* [PATCH 1/5] ovmf: Update to version edk2-stable201905
2019-08-07 1:44 [PATCH 0/5] ovmf: Bump to edk2-stable201905 and add improvements Ricardo Neri
@ 2019-08-07 1:44 ` Ricardo Neri
2019-08-07 1:44 ` [PATCH 2/5] ovmf: Set PV Ricardo Neri
` (5 subsequent siblings)
6 siblings, 0 replies; 10+ messages in thread
From: Ricardo Neri @ 2019-08-07 1:44 UTC (permalink / raw)
To: openembedded-core
Fixes [YOCTO #13438]
Update OVMF to edk2-stable201905. Since the last update, several things
have changed. Many of the patches we were carrying have now been taken
upstream in EDK2 or become obsolete. See below for details.
Also, as of commit 0c1ffb9504c3("CryptoPkg: Adding OpenSSL as one
submodule of EDKII repo"), openssl is not embedded into EDK2 using a
patching script but a git submodule. Then, use the gitsm bitbabke fetcher
and drop the extra SRC_URI from openssl when building with secureboot
enabled. Also remove all related variables.
Patches are updated as follows:
Drop 0001-ia32-Dont-use-pie.patch as it is implemented in upstream EDK2
in commits are 11d0cd23dd1b ("BaseTools/tools_def IA32: drop -no-pie linker
option for GCC49" and c25d3905523a ("BaseTools/tools_def IA32: disable PIE
code generation explicitly") for the applicable GCC versions.
Rebase 0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
to edk2-stable201905.
Drop VfrCompile-increase-path-length-limit.patch as it has been taken
upstream in EDK2 in commit ba78032bc8c9f("BaseTools/VfrCompile: Remove the
MAX_PATH limitation")
Rebase no-stack-protector-all-archs.patch to keep behavior on not using
stack protector on all archs.
Drop 0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch,
0002-BaseTools-header.makefile-add-Wno-restrict.patch, and
0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch. These
patches have been taken in upstream EDK2 in commits 9222154ae7b3("BaseTools
/header.makefile: add "-Wno-restrict"), 1d212a83df0e("BaseTools/
header.makefile: add "-Wno-stringop-truncation"), and 777f4aa083e9
("BaseTools/header.makefile: revert gcc-8 '-Wno-xxx' options on OSX"),
respectively.
Also, drop 0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch.
GenVtf has been removed from EDK2 in commit 64ab2c82e8f6("BaseTools:
Remove GenVtf"). Also, this patch had been taken in EDK2 upstream in
commit 9de306701312("BaseTools/GenVtf: silence false 'stringop-overflow'
warning with memcpy()").
Drop patch 0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
as it also has been taken by EDK2.
Patches 0002-ovmf-update-path-to-native-BaseTools.patch and
0004-ovmf-enable-long-path-file.patch did not need any update.
Lastly, add a needed dependency on bc.
Cc: Ross Burton <ross.burton@intel.com>
Cc: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
---
This is a rather large changeset with several changes in it. I implemented
in this manner (as opposed to a collection of smaller changes) to avoid
build breaks in intermediate commits in git bisections.
If needed, I can reimplement in several commits that makes sense
logically.
Also, I am not sure how maintainers will apply this patch. If
using git am, the --keep-cr should be used to accommodate the line
endings used in EDK2.
---
....makefile-add-Wno-stringop-truncatio.patch | 71 --
.../ovmf/ovmf/0001-ia32-Dont-use-pie.patch | 46 -
| 102 --
....makefile-revert-gcc-8-Wno-xxx-optio.patch | 53 -
...ile-adjust-to-build-in-under-bitbake.patch | 33 +-
...-silence-false-stringop-overflow-war.patch | 66 -
...faultKeys-application-for-enrolling-.patch | 1124 -----------------
.../ovmf/no-stack-protector-all-archs.patch | 26 +-
meta/recipes-core/ovmf/ovmf_git.bb | 28 +-
9 files changed, 47 insertions(+), 1502 deletions(-)
delete mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0001-ia32-Dont-use-pie.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
diff --git a/meta/recipes-core/ovmf/ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch b/meta/recipes-core/ovmf/ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch
deleted file mode 100644
index 342fcc6231..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 9fce4bab014b9aa618060eba13d6dd04b0fa1b70 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek <lersek@redhat.com>
-Date: Fri, 2 Mar 2018 17:11:52 +0100
-Subject: [PATCH 1/4] BaseTools/header.makefile: add "-Wno-stringop-truncation"
-
-gcc-8 (which is part of Fedora 28) enables the new warning
-"-Wstringop-truncation" in "-Wall". This warning is documented in detail
-at <https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html>; the
-introduction says
-
-> Warn for calls to bounded string manipulation functions such as strncat,
-> strncpy, and stpncpy that may either truncate the copied string or leave
-> the destination unchanged.
-
-It breaks the BaseTools build with:
-
-> EfiUtilityMsgs.c: In function 'PrintMessage':
-> EfiUtilityMsgs.c:484:9: error: 'strncat' output may be truncated copying
-> between 0 and 511 bytes from a string of length 511
-> [-Werror=stringop-truncation]
-> strncat (Line, Line2, MAX_LINE_LEN - strlen (Line) - 1);
-> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-> EfiUtilityMsgs.c:469:9: error: 'strncat' output may be truncated copying
-> between 0 and 511 bytes from a string of length 511
-> [-Werror=stringop-truncation]
-> strncat (Line, Line2, MAX_LINE_LEN - strlen (Line) - 1);
-> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-> EfiUtilityMsgs.c:511:5: error: 'strncat' output may be truncated copying
-> between 0 and 511 bytes from a string of length 511
-> [-Werror=stringop-truncation]
-> strncat (Line, Line2, MAX_LINE_LEN - strlen (Line) - 1);
-> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The right way to fix the warning would be to implement string concat with
-snprintf(). However, Microsoft does not appear to support snprintf()
-before VS2015
-<https://stackoverflow.com/questions/2915672/snprintf-and-visual-studio-2010>,
-so we just have to shut up the warning. The strncat() calls flagged above
-are valid BTW.
-
-Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Cc: Cole Robinson <crobinso@redhat.com>
-Cc: Liming Gao <liming.gao@intel.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Yonghong Zhu <yonghong.zhu@intel.com>
-Contributed-under: TianoCore Contribution Agreement 1.1
-Signed-off-by: Laszlo Ersek <lersek@redhat.com>
-Reviewed-by: Liming Gao <liming.gao@intel.com>
----
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Upstream-Status: Backport
-
- BaseTools/Source/C/Makefiles/header.makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-Index: git/BaseTools/Source/C/Makefiles/header.makefile
-===================================================================
---- git.orig/BaseTools/Source/C/Makefiles/header.makefile
-+++ git/BaseTools/Source/C/Makefiles/header.makefile
-@@ -47,9 +47,9 @@ INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT)
- BUILD_CPPFLAGS += $(INCLUDE) -O2
- ifeq ($(DARWIN),Darwin)
- # assume clang or clang compatible flags on OS X
--BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g
-+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-self-assign -Wno-unused-result -nostdlib -c -g
- else
--BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-unused-result -nostdlib -c -g
-+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-unused-result -nostdlib -c -g
- endif
- BUILD_LFLAGS = $(LDFLAGS)
- BUILD_CXXFLAGS += -Wno-unused-result
diff --git a/meta/recipes-core/ovmf/ovmf/0001-ia32-Dont-use-pie.patch b/meta/recipes-core/ovmf/ovmf/0001-ia32-Dont-use-pie.patch
deleted file mode 100644
index 5bb418b954..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0001-ia32-Dont-use-pie.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From f65e9cc025278387b494c2383c5d9ff3bed98687 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Sun, 11 Jun 2017 00:47:24 -0700
-Subject: [PATCH] ia32: Dont use -pie
-
-Upstream-Status: Pending
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- BaseTools/Conf/tools_def.template | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-Index: git/BaseTools/Conf/tools_def.template
-===================================================================
---- git.orig/BaseTools/Conf/tools_def.template
-+++ git/BaseTools/Conf/tools_def.template
-@@ -4336,7 +4336,7 @@ RELEASE_*_*_OBJCOPY_ADDDEBUGFLAG =
- NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG = --add-gnu-debuglink=$(DEBUG_DIR)/$(MODULE_NAME).debug
-
- DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -include AutoGen.h -fno-common
--DEFINE GCC_IA32_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -m32 -malign-double -freorder-blocks -freorder-blocks-and-partition -O2 -mno-stack-arg-probe
-+DEFINE GCC_IA32_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -m32 -malign-double -freorder-blocks -freorder-blocks-and-partition -O2 -mno-stack-arg-probe -fno-PIE -no-pie
- DEFINE GCC_X64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mno-red-zone -Wno-address -mno-stack-arg-probe
- DEFINE GCC_IPF_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -minline-int-divide-min-latency
- DEFINE GCC_ARM_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -mfloat-abi=soft -fno-pic -fno-pie
-@@ -4369,9 +4369,9 @@ DEFINE GCC_ARM_RC_FLAGS = -I
- DEFINE GCC_AARCH64_RC_FLAGS = -I binary -O elf64-littleaarch64 -B aarch64 --rename-section .data=.hii
-
- DEFINE GCC44_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
--DEFINE GCC44_IA32_CC_FLAGS = DEF(GCC44_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables
-+DEFINE GCC44_IA32_CC_FLAGS = DEF(GCC44_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -fno-PIE -no-pie
- DEFINE GCC44_X64_CC_FLAGS = DEF(GCC44_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables
--DEFINE GCC44_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20
-+DEFINE GCC44_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20 -no-pie
- DEFINE GCC44_IA32_X64_ASLDLINK_FLAGS = DEF(GCC44_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable
- DEFINE GCC44_IA32_X64_DLINK_FLAGS = DEF(GCC44_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map
- DEFINE GCC44_IA32_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON)
-@@ -4451,7 +4451,7 @@ DEFINE GCC48_AARCH64_ASLDLINK_FLAGS = D
-
- DEFINE GCC49_IA32_CC_FLAGS = DEF(GCC48_IA32_CC_FLAGS)
- DEFINE GCC49_X64_CC_FLAGS = DEF(GCC48_X64_CC_FLAGS)
--DEFINE GCC49_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x40
-+DEFINE GCC49_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x40 -no-pie
- DEFINE GCC49_IA32_X64_ASLDLINK_FLAGS = DEF(GCC49_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable
- DEFINE GCC49_IA32_X64_DLINK_FLAGS = DEF(GCC49_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map
- DEFINE GCC49_IA32_DLINK2_FLAGS = DEF(GCC48_IA32_DLINK2_FLAGS)
diff --git a/meta/recipes-core/ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch b/meta/recipes-core/ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch
deleted file mode 100644
index a076665c33..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 86dbdac5a25bd23deb4a0e0a97b527407e02184d Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek <lersek@redhat.com>
-Date: Fri, 2 Mar 2018 17:11:52 +0100
-Subject: [PATCH 2/4] BaseTools/header.makefile: add "-Wno-restrict"
-
-gcc-8 (which is part of Fedora 28) enables the new warning
-"-Wrestrict" in "-Wall". This warning is documented in detail
-at <https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html>; the
-introduction says
-
-> Warn when an object referenced by a restrict-qualified parameter (or, in
-> C++, a __restrict-qualified parameter) is aliased by another argument,
-> or when copies between such objects overlap.
