* [PATCH 0/5] ovmf: Bump to edk2-stable201905 and add improvements
@ 2019-08-07 1:44 Ricardo Neri
2019-08-07 1:44 ` [PATCH 1/5] ovmf: Update to version edk2-stable201905 Ricardo Neri
` (6 more replies)
0 siblings, 7 replies; 10+ messages in thread
From: Ricardo Neri @ 2019-08-07 1:44 UTC (permalink / raw)
To: openembedded-core
Hi,
Fixes [YOCTO #13438]
I have implemented this patchset to bump the OVMF recipe to the latest
stable release of OVMF: edk2-stable201905. I continued Ross Burton's
initial work to update the recipe [1].
The majority of the patches we were carrying with the recipe have been
taken upstream in EDK2 and I have removed them. Plus, EDK2 now adds
openssl as a git submodule and not a patching script. Thus, I removed
support for this script and switched to the gitsm bitbake fetcher.
Also, now the EnrollDefaultKeys EFI application requires a separate
Platform Key and first Key Exchange Key certificate instead of an
hard-coded certificate embedded in the application. The hypervisor shall
pass this certificated to EnrollDefaultKeys via the Type 11 SMBus table.
I have updated the ovmf recipe to create the needed certificate and
also updated runqemu to provide such certificate when using an OVMF
binary with support for Secure Boot.
Lastly, I defined the recipe's PV and took Ross' change to use python3
from HOSTTOOLS.
Thanks and BR,
Ricardo
[1]. http://git.yoctoproject.org/cgit.cgi/poky-contrib/commit/?h=ross/nopy2&id=f95649176b7916116251a092a82618dd08ff1961
Ricardo Neri (5):
ovmf: Update to version edk2-stable201905
ovmf: Set PV
ovmf: use HOSTTOOLS' python3
ovmf: Generate test Platform key and first Key Exchange Key
runqemu: Add support to handle EnrollDefaultKeys PK/KEK1 certificate
....makefile-add-Wno-stringop-truncatio.patch | 71 --
.../ovmf/ovmf/0001-ia32-Dont-use-pie.patch | 46 -
...ols-header.makefile-add-Wno-restrict.patch | 102 --
....makefile-revert-gcc-8-Wno-xxx-optio.patch | 53 -
...ile-adjust-to-build-in-under-bitbake.patch | 33 +-
...-silence-false-stringop-overflow-war.patch | 66 -
...faultKeys-application-for-enrolling-.patch | 1124 -----------------
.../ovmf/no-stack-protector-all-archs.patch | 26 +-
meta/recipes-core/ovmf/ovmf_git.bb | 40 +-
scripts/runqemu | 32 +
10 files changed, 90 insertions(+), 1503 deletions(-)
delete mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0001-ia32-Dont-use-pie.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
--
2.20.1
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH 1/5] ovmf: Update to version edk2-stable201905
2019-08-07 1:44 [PATCH 0/5] ovmf: Bump to edk2-stable201905 and add improvements Ricardo Neri
@ 2019-08-07 1:44 ` Ricardo Neri
2019-08-07 1:44 ` [PATCH 2/5] ovmf: Set PV Ricardo Neri
` (5 subsequent siblings)
6 siblings, 0 replies; 10+ messages in thread
From: Ricardo Neri @ 2019-08-07 1:44 UTC (permalink / raw)
To: openembedded-core
Fixes [YOCTO #13438]
Update OVMF to edk2-stable201905. Since the last update, several things
have changed. Many of the patches we were carrying have now been taken
upstream in EDK2 or become obsolete. See below for details.
Also, as of commit 0c1ffb9504c3("CryptoPkg: Adding OpenSSL as one
submodule of EDKII repo"), openssl is not embedded into EDK2 using a
patching script but a git submodule. Then, use the gitsm bitbabke fetcher
and drop the extra SRC_URI from openssl when building with secureboot
enabled. Also remove all related variables.
Patches are updated as follows:
Drop 0001-ia32-Dont-use-pie.patch as it is implemented in upstream EDK2
in commits are 11d0cd23dd1b ("BaseTools/tools_def IA32: drop -no-pie linker
option for GCC49" and c25d3905523a ("BaseTools/tools_def IA32: disable PIE
code generation explicitly") for the applicable GCC versions.
Rebase 0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
to edk2-stable201905.
Drop VfrCompile-increase-path-length-limit.patch as it has been taken
upstream in EDK2 in commit ba78032bc8c9f("BaseTools/VfrCompile: Remove the
MAX_PATH limitation")
Rebase no-stack-protector-all-archs.patch to keep behavior on not using
stack protector on all archs.
Drop 0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch,
0002-BaseTools-header.makefile-add-Wno-restrict.patch, and
0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch. These
patches have been taken in upstream EDK2 in commits 9222154ae7b3("BaseTools
/header.makefile: add "-Wno-restrict"), 1d212a83df0e("BaseTools/
header.makefile: add "-Wno-stringop-truncation"), and 777f4aa083e9
("BaseTools/header.makefile: revert gcc-8 '-Wno-xxx' options on OSX"),
respectively.
Also, drop 0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch.
GenVtf has been removed from EDK2 in commit 64ab2c82e8f6("BaseTools:
Remove GenVtf"). Also, this patch had been taken in EDK2 upstream in
commit 9de306701312("BaseTools/GenVtf: silence false 'stringop-overflow'
warning with memcpy()").
Drop patch 0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
as it also has been taken by EDK2.
Patches 0002-ovmf-update-path-to-native-BaseTools.patch and
0004-ovmf-enable-long-path-file.patch did not need any update.
Lastly, add a needed dependency on bc.
Cc: Ross Burton <ross.burton@intel.com>
Cc: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
---
This is a rather large changeset with several changes in it. I implemented
in this manner (as opposed to a collection of smaller changes) to avoid
build breaks in intermediate commits in git bisections.
If needed, I can reimplement in several commits that makes sense
logically.
Also, I am not sure how maintainers will apply this patch. If
using git am, the --keep-cr should be used to accommodate the line
endings used in EDK2.
---
....makefile-add-Wno-stringop-truncatio.patch | 71 --
.../ovmf/ovmf/0001-ia32-Dont-use-pie.patch | 46 -
| 102 --
....makefile-revert-gcc-8-Wno-xxx-optio.patch | 53 -
...ile-adjust-to-build-in-under-bitbake.patch | 33 +-
...-silence-false-stringop-overflow-war.patch | 66 -
...faultKeys-application-for-enrolling-.patch | 1124 -----------------
.../ovmf/no-stack-protector-all-archs.patch | 26 +-
meta/recipes-core/ovmf/ovmf_git.bb | 28 +-
9 files changed, 47 insertions(+), 1502 deletions(-)
delete mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0001-ia32-Dont-use-pie.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
diff --git a/meta/recipes-core/ovmf/ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch b/meta/recipes-core/ovmf/ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch
deleted file mode 100644
index 342fcc6231..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 9fce4bab014b9aa618060eba13d6dd04b0fa1b70 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek <lersek@redhat.com>
-Date: Fri, 2 Mar 2018 17:11:52 +0100
-Subject: [PATCH 1/4] BaseTools/header.makefile: add "-Wno-stringop-truncation"
-
-gcc-8 (which is part of Fedora 28) enables the new warning
-"-Wstringop-truncation" in "-Wall". This warning is documented in detail
-at <https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html>; the
-introduction says
-
-> Warn for calls to bounded string manipulation functions such as strncat,
-> strncpy, and stpncpy that may either truncate the copied string or leave
-> the destination unchanged.
-
-It breaks the BaseTools build with:
-
-> EfiUtilityMsgs.c: In function 'PrintMessage':
-> EfiUtilityMsgs.c:484:9: error: 'strncat' output may be truncated copying
-> between 0 and 511 bytes from a string of length 511
-> [-Werror=stringop-truncation]
-> strncat (Line, Line2, MAX_LINE_LEN - strlen (Line) - 1);
-> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-> EfiUtilityMsgs.c:469:9: error: 'strncat' output may be truncated copying
-> between 0 and 511 bytes from a string of length 511
-> [-Werror=stringop-truncation]
-> strncat (Line, Line2, MAX_LINE_LEN - strlen (Line) - 1);
-> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-> EfiUtilityMsgs.c:511:5: error: 'strncat' output may be truncated copying
-> between 0 and 511 bytes from a string of length 511
-> [-Werror=stringop-truncation]
-> strncat (Line, Line2, MAX_LINE_LEN - strlen (Line) - 1);
-> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The right way to fix the warning would be to implement string concat with
-snprintf(). However, Microsoft does not appear to support snprintf()
-before VS2015
-<https://stackoverflow.com/questions/2915672/snprintf-and-visual-studio-2010>,
-so we just have to shut up the warning. The strncat() calls flagged above
-are valid BTW.
-
-Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Cc: Cole Robinson <crobinso@redhat.com>
-Cc: Liming Gao <liming.gao@intel.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Yonghong Zhu <yonghong.zhu@intel.com>
-Contributed-under: TianoCore Contribution Agreement 1.1
-Signed-off-by: Laszlo Ersek <lersek@redhat.com>
-Reviewed-by: Liming Gao <liming.gao@intel.com>
----
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Upstream-Status: Backport
-
- BaseTools/Source/C/Makefiles/header.makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-Index: git/BaseTools/Source/C/Makefiles/header.makefile
-===================================================================
---- git.orig/BaseTools/Source/C/Makefiles/header.makefile
-+++ git/BaseTools/Source/C/Makefiles/header.makefile
-@@ -47,9 +47,9 @@ INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT)
- BUILD_CPPFLAGS += $(INCLUDE) -O2
- ifeq ($(DARWIN),Darwin)
- # assume clang or clang compatible flags on OS X
--BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g
-+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-self-assign -Wno-unused-result -nostdlib -c -g
- else
--BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-unused-result -nostdlib -c -g
-+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-unused-result -nostdlib -c -g
- endif
- BUILD_LFLAGS = $(LDFLAGS)
- BUILD_CXXFLAGS += -Wno-unused-result
diff --git a/meta/recipes-core/ovmf/ovmf/0001-ia32-Dont-use-pie.patch b/meta/recipes-core/ovmf/ovmf/0001-ia32-Dont-use-pie.patch
deleted file mode 100644
index 5bb418b954..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0001-ia32-Dont-use-pie.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From f65e9cc025278387b494c2383c5d9ff3bed98687 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Sun, 11 Jun 2017 00:47:24 -0700
-Subject: [PATCH] ia32: Dont use -pie
-
-Upstream-Status: Pending
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- BaseTools/Conf/tools_def.template | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-Index: git/BaseTools/Conf/tools_def.template
-===================================================================
---- git.orig/BaseTools/Conf/tools_def.template
-+++ git/BaseTools/Conf/tools_def.template
-@@ -4336,7 +4336,7 @@ RELEASE_*_*_OBJCOPY_ADDDEBUGFLAG =
- NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG = --add-gnu-debuglink=$(DEBUG_DIR)/$(MODULE_NAME).debug
-
- DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -include AutoGen.h -fno-common
--DEFINE GCC_IA32_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -m32 -malign-double -freorder-blocks -freorder-blocks-and-partition -O2 -mno-stack-arg-probe
-+DEFINE GCC_IA32_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -m32 -malign-double -freorder-blocks -freorder-blocks-and-partition -O2 -mno-stack-arg-probe -fno-PIE -no-pie
- DEFINE GCC_X64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mno-red-zone -Wno-address -mno-stack-arg-probe
- DEFINE GCC_IPF_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -minline-int-divide-min-latency
- DEFINE GCC_ARM_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -mfloat-abi=soft -fno-pic -fno-pie
-@@ -4369,9 +4369,9 @@ DEFINE GCC_ARM_RC_FLAGS = -I
- DEFINE GCC_AARCH64_RC_FLAGS = -I binary -O elf64-littleaarch64 -B aarch64 --rename-section .data=.hii
-
- DEFINE GCC44_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
--DEFINE GCC44_IA32_CC_FLAGS = DEF(GCC44_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables
-+DEFINE GCC44_IA32_CC_FLAGS = DEF(GCC44_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -fno-PIE -no-pie
- DEFINE GCC44_X64_CC_FLAGS = DEF(GCC44_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables
--DEFINE GCC44_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20
-+DEFINE GCC44_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20 -no-pie
- DEFINE GCC44_IA32_X64_ASLDLINK_FLAGS = DEF(GCC44_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable
- DEFINE GCC44_IA32_X64_DLINK_FLAGS = DEF(GCC44_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map
- DEFINE GCC44_IA32_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON)
-@@ -4451,7 +4451,7 @@ DEFINE GCC48_AARCH64_ASLDLINK_FLAGS = D
-
- DEFINE GCC49_IA32_CC_FLAGS = DEF(GCC48_IA32_CC_FLAGS)
- DEFINE GCC49_X64_CC_FLAGS = DEF(GCC48_X64_CC_FLAGS)
--DEFINE GCC49_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x40
-+DEFINE GCC49_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x40 -no-pie
- DEFINE GCC49_IA32_X64_ASLDLINK_FLAGS = DEF(GCC49_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable
- DEFINE GCC49_IA32_X64_DLINK_FLAGS = DEF(GCC49_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map
- DEFINE GCC49_IA32_DLINK2_FLAGS = DEF(GCC48_IA32_DLINK2_FLAGS)
diff --git a/meta/recipes-core/ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch b/meta/recipes-core/ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch
deleted file mode 100644
index a076665c33..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 86dbdac5a25bd23deb4a0e0a97b527407e02184d Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek <lersek@redhat.com>
-Date: Fri, 2 Mar 2018 17:11:52 +0100
-Subject: [PATCH 2/4] BaseTools/header.makefile: add "-Wno-restrict"
-
-gcc-8 (which is part of Fedora 28) enables the new warning
-"-Wrestrict" in "-Wall". This warning is documented in detail
-at <https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html>; the
-introduction says
-
-> Warn when an object referenced by a restrict-qualified parameter (or, in
-> C++, a __restrict-qualified parameter) is aliased by another argument,
-> or when copies between such objects overlap.
