can force off or reboot the VM
(for example with the "reset -s" or "reset -c" UEFI shell commands,
respectively), and start the guest installation with SecureBoot enabled.

PK:
- A unique, static, ad-hoc certificate whose private half has been
  destroyed (more precisely, never saved) and is therefore unusable for
  signing. (The command for creating this certificate is saved in the
  source code.)

KEK:
- same ad-hoc certificate as used for the PK,
- "Microsoft Corporation KEK CA 2011" -- the dbx data in Fedora's dbxtool
  package is signed (indirectly, through a chain) with this; enrolling
  such a KEK should allow guests to install those updates.

DB:
- "Microsoft Windows Production PCA 2011" -- to load Windows 8 and Windows
  Server 2012 R2,
- "Microsoft Corporation UEFI CA 2011" -- to load Linux and signed PCI
  oproms.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 961 ++++++++++++++++++++++++
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |  51 ++
 OvmfPkg/OvmfPkgIa32.dsc                         |   4 +
 OvmfPkg/OvmfPkgIa32X64.dsc                      |   4 +
 OvmfPkg/OvmfPkgX64.dsc                          |   4 +
 5 files changed, 1024 insertions(+)
 create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
 create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf

diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
new file mode 100644
index 000000000000..0c434ace791b
--- /dev/null
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -0,0 +1,961 @@ 
+/** @file
+  Enroll default PK, KEK, DB.
+
+  Copyright (C) 2014, Red Hat, Inc.
+
+  This program and the accompanying materials are licensed and made available
+  under the terms and conditions of the BSD License which accompanies this
+  distribution. The full text of the license may be found at
+  http://opensource.org/licenses/bsd-license.
+
+  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
+  WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+**/
+#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
+#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
+#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
+#include <Library/BaseMemoryLib.h>               // CopyGuid()
+#include <Library/DebugLib.h>                    // ASSERT()
+#include <Library/MemoryAllocationLib.h>         // FreePool()
+#include <Library/ShellCEntryLib.h>              // ShellAppMain()
+#include <Library/UefiLib.h>                     // AsciiPrint()
+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
+
+//
+// The example self-signed certificate below, which we'll use for both Platform
+// Key, and first Key Exchange Key, has been generated with the following
+// non-interactive openssl command. The passphrase is read from /dev/urandom,
+// and not saved, and the private key is written to /dev/null. In other words,
+// we can't sign anything else against this certificate, which is our purpose.
+//
+/*
+   openssl req \
+     -passout file:<(head -c 16 /dev/urandom) \
+     -x509 \
+     -newkey rsa:2048 \
+     -keyout /dev/null \
+     -outform DER \
+     -subj $(
+       printf /C=US
+       printf /ST=TestStateOrProvince
+       printf /L=TestLocality
+       printf /O=TestOrganization
+       printf /OU=TestOrganizationalUnit
+       printf /CN=TestCommonName
+       printf /emailAddress=test@example.com
+     ) \
+     2>/dev/null \