-
-It breaks the BaseTools build (in the Brotli compression library) with:
-
-> In function 'ProcessCommandsInternal',
-> inlined from 'ProcessCommands' at dec/decode.c:1828:10:
-> dec/decode.c:1781:9: error: 'memcpy' accessing between 17 and 2147483631
-> bytes at offsets 16 and 16 overlaps between 17 and 2147483631 bytes at
-> offset 16 [-Werror=restrict]
-> memcpy(copy_dst + 16, copy_src + 16, (size_t)(i - 16));
-> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-> In function 'ProcessCommandsInternal',
-> inlined from 'SafeProcessCommands' at dec/decode.c:1833:10:
-> dec/decode.c:1781:9: error: 'memcpy' accessing between 17 and 2147483631
-> bytes at offsets 16 and 16 overlaps between 17 and 2147483631 bytes at
-> offset 16 [-Werror=restrict]
-> memcpy(copy_dst + 16, copy_src + 16, (size_t)(i - 16));
-> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Paolo Bonzini <pbonzini@redhat.com> analyzed the Brotli source in detail,
-and concluded that the warning is a false positive:
-
-> This seems safe to me, because it's preceded by:
->
-> uint8_t* copy_dst = &s->ringbuffer[pos];
-> uint8_t* copy_src = &s->ringbuffer[src_start];
-> int dst_end = pos + i;
-> int src_end = src_start + i;
-> if (src_end > pos && dst_end > src_start) {
-> /* Regions intersect. */
-> goto CommandPostWrapCopy;
-> }
->
-> If [src_start, src_start + i) and [pos, pos + i) don't intersect, then
-> neither do [src_start + 16, src_start + i) and [pos + 16, pos + i).
->
-> The if seems okay:
->
-> (src_start + i > pos && pos + i > src_start)
->
-> which can be rewritten to:
->
-> (pos < src_start + i && src_start < pos + i)
->
-> Then the numbers are in one of these two orders:
->
-> pos <= src_start < pos + i <= src_start + i
-> src_start <= pos < src_start + i <= pos + i
->
-> These two would be allowed by the "if", but they can only happen if pos
-> == src_start so they degenerate to the same two orders above:
->
-> pos <= src_start < src_start + i <= pos + i
-> src_start <= pos < pos + i <= src_start + i
->
-> So it is a false positive in GCC.
-
-Disable the warning for now.
-
-Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Cc: Cole Robinson <crobinso@redhat.com>
-Cc: Liming Gao <liming.gao@intel.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Yonghong Zhu <yonghong.zhu@intel.com>
-Reported-by: Cole Robinson <crobinso@redhat.com>
-Contributed-under: TianoCore Contribution Agreement 1.1
-Signed-off-by: Laszlo Ersek <lersek@redhat.com>
-Reviewed-by: Liming Gao <liming.gao@intel.com>
----
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Upstream-Status: Backport
- BaseTools/Source/C/Makefiles/header.makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-Index: git/BaseTools/Source/C/Makefiles/header.makefile
-===================================================================
---- git.orig/BaseTools/Source/C/Makefiles/header.makefile
-+++ git/BaseTools/Source/C/Makefiles/header.makefile
-@@ -47,9 +47,9 @@ INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT)
- BUILD_CPPFLAGS += $(INCLUDE) -O2
- ifeq ($(DARWIN),Darwin)
- # assume clang or clang compatible flags on OS X
--BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-self-assign -Wno-unused-result -nostdlib -c -g
-+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-self-assign -Wno-unused-result -nostdlib -c -g
- else
--BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-unused-result -nostdlib -c -g
-+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-unused-result -nostdlib -c -g
- endif
- BUILD_LFLAGS = $(LDFLAGS)
- BUILD_CXXFLAGS += -Wno-unused-result
diff --git a/meta/recipes-core/ovmf/ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch b/meta/recipes-core/ovmf/ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch
deleted file mode 100644
index 920723e326..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 6866325dd9c17412e555974dde41f9631224db52 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek <lersek@redhat.com>
-Date: Wed, 7 Mar 2018 10:17:28 +0100
-Subject: [PATCH 3/4] BaseTools/header.makefile: revert gcc-8 "-Wno-xxx"
- options on OSX
-
-I recently added the gcc-8 specific "-Wno-stringop-truncation" and
-"-Wno-restrict" options to BUILD_CFLAGS, both for "Darwin" (XCODE5 /
-clang, OSX) and otherwise (gcc, Linux / Cygwin).
-
-I also regression-tested the change with gcc-4.8 on Linux -- gcc-4.8 does
-not know either of the (gcc-8 specific) "-Wno-stringop-truncation" and
-"-Wno-restrict" options, yet the build completed fine (by GCC design).
-
-Regarding OSX, my expectation was that
-
-- XCODE5 / clang would either recognize these warnings options (because
- clang does recognize most -W options of gcc),
-
-- or, similarly to gcc, clang would simply ignore the "-Wno-xxx" flags
- that it didn't recognize.
-
-Neither is the case; the new flags have broken the BaseTools build on OSX.
-Revert them (for OSX only).
-
-Cc: Liming Gao <liming.gao@intel.com>
-Cc: Yonghong Zhu <yonghong.zhu@intel.com>
-Reported-by: Liming Gao <liming.gao@intel.com>
-Fixes: 1d212a83df0eaf32a6f5d4159beb2d77832e0231
-Fixes: 9222154ae7b3eef75ae88cdb56158256227cb929
-Contributed-under: TianoCore Contribution Agreement 1.1
-Signed-off-by: Laszlo Ersek <lersek@redhat.com>
-Reviewed-by: Liming Gao <liming.gao@intel.com>
-Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
----
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Upstream-Status: Backport
- BaseTools/Source/C/Makefiles/header.makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: git/BaseTools/Source/C/Makefiles/header.makefile
-===================================================================
---- git.orig/BaseTools/Source/C/Makefiles/header.makefile
-+++ git/BaseTools/Source/C/Makefiles/header.makefile
-@@ -47,7 +47,7 @@ INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT)
- BUILD_CPPFLAGS += $(INCLUDE) -O2
- ifeq ($(DARWIN),Darwin)
- # assume clang or clang compatible flags on OS X
--BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-self-assign -Wno-unused-result -nostdlib -c -g
-+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g
- else
- BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-unused-result -nostdlib -c -g
- endif
diff --git a/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch b/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
index 65b5c16dcb..070b0ac5a6 100644
--- a/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
+++ b/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
@@ -1,6 +1,6 @@
From 2320650c6d381b914fe91b2dedaa5870279a8bcf Mon Sep 17 00:00:00 2001
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
-Date: Sun, 27 Nov 2016 18:42:55 -0800
+Date: Fri, 26 Jul 2019 17:34:26 -0400
Subject: [PATCH] BaseTools: makefile: adjust to build in under bitbake
Prepend the build flags with those of bitbake. This is to build
@@ -9,31 +9,42 @@ using the bitbake native sysroot include and library directories.