-
-It breaks the BaseTools build (in the Brotli compression library) with:
-
-> In function 'ProcessCommandsInternal',
-> inlined from 'ProcessCommands' at dec/decode.c:1828:10:
-> dec/decode.c:1781:9: error: 'memcpy' accessing between 17 and 2147483631
-> bytes at offsets 16 and 16 overlaps between 17 and 2147483631 bytes at
-> offset 16 [-Werror=restrict]
-> memcpy(copy_dst + 16, copy_src + 16, (size_t)(i - 16));
-> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-> In function 'ProcessCommandsInternal',
-> inlined from 'SafeProcessCommands' at dec/decode.c:1833:10:
-> dec/decode.c:1781:9: error: 'memcpy' accessing between 17 and 2147483631
-> bytes at offsets 16 and 16 overlaps between 17 and 2147483631 bytes at
-> offset 16 [-Werror=restrict]
-> memcpy(copy_dst + 16, copy_src + 16, (size_t)(i - 16));
-> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Paolo Bonzini <pbonzini@redhat.com> analyzed the Brotli source in detail,
-and concluded that the warning is a false positive:
-
-> This seems safe to me, because it's preceded by:
->
-> uint8_t* copy_dst = &s->ringbuffer[pos];
-> uint8_t* copy_src = &s->ringbuffer[src_start];
-> int dst_end = pos + i;
-> int src_end = src_start + i;
-> if (src_end > pos && dst_end > src_start) {
-> /* Regions intersect. */
-> goto CommandPostWrapCopy;
-> }
->
-> If [src_start, src_start + i) and [pos, pos + i) don't intersect, then
-> neither do [src_start + 16, src_start + i) and [pos + 16, pos + i).
->
-> The if seems okay:
->
-> (src_start + i > pos && pos + i > src_start)
->
-> which can be rewritten to:
->
-> (pos < src_start + i && src_start < pos + i)
->
-> Then the numbers are in one of these two orders:
->
-> pos <= src_start < pos + i <= src_start + i
-> src_start <= pos < src_start + i <= pos + i
->
-> These two would be allowed by the "if", but they can only happen if pos
-> == src_start so they degenerate to the same two orders above:
->
-> pos <= src_start < src_start + i <= pos + i
-> src_start <= pos < pos + i <= src_start + i
->
-> So it is a false positive in GCC.
-
-Disable the warning for now.
-
-Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Cc: Cole Robinson <crobinso@redhat.com>
-Cc: Liming Gao <liming.gao@intel.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Yonghong Zhu <yonghong.zhu@intel.com>
-Reported-by: Cole Robinson <crobinso@redhat.com>
-Contributed-under: TianoCore Contribution Agreement 1.1
-Signed-off-by: Laszlo Ersek <lersek@redhat.com>
-Reviewed-by: Liming Gao <liming.gao@intel.com>
----
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Upstream-Status: Backport
- BaseTools/Source/C/Makefiles/header.makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-Index: git/BaseTools/Source/C/Makefiles/header.makefile
-===================================================================
---- git.orig/BaseTools/Source/C/Makefiles/header.makefile
-+++ git/BaseTools/Source/C/Makefiles/header.makefile
-@@ -47,9 +47,9 @@ INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT)
- BUILD_CPPFLAGS += $(INCLUDE) -O2
- ifeq ($(DARWIN),Darwin)
- # assume clang or clang compatible flags on OS X
--BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-self-assign -Wno-unused-result -nostdlib -c -g
-+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-self-assign -Wno-unused-result -nostdlib -c -g
- else
--BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-unused-result -nostdlib -c -g
-+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-unused-result -nostdlib -c -g
- endif
- BUILD_LFLAGS = $(LDFLAGS)
- BUILD_CXXFLAGS += -Wno-unused-result
diff --git a/meta/recipes-core/ovmf/ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch b/meta/recipes-core/ovmf/ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch
deleted file mode 100644
index 920723e326..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 6866325dd9c17412e555974dde41f9631224db52 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek <lersek@redhat.com>
-Date: Wed, 7 Mar 2018 10:17:28 +0100
-Subject: [PATCH 3/4] BaseTools/header.makefile: revert gcc-8 "-Wno-xxx"
- options on OSX
-
-I recently added the gcc-8 specific "-Wno-stringop-truncation" and
-"-Wno-restrict" options to BUILD_CFLAGS, both for "Darwin" (XCODE5 /
-clang, OSX) and otherwise (gcc, Linux / Cygwin).
-
-I also regression-tested the change with gcc-4.8 on Linux -- gcc-4.8 does
-not know either of the (gcc-8 specific) "-Wno-stringop-truncation" and
-"-Wno-restrict" options, yet the build completed fine (by GCC design).
-
-Regarding OSX, my expectation was that
-
-- XCODE5 / clang would either recognize these warnings options (because
- clang does recognize most -W options of gcc),
-
-- or, similarly to gcc, clang would simply ignore the "-Wno-xxx" flags
- that it didn't recognize.
-
-Neither is the case; the new flags have broken the BaseTools build on OSX.
-Revert them (for OSX only).
-
-Cc: Liming Gao <liming.gao@intel.com>
-Cc: Yonghong Zhu <yonghong.zhu@intel.com>
-Reported-by: Liming Gao <liming.gao@intel.com>
-Fixes: 1d212a83df0eaf32a6f5d4159beb2d77832e0231
-Fixes: 9222154ae7b3eef75ae88cdb56158256227cb929
-Contributed-under: TianoCore Contribution Agreement 1.1
-Signed-off-by: Laszlo Ersek <lersek@redhat.com>
-Reviewed-by: Liming Gao <liming.gao@intel.com>
-Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
----
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Upstream-Status: Backport
- BaseTools/Source/C/Makefiles/header.makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: git/BaseTools/Source/C/Makefiles/header.makefile
-===================================================================
---- git.orig/BaseTools/Source/C/Makefiles/header.makefile
-+++ git/BaseTools/Source/C/Makefiles/header.makefile
-@@ -47,7 +47,7 @@ INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT)
- BUILD_CPPFLAGS += $(INCLUDE) -O2
- ifeq ($(DARWIN),Darwin)
- # assume clang or clang compatible flags on OS X
--BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-self-assign -Wno-unused-result -nostdlib -c -g
-+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g
- else
- BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-unused-result -nostdlib -c -g
- endif
diff --git a/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch b/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
index 65b5c16dcb..070b0ac5a6 100644
--- a/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
+++ b/meta/recipes-core/ovmf/ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
@@ -1,6 +1,6 @@
From 2320650c6d381b914fe91b2dedaa5870279a8bcf Mon Sep 17 00:00:00 2001
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
-Date: Sun, 27 Nov 2016 18:42:55 -0800
+Date: Fri, 26 Jul 2019 17:34:26 -0400
Subject: [PATCH] BaseTools: makefile: adjust to build in under bitbake
Prepend the build flags with those of bitbake. This is to build
@@ -9,31 +9,42 @@ using the bitbake native sysroot include and library directories.
Signed-off-by: Ricardo Neri <ricardo.neri@linux.intel.com>
Upstream-Status: Pending
---
- BaseTools/Source/C/Makefiles/header.makefile | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
+ BaseTools/Source/C/Makefiles/header.makefile | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
Index: git/BaseTools/Source/C/Makefiles/header.makefile
===================================================================
--- git.orig/BaseTools/Source/C/Makefiles/header.makefile
+++ git/BaseTools/Source/C/Makefiles/header.makefile
-@@ -44,15 +44,15 @@ ARCH_INCLUDE = -I $(MAKEROOT)/Include/AA
+@@ -62,23 +62,23 @@ $(error Bad HOST_ARCH)
endif
INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT) -I $(MAKEROOT)/Include/Common -I $(MAKEROOT)/Include/ -I $(MAKEROOT)/Include/IndustryStandard -I $(MAKEROOT)/Common/ -I .. -I . $(ARCH_INCLUDE)
--BUILD_CPPFLAGS = $(INCLUDE) -O2
-+BUILD_CPPFLAGS += $(INCLUDE) -O2
+-BUILD_CPPFLAGS = $(INCLUDE)
++BUILD_CPPFLAGS += $(INCLUDE)
+
+ # keep EXTRA_OPTFLAGS last
+ BUILD_OPTFLAGS = -O2 $(EXTRA_OPTFLAGS)
+
ifeq ($(DARWIN),Darwin)
# assume clang or clang compatible flags on OS X
--BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g
-+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g
+-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror \
++BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror \
+ -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -g
else
--BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-unused-result -nostdlib -c -g
-+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-unused-result -nostdlib -c -g
+-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
++BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
+ -fno-delete-null-pointer-checks -Wall -Werror \
+ -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \
+ -Wno-unused-result -nostdlib -g
endif
-BUILD_LFLAGS =
-BUILD_CXXFLAGS = -Wno-unused-result
+BUILD_LFLAGS = $(LDFLAGS)
+BUILD_CXXFLAGS += -Wno-unused-result
- ifeq ($(ARCH), IA32)
+ ifeq ($(HOST_ARCH), IA32)
#
+--
+2.20.1
+
diff --git a/meta/recipes-core/ovmf/ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch b/meta/recipes-core/ovmf/ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch
deleted file mode 100644
index 7ad7cdf0ce..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From dfb42a5bff78d9239a80731e337855234badef3e Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek <lersek@redhat.com>
-Date: Fri, 2 Mar 2018 17:11:52 +0100
-Subject: [PATCH 4/4] BaseTools/GenVtf: silence false "stringop-overflow"
- warning with memcpy()
-
-gcc-8 (which is part of Fedora 28) enables the new warning
-"-Wstringop-overflow" in "-Wall". This warning is documented in detail at
-<https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html>; the
-introduction says
-
-> Warn for calls to string manipulation functions such as memcpy and
-> strcpy that are determined to overflow the destination buffer.
-
-It breaks the BaseTools build with:
-
-> GenVtf.c: In function 'ConvertVersionInfo':
-> GenVtf.c:132:7: error: 'strncpy' specified bound depends on the length
-> of the source argument [-Werror=stringop-overflow=]
-> strncpy (TemStr + 4 - Length, Str, Length);
-> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-> GenVtf.c:130:14: note: length computed here
-> Length = strlen(Str);
-> ^~~~~~~~~~~
-
-It is a false positive because, while the bound equals the length of the
-source argument, the destination pointer is moved back towards the
-beginning of the destination buffer by the same amount (and this amount is
-range-checked first, so we can't precede the start of the dest buffer).