+   | xxd -i
+*/
+STATIC CONST UINT8 ExampleCert[] = {
+  0x30, 0x82, 0x04, 0x45, 0x30, 0x82, 0x03, 0x2d, 0xa0, 0x03, 0x02, 0x01, 0x02,
+  0x02, 0x09, 0x00, 0xcf, 0x9f, 0x51, 0xa3, 0x07, 0xdb, 0x54, 0xa1, 0x30, 0x0d,
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
+  0x30, 0x81, 0xb8, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
+  0x02, 0x55, 0x53, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
+  0x13, 0x54, 0x65, 0x73, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x4f, 0x72, 0x50,
+  0x72, 0x6f, 0x76, 0x69, 0x6e, 0x63, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03,
+  0x55, 0x04, 0x07, 0x0c, 0x0c, 0x54, 0x65, 0x73, 0x74, 0x4c, 0x6f, 0x63, 0x61,
+  0x6c, 0x69, 0x74, 0x79, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a,
+  0x0c, 0x10, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a,
+  0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04,
+  0x0b, 0x0c, 0x16, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69,
+  0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x55, 0x6e, 0x69, 0x74, 0x31,
+  0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0e, 0x54, 0x65, 0x73,
+  0x74, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x31, 0x1f,
+  0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01,
+  0x16, 0x10, 0x74, 0x65, 0x73, 0x74, 0x40, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c,
+  0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
+  0x30, 0x39, 0x31, 0x33, 0x32, 0x38, 0x32, 0x32, 0x5a, 0x17, 0x0d, 0x31, 0x34,
+  0x31, 0x31, 0x30, 0x38, 0x31, 0x33, 0x32, 0x38, 0x32, 0x32, 0x5a, 0x30, 0x81,
+  0xb8, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
+  0x53, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x13, 0x54,
+  0x65, 0x73, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x4f, 0x72, 0x50, 0x72, 0x6f,
+  0x76, 0x69, 0x6e, 0x63, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04,
+  0x07, 0x0c, 0x0c, 0x54, 0x65, 0x73, 0x74, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x69,
+  0x74, 0x79, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x10,
+  0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74,
+  0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c,
+  0x16, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61,
+  0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x55, 0x6e, 0x69, 0x74, 0x31, 0x17, 0x30,
+  0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0e, 0x54, 0x65, 0x73, 0x74, 0x43,
+  0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x31, 0x1f, 0x30, 0x1d,
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10,
+  0x74, 0x65, 0x73, 0x74, 0x40, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e,
+  0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
+  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
+  0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbf, 0xf1, 0xce,
+  0x17, 0x32, 0xac, 0xc4, 0x4b, 0xb2, 0xed, 0x84, 0x76, 0xe5, 0xd0, 0xf8, 0x21,
+  0xac, 0x10, 0xf8, 0x18, 0x09, 0x0e, 0x07, 0x13, 0x76, 0x21, 0x5c, 0xc4, 0xcc,
+  0xd5, 0xe6, 0x25, 0xa7, 0x26, 0x53, 0x79, 0x2f, 0x16, 0x4b, 0x85, 0xbd, 0xae,
+  0x42, 0x64, 0x58, 0xcb, 0x5e, 0xe8, 0x6e, 0x5a, 0xd0, 0xc4, 0x0f, 0x38, 0x16,
+  0xbe, 0xd3, 0x22, 0xa7, 0x3c, 0x9b, 0x8b, 0x5e, 0xcb, 0x62, 0x35, 0xc5, 0x9b,
+  0xe2, 0x8e, 0x4c, 0x65, 0x57, 0x4f, 0xcb, 0x27, 0xad, 0xe7, 0x63, 0xa7, 0x77,