Signed-off-by: Ricardo Neri <ricardo.neri@linux.intel.com>
Upstream-Status: Pending
---
- BaseTools/Source/C/Makefiles/header.makefile | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
+ BaseTools/Source/C/Makefiles/header.makefile | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
Index: git/BaseTools/Source/C/Makefiles/header.makefile
===================================================================
--- git.orig/BaseTools/Source/C/Makefiles/header.makefile
+++ git/BaseTools/Source/C/Makefiles/header.makefile
-@@ -44,15 +44,15 @@ ARCH_INCLUDE = -I $(MAKEROOT)/Include/AA
+@@ -62,23 +62,23 @@ $(error Bad HOST_ARCH)
endif
INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT) -I $(MAKEROOT)/Include/Common -I $(MAKEROOT)/Include/ -I $(MAKEROOT)/Include/IndustryStandard -I $(MAKEROOT)/Common/ -I .. -I . $(ARCH_INCLUDE)
--BUILD_CPPFLAGS = $(INCLUDE) -O2
-+BUILD_CPPFLAGS += $(INCLUDE) -O2
+-BUILD_CPPFLAGS = $(INCLUDE)
++BUILD_CPPFLAGS += $(INCLUDE)
+
+ # keep EXTRA_OPTFLAGS last
+ BUILD_OPTFLAGS = -O2 $(EXTRA_OPTFLAGS)
+
ifeq ($(DARWIN),Darwin)
# assume clang or clang compatible flags on OS X
--BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g
-+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g
+-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror \
++BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror \
+ -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -g
else
--BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-unused-result -nostdlib -c -g
-+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-unused-result -nostdlib -c -g
+-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
++BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
+ -fno-delete-null-pointer-checks -Wall -Werror \
+ -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \
+ -Wno-unused-result -nostdlib -g
endif
-BUILD_LFLAGS =
-BUILD_CXXFLAGS = -Wno-unused-result
+BUILD_LFLAGS = $(LDFLAGS)
+BUILD_CXXFLAGS += -Wno-unused-result
- ifeq ($(ARCH), IA32)
+ ifeq ($(HOST_ARCH), IA32)
#
+--
+2.20.1
+
diff --git a/meta/recipes-core/ovmf/ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch b/meta/recipes-core/ovmf/ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch
deleted file mode 100644
index 7ad7cdf0ce..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From dfb42a5bff78d9239a80731e337855234badef3e Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek <lersek@redhat.com>
-Date: Fri, 2 Mar 2018 17:11:52 +0100
-Subject: [PATCH 4/4] BaseTools/GenVtf: silence false "stringop-overflow"
- warning with memcpy()
-
-gcc-8 (which is part of Fedora 28) enables the new warning
-"-Wstringop-overflow" in "-Wall". This warning is documented in detail at
-<https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html>; the
-introduction says
-
-> Warn for calls to string manipulation functions such as memcpy and
-> strcpy that are determined to overflow the destination buffer.
-
-It breaks the BaseTools build with:
-
-> GenVtf.c: In function 'ConvertVersionInfo':
-> GenVtf.c:132:7: error: 'strncpy' specified bound depends on the length
-> of the source argument [-Werror=stringop-overflow=]
-> strncpy (TemStr + 4 - Length, Str, Length);
-> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-> GenVtf.c:130:14: note: length computed here
-> Length = strlen(Str);
-> ^~~~~~~~~~~
-
-It is a false positive because, while the bound equals the length of the
-source argument, the destination pointer is moved back towards the
-beginning of the destination buffer by the same amount (and this amount is
-range-checked first, so we can't precede the start of the dest buffer).
-
-Replace both strncpy() calls with memcpy().
-
-Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Cc: Cole Robinson <crobinso@redhat.com>
-Cc: Liming Gao <liming.gao@intel.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Yonghong Zhu <yonghong.zhu@intel.com>
-Reported-by: Cole Robinson <crobinso@redhat.com>
-Contributed-under: TianoCore Contribution Agreement 1.1
-Signed-off-by: Laszlo Ersek <lersek@redhat.com>
-Reviewed-by: Liming Gao <liming.gao@intel.com>
----
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Upstream-Status: Backport
- BaseTools/Source/C/GenVtf/GenVtf.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/BaseTools/Source/C/GenVtf/GenVtf.c b/BaseTools/Source/C/GenVtf/GenVtf.c
-index 2ae9a7be2c..0cd33e71e9 100644
---- a/BaseTools/Source/C/GenVtf/GenVtf.c
-+++ b/BaseTools/Source/C/GenVtf/GenVtf.c
-@@ -129,9 +129,9 @@ Returns:
- } else {
- Length = strlen(Str);
- if (Length < 4) {
-- strncpy (TemStr + 4 - Length, Str, Length);
-+ memcpy (TemStr + 4 - Length, Str, Length);
- } else {
-- strncpy (TemStr, Str + Length - 4, 4);
-+ memcpy (TemStr, Str + Length - 4, 4);
- }
-
- sscanf (
---
-2.17.0
-
diff --git a/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch b/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
deleted file mode 100644
index 3aa6cc4acb..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
+++ /dev/null
@@ -1,1124 +0,0 @@
-From: Laszlo Ersek <lersek@redhat.com>
-Date: Mon, 6 Jul 2015 20:22:02 +0200
-Subject: [PATCH] OvmfPkg: EnrollDefaultKeys: application for enrolling default
- keys
-
-(A port of the <https://bugzilla.redhat.com/show_bug.cgi?id=1148296> patch
-to Gerd's public RPMs.)
-
-This application is meant to be invoked by the management layer, after
-booting the UEFI shell and getting a shell prompt on the serial console.
-The app enrolls a number of certificates (see below), and then reports
-status to the serial console as well. The expected output is "info:
-success":
-
-> Shell> EnrollDefaultKeys.efi
-> info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
-> info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
-> info: success
-> Shell>
-
-In case of success, the management layer can force off or reboot the VM
-(for example with the "reset -s" or "reset -c" UEFI shell commands,
-respectively), and start the guest installation with SecureBoot enabled.
-
-PK:
-- A unique, static, ad-hoc certificate whose private half has been
- destroyed (more precisely, never saved) and is therefore unusable for
- signing. (The command for creating this certificate is saved in the
- source code.)
-
-KEK:
-- same ad-hoc certificate as used for the PK,
-- "Microsoft Corporation KEK CA 2011" -- the dbx data in Fedora's dbxtool
- package is signed (indirectly, through a chain) with this; enrolling
- such a KEK should allow guests to install those updates.
-
-DB:
-- "Microsoft Windows Production PCA 2011" -- to load Windows 8 and Windows
- Server 2012 R2,
-- "Microsoft Corporation UEFI CA 2011" -- to load Linux and signed PCI
- oproms.
-
-Contributed-under: TianoCore Contribution Agreement 1.0
-Signed-off-by: Laszlo Ersek <lersek@redhat.com>
-Upstream-Status: Inappropriate [not author]
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 960 ++++++++++++++++++++++++
- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 51 ++
- OvmfPkg/OvmfPkgIa32.dsc | 4 +
- OvmfPkg/OvmfPkgIa32X64.dsc | 4 +
- OvmfPkg/OvmfPkgX64.dsc | 4 +
- 5 files changed, 1023 insertions(+)
- create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
- create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
-
-diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
-new file mode 100644
-index 0000000..081212b
---- /dev/null
-+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
-@@ -0,0 +1,960 @@
-+/** @file
-+ Enroll default PK, KEK, DB.
-+
-+ Copyright (C) 2014, Red Hat, Inc.
-+
-+ This program and the accompanying materials are licensed and made available
-+ under the terms and conditions of the BSD License which accompanies this
-+ distribution. The full text of the license may be found at
-+ http://opensource.org/licenses/bsd-license.
-+
-+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
-+ WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-+**/
-+#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid
-+#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME
-+#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE
-+#include <Library/BaseMemoryLib.h> // CopyGuid()
-+#include <Library/DebugLib.h> // ASSERT()
-+#include <Library/MemoryAllocationLib.h> // FreePool()
-+#include <Library/ShellCEntryLib.h> // ShellAppMain()
-+#include <Library/UefiLib.h> // AsciiPrint()
-+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
-+
-+//
-+// The example self-signed certificate below, which we'll use for both Platform
-+// Key, and first Key Exchange Key, has been generated with the following
-+// non-interactive openssl command. The passphrase is read from /dev/urandom,
-+// and not saved, and the private key is written to /dev/null. In other words,
-+// we can't sign anything else against this certificate, which is our purpose.