-
-Replace both strncpy() calls with memcpy().
-
-Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Cc: Cole Robinson <crobinso@redhat.com>
-Cc: Liming Gao <liming.gao@intel.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Yonghong Zhu <yonghong.zhu@intel.com>
-Reported-by: Cole Robinson <crobinso@redhat.com>
-Contributed-under: TianoCore Contribution Agreement 1.1
-Signed-off-by: Laszlo Ersek <lersek@redhat.com>
-Reviewed-by: Liming Gao <liming.gao@intel.com>
----
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Upstream-Status: Backport
- BaseTools/Source/C/GenVtf/GenVtf.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/BaseTools/Source/C/GenVtf/GenVtf.c b/BaseTools/Source/C/GenVtf/GenVtf.c
-index 2ae9a7be2c..0cd33e71e9 100644
---- a/BaseTools/Source/C/GenVtf/GenVtf.c
-+++ b/BaseTools/Source/C/GenVtf/GenVtf.c
-@@ -129,9 +129,9 @@ Returns:
- } else {
- Length = strlen(Str);
- if (Length < 4) {
-- strncpy (TemStr + 4 - Length, Str, Length);
-+ memcpy (TemStr + 4 - Length, Str, Length);
- } else {
-- strncpy (TemStr, Str + Length - 4, 4);
-+ memcpy (TemStr, Str + Length - 4, 4);
- }
-
- sscanf (
---
-2.17.0
-
diff --git a/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch b/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
deleted file mode 100644
index 3aa6cc4acb..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
+++ /dev/null
@@ -1,1124 +0,0 @@
-From: Laszlo Ersek <lersek@redhat.com>
-Date: Mon, 6 Jul 2015 20:22:02 +0200
-Subject: [PATCH] OvmfPkg: EnrollDefaultKeys: application for enrolling default
- keys
-
-(A port of the <https://bugzilla.redhat.com/show_bug.cgi?id=1148296> patch
-to Gerd's public RPMs.)
-
-This application is meant to be invoked by the management layer, after
-booting the UEFI shell and getting a shell prompt on the serial console.
-The app enrolls a number of certificates (see below), and then reports
-status to the serial console as well. The expected output is "info:
-success":
-
-> Shell> EnrollDefaultKeys.efi
-> info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
-> info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
-> info: success
-> Shell>
-
-In case of success, the management layer can force off or reboot the VM
-(for example with the "reset -s" or "reset -c" UEFI shell commands,
-respectively), and start the guest installation with SecureBoot enabled.
-
-PK:
-- A unique, static, ad-hoc certificate whose private half has been
- destroyed (more precisely, never saved) and is therefore unusable for
- signing. (The command for creating this certificate is saved in the
- source code.)
-
-KEK:
-- same ad-hoc certificate as used for the PK,
-- "Microsoft Corporation KEK CA 2011" -- the dbx data in Fedora's dbxtool
- package is signed (indirectly, through a chain) with this; enrolling
- such a KEK should allow guests to install those updates.
-
-DB:
-- "Microsoft Windows Production PCA 2011" -- to load Windows 8 and Windows
- Server 2012 R2,
-- "Microsoft Corporation UEFI CA 2011" -- to load Linux and signed PCI
- oproms.
-
-Contributed-under: TianoCore Contribution Agreement 1.0
-Signed-off-by: Laszlo Ersek <lersek@redhat.com>
-Upstream-Status: Inappropriate [not author]
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 960 ++++++++++++++++++++++++
- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 51 ++
- OvmfPkg/OvmfPkgIa32.dsc | 4 +
- OvmfPkg/OvmfPkgIa32X64.dsc | 4 +
- OvmfPkg/OvmfPkgX64.dsc | 4 +
- 5 files changed, 1023 insertions(+)
- create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
- create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
-
-diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
-new file mode 100644
-index 0000000..081212b
---- /dev/null
-+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
-@@ -0,0 +1,960 @@
-+/** @file
-+ Enroll default PK, KEK, DB.
-+
-+ Copyright (C) 2014, Red Hat, Inc.
-+
-+ This program and the accompanying materials are licensed and made available
-+ under the terms and conditions of the BSD License which accompanies this
-+ distribution. The full text of the license may be found at
-+ http://opensource.org/licenses/bsd-license.
-+
-+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
-+ WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-+**/
-+#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid
-+#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME
-+#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE
-+#include <Library/BaseMemoryLib.h> // CopyGuid()
-+#include <Library/DebugLib.h> // ASSERT()
-+#include <Library/MemoryAllocationLib.h> // FreePool()
-+#include <Library/ShellCEntryLib.h> // ShellAppMain()
-+#include <Library/UefiLib.h> // AsciiPrint()
-+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
-+
-+//
-+// The example self-signed certificate below, which we'll use for both Platform
-+// Key, and first Key Exchange Key, has been generated with the following
-+// non-interactive openssl command. The passphrase is read from /dev/urandom,
-+// and not saved, and the private key is written to /dev/null. In other words,
-+// we can't sign anything else against this certificate, which is our purpose.
-+//
-+/*
-+ openssl req \
-+ -passout file:<(head -c 16 /dev/urandom) \
-+ -x509 \
-+ -newkey rsa:2048 \
-+ -keyout /dev/null \
-+ -outform DER \
-+ -subj $(
-+ printf /C=US
-+ printf /ST=TestStateOrProvince
-+ printf /L=TestLocality
-+ printf /O=TestOrganization
-+ printf /OU=TestOrganizationalUnit
-+ printf /CN=TestCommonName
-+ printf /emailAddress=test@example.com
-+ ) \
-+ 2>/dev/null \
-+ | xxd -i
-+*/
-+STATIC CONST UINT8 ExampleCert[] = {
-+ 0x30, 0x82, 0x04, 0x45, 0x30, 0x82, 0x03, 0x2d, 0xa0, 0x03, 0x02, 0x01, 0x02,
-+ 0x02, 0x09, 0x00, 0xcf, 0x9f, 0x51, 0xa3, 0x07, 0xdb, 0x54, 0xa1, 0x30, 0x0d,
-+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
-+ 0x30, 0x81, 0xb8, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
-+ 0x02, 0x55, 0x53, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
-+ 0x13, 0x54, 0x65, 0x73, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x4f, 0x72, 0x50,
-+ 0x72, 0x6f, 0x76, 0x69, 0x6e, 0x63, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03,
-+ 0x55, 0x04, 0x07, 0x0c, 0x0c, 0x54, 0x65, 0x73, 0x74, 0x4c, 0x6f, 0x63, 0x61,
-+ 0x6c, 0x69, 0x74, 0x79, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a,
-+ 0x0c, 0x10, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a,
-+ 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04,
-+ 0x0b, 0x0c, 0x16, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69,
-+ 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x55, 0x6e, 0x69, 0x74, 0x31,
-+ 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0e, 0x54, 0x65, 0x73,
-+ 0x74, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x31, 0x1f,
-+ 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01,
-+ 0x16, 0x10, 0x74, 0x65, 0x73, 0x74, 0x40, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c,
-+ 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
-+ 0x30, 0x39, 0x31, 0x33, 0x32, 0x38, 0x32, 0x32, 0x5a, 0x17, 0x0d, 0x31, 0x34,
-+ 0x31, 0x31, 0x30, 0x38, 0x31, 0x33, 0x32, 0x38, 0x32, 0x32, 0x5a, 0x30, 0x81,
-+ 0xb8, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
-+ 0x53, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x13, 0x54,
-+ 0x65, 0x73, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x4f, 0x72, 0x50, 0x72, 0x6f,
-+ 0x76, 0x69, 0x6e, 0x63, 0x65, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04,
-+ 0x07, 0x0c, 0x0c, 0x54, 0x65, 0x73, 0x74, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x69,
-+ 0x74, 0x79, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x10,
-+ 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74,
-+ 0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c,
-+ 0x16, 0x54, 0x65, 0x73, 0x74, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61,
-+ 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x55, 0x6e, 0x69, 0x74, 0x31, 0x17, 0x30,
-+ 0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0e, 0x54, 0x65, 0x73, 0x74, 0x43,
-+ 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x31, 0x1f, 0x30, 0x1d,
-+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10,
-+ 0x74, 0x65, 0x73, 0x74, 0x40, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e,
-+ 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
-+ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
-+ 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbf, 0xf1, 0xce,
-+ 0x17, 0x32, 0xac, 0xc4, 0x4b, 0xb2, 0xed, 0x84, 0x76, 0xe5, 0xd0, 0xf8, 0x21,
-+ 0xac, 0x10, 0xf8, 0x18, 0x09, 0x0e, 0x07, 0x13, 0x76, 0x21, 0x5c, 0xc4, 0xcc,
-+ 0xd5, 0xe6, 0x25, 0xa7, 0x26, 0x53, 0x79, 0x2f, 0x16, 0x4b, 0x85, 0xbd, 0xae,
-+ 0x42, 0x64, 0x58, 0xcb, 0x5e, 0xe8, 0x6e, 0x5a, 0xd0, 0xc4, 0x0f, 0x38, 0x16,
-+ 0xbe, 0xd3, 0x22, 0xa7, 0x3c, 0x9b, 0x8b, 0x5e, 0xcb, 0x62, 0x35, 0xc5, 0x9b,
-+ 0xe2, 0x8e, 0x4c, 0x65, 0x57, 0x4f, 0xcb, 0x27, 0xad, 0xe7, 0x63, 0xa7, 0x77,
-+ 0x2b, 0xd5, 0x02, 0x42, 0x70, 0x46, 0xac, 0xba, 0xb6, 0x60, 0x57, 0xd9, 0xce,
-+ 0x31, 0xc5, 0x12, 0x03, 0x4a, 0xf7, 0x2a, 0x2b, 0x40, 0x06, 0xb4, 0xdb, 0x31,
-+ 0xb7, 0x83, 0x6c, 0x67, 0x87, 0x98, 0x8b, 0xce, 0x1b, 0x30, 0x7a, 0xfa, 0x35,
-+ 0x6c, 0x86, 0x20, 0x74, 0xc5, 0x7d, 0x32, 0x31, 0x18, 0xeb, 0x69, 0xf7, 0x2d,
-+ 0x20, 0xc4, 0xf0, 0xd2, 0xfa, 0x67, 0x81, 0xc1, 0xbb, 0x23, 0xbb, 0x75, 0x1a,
-+ 0xe4, 0xb4, 0x49, 0x99, 0xdf, 0x12, 0x4c, 0xe3, 0x6d, 0x76, 0x24, 0x85, 0x24,
-+ 0xae, 0x5a, 0x9e, 0xbd, 0x54, 0x1c, 0xf9, 0x0e, 0xed, 0x96, 0xb5, 0xd8, 0xa2,
-+ 0x0d, 0x2a, 0x38, 0x5d, 0x12, 0x97, 0xb0, 0x4d, 0x75, 0x85, 0x1e, 0x47, 0x6d,
-+ 0xe1, 0x25, 0x59, 0xcb, 0xe9, 0x33, 0x86, 0x6a, 0xef, 0x98, 0x24, 0xa0, 0x2b,
-+ 0x02, 0x7b, 0xc0, 0x9f, 0x88, 0x03, 0xb0, 0xbe, 0x22, 0x65, 0x83, 0x77, 0xb3,
-+ 0x30, 0xba, 0xe0, 0x3b, 0x54, 0x31, 0x3a, 0x45, 0x81, 0x9c, 0x48, 0xaf, 0xc1,
-+ 0x11, 0x5b, 0xf2, 0x3a, 0x1e, 0x33, 0x1b, 0x8f, 0x0e, 0x04, 0xa4, 0x16, 0xd4,
-+ 0x6b, 0x57, 0xee, 0xe7, 0xba, 0xf5, 0xee, 0xaf, 0xe2, 0x4c, 0x50, 0xf8, 0x68,
-+ 0x57, 0x88, 0xfb, 0x7f, 0xa3, 0xcf, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x50,
-+ 0x30, 0x4e, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14,
-+ 0x1e, 0x44, 0xe5, 0xef, 0xcd, 0x6e, 0x1f, 0xdb, 0xcb, 0x4f, 0x94, 0x8f, 0xe3,
-+ 0x3b, 0x1a, 0x8c, 0xe6, 0x95, 0x29, 0x61, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d,
-+ 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x1e, 0x44, 0xe5, 0xef, 0xcd, 0x6e,
-+ 0x1f, 0xdb, 0xcb, 0x4f, 0x94, 0x8f, 0xe3, 0x3b, 0x1a, 0x8c, 0xe6, 0x95, 0x29,
-+ 0x61, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
-+ 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
-+ 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x12, 0x9c, 0x3e, 0x38,
-+ 0xfc, 0x26, 0xea, 0x6d, 0xb7, 0x5c, 0x29, 0x3c, 0x76, 0x20, 0x0c, 0xb2, 0xa9,
-+ 0x0f, 0xdf, 0xc0, 0x85, 0xfe, 0xeb, 0xec, 0x1d, 0x5d, 0x73, 0x84, 0xac, 0x8a,
-+ 0xb4, 0x2a, 0x86, 0x38, 0x30, 0xaf, 0xd2, 0x2d, 0x2a, 0xde, 0x54, 0xc8, 0x5c,
-+ 0x29, 0x90, 0x24, 0xf2, 0x39, 0xc1, 0xa5, 0x00, 0xb4, 0xb7, 0xd8, 0xdc, 0x59,
-+ 0x64, 0x50, 0x62, 0x5f, 0x54, 0xf1, 0x73, 0x02, 0x4d, 0x43, 0xc5, 0xc3, 0xc4,
-+ 0x0e, 0x62, 0x60, 0x8c, 0x53, 0x66, 0x57, 0x77, 0xb5, 0x81, 0xda, 0x1f, 0x81,
-+ 0xda, 0xe9, 0xd6, 0x5e, 0x82, 0xce, 0xa7, 0x5c, 0xc0, 0xa6, 0xbe, 0x9c, 0x5c,
-+ 0x7b, 0xa5, 0x15, 0xc8, 0xd7, 0x14, 0x53, 0xd3, 0x5c, 0x1c, 0x9f, 0x8a, 0x9f,
-+ 0x66, 0x15, 0xd5, 0xd3, 0x2a, 0x27, 0x0c, 0xee, 0x9f, 0x80, 0x39, 0x88, 0x7b,
-+ 0x24, 0xde, 0x0c, 0x61, 0xa3, 0x44, 0xd8, 0x8d, 0x2e, 0x79, 0xf8, 0x1e, 0x04,
-+ 0x5a, 0xcb, 0xd6, 0x9c, 0xa3, 0x22, 0x8f, 0x09, 0x32, 0x1e, 0xe1, 0x65, 0x8f,
-+ 0x10, 0x5f, 0xd8, 0x52, 0x56, 0xd5, 0x77, 0xac, 0x58, 0x46, 0x60, 0xba, 0x2e,
-+ 0xe2, 0x3f, 0x58, 0x7d, 0x60, 0xfc, 0x31, 0x4a, 0x3a, 0xaf, 0x61, 0x55, 0x5f,
-+ 0xfb, 0x68, 0x14, 0x74, 0xda, 0xdc, 0x42, 0x78, 0xcc, 0xee, 0xff, 0x5c, 0x03,
-+ 0x24, 0x26, 0x2c, 0xb8, 0x3a, 0x81, 0xad, 0xdb, 0xe7, 0xed, 0xe1, 0x62, 0x84,
-+ 0x07, 0x1a, 0xc8, 0xa4, 0x4e, 0xb0, 0x87, 0xf7, 0x96, 0xd8, 0x33, 0x9b, 0x0d,
-+ 0xa7, 0x77, 0xae, 0x5b, 0xaf, 0xad, 0xe6, 0x5a, 0xc9, 0xfa, 0xa4, 0xe4, 0xe5,
-+ 0x57, 0xbb, 0x97, 0xdd, 0x92, 0x85, 0xd8, 0x03, 0x45, 0xfe, 0xd8, 0x6b, 0xb1,
-+ 0xdb, 0x85, 0x36, 0xb9, 0xd9, 0x28, 0xbf, 0x17, 0xae, 0x11, 0xde, 0x10, 0x19,
-+ 0x26, 0x5b, 0xc0, 0x3d, 0xc7
-+};
-+
-+//
-+// Second KEK: "Microsoft Corporation KEK CA 2011".
-+// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
-+//
-+// "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
-+//
-+STATIC CONST UINT8 MicrosoftKEK[] = {
-+ 0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
-+ 0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
-+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
-+ 0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
-+ 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
-+ 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
-+ 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
-+ 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
-+ 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
-+ 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
-+ 0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
-+ 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
-+ 0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
-+ 0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
-+ 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
-+ 0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32,
-+ 0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, 0x30,
-+ 0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-+ 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
-+ 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