+  0x2b, 0xd5, 0x02, 0x42, 0x70, 0x46, 0xac, 0xba, 0xb6, 0x60, 0x57, 0xd9, 0xce,
+  0x31, 0xc5, 0x12, 0x03, 0x4a, 0xf7, 0x2a, 0x2b, 0x40, 0x06, 0xb4, 0xdb, 0x31,
+  0xb7, 0x83, 0x6c, 0x67, 0x87, 0x98, 0x8b, 0xce, 0x1b, 0x30, 0x7a, 0xfa, 0x35,
+  0x6c, 0x86, 0x20, 0x74, 0xc5, 0x7d, 0x32, 0x31, 0x18, 0xeb, 0x69, 0xf7, 0x2d,
+  0x20, 0xc4, 0xf0, 0xd2, 0xfa, 0x67, 0x81, 0xc1, 0xbb, 0x23, 0xbb, 0x75, 0x1a,
+  0xe4, 0xb4, 0x49, 0x99, 0xdf, 0x12, 0x4c, 0xe3, 0x6d, 0x76, 0x24, 0x85, 0x24,
+  0xae, 0x5a, 0x9e, 0xbd, 0x54, 0x1c, 0xf9, 0x0e, 0xed, 0x96, 0xb5, 0xd8, 0xa2,
+  0x0d, 0x2a, 0x38, 0x5d, 0x12, 0x97, 0xb0, 0x4d, 0x75, 0x85, 0x1e, 0x47, 0x6d,
+  0xe1, 0x25, 0x59, 0xcb, 0xe9, 0x33, 0x86, 0x6a, 0xef, 0x98, 0x24, 0xa0, 0x2b,
+  0x02, 0x7b, 0xc0, 0x9f, 0x88, 0x03, 0xb0, 0xbe, 0x22, 0x65, 0x83, 0x77, 0xb3,
+  0x30, 0xba, 0xe0, 0x3b, 0x54, 0x31, 0x3a, 0x45, 0x81, 0x9c, 0x48, 0xaf, 0xc1,
+  0x11, 0x5b, 0xf2, 0x3a, 0x1e, 0x33, 0x1b, 0x8f, 0x0e, 0x04, 0xa4, 0x16, 0xd4,
+  0x6b, 0x57, 0xee, 0xe7, 0xba, 0xf5, 0xee, 0xaf, 0xe2, 0x4c, 0x50, 0xf8, 0x68,
+  0x57, 0x88, 0xfb, 0x7f, 0xa3, 0xcf, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x50,
+  0x30, 0x4e, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14,
+  0x1e, 0x44, 0xe5, 0xef, 0xcd, 0x6e, 0x1f, 0xdb, 0xcb, 0x4f, 0x94, 0x8f, 0xe3,
+  0x3b, 0x1a, 0x8c, 0xe6, 0x95, 0x29, 0x61, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d,
+  0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x1e, 0x44, 0xe5, 0xef, 0xcd, 0x6e,
+  0x1f, 0xdb, 0xcb, 0x4f, 0x94, 0x8f, 0xe3, 0x3b, 0x1a, 0x8c, 0xe6, 0x95, 0x29,
+  0x61, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
+  0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+  0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x12, 0x9c, 0x3e, 0x38,
+  0xfc, 0x26, 0xea, 0x6d, 0xb7, 0x5c, 0x29, 0x3c, 0x76, 0x20, 0x0c, 0xb2, 0xa9,
+  0x0f, 0xdf, 0xc0, 0x85, 0xfe, 0xeb, 0xec, 0x1d, 0x5d, 0x73, 0x84, 0xac, 0x8a,
+  0xb4, 0x2a, 0x86, 0x38, 0x30, 0xaf, 0xd2, 0x2d, 0x2a, 0xde, 0x54, 0xc8, 0x5c,
+  0x29, 0x90, 0x24, 0xf2, 0x39, 0xc1, 0xa5, 0x00, 0xb4, 0xb7, 0xd8, 0xdc, 0x59,
+  0x64, 0x50, 0x62, 0x5f, 0x54, 0xf1, 0x73, 0x02, 0x4d, 0x43, 0xc5, 0xc3, 0xc4,
+  0x0e, 0x62, 0x60, 0x8c, 0x53, 0x66, 0x57, 0x77, 0xb5, 0x81, 0xda, 0x1f, 0x81,
+  0xda, 0xe9, 0xd6, 0x5e, 0x82, 0xce, 0xa7, 0x5c, 0xc0, 0xa6, 0xbe, 0x9c, 0x5c,
+  0x7b, 0xa5, 0x15, 0xc8, 0xd7, 0x14, 0x53, 0xd3, 0x5c, 0x1c, 0x9f, 0x8a, 0x9f,
+  0x66, 0x15, 0xd5, 0xd3, 0x2a, 0x27, 0x0c, 0xee, 0x9f, 0x80, 0x39, 0x88, 0x7b,
+  0x24, 0xde, 0x0c, 0x61, 0xa3, 0x44, 0xd8, 0x8d, 0x2e, 0x79, 0xf8, 0x1e, 0x04,
+  0x5a, 0xcb, 0xd6, 0x9c, 0xa3, 0x22, 0x8f, 0x09, 0x32, 0x1e, 0xe1, 0x65, 0x8f,
+  0x10, 0x5f, 0xd8, 0x52, 0x56, 0xd5, 0x77, 0xac, 0x58, 0x46, 0x60, 0xba, 0x2e,
+  0xe2, 0x3f, 0x58, 0x7d, 0x60, 0xfc, 0x31, 0x4a, 0x3a, 0xaf, 0x61, 0x55, 0x5f,
+  0xfb, 0x68, 0x14, 0x74, 0xda, 0xdc, 0x42, 0x78, 0xcc, 0xee, 0xff, 0x5c, 0x03,
+  0x24, 0x26, 0x2c, 0xb8, 0x3a, 0x81, 0xad, 0xdb, 0xe7, 0xed, 0xe1, 0x62, 0x84,
+  0x07, 0x1a, 0xc8, 0xa4, 0x4e, 0xb0, 0x87, 0xf7, 0x96, 0xd8, 0x33, 0x9b, 0x0d,
+  0xa7, 0x77, 0xae, 0x5b, 0xaf, 0xad, 0xe6, 0x5a, 0xc9, 0xfa, 0xa4, 0xe4, 0xe5,
+  0x57, 0xbb, 0x97, 0xdd, 0x92, 0x85, 0xd8, 0x03, 0x45, 0xfe, 0xd8, 0x6b, 0xb1,
+  0xdb, 0x85, 0x36, 0xb9, 0xd9, 0x28, 0xbf, 0x17, 0xae, 0x11, 0xde, 0x10, 0x19,
+  0x26, 0x5b, 0xc0, 0x3d, 0xc7
+};
+
+//
+// Second KEK: "Microsoft Corporation KEK CA 2011".
+// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
+//
+// "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
+//
+STATIC CONST UINT8 MicrosoftKEK[] = {
+  0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
+  0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
+  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
+  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
+  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
+  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
+  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
+  0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32,
+  0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, 0x30,
+  0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
+  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
+  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
+  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
+  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
+  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06,
+  0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
+  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
+  0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31,
+  0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+  0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
+  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, 0xad,
+  0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, 0x5d,
+  0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, 0xeb,
+  0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, 0xe3,
+  0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, 0x9b,
+  0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, 0xac,
+  0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, 0xc8,
+  0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, 0xc0,
+  0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, 0xe2,
+  0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, 0x89,
+  0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, 0xc2,
+  0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, 0x03,
+  0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, 0x7e,
+  0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, 0xeb,
+  0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, 0x2f,
+  0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, 0xaa,
+  0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, 0x9f,
+  0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, 0xc6,
+  0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, 0xaf,
+  0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, 0x07,
+  0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, 0x30,
+  0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
+  0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,
+  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, 0xa4,
+  0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, 0x5f,
+  0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02,
+  0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
+  0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01,
+  0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
+  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
+  0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, 0x11,
+  0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, 0x30,
+  0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, 0xa0,
+  0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
+  0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e,
+  0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70,
+  0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f,
+  0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f,
+  0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63,
+  0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01,
+  0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
+  0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
+  0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
+  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, 0x74,
+  0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61,
+  0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d,
+  0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09,
+  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
+  0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, 0x2a,
+  0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, 0x66,
+  0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, 0x5a,
+  0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, 0x64,
+  0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, 0x58,
+  0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, 0xd0,
+  0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, 0xf5,
+  0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, 0xec,
+  0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, 0xd7,
+  0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, 0x28,
+  0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, 0x79,
+  0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, 0x7b,
+  0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, 0xd8,
+  0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, 0x19,
+  0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, 0x58,
+  0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, 0x0d,
+  0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, 0x2d,
+  0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, 0xc8,
+  0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, 0x60,
+  0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, 0xac,
+  0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, 0x87,
+  0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, 0xcd,
+  0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, 0x81,
+  0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, 0x92,
+  0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, 0xe0,
+  0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, 0xaf,
+  0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, 0xfb,
+  0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, 0x68,
+  0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, 0xad,
+  0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, 0x82,
+  0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, 0x14,
+  0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, 0x4f,
+  0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, 0x9b,
+  0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, 0xb0,
+  0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
+  0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
+  0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
+  0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
+  0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
+  0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
+};
+
+//
+// First DB entry: "Microsoft Windows Production PCA 2011"
+// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
+//
+// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
+// rooted in this certificate.
+//
+STATIC CONST UINT8 MicrosoftPCA[] = {
+  0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
+  0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
+  0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30,
+  0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f,
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72,
+  0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
+  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17,
+  0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, 0x32,
+  0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, 0x31,
+  0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
+  0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
+  0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f,
+  0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52,
+  0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55,
+  0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
+  0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31,
+  0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, 0x63,
+  0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77,
+  0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20,
+  0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30,
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
+  0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
+  0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, 0xf7,
+  0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, 0xcb,
+  0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, 0x8b,
+  0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, 0xe3,
+  0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, 0xc0,
+  0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, 0x74,
+  0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, 0x67,
+  0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, 0x53,
+  0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, 0x23,
+  0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, 0xa3,
+  0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, 0xff,
+  0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, 0xe2,
+  0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, 0x22,
+  0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, 0xf3,
+  0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, 0x2b,
+  0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, 0xbc,
+  0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, 0xd6,
+  0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, 0xe8,
+  0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, 0xa8,
+  0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, 0x03,
+  0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, 0x10,
+  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
+  0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
+  0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, 0xf9,
+  0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, 0x2b,
+  0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00,
+  0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03,
+  0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03,
+  0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
+  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
+  0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, 0x94,
+  0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, 0x1d,
+  0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, 0x45,
+  0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69,
+  0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
+  0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63,
+  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41,
+  0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33,
+  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
+  0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
+  0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, 0x3a,
+  0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
+  0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65,
+  0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72,
+  0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32,
+  0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x14,
+  0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, 0xbc,
+  0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, 0xd0,
+  0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, 0x61,
+  0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, 0xda,
+  0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, 0x6a,
+  0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, 0xe2,
+  0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, 0xea,
+  0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, 0x30,
+  0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, 0x86,
+  0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, 0xc8,
+  0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, 0xae,
+  0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, 0xb8,
+  0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, 0xac,
+  0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, 0x84,
+  0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, 0x73,
+  0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, 0x73,
+  0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, 0x60,
+  0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, 0xb6,
+  0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, 0x2a,
+  0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, 0xba,
+  0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, 0xce,
+  0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, 0x0f,
+  0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, 0x6e,
+  0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, 0xd3,
+  0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, 0x45,
+  0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, 0xd0,
+  0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, 0x24,
+  0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, 0x2c,
+  0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, 0xdf,
+  0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, 0x6c,
+  0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, 0xf2,
+  0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, 0x5c,
+  0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, 0x47,
+  0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, 0x5a,
+  0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
+  0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
+  0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
+  0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
+  0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
+  0x62, 0x1c, 0x59, 0x7e
+};
+
+//
+// Second DB entry: "Microsoft Corporation UEFI CA 2011"
+// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
+//
+// To verify the "shim" binary and PCI expansion ROMs with.