-+//
-+/*
-+ openssl req \
-+ -passout file:<(head -c 16 /dev/urandom) \
-+ -x509 \
-+ -newkey rsa:2048 \
-+ -keyout /dev/null \
-+ -outform DER \
-+ -subj $(
-+ printf /C=US
-+ printf /ST=TestStateOrProvince
-+ printf /L=TestLocality
-+ printf /O=TestOrganization
-+ printf /OU=TestOrganizationalUnit
-+ printf /CN=TestCommonName
-+ printf /emailAddress=test@example.com
-+ ) \
-+ 2>/dev/null \
-+ | xxd -i
-+*/
-+STATIC CONST UINT8 ExampleCert[] = {
-+ 0x30, 0x82, 0x04, 0x45, 0x30, 0x82, 0x03, 0x2d, 0xa0, 0x03, 0x02, 0x01, 0x02,
-+ 0x02, 0x09, 0x00, 0xcf, 0x9f, 0x51, 0xa3, 0x07, 0xdb, 0x54, 0xa1, 0x30, 0x0d,
-+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
-+ 0x30, 0x81, 0xb8, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
-+ 0x02, 0x55, 0x53, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
-+ 0x13, 0x54, 0x65, 0x73, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x4f, 0x72, 0x50,
-+ 0x72, 0x6f, 0x76, 0x69, 0x6e, 0x63, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03,
-+ 0x55, 0x04, 0x07, 0x0c, 0x0c, 0x54, 0x65, 0x73, 0x74, 0x4c, 0x6f, 0x63, 0x61,
-+ 0x6c, 0x69, 0x74, 0x79, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a,
-+ 0x0c, 0x10, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a,
-+ 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04,
-+ 0x0b, 0x0c, 0x16, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69,
-+ 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x55, 0x6e, 0x69, 0x74, 0x31,
-+ 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0e, 0x54, 0x65, 0x73,
-+ 0x74, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x31, 0x1f,
-+ 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01,
-+ 0x16, 0x10, 0x74, 0x65, 0x73, 0x74, 0x40, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c,
-+ 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
-+ 0x30, 0x39, 0x31, 0x33, 0x32, 0x38, 0x32, 0x32, 0x5a, 0x17, 0x0d, 0x31, 0x34,
-+ 0x31, 0x31, 0x30, 0x38, 0x31, 0x33, 0x32, 0x38, 0x32, 0x32, 0x5a, 0x30, 0x81,
-+ 0xb8, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
-+ 0x53, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x13, 0x54,
-+ 0x65, 0x73, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x4f, 0x72, 0x50, 0x72, 0x6f,
-+ 0x76, 0x69, 0x6e, 0x63, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04,
-+ 0x07, 0x0c, 0x0c, 0x54, 0x65, 0x73, 0x74, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x69,
-+ 0x74, 0x79, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x10,
-+ 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74,
-+ 0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c,
-+ 0x16, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61,
-+ 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x55, 0x6e, 0x69, 0x74, 0x31, 0x17, 0x30,
-+ 0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0e, 0x54, 0x65, 0x73, 0x74, 0x43,
-+ 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x31, 0x1f, 0x30, 0x1d,
-+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10,
-+ 0x74, 0x65, 0x73, 0x74, 0x40, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e,
-+ 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
-+ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
-+ 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbf, 0xf1, 0xce,
-+ 0x17, 0x32, 0xac, 0xc4, 0x4b, 0xb2, 0xed, 0x84, 0x76, 0xe5, 0xd0, 0xf8, 0x21,
-+ 0xac, 0x10, 0xf8, 0x18, 0x09, 0x0e, 0x07, 0x13, 0x76, 0x21, 0x5c, 0xc4, 0xcc,
-+ 0xd5, 0xe6, 0x25, 0xa7, 0x26, 0x53, 0x79, 0x2f, 0x16, 0x4b, 0x85, 0xbd, 0xae,
-+ 0x42, 0x64, 0x58, 0xcb, 0x5e, 0xe8, 0x6e, 0x5a, 0xd0, 0xc4, 0x0f, 0x38, 0x16,
-+ 0xbe, 0xd3, 0x22, 0xa7, 0x3c, 0x9b, 0x8b, 0x5e, 0xcb, 0x62, 0x35, 0xc5, 0x9b,
-+ 0xe2, 0x8e, 0x4c, 0x65, 0x57, 0x4f, 0xcb, 0x27, 0xad, 0xe7, 0x63, 0xa7, 0x77,
-+ 0x2b, 0xd5, 0x02, 0x42, 0x70, 0x46, 0xac, 0xba, 0xb6, 0x60, 0x57, 0xd9, 0xce,
-+ 0x31, 0xc5, 0x12, 0x03, 0x4a, 0xf7, 0x2a, 0x2b, 0x40, 0x06, 0xb4, 0xdb, 0x31,
-+ 0xb7, 0x83, 0x6c, 0x67, 0x87, 0x98, 0x8b, 0xce, 0x1b, 0x30, 0x7a, 0xfa, 0x35,
-+ 0x6c, 0x86, 0x20, 0x74, 0xc5, 0x7d, 0x32, 0x31, 0x18, 0xeb, 0x69, 0xf7, 0x2d,
-+ 0x20, 0xc4, 0xf0, 0xd2, 0xfa, 0x67, 0x81, 0xc1, 0xbb, 0x23, 0xbb, 0x75, 0x1a,
-+ 0xe4, 0xb4, 0x49, 0x99, 0xdf, 0x12, 0x4c, 0xe3, 0x6d, 0x76, 0x24, 0x85, 0x24,
-+ 0xae, 0x5a, 0x9e, 0xbd, 0x54, 0x1c, 0xf9, 0x0e, 0xed, 0x96, 0xb5, 0xd8, 0xa2,
-+ 0x0d, 0x2a, 0x38, 0x5d, 0x12, 0x97, 0xb0, 0x4d, 0x75, 0x85, 0x1e, 0x47, 0x6d,
-+ 0xe1, 0x25, 0x59, 0xcb, 0xe9, 0x33, 0x86, 0x6a, 0xef, 0x98, 0x24, 0xa0, 0x2b,
-+ 0x02, 0x7b, 0xc0, 0x9f, 0x88, 0x03, 0xb0, 0xbe, 0x22, 0x65, 0x83, 0x77, 0xb3,
-+ 0x30, 0xba, 0xe0, 0x3b, 0x54, 0x31, 0x3a, 0x45, 0x81, 0x9c, 0x48, 0xaf, 0xc1,
-+ 0x11, 0x5b, 0xf2, 0x3a, 0x1e, 0x33, 0x1b, 0x8f, 0x0e, 0x04, 0xa4, 0x16, 0xd4,
-+ 0x6b, 0x57, 0xee, 0xe7, 0xba, 0xf5, 0xee, 0xaf, 0xe2, 0x4c, 0x50, 0xf8, 0x68,
-+ 0x57, 0x88, 0xfb, 0x7f, 0xa3, 0xcf, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x50,
-+ 0x30, 0x4e, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14,
-+ 0x1e, 0x44, 0xe5, 0xef, 0xcd, 0x6e, 0x1f, 0xdb, 0xcb, 0x4f, 0x94, 0x8f, 0xe3,
-+ 0x3b, 0x1a, 0x8c, 0xe6, 0x95, 0x29, 0x61, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d,
-+ 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x1e, 0x44, 0xe5, 0xef, 0xcd, 0x6e,
-+ 0x1f, 0xdb, 0xcb, 0x4f, 0x94, 0x8f, 0xe3, 0x3b, 0x1a, 0x8c, 0xe6, 0x95, 0x29,
-+ 0x61, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
-+ 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
-+ 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x12, 0x9c, 0x3e, 0x38,
-+ 0xfc, 0x26, 0xea, 0x6d, 0xb7, 0x5c, 0x29, 0x3c, 0x76, 0x20, 0x0c, 0xb2, 0xa9,
-+ 0x0f, 0xdf, 0xc0, 0x85, 0xfe, 0xeb, 0xec, 0x1d, 0x5d, 0x73, 0x84, 0xac, 0x8a,
-+ 0xb4, 0x2a, 0x86, 0x38, 0x30, 0xaf, 0xd2, 0x2d, 0x2a, 0xde, 0x54, 0xc8, 0x5c,
-+ 0x29, 0x90, 0x24, 0xf2, 0x39, 0xc1, 0xa5, 0x00, 0xb4, 0xb7, 0xd8, 0xdc, 0x59,
-+ 0x64, 0x50, 0x62, 0x5f, 0x54, 0xf1, 0x73, 0x02, 0x4d, 0x43, 0xc5, 0xc3, 0xc4,
-+ 0x0e, 0x62, 0x60, 0x8c, 0x53, 0x66, 0x57, 0x77, 0xb5, 0x81, 0xda, 0x1f, 0x81,
-+ 0xda, 0xe9, 0xd6, 0x5e, 0x82, 0xce, 0xa7, 0x5c, 0xc0, 0xa6, 0xbe, 0x9c, 0x5c,
-+ 0x7b, 0xa5, 0x15, 0xc8, 0xd7, 0x14, 0x53, 0xd3, 0x5c, 0x1c, 0x9f, 0x8a, 0x9f,
-+ 0x66, 0x15, 0xd5, 0xd3, 0x2a, 0x27, 0x0c, 0xee, 0x9f, 0x80, 0x39, 0x88, 0x7b,
-+ 0x24, 0xde, 0x0c, 0x61, 0xa3, 0x44, 0xd8, 0x8d, 0x2e, 0x79, 0xf8, 0x1e, 0x04,
-+ 0x5a, 0xcb, 0xd6, 0x9c, 0xa3, 0x22, 0x8f, 0x09, 0x32, 0x1e, 0xe1, 0x65, 0x8f,
-+ 0x10, 0x5f, 0xd8, 0x52, 0x56, 0xd5, 0x77, 0xac, 0x58, 0x46, 0x60, 0xba, 0x2e,
-+ 0xe2, 0x3f, 0x58, 0x7d, 0x60, 0xfc, 0x31, 0x4a, 0x3a, 0xaf, 0x61, 0x55, 0x5f,
-+ 0xfb, 0x68, 0x14, 0x74, 0xda, 0xdc, 0x42, 0x78, 0xcc, 0xee, 0xff, 0x5c, 0x03,
-+ 0x24, 0x26, 0x2c, 0xb8, 0x3a, 0x81, 0xad, 0xdb, 0xe7, 0xed, 0xe1, 0x62, 0x84,
-+ 0x07, 0x1a, 0xc8, 0xa4, 0x4e, 0xb0, 0x87, 0xf7, 0x96, 0xd8, 0x33, 0x9b, 0x0d,
-+ 0xa7, 0x77, 0xae, 0x5b, 0xaf, 0xad, 0xe6, 0x5a, 0xc9, 0xfa, 0xa4, 0xe4, 0xe5,
-+ 0x57, 0xbb, 0x97, 0xdd, 0x92, 0x85, 0xd8, 0x03, 0x45, 0xfe, 0xd8, 0x6b, 0xb1,
-+ 0xdb, 0x85, 0x36, 0xb9, 0xd9, 0x28, 0xbf, 0x17, 0xae, 0x11, 0xde, 0x10, 0x19,
-+ 0x26, 0x5b, 0xc0, 0x3d, 0xc7
-+};
-+
-+//
-+// Second KEK: "Microsoft Corporation KEK CA 2011".