-+ 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
-+ 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
-+ 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
-+ 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06,
-+ 0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
-+ 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
-+ 0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31,
-+ 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
-+ 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
-+ 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, 0xad,
-+ 0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, 0x5d,
-+ 0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, 0xeb,
-+ 0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, 0xe3,
-+ 0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, 0x9b,
-+ 0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, 0xac,
-+ 0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, 0xc8,
-+ 0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, 0xc0,
-+ 0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, 0xe2,
-+ 0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, 0x89,
-+ 0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, 0xc2,
-+ 0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, 0x03,
-+ 0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, 0x7e,
-+ 0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, 0xeb,
-+ 0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, 0x2f,
-+ 0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, 0xaa,
-+ 0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, 0x9f,
-+ 0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, 0xc6,
-+ 0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, 0xaf,
-+ 0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, 0x07,
-+ 0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, 0x30,
-+ 0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
-+ 0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,
-+ 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, 0xa4,
-+ 0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, 0x5f,
-+ 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02,
-+ 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
-+ 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01,
-+ 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
-+ 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
-+ 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, 0x11,
-+ 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, 0x30,
-+ 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, 0xa0,
-+ 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
-+ 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e,
-+ 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70,
-+ 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f,
-+ 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f,
-+ 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63,
-+ 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01,
-+ 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
-+ 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
-+ 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
-+ 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, 0x74,
-+ 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61,
-+ 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d,
-+ 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09,
-+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
-+ 0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, 0x2a,
-+ 0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, 0x66,
-+ 0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, 0x5a,
-+ 0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, 0x64,
-+ 0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, 0x58,
-+ 0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, 0xd0,
-+ 0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, 0xf5,
-+ 0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, 0xec,
-+ 0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, 0xd7,
-+ 0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, 0x28,
-+ 0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, 0x79,
-+ 0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, 0x7b,
-+ 0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, 0xd8,
-+ 0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, 0x19,
-+ 0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, 0x58,
-+ 0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, 0x0d,
-+ 0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, 0x2d,
-+ 0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, 0xc8,
-+ 0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, 0x60,
-+ 0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, 0xac,
-+ 0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, 0x87,
-+ 0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, 0xcd,
-+ 0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, 0x81,
-+ 0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, 0x92,
-+ 0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, 0xe0,
-+ 0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, 0xaf,
-+ 0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, 0xfb,
-+ 0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, 0x68,
-+ 0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, 0xad,
-+ 0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, 0x82,
-+ 0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, 0x14,
-+ 0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, 0x4f,
-+ 0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, 0x9b,
-+ 0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, 0xb0,
-+ 0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
-+ 0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
-+ 0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
-+ 0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
-+ 0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
-+ 0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
-+};
-+
-+//
-+// First DB entry: "Microsoft Windows Production PCA 2011"
-+// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
-+//
-+// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
-+// rooted in this certificate.
-+//
-+STATIC CONST UINT8 MicrosoftPCA[] = {
-+ 0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
-+ 0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
-+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
-+ 0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
-+ 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
-+ 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
-+ 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
-+ 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
-+ 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
-+ 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30,
-+ 0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f,
-+ 0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72,
-+ 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
-+ 0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17,
-+ 0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, 0x32,
-+ 0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, 0x31,
-+ 0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
-+ 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
-+ 0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f,
-+ 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52,
-+ 0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55,
-+ 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
-+ 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31,
-+ 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, 0x63,
-+ 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77,
-+ 0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20,
-+ 0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30,
-+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
-+ 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
-+ 0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, 0xf7,
-+ 0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, 0xcb,
-+ 0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, 0x8b,
-+ 0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, 0xe3,
-+ 0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, 0xc0,
-+ 0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, 0x74,
-+ 0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, 0x67,
-+ 0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, 0x53,
-+ 0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, 0x23,
-+ 0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, 0xa3,
-+ 0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, 0xff,
-+ 0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, 0xe2,
-+ 0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, 0x22,
-+ 0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, 0xf3,
-+ 0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, 0x2b,
-+ 0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, 0xbc,
-+ 0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, 0xd6,
-+ 0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, 0xe8,
-+ 0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, 0xa8,
-+ 0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, 0x03,
-+ 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, 0x10,
-+ 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
-+ 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
-+ 0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, 0xf9,
-+ 0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, 0x2b,
-+ 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00,
-+ 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03,
-+ 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03,
-+ 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
-+ 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
-+ 0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, 0x94,
-+ 0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, 0x1d,
-+ 0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, 0x45,
-+ 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69,
-+ 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
-+ 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63,
-+ 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41,
-+ 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33,
-+ 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
-+ 0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
-+ 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, 0x3a,
-+ 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
-+ 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65,
-+ 0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72,
-+ 0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32,
-+ 0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
-+ 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x14,
-+ 0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, 0xbc,
-+ 0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, 0xd0,
-+ 0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, 0x61,
-+ 0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, 0xda,
-+ 0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, 0x6a,
-+ 0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, 0xe2,
-+ 0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, 0xea,
-+ 0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, 0x30,
-+ 0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, 0x86,
-+ 0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, 0xc8,
-+ 0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, 0xae,
-+ 0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, 0xb8,
-+ 0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, 0xac,
-+ 0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, 0x84,
-+ 0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, 0x73,
-+ 0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, 0x73,
-+ 0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, 0x60,
-+ 0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, 0xb6,
-+ 0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, 0x2a,
-+ 0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, 0xba,
-+ 0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, 0xce,
-+ 0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, 0x0f,
-+ 0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, 0x6e,
-+ 0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, 0xd3,
-+ 0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, 0x45,
-+ 0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, 0xd0,
-+ 0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, 0x24,
-+ 0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, 0x2c,
-+ 0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, 0xdf,
-+ 0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, 0x6c,
-+ 0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, 0xf2,
-+ 0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, 0x5c,
-+ 0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, 0x47,
-+ 0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, 0x5a,
-+ 0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
-+ 0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
-+ 0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
-+ 0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
-+ 0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
-+ 0x62, 0x1c, 0x59, 0x7e
-+};
-+
-+//
-+// Second DB entry: "Microsoft Corporation UEFI CA 2011"
-+// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
-+//
-+// To verify the "shim" binary and PCI expansion ROMs with.