+//
+STATIC CONST UINT8 MicrosoftUefiCA[] = {
+  0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
+  0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
+  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
+  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
+  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
+  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
+  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
+  0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x32,
+  0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30,
+  0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
+  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
+  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
+  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
+  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
+  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, 0x06,
+  0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
+  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
+  0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31,
+  0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+  0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
+  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, 0xc7,
+  0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, 0x43,
+  0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, 0x73,
+  0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, 0xd3,
+  0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, 0x54,
+  0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, 0x5c,
+  0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, 0x4f,
+  0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, 0xae,
+  0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, 0x1d,
+  0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, 0xfa,
+  0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, 0xff,
+  0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, 0x7b,
+  0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, 0xe6,
+  0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, 0x62,
+  0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, 0x08,
+  0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, 0xe7,
+  0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, 0xb2,
+  0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, 0x7f,
+  0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, 0x8b,
+  0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, 0x6a,
+  0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x76,
+  0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01,
+  0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x23,
+  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, 0x16,
+  0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, 0x37,
+  0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, 0x03,
+  0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, 0xbd,
+  0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, 0x1b,
+  0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14,
+  0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43,
+  0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
+  0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
+  0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
+  0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58,
+  0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8,
+  0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51,
+  0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
+  0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
+  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f,
+  0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43,
+  0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f,
+  0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e,
+  0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
+  0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01,
+  0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
+  0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
+  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72,
+  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50,
+  0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30,
+  0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06,
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
+  0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, 0x76,
+  0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, 0xef,
+  0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, 0x13,
+  0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, 0x82,
+  0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, 0x1a,
+  0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, 0x20,
+  0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, 0x90,
+  0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, 0x52,
+  0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, 0x6d,
+  0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, 0xaf,
+  0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, 0x49,
+  0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, 0x34,
+  0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, 0x75,
+  0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, 0xb9,
+  0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, 0x8f,
+  0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, 0x8c,
+  0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, 0x56,
+  0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, 0xae,
+  0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, 0x4a,
+  0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, 0x3c,
+  0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, 0x59,
+  0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, 0x3d,
+  0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, 0x53,
+  0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, 0x1b,
+  0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, 0x98,
+  0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, 0x85,
+  0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, 0xd2,
+  0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, 0xe2,
+  0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, 0x6c,
+  0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, 0x3b,
+  0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, 0x27,
+  0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, 0xa6,
+  0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, 0x3f,
+  0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, 0x55,
+  0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
+  0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
+  0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
+  0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
+  0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
+  0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
+};
+
+//
+// The most important thing about the variable payload is that it is a list of
+// lists, where the element size of any given *inner* list is constant.
+//
+// Since X509 certificates vary in size, each of our *inner* lists will contain
+// one element only (one X.509 certificate). This is explicitly mentioned in
+// the UEFI specification, in "28.4.1 Signature Database", in a Note.
+//
+// The list structure looks as follows:
+//
+// struct EFI_VARIABLE_AUTHENTICATION_2 {                           |
+//   struct EFI_TIME {                                              |
+//     UINT16 Year;                                                 |
+//     UINT8  Month;                                                |
+//     UINT8  Day;                                                  |
+//     UINT8  Hour;                                                 |
+//     UINT8  Minute;                                               |
+//     UINT8  Second;                                               |
+//     UINT8  Pad1;                                                 |
+//     UINT32 Nanosecond;                                           |
+//     INT16  TimeZone;                                             |
+//     UINT8  Daylight;                                             |
+//     UINT8  Pad2;                                                 |
+//   } TimeStamp;                                                   |
+//                                                                  |
+//   struct WIN_CERTIFICATE_UEFI_GUID {                           | |
+//     struct WIN_CERTIFICATE {                                   | |
+//       UINT32 dwLength; ----------------------------------------+ |
+//       UINT16 wRevision;                                        | |
+//       UINT16 wCertificateType;                                 | |
+//     } Hdr;                                                     | +- DataSize
+//                                                                | |
+//     EFI_GUID CertType;                                         | |
+//     UINT8    CertData[1] = { <--- "struct hack"                | |
+//       struct EFI_SIGNATURE_LIST {                            | | |
+//         EFI_GUID SignatureType;                              | | |
+//         UINT32   SignatureListSize; -------------------------+ | |
+//         UINT32   SignatureHeaderSize;                        | | |
+//         UINT32   SignatureSize; ---------------------------+ | | |
+//         UINT8    SignatureHeader[SignatureHeaderSize];     | | | |
+//                                                            v | | |
+//         struct EFI_SIGNATURE_DATA {                        | | | |
+//           EFI_GUID SignatureOwner;                         | | | |
+//           UINT8    SignatureData[1] = { <--- "struct hack" | | | |
+//             X.509 payload                                  | | | |
+//           }                                                | | | |
+//         } Signatures[];                                      | | |
+//       } SigLists[];                                            | |
+//     };                                                         | |
+//   } AuthInfo;                                                  | |
+// };                                                               |
+//
+// Given that the "struct hack" invokes undefined behavior (which is why C99
+// introduced the flexible array member), and because subtracting those pesky
+// sizes of 1 is annoying, and because the format is fully specified in the
+// UEFI specification, we'll introduce two matching convenience structures that
+// are customized for our X.509 purposes.