-+// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
-+//
-+// "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
-+//
-+STATIC CONST UINT8 MicrosoftKEK[] = {
-+ 0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
-+ 0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
-+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
-+ 0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
-+ 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
-+ 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
-+ 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
-+ 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
-+ 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
-+ 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
-+ 0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
-+ 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
-+ 0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
-+ 0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
-+ 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
-+ 0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32,
-+ 0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, 0x30,
-+ 0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-+ 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
-+ 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
-+ 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
-+ 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
-+ 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
-+ 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06,
-+ 0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
-+ 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
-+ 0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31,
-+ 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
-+ 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
-+ 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, 0xad,
-+ 0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, 0x5d,
-+ 0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, 0xeb,
-+ 0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, 0xe3,
-+ 0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, 0x9b,
-+ 0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, 0xac,
-+ 0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, 0xc8,
-+ 0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, 0xc0,
-+ 0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, 0xe2,
-+ 0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, 0x89,
-+ 0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, 0xc2,
-+ 0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, 0x03,
-+ 0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, 0x7e,
-+ 0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, 0xeb,
-+ 0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, 0x2f,
-+ 0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, 0xaa,
-+ 0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, 0x9f,
-+ 0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, 0xc6,
-+ 0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, 0xaf,
-+ 0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, 0x07,
-+ 0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, 0x30,
-+ 0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
-+ 0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,
-+ 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, 0xa4,
-+ 0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, 0x5f,
-+ 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02,
-+ 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
-+ 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01,
-+ 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
-+ 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
-+ 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, 0x11,
-+ 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, 0x30,
-+ 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, 0xa0,
-+ 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
-+ 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e,
-+ 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70,
-+ 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f,
-+ 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f,
-+ 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63,
-+ 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01,
-+ 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
-+ 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
-+ 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
-+ 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, 0x74,
-+ 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61,
-+ 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d,
-+ 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09,
-+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
-+ 0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, 0x2a,
-+ 0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, 0x66,
-+ 0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, 0x5a,
-+ 0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, 0x64,
-+ 0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, 0x58,
-+ 0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, 0xd0,
-+ 0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, 0xf5,
-+ 0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, 0xec,
-+ 0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, 0xd7,
-+ 0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, 0x28,
-+ 0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, 0x79,
-+ 0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, 0x7b,
-+ 0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, 0xd8,
-+ 0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, 0x19,
-+ 0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, 0x58,
-+ 0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, 0x0d,
-+ 0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, 0x2d,
-+ 0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, 0xc8,
-+ 0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, 0x60,
-+ 0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, 0xac,
-+ 0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, 0x87,
-+ 0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, 0xcd,
-+ 0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, 0x81,
-+ 0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, 0x92,
-+ 0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, 0xe0,
-+ 0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, 0xaf,
-+ 0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, 0xfb,
-+ 0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, 0x68,
-+ 0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, 0xad,
-+ 0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, 0x82,
-+ 0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, 0x14,
-+ 0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, 0x4f,
-+ 0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, 0x9b,
-+ 0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, 0xb0,
-+ 0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
-+ 0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
-+ 0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
-+ 0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
-+ 0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
-+ 0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
-+};
-+
-+//
-+// First DB entry: "Microsoft Windows Production PCA 2011"
-+// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
-+//
-+// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
-+// rooted in this certificate.
-+//
-+STATIC CONST UINT8 MicrosoftPCA[] = {
-+ 0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
-+ 0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
-+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
-+ 0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
-+ 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
-+ 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
-+ 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
-+ 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
-+ 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
-+ 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30,
-+ 0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f,
-+ 0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72,
-+ 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
-+ 0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17,
-+ 0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, 0x32,
-+ 0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, 0x31,
-+ 0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
-+ 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
-+ 0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f,
-+ 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52,
-+ 0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55,
-+ 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
-+ 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31,
-+ 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, 0x63,
-+ 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77,
-+ 0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20,
-+ 0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30,
-+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
-+ 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
-+ 0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, 0xf7,
-+ 0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, 0xcb,
-+ 0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, 0x8b,
-+ 0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, 0xe3,
-+ 0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, 0xc0,
-+ 0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, 0x74,
-+ 0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, 0x67,
-+ 0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, 0x53,
-+ 0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, 0x23,
-+ 0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, 0xa3,
-+ 0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, 0xff,
-+ 0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, 0xe2,
-+ 0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, 0x22,
-+ 0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, 0xf3,
-+ 0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, 0x2b,
-+ 0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, 0xbc,
-+ 0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, 0xd6,
-+ 0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, 0xe8,
-+ 0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, 0xa8,
-+ 0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, 0x03,
-+ 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, 0x10,
-+ 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
-+ 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
-+ 0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, 0xf9,
-+ 0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, 0x2b,
-+ 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00,
-+ 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03,
-+ 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03,
-+ 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
-+ 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
-+ 0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, 0x94,
-+ 0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, 0x1d,
-+ 0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, 0x45,
-+ 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69,
-+ 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
-+ 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63,
-+ 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41,
-+ 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33,
-+ 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
-+ 0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
-+ 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, 0x3a,
-+ 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
-+ 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65,
-+ 0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72,
-+ 0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32,
-+ 0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
-+ 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x14,
-+ 0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, 0xbc,
-+ 0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, 0xd0,
-+ 0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, 0x61,
-+ 0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, 0xda,
-+ 0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, 0x6a,
-+ 0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, 0xe2,
-+ 0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, 0xea,
-+ 0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, 0x30,
-+ 0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, 0x86,
-+ 0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, 0xc8,
-+ 0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, 0xae,
-+ 0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, 0xb8,
-+ 0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, 0xac,
-+ 0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, 0x84,
-+ 0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, 0x73,
-+ 0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, 0x73,
-+ 0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, 0x60,
-+ 0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, 0xb6,
-+ 0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, 0x2a,
-+ 0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, 0xba,
-+ 0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, 0xce,
-+ 0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, 0x0f,
-+ 0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, 0x6e,
-+ 0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, 0xd3,
-+ 0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, 0x45,
-+ 0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, 0xd0,
-+ 0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, 0x24,
-+ 0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, 0x2c,
-+ 0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, 0xdf,
-+ 0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, 0x6c,
-+ 0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, 0xf2,
-+ 0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, 0x5c,
-+ 0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, 0x47,
-+ 0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, 0x5a,
-+ 0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
-+ 0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
-+ 0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
-+ 0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
-+ 0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
-+ 0x62, 0x1c, 0x59, 0x7e
-+};
-+
-+//
-+// Second DB entry: "Microsoft Corporation UEFI CA 2011"
-+// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
-+//
-+// To verify the "shim" binary and PCI expansion ROMs with.