-+//
-+STATIC CONST UINT8 MicrosoftUefiCA[] = {
-+ 0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
-+ 0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
-+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
-+ 0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
-+ 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
-+ 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
-+ 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
-+ 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
-+ 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
-+ 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
-+ 0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
-+ 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
-+ 0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
-+ 0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
-+ 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
-+ 0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x32,
-+ 0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30,
-+ 0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-+ 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
-+ 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
-+ 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
-+ 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
-+ 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
-+ 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, 0x06,
-+ 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
-+ 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
-+ 0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31,
-+ 0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
-+ 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
-+ 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, 0xc7,
-+ 0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, 0x43,
-+ 0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, 0x73,
-+ 0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, 0xd3,
-+ 0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, 0x54,
-+ 0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, 0x5c,
-+ 0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, 0x4f,
-+ 0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, 0xae,
-+ 0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, 0x1d,
-+ 0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, 0xfa,
-+ 0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, 0xff,
-+ 0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, 0x7b,
-+ 0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, 0xe6,
-+ 0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, 0x62,
-+ 0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, 0x08,
-+ 0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, 0xe7,
-+ 0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, 0xb2,
-+ 0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, 0x7f,
-+ 0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, 0x8b,
-+ 0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, 0x6a,
-+ 0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x76,
-+ 0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01,
-+ 0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x23,
-+ 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, 0x16,
-+ 0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, 0x37,
-+ 0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, 0x03,
-+ 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, 0xbd,
-+ 0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, 0x1b,
-+ 0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14,
-+ 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43,
-+ 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
-+ 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
-+ 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
-+ 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58,
-+ 0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8,
-+ 0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51,
-+ 0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
-+ 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
-+ 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f,
-+ 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43,
-+ 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f,
-+ 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e,
-+ 0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
-+ 0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01,
-+ 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
-+ 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
-+ 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72,
-+ 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50,
-+ 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30,
-+ 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06,
-+ 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
-+ 0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, 0x76,
-+ 0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, 0xef,
-+ 0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, 0x13,
-+ 0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, 0x82,
-+ 0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, 0x1a,
-+ 0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, 0x20,
-+ 0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, 0x90,
-+ 0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, 0x52,
-+ 0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, 0x6d,
-+ 0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, 0xaf,
-+ 0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, 0x49,
-+ 0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, 0x34,
-+ 0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, 0x75,
-+ 0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, 0xb9,
-+ 0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, 0x8f,
-+ 0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, 0x8c,
-+ 0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, 0x56,
-+ 0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, 0xae,
-+ 0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, 0x4a,
-+ 0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, 0x3c,
-+ 0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, 0x59,
-+ 0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, 0x3d,
-+ 0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, 0x53,
-+ 0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, 0x1b,
-+ 0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, 0x98,
-+ 0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, 0x85,
-+ 0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, 0xd2,
-+ 0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, 0xe2,
-+ 0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, 0x6c,
-+ 0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, 0x3b,
-+ 0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, 0x27,
-+ 0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, 0xa6,
-+ 0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, 0x3f,
-+ 0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, 0x55,
-+ 0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
-+ 0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
-+ 0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
-+ 0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
-+ 0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
-+ 0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
-+};
-+
-+//
-+// The most important thing about the variable payload is that it is a list of
-+// lists, where the element size of any given *inner* list is constant.
-+//
-+// Since X509 certificates vary in size, each of our *inner* lists will contain
-+// one element only (one X.509 certificate). This is explicitly mentioned in
-+// the UEFI specification, in "28.4.1 Signature Database", in a Note.
-+//
-+// The list structure looks as follows:
-+//
-+// struct EFI_VARIABLE_AUTHENTICATION_2 { |
-+// struct EFI_TIME { |
-+// UINT16 Year; |
-+// UINT8 Month; |
-+// UINT8 Day; |
-+// UINT8 Hour; |
-+// UINT8 Minute; |
-+// UINT8 Second; |
-+// UINT8 Pad1; |
-+// UINT32 Nanosecond; |
-+// INT16 TimeZone; |
-+// UINT8 Daylight; |
-+// UINT8 Pad2; |
-+// } TimeStamp; |
-+// |
-+// struct WIN_CERTIFICATE_UEFI_GUID { | |
-+// struct WIN_CERTIFICATE { | |
-+// UINT32 dwLength; ----------------------------------------+ |
-+// UINT16 wRevision; | |
-+// UINT16 wCertificateType; | |
-+// } Hdr; | +- DataSize
-+// | |
-+// EFI_GUID CertType; | |
-+// UINT8 CertData[1] = { <--- "struct hack" | |
-+// struct EFI_SIGNATURE_LIST { | | |
-+// EFI_GUID SignatureType; | | |
-+// UINT32 SignatureListSize; -------------------------+ | |
-+// UINT32 SignatureHeaderSize; | | |
-+// UINT32 SignatureSize; ---------------------------+ | | |
-+// UINT8 SignatureHeader[SignatureHeaderSize]; | | | |
-+// v | | |
-+// struct EFI_SIGNATURE_DATA { | | | |
-+// EFI_GUID SignatureOwner; | | | |
-+// UINT8 SignatureData[1] = { <--- "struct hack" | | | |
-+// X.509 payload | | | |
-+// } | | | |
-+// } Signatures[]; | | |
-+// } SigLists[]; | |
-+// }; | |
-+// } AuthInfo; | |
-+// }; |
-+//
-+// Given that the "struct hack" invokes undefined behavior (which is why C99
-+// introduced the flexible array member), and because subtracting those pesky
-+// sizes of 1 is annoying, and because the format is fully specified in the
-+// UEFI specification, we'll introduce two matching convenience structures that
-+// are customized for our X.509 purposes.
-+//
-+#pragma pack(1)
-+typedef struct {
-+ EFI_TIME TimeStamp;
-+
-+ //
-+ // dwLength covers data below
-+ //
-+ UINT32 dwLength;
-+ UINT16 wRevision;
-+ UINT16 wCertificateType;
-+ EFI_GUID CertType;
-+} SINGLE_HEADER;
-+
-+typedef struct {
-+ //
-+ // SignatureListSize covers data below
-+ //
-+ EFI_GUID SignatureType;
-+ UINT32 SignatureListSize;
-+ UINT32 SignatureHeaderSize; // constant 0
-+ UINT32 SignatureSize;
-+
-+ //
-+ // SignatureSize covers data below
-+ //
-+ EFI_GUID SignatureOwner;
-+
-+ //
-+ // X.509 certificate follows
-+ //
-+} REPEATING_HEADER;
-+#pragma pack()
-+
-+/**
-+ Enroll a set of DER-formatted X.509 certificates in a global variable,
-+ overwriting it.
-+
-+ The variable will be rewritten with NV+BS+RT+AT attributes.
-+
-+ @param[in] VariableName The name of the variable to overwrite.
-+
-+ @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable to
-+ overwrite.
-+
-+ @param[in] ... A list of
-+
-+ IN CONST UINT8 *Cert,
-+ IN UINTN CertSize,
-+ IN CONST EFI_GUID *OwnerGuid
-+
-+ triplets. If the first component of a triplet is
-+ NULL, then the other two components are not
-+ accessed, and processing is terminated. The list of
-+ X.509 certificates is enrolled in the variable
-+ specified, overwriting it. The OwnerGuid component
-+ identifies the agent installing the certificate.
-+
-+ @retval EFI_INVALID_PARAMETER The triplet list is empty (ie. the first Cert
-+ value is NULL), or one of the CertSize values
-+ is 0, or one of the CertSize values would
-+ overflow the accumulated UINT32 data size.
-+
-+ @retval EFI_OUT_OF_RESOURCES Out of memory while formatting variable
-+ payload.
-+
-+ @retval EFI_SUCCESS Enrollment successful; the variable has been
-+ overwritten (or created).
-+
-+ @return Error codes from gRT->GetTime() and
-+ gRT->SetVariable().
-+**/
-+STATIC
-+EFI_STATUS
-+EFIAPI
-+EnrollListOfX509Certs (
-+ IN CHAR16 *VariableName,
-+ IN EFI_GUID *VendorGuid,
-+ ...
-+ )
-+{
-+ UINTN DataSize;
-+ SINGLE_HEADER *SingleHeader;
-+ REPEATING_HEADER *RepeatingHeader;
-+ VA_LIST Marker;
-+ CONST UINT8 *Cert;
-+ EFI_STATUS Status = EFI_SUCCESS;
-+ UINT8 *Data;
-+ UINT8 *Position;
-+
-+ //
-+ // compute total size first, for UINT32 range check, and allocation
-+ //
-+ DataSize = sizeof *SingleHeader;
-+ VA_START (Marker, VendorGuid);
-+ for (Cert = VA_ARG (Marker, CONST UINT8 *);
-+ Cert != NULL;
-+ Cert = VA_ARG (Marker, CONST UINT8 *)) {
-+ UINTN CertSize;
-+
-+ CertSize = VA_ARG (Marker, UINTN);
-+ (VOID)VA_ARG (Marker, CONST EFI_GUID *);
-+
-+ if (CertSize == 0 ||
-+ CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||
-+ DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {
-+ Status = EFI_INVALID_PARAMETER;
-+ break;
-+ }
-+ DataSize += sizeof *RepeatingHeader + CertSize;
-+ }
-+ VA_END (Marker);
-+
-+ if (DataSize == sizeof *SingleHeader) {
-+ Status = EFI_INVALID_PARAMETER;
-+ }
-+ if (EFI_ERROR (Status)) {
-+ goto Out;
-+ }
-+
-+ Data = AllocatePool (DataSize);
-+ if (Data == NULL) {
-+ Status = EFI_OUT_OF_RESOURCES;
-+ goto Out;
-+ }
-+
-+ Position = Data;
-+
-+ SingleHeader = (SINGLE_HEADER *)Position;
-+ Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);
-+ if (EFI_ERROR (Status)) {
-+ goto FreeData;
-+ }
-+ SingleHeader->TimeStamp.Pad1 = 0;
-+ SingleHeader->TimeStamp.Nanosecond = 0;
-+ SingleHeader->TimeStamp.TimeZone = 0;
-+ SingleHeader->TimeStamp.Daylight = 0;
-+ SingleHeader->TimeStamp.Pad2 = 0;
-+#if 0
-+ SingleHeader->dwLength = DataSize - sizeof SingleHeader->TimeStamp;
-+#else
-+ //
-+ // This looks like a bug in edk2. According to the UEFI specification,
-+ // dwLength is "The length of the entire certificate, including the length of
-+ // the header, in bytes". That shouldn't stop right after CertType -- it
-+ // should include everything below it.
