SecurityPkg: Create library for enrolling Secure Boot variables.

This commits add library, which consist functions to
enrolll Secure Boot keys and initialize Secure Boot
default variables. Some of the functions was moved
 from SecureBootConfigImpl.c file.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h

@@ -0,0 +1,134 @@
+/** @file
+  Provides a functions to enroll keys based on default values.
+
+Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef SECURE_BOOT_VARIABLE_PROVISION_LIB_H_
+#define SECURE_BOOT_VARIABLE_PROVISION_LIB_H_
+
+/**
+  Sets the content of the 'db' variable based on 'dbDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbFromDefault (
+  VOID
+);
+
+/**
+  Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbxFromDefault (
+  VOID
+);
+
+/**
+  Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbtFromDefault (
+  VOID
+);
+
+/**
+  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollKEKFromDefault (
+  VOID
+);
+
+/**
+  Sets the content of the 'PK' variable based on 'PKDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollPKFromDefault (
+  VOID
+);
+
+/**
+  Initializes PKDefault variable with data from FFS section.
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitPKDefault (
+  IN VOID
+  );
+
+/**
+  Initializes KEKDefault variable with data from FFS section.
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitKEKDefault (
+  IN VOID
+  );
+
+/**
+  Initializes dbDefault variable with data from FFS section.
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitDbDefault (
+  IN VOID
+  );
+
+/**
+  Initializes dbtDefault variable with data from FFS section.
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitDbtDefault (
+  IN VOID
+  );
+
+/**
+  Initializes dbxDefault variable with data from FFS section.
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitDbxDefault (
+  IN VOID
+  );
+#endif

SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c

@@ -0,0 +1,482 @@
+/** @file
+  This library provides functions to set/clear Secure Boot
+  keys and databases.
+
+  Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
+  (C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
+  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+  Copyright (c) 2021, Semihalf All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <Guid/GlobalVariable.h>
+#include <Guid/AuthenticatedVariableFormat.h>
+#include <Guid/ImageAuthentication.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/UefiLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/SecureBootVariableLib.h>
+#include <Library/SecureBootVariableProvisionLib.h>
+
+/**
+  Enroll a key/certificate based on a default variable.
+
+  @param[in] VariableName        The name of the key/database.
+  @param[in] DefaultName         The name of the default variable.
+  @param[in] VendorGuid          The namespace (ie. vendor GUID) of the variable
+
+  @retval EFI_OUT_OF_RESOURCES   Out of memory while allocating AuthHeader.
+  @retval EFI_SUCCESS            Successful enrollment.
+  @return                        Error codes from GetTime () and SetVariable ().
+**/
+STATIC
+EFI_STATUS
+EnrollFromDefault (
+  IN CHAR16   *VariableName,
+  IN CHAR16   *DefaultName,
+  IN EFI_GUID *VendorGuid
+  )
+{
+  VOID       *Data;
+  UINTN       DataSize;
+  EFI_STATUS  Status;
+
+  Status = EFI_SUCCESS;
+
+  DataSize = 0;
+  Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &DataSize);
+  if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName, Status));
+      return Status;
+  }
+
+  CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
+    return Status;
+  }
+
+  //
+  // Allocate memory for auth variable
+  //
+  Status = gRT->SetVariable (
+                  VariableName,
+                  VendorGuid,
+                  (EFI_VARIABLE_NON_VOLATILE |
+                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
+                   EFI_VARIABLE_RUNTIME_ACCESS |
+                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
+                  DataSize,
+                  Data
+                  );
+
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, VariableName,
+      VendorGuid, Status));
+  }
+
+  if (Data != NULL) {
+    FreePool (Data);
+  }
+
+  return Status;
+}
+
+/** Initializes PKDefault variable with data from FFS section.
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+**/
+EFI_STATUS
+SecureBootInitPKDefault (
+  IN VOID
+  )
+{
+  EFI_SIGNATURE_LIST *EfiSig;
+  UINTN               SigListsSize;
+  EFI_STATUS          Status;
+  UINT8               *Data;
+  UINTN               DataSize;
+
+  //
+  // Check if variable exists, if so do not change it
+  //
+  Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+  if (Status == EFI_SUCCESS) {
+    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+    FreePool (Data);
+    return EFI_UNSUPPORTED;
+  }
+
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    return Status;
+  }
+
+  //
+  // Variable does not exist, can be initialized
+  //
+  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+
+  Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiSig);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+    return Status;
+  }
+
+  Status = gRT->SetVariable (
+                  EFI_PK_DEFAULT_VARIABLE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  SigListsSize,
+                  (VOID *)EfiSig
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+  }
+
+  FreePool (EfiSig);
+
+  return Status;
+}
+
+/** Initializes KEKDefault variable with data from FFS section.
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+**/
+EFI_STATUS
+SecureBootInitKEKDefault (
+  IN VOID
+  )
+{
+  EFI_SIGNATURE_LIST *EfiSig;
+  UINTN               SigListsSize;
+  EFI_STATUS          Status;
+  UINT8              *Data;
+  UINTN               DataSize;
+
+  //
+  // Check if variable exists, if so do not change it
+  //
+  Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+  if (Status == EFI_SUCCESS) {
+    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+    FreePool (Data);
+    return EFI_UNSUPPORTED;
+  }
+
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    return Status;
+  }
+
+  //
+  // Variable does not exist, can be initialized
+  //
+  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+
+  Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &EfiSig);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+    return Status;
+  }
+
+
+  Status = gRT->SetVariable (
+                  EFI_KEK_DEFAULT_VARIABLE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  SigListsSize,
+                  (VOID *)EfiSig
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+  }
+
+  FreePool (EfiSig);
+
+  return Status;
+}
+
+/** Initializes dbDefault variable with data from FFS section.
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+**/
+EFI_STATUS
+SecureBootInitDbDefault (
+  IN VOID
+  )
+{
+  EFI_SIGNATURE_LIST *EfiSig;
+  UINTN               SigListsSize;
+  EFI_STATUS          Status;
+  UINT8              *Data;
+  UINTN               DataSize;
+
+  Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+  if (Status == EFI_SUCCESS) {
+    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));
+    FreePool (Data);
+    return EFI_UNSUPPORTED;
+  }
+
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    return Status;
+  }
+
+  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));
+
+  Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiSig);
+  if (EFI_ERROR (Status)) {
+      return Status;
+  }
+
+  Status = gRT->SetVariable (
+                  EFI_DB_DEFAULT_VARIABLE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  SigListsSize,
+                  (VOID *)EfiSig
+                  );
+  if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NAME));
+  }
+
+  FreePool (EfiSig);
+
+  return Status;
+}
+
+/** Initializes dbxDefault variable with data from FFS section.
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+**/
+EFI_STATUS
+SecureBootInitDbxDefault (
+  IN VOID
+  )
+{
+  EFI_SIGNATURE_LIST *EfiSig;
+  UINTN               SigListsSize;
+  EFI_STATUS          Status;
+  UINT8              *Data;
+  UINTN               DataSize;
+
+  //
+  // Check if variable exists, if so do not change it
+  //
+  Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+  if (Status == EFI_SUCCESS) {
+    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+    FreePool (Data);
+    return EFI_UNSUPPORTED;
+  }
+
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    return Status;
+  }
+
+  //
+  // Variable does not exist, can be initialized
+  //
+  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+
+  Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+    return Status;
+  }
+
+  Status = gRT->SetVariable (
+                  EFI_DBX_DEFAULT_VARIABLE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  SigListsSize,
+                  (VOID *)EfiSig
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+  }
+
+  FreePool (EfiSig);
+
+  return Status;
+}
+
+/** Initializes dbtDefault variable with data from FFS section.
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+**/
+EFI_STATUS
+SecureBootInitDbtDefault (
+  IN VOID
+  )
+{
+  EFI_SIGNATURE_LIST *EfiSig;
+  UINTN               SigListsSize;
+  EFI_STATUS          Status;
+  UINT8              *Data;
+  UINTN               DataSize;
+
+  //
+  // Check if variable exists, if so do not change it
+  //
+  Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+  if (Status == EFI_SUCCESS) {
+    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
+    FreePool (Data);
+    return EFI_UNSUPPORTED;
+  }
+
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    return Status;
+  }
+
+  //
+  // Variable does not exist, can be initialized
+  //
+  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
+
+  Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiSig);
+  if (EFI_ERROR (Status)) {
+      return Status;
+  }
+
+  Status = gRT->SetVariable (
+                  EFI_DBT_DEFAULT_VARIABLE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  SigListsSize,
+                  (VOID *)EfiSig
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
+  }
+
+  FreePool (EfiSig);
+
+  return EFI_SUCCESS;
+}
+
+/**
+  Sets the content of the 'db' variable based on 'dbDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+**/
+EFI_STATUS
+EFIAPI
+EnrollDbFromDefault (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = EnrollFromDefault (
+             EFI_IMAGE_SECURITY_DATABASE,
+             EFI_DB_DEFAULT_VARIABLE_NAME,
+             &gEfiImageSecurityDatabaseGuid
+             );
+
+  return Status;
+}
+
+/**
+  Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+**/
+EFI_STATUS
+EFIAPI
+EnrollDbxFromDefault (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = EnrollFromDefault (
+             EFI_IMAGE_SECURITY_DATABASE1,
+             EFI_DBX_DEFAULT_VARIABLE_NAME,
+             &gEfiImageSecurityDatabaseGuid
+             );
+
+  return Status;
+}
+
+/**
+  Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+**/
+EFI_STATUS
+EFIAPI
+EnrollDbtFromDefault (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = EnrollFromDefault (
+             EFI_IMAGE_SECURITY_DATABASE2,
+             EFI_DBT_DEFAULT_VARIABLE_NAME,
+             &gEfiImageSecurityDatabaseGuid);
+
+  return Status;
+}
+
+/**
+  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+**/
+EFI_STATUS
+EFIAPI
+EnrollKEKFromDefault (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = EnrollFromDefault (
+             EFI_KEY_EXCHANGE_KEY_NAME,
+             EFI_KEK_DEFAULT_VARIABLE_NAME,
+             &gEfiGlobalVariableGuid
+             );
+
+  return Status;
+}
+
+/**
+  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+**/
+EFI_STATUS
+EFIAPI
+EnrollPKFromDefault (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = EnrollFromDefault (
+             EFI_PLATFORM_KEY_NAME,
+             EFI_PK_DEFAULT_VARIABLE_NAME,
+             &gEfiGlobalVariableGuid
+             );
+
+  return Status;
+}

SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf

@@ -0,0 +1,79 @@
+## @file
+#  Provides initialization of Secure Boot keys and databases.
+#
+#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+#  Copyright (c) 2021, Semihalf All rights reserved.<BR>
+#
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = SecureBootVariableLib
+  MODULE_UNI_FILE                = SecureBootVariableLib.uni
+  FILE_GUID                      = 18192DD0-9430-45F1-80C7-5C52061CD183
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = SecureBootVariableProvisionLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
+#
+
+[Sources]
+  SecureBootVariableProvisionLib.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  SecurityPkg/SecurityPkg.dec
+  CryptoPkg/CryptoPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  BaseCryptLib
+  DxeServicesLib
+  SecureBootVariableLib
+
+[Guids]
+  ## CONSUMES            ## Variable:L"SetupMode"
+  ## PRODUCES            ## Variable:L"SetupMode"
+  ## CONSUMES            ## Variable:L"SecureBoot"
+  ## PRODUCES            ## Variable:L"SecureBoot"
+  ## PRODUCES            ## Variable:L"PK"
+  ## PRODUCES            ## Variable:L"KEK"
+  ## CONSUMES            ## Variable:L"PKDefault"
+  ## CONSUMES            ## Variable:L"KEKDefault"
+  ## CONSUMES            ## Variable:L"dbDefault"
+  ## CONSUMES            ## Variable:L"dbxDefault"
+  ## CONSUMES            ## Variable:L"dbtDefault"
+  gEfiGlobalVariableGuid
+
+  ## SOMETIMES_CONSUMES  ## Variable:L"DB"
+  ## SOMETIMES_CONSUMES  ## Variable:L"DBX"
+  ## SOMETIMES_CONSUMES  ## Variable:L"DBT"
+  gEfiImageSecurityDatabaseGuid
+
+  ## CONSUMES            ## Variable:L"SecureBootEnable"
+  ## PRODUCES            ## Variable:L"SecureBootEnable"
+  gEfiSecureBootEnableDisableGuid
+
+  ## CONSUMES            ## Variable:L"CustomMode"
+  ## PRODUCES            ## Variable:L"CustomMode"
+  gEfiCustomModeEnableGuid
+
+  gEfiCertTypeRsa2048Sha256Guid  ## CONSUMES
+  gEfiCertX509Guid               ## CONSUMES
+  gEfiCertPkcs7Guid              ## CONSUMES
+
+  gDefaultPKFileGuid
+  gDefaultKEKFileGuid
+  gDefaultdbFileGuid
+  gDefaultdbxFileGuid
+  gDefaultdbtFileGuid

SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni

@@ -0,0 +1,15 @@
+// /** @file
+//
+// Provides initialization of Secure Boot keys and databases.
+//
+// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+// Copyright (c) 2021, Semihalf All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "Provides functions to initialize PK, KEK and databases based on default variables."
+
+#string STR_MODULE_DESCRIPTION          #language en-US "Provides functions to initialize PK, KEK and databases based on default variables."

SecurityPkg/SecurityPkg.dec

@@ -91,6 +91,10 @@
   ## @libraryclass  Provides helper functions related to creation/removal Secure Boot variables.
   #
   SecureBootVariableLib|Include/Library/SecureBootVariableLib.h
+
+  ## @libraryclass  Provides support to enroll Secure Boot keys.
+  #
+  SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProvisionLib.h
 [Guids]
   ## Security package token space guid.
   # Include/Guid/SecurityPkgTokenSpace.h

SecurityPkg/SecurityPkg.dsc

@@ -71,6 +71,7 @@
   TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf
   MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
   SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+  SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
 
 [LibraryClasses.ARM]
   #