-+//
-+STATIC CONST UINT8 MicrosoftUefiCA[] = {
-+ 0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
-+ 0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
-+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
-+ 0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
-+ 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
-+ 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
-+ 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
-+ 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
-+ 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
-+ 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
-+ 0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
-+ 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
-+ 0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
-+ 0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
-+ 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
-+ 0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x32,
-+ 0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30,
-+ 0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-+ 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
-+ 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
-+ 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
-+ 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
-+ 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
-+ 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, 0x06,
-+ 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
-+ 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
-+ 0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31,
-+ 0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
-+ 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
-+ 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, 0xc7,
-+ 0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, 0x43,
-+ 0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, 0x73,
-+ 0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, 0xd3,
-+ 0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, 0x54,
-+ 0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, 0x5c,
-+ 0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, 0x4f,
-+ 0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, 0xae,
-+ 0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, 0x1d,
-+ 0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, 0xfa,
-+ 0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, 0xff,
-+ 0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, 0x7b,
-+ 0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, 0xe6,
-+ 0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, 0x62,
-+ 0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, 0x08,
-+ 0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, 0xe7,
-+ 0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, 0xb2,
-+ 0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, 0x7f,
-+ 0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, 0x8b,
-+ 0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, 0x6a,
-+ 0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x76,
-+ 0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01,
-+ 0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x23,
-+ 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, 0x16,
-+ 0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, 0x37,
-+ 0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, 0x03,
-+ 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, 0xbd,
-+ 0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, 0x1b,
-+ 0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14,
-+ 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43,
-+ 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
-+ 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
-+ 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
-+ 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58,
-+ 0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8,
-+ 0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51,
-+ 0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
-+ 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
-+ 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f,
-+ 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43,
-+ 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f,
-+ 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e,
-+ 0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
-+ 0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01,
-+ 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
-+ 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
-+ 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72,
-+ 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50,
-+ 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30,
-+ 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06,
-+ 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
-+ 0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, 0x76,
-+ 0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, 0xef,
-+ 0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, 0x13,
-+ 0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, 0x82,
-+ 0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, 0x1a,
-+ 0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, 0x20,
-+ 0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, 0x90,
-+ 0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, 0x52,
-+ 0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, 0x6d,
-+ 0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, 0xaf,
-+ 0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, 0x49,
-+ 0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, 0x34,
-+ 0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, 0x75,
-+ 0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, 0xb9,
-+ 0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, 0x8f,
-+ 0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, 0x8c,
-+ 0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, 0x56,
-+ 0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, 0xae,
-+ 0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, 0x4a,
-+ 0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, 0x3c,
-+ 0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, 0x59,
-+ 0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, 0x3d,
-+ 0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, 0x53,
-+ 0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, 0x1b,
-+ 0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, 0x98,
-+ 0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, 0x85,
-+ 0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, 0xd2,
-+ 0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, 0xe2,
-+ 0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, 0x6c,
-+ 0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, 0x3b,
-+ 0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, 0x27,
-+ 0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, 0xa6,
-+ 0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, 0x3f,
-+ 0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, 0x55,
-+ 0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
-+ 0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
-+ 0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
-+ 0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
-+ 0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
-+ 0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
-+};
-+
-+//
-+// The most important thing about the variable payload is that it is a list of
-+// lists, where the element size of any given *inner* list is constant.
-+//
-+// Since X509 certificates vary in size, each of our *inner* lists will contain
-+// one element only (one X.509 certificate). This is explicitly mentioned in
-+// the UEFI specification, in "28.4.1 Signature Database", in a Note.
-+//
-+// The list structure looks as follows:
-+//
-+// struct EFI_VARIABLE_AUTHENTICATION_2 { |
-+// struct EFI_TIME { |
-+// UINT16 Year; |
-+// UINT8 Month; |
-+// UINT8 Day; |
-+// UINT8 Hour; |
-+// UINT8 Minute; |
-+// UINT8 Second; |
-+// UINT8 Pad1; |
-+// UINT32 Nanosecond; |
-+// INT16 TimeZone; |
-+// UINT8 Daylight; |
-+// UINT8 Pad2; |
-+// } TimeStamp; |
-+// |
-+// struct WIN_CERTIFICATE_UEFI_GUID { | |
-+// struct WIN_CERTIFICATE { | |
-+// UINT32 dwLength; ----------------------------------------+ |
-+// UINT16 wRevision; | |
-+// UINT16 wCertificateType; | |
-+// } Hdr; | +- DataSize
-+// | |
-+// EFI_GUID CertType; | |
-+// UINT8 CertData[1] = { <--- "struct hack" | |
-+// struct EFI_SIGNATURE_LIST { | | |
-+// EFI_GUID SignatureType; | | |
-+// UINT32 SignatureListSize; -------------------------+ | |
-+// UINT32 SignatureHeaderSize; | | |
-+// UINT32 SignatureSize; ---------------------------+ | | |
-+// UINT8 SignatureHeader[SignatureHeaderSize]; | | | |
-+// v | | |
-+// struct EFI_SIGNATURE_DATA { | | | |
-+// EFI_GUID SignatureOwner; | | | |
-+// UINT8 SignatureData[1] = { <--- "struct hack" | | | |
-+// X.509 payload | | | |
-+// } | | | |
-+// } Signatures[]; | | |
-+// } SigLists[]; | |
-+// }; | |
-+// } AuthInfo; | |
-+// }; |
-+//
-+// Given that the "struct hack" invokes undefined behavior (which is why C99
-+// introduced the flexible array member), and because subtracting those pesky
-+// sizes of 1 is annoying, and because the format is fully specified in the
-+// UEFI specification, we'll introduce two matching convenience structures that
-+// are customized for our X.509 purposes.
-+//
-+#pragma pack(1)
-+typedef struct {
-+ EFI_TIME TimeStamp;
-+
-+ //
-+ // dwLength covers data below
-+ //
-+ UINT32 dwLength;
-+ UINT16 wRevision;
-+ UINT16 wCertificateType;
-+ EFI_GUID CertType;
-+} SINGLE_HEADER;
-+
-+typedef struct {
-+ //
-+ // SignatureListSize covers data below
-+ //
-+ EFI_GUID SignatureType;
-+ UINT32 SignatureListSize;
-+ UINT32 SignatureHeaderSize; // constant 0
-+ UINT32 SignatureSize;
-+
-+ //
-+ // SignatureSize covers data below
-+ //
-+ EFI_GUID SignatureOwner;
-+
-+ //
-+ // X.509 certificate follows
-+ //
-+} REPEATING_HEADER;
-+#pragma pack()
-+
-+/**
-+ Enroll a set of DER-formatted X.509 certificates in a global variable,
-+ overwriting it.
-+
-+ The variable will be rewritten with NV+BS+RT+AT attributes.
-+
-+ @param[in] VariableName The name of the variable to overwrite.
-+
-+ @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable to
-+ overwrite.
-+
-+ @param[in] ... A list of
-+
-+ IN CONST UINT8 *Cert,
-+ IN UINTN CertSize,
-+ IN CONST EFI_GUID *OwnerGuid
-+
-+ triplets. If the first component of a triplet is
-+ NULL, then the other two components are not
-+ accessed, and processing is terminated. The list of
-+ X.509 certificates is enrolled in the variable
-+ specified, overwriting it. The OwnerGuid component
-+ identifies the agent installing the certificate.
-+
-+ @retval EFI_INVALID_PARAMETER The triplet list is empty (ie. the first Cert
-+ value is NULL), or one of the CertSize values
-+ is 0, or one of the CertSize values would
-+ overflow the accumulated UINT32 data size.
-+
-+ @retval EFI_OUT_OF_RESOURCES Out of memory while formatting variable
-+ payload.
-+
-+ @retval EFI_SUCCESS Enrollment successful; the variable has been
-+ overwritten (or created).
-+
-+ @return Error codes from gRT->GetTime() and
-+ gRT->SetVariable().
-+**/
-+STATIC
-+EFI_STATUS
-+EFIAPI
-+EnrollListOfX509Certs (
-+ IN CHAR16 *VariableName,
-+ IN EFI_GUID *VendorGuid,
-+ ...
-+ )
-+{
-+ UINTN DataSize;
-+ SINGLE_HEADER *SingleHeader;
-+ REPEATING_HEADER *RepeatingHeader;
-+ VA_LIST Marker;
-+ CONST UINT8 *Cert;
-+ EFI_STATUS Status = EFI_SUCCESS;
-+ UINT8 *Data;
-+ UINT8 *Position;
-+
-+ //
-+ // compute total size first, for UINT32 range check, and allocation
-+ //
-+ DataSize = sizeof *SingleHeader;
-+ VA_START (Marker, VendorGuid);
-+ for (Cert = VA_ARG (Marker, CONST UINT8 *);
-+ Cert != NULL;
-+ Cert = VA_ARG (Marker, CONST UINT8 *)) {
-+ UINTN CertSize;
-+
-+ CertSize = VA_ARG (Marker, UINTN);
-+ (VOID)VA_ARG (Marker, CONST EFI_GUID *);
-+
-+ if (CertSize == 0 ||
-+ CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||
-+ DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {
-+ Status = EFI_INVALID_PARAMETER;
-+ break;
-+ }
-+ DataSize += sizeof *RepeatingHeader + CertSize;
-+ }
-+ VA_END (Marker);
-+
-+ if (DataSize == sizeof *SingleHeader) {
-+ Status = EFI_INVALID_PARAMETER;
-+ }
-+ if (EFI_ERROR (Status)) {
-+ goto Out;
-+ }
-+
-+ Data = AllocatePool (DataSize);
-+ if (Data == NULL) {
-+ Status = EFI_OUT_OF_RESOURCES;
-+ goto Out;
-+ }
-+
-+ Position = Data;
-+
-+ SingleHeader = (SINGLE_HEADER *)Position;
-+ Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);
-+ if (EFI_ERROR (Status)) {
-+ goto FreeData;
-+ }
-+ SingleHeader->TimeStamp.Pad1 = 0;
-+ SingleHeader->TimeStamp.Nanosecond = 0;
-+ SingleHeader->TimeStamp.TimeZone = 0;
-+ SingleHeader->TimeStamp.Daylight = 0;
-+ SingleHeader->TimeStamp.Pad2 = 0;
-+#if 0
-+ SingleHeader->dwLength = DataSize - sizeof SingleHeader->TimeStamp;
-+#else
-+ //
-+ // This looks like a bug in edk2. According to the UEFI specification,
-+ // dwLength is "The length of the entire certificate, including the length of
-+ // the header, in bytes". That shouldn't stop right after CertType -- it
-+ // should include everything below it.
-+ //
-+ SingleHeader->dwLength = sizeof *SingleHeader
-+ - sizeof SingleHeader->TimeStamp;
-+#endif
-+ SingleHeader->wRevision = 0x0200;
-+ SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;
-+ CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);
-+ Position += sizeof *SingleHeader;
-+
-+ VA_START (Marker, VendorGuid);
-+ for (Cert = VA_ARG (Marker, CONST UINT8 *);
-+ Cert != NULL;
-+ Cert = VA_ARG (Marker, CONST UINT8 *)) {
-+ UINTN CertSize;
-+ CONST EFI_GUID *OwnerGuid;
-+
-+ CertSize = VA_ARG (Marker, UINTN);
-+ OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
-+
-+ RepeatingHeader = (REPEATING_HEADER *)Position;
-+ CopyGuid (&RepeatingHeader->SignatureType, &gEfiCertX509Guid);
-+ RepeatingHeader->SignatureListSize = sizeof *RepeatingHeader + CertSize;
-+ RepeatingHeader->SignatureHeaderSize = 0;
-+ RepeatingHeader->SignatureSize =
-+ sizeof RepeatingHeader->SignatureOwner + CertSize;
-+ CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);
-+ Position += sizeof *RepeatingHeader;
-+
-+ CopyMem (Position, Cert, CertSize);
-+ Position += CertSize;
-+ }
-+ VA_END (Marker);
-+
-+ ASSERT (Data + DataSize == Position);
-+
-+ Status = gRT->SetVariable (VariableName, VendorGuid,
-+ (EFI_VARIABLE_NON_VOLATILE |
-+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
-+ EFI_VARIABLE_RUNTIME_ACCESS |
-+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
-+ DataSize, Data);
-+
-+FreeData:
-+ FreePool (Data);
-+
-+Out:
-+ if (EFI_ERROR (Status)) {
-+ AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
-+ VendorGuid, Status);
-+ }
-+ return Status;
-+}
-+
-+
-+STATIC
-+EFI_STATUS
-+EFIAPI
-+GetExact (
-+ IN CHAR16 *VariableName,
-+ IN EFI_GUID *VendorGuid,
-+ OUT VOID *Data,
-+ IN UINTN DataSize,
-+ IN BOOLEAN AllowMissing
-+ )
-+{
-+ UINTN Size;
-+ EFI_STATUS Status;
-+
-+ Size = DataSize;
-+ Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);
-+ if (EFI_ERROR (Status)) {
-+ if (Status == EFI_NOT_FOUND && AllowMissing) {
-+ ZeroMem (Data, DataSize);
-+ return EFI_SUCCESS;
-+ }
-+
-+ AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,
-+ VendorGuid, Status);
-+ return Status;
-+ }
-+
-+ if (Size != DataSize) {
-+ AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
-+ "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
-+ return EFI_PROTOCOL_ERROR;
-+ }
-+
-+ return EFI_SUCCESS;
-+}
-+
-+typedef struct {
-+ UINT8 SetupMode;
-+ UINT8 SecureBoot;
-+ UINT8 SecureBootEnable;
-+ UINT8 CustomMode;
-+ UINT8 VendorKeys;
-+} SETTINGS;
-+
-+STATIC
-+EFI_STATUS
-+EFIAPI
-+GetSettings (
-+ OUT SETTINGS *Settings
-+ )
-+{
-+ EFI_STATUS Status;
-+
-+ Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
-+ &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
-+ if (EFI_ERROR (Status)) {
-+ return Status;
-+ }
-+
-+ Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,
-+ &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);
-+ if (EFI_ERROR (Status)) {
-+ return Status;
-+ }
-+
-+ Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,
-+ &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,
-+ sizeof Settings->SecureBootEnable, TRUE);
-+ if (EFI_ERROR (Status)) {
-+ return Status;
-+ }
-+
-+ Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
-+ &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);
-+ if (EFI_ERROR (Status)) {
-+ return Status;
-+ }
-+
-+ Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
-+ &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
-+ return Status;
-+}
-+
-+STATIC
-+VOID
-+EFIAPI
-+PrintSettings (
-+ IN CONST SETTINGS *Settings
-+ )
-+{
-+ AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
-+ "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
-+ Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
-+}
-+
-+
-+INTN
-+EFIAPI
-+ShellAppMain (
-+ IN UINTN Argc,
-+ IN CHAR16 **Argv
-+ )
-+{
-+ EFI_STATUS Status;
-+ SETTINGS Settings;
-+
-+ Status = GetSettings (&Settings);
-+ if (EFI_ERROR (Status)) {
-+ return 1;
-+ }
-+ PrintSettings (&Settings);
-+
-+ if (Settings.SetupMode != 1) {
-+ AsciiPrint ("error: already in User Mode\n");
-+ return 1;
-+ }
-+
-+ if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
-+ Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
-+ Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
-+ (EFI_VARIABLE_NON_VOLATILE |
-+ EFI_VARIABLE_BOOTSERVICE_ACCESS),
-+ sizeof Settings.CustomMode, &Settings.CustomMode);
-+ if (EFI_ERROR (Status)) {
-+ AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
-+ &gEfiCustomModeEnableGuid, Status);
-+ return 1;
-+ }
-+ }
-+
-+ Status = EnrollListOfX509Certs (
-+ EFI_IMAGE_SECURITY_DATABASE,
-+ &gEfiImageSecurityDatabaseGuid,
-+ MicrosoftPCA, sizeof MicrosoftPCA, &gEfiCallerIdGuid,
-+ MicrosoftUefiCA, sizeof MicrosoftUefiCA, &gEfiCallerIdGuid,
-+ NULL);
-+ if (EFI_ERROR (Status)) {
-+ return 1;
-+ }
-+
-+ Status = EnrollListOfX509Certs (
-+ EFI_KEY_EXCHANGE_KEY_NAME,
-+ &gEfiGlobalVariableGuid,
-+ ExampleCert, sizeof ExampleCert, &gEfiCallerIdGuid,
-+ MicrosoftKEK, sizeof MicrosoftKEK, &gEfiCallerIdGuid,
-+ NULL);
-+ if (EFI_ERROR (Status)) {
-+ return 1;
-+ }
-+
-+ Status = EnrollListOfX509Certs (
-+ EFI_PLATFORM_KEY_NAME,
-+ &gEfiGlobalVariableGuid,
-+ ExampleCert, sizeof ExampleCert, &gEfiGlobalVariableGuid,
-+ NULL);
-+ if (EFI_ERROR (Status)) {
-+ return 1;
-+ }
-+
-+ Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
-+ Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
-+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
-+ sizeof Settings.CustomMode, &Settings.CustomMode);
-+ if (EFI_ERROR (Status)) {
-+ AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
-+ &gEfiCustomModeEnableGuid, Status);
-+ return 1;
-+ }
-+
-+ Status = GetSettings (&Settings);
-+ if (EFI_ERROR (Status)) {
-+ return 1;
-+ }
-+ PrintSettings (&Settings);
-+
-+ if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
-+ Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
-+ Settings.VendorKeys != 0) {
-+ AsciiPrint ("error: unexpected\n");
-+ return 1;
-+ }
-+
-+ AsciiPrint ("info: success\n");
-+ return 0;
-+}
-diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
-new file mode 100644
-index 0000000..ac919bb
---- /dev/null
-+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
-@@ -0,0 +1,51 @@
-+## @file
-+# Enroll default PK, KEK, DB.
-+#
-+# Copyright (C) 2014, Red Hat, Inc.
-+#
-+# This program and the accompanying materials are licensed and made available
-+# under the terms and conditions of the BSD License which accompanies this
-+# distribution. The full text of the license may be found at
-+# http://opensource.org/licenses/bsd-license.
-+#
-+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
-+# IMPLIED.
-+##
-+
-+[Defines]
-+ INF_VERSION = 0x00010006
-+ BASE_NAME = EnrollDefaultKeys
-+ FILE_GUID = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
-+ MODULE_TYPE = UEFI_APPLICATION
-+ VERSION_STRING = 0.1
-+ ENTRY_POINT = ShellCEntryLib
-+
-+#
-+# VALID_ARCHITECTURES = IA32 X64
-+#
-+
-+[Sources]
-+ EnrollDefaultKeys.c
-+
-+[Packages]
-+ MdePkg/MdePkg.dec
-+ MdeModulePkg/MdeModulePkg.dec
-+ SecurityPkg/SecurityPkg.dec
-+ ShellPkg/ShellPkg.dec
-+
-+[Guids]
-+ gEfiCertPkcs7Guid
-+ gEfiCertX509Guid
-+ gEfiCustomModeEnableGuid
-+ gEfiGlobalVariableGuid
-+ gEfiImageSecurityDatabaseGuid
-+ gEfiSecureBootEnableDisableGuid
-+
-+[LibraryClasses]
-+ BaseMemoryLib
-+ DebugLib
-+ MemoryAllocationLib
-+ ShellCEntryLib
-+ UefiLib
-+ UefiRuntimeServicesTableLib
-diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
-index fa9661c..e2e6ba3 100644
---- a/OvmfPkg/OvmfPkgIa32.dsc
-+++ b/OvmfPkg/OvmfPkgIa32.dsc
-@@ -764,6 +764,10 @@
-
- !if $(SECURE_BOOT_ENABLE) == TRUE
- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
-+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
-+ <LibraryClasses>
-+ ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
-+ }
- !endif
-
- OvmfPkg/PlatformDxe/Platform.inf
-diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
-index 667584a..a0ae1aa 100644
---- a/OvmfPkg/OvmfPkgIa32X64.dsc
-+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
-@@ -773,6 +773,10 @@
-
- !if $(SECURE_BOOT_ENABLE) == TRUE
- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
-+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
-+ <LibraryClasses>
-+ ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
-+ }
- !endif
-
- OvmfPkg/PlatformDxe/Platform.inf
-diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
-index 5ae8469..87cee52 100644
---- a/OvmfPkg/OvmfPkgX64.dsc
-+++ b/OvmfPkg/OvmfPkgX64.dsc
-@@ -771,6 +771,10 @@
-
- !if $(SECURE_BOOT_ENABLE) == TRUE
- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
-+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
-+ <LibraryClasses>
-+ ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
-+ }
- !endif
-
- OvmfPkg/PlatformDxe/Platform.inf
diff --git a/meta/recipes-core/ovmf/ovmf/no-stack-protector-all-archs.patch b/meta/recipes-core/ovmf/ovmf/no-stack-protector-all-archs.patch
index 25e5b58e70..1b65348e84 100644
--- a/meta/recipes-core/ovmf/ovmf/no-stack-protector-all-archs.patch
+++ b/meta/recipes-core/ovmf/ovmf/no-stack-protector-all-archs.patch
@@ -9,12 +9,26 @@ Index: git/BaseTools/Conf/tools_def.template
===================================================================
--- git.orig/BaseTools/Conf/tools_def.template
+++ git/BaseTools/Conf/tools_def.template
-@@ -4368,7 +4368,7 @@ DEFINE GCC_IPF_RC_FLAGS = -I
+@@ -1736,10 +1736,10 @@ DEFINE GCC_X64_RC_FLAGS = -I binary -O elf64-x86-64 -B i386
DEFINE GCC_ARM_RC_FLAGS = -I binary -O elf32-littlearm -B arm --rename-section .data=.hii
DEFINE GCC_AARCH64_RC_FLAGS = -I binary -O elf64-littleaarch64 -B aarch64 --rename-section .data=.hii
--DEFINE GCC44_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
-+DEFINE GCC44_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -fno-stack-protector -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
- DEFINE GCC44_IA32_CC_FLAGS = DEF(GCC44_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -fno-PIE -no-pie
- DEFINE GCC44_X64_CC_FLAGS = DEF(GCC44_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables
- DEFINE GCC44_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20 -no-pie
+-DEFINE GCC48_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
++DEFINE GCC48_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -fno-stack-protector -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
+ DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20
+-DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -Wno-address
+-DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address
++DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -D EFI32 -fno-asynchronous-unwind-tables -Wno-address
++DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m64 "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address
+ DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable
+ DEFINE GCC48_IA32_X64_DLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive
+ DEFINE GCC48_IA32_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON)
+@@ -1748,7 +1748,7 @@ DEFINE GCC48_X64_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x228 DEF
+ DEFINE GCC48_ASM_FLAGS = DEF(GCC_ASM_FLAGS)
+ DEFINE GCC48_ARM_ASM_FLAGS = $(ARCHASM_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian
+ DEFINE GCC48_AARCH64_ASM_FLAGS = $(ARCHASM_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian
+-DEFINE GCC48_ARM_CC_FLAGS = $(ARCHCC_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ARM_CC_FLAGS) -fstack-protector -mword-relocations
++DEFINE GCC48_ARM_CC_FLAGS = $(ARCHCC_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ARM_CC_FLAGS) -mword-relocations
+ DEFINE GCC48_ARM_CC_XIPFLAGS = DEF(GCC_ARM_CC_XIPFLAGS)
+ DEFINE GCC48_AARCH64_CC_FLAGS = $(ARCHCC_FLAGS) $(PLATFORM_FLAGS) -mcmodel=large DEF(GCC_AARCH64_CC_FLAGS)
+ DEFINE GCC48_AARCH64_CC_XIPFLAGS = DEF(GCC_AARCH64_CC_XIPFLAGS)
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 71828d8d8d..11793f0d1a 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -4,7 +4,7 @@ Virtual Machines. OVMF contains sample UEFI firmware for QEMU and KVM"
HOMEPAGE = "https://github.com/tianocore/tianocore.github.io/wiki/OVMF"
LICENSE = "BSD"
LICENSE_class-target = "${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'BSD & OpenSSL', 'BSD', d)}"
-LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496"
+LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=06357ddc23f46577c2aeaeaf7b776d65"
# Enabling Secure Boot adds a dependency on OpenSSL and implies
# compiling OVMF twice, so it is disabled by default. Distros
@@ -12,30 +12,15 @@ LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3
PACKAGECONFIG ??= ""
PACKAGECONFIG[secureboot] = ",,,"
-SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
- file://0001-ia32-Dont-use-pie.patch \
+SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=git \
file://0002-ovmf-update-path-to-native-BaseTools.patch \
file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
file://0004-ovmf-enable-long-path-file.patch \
- file://VfrCompile-increase-path-length-limit.patch \
file://no-stack-protector-all-archs.patch \
- file://0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch \
- file://0002-BaseTools-header.makefile-add-Wno-restrict.patch \
- file://0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch \
- file://0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch \
"
UPSTREAM_VERSION_UNKNOWN = "1"
-OPENSSL_RELEASE = "openssl-1.1.0e"
-
-SRC_URI_append_class-target = " \
- ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'http://www.openssl.org/source/${OPENSSL_RELEASE}.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib', '', d)} \
- file://0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch \
-"
-
-SRCREV="ec4910cd3336565fdb61dafdd9ec4ae7a6160ba3"
-SRC_URI[openssl.md5sum] = "51c42d152122e474754aea96f66928c6"
-SRC_URI[openssl.sha256sum] = "57be8618979d80c910728cfc99369bf97b2a1abd8f366ab6ebdee8975ad3874c"
+SRCREV="20d2e5a125e34fc8501026613a71549b2a1a3e54"
inherit deploy
@@ -44,7 +29,7 @@ PARALLEL_MAKE = ""
S = "${WORKDIR}/git"
DEPENDS_class-native="util-linux-native iasl-native"
-DEPENDS_class-target="ovmf-native"
+DEPENDS_class-target="ovmf-native bc-native"
DEPENDS_append = " nasm-native"
@@ -191,12 +176,9 @@ do_compile_class-target() {
ln ${build_dir}/${OVMF_ARCH}/Shell.efi ${WORKDIR}/ovmf/
if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
- # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and
- # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for
- # building with Secure Boot enabled.
+ # Repeat build with the Secure Boot flags.
bbnote "Building with Secure Boot."
rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
- ln -sf ${OPENSSL_RELEASE} ${S}/CryptoPkg/Library/OpensslLib/openssl
${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.secboot.fd
ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.secboot.code.fd
--
2.20.1
^ permalink raw reply related [flat|nested] 10+ messages in thread