-+ //
-+ SingleHeader->dwLength = sizeof *SingleHeader
-+ - sizeof SingleHeader->TimeStamp;
-+#endif
-+ SingleHeader->wRevision = 0x0200;
-+ SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;
-+ CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);
-+ Position += sizeof *SingleHeader;
-+
-+ VA_START (Marker, VendorGuid);
-+ for (Cert = VA_ARG (Marker, CONST UINT8 *);
-+ Cert != NULL;
-+ Cert = VA_ARG (Marker, CONST UINT8 *)) {
-+ UINTN CertSize;
-+ CONST EFI_GUID *OwnerGuid;
-+
-+ CertSize = VA_ARG (Marker, UINTN);
-+ OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
-+
-+ RepeatingHeader = (REPEATING_HEADER *)Position;
-+ CopyGuid (&RepeatingHeader->SignatureType, &gEfiCertX509Guid);
-+ RepeatingHeader->SignatureListSize = sizeof *RepeatingHeader + CertSize;
-+ RepeatingHeader->SignatureHeaderSize = 0;
-+ RepeatingHeader->SignatureSize =
-+ sizeof RepeatingHeader->SignatureOwner + CertSize;
-+ CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);
-+ Position += sizeof *RepeatingHeader;
-+
-+ CopyMem (Position, Cert, CertSize);
-+ Position += CertSize;
-+ }
-+ VA_END (Marker);
-+
-+ ASSERT (Data + DataSize == Position);
-+
-+ Status = gRT->SetVariable (VariableName, VendorGuid,
-+ (EFI_VARIABLE_NON_VOLATILE |
-+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
-+ EFI_VARIABLE_RUNTIME_ACCESS |
-+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
-+ DataSize, Data);
-+
-+FreeData:
-+ FreePool (Data);
-+
-+Out:
-+ if (EFI_ERROR (Status)) {
-+ AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
-+ VendorGuid, Status);
-+ }
-+ return Status;
-+}
-+
-+
-+STATIC
-+EFI_STATUS
-+EFIAPI
-+GetExact (
-+ IN CHAR16 *VariableName,
-+ IN EFI_GUID *VendorGuid,
-+ OUT VOID *Data,
-+ IN UINTN DataSize,
-+ IN BOOLEAN AllowMissing
-+ )
-+{
-+ UINTN Size;
-+ EFI_STATUS Status;
-+
-+ Size = DataSize;
-+ Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);
-+ if (EFI_ERROR (Status)) {
-+ if (Status == EFI_NOT_FOUND && AllowMissing) {
-+ ZeroMem (Data, DataSize);
-+ return EFI_SUCCESS;
-+ }
-+
-+ AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,
-+ VendorGuid, Status);
-+ return Status;
-+ }
-+
-+ if (Size != DataSize) {
-+ AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
-+ "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
-+ return EFI_PROTOCOL_ERROR;
-+ }
-+
-+ return EFI_SUCCESS;
-+}
-+
-+typedef struct {
-+ UINT8 SetupMode;
-+ UINT8 SecureBoot;
-+ UINT8 SecureBootEnable;
-+ UINT8 CustomMode;
-+ UINT8 VendorKeys;
-+} SETTINGS;
-+
-+STATIC
-+EFI_STATUS
-+EFIAPI
-+GetSettings (
-+ OUT SETTINGS *Settings
-+ )
-+{
-+ EFI_STATUS Status;
-+
-+ Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
-+ &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
-+ if (EFI_ERROR (Status)) {
-+ return Status;
-+ }
-+
-+ Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,
-+ &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);
-+ if (EFI_ERROR (Status)) {
-+ return Status;
-+ }
-+
-+ Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,
-+ &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,
-+ sizeof Settings->SecureBootEnable, TRUE);
-+ if (EFI_ERROR (Status)) {
-+ return Status;
-+ }
-+
-+ Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
-+ &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);
-+ if (EFI_ERROR (Status)) {
-+ return Status;
-+ }
-+
-+ Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
-+ &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
-+ return Status;
-+}
-+
-+STATIC
-+VOID
-+EFIAPI
-+PrintSettings (
-+ IN CONST SETTINGS *Settings
-+ )
-+{
-+ AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
-+ "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
-+ Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
-+}
-+
-+
-+INTN
-+EFIAPI
-+ShellAppMain (
-+ IN UINTN Argc,
-+ IN CHAR16 **Argv
-+ )
-+{
-+ EFI_STATUS Status;
-+ SETTINGS Settings;
-+
-+ Status = GetSettings (&Settings);
-+ if (EFI_ERROR (Status)) {
-+ return 1;
-+ }
-+ PrintSettings (&Settings);
-+
-+ if (Settings.SetupMode != 1) {
-+ AsciiPrint ("error: already in User Mode\n");
-+ return 1;
-+ }
-+
-+ if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
-+ Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
-+ Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
-+ (EFI_VARIABLE_NON_VOLATILE |
-+ EFI_VARIABLE_BOOTSERVICE_ACCESS),
-+ sizeof Settings.CustomMode, &Settings.CustomMode);
-+ if (EFI_ERROR (Status)) {
-+ AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
-+ &gEfiCustomModeEnableGuid, Status);
-+ return 1;
-+ }
-+ }
-+
-+ Status = EnrollListOfX509Certs (
-+ EFI_IMAGE_SECURITY_DATABASE,
-+ &gEfiImageSecurityDatabaseGuid,
-+ MicrosoftPCA, sizeof MicrosoftPCA, &gEfiCallerIdGuid,
-+ MicrosoftUefiCA, sizeof MicrosoftUefiCA, &gEfiCallerIdGuid,
-+ NULL);
-+ if (EFI_ERROR (Status)) {
-+ return 1;
-+ }
-+
-+ Status = EnrollListOfX509Certs (
-+ EFI_KEY_EXCHANGE_KEY_NAME,
-+ &gEfiGlobalVariableGuid,
-+ ExampleCert, sizeof ExampleCert, &gEfiCallerIdGuid,
-+ MicrosoftKEK, sizeof MicrosoftKEK, &gEfiCallerIdGuid,
-+ NULL);
-+ if (EFI_ERROR (Status)) {
-+ return 1;
-+ }
-+
-+ Status = EnrollListOfX509Certs (
-+ EFI_PLATFORM_KEY_NAME,
-+ &gEfiGlobalVariableGuid,
-+ ExampleCert, sizeof ExampleCert, &gEfiGlobalVariableGuid,
-+ NULL);
-+ if (EFI_ERROR (Status)) {
-+ return 1;
-+ }
-+
-+ Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
-+ Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
-+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
-+ sizeof Settings.CustomMode, &Settings.CustomMode);
-+ if (EFI_ERROR (Status)) {
-+ AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
-+ &gEfiCustomModeEnableGuid, Status);
-+ return 1;
-+ }
-+
-+ Status = GetSettings (&Settings);
-+ if (EFI_ERROR (Status)) {
-+ return 1;
-+ }
-+ PrintSettings (&Settings);
-+
-+ if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
-+ Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
-+ Settings.VendorKeys != 0) {
-+ AsciiPrint ("error: unexpected\n");
-+ return 1;
-+ }
-+
-+ AsciiPrint ("info: success\n");
-+ return 0;
-+}
-diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
-new file mode 100644
-index 0000000..ac919bb
---- /dev/null
-+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
-@@ -0,0 +1,51 @@
-+## @file
-+# Enroll default PK, KEK, DB.
-+#
-+# Copyright (C) 2014, Red Hat, Inc.
-+#
-+# This program and the accompanying materials are licensed and made available
-+# under the terms and conditions of the BSD License which accompanies this
-+# distribution. The full text of the license may be found at
-+# http://opensource.org/licenses/bsd-license.
-+#
-+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
-+# IMPLIED.
-+##
-+
-+[Defines]
-+ INF_VERSION = 0x00010006
-+ BASE_NAME = EnrollDefaultKeys
-+ FILE_GUID = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
-+ MODULE_TYPE = UEFI_APPLICATION
-+ VERSION_STRING = 0.1
-+ ENTRY_POINT = ShellCEntryLib
-+
-+#
-+# VALID_ARCHITECTURES = IA32 X64
-+#
-+
-+[Sources]
-+ EnrollDefaultKeys.c
-+
-+[Packages]
-+ MdePkg/MdePkg.dec
-+ MdeModulePkg/MdeModulePkg.dec
-+ SecurityPkg/SecurityPkg.dec
-+ ShellPkg/ShellPkg.dec
-+
-+[Guids]
-+ gEfiCertPkcs7Guid
-+ gEfiCertX509Guid
-+ gEfiCustomModeEnableGuid
-+ gEfiGlobalVariableGuid
-+ gEfiImageSecurityDatabaseGuid
-+ gEfiSecureBootEnableDisableGuid
-+
-+[LibraryClasses]
-+ BaseMemoryLib
-+ DebugLib
-+ MemoryAllocationLib
-+ ShellCEntryLib
-+ UefiLib
-+ UefiRuntimeServicesTableLib
-diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
-index fa9661c..e2e6ba3 100644
---- a/OvmfPkg/OvmfPkgIa32.dsc
-+++ b/OvmfPkg/OvmfPkgIa32.dsc
-@@ -764,6 +764,10 @@
-
- !if $(SECURE_BOOT_ENABLE) == TRUE
- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
-+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
-+ <LibraryClasses>
-+ ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
-+ }
- !endif
-
- OvmfPkg/PlatformDxe/Platform.inf
-diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
-index 667584a..a0ae1aa 100644
---- a/OvmfPkg/OvmfPkgIa32X64.dsc
-+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
-@@ -773,6 +773,10 @@
-
- !if $(SECURE_BOOT_ENABLE) == TRUE
- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
-+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
-+ <LibraryClasses>
-+ ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
-+ }
- !endif
-
- OvmfPkg/PlatformDxe/Platform.inf
-diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
-index 5ae8469..87cee52 100644
---- a/OvmfPkg/OvmfPkgX64.dsc
-+++ b/OvmfPkg/OvmfPkgX64.dsc
-@@ -771,6 +771,10 @@
-
- !if $(SECURE_BOOT_ENABLE) == TRUE
- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
-+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
-+ <LibraryClasses>
-+ ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
-+ }
- !endif
-
- OvmfPkg/PlatformDxe/Platform.inf
diff --git a/meta/recipes-core/ovmf/ovmf/no-stack-protector-all-archs.patch b/meta/recipes-core/ovmf/ovmf/no-stack-protector-all-archs.patch
index 25e5b58e70..1b65348e84 100644
--- a/meta/recipes-core/ovmf/ovmf/no-stack-protector-all-archs.patch
+++ b/meta/recipes-core/ovmf/ovmf/no-stack-protector-all-archs.patch
@@ -9,12 +9,26 @@ Index: git/BaseTools/Conf/tools_def.template
===================================================================
--- git.orig/BaseTools/Conf/tools_def.template
+++ git/BaseTools/Conf/tools_def.template
-@@ -4368,7 +4368,7 @@ DEFINE GCC_IPF_RC_FLAGS = -I
+@@ -1736,10 +1736,10 @@ DEFINE GCC_X64_RC_FLAGS = -I binary -O elf64-x86-64 -B i386
DEFINE GCC_ARM_RC_FLAGS = -I binary -O elf32-littlearm -B arm --rename-section .data=.hii
DEFINE GCC_AARCH64_RC_FLAGS = -I binary -O elf64-littleaarch64 -B aarch64 --rename-section .data=.hii
--DEFINE GCC44_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
-+DEFINE GCC44_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -fno-stack-protector -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
- DEFINE GCC44_IA32_CC_FLAGS = DEF(GCC44_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -fno-PIE -no-pie
- DEFINE GCC44_X64_CC_FLAGS = DEF(GCC44_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables
- DEFINE GCC44_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20 -no-pie
+-DEFINE GCC48_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
++DEFINE GCC48_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -fno-stack-protector -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
+ DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20
+-DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -Wno-address
+-DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address
++DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -D EFI32 -fno-asynchronous-unwind-tables -Wno-address
++DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m64 "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address
+ DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable
+ DEFINE GCC48_IA32_X64_DLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive
+ DEFINE GCC48_IA32_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON)
+@@ -1748,7 +1748,7 @@ DEFINE GCC48_X64_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x228 DEF
+ DEFINE GCC48_ASM_FLAGS = DEF(GCC_ASM_FLAGS)
+ DEFINE GCC48_ARM_ASM_FLAGS = $(ARCHASM_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian
+ DEFINE GCC48_AARCH64_ASM_FLAGS = $(ARCHASM_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian
+-DEFINE GCC48_ARM_CC_FLAGS = $(ARCHCC_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ARM_CC_FLAGS) -fstack-protector -mword-relocations
++DEFINE GCC48_ARM_CC_FLAGS = $(ARCHCC_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ARM_CC_FLAGS) -mword-relocations
+ DEFINE GCC48_ARM_CC_XIPFLAGS = DEF(GCC_ARM_CC_XIPFLAGS)
+ DEFINE GCC48_AARCH64_CC_FLAGS = $(ARCHCC_FLAGS) $(PLATFORM_FLAGS) -mcmodel=large DEF(GCC_AARCH64_CC_FLAGS)
+ DEFINE GCC48_AARCH64_CC_XIPFLAGS = DEF(GCC_AARCH64_CC_XIPFLAGS)
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 71828d8d8d..11793f0d1a 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -4,7 +4,7 @@ Virtual Machines. OVMF contains sample UEFI firmware for QEMU and KVM"
HOMEPAGE = "https://github.com/tianocore/tianocore.github.io/wiki/OVMF"
LICENSE = "BSD"
LICENSE_class-target = "${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'BSD & OpenSSL', 'BSD', d)}"
-LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3496"
+LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=06357ddc23f46577c2aeaeaf7b776d65"
# Enabling Secure Boot adds a dependency on OpenSSL and implies
# compiling OVMF twice, so it is disabled by default. Distros
@@ -12,30 +12,15 @@ LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=343dc88e82ff33d042074f62050c3
PACKAGECONFIG ??= ""
PACKAGECONFIG[secureboot] = ",,,"
-SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
- file://0001-ia32-Dont-use-pie.patch \
+SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=git \
file://0002-ovmf-update-path-to-native-BaseTools.patch \
file://0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
file://0004-ovmf-enable-long-path-file.patch \
- file://VfrCompile-increase-path-length-limit.patch \
file://no-stack-protector-all-archs.patch \
- file://0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch \
- file://0002-BaseTools-header.makefile-add-Wno-restrict.patch \
- file://0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch \
- file://0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch \
"
UPSTREAM_VERSION_UNKNOWN = "1"
-OPENSSL_RELEASE = "openssl-1.1.0e"
-
-SRC_URI_append_class-target = " \
- ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'http://www.openssl.org/source/${OPENSSL_RELEASE}.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib', '', d)} \
- file://0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch \
-"
-
-SRCREV="ec4910cd3336565fdb61dafdd9ec4ae7a6160ba3"
-SRC_URI[openssl.md5sum] = "51c42d152122e474754aea96f66928c6"
-SRC_URI[openssl.sha256sum] = "57be8618979d80c910728cfc99369bf97b2a1abd8f366ab6ebdee8975ad3874c"
+SRCREV="20d2e5a125e34fc8501026613a71549b2a1a3e54"
inherit deploy
@@ -44,7 +29,7 @@ PARALLEL_MAKE = ""
S = "${WORKDIR}/git"
DEPENDS_class-native="util-linux-native iasl-native"
-DEPENDS_class-target="ovmf-native"
+DEPENDS_class-target="ovmf-native bc-native"
DEPENDS_append = " nasm-native"
@@ -191,12 +176,9 @@ do_compile_class-target() {
ln ${build_dir}/${OVMF_ARCH}/Shell.efi ${WORKDIR}/ovmf/
if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
- # See CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt and
- # https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/ for
- # building with Secure Boot enabled.