+//
+#pragma pack(1)
+typedef struct {
+  EFI_TIME TimeStamp;
+
+  //
+  // dwLength covers data below
+  //
+  UINT32   dwLength;
+  UINT16   wRevision;
+  UINT16   wCertificateType;
+  EFI_GUID CertType;
+} SINGLE_HEADER;
+
+typedef struct {
+  //
+  // SignatureListSize covers data below
+  //
+  EFI_GUID SignatureType;
+  UINT32   SignatureListSize;
+  UINT32   SignatureHeaderSize; // constant 0
+  UINT32   SignatureSize;
+
+  //
+  // SignatureSize covers data below
+  //
+  EFI_GUID SignatureOwner;
+
+  //
+  // X.509 certificate follows
+  //
+} REPEATING_HEADER;
+#pragma pack()
+
+/**
+  Enroll a set of DER-formatted X.509 certificates in a global variable,
+  overwriting it.
+
+  The variable will be rewritten with NV+BS+RT+AT attributes.
+
+  @param[in] VariableName  The name of the variable to overwrite.
+
+  @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
+                           overwrite.
+
+  @param[in] ...           A list of
+
+                             IN CONST UINT8    *Cert,
+                             IN UINTN          CertSize,
+                             IN CONST EFI_GUID *OwnerGuid
+
+                           triplets. If the first component of a triplet is
+                           NULL, then the other two components are not
+                           accessed, and processing is terminated. The list of
+                           X.509 certificates is enrolled in the variable
+                           specified, overwriting it. The OwnerGuid component
+                           identifies the agent installing the certificate.
+
+  @retval EFI_INVALID_PARAMETER  The triplet list is empty (ie. the first Cert
+                                 value is NULL), or one of the CertSize values
+                                 is 0, or one of the CertSize values would
+                                 overflow the accumulated UINT32 data size.
+
+  @retval EFI_OUT_OF_RESOURCES   Out of memory while formatting variable
+                                 payload.
+
+  @retval EFI_SUCCESS            Enrollment successful; the variable has been
+                                 overwritten (or created).
+
+  @return                        Error codes from gRT->GetTime() and
+                                 gRT->SetVariable().
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+EnrollListOfX509Certs (
+  IN CHAR16   *VariableName,
+  IN EFI_GUID *VendorGuid,
+  ...
+  )
+{
+  UINTN            DataSize;
+  SINGLE_HEADER    *SingleHeader;
+  REPEATING_HEADER *RepeatingHeader;
+  VA_LIST          Marker;
+  CONST UINT8      *Cert;
+  EFI_STATUS       Status;
+  UINT8            *Data;
+  UINT8            *Position;
+
+  //
+  // compute total size first, for UINT32 range check, and allocation
+  //
+  DataSize = sizeof *SingleHeader;
+  VA_START (Marker, VendorGuid);
+  for (Cert = VA_ARG (Marker, CONST UINT8 *);
+       Cert != NULL;
+       Cert = VA_ARG (Marker, CONST UINT8 *)) {
+    UINTN          CertSize;
+    CONST EFI_GUID *OwnerGuid;
+
+    CertSize  = VA_ARG (Marker, UINTN);
+    OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
+
+    if (CertSize == 0 ||
+        CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||
+        DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {
+      Status = EFI_INVALID_PARAMETER;
+      break;
+    }
+    DataSize += sizeof *RepeatingHeader + CertSize;
+  }
+  VA_END (Marker);
+
+  if (DataSize == sizeof *SingleHeader) {
+    Status = EFI_INVALID_PARAMETER;
+  }
+  if (EFI_ERROR (Status)) {
+    goto Out;
+  }
+
+  Data = AllocatePool (DataSize);
+  if (Data == NULL) {
+    Status = EFI_OUT_OF_RESOURCES;
+    goto Out;
+  }
+
+  Position = Data;
+
+  SingleHeader = (SINGLE_HEADER *)Position;
+  Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);
+  if (EFI_ERROR (Status)) {
+    goto FreeData;
+  }
+  SingleHeader->TimeStamp.Pad1       = 0;
+  SingleHeader->TimeStamp.Nanosecond = 0;
+  SingleHeader->TimeStamp.TimeZone   = 0;
+  SingleHeader->TimeStamp.Daylight   = 0;
+  SingleHeader->TimeStamp.Pad2       = 0;
+#if 0
+  SingleHeader->dwLength         = DataSize - sizeof SingleHeader->TimeStamp;
+#else
+  //
+  // This looks like a bug in edk2. According to the UEFI specification,
+  // dwLength is "The length of the entire certificate, including the length of
+  // the header, in bytes". That shouldn't stop right after CertType -- it
+  // should include everything below it.
+  //
+  SingleHeader->dwLength         = sizeof *SingleHeader
+                                     - sizeof SingleHeader->TimeStamp;
+#endif
+  SingleHeader->wRevision        = 0x0200;
+  SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;
+  CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);
+  Position += sizeof *SingleHeader;
+
+  VA_START (Marker, VendorGuid);
+  for (Cert = VA_ARG (Marker, CONST UINT8 *);
+       Cert != NULL;
+       Cert = VA_ARG (Marker, CONST UINT8 *)) {
+    UINTN            CertSize;
+    CONST EFI_GUID   *OwnerGuid;
+
+    CertSize  = VA_ARG (Marker, UINTN);
+    OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
+
+    RepeatingHeader = (REPEATING_HEADER *)Position;
+    CopyGuid (&RepeatingHeader->SignatureType, &gEfiCertX509Guid);
+    RepeatingHeader->SignatureListSize   = sizeof *RepeatingHeader + CertSize;
+    RepeatingHeader->SignatureHeaderSize = 0;
+    RepeatingHeader->SignatureSize       =
+      sizeof RepeatingHeader->SignatureOwner + CertSize;
+    CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);
+    Position += sizeof *RepeatingHeader;
+
+    CopyMem (Position, Cert, CertSize);
+    Position += CertSize;
+  }
+  VA_END (Marker);
+
+  ASSERT (Data + DataSize == Position);
+
+  Status = gRT->SetVariable (VariableName, VendorGuid,
+                  (EFI_VARIABLE_NON_VOLATILE |
+                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
+                   EFI_VARIABLE_RUNTIME_ACCESS |
+                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
+                  DataSize, Data);
+
+FreeData:
+  FreePool (Data);
+
+Out:
+  if (EFI_ERROR (Status)) {
+    AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
+      VendorGuid, Status);
+  }
+  return Status;
+}
+
+
+STATIC
+EFI_STATUS
+EFIAPI
+GetExact (
+  IN CHAR16   *VariableName,
+  IN EFI_GUID *VendorGuid,
+  OUT VOID    *Data,
+  IN UINTN    DataSize,
+  IN BOOLEAN  AllowMissing
+  )
+{
+  UINTN      Size;
+  EFI_STATUS Status;
+
+  Size = DataSize;
+  Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);
+  if (EFI_ERROR (Status)) {
+    if (Status == EFI_NOT_FOUND && AllowMissing) {
+      ZeroMem (Data, DataSize);
+      return EFI_SUCCESS;
+    }
+
+    AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,
+      VendorGuid, Status);
+    return Status;
+  }
+
+  if (Size != DataSize) {
+    AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
+      "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
+    return EFI_PROTOCOL_ERROR;
+  }
+
+  return EFI_SUCCESS;
+}
+
+typedef struct {
+  UINT8 SetupMode;
+  UINT8 SecureBoot;
+  UINT8 SecureBootEnable;
+  UINT8 CustomMode;
+  UINT8 VendorKeys;
+} SETTINGS;
+
+STATIC
+EFI_STATUS
+EFIAPI
+GetSettings (
+  OUT SETTINGS *Settings
+  )
+{
+  EFI_STATUS Status;
+
+  Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
+             &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,
+             &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,
+             &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,
+             sizeof Settings->SecureBootEnable, TRUE);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
+             &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
+             &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
+  return Status;
+}
+
+STATIC
+VOID
+EFIAPI
+PrintSettings (
+  IN CONST SETTINGS *Settings
+  )
+{
+  AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
+    "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
+    Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
+}
+
+
+INTN
+EFIAPI
+ShellAppMain (
+  IN UINTN  Argc,
+  IN CHAR16 **Argv
+  )
+{
+  EFI_STATUS Status;
+  SETTINGS   Settings;
+
+  Status = GetSettings (&Settings);
+  if (EFI_ERROR (Status)) {
+    return 1;
+  }
+  PrintSettings (&Settings);
+
+  if (Settings.SetupMode != 1) {
+    AsciiPrint ("error: already in User Mode\n");
+    return 1;
+  }
+
+  if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
+    Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
+    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
+                    (EFI_VARIABLE_NON_VOLATILE |
+                     EFI_VARIABLE_BOOTSERVICE_ACCESS),
+                    sizeof Settings.CustomMode, &Settings.CustomMode);
+    if (EFI_ERROR (Status)) {
+      AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
+        &gEfiCustomModeEnableGuid, Status);
+      return 1;
+    }
+  }
+
+  Status = EnrollListOfX509Certs (
+             EFI_IMAGE_SECURITY_DATABASE,
+             &gEfiImageSecurityDatabaseGuid,
+             MicrosoftPCA,    sizeof MicrosoftPCA,    &gEfiCallerIdGuid,
+             MicrosoftUefiCA, sizeof MicrosoftUefiCA, &gEfiCallerIdGuid,
+             NULL);
+  if (EFI_ERROR (Status)) {
+    return 1;
+  }
+
+  Status = EnrollListOfX509Certs (
+             EFI_KEY_EXCHANGE_KEY_NAME,
+             &gEfiGlobalVariableGuid,
+             ExampleCert,  sizeof ExampleCert,  &gEfiCallerIdGuid,
+             MicrosoftKEK, sizeof MicrosoftKEK, &gEfiCallerIdGuid,
+             NULL);
+  if (EFI_ERROR (Status)) {
+    return 1;
+  }
+
+  Status = EnrollListOfX509Certs (
+             EFI_PLATFORM_KEY_NAME,
+             &gEfiGlobalVariableGuid,
+             ExampleCert, sizeof ExampleCert, &gEfiGlobalVariableGuid,
+             NULL);
+  if (EFI_ERROR (Status)) {
+    return 1;
+  }
+
+  Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
+  Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
+                  EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  sizeof Settings.CustomMode, &Settings.CustomMode);
+  if (EFI_ERROR (Status)) {
+    AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
+      &gEfiCustomModeEnableGuid, Status);
+    return 1;
+  }
+
+  Status = GetSettings (&Settings);
+  if (EFI_ERROR (Status)) {
+    return 1;
+  }
+  PrintSettings (&Settings);
+
+  if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
+      Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
+      Settings.VendorKeys != 0) {
+    AsciiPrint ("error: unexpected\n");
+    return 1;
+  }
+
+  AsciiPrint ("info: success\n");
+  return 0;
+}
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
new file mode 100644
index 000000000000..30c127f2ecb4
--- /dev/null
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
@@ -0,0 +1,51 @@ 
+## @file
+#  Enroll default PK, KEK, DB.
+#
+#  Copyright (C) 2014, Red Hat, Inc.
+#
+#  This program and the accompanying materials are licensed and made available
+#  under the terms and conditions of the BSD License which accompanies this
+#  distribution. The full text of the license may be found at
+#  http://opensource.org/licenses/bsd-license.
+#
+#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
+#  IMPLIED.
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010006
+  BASE_NAME                      = EnrollDefaultKeys
+  FILE_GUID                      = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
+  MODULE_TYPE                    = UEFI_APPLICATION
+  VERSION_STRING                 = 0.1
+  ENTRY_POINT                    = ShellCEntryLib
+
+#
+#  VALID_ARCHITECTURES           = IA32 X64
+#
+
+[Sources]
+  EnrollDefaultKeys.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  SecurityPkg/SecurityPkg.dec
+  ShellPkg/ShellPkg.dec
+
+[Guids]
+  gEfiCertPkcs7Guid
+  gEfiCertX509Guid
+  gEfiCustomModeEnableGuid
+  gEfiGlobalVariableGuid
+  gEfiImageSecurityDatabaseGuid
+  gEfiSecureBootEnableDisableGuid
+
+[LibraryClasses]
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  ShellCEntryLib
+  UefiLib
+  UefiRuntimeServicesTableLib
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 4ce5570a8fd2..3de5a25b1b73 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -695,6 +695,10 @@  [Components]
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
+    <LibraryClasses>
+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
+  }
 !endif
 
   OvmfPkg/PlatformDxe/Platform.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index e26d0d1a822f..feeb26964ac8 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -702,6 +702,10 @@  [Components.X64]
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
+    <LibraryClasses>
+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
+  }
 !endif
 
   OvmfPkg/PlatformDxe/Platform.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 13f3b4a43649..fb5fe956a972 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -700,6 +700,10 @@  [Components]
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
+    <LibraryClasses>
+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
+  }
 !endif
 
   OvmfPkg/PlatformDxe/Platform.inf
-- 
1.8.3.1