+ # Repeat build with the Secure Boot flags.
bbnote "Building with Secure Boot."
rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
- ln -sf ${OPENSSL_RELEASE} ${S}/CryptoPkg/Library/OpensslLib/openssl
${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.secboot.fd
ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.secboot.code.fd
--
2.20.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 2/5] ovmf: Set PV
2019-08-07 1:44 [PATCH 0/5] ovmf: Bump to edk2-stable201905 and add improvements Ricardo Neri
2019-08-07 1:44 ` [PATCH 1/5] ovmf: Update to version edk2-stable201905 Ricardo Neri
@ 2019-08-07 1:44 ` Ricardo Neri
2019-08-07 1:44 ` [PATCH 3/5] ovmf: use HOSTTOOLS' python3 Ricardo Neri
` (4 subsequent siblings)
6 siblings, 0 replies; 10+ messages in thread
From: Ricardo Neri @ 2019-08-07 1:44 UTC (permalink / raw)
To: openembedded-core
Now that EDK2 has been tagging stable releases, we can also set PV
and drop UPSTREAM_VERSION_UNKNOWN.
Cc: Ross Burton <ross.burton@intel.com>
Cc: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
---
meta/recipes-core/ovmf/ovmf_git.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 11793f0d1a..c66b751a94 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -18,8 +18,8 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=git \
file://0004-ovmf-enable-long-path-file.patch \
file://no-stack-protector-all-archs.patch \
"
-UPSTREAM_VERSION_UNKNOWN = "1"
+PV = "edk2-stable201905"
SRCREV="20d2e5a125e34fc8501026613a71549b2a1a3e54"
inherit deploy
--
2.20.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 3/5] ovmf: use HOSTTOOLS' python3
2019-08-07 1:44 [PATCH 0/5] ovmf: Bump to edk2-stable201905 and add improvements Ricardo Neri
2019-08-07 1:44 ` [PATCH 1/5] ovmf: Update to version edk2-stable201905 Ricardo Neri
2019-08-07 1:44 ` [PATCH 2/5] ovmf: Set PV Ricardo Neri
@ 2019-08-07 1:44 ` Ricardo Neri
2019-08-07 1:44 ` [PATCH 4/5] ovmf: Generate test Platform key and first Key Exchange Key Ricardo Neri
` (3 subsequent siblings)
6 siblings, 0 replies; 10+ messages in thread
From: Ricardo Neri @ 2019-08-07 1:44 UTC (permalink / raw)
To: openembedded-core
Use the variable PYTHON_COMMAND to let know EDK2 base tools that python3
in the host shall be used.
In order build successfully, the host must have installed the
python3-distutils package or equivalent.
Based on an original patch by Ross Burton.
Cc: Ross Burton <ross.burton@intel.com>
Cc: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
---
meta/recipes-core/ovmf/ovmf_git.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index c66b751a94..834ee32466 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -46,6 +46,8 @@ COMPATIBLE_HOST='(i.86|x86_64).*'
OVMF_SECURE_BOOT_EXTRA_FLAGS ??= ""
OVMF_SECURE_BOOT_FLAGS = "-DSECURE_BOOT_ENABLE=TRUE ${OVMF_SECURE_BOOT_EXTRA_FLAGS}"
+export PYTHON_COMMAND = "${HOSTTOOLS_DIR}/python3"
+
do_patch[postfuncs] += "fix_basetools_location"
fix_basetools_location () {
}
--
2.20.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 4/5] ovmf: Generate test Platform key and first Key Exchange Key
2019-08-07 1:44 [PATCH 0/5] ovmf: Bump to edk2-stable201905 and add improvements Ricardo Neri
` (2 preceding siblings ...)
2019-08-07 1:44 ` [PATCH 3/5] ovmf: use HOSTTOOLS' python3 Ricardo Neri
@ 2019-08-07 1:44 ` Ricardo Neri
2019-08-07 1:44 ` [PATCH 5/5] runqemu: Add support to handle EnrollDefaultKeys PK/KEK1 certificate Ricardo Neri
` (2 subsequent siblings)
6 siblings, 0 replies; 10+ messages in thread
From: Ricardo Neri @ 2019-08-07 1:44 UTC (permalink / raw)
To: openembedded-core
Commit from EDK2 be9470b3c91f ("OvmfPkg/EnrollDefaultKeys: enroll
PK/KEK1 from the Type 11 SMBIOS table") mandates that a Platform Key
and first Key Exchange Key certificate is provided to the
EnrollDefaultKeys application.
Previously, the application was using a hard-coded certificate
from Red Hat embedded in the application.
Create a certificate that QEMU can subsequently pass to
EnrollDefaultKeys when running qemu-shell-image.
Cc: Ross Burton <ross.burton@intel.com>
Cc: Patrick Ohly <patrick.ohly@intel.com>
Cc: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
---
meta/recipes-core/ovmf/ovmf_git.bb | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 834ee32466..7944ee97d4 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -217,6 +217,7 @@ FILES_ovmf-shell-efi = " \
DEPLOYDEP = ""
DEPLOYDEP_class-target = "qemu-system-native:do_populate_sysroot"
+DEPLOYDEP_class-target += " ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'openssl-native:do_populate_sysroot', '', d)}"
do_deploy[depends] += "${DEPLOYDEP}"
do_deploy() {
@@ -232,6 +233,13 @@ do_deploy_class-target() {
; do
qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/$i.fd ${DEPLOYDIR}/$i.qcow2
done
+
+ if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
+ # Create a test Platform Key and first Key Exchange Key to use with EnrollDefaultKeys
+ openssl req -new -x509 -newkey rsa:2048 -keyout ${DEPLOYDIR}/OvmfPkKek1.key \
+ -out ${DEPLOYDIR}/OvmfPkKek1.crt -nodes -days 20 -subj "/CN=OVMFSecBootTest"
+ openssl x509 -in ${DEPLOYDIR}/OvmfPkKek1.crt -out ${DEPLOYDIR}/OvmfPkKek1.pem -outform PEM
+ fi
}
addtask do_deploy after do_compile before do_build
--
2.20.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 5/5] runqemu: Add support to handle EnrollDefaultKeys PK/KEK1 certificate
2019-08-07 1:44 [PATCH 0/5] ovmf: Bump to edk2-stable201905 and add improvements Ricardo Neri
` (3 preceding siblings ...)
2019-08-07 1:44 ` [PATCH 4/5] ovmf: Generate test Platform key and first Key Exchange Key Ricardo Neri
@ 2019-08-07 1:44 ` Ricardo Neri
2019-08-07 2:02 ` ✗ patchtest: failure for ovmf: Bump to edk2-stable201905 and add improvements Patchwork
2019-08-07 18:36 ` [PATCH 0/5] " Richard Purdie
6 siblings, 0 replies; 10+ messages in thread
From: Ricardo Neri @ 2019-08-07 1:44 UTC (permalink / raw)
To: openembedded-core
The EnrollDefaultKeys.efi application (distributed in ovmf-shell-image)
expects the hypervisor to provide a Platform Key and first Key Exchange
Key certificate.
For QEMU, this is done by adding an OEM string in the Type 11 SMBIOS
table. The string contains the EnrollDefaultKeys application GUID followed
by the certificate string. For now, the string is passed in the command
line until QEMU understands OEM strings from regular files (please see
https://bugs.launchpad.net/qemu/+bug/1826200).
If runqemu detects it is given an OVMF binary with support for Secure Boot
(i.e., ovmf.secboot* binaries), extract the certificate string from the
OvmfPkKek1.pem certificate and modify the command-line parameters to
provide the key. Such certificate is created when building OVMF with
support for Secure Boot.
Cc: Ross Burton <ross.burton@intel.com>
Cc: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
---
scripts/runqemu | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/scripts/runqemu b/scripts/runqemu
index 9d6a2e86d4..df3c8aad08 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -148,6 +148,10 @@ class BaseConfig(object):
# Setting one also adds "-vga std" because that is all that
# OVMF supports.
self.ovmf_bios = []
+ # When enrolling default Secure Boot keys, the hypervisor
+ # must provide the Platform Key and the first Key Exchange Key
+ # certificate in the Type 11 SMBIOS table.
+ self.ovmf_secboot_pkkek1 = ''
self.qemuboot = ''
self.qbconfload = False
self.kernel = ''
@@ -638,6 +642,23 @@ class BaseConfig(object):
if not os.path.exists(self.rootfs):
raise RunQemuError("Can't find rootfs: %s" % self.rootfs)
+ def setup_pkkek1(self):
+ """
+ Extract from PEM certificate the Platform Key and first Key
+ Exchange Key certificate string. The hypervisor needs to provide
+ it in the Type 11 SMBIOS table
+ """
+ pemcert = '%s/%s' % (self.get('DEPLOY_DIR_IMAGE'), 'OvmfPkKek1.pem')
+ try:
+ with open(pemcert, 'r') as pemfile:
+ key = pemfile.read().replace('\n', ''). \
+ replace('-----BEGIN CERTIFICATE-----', ''). \
+ replace('-----END CERTIFICATE-----', '')
+ self.ovmf_secboot_pkkek1 = key
+
+ except FileNotFoundError:
+ raise RunQemuError("Can't open PEM certificate %s " % pemcert)
+
def check_ovmf(self):
"""Check and set full path for OVMF firmware and variable file(s)."""
@@ -648,6 +669,8 @@ class BaseConfig(object):
path = '%s/%s.%s' % (self.get('DEPLOY_DIR_IMAGE'), ovmf, suffix)
if os.path.exists(path):
self.ovmf_bios[index] = path
+ if ovmf.endswith('secboot'):
+ self.setup_pkkek1()
break
else:
raise RunQemuError("Can't find OVMF firmware: %s" % ovmf)
@@ -914,6 +937,8 @@ class BaseConfig(object):
print('ROOTFS: [%s]' % self.rootfs)
if self.ovmf_bios:
print('OVMF: %s' % self.ovmf_bios)
+ if (self.ovmf_secboot_pkkek1):
+ print('SECBOOT PKKEK1: [%s...]' % self.ovmf_secboot_pkkek1[0:100])
print('CONFFILE: [%s]' % self.qemuboot)
print('')
@@ -1262,6 +1287,13 @@ class BaseConfig(object):
self.qemu_opt += ' ' + self.qemu_opt_script
+ if self.ovmf_secboot_pkkek1:
+ # Provide the Platform Key and first Key Exchange Key certificate as an
+ # OEM string in the SMBIOS Type 11 table. Prepend the certificate string
+ # with "application prefix" of the EnrollDefaultKeys.efi application
+ self.qemu_opt += ' -smbios type=11,value=4e32566d-8e9e-4f52-81d3-5bb9715f9727:' \
+ + self.ovmf_secboot_pkkek1
+
# Append qemuparams to override previous settings
if self.qemuparams:
self.qemu_opt += ' ' + self.qemuparams
--
2.20.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* ✗ patchtest: failure for ovmf: Bump to edk2-stable201905 and add improvements
2019-08-07 1:44 [PATCH 0/5] ovmf: Bump to edk2-stable201905 and add improvements Ricardo Neri
` (4 preceding siblings ...)
2019-08-07 1:44 ` [PATCH 5/5] runqemu: Add support to handle EnrollDefaultKeys PK/KEK1 certificate Ricardo Neri
@ 2019-08-07 2:02 ` Patchwork
2019-08-07 19:45 ` Ricardo Neri
2019-08-07 18:36 ` [PATCH 0/5] " Richard Purdie
6 siblings, 1 reply; 10+ messages in thread
From: Patchwork @ 2019-08-07 2:02 UTC (permalink / raw)
To: Ricardo Neri; +Cc: openembedded-core
== Series Details ==
Series: ovmf: Bump to edk2-stable201905 and add improvements
Revision: 1
URL : https://patchwork.openembedded.org/series/19138/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Issue Series does not apply on top of target branch [test_series_merge_on_head]
Suggested fix Rebase your series on top of targeted branch
Targeted branch master (currently at f03ab9b21c)
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 0/5] ovmf: Bump to edk2-stable201905 and add improvements
2019-08-07 1:44 [PATCH 0/5] ovmf: Bump to edk2-stable201905 and add improvements Ricardo Neri
` (5 preceding siblings ...)
2019-08-07 2:02 ` ✗ patchtest: failure for ovmf: Bump to edk2-stable201905 and add improvements Patchwork
@ 2019-08-07 18:36 ` Richard Purdie
2019-08-07 20:18 ` Ricardo Neri
6 siblings, 1 reply; 10+ messages in thread
From: Richard Purdie @ 2019-08-07 18:36 UTC (permalink / raw)
To: Ricardo Neri, openembedded-core
On Tue, 2019-08-06 at 18:44 -0700, Ricardo Neri wrote:
> Hi,
>
> Fixes [YOCTO #13438]
>
> I have implemented this patchset to bump the OVMF recipe to the
> latest
> stable release of OVMF: edk2-stable201905. I continued Ross Burton's
> initial work to update the recipe [1].
>
> The majority of the patches we were carrying with the recipe have
> been
> taken upstream in EDK2 and I have removed them. Plus, EDK2 now adds
> openssl as a git submodule and not a patching script. Thus, I removed
> support for this script and switched to the gitsm bitbake fetcher.
>
> Also, now the EnrollDefaultKeys EFI application requires a separate
> Platform Key and first Key Exchange Key certificate instead of an
> hard-coded certificate embedded in the application. The hypervisor
> shall
> pass this certificated to EnrollDefaultKeys via the Type 11 SMBus
> table.
> I have updated the ovmf recipe to create the needed certificate and
> also updated runqemu to provide such certificate when using an OVMF
> binary with support for Secure Boot.
>
> Lastly, I defined the recipe's PV and took Ross' change to use
> python3
> from HOSTTOOLS.
Thanks for the patches. I can't get the to apply at all. I know we have
problems due to the line endings in ovmf and the mailing list is
probably messing them up. Could you share a git tree with the patches
in somewhere please?
Cheers,
Richard
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: ✗ patchtest: failure for ovmf: Bump to edk2-stable201905 and add improvements
2019-08-07 2:02 ` ✗ patchtest: failure for ovmf: Bump to edk2-stable201905 and add improvements Patchwork
@ 2019-08-07 19:45 ` Ricardo Neri
0 siblings, 0 replies; 10+ messages in thread
From: Ricardo Neri @ 2019-08-07 19:45 UTC (permalink / raw)
To: openembedded-core; +Cc: Paul bluelightning Eggleton
On Wed, Aug 07, 2019 at 02:02:07AM -0000, Patchwork wrote:
> == Series Details ==
>
> Series: ovmf: Bump to edk2-stable201905 and add improvements
> Revision: 1
> URL : https://patchwork.openembedded.org/series/19138/
> State : failure
>
> == Summary ==
>
>
> Thank you for submitting this patch series to OpenEmbedded Core. This is
> an automated response. Several tests have been executed on the proposed
> series by patchtest resulting in the following failures:
>
>
>
> * Issue Series does not apply on top of target branch [test_series_merge_on_head]
> Suggested fix Rebase your series on top of targeted branch
> Targeted branch master (currently at f03ab9b21c)
It looks like patchtest thinks the patchset does not apply because of
the line endings EDK2 uses. If patchest used git am --keep-cr the
patches would apply cleanly.
Also the Patch class in lib/patchestpatch.py in the patch test repo
reads the patch using f.read() with the newline parameter implicitly set
to None and this causes newlines to be translated from \r\n into \n.
Hence, when applying the patch with git am it fails; even when using
--keep-cr.
I was able to pass the patchtest tests with this change:
diff --git a/lib/patchtestpatch.py b/lib/patchtestpatch.py
index e05d22f..4583b5c 100644
--- a/lib/patchtestpatch.py
+++ b/lib/patchtestpatch.py
@@ -47,7 +47,7 @@ class Patch(object):
if self._forcereload or (not self._contents):
logger.debug('Reading %s contents' % self._path)
try:
- with open(self._path) as _f:
+ with open(self._path, newline='') as _f:
self._contents = _f.read()
except IOError:
logger.warn("Reading the mbox %s failed" % self.resource)
diff --git a/lib/patchtestrepo.py b/lib/patchtestrepo.py
index edc17d4..3c38b9c 100644
--- a/lib/patchtestrepo.py
+++ b/lib/patchtestrepo.py
@@ -71,7 +71,7 @@ class Repo(object):
# Check if patch can be merged using git-am
self._patchcanbemerged = True
try:
- self._exec({'cmd': ['git', 'am'], 'input': self._patch.contents})
+ self._exec({'cmd': ['git', 'am', '--keep-cr'], 'input': self._patch.contents})
except utils.CmdException as ce:
self._exec({'cmd': ['git', 'am', '--abort']})
self._patchcanbemerged = False
@@ -174,7 +174,7 @@ class Repo(object):
def merge(self):
if self._patchcanbemerged:
- self._exec({'cmd': ['git', 'am'],
+ self._exec({'cmd': ['git', 'am', '--keep-cr'],
'input': self._patch.contents,
'updateenv': {'PTRESOURCE':self._patch.path}})
self._patchmerged = True
diff --git a/scripts/test-mboxes b/scripts/test-mboxes
index 9137ba4..1d0c6f7 100755
--- a/scripts/test-mboxes
+++ b/scripts/test-mboxes
@@ -116,13 +116,13 @@ function testpatch() {
# try patch merge
if git apply --check $patch 2> /dev/null; then
if [ -n "$mergeall" ]; then
- git am --quiet $patch 2>/dev/null && gitnotes
+ git am --quiet --keep-cr $patch 2>/dev/null && gitnotes
echo -e "\tPatch merged into '${assemblebranch}' including all test results"
else
- if [ "$(echo "$PTRESULTS" | any-fail)" == "yes"]; then
+ if [ "$(echo "$PTRESULTS" | any-fail)" == "yes" ]; then
echo -e "\tPatch has test failures, skipping"
else
- git am --quiet $patch 2>/dev/null && gitnotes
+ git am --quiet --keep-cr $patch 2>/dev/null && gitnotes
echo -e "\tPatch merged into '${assemblebranch}' with no test failures"
fi
fi
Thanks and BR,
Ricardo
>
>
>
> If you believe any of these test results are incorrect, please reply to the
> mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
> Otherwise we would appreciate you correcting the issues and submitting a new
> version of the patchset if applicable. Please ensure you add/increment the
> version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
> [PATCH v3] -> ...).
>
> ---
> Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
> Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
> Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
>
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 0/5] ovmf: Bump to edk2-stable201905 and add improvements
2019-08-07 18:36 ` [PATCH 0/5] " Richard Purdie
@ 2019-08-07 20:18 ` Ricardo Neri
0 siblings, 0 replies; 10+ messages in thread
From: Ricardo Neri @ 2019-08-07 20:18 UTC (permalink / raw)
To: Richard Purdie; +Cc: openembedded-core
On Wed, Aug 07, 2019 at 07:36:26PM +0100, Richard Purdie wrote:
> On Tue, 2019-08-06 at 18:44 -0700, Ricardo Neri wrote:
> > Hi,
> >
> > Fixes [YOCTO #13438]
> >
> > I have implemented this patchset to bump the OVMF recipe to the
> > latest
> > stable release of OVMF: edk2-stable201905. I continued Ross Burton's
> > initial work to update the recipe [1].
> >
> > The majority of the patches we were carrying with the recipe have
> > been
> > taken upstream in EDK2 and I have removed them. Plus, EDK2 now adds
> > openssl as a git submodule and not a patching script. Thus, I removed
> > support for this script and switched to the gitsm bitbake fetcher.
> >
> > Also, now the EnrollDefaultKeys EFI application requires a separate
> > Platform Key and first Key Exchange Key certificate instead of an
> > hard-coded certificate embedded in the application. The hypervisor
> > shall
> > pass this certificated to EnrollDefaultKeys via the Type 11 SMBus
> > table.
> > I have updated the ovmf recipe to create the needed certificate and
> > also updated runqemu to provide such certificate when using an OVMF
> > binary with support for Secure Boot.
> >
> > Lastly, I defined the recipe's PV and took Ross' change to use
> > python3
> > from HOSTTOOLS.
>
> Thanks for the patches. I can't get the to apply at all. I know we have
> problems due to the line endings in ovmf and the mailing list is
> probably messing them up. Could you share a git tree with the patches
> in somewhere please?
Thanks for considering the patches, Richard! You can pull the patches
from here:
The following changes since commit 96decf673992b1cd1eebac45a5cd534eef27ebd7:
waffle: upgrade 1.5.2 -> 1.6.0 (2019-08-07 16:08:08 +0100)
are available in the Git repository at:
https://github.com/ricardon/openembedded-core.git rneri/ovmf_updates
for you to fetch changes up to e81cf432b29056dda5496a5454fdfb9cc15dc2fa:
runqemu: Add support to handle EnrollDefaultKeys PK/KEK1 certificate (2019-08-07 13:09:32 -0700)
----------------------------------------------------------------
Ricardo Neri (5):
ovmf: Update to version edk2-stable201905
ovmf: Set PV
ovmf: Use HOSTTOOLS' python3
ovmf: Generate test Platform key and first Key Exchange Key
runqemu: Add support to handle EnrollDefaultKeys PK/KEK1 certificate
.../ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch | 71 ---
meta/recipes-core/ovmf/ovmf/0001-ia32-Dont-use-pie.patch | 46 --
.../ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch | 102 ---
.../ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch | 53 --
.../ovmf/0003-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch | 33 +-
.../ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch | 66 --
.../ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch | 1124 ---------------------------------
meta/recipes-core/ovmf/ovmf/no-stack-protector-all-archs.patch | 26 +-
meta/recipes-core/ovmf/ovmf_git.bb | 40 +-
scripts/runqemu | 32 +
10 files changed, 90 insertions(+), 1503 deletions(-)
delete mode 100644 meta/recipes-core/ovmf/ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0001-ia32-Dont-use-pie.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch
delete mode 100644 meta/recipes-core/ovmf/ovmf/0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
Thanks and BR,
Ricardo
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2019-08-07 22:02 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-08-07 1:44 [PATCH 0/5] ovmf: Bump to edk2-stable201905 and add improvements Ricardo Neri
2019-08-07 1:44 ` [PATCH 1/5] ovmf: Update to version edk2-stable201905 Ricardo Neri
2019-08-07 1:44 ` [PATCH 2/5] ovmf: Set PV Ricardo Neri
2019-08-07 1:44 ` [PATCH 3/5] ovmf: use HOSTTOOLS' python3 Ricardo Neri
2019-08-07 1:44 ` [PATCH 4/5] ovmf: Generate test Platform key and first Key Exchange Key Ricardo Neri
2019-08-07 1:44 ` [PATCH 5/5] runqemu: Add support to handle EnrollDefaultKeys PK/KEK1 certificate Ricardo Neri
2019-08-07 2:02 ` ✗ patchtest: failure for ovmf: Bump to edk2-stable201905 and add improvements Patchwork
2019-08-07 19:45 ` Ricardo Neri
2019-08-07 18:36 ` [PATCH 0/5] " Richard Purdie
2019-08-07 20:18 ` Ricardo Neri
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox