* [pve-devel] [PATCH-SERIES edk2-firmware 0/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys
@ 2025-11-06 15:42 Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 1/6] update edk2 to edk2-stable202505 tag and refresh patches Fiona Ebner
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: Fiona Ebner @ 2025-11-06 15:42 UTC (permalink / raw)
To: pve-devel
This fixes the issue with the Microsoft UEFI CA 2011 expiring in June
2026 for new EFI disks. What still needs to be done is giving users a
way for (or automatically) enrolling the new keys to existing EFI
disks. I will look at that part of the issue in the coming days.
To update an existing EFI disk, it should be enough to do something
like:
virt-fw-vars --inplace vm-103-disk-0.raw --distro-keys ms-uefi
AFAICS, virt-fw-vars can only deal with raw images, so we can use FUSE
exports of differently formatted EFI disks which requires [0].
[0]: https://lore.proxmox.com/pve-devel/20251020141335.124077-1-f.ebner@proxmox.com/
pve-edk2-firmware:
Fiona Ebner (6):
update edk2 to edk2-stable202505 tag and refresh patches
d/patches: pick up CVE fix from Debian tag debian/2025.05-1
d/rules: pick up some improvements from Debian
Use virt-firmware to enroll default keys.
Initialize the Secure Boot dbx in *.ms.fd with the latest revocations
partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys
debian/DBXUpdate-2025-02-24.arm64.bin | Bin 0 -> 4613 bytes
debian/DBXUpdate-2025-10-16.amd64.bin | Bin 0 -> 24053 bytes
debian/control | 1 +
debian/edk2-vars-generator.py | 140 ----
...nrollDefaultKeys-with-Microsoft-2023.patch | 613 ++++++++++++++++++
...tLib-Fix-split-lock-violation-from-M.patch | 10 +-
...CpuDxeSmm-Safe-handling-of-IDT-regis.patch | 45 ++
debian/patches/series | 2 +
debian/rules | 99 +--
debian/source/include-binaries | 2 +
edk2 | 2 +-
11 files changed, 721 insertions(+), 193 deletions(-)
create mode 100644 debian/DBXUpdate-2025-02-24.arm64.bin
create mode 100644 debian/DBXUpdate-2025-10-16.amd64.bin
delete mode 100755 debian/edk2-vars-generator.py
create mode 100644 debian/patches/OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch
create mode 100644 debian/patches/UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
Summary over all repositories:
11 files changed, 721 insertions(+), 193 deletions(-)
--
Generated by git-murpp 0.5.0
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* [pve-devel] [PATCH edk2-firmware 1/6] update edk2 to edk2-stable202505 tag and refresh patches
2025-11-06 15:42 [pve-devel] [PATCH-SERIES edk2-firmware 0/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys Fiona Ebner
@ 2025-11-06 15:42 ` Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 2/6] d/patches: pick up CVE fix from Debian tag debian/2025.05-1 Fiona Ebner
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Fiona Ebner @ 2025-11-06 15:42 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
...Pkg-MpInitLib-Fix-split-lock-violation-from-M.patch | 10 ++++++----
edk2 | 2 +-
2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/debian/patches/UefiCpuPkg-MpInitLib-Fix-split-lock-violation-from-M.patch b/debian/patches/UefiCpuPkg-MpInitLib-Fix-split-lock-violation-from-M.patch
index e68278add2..dc086324b4 100644
--- a/debian/patches/UefiCpuPkg-MpInitLib-Fix-split-lock-violation-from-M.patch
+++ b/debian/patches/UefiCpuPkg-MpInitLib-Fix-split-lock-violation-from-M.patch
@@ -34,6 +34,8 @@ Signed-off-by: Aaron Young <aaron.young@oracle.com>
(cherry picked from commit b0bc23d1f246dac977b639470a51bcef1bcd6e1d)
Signed-off-by: Friedrich Weber <f.weber@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+[FE: rebase for edk2-stable202505]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
UefiCpuPkg/Library/MpInitLib/MpEqu.inc | 15 ++++++++++++---
UefiCpuPkg/Library/MpInitLib/MpLib.c | 15 ++++++++++-----
@@ -41,7 +43,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
-index 317e627b58..ded603f8f8 100644
+index d8ba9ea124..7e4afbcaa5 100644
--- a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
+++ b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
@@ -74,18 +74,18 @@ struc MP_CPU_EXCHANGE_INFO
@@ -65,8 +67,8 @@ index 317e627b58..ded603f8f8 100644
.CpuMpData: CTYPE_UINTN 1
.InitializeFloatingPointUnits: CTYPE_UINTN 1
.ModeTransitionMemory: CTYPE_UINT32 1
-@@ -99,5 +99,14 @@ struc MP_CPU_EXCHANGE_INFO
- .ExtTopoAvail: CTYPE_BOOLEAN 1
+@@ -100,5 +100,14 @@ struc MP_CPU_EXCHANGE_INFO
+ .SevSnpKnownInitApicId: CTYPE_BOOLEAN 1
endstruc
-MP_CPU_EXCHANGE_INFO_OFFSET equ (Flat32Start - RendezvousFunnelProcStart)
@@ -130,7 +132,7 @@ index fdcc21d794..ffaff1855f 100644
// The AP reset stack is only used by SEV-ES guests. Do not allocate it
// if SEV-ES is not enabled. An SEV-SNP guest is also considered
diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpInitLib/MpLib.h
-index 145538b6ee..fc08ae2ce6 100644
+index a63bb81bef..b30dcb3828 100644
--- a/UefiCpuPkg/Library/MpInitLib/MpLib.h
+++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h
@@ -213,18 +213,23 @@ typedef struct {
diff --git a/edk2 b/edk2
index fbe0805b20..6951dfe7d5 160000
--- a/edk2
+++ b/edk2
@@ -1 +1 @@
-Subproject commit fbe0805b2091393406952e84724188f8c1941837
+Subproject commit 6951dfe7d59d144a3a980bd7eda699db2d8554ac
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* [pve-devel] [PATCH edk2-firmware 2/6] d/patches: pick up CVE fix from Debian tag debian/2025.05-1
2025-11-06 15:42 [pve-devel] [PATCH-SERIES edk2-firmware 0/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 1/6] update edk2 to edk2-stable202505 tag and refresh patches Fiona Ebner
@ 2025-11-06 15:42 ` Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 3/6] d/rules: pick up some improvements from Debian Fiona Ebner
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Fiona Ebner @ 2025-11-06 15:42 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
...CpuDxeSmm-Safe-handling-of-IDT-regis.patch | 45 +++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 46 insertions(+)
create mode 100644 debian/patches/UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
diff --git a/debian/patches/UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch b/debian/patches/UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
new file mode 100644
index 0000000000..2c4378c873
--- /dev/null
+++ b/debian/patches/UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: John Mathews <john.mathews@intel.com>
+Date: Fri, 30 May 2025 11:06:49 -0700
+Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Safe handling of IDT register on
+ SMM entry
+
+Mitigates CVE-2025-3770
+
+Do not assume that IDT.limit is loaded with a zero value upon SMM entry.
+Delay enabling Machine Check Exceptions in SMM until after the SMM IDT
+has been reloaded.
+
+Signed-off-by: John Mathews <john.mathews@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/d2d8d38ee08c5e602fb092f940dfecc1f5a4eb38
+Last-Updated: 2025-08-18
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110533
+
+diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+index 644366ba19..6e1cd45c04 100644
+--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
++++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+@@ -113,7 +113,7 @@ ProtFlatMode:
+ mov eax, strict dword 0 ; source operand will be patched
+ ASM_PFX(gPatchSmiCr3):
+ mov cr3, rax
+- mov eax, 0x668 ; as cr4.PGE is not set here, refresh cr3
++ mov eax, 0x628 ; as cr4.PGE is not set here, refresh cr3
+
+ mov cl, strict byte 0 ; source operand will be patched
+ ASM_PFX(gPatch5LevelPagingNeeded):
+@@ -204,6 +204,10 @@ SmiHandlerIdtrAbsAddr:
+ mov ax, [rbx + DSC_SS]
+ mov ss, eax
+
++ mov rax, cr4 ; enable MCE
++ bts rax, 6
++ mov cr4, rax
++
+ mov rbx, [rsp + 0x8] ; rbx <- CpuIndex
+
+ ; enable CET if supported
+--
+2.47.2
+
diff --git a/debian/patches/series b/debian/patches/series
index f9e35827ae..e74582c057 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ Revert-ArmVirtPkg-make-EFI_LOADER_DATA-non-executabl.patch
ArmVirtPkg-disable-the-EFI_MEMORY_ATTRIBUTE-protocol.patch
Revert-UefiCpuPkg-Produce-EFI-memory-attributes-prot.patch
UefiCpuPkg-MpInitLib-Fix-split-lock-violation-from-M.patch
+UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* [pve-devel] [PATCH edk2-firmware 3/6] d/rules: pick up some improvements from Debian
2025-11-06 15:42 [pve-devel] [PATCH-SERIES edk2-firmware 0/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 1/6] update edk2 to edk2-stable202505 tag and refresh patches Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 2/6] d/patches: pick up CVE fix from Debian tag debian/2025.05-1 Fiona Ebner
@ 2025-11-06 15:42 ` Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 4/6] Use virt-firmware to enroll default keys Fiona Ebner
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Fiona Ebner @ 2025-11-06 15:42 UTC (permalink / raw)
To: pve-devel
Debian commits:
bb42fb89cb debian/rules: Remove unused variable
16bb13da3d debian/rules: Define *_BUILD_ROOT variables
341ac9dcda debian/rules: Delete the correct ovmf build tree between builds
Also define OVMF_CVM_BUILD_ROOT for the downstream CVM variant.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
debian/rules | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/debian/rules b/debian/rules
index 494f162e30..c640833092 100755
--- a/debian/rules
+++ b/debian/rules
@@ -66,8 +66,8 @@ debian/setup-build-stamp:
touch $@
OVMF_INSTALL_DIR = debian/ovmf-install
-OVMF_BUILD_DIR = Build/OvmfX64/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
-OVMF3264_BUILD_DIR = Build/Ovmf3264/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
+OVMF3264_BUILD_ROOT = Build/Ovmf3264
+OVMF3264_BUILD_DIR = $(OVMF3264_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
OVMF_ENROLL = $(OVMF3264_BUILD_DIR)/X64/EnrollDefaultKeys.efi
OVMF_SHELL = $(OVMF3264_BUILD_DIR)/X64/Shell.efi
OVMF_BINARIES = $(OVMF_ENROLL) $(OVMF_SHELL)
@@ -75,19 +75,23 @@ OVMF_IMAGES := $(addprefix $(OVMF_INSTALL_DIR)/,OVMF_CODE_4M.fd OVMF_CODE_4M.sec
OVMF_PREENROLLED_VARS := $(addprefix $(OVMF_INSTALL_DIR)/,OVMF_VARS_4M.ms.fd OVMF_VARS_4M.snakeoil.fd)
OVMF32_INSTALL_DIR = debian/ovmf32-install
-OVMF32_BUILD_DIR = Build/OvmfIa32/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
+OVMF32_BUILD_ROOT = Build/OvmfIa32
+OVMF32_BUILD_DIR = $(OVMF32_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
OVMF32_SHELL = $(OVMF32_BUILD_DIR)/IA32/Shell.efi
OVMF32_BINARIES = $(OVMF32_SHELL)
OVMF32_IMAGES := $(addprefix $(OVMF32_INSTALL_DIR)/,OVMF32_CODE_4M.secboot.fd OVMF32_VARS_4M.fd)
OVMF_CVM_INSTALL_DIR = debian/ovmf-cvm-install
-OVMF_CVM_BUILD_DIR = Build/OvmfX64/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
+OVMF_CVM_BUILD_ROOT = Build/OvmfX64
+OVMF_CVM_BUILD_DIR = $(OVMF_CVM_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
OVMF_CVM_SHELL = $(OVMF_CVM_BUILD_DIR)/X64/Shell.efi
OVMF_CVM_BINARIES = $(OVMF_CVM_SHELL)
OVMF_CVM_IMAGES := $(addprefix $(OVMF_CVM_INSTALL_DIR)/,OVMF_CVM_CODE_4M.fd OVMF_CVM_VARS_4M.fd)
-QEMU_EFI_BUILD_DIR = Build/ArmVirtQemu-$(EDK2_HOST_ARCH)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
-AAVMF_BUILD_DIR = Build/ArmVirtQemu-AARCH64/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
+QEMU_EFI_BUILD_ROOT = Build/ArmVirtQemu-$(EDK2_HOST_ARCH)
+QEMU_EFI_BUILD_DIR = $(QEMU_EFI_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
+AAVMF_BUILD_ROOT = Build/ArmVirtQemu-AARCH64
+AAVMF_BUILD_DIR = $(AAVMF_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
AAVMF_ENROLL = $(AAVMF_BUILD_DIR)/AARCH64/EnrollDefaultKeys.efi
AAVMF_SHELL = $(AAVMF_BUILD_DIR)/AARCH64/Shell.efi
AAVMF_BINARIES = $(AAVMF_ENROLL) $(AAVMF_SHELL)
@@ -96,7 +100,8 @@ AAVMF_VARS = $(AAVMF_BUILD_DIR)/FV/AAVMF_VARS.fd
AAVMF_IMAGES = $(AAVMF_CODE) $(AAVMF_VARS)
AAVMF_PREENROLLED_VARS = $(addprefix $(AAVMF_BUILD_DIR)/FV/,AAVMF_VARS.ms.fd AAVMF_VARS.snakeoil.fd)
-RISCV64_BUILD_DIR = Build/RiscVVirtQemu/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
+RISCV64_BUILD_ROOT = Build/RiscVVirtQemu
+RISCV64_BUILD_DIR = $(RISCV64_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
RISCV64_IMAGES = $(addprefix $(RISCV64_BUILD_DIR)/FV/,RISCV_VIRT_CODE.fd RISCV_VIRT_VARS.fd)
build-ovmf32: $(OVMF32_BINARIES) $(OVMF32_IMAGES)
@@ -134,7 +139,7 @@ build-ovmf: $(OVMF_BINARIES) $(OVMF_IMAGES) $(OVMF_PREENROLLED_VARS)
$(OVMF_BINARIES) $(OVMF_IMAGES): debian/setup-build-stamp
rm -rf $(OVMF_INSTALL_DIR)
mkdir $(OVMF_INSTALL_DIR)
- rm -rf Build/OvmfX64
+ rm -rf $(OVMF3264_BUILD_ROOT)
set -e; . ./edksetup.sh; \
build -a IA32 -a X64 \
-t $(EDK2_TOOLCHAIN) \
@@ -144,7 +149,7 @@ $(OVMF_BINARIES) $(OVMF_IMAGES): debian/setup-build-stamp
$(OVMF_INSTALL_DIR)/OVMF_CODE_4M.fd
cp $(OVMF3264_BUILD_DIR)/FV/OVMF_VARS.fd \
$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd
- rm -rf Build/OvmfX64
+ rm -rf $(OVMF3264_BUILD_ROOT)
set -e; . ./edksetup.sh; \
build -a IA32 -a X64 \
-t $(EDK2_TOOLCHAIN) \
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* [pve-devel] [PATCH edk2-firmware 4/6] Use virt-firmware to enroll default keys.
2025-11-06 15:42 [pve-devel] [PATCH-SERIES edk2-firmware 0/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys Fiona Ebner
` (2 preceding siblings ...)
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 3/6] d/rules: pick up some improvements from Debian Fiona Ebner
@ 2025-11-06 15:42 ` Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 5/6] Initialize the Secure Boot dbx in *.ms.fd with the latest revocations Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 6/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys Fiona Ebner
5 siblings, 0 replies; 7+ messages in thread
From: Fiona Ebner @ 2025-11-06 15:42 UTC (permalink / raw)
To: pve-devel
Follow Debian commit 6b7533cc86 ("Use virt-firmware to enroll default
keys.").
Path to the AAVMF variables image is different than in Debian's
upstream.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
debian/control | 1 +
debian/edk2-vars-generator.py | 140 ----------------------------------
debian/rules | 59 +++++---------
3 files changed, 22 insertions(+), 178 deletions(-)
delete mode 100755 debian/edk2-vars-generator.py
diff --git a/debian/control b/debian/control
index 632cea53bd..5624a3b5a1 100644
--- a/debian/control
+++ b/debian/control
@@ -16,6 +16,7 @@ Build-Depends: bc,
pve-qemu-kvm | qemu-system-x86 (>= 1:2.12+dfsg),
python3,
python3-pexpect,
+ python3-virt-firmware,
qemu-utils,
uuid-dev,
xorriso,
diff --git a/debian/edk2-vars-generator.py b/debian/edk2-vars-generator.py
deleted file mode 100755
index 351e556211..0000000000
--- a/debian/edk2-vars-generator.py
+++ /dev/null
@@ -1,140 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright 2021 Canonical Ltd.
-# Authors:
-# - dann frazier <dann.frazier@canonical.com>
-#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 3, as published
-# by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY,
-# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-import argparse
-import os.path
-import pexpect
-import shutil
-import sys
-from UEFI.Filesystems import FatFsImage, EfiBootableIsoImage
-from UEFI.Qemu import QemuEfiMachine, QemuEfiVariant, QemuEfiFlashSize
-from UEFI import Qemu
-
-if __name__ == '__main__':
- parser = argparse.ArgumentParser()
- parser.add_argument(
- "-f", "--flavor", help="UEFI Flavor",
- choices=['AAVMF', 'OVMF', 'OVMF_4M'],
- required=True,
- )
- parser.add_argument(
- "-e", "--enrolldefaultkeys",
- help='Path to "EnrollDefaultKeys" EFI binary',
- required=True,
- )
- parser.add_argument(
- "-s", "--shell",
- help='Path to "Shell" EFI binary',
- required=True,
- )
- parser.add_argument(
- "-C", "--certificate",
- help='base64-encoded PK/KEK1 certificate',
- required=True,
- )
- parser.add_argument(
- "-c", "--code",
- help='UEFI code image',
- required=True,
- )
- parser.add_argument(
- "--no-default",
- action="store_true",
- help='Do not enroll the default keys, just the PK/KEK1 certificate',
- )
- parser.add_argument(
- "-V", "--vars-template",
- help='UEFI vars template',
- required=True,
- )
- parser.add_argument(
- "-o", "--out-file",
- help="Output file for generated vars template",
- required=True,
- )
- parser.add_argument("-d", "--debug", action="store_true",
- help="Emit debug messages")
- args = parser.parse_args()
-
- FlavorConfig = {
- 'AAVMF': {
- 'EfiArch': 'AA64',
- 'QemuCommand': Qemu.QemuCommand(
- QemuEfiMachine.AAVMF,
- code_path=args.code,
- vars_template_path=args.vars_template,
- ),
- },
- 'OVMF': {
- 'EfiArch': 'X64',
- 'QemuCommand': Qemu.QemuCommand(
- QemuEfiMachine.OVMF_Q35,
- variant=QemuEfiVariant.SECBOOT,
- flash_size=QemuEfiFlashSize.SIZE_4MB,
- code_path=args.code,
- vars_template_path=args.vars_template,
- ),
- },
- 'OVMF_4M': {
- 'EfiArch': 'X64',
- 'QemuCommand': Qemu.QemuCommand(
- QemuEfiMachine.OVMF_Q35,
- variant=QemuEfiVariant.SECBOOT,
- flash_size=QemuEfiFlashSize.SIZE_4MB,
- code_path=args.code,
- vars_template_path=args.vars_template,
- ),
- },
- }
-
- eltorito = FatFsImage(64)
- eltorito.makedirs(os.path.join('EFI', 'BOOT'))
- removable_media_path = os.path.join(
- 'EFI', 'BOOT', f"BOOT{FlavorConfig[args.flavor]['EfiArch']}.EFI"
- )
- eltorito.insert_file(args.shell, removable_media_path)
- eltorito.insert_file(
- args.enrolldefaultkeys,
- args.enrolldefaultkeys.split(os.path.sep)[-1]
- )
- iso = EfiBootableIsoImage(eltorito)
-
- q = FlavorConfig[args.flavor]['QemuCommand']
- q.add_disk(iso.path)
- q.add_oem_string(11, args.certificate)
-
- child = pexpect.spawn(' '.join(q.command))
- if args.debug:
- child.logfile = sys.stdout.buffer
- child.expect(['Press .* or any other key to continue'], timeout=None)
- child.sendline('\x1b')
- child.expect(['Shell> '], timeout=None)
- child.sendline('FS0:\r')
- child.expect(['FS0:\\\\> '], timeout=None)
- enrollcmd = ['EnrollDefaultKeys.efi']
- if args.no_default:
- enrollcmd.append("--no-default")
- child.sendline(f'{" ".join(enrollcmd)}\r')
- child.expect(['FS0:\\\\> '], timeout=None)
- # Clear the BootOrder. See #1015759
- child.sendline('setvar BootOrder =\r')
- child.expect(['FS0:\\\\> '], timeout=None)
- child.sendline('reset -s\r')
- child.wait()
- shutil.copy(q.pflash.varfile_path, args.out_file)
diff --git a/debian/rules b/debian/rules
index c640833092..316a7b7727 100755
--- a/debian/rules
+++ b/debian/rules
@@ -165,49 +165,32 @@ debian/PkKek-1-vendor.pem: debian/PkKek-1-Debian.pem
endif
ln -sf `basename $<` $@
-debian/oem-string-%: debian/PkKek-1-%.pem
- tr -d '\n' < $< | \
- sed -e 's/.*-----BEGIN CERTIFICATE-----/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' -e 's/-----END CERTIFICATE-----//' > $@
+# Usage: $(call enroll_vendor,<var-template>,<output-file>,<uefi-arch>)
+enroll_vendor = virt-fw-vars --input $(1) --output $(2) \
+ --enroll-cert debian/PkKek-1-vendor.pem
+# Usage: $(call enroll_snakeoil,<var-template>,<output-file>)
+enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) \
+ --set-pk OvmfEnrollDefaultKeys \
+ debian/PkKek-1-snakeoil.pem \
+ --add-kek OvmfEnrollDefaultKeys \
+ debian/PkKek-1-snakeoil.pem \
+ --add-db OvmfEnrollDefaultKeys \
+ debian/PkKek-1-snakeoil.pem
-%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-vendor $(AAVMF_ENROLL) $(AAVMF_SHELL)
- PYTHONPATH=$(CURDIR)/debian/python \
- python3 ./debian/edk2-vars-generator.py \
- -f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \
- -c $(AAVMF_CODE) -V $(AAVMF_VARS) \
- -C `< debian/oem-string-vendor` -o $@
+%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-vendor.pem $(AAVMF_ENROLL) $(AAVMF_SHELL)
+ $(call enroll_vendor,$(AAVMF_VARS),$@,arm64)
-%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-snakeoil $(AAVMF_ENROLL) $(AAVMF_SHELL)
- PYTHONPATH=$(CURDIR)/debian/python \
- python3 ./debian/edk2-vars-generator.py \
- -f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \
- -c $(AAVMF_CODE) -V $(AAVMF_VARS) \
- --no-default \
- -C `< debian/oem-string-snakeoil` -o $@
+%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-snakeoil.pem $(AAVMF_ENROLL) $(AAVMF_SHELL)
+ $(call enroll_snakeoil,$(AAVMF_VARS),$@)
-%/OVMF_VARS.ms.fd: %/OVMF_CODE.fd %/OVMF_VARS.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL)
- PYTHONPATH=$(CURDIR)/debian/python \
- python3 ./debian/edk2-vars-generator.py \
- -f OVMF -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
- -c $(OVMF_INSTALL_DIR)/OVMF_CODE.fd \
- -V $(OVMF_INSTALL_DIR)/OVMF_VARS.fd \
- -C `< debian/oem-string-vendor` -o $@
+%/OVMF_VARS.ms.fd: %/OVMF_CODE.secboot.fd %/OVMF_VARS.fd debian/PkKek-1-vendor.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+ $(call enroll_vendor,$(OVMF_INSTALL_DIR)/OVMF_VARS.fd,$@,amd64)
-%/OVMF_VARS_4M.ms.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL)
- PYTHONPATH=$(CURDIR)/debian/python \
- python3 ./debian/edk2-vars-generator.py \
- -f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
- -c $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.fd \
- -V $(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd \
- -C `< debian/oem-string-vendor` -o $@
+%/OVMF_VARS_4M.ms.fd: %/OVMF_CODE_4M.secboot.fd %/OVMF_VARS_4M.fd debian/PkKek-1-vendor.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+ $(call enroll_vendor,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@,amd64)
-%/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-snakeoil $(OVMF_ENROLL) $(OVMF_SHELL)
- PYTHONPATH=$(CURDIR)/debian/python \
- python3 ./debian/edk2-vars-generator.py \
- -f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
- -c $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.fd \
- -V $(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd \
- --no-default \
- -C `< debian/oem-string-snakeoil` -o $@
+%/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/PkKek-1-snakeoil.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+ $(call enroll_snakeoil,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@)
BaseTools/Bin/GccLto/liblto-aarch64.a: BaseTools/Bin/GccLto/liblto-aarch64.s
$($(EDK2_TOOLCHAIN)_AARCH64_PREFIX)gcc -c -fpic $< -o $@
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* [pve-devel] [PATCH edk2-firmware 5/6] Initialize the Secure Boot dbx in *.ms.fd with the latest revocations
2025-11-06 15:42 [pve-devel] [PATCH-SERIES edk2-firmware 0/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys Fiona Ebner
` (3 preceding siblings ...)
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 4/6] Use virt-firmware to enroll default keys Fiona Ebner
@ 2025-11-06 15:42 ` Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 6/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys Fiona Ebner
5 siblings, 0 replies; 7+ messages in thread
From: Fiona Ebner @ 2025-11-06 15:42 UTC (permalink / raw)
To: pve-devel
Follow Debian commit 45c101a4b5 ("Initialize the Secure Boot dbx in
*.ms.fd with the latest revocations") and pick up the latest
revocation DBX files from Debian's debian/2025.05-1 tag.
Adapt how entries in debian/source/include-binaries are handled,
because it already contains different entries in Proxmox VE's
downstream.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
debian/DBXUpdate-2025-02-24.arm64.bin | Bin 0 -> 4613 bytes
debian/DBXUpdate-2025-10-16.amd64.bin | Bin 0 -> 24053 bytes
debian/rules | 19 +++++++++++++++++--
debian/source/include-binaries | 2 ++
4 files changed, 19 insertions(+), 2 deletions(-)
create mode 100644 debian/DBXUpdate-2025-02-24.arm64.bin
create mode 100644 debian/DBXUpdate-2025-10-16.amd64.bin
diff --git a/debian/DBXUpdate-2025-02-24.arm64.bin b/debian/DBXUpdate-2025-02-24.arm64.bin
new file mode 100644
index 0000000000000000000000000000000000000000..33520068f2602fbd2c739b7f71e8946f5ba6ccd4
GIT binary patch
literal 4613
zcmd6p2{hDeAIE328|x5lhN4pV&y1Z!6N!+0DZ9ZKjK<grV~wjsH%rolEM;qv<;q@H
zM3F3&glt)&NcQ(X-P^srbKm>E=e*~<=e%?NXJ&rS^L>8L^Z)(7&*%TVVuP~^@(V$}
ze^$7`f3O9fYu#mfL+*1Y5{l%*lq?7Z0F8SP28CjH0VFGjL#!^807t-}ED(T;l|wpK
zH+C5bWrNabobvz;Y^1>_>2Men1{1`A=`h4*?xex6tS8?l!7wuXJ_O1IiX$U1TmT0v
z+#JCw2s1au2m<_!fL)N&($UwQ=<P-&dt>+j9!4XZAe#xn#f$9ig4qr1WVCP!3K<Zc
zDP&)=D;13=Q+&u2M=B8<Ar0(j^uq<k|7AZ~Ut1rI*Fs|f3<lV}4T+Tpl(ATh3J$<3
z+kl}07y`eCKxFLyWQhPE``Z%t{kcR-qPGh<z!z<<t#bmcPY6P52Rgeudb<%A0YHOF
z{8&El0l;ZcUa;U$P8baeh14HB`pBApL&RxhmZy!7oN1nzYBZ0u?=Y<UkUufOm%yQ#
z?G%iU*F?NYLqlwzT~IXmdTzl@`(u5P(Xn?=UxdmVhXtJX2HGg%?aTXIgYOrqu-(?D
z#V<!!P8K-ZR!FZ6Tdkpsa<{xJTPqL`R3&AHM%g7WI~D{R@-%tE^CGG2Yp-{)Bkg{s
z^fv{b3ds<4`of81#hJ~i&)rWNFnF8T70vhL)-TVe2{WCPHKmG`<i{aj6ONObcitTo
z2>7Ix9mOR_E!1^e($i73989U0%#l97e8VCfm~xx~b`fDzvD^Xguw(X)mD`gm)R#}N
z<Khqn<yN9mDw+M!h9=W6I1~cSr9p{cMF;>2tnMyJ1d?IWgRD>ll%`|^1$Hr7c@V+~
zl-%~lss%5b;+x~L)35zHr?yAo`2lT4H$OrHP|s5Zl)u}I>+ftP{B0Hliy#t<RZ&sI
z98>_XN-7vYjFDy!LIe<wKsl}BJLnpD?QR0yrw7c7L!LfJum>y{0x^UUU;yaTPtcFY
zYP(aZKB{tZ0RaKBUf(S(>rD2N^C1z*KE86!6i+$OD4@wf@8Y!>&b4QJ$pDHnSb15n
zTM`QZ4y^3py|S>dL7@mUzyvt;JqBR0$Nu9K1Payn-%mmXxEU)KghICvFaYwS9l_lU
z+7SwoARoHv7oU;k4I`)(%sWgpTm=r~1Y28gcYIjrZY7s{Ou8gxOvq=?PyR^F3){@t
z()iK+-o3TDGxuSmOXH%7o%nVfT`O6AK%20QR$TvjT7;@!9IWQvX3`Ut?J*P+J*hQ)
z$QgY_P23S0b0Nf_hjf*&pJ-+6@#{cEOqDLBARW<HHP(Hh^)yMmT4^$JN@0E0GC?5Z
z4tK4^kjx2}&(qf$K6ut7Mm*BUXs1qY!J{=YUuQbiumbm-Mf_hzeMYL+S4l@M@7+ZU
zeNc8Ww8-jUMgNz)AV=*PQeB<T?j2=-@x_Frz8g(3rLKDU_R^{}d%xQe#3&n*r-&!#
z1CW7}AOoNO#z0O-&aU`x=z}vA3y8e*KjDfRpaMQ35PjG`x$*-V(Pr*MiVOObBZV4-
zHgKen2vi?WM`r@sgiNL~SO^kP5i5@c<S|$k1`8E`3l$jQ{{yc769ro)D-!BUETzh&
znm<geSq2}2*|H&D>5WmP$IE$VyryTut4D2|v7!9ijCe-53Y3LXFFam)7kwx5>Y<6H
z%1gZ*!y^rd!eU_OknU&JQ<*LW#^J3oMi<esottvQ*SBa5vr`?Ni>4k<s$BT$5y_2B
zmX)3s)NTHeJ?E2rD)V+3%#@C0tqM2wHMaLmw#bcT%<WBt&m?_H{LrkohUXXHI#+Q#
z#q-TL;{5ay4l&IKl|DPR5+$g<CCMS@?ys{|V^sI1<gB#Stu>zRpu_L464ag^kiNc7
zvCf$;P5JmmK``PmZ05cF(`)`6ADvSg%YrncgW|$RO$sNkg|HDX3Vo-b5lBIOfbS3Z
z2|*FyTN&~L0skeLME@9of+4tfb3#lZeh?=J9-;+;6x{l}2u7M%fcFm$umErn2mi!8
zZC4Zg@Hs2~`d-8AJ?89csuCWBz!}B}F@!l_3K-Lk=mxR+zXJ(m*I$|U4R}5jvWuVd
zA5a3V3;Gr`E$CGS`~Vs70u&hV`|rso=llcq{(c53)Aohaz+(19$1kBSi@@5X)z_p`
zc5?U8yA~!*Tnp!ND*S?zA-81m{B1r2RaPr`7>Dq=d>MB61aqrfF5D6Lu%<KK%7wev
zvQ;$Ko~8Ho<LAUqU43ljv~4%A)UZ@l6Udf(aP#VGd5h>7T3e}>q)!%UYBQO)?~2&i
z#AUI&(%eb<Tl)|2g)H}l-t6+PW@!zY<xNh>YT6tkpY!Am>1os+lsCSj!aHVX(J#Vs
zWsxoa=skMC2D|8|vldUU$L`6CYtP@XI@d#V6S{OR@>96r7&0+IJuZ5BwDTc;tVAX{
z^@7Jio6uvcCbuG6Wp@7Z&SVI}|26Y)qeJ;Ht|B+Siy+FmeWExtuaOpKsC-8b`3Mz9
z-bj+IRe3Nm-u&);$G+%~mydotkeIBar53rvt$zh?O=w5fZa`9u7X8!;iuSIb($Wli
zCu79vvCrSzWcCU%q>Ohtj^(*_Q;8`mQfv)C+)`3>e5FU+A>Z#l+Y5W<d71mgGf#=2
zk~{OY@Eje7q87F$aoWPhr^z6!Lw$eoO$n5KTVucebl4F~g}dWMe)r2A;1Z^#mx6Zn
zUeyv4iZ%1O`xdFd8(J<;sY!ECn-7}Kxx3RgN4P5P(bSGF6={-W<?ExDRuh8Kn~6M?
zxjWG;X<yq=rI5as&kZO(KaxCsM@5Fi=QHJxEDaUAvC;L}7#g$%+-40hC=`fH|39GP
z-=4XDJhlID1P9NM2pSZE;vcIEj;dvy%CGj(BjCb313n_#4E1~jv0W=KpmrpT@51`t
z$Ko9<@};+BSiPjmhaJvrduEI$&p}Ww5R0hYKGqXM%i*714%fHgNQk$i9wLo+lKd&c
zK9&MGsh=PZ+_Gx#4xg32)@0nB-4|)$vOn^%Y}RJHluaa|c1cH@?aUcZkvnq1!BWV#
z?35x-JaCw_zMbPOg>#%$rC057!ZnSmJ5M>^s4osGs71B@sw`B!D*ManLj1h#jdI%~
zk7AUX%~4!%rFWz#Lqx&6bworVhrX>K%X_=qn@U>}<7~Z-l7}lY-(!D06nUA{P!$ms
zZtD7hI%3;(I56BRtw2h+rSasc6wTrytrf*o{Qh;sw^ud<0Dm54t_E1cu?7zv_AgFc
z4Af_{`@qU_-Yk*saCdW-@0B|G*UhWjI$)&Bllf6q{3goGdX6D`Lt_E<nZRl<f#;Eu
z8xP>INu$@vl$1ad>#Kw;DP}zqS=UBBFheKfwue#P$LkAlgx}LmSCvN5`;Hj#p?LqI
zfAV=P<BGU$b6b=m)-Oq;XFZ7v!d876Gj4KGy5saZvt9%ze_)HnY4&;=T!UZt&D@ww
zo$LuOGro#vy{#_YU4O~1$Ua-MRKly3hq@6ETrXE<=LVN|vun<<BP!6cxo>qd=l6^^
zJD&8?dL-4jN~*!Ls{Z4_%OwiR3UQRK)UUE#ZT!so#6|i0*^sBpLa>~UWOhP3bVltk
zU0tE>l>Jc1OXnqVW_^BzkeH(Ri<~m#@qN}or1yDf9<!ed`iXugb#-H?>;=sFvJp7v
zTG*jif-9>yRoJMJn{n9;e>valj$>j&CpBUBnDtfjfdf%FdM!9{=hS!wR7dI|T$#wk
zpilfsn!@5fOGRdVZCt+lq^PTIRt5W9gmF}3wnxX_XWN3Z=uX|E(XV*^vYvKQOrqus
zdb+=rP(@0kvEB&>qq1Ih(O2<(1>R|ao6F4kJJnX}tb0Qzi<36=gqK@1R+{!2AE_l+
zTlOie9$3=sWYz}^it^?n<G1Y8pxZgecRO(eatm^q+O@}x&&MZlk>r^5t?GAFBuX-t
z9H=^egGx^?zbUa1YtKI}Hz&`3c0gq^npy8udHp_J(`5aAdQrGUu7&^6p4#JGO<S3)
zn4Ld4>Q1pS>v35JpCPns3gm5I9b+uRl<t#HI&(5prss~RK#51XTbcEFiFTOdVL7_)
zoaYs~#>Rp1jS-1}6=&Om-sP2B+eY=6^%}GbOOp|sPWKKgR$i1)Sja^QDQ6T%==_{^
zASClzw+yrX4({#ITwnjC0hCJFVaFFV=mI>T*{gV<$&uIOmVn+RX8qzD8_n*b*RSsK
z)x3Me{?4>C-P0gX#@(M&*t~bGw85BJf8%CWQ{YjZ5~A9!1!HZUqgcc9t?3pX*2(Ud
z79-BjOfl;lOu0&0p1Zzmsj4=IX=Ja4SL4pLpA$%*Xum<}cSpo9>w5^jYVha<4`IIY
zLQh-YdmcES^!;xyj(F8Pe&f9g31imZ#_aYzEAak>UcH%>Vy&C7lB-6l?@u3dsVw3r
JC!a`L{R6gwL0kX;
literal 0
HcmV?d00001
diff --git a/debian/DBXUpdate-2025-10-16.amd64.bin b/debian/DBXUpdate-2025-10-16.amd64.bin
new file mode 100644
index 0000000000000000000000000000000000000000..07a95e2b09cc8c0e3ec40e035ca4c3cc30fadfc4
GIT binary patch
literal 24053
zcmd731yCJ*x8{qxdvFQCVM8FeLvRQd+}+*X-Q5Wm+=9EihaiFA?hZl1&HK$cXTIBe
z&Yh}THC2<MlJwrc{p{7<tDpZ`tDB$j&~Vt8xDfyO=QqmV|3O`%<;>McubZDqMV7Jq
zaDF!V3JOH|1qBJoiVi}BL(~tIgfxMMfr5mE03pL6(uYch-lIaoL*@q}U4R1rz8DC7
zkPi(72?d4y{;wQ6T-$2!+^aeNzrKY1ABF$;2qf}fIKZD38H5N2tqKE&4W+8giVed2
zX9EEnNzK5?+``t(+0K>~1BCX^i}2X+N+!lOcDBZ>q#)vdUO~dfm9sE%v~#jEbtV_J
zbF{Z}G;p@~`w4mw?LY5BV^jPu-zS$5mmwDwCT9b&vVutQQQ0^^9IPCyT<lyRZq2`&
zAO39<6cGA<Bt#I1`G15+^FKpWv#>R`b8{kB75^wjE@R?BF79q*ZeVL>^3Mh+5R&rW
z58vMt038U4{`Y`GB0&X0LPGpvXAFr@@7kMibtn1Eov|WLaZy<8w3>BO!eVhu+g?ZW
zVEJxfPGzHe<DO8WC^lZGwX<ryWyl>3ZSQ=){z5>wX(3aZ8uSE{PBD06{+U-Kgzxdw
z&^odfUqonw()QA%{n2*cZMK~mh7^5MyGU+s4VMZGGOduL+rxP<dh@jzD>{v9t%8d8
za>M{mtG4!3Qjy4e%DZ|(l($&kP*JQ5u2bXCuIzKIW1$|Wjdn{eHK|{CU6|<7XmmTY
zQb~8vhjaJ_<BLzM5zmd+hR0RZ_k<KK*Ys$=ucq#mwyFGtik!K6>tWq!&>@alLv`T(
zH>V=-;N{<)*Z7Y%y(OoCf`){EEDVIS_<KZ5KsbMoE(tXZ>OV=!00#*J8OW&s2_pID
zRWukp7#tbsfQYd^Mk5tclf1WE(r!6x`zRpsf8NG~5diTO@qoDgGtH3yyEMc5*SEmH
zVxzLLadUrQW#9m@bAMn5k^Lh>1w#PB^T#oK7M;u&C>l4zn$ucVt@N5`iqr#r{s$m~
zQ2@z-Wb&o*B|^o`ot^D@SXkWL+?Z|tGo_i0>}*)<tt{;9omh+<ty%si%HJgao4caI
z|75P-KYuZSJ}|MdGyi>?nhgZfheP<guduN2kdQDcASKYJ|J(*ag^K-ezrw`P+3ElL
zOPoO{|3r=r3Hb^G1%mkZbo_fY|4m0o2vIxHFH3SBL^(J)q7Of#aw8G*39-?Q-Ys6C
zT4Us|ni0gvhTpKVUGP7Am_5F;D146{kUmS~fcvt^vlc9Uy)t23sj7{c+PO`Uz#lsx
ziS;OSS9s*cm6X<!4(WlNE}F<fcrrK|4|-?k7QhLgFngHSu{?8At{LrAFt~8Y%O}i5
zbLK?_%52zy{PIHoGya=yIkWkEr=KCId4LkWjycpp@SV0!@(^;TPgtOp4g>A9<XN07
zHNmy|zNy4!YeM4Yj%|V@zjF5M9)j5MKFo6Rt;z|ytA^W`$G}I<x)hteR(QqIc&tBe
zc8i@N69+s=m&abN{EF_a14sJ{E2e)v@Zhfp&ioG#L^42{4gZ(*K?4pJC?Mhgh_CR1
zxc{D_zt+e0KYiujtdU&B+``eA{F8yBvj@4Hfuog)v%R%}kqNnyot^VPUijA$Kd`a0
zf!JBu{=*CZwaM|%=Kl?L{l9a;frG}#?kcr+weR|m_Mg-|#h`THQGZJBI@9mfqMz6t
zpZK+IYZ|e6W8y2IZ6kl>!cB@Dy4?t_%gkcjzim!fK-}Ewfhny75wA;L!+pv${;KFV
z5~2`C9y;}hWi#(Ju;=t}a_UCe(vSyPv~`R6<qz!d`2m~?%q^;j82jcT61kJ=-Rwua
zzQx}0`GWzL-HfxhQP3wbS5Zg((odq8SjfJO5{cHUdoU5lx9?$&F(Bz3c7F$9^Sx3d
zvY5Mmd~H+cTCH-RS1*4;oAcn`$ui-cprg-wcGM_1u1-9^<G}VGf;!pJo5*pUJU2@0
zt?>{F_6YOaRw_Nn@q)LA!~IVeRQT(HG9ZlqGCy2Mn7^ws#J@S<|I(S>{MQF?pkPo)
zksy>ITp$b~L?ML#8tLClA06f&nNSe=fB66`2>P!b{J%U;+*C<)(^nm{dqF;zN)>^Z
zhtjeXr2Wq)$Y4}K${@vjg?zbCng1}PzupDzdH*szdq+EC7o-0&rN62BH*fzY?cZGe
z$NWG{e}6z6|CrzZf9GQ{`ZwGA@4vwraQQ+9{ymuU!Qr<!$plbi^n6eBiNq+2`LmY?
zN~Wb}1&uDA@et)qMXs7h9?h+smWo~&#&?^>S5RhM_oYPcoo!R$>c%JwY9nt7^<WoP
zhGs0LBxTr|k9Foiw>`HlZSL@e41cm#*gprK1dde;Q`=`-9sY?&UrZ(2-A^W~r$>pA
zd8MVp@Va00E}nI5g&pxYMUPL+?)$TD=WC7bHQy`#i(N658+}*z^AZ7U>J5B}$hUmA
z7lb!g4xcCTLaB<v#!Ft*edjIAa1(q3uKcifQKKUH!h(;tr#eM<tC)h5Vl5doy~Q4t
z$^%B2h}$=m)*&z-GWmP;Yd7CF7KYE7yg?$|uk<eJ4Gfd#s$)SN#0j%|iDB;GZrb1L
z-`JU?2|iC2Ij4(?|0v8GKxDS`TU5hj9JS*GB2nSSh4*XO+viWhLLM7T3P_eTuC_|2
zsTN)}==Wi;Gva+!$~XaJPav3b&JPAZr7eiqm&{KWpr);pQNB-GQ+ia@U35SfeAF)+
zfbXLSynMMj@L<#LUaBmn#E}{6U6MKW5me)--&1gDsMUw2RIX0&AX&%~Cc_O?v9Di4
z<v{nYWp`{#)91bLI4-Cs)+xYi2^%~lx@%0Mw&Tj%PI!#;Nbk2mYc3=vhfRAJ!>NW?
z9Jubm!Emu+&nIfk(7)EM9aNM5Fvk|$oy!^sIq>%~>-k$8g96h3FL1~Iw&wo#s{P+e
z@V_-AOduqL_#~I}1XFv)44WC;=E@K$jwJb>|Mz!^w=!anFnql^zgAA$%V#RlQLWnV
zDDEZHu2(r%RPbbt_`c~D`U?qt<l06Dk=m8_t7RV6MIL<2AK`gu;3%1pcYJ5NY*E$q
z5Y|ocXAd!_FX(_LZM1Uc1d6bH^C)?}mGbipjXb{+3oB>arqt38=NvnxRC$`~U$5Wg
zW?jgwQZrx6tnUmBCOXg7$?Ic&^-2;J{iMVnY|svZ;BFEdTz;(L9Zn>s_+l(^vW5=d
zRgu#(%X7QSthN$fjL?P5`-|=?`DX_{_drS3T_L^a!>Pjy!^W46RQdF;)7Vj+Xs?<b
zkh5)`vDokM26|;bB??uR3IG0(Buabo>0e7W1nBQSotckr8qjQVo%*yl`*H3v{te3(
ztlg+kF9{{2Z)O!pij?+j>V=|9_2q=g5>4`ufcz~>P~l_t(?TM;BkkLj9cXd(Ijs=*
zw^qC<K9#maQ=UM6aCzxV=++1mVof={ogcGP7^;BrJ)=CrxtWJ$FgkiCkS9C|ZjrGz
zDaIl%>v9N4RRU3<8ZLb2lg!ArqSItRf&=pXWtksQi;VNt`qgcMrfzSl5t=c$Jx(Lo
zoS808l~GKAy!ulz;dx4dhUm8^J!*{nb-^83^-*1<7ML(P7xRiV2OzJU&|mO`NdZ+-
zPP$56?Y5bxV~042cvk-@gR*;4Bk>5xFTBI`C9!mf>U~=gQ{dfh0?(Mw<7Gwd(>dO$
zf2Vsr3*={vPH69Z+mtVjnYw*m-wzei{|e31$Nq!I%*b{*zH0;I>4uJ#8u)m=L@_R%
z+Lr2jpYuI#w*A30anZio!wHra1M=}t`)C#m?}cIn@KMa!R_f;vH)yD7)|>dH=29F>
zZe)QxhF#^+^vR1nh}ZeXKi@xnYsQ};$u4%-d5Yp1FVs96$m7fNAZv*ZmB6=u7gB&_
zC*_~!HZ+?`erQBvrYifHhyvspGN#{&Fem=`pw}(ak4l4Jox3UHY4<Aj#9|c>X_3JV
z<eBXg%tA}<ofOHw5|CA(lh`+^4Y4toQPr1zZ)H%d@d5IJQ(1ZI0v9<dO0~arcLMsF
zFKnE7oID&<W9_jmrv#jUyu<{80nHX%X6Ocw)j8ul#>1edjn&Er3iEy<#%+4dbs+C>
z6>m33DdnqD_|dT9ZQAn)2DuyhEw=gL_Hy_5i;)YE4_x7$YPdrXoytk;pADPL(h#2H
zKfpj!w`2JEnNv;A49G_=NNQZBG~UM4lqVxw8kkisc!t}?eM~aOccd895N`$YF|h>^
z)B8xo@D)xb<Fsdrr{DRmKG__EKUFQDb^A*a1NrLXYF0%WET_|ya%MA3?o-yX5Hk?Z
zd&=|&PQ<bwnqPqY0AgpQgiF=ZN@6)>V>7{1bn=&vjAVyJc&$2-@5B3^f&37DZ)x2b
zeE>0SV=0kr(Bf#6777h5i2)S+@m^wIsvnRaMSpLK-?INZC`|=>H0=`E>G+-B(ifE0
z?auBYvx=1{AaAUuwT$JS$&6F=`Hr1TsmAI7<+m7wyN1i*g*=n-qBxKjA0DZ8L7Hxt
zeCAa0F~<63ELXjhz&9EBc2q9J!fZVj$OkMv$>uV922z_?$pktzj~CSnTpb>hZ{*YA
zy*>HT77FBB>95jP5n!_1hn*7_REZo=7U`=B7rk~rBJQxcpWDg-`OTc_pdMyBT5R?C
z<5?0ns)pMmG!75=A7cC`gTMJmbAUYeN*`_Pjf`H(d&XwBZA|C`p_LMUBk5AO+tE4*
zI07gj&vu)PQjoKRRnRNG_Z(qtO8YwD?I|+0i}l_ohHd~E%x^K~^~MWRtFLhd4(?8>
z)oTtUENPL*-#t6rQTR+twXp#8M_~2&6!N*;Y(=h&hF}_UQiGu>HxrpY!<E&xH+KKA
z1M*Ard%x~>n4C+BKO7mpVBzo3A>(N0YJW&6BoaAqye$IqS8g>5S*r<=2YH3sz2D^7
z(`8|*(@fYH`D&%q<UV`?^B?oGk8HzT#HJ$x5x<g-&ajekGrPqb`i7Z&hNUtK@<oCA
zIB}bC4w`w>n?+(%=&ybup}7r|?@@bXSY^@abZoxn0{JT5-H09u`Ls2y`tJA2Qj*P9
zEzqv(tLk-s7R?&JXo2PbhGKL0N!w{L=;JV&<sEEX3MC_qfm+KzZ)@N5klx2#p#FeT
zMX<ipy5<!1M2Vc0C*m?3D3Z|RSV?Gm;CQTT0?a>o5-xu4()tx-$oeE9GZN}<${uWv
zfTVX)ss^J6#QDH@qWA>d(s`#{Y}!(Hs!l`VJ=OJUl}Cn0$Cn<uP|SrEU_8;#Qi}*`
zguCSwz1T*QRBZ5UX-no;@#+aCbmxQQ=k`GUY;oiK>QptC-s9{8S%zT^FKI>s>o#)p
z3%rV5HIgHkzqPI3?p*x&ifK<=`b4=iz(ui5N`Z3AM55sQ>(k{7cLz{^DHC(nS~6z-
zsY8WC2LAEE4Am4dSu$={hOGO_US1>|$X|W2;b>H`5Dxo_Dl}$Jr*U(w&A4&Y@?v~n
zN#A<gCk^Da-o_^IJB0A_7gzs^$&?xNOmKLo#)bc+H_jAVa5(~Yz57=Bm*I}c&exn6
zMZhe}*O`~9dMFnC;I4H5(W)|7MFaKs&B<_CDUL|Z?qxb^CkJ<->=}uo2lbkC?3td*
zBpYvlyuUn$tdV&;O&NN1tW=~LECU@o0d*#1wt{j2grkZSI*@M_gv-!~iz0tSt?Xrd
zekP+f_Ykyo%Z2gKwehA@Mh9Duj$Wff`ViXWw5<F;-Yy{EODuY{{d6<mlbVru%_1`e
z%b(E`4j8yATh+|h258i+<24lySXqv;bbYP3X_z#o7*$|A?5Kqd>hFnT89o!$fKbZT
z7g~wuXwWvc3Z>NRhNyExfV?*M#qP%bBk#ti_yAt)S%b<NNhyUj!}kqJ19)@Uzq)|@
zFO8bd2x4&C(MC@jA?Tp|Ni4UI^c0C2=(SpX8hcn^>pOa3LFSAiXz`EM&76jb(c~#f
zm{4l@1ObLc5<Rn&VkS_3r6w2FhF^=TDMT40-4Pz>+X3-_(mK4EHrb(0Imv1b<WV*#
zAnv?<AN1r;Kg2<G+b41%@llN>y!gElMNO_nc?0AbDASJ$ta1j5R3i_Wy=r$Jw6A3z
zBwy}6^z@Q-4Wy?5c}|l>iyp1tQ6gR(nDM+6oCif&b|E=Pml~&*q3)I?>_FbV;dHEG
zWEoL_d<);7vAW?Rm#UCkR(irV?BH5Cg%vD+GE}~l<)|LiMN|-t3Ckqh<>S90vlc3~
zvJ<#A{}l?s3e>-BxKrdsRgpH2!LI5{I4>Q{6G16ntrtMngnRTwMc@bHLj^{fZv>O8
zaGsE(q%EX8qfJga=v6n`MbO+BqE{1uygR-z21R&jL!Hxn>Fr7K60NbrXGFgY4o`Jb
zLm5sNL?FKxVu$VLk-;>oP;kSRcEUEd{MF8D&j4rWi@-DQ<n0KM4=Al4bs;<^tN6OI
zrh8~X(sOi1&)Oe_lTeCd_PL}P%-`~gen1J%3yi&rK(zVBh$>U(F!<^^HX_=-`qM1f
zV1TVJ-yM5qZeB)jnRCggo<E;C3QOZ(f0~&p>9gc0>8J3-2F8Q<JF*Nt<V`fH(?ix*
z->?%q4QnavPfu}CZT=-J?FlkK9>)#Tz=HWlO7IY>iJCNRlEIGsyX9>X=#m7gh$R^n
z9>~*86sgD;f);QShJ!7%ak8yoASf%nv?9hAX(472guwb2rs>$20DG$0gH3Tle)EMB
z&~n$ZY)6aVn_s;Xka(4ZKz$ws=dPM+hNPgXK-{_aCDZ({e&2?-un*F@&P7xo&%o*#
z;gCQwn+mN`b}#n=2E9xq7yB{oq_1)kkska(Z3F4BKz;ErE4d|uc`cq~e|TpoPn`x$
z$@;H!!iWe>!Yq+thdMxBJ^qo>fnwMu{xsKU#Fxk9{aOCq#g_s>vH@}Itf3CDdR~V#
zbG%*J2TI0VX&p+#ersyM?vC;dGJEFKZ%KHf3aq}eIhtitTkoG3D*9%R*OuU-cersv
zCj1GM%&gfVap4WN9(CQD^6nnVbuXFQzO^TXwv&Z^@|!d(88kgjo<bZD1IxE*>;lo=
zNoKz2V_$m==&-5rryyAB_TMwjC>~YU2g0<#{auGDZwLx2+ngU#qD9DVs@O~&x%rkl
zywl#FvW9Kpb_d2MRECr(OrksmsCIgHJyznh44yfq{b3x@2o}#}{vr?Lw{4ysawu^6
zwlj~ygL7%cE7<Jp{PyM1l(T$QmdHMU`NNhBtEMWRgCu`cywf+PO(MC?W9AA9!WX7&
z*1TI?gc+dzw_P}P^lmG)(6skS@Of{WtcpzFw{;UpYCq7^PafJ!0eP>{aTTK}bV#yB
z1l^W4x7o_MpaDT?HGRHb>?_9OK@T9GkVcG?)*Y)g6wF;Y5My-Q@>ucWDmQ+>!dvDx
zHZpAq<U3q`W4yAVYd2=(nzqkFD@gBh7O||KbKnsxOKzKP;Q@J*>z;g~V5skgt&Ys;
z_qw_nq}BwsNeW&J%vO7ABM>J*{+)*j`nK@ZG-+wjM`VuA<uz_!QLSPIf=59lM9$Xt
zjX-|C51FSS;3QlX@}!uKGhj(Zldw-A{GFAO{r*WqIW-rMmv|*IsuOB@hB@`X#%A49
z{Hevvf{(6KeS^#2_cX{>2jnB<+_^u*v87KWXdXB-UxOA4OfzmYB%-ev8La9<Ai?G*
zWO(q=QxG|K%qzJL_IuXld-fgsL~)7V1N{dr3mu_Jfcl(8{+x0(hEP);D6EkTE#;hP
ztXKwkNU<Q*D4!$u;SwM(6cxpPTTv^jL@32U4aMqGfn`v)Mgb>hbtN%{L!k`T|EeHB
z{$khZ?H9OV{ib!(vlsRKO`}_D#b(*`<#>OdN*qu>;(GROC#0W!5;g}hWqb0a2iBo3
zI9(;!Q*2dLa%=So$mbClovPvYCpR!(BALS1iIr%5A!}00`7IM$e=#tr-wWj1NoH-7
zArOr0sHmX7mfG>Zrsf5Q<Myb@VD&AA{TUSm@=$vemSg9}kV0g|swZ8`LUqMgpEFMr
zQw%t()g_rPn}NLTpFhZ2kP=Z|$+8&VODhW|ipaymw_x)k;l|b9F1FPIdDK2xmt(^7
z&#jj{t!w&QCtn5>A=tO#+rL@gA*p0h$pZNx^?<8lH70wF#u1}W1gf-&hvJ5In0ljQ
z@Rj$S2Wnvbn!psz__q@=u8Cc$R+@ney;W@u9!}GhbXi?dPr<t{RzQ6e#l?8Lfh0^R
zSDn((KoKj(Ke?7gSB}a@4G@?(Y};Rfyb&3KS_6Uj2gdlJbYvNffhO85{;s!8ht^n;
z+pD!dDuH~mz58!(gVfY$p2O@+9d%RR&~V1Pk<lL!W<{y(o;Q3zzU=Myv4x)^&D>e3
z`6>B!1b1~6#Vt;?Kd$r7D4ZIi!0Npem^?IL&f)mlIai02T{|a#A1t2Lhr9i5Cb<j}
zkX{5(AMRMIYR*=n+T?c;mHOJbH^DArk6ydqu$k*#4pBNi4v<Hry%37Jr`{tmTXNtk
zJ?l_PWule1wB-oH<HbW0ZmI(EBvI<UFD*Z#-cOv7>ZS4AvoE7v<8KS<)T!|?<cF7{
z0C^ge;QE}<OCzjW%krJ$mi31<9|Y7ut#IyFd{Y|vR|z1`N=QGb^{FQd^lc)kHTlaM
zT!FJnmGcOe0g3j`R189}c@bL`TWVm|fX#HJ?yvEjZbs5mZOjK=N{s1jTm9kmd9d^Q
z!IO12D4ey55&ok@xTW>_75-jbTLSWH$f{>pb(U^AFdm+LYw<DrLjn|BjdU^*L#8>!
zjxSGpt&oGvy?9Qw9AL+j_hA2+J%*z<G49Q<MX*_T2A=Tj-87=2>=!7DBn2l8puPb2
zyNi}Dnm@h>o3$Hz2J`WYQf%vVh^-!sa0>e|(SluHLP$e48qKxIW!uP*C7qBwuOuKf
z^q_qW77>yzy_+^L|M_UvO^veHn{O5DJcK=2w{9Hir|x9etu~`$=b}?#2G$R%?IrL$
zPAE}!x=z-xKAeU}s2Ec#JD($Z1}@%aeosjS#&1%;KS8hz-Osv?skH7ihC0eNmxrI>
z9584H3akIc3U+?ogMx~N-?xX&bt{_j4+|u&<5u`6t~z|Csdh8BiJ=1P$Ni)xz9F*l
z5_{GWCylDM42xY9G;6bxN$C>A>)U^VpaI4cSlK4|gUWjP-X!xGM?>x`o?!uj`LYlR
zIqOp>?KC^s{>CINpjf=oFu`%%UHvGtNgwj4<ll7rcK%EM^XQD^G+6$p1vQ?DB_19m
z45?n;_;aM>REhJU8S-5G@w)0Mb`RMG#*<b$*oL`4cHXXI3HwtXw@rd+U}#dx@tF`>
zXPbhZWe3P-(30<+L<|3{mRYKhybUxz6fLp;u3fy<IVs>Ro1E_m<g=;s#z7={!`!|<
zTr!L{&aFP|kgL5o!Pr{OMB(JQ5Ci#~xz%PCU1vO+tHTYRx)A6>A-=mZm?Dp&71(88
z%1>oLzH<ii-QkiN#`ixiHN?I4^mG>i4R<eh1@+k4P-$gTgFwDZROfz@ww&HOrr|lj
zNkYqQx8geS-pbqcQP3i~nGmf1?f;~8eS%R;Qn`aaY!x+&$enL8doAzMQV6HJO+1tZ
zmT%+i5STT`sLlh$;oofAiiA_~5Dw-Z{Z~tSxg1A6d4T!<MC^%eD+ObBgs0||Z)DfW
zCVU>D%{h{LO2Rm<#N|aWF#ew$`Y$MKjj}=WSFfS*&~pe$7L`{csR$1>Uq!7RKZ4C4
zw$l@CqB;hXT24c!0;f#vdU3S!#$OoV+h$6$Zic(Nf%<1b#imjQh+h>fhjuX5A=>E*
z;y0jh@v3<vsc2(;nZeHQHQBtu;9&}ekl?5{Nx@Rt_?Eqf4_n)M+=7*xlwM3SQ2!>@
zX2~Hog;&2ofw8LuDTQLK+H8edM9YU~icisJ8Ek!*2{kXCH|hBG_jY^C^Q#Dq!uU+}
z6x*{sW~o4e{y`pC|C<9*Ej#ZiJRGztc`ef8+ShBxj(sz?{%JN~jJL5W1g!r;ayddK
zu|F#Me(n6$rcq(ILBLPLlH)yMYrmDkvWufGF#gn?PsyLY`~U1We2t}3jlhZ|Bi>aH
znL~}}^C~EtK?IAZXxY7ap!16g#}9;uRt@I9;;JXCBd;nPOOBI9P_i)#P@l`jLVKM_
z+;xL!Y~pq&*ZrqrO@?Yu%cCnCCohCY@;4xF|3w_>s)}3Hq6+Cx-EuEAoBSct33s1*
zI3)Xg1e0O~kk?j+ePbDN$QdDSk3awW*qpZ2TX;OH<ohbw1g4&nCs_WNmSg9i_Pybf
z%NEh$rrA4{)_Ef|xIZaZ8Gh>q34L`5)L)(8+w4KxsjY(v`|g<kC~@0or&g%Z<wfI9
ziX&gyHUQ)gAh>n9&|uU84j>fW8`^FQ)Glms6DUf&HS{dEsNr6KJaNP7*wqNu^w)-@
zSZs$s45<m|JMa{C%PO>HOxC_mVEqV`+N%RPJ>E{lH|L}tSD3GpWd?Lhr7z}lO*KZ`
zFsxwxvXnA}2by)(l_F|Ian83NzBvpbi;KoE>?ba5g(1YwVDsu&<?~hC2c@aql0!Py
z4v{@PzVGOFQWIYf9F_WuG*Xd)@n<k`WPUBakC-!WmBnn8)U+br6E&<oZ4e`#An@ik
z_5$+IchYppk>OphE6}>gh+jETrcsustfpg)Q7GV9<0`^{JnWJ$t^>P@ft?oGVsK_-
zuLFIH0u+0)`w2bQZ~Gn`uzC!koigI^kVuaFRS?%u(X!SzEsN3me5=BKXubDMUQ97i
zpA0`C^n6|SY7H__ybY~7fIT!6vJI8vl|S92SK0eC3CMq7{!T((w*j3<i^W=IhlDh}
z24xVTyq7Y1&RpBp@A3)A3(ua_x%IHg<Nq>IyAIxETSK`egv=DPf;|7G*g>7+2ILK<
z1`6G}HK2O_RBzj}cc=a6u!Y0j;vrsd+uOc<;seVcbEmmGV!BSHLzS~v4Y%?jGtrE+
z07Ao83dZDs_d_vY^G2KYqd9@-P?U!TKj)|CVsg3dt*CHp>~<2;iB$=SB(V8_W1n51
z_i<u+T6!wcP_=Um4k_&S<LM@yc;R}}QSz=pVEpk$w@-t+o=t1k$>BKq<eQFlu0JZ&
z=120-_0jPEFl_<(1QW}mb17b~xB1QQ*d%wh7SxJIBxAx+nzSID5ZRuTfqYsqA)=U=
zA?kJX(vTu!WqhW~i>T-3&Kw<`zpDXN09bvJRiog#Xmz_#n%3Q^CzAC=4rU`tvi~f`
zH3=y&?v)E{KAHPn5WRx{xrgl`KD%I`f}P;BpGUkHm71ckG0d{?h!Gf1%R=LRh?jT}
z8l<<^_R{C7<FsKqv|3Y5ehD6#W5v~LAm0x86Z(C-QMNC!zfJ9DlF>+IyepP-jQFP*
z<Q<!8DX{gr?_-)qZ?Z4WO_QEu+3mNQC_7t6FY|WP1TO7v5q!%?p#A_8<}k{%ZuIq2
z!pjv&xDZ8EkabDqI%B&>N-y$l_&ksw$}ui(;oc$oVkV;Giw|o_FvUk>H)qQpPe?R8
zvrP#$-(EJ2Y@`W6FbnNvZ`|ozxqqt^z-!?|nb}JJrC5%f=oY9CgUs8{ec1H7a*4Jj
zjy<rr|4!a)_bW~tN$FP@<!{n=Kps;hf5JN+X8lf9LsC-C(zjnx9^X#8r1NYsKPeeG
zX#&X8hPz)fM`c@&-$4%Z>&d5USE64(*Y?Sa;Uq8!w36WhdFG;VOES{B@2dw)Dlc0$
zr*C-+H)HmP<}l;wH57Kuz~*~G3u7B}PVVvk)3Q97vqYLma#3w!TotKXt`qKJDr@^d
zeFZ3-=bgv!w3!j4j|)E=uq58iet3SHcs@h)XT31oGaJZj)Bj=bjPyKi7tN+7d9oBy
zfY{}zl)EGCO%rdrM2p}7@)?U&`3t^E?=fOJUF}(9@chH32Tn|+<g808O4a|g{RHwQ
z2&I0Co%hNNGX9S#N9*fE54Gcskv`nqqnE^3`@|tYzH=VI8Zu9ZD_D7Gncd}krkaUk
z+pCKKBOB4jLQQ2lu=&z>hKvwwe3Nyz>a!__>e$8n<<vW8;~8;ADuWH(%}FpnTsVtq
z4&1h`d6LTugpY>_TT4Q!m>_v$SETy%V#i6t4~*wmJ{HL|o=@GDArr=piah~mrR6nD
zzCe!^h$dbtd=RYu+@W@?sdPlwktX&me}KA3{yEhYcymY-RNpR`k6>5>_I$z~l}+y%
zyez!8Cvg_HNwPC2*lUyezPgzt;R`J`&k-1Z9@Z66gl*z;;E0p1%J_TZy7!)Fi0RR&
z^-8P5^uQRbKD<3h{AD}PxArJ4rHx3DWr*$3Bv&|Fzb(BkqlXFA$qn4!`L~$ylbRoL
zqS<9l(cWG|`L*oBDO9|7LrZ#e)qBEa2J%!m%s3(n-(KaPU1pGtLfvSB3EMuw;>6pZ
zy~SUTY|a4k366wc4NV){S^N<%2|_RmZB=T1*rqy#9r++*%DIz+t*5JzuYTn@gb;<>
z%;((^Ss;z^Z`egqfsffSNn}6bnsR{p85*bZu)C6tc@#+qMXE+eA?=j1gv&N3XsJE>
zWY3cUKwjb-A+fueu?+J8A}^C(7sVEtTd#p9BSHX+TIEIvS{{&p?BL9~PT9MC>)4=B
zjKGqIhFau*p_o2oj?)aQ1%2}o$Zz{yKcl^pclY+_7j=IQ*Cl;XEj^s#)04CildXKM
z0;^|ae{LrtDKcim(nm?R#iyobAwi}!;Xsqh8W%66k0Z7M^|c}{%inV3^AjxBL(lp(
zJQY3M!dqYdZdq7vc}Gdf0X9E`@RLo!Qp2vpLKL7d6=0&;?yb(=X<S29FGzb&^`T%1
zsK25A6Y(?Q2I_R3YmRMfu(|n{!%USr>EaplJX)ctp>-fHd8013Ie21%LcKRcWu(0c
z*%@fyHvln@i;i?grP?qC<ZC?YgpBoxdeVI)Bx*<#q$#6e7bvHGLN^!P+2j1#Hv{s6
zS~~?Lm1@#CA1^ltWh?3Cawfgvg}8DZ)Y{nwG>Bz^{Na+*_|)15_Kl)%#xjbVBl-D~
zG<1o>T#5o6sgnZl^?|(UjK2W&r{(?lz|76Y2V9AXtf##!#Q=Nrlg6Lzo)OPLo>o|S
ze?~fwz*n2Ud(-QkV--v1?3*jE6Zd5N=7e<R6Ci&&H?Hbvi&1fUl5;Sob4r`Jm{h@Q
z@n+U&#N|&fdG-$=A74E<kn!2MRH}EDOU&rHmO-<Gy11YGSz&*<UA=?~Y<@LnQdXa!
zlL@OS<ke#l@qs-PW_!hg6hHXQ(^tsyr8TgA1V4O9x`cGijyZLD6rzf_f>`Uog!9S~
z>!2@Tp=!JC5EzdoTHr^OW{CtP*yww%Lias7NiOH6l?7ka==U`B&y~hNp0s*_QM#jE
z>7(eTqo8Hg1nXDnn>kt?UhHs`0a?m5uz3Q-l~2UgzR#KW{Cis-p0&SsX{z(;&$r-{
z6N(A0e~_I5^{J6I+CounK1PToEP#GQ5$7Y^rHnFeAxP7ygx-^-YXN!gyquD0&9I<U
z&PF}McE+JH!QvXf{VLan8uV}Equ})$FQ|X7jB31j+N6;iN)M}U1Y=Rm|4O@iJk#sN
zNDvMz9>K$hS<=<QXMzk2nBX<pzM*#&-=dt-HN}X$c~H5>RDkh_C#wy_5{aY6QHI1l
zakGrMx7*2;a)#1IRCq+Kc3yzZ_cRIQo#E8B2o^Z-0z)tEksHmJ<yYJtTs{rMh4!%>
zf$gs@Lvu$I-bU-MR~LO#^SvC`8mu?H4*uszT3K9z5UnY|c>I3-fg6w;05KJdyK(Rl
zymVnU5P#c)lke@tJHuev@CWh<!bgPiR+l%6jI>{7X5W_4{`mUc3g_9^SNU9wO8*ti
z|C4U11TyTuu8_)R7OcI6F*2jwAF_tNYTuV3s7Fd_1DpR;lZ-`Hc+32v7%YENNOham
zN$^Qb$JIi+J^^K-@zSUT7*F?D5svs3vPyNyrx|{4?q=^LdQY4{xk1h1uz{X?kwPHf
zPv^_gUv@swqiAng;Wn4~ZjULGYmM6G_1G={Y{V4o{@sX6b!1GV7@?YjV`!%Q&^}4!
zeyPh1JxhC0BMTjS#u`w6g;d)>sUSw6sjlXzO3L}#M0)6{%QYtqsonW>kF6D~|6OT#
zJ0AI6cQ524;ydvH^BjGeGQZR7!J1%(6vs;%3$T7_lW66sQsP5Gw3J)=!YO2&Qrf$c
zx(JyKlNh3uH_B0zz<BmJA*kO`67@4nIIGsNges8NdyAQ6GP~~%+I)GPiV_C$H%mtg
z{nXH~T(fBH+!yDoEUKKzz0$hkzg4y0YfvwL2lBT>JuT0hZTm#7<2-A$%~+;6@=0;u
zz4O!^rFbT&A2)&gi+DoS+-|L@sF5RzgA`rhk9w*v!X<A5KTc8w-1#P219@!Y=2q$Y
zG69ddwBx%eB+z|^uLj)?!Z|9hj>?d{S3Ho%#Ym6gpV%b7dY4*u;03k+xbVUEraJ0H
zWwMdBcpw%mKe_aqhhObvCe=-Xd6`4&Pl{g^Y8^82DCp*gU3mTN*n#>I_r=$NSfOP@
zZg<vy=!1WZC6C+n9v^I`+a{d;i0*n1<dq7?<XWkEj3aww4y-qrIxKn0M_8#$>)^<B
zPHY(qmVvyQ1xsHGs(&W$4q}6t%db;M>S4QIdKbC!i{C-TVei4_3GN?0YOO!+o1a&&
zwv{%zd(|k`d(cCn`ELssKD>Pm1Y3VSp_1F+3#zw`BcD-gm|v7EwOrYAN8ujc^zioK
zQ@e5j;|ZZwgNQ(69c(6aTEECG#?oGdIx@M@5>n~?C;)*kxC-QBl-a(0QuA!COZQ89
z`2tgqh;C`PWk?}ne5=xgC*TiOpT{nhL%+${{~<il4ni!bdsS0<W6Bgo_4M`S6>15o
zlMbk##4-BI9<ty>o{he#V3yQccK#estOwNyr@2k@-S1-`AfNf0T6j;OvO_JnU2Mhl
zcN6?Od<FSl_n|4aqdSSSjshTG^zF~~+c|CJC+&t%(5nA0-~DL9%IKK0G8%4+v~Aug
zAYT@=FQC?Wfiqf=#7c*D;B)PlHbT-dz-OH#xJ90g47R>EkblZSwWv=v5?rii{7~O0
zHLqzIDsX8o`UTSx6U*;2P=6{~Y%}Ds96BZYij7X+UFF=D)po{>-*mA{7fBM11k6tk
z5DGa@EilhN6Vr^fjdjbHENr1SqpM)oQB+bBcJ!hE^$&-Mynhs}BNxRm7R6eBj5Tpo
zyB9Qt^x4rRICHjL1dIO#WXKVVMl#S}0_}fJv_3ybCg#+lkI1=9u`a>Von->lH!;-2
z;ip9V61?(b@`)%nn|IknB>AYIHI%l4MxcYB5y<<)P)#-OxTI2)Fgj*cjFA0(Kq}?l
zSdCJ80aAs*>)kw%ho-&%h1IBZ{<Ul)$O-y=i=Lo-(D$UUXJrDT2FiPFu;;a)*To@d
z_(Ta3Q!jFyq})aV^AVn5?L_+#Tjw~)SUte{9XOrj)*}dRPx@cY5}O-ov2uIe_{!XF
zajmtk=qLQV2Ecd_?=4bUdt++**%OXs_)J=^JgB1e2DdAai)lDlI^TiKXOQ^F9nTdy
zyJ2(*Tn|*+BY*rtK)kb@6{F<-`ggh$9}Cn+GK7b(yyB6!Ughw_$=H-sYJy!pHV74A
zQJYuaqgm(y@^~7t+gT2_%R8=`VigY-aHI9w)D?HE6YeK__Y_3XVCM_Jud&rMX|gYc
zIO5ly@T>$LoS@!_hxYLh2WONMjC>SO|IN)XG}59F$886E<yJ_i3)dCvoLZQRjw3wj
zT3EJ)JCJ{?n-##$EWX)x^RNV(js5y~`0@%X<rsftEHZG8{-_4zS(U$S!>XxpCwzom
zcAd7Z()@&`GSgHsS^hjV+aa-`0OUV3Pd0s)RUcQ0(6V84dWfMz=;*ZIeWB(S?_}LR
z3+Mpy+!d#E91*1FsawtO+lNv}YN`ljtv;bLWzqJlb7)$E)f>{1PK9p@3)eV~*wh@>
zpW9haa8!}xp|UUjv`(5^MJEFFKZRimi)T_iw(+;$@fVkmgbEfel|_&dFfTImI5#PP
z`KQY8a$l(97m%&!so&Z6C_25^6PiTD->Hvug67ZGPgp>G-TGm3(R$^|j+6FaSJyPG
zI0zI1j%fG6wo8uU3~Okxd4fsc>Ub1L_YZP=&Fb)6N=a!q$pyDBVdU_KL&QjWW3c=&
z1C3(tEn^^xppvsRT_=Bzgey-wycPrvAJUgQyk{~8#$%^Esdd9%mnDxghUKkcrUajp
zo;Q)+?&E!p`}xfYJD5K^G(nzme*Ed+=4jKRpe5{`MxoBn6kZkLb!}d(aBuYp)OVYl
z9yL~o^M4icUSqZF<M=gORo35BT%IDf!erc>2UeeZBQCWfJ2v-CToz$(bM(y?=(x0p
z2><TDYZ%zF`f08T)b~r308KZyOcexg9bizf{H{GCp!72q@kG=y50&Dt1-t(eyr}0H
zfxTeU`tj&e60K^jAC8}<<c|76r~%F)vZGQAs2_%JiMwyw38xghOlTlU%*(fCa+ZRr
z0{#1S=zD>U=nRmLZg{B<zqv`Qv<`DHh5BG~Ss6?z6H>v%Ep=PHpM8D|<l~Eil&nO!
z2DJv)<{}n*zq?{&<>(0{Ddqlj8JJg80-Nt8d_tU^&M|M@1sSge&Nm~g&t2f;bHPps
z8Pj~HT7KpL>gQv4ewI&4&sKv`n2jveI>u7RAnaeh+eE%(BsOvCU;y%kpqD*uI8Qxf
zml0GX5WHDG<gv@fbe8;<(8U5W{~$Dwuam0J4aD4%q<PxFivf+ldo%goq|+|IY5yzh
z;62nTSiRKhf%`KLmd3Bx+%H-fo9Qk=Nzsp?Kxy8TTT5vEY8LGLwu`+)&q#Ohs_af2
zrJV=tqkm80W2cRY3cWjNxIQHVtLJ-FynjQfLBW?<$XLa42=3s#S+V4Tq9j?zc!~>6
zc83ARKXtD|QhJzBnfl!>66Z6m6uDo{5A-1rZCenHk2cK=*!<^52j-JO*7K?H+pHuM
zcik$zF>acRDL&m7L6Xc18P0B?{?80i8VBc8WK<tPR1*W&Ye#{(3!ZqzsAE2Ba)$5;
z93X#`?btgNs;e(n@v3IGh&8`1sEETFrhGnqerkWFZXOKeFUP)DLTITiY%v#m<#v%C
z?!q$sD$2OM>ir;!zZUj28OYyDNoXL2<-<Y=<UVAtqi`+#2pki3dLSo09uPhEFaxX4
zpO8DKEswN+^Ot2`83#;=-0Zhmv8@=j&=?}X@8|k!1NBi*+=KkSnjOPv1!Qb)AuX8x
zMx_0D)^fW`%^&OT_S^vE(Znbis&4*10=dmfYD6y12^+pq&+93P*0_qXVlvzC4aj4!
z6a-7Wbn!*L{j+@>ZWO(_^xJzr@zdv?Dzt<#MJh1AA}JQ+Ve}Rr1!Xunnl>8b-Qg9z
zf8q^;VmD;+tf|QK1nN^gFLZ-~r}oNzhwCbFQz0Y$+8D7{&)qRlB_S@oIRNY5-^q5U
znK(ouPt@LLqyNI@i3o&#vQr>e8i$j3x`RLi^M`lVICLYcT*(370%ZDY!l+hg&!%eI
zp{&|Z^CyJATlE9uVIaz#xDBZzR-`l`@k&;fsbeko4wI)egpLYX5jYT#1M+MZX2Y+&
zEjBIR7+~!WA|obn*{7#L$mu<9J5Imr;=Ta+_isN%pl8Ru`u1uoClXyb(p2Q;TcHsL
z*aYOoQcO4M0eN26)OAD8HBdWl=irneAI)2owD-yfs-#}f*6}k~{-Z!%1&-_%HG$5K
zMQrICSM}*rSLnLbiq1iiVnTTt>um?v{T+4l^dXd2<t*1Z{%*#^9Sl877pYA_<+&vL
zC=b3eR3@OlrbKNW3Cr>%_YlqOUbpn0WqragI+i-YPZ-x}s&n6|fV{3*_giEV*t<J|
z_;B;0<Uu4*1+^BOL0&;H=J7jpGie}ipsZbvBVq6?Ig#TTr1N+|-e__9>{mkjJLpFw
zPoEw=khdTz6qa{4qz>p%%&I{i$9sCm#M8cHlqY~TMo;%U84k!>Z(gO_p?oyw&G(_R
zK?)X&opv3{sSEl;*Kd0o7aIrmyoB}3iXrrs%J)dE$$5N!MPpA%@2^Pp*zYRy^Lf9`
zwSm<GPL@wPSGl7jA#7dQhG-9nklj@KEKKa-&1yB5zE09${gLyxY;v2CFT}H{KQdzI
zQk$wId>oG+Y~K{F;+&vWppydQ_jYnDL3P-W^k_*!!IKhOw&7IXC`goMr6M8GYjqF2
z0`h)z3{x?qUize$M~<EM%a&NBZh`GY#43IvgW6t#7hvmG0CVjl(<M)Mij-q^RX09)
zQ=D}!MT(kmGcA+`(q$u9zZ{^GUcHk(P4i+ZIlRI6j3gai?nLF?PNnpRi%Z(koF5oZ
zBuHDY%lq^1Z3;Qhl{kDO;TtG)Dg{2AT`G=LPo@uG`JYIj{Z1srne6Lj`q<Jn{18Gy
zRT5J!A3ee{^~YEH46u48@j?AApJ5L2BSEc>o5r@hTR@#Q`$&LH(J1H}`NIk#FrH+b
z+edZfv}pKet2$5OvXAIHqOW66WW|i3j%8x{H(>R1ZfBXQ^pEyje(imT`w<%jEmU`g
z%av;+OGkF+Or0P2K>aGbHByEGhg5FGx8}V5=e?n4zKZkg53gp+PB*r(`e6C?_py_?
zR|q1fbJpGVt}YUrcAxa{vZq~YLZ#wUNK>V0pnj82%MZRpz2mByDbdg5)*<%-l;XD4
z@(X8fcV(M|@X<hiz#fkfZm&U!n#YjiL!y+&<SYT#Mog^Sh@C4Z+nx;A`a9v2I@=Fd
z^}Lg7zxeZ-36Up`<#?+S*0n8!(|(gk04(382!B6MS<YrdEKyle)$%>?Y48~Y=LeeZ
z#vN)~m&;)T<C(|rfl<=-YILCrGIXEXB!4l*@d#>jimZerecR=-2ljlz)^s@Wg+q$C
zI4q2ha{$_6<`(J;I&M-;`$eFAQD_g?d}e>SvtuYq>r?}Uu9<0!A=ND_%Dj$VVr|B`
z<?<U#To*8&%d{^J`I${Z<&gugKI<bvZl!rE-~MdiRJ0=cB&unF-G6yqG>`RRh~{Gz
zYQWv6ZQnQLQ`zF33x8$2F>vQVh~oz8i=(}c(2OZ-di)r86(AHekS)Wq;!OOV_B||N
z%qfEnZ2l0t=Eg=VS0P;(tZ$v~wUz7ma*8OP_KuLn*hxw{atsNmKkb+6gNQ-(<xBtV
z`2DZS`?@&jq8Sf^dtA6bIX7IfXF#5T0xB>6y^;;dWNuhhc+&62{D`oA8luQh2Xm7(
z<z;mskNxG^>-0$lzp0sXt1!Si?nl_7T#yA$ef{a^i*+Fy7+-OwM4R}CQBR4`FslL?
zY~VE-rkxAD%fYK~<ErM95Czn~QbBP0_|mw%e6+VN9vtGraEv}pr~P5hNs&nWUJ@z{
z$Y)rSsHW&VeMk?@TBWx~vzl;yYwlpB-T9SH`**l7CD`$?QjzleouFyqCK9zCCtioQ
z<UH_D`k}G&nUf#(rso_?-v(c<*G$m+$&U1^j)PO?%T{yn7S0ag-fcPPj<N^>tlt?=
zDVp2Zpx635qcM6#)yHP0d=xD<xBX}>7HXKa9aaX6f7N?rb`^6QrefXJkR~XOqn@hS
z{{pn;#ZDStcvoluR=<VAO`~}ISoejTCBHRe$K*Z4+YEA1b?cObvZh{n7YcSiV#=g1
zg<>)|{c+iF_a0Ss5JuGW1aa7)1Z8-j00Q5&2pA7tB3!J3fgO{h^5KsFyfQz^L_xXU
z=1BD}v5eNhlPh~5zvPa8Z-iL4L$2bEFs{aPgc9qsDNN<TBf=FDNFWm04CE)snd4}b
zPh3XN%7?UbxX(%+Pu1Xz4?)`j8m^P?nZTa^@k+k<q{ms8B}(6h(8VkO0pjXmJXR*f
z%lU}fgu;O*1=OFOE4||F*cVZdwxwCSHox>juzRF5p^Zn+Pjs@i*ZmFTFTTyp4~o0{
zZ!I@F#x}{!g*VO@*p38U_au`<Ugac%{XWh?K&WZ+22RsXAkt&0oM!N&$hgisqY=sP
z>h%e1&TSMxeF{}MGTz^}Onh@`b3V6*xIHfj`Q2t*=GRL@J;tk_!PcXP>u81J!=)Wv
zha!!^?n?(3ZT1*FgFHUlYb3$A8HQP)e!JA0rR$iscwB{4K8dcNCKGsT+lG43x2Z!?
z88^5Iuz3jXFP1xDb9E0SCE<RKI~NuBPj{G@NIFbr4T?Sp?~uTbPhE%Z&F%2PU64K&
zz6rX>{zC3EM0y{+RK#!wvYSJn8!#U3{htwI=@~6!j4kgLUlP!iG)MQ`<y4kfZ6Qn`
zKNkuEd2$2>1IUNPpKIiH3TxlY3>h&W5C^82D0G6v^zn1AegSz>r{AkrtayA`8KXuF
zD4bcz<XLdBKO@9b$gp&OSx)2ud4yRW%{mVqiNYZCZ`)#=;nX-AucIAjSd=vVDsy=+
zBtSk_nFIr=Cz>`$u!^tvdy7#gHr3oE!2^FzeLW8RSgtXUcXDT@3m7<?MajoUow1@{
zSE*|{RK$ALUok+z;NDIm1oGkrrQwbOw@V%kGEg|e)T5tm6o!YK&oph>KJJP8@q-=z
z753?ZTdLI0=f{f5p1zf>ktZ0Z3_|4D=$}@<uUmbZ1nR@ZAFa%R=+wGBu=+xX-+$x_
z(Z;Bvw8U(G8Cl4Q!~yH?9#NBU9hBl}?8Mc7_I-$2qIJ&`p-@nRFJs#sB-qUZ^OG!@
z2m94p10?nx;qUJ(R;TE@bS=Eing`e-Be2tMR>0P;8<MYUtpzxH%J*FDH>(NeLvZ_~
z{we!Epm1wf`=%Yh?mtR)Jw{j9bU7!T?gVjLH4v4}n<VQSI5$6y@uA{xHI)PR*Luw5
z2u_QmwS3efW0gllWpbAQJHcY06AwP^VNZY#tUkoZPVi@vKPip6gCBpiG!x4n6126=
zn(4A4KbtcWL4g74Zy5}SV1D&=_9vs^ep4I5a3jsy0S7S~KFF~YwO^611mtJw-l}^0
z(%_U0`x!4xa+CcsL43xJp4>FSI;XV3ee?tJ)&@j#bnlkj;*hM65H*8xtU82#R8ie(
z<%Q@QI~lwV19=1_Ltoa;Q3&BGP@}%w;nBf}W@i&cW1|lBB=#u*6Ij0!X=}cuS&P1y
z7S!FUI-Q<1n-mANs<!R$1b<9ceyafq)Tb3@$)|-XOv<#+Qw&QN5)XXUCpA0DR$+8c
z6=bd^cm?uj`gR4A<~Gf$vKa&IoJ+pO4++ZW?;56W2-tr*AIlO0d2IcN3Lc-K=r@<#
zs&Q~)t7_kwvyVL%cI9%66RVi^z~(cz#lo6n7}iGRCMiF{4IUN`97Nl)otc?w-)sw$
zn5%%@A77hRTR^;^Z@~W}m%nVg!xa!vIHUmzs#Y6ZhrRtx0Cs<YG~rqBOsJhf-|hae
zknCOGLD*D61F4evnTOV{ASPQDF#cD|=}rwpsl1k8o0_neAo5<^MF-Ln@isG&1C7{l
znI#|}O}b(!_;HqRXgAJ=(f1`Kw#TC!D%riQEwk*Fzx84p$m<HX<oQVuz-=b@zRU=v
z@b$3>eqi=;5D~mbQ*Di00jr;*4?_*)?KvqT4OSFeT-gcI1KfnG4irC6t8^02dSsLU
z^_Sl|eW*mm8taBxUkd!&!VC4RYB**6_%?>W9{=q<F)xrmX^!Z1+I*DPSGdtsE7GDh
zU#hH|GO&p}yNJ=HW}LJG^3uf@d7miHp3XQ>QBNIB<S5GiKD;uJciy0pY#+6W4-Moi
zmurKddLFaGW~Iox&KzYDaU`5q5j82#bmE`{{1?F17tfx~&&gioEmY83H$IZCDu@wb
z%>6kCKW~kcgc{F$!Tg^|qc00KZ&zA@B5Jqp+KsA<u1#X%*M;BO9?Z$0m!Kgqo*f#v
zxHeC*Q4`z&-*g9$z~FqNwD}QppO=~$C;xZ9+JXFJ^C&7$OAx>E+uJ2Y8{x+c<m|5$
ze~blRtAE4#<mE~N`9WzR{cm6G^2M8*(5gFvBHW=}+XOD}_=UZ`G-_?<Cjt5KNBU44
z`FawQk~&B6w)uOIx~R2dV%O(Y+qU|g5<IZ$J;&F<xi4Ty$x3X9t*x}54e1w(+iJX9
zbgyJmINgn|E>J&<j02YOS+CZnLO0G!;v(QD?IPuhM%9*b>vm-0mvjjrzdg9C8_Y=}
z$kI{pmh{4b>;b{`_@1Z&eraz<vph<?2FRZwa${F?^2@g97Gk^LXGW<Oq;v2=*X+V-
z79AYVqV)m!hRtvo>iZBcXQD(Bn3qIXY($#r_#&DCl~()xg4h<Yeql1dp*Si2n=O%v
z<R_8nb}d;iT~Vn6&&fl-Mo}N*<!7M&i0=!mbJ}lciUoR$Z<q-T2j`J6dWVC1o!Zfa
z!VC2&KtA`)FJmPRc0yI1k{%NcanWj0Zi18VK37bCx)Sz@c{G5$(VhF-m$Gz^2;<lH
zEzZIrK4mOCvD+KMrf2=Qd-~{L^&9fQg*#V_a0PT;SatAp3^#~z{FnVe)dr=}@$=r=
z#Vt^OtGdsjRm1WlY10q6DEyF}ogv)mDm`(Sj-Em~QJyrg^JOJUdpy2lyNnrkH7~)m
zO}B_#3c_3WwEOf>lgJg+p#s$3lnq~%e4h=gYHlu7wEd87qZ(^6@EpoRs6Zkl5jF4q
F{{XMjn*RU*
literal 0
HcmV?d00001
diff --git a/debian/rules b/debian/rules
index 316a7b7727..0f217730ea 100755
--- a/debian/rules
+++ b/debian/rules
@@ -167,7 +167,8 @@ endif
# Usage: $(call enroll_vendor,<var-template>,<output-file>,<uefi-arch>)
enroll_vendor = virt-fw-vars --input $(1) --output $(2) \
- --enroll-cert debian/PkKek-1-vendor.pem
+ --enroll-cert debian/PkKek-1-vendor.pem \
+ --set-dbx ./debian/DBXUpdate-*.$(3).bin
# Usage: $(call enroll_snakeoil,<var-template>,<output-file>)
enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) \
--set-pk OvmfEnrollDefaultKeys \
@@ -262,4 +263,18 @@ get-orig-source:
edk2-$(DEB_VERSION_UPSTREAM)
rm -rf edk2.tmp edk2-$(DEB_VERSION_UPSTREAM)
-.PHONY: build-ovmf build-ovmf32 build-ovmf-cvm build-qemu-efi build-qemu-efi-aarch64 build-qemu-efi-riscv64
+update-dbx:
+ rm -rf debian/DBXUpdate-*.bin
+ set -ex; \
+ tmpdir="$$(mktemp -d)"; \
+ git clone https://github.com/microsoft/secureboot_objects $$tmpdir; \
+ for arch in amd64 arm64; do \
+ bin=PostSignedObjects/DBX/$$arch/DBXUpdate.bin; \
+ date=$$(cd $$tmpdir && git log -1 --pretty=format:"%cs" $$bin); \
+ cp $$tmpdir/$$bin debian/DBXUpdate-$${date}.$${arch}.bin; \
+ done; \
+ rm -rf "$$tmpdir"
+ sed -i -e '/DBXUpdate-/d' debian/source/include-binaries
+ ls debian/DBXUpdate-*.bin >> debian/source/include-binaries
+
+.PHONY: build-ovmf build-ovmf32 build-ovmf-cvm build-qemu-efi build-qemu-efi-aarch64 build-qemu-efi-riscv64 update-dbx
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
index 2d863865bd..862b8adda0 100644
--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -3,3 +3,5 @@ debian/legacy-2M-builds/OVMF_VARS.ms.fd
debian/legacy-2M-builds/OVMF_VARS.fd
debian/legacy-2M-builds/OVMF_CODE.secboot.fd
debian/legacy-2M-builds/OVMF_CODE.fd
+debian/DBXUpdate-2025-02-24.arm64.bin
+debian/DBXUpdate-2025-10-16.amd64.bin
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* [pve-devel] [PATCH edk2-firmware 6/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys
2025-11-06 15:42 [pve-devel] [PATCH-SERIES edk2-firmware 0/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys Fiona Ebner
` (4 preceding siblings ...)
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 5/6] Initialize the Secure Boot dbx in *.ms.fd with the latest revocations Fiona Ebner
@ 2025-11-06 15:42 ` Fiona Ebner
5 siblings, 0 replies; 7+ messages in thread
From: Fiona Ebner @ 2025-11-06 15:42 UTC (permalink / raw)
To: pve-devel
This fixes the issue with the Microsoft UEFI CA 2011 expiring in June
2026 for new EFI disks. What still needs to be done is giving users a
way for (or automatically) enrolling the new keys to existing EFI
disks.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
...nrollDefaultKeys-with-Microsoft-2023.patch | 613 ++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 614 insertions(+)
create mode 100644 debian/patches/OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch
diff --git a/debian/patches/OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch b/debian/patches/OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch
new file mode 100644
index 0000000000..2d0fcd2bcc
--- /dev/null
+++ b/debian/patches/OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch
@@ -0,0 +1,613 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alex Haydock <alex@alexhaydock.co.uk>
+Date: Thu, 30 Oct 2025 14:25:57 +0000
+Subject: [PATCH] OvmfPkg: Expand EnrollDefaultKeys with Microsoft 2023 keys
+
+Expand EnrollDefaultKeys by adding the 2023 Microsoft Secure Boot
+keys to the existing keys already being enrolled.
+
+Signed-off-by: Alex Haydock <alex@alexhaydock.co.uk>
+(cherry picked from commit 05429cbe91118e9123d9556652635d47ebec7d08)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ OvmfPkg/EnrollDefaultKeys/AuthData.c | 519 ++++++++++++++++++
+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 12 +
+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h | 12 +
+ 3 files changed, 543 insertions(+)
+
+diff --git a/OvmfPkg/EnrollDefaultKeys/AuthData.c b/OvmfPkg/EnrollDefaultKeys/AuthData.c
+index 53ee7f7003..8a215bc29c 100644
+--- a/OvmfPkg/EnrollDefaultKeys/AuthData.c
++++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c
+@@ -136,6 +136,136 @@ CONST UINT8 mMicrosoftKek[] = {
+
+ CONST UINTN mSizeOfMicrosoftKek = sizeof mMicrosoftKek;
+
++//
++// Third KEK: "Microsoft Corporation KEK 2K CA 2023".
++//
++CONST UINT8 mMicrosoftKek2023[] = {
++ 0x30, 0x82, 0x05, 0xb2, 0x30, 0x82, 0x03, 0x9a, 0xa0, 0x03, 0x02, 0x01,
++ 0x02, 0x02, 0x13, 0x33, 0x00, 0x00, 0x00, 0x13, 0x14, 0x16, 0xb8, 0x61,
++ 0x6d, 0x82, 0x82, 0x4b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x30, 0x0d,
++ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++ 0x00, 0x30, 0x5a, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
++ 0x13, 0x02, 0x55, 0x53, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04,
++ 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++ 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
++ 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d,
++ 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x53, 0x41,
++ 0x20, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x20, 0x52, 0x6f, 0x6f,
++ 0x74, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x32, 0x31, 0x30, 0x1e, 0x17,
++ 0x0d, 0x32, 0x33, 0x30, 0x33, 0x30, 0x32, 0x32, 0x30, 0x32, 0x31, 0x33,
++ 0x35, 0x5a, 0x17, 0x0d, 0x33, 0x38, 0x30, 0x33, 0x30, 0x32, 0x32, 0x30,
++ 0x33, 0x31, 0x33, 0x35, 0x5a, 0x30, 0x5c, 0x31, 0x0b, 0x30, 0x09, 0x06,
++ 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1e, 0x30, 0x1c,
++ 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++ 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61,
++ 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2d, 0x30, 0x2b, 0x06, 0x03, 0x55, 0x04,
++ 0x03, 0x13, 0x24, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++ 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
++ 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x32, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32,
++ 0x30, 0x32, 0x33, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
++ 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82,
++ 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
++ 0xe3, 0x5e, 0x88, 0x8b, 0x73, 0x2c, 0xc3, 0x0a, 0xc4, 0xe9, 0xf5, 0xce,
++ 0x81, 0x2d, 0xf1, 0x0f, 0xf1, 0x26, 0x35, 0x37, 0xd1, 0x49, 0x53, 0x71,
++ 0xb1, 0x5b, 0x93, 0x52, 0xaf, 0xe1, 0x15, 0xdf, 0xde, 0x8b, 0x39, 0xbd,
++ 0xaf, 0x4c, 0x65, 0x75, 0x53, 0xe5, 0xda, 0x0a, 0x32, 0x98, 0x2f, 0x33,
++ 0x26, 0xb6, 0x2b, 0xbe, 0x94, 0x99, 0x9f, 0xec, 0xda, 0xc2, 0x8e, 0x05,
++ 0x34, 0x92, 0x13, 0x0f, 0x63, 0xbf, 0x74, 0xa2, 0x72, 0xa8, 0x29, 0x7e,
++ 0x9f, 0x32, 0x21, 0x29, 0x08, 0x59, 0xc4, 0x77, 0xc4, 0x2a, 0x92, 0x4c,
++ 0x87, 0xb6, 0x03, 0x37, 0xeb, 0x9a, 0xe2, 0xc3, 0xc9, 0xb4, 0x48, 0x21,
++ 0xc3, 0x61, 0x94, 0xea, 0x17, 0x51, 0xb1, 0xe7, 0x14, 0xe2, 0x24, 0x63,
++ 0x2e, 0xd5, 0xf2, 0xc6, 0xa5, 0xf2, 0xa2, 0x5e, 0x1f, 0x69, 0xc6, 0x51,
++ 0x0d, 0xa7, 0x29, 0xfb, 0x52, 0x0a, 0x9b, 0xe3, 0x88, 0xe8, 0x68, 0xff,
++ 0xbb, 0xfa, 0x92, 0x69, 0xaf, 0xc4, 0x16, 0xff, 0x5d, 0xe5, 0x5f, 0xe0,
++ 0xdf, 0xec, 0x66, 0x55, 0x0b, 0x61, 0xc2, 0xac, 0x3b, 0x20, 0x6e, 0xdf,
++ 0xb4, 0x0d, 0xeb, 0x2b, 0xc8, 0xd0, 0xc2, 0x34, 0x4e, 0x82, 0x96, 0x39,
++ 0xee, 0xf1, 0x31, 0x85, 0x04, 0x3d, 0xef, 0xd6, 0x76, 0xfb, 0xc3, 0xca,
++ 0xc1, 0xd5, 0x8c, 0x2f, 0x0b, 0x10, 0x28, 0x9b, 0x48, 0x9a, 0xb0, 0x10,
++ 0x14, 0xa4, 0xd9, 0x94, 0xe5, 0x68, 0x5b, 0xcd, 0x6e, 0xe7, 0x7a, 0xec,
++ 0xbc, 0xa0, 0x49, 0xb8, 0xa9, 0x53, 0xd8, 0x4d, 0x2f, 0xb2, 0x7b, 0xc8,
++ 0xda, 0xbc, 0xb2, 0xe7, 0xfc, 0xab, 0x70, 0x10, 0x77, 0x95, 0x45, 0x49,
++ 0xfd, 0xad, 0xd2, 0x3f, 0x17, 0xcb, 0x66, 0x9a, 0xf2, 0x7d, 0x36, 0xdd,
++ 0x0a, 0x2c, 0xe2, 0xc0, 0x87, 0x21, 0x2d, 0x93, 0xdb, 0x08, 0x96, 0xd2,
++ 0xe8, 0x5c, 0x54, 0xe1, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
++ 0x6d, 0x30, 0x82, 0x01, 0x69, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f,
++ 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x10, 0x06,
++ 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
++ 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16,
++ 0x04, 0x14, 0xe0, 0xab, 0x72, 0xbc, 0x96, 0x3e, 0xff, 0xb8, 0x66, 0x9b,
++ 0x7d, 0x10, 0x5a, 0x43, 0x3e, 0x5c, 0x42, 0x54, 0x87, 0x5f, 0x30, 0x19,
++ 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04,
++ 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
++ 0x41, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
++ 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d,
++ 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x84, 0x44, 0x86, 0x06, 0x00,
++ 0x98, 0x3f, 0x2c, 0xaa, 0xb3, 0xc5, 0x89, 0xf3, 0xac, 0x2e, 0xc9, 0xe6,
++ 0x9d, 0x09, 0x03, 0x30, 0x65, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x5e,
++ 0x30, 0x5c, 0x30, 0x5a, 0xa0, 0x58, 0xa0, 0x56, 0x86, 0x54, 0x68, 0x74,
++ 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63,
++ 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
++ 0x6b, 0x69, 0x6f, 0x70, 0x73, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x4d, 0x69,
++ 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x25, 0x32, 0x30, 0x52, 0x53,
++ 0x41, 0x25, 0x32, 0x30, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x25,
++ 0x32, 0x30, 0x52, 0x6f, 0x6f, 0x74, 0x25, 0x32, 0x30, 0x43, 0x41, 0x25,
++ 0x32, 0x30, 0x32, 0x30, 0x32, 0x31, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x72,
++ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x66,
++ 0x30, 0x64, 0x30, 0x62, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
++ 0x30, 0x02, 0x86, 0x56, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77,
++ 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++ 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x6f, 0x70, 0x73, 0x2f,
++ 0x63, 0x65, 0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73,
++ 0x6f, 0x66, 0x74, 0x25, 0x32, 0x30, 0x52, 0x53, 0x41, 0x25, 0x32, 0x30,
++ 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x25, 0x32, 0x30, 0x52, 0x6f,
++ 0x6f, 0x74, 0x25, 0x32, 0x30, 0x43, 0x41, 0x25, 0x32, 0x30, 0x32, 0x30,
++ 0x32, 0x31, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
++ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02,
++ 0x01, 0x00, 0x85, 0x02, 0x06, 0x12, 0xfa, 0x67, 0xae, 0x4f, 0x39, 0xa9,
++ 0xb8, 0x34, 0xdc, 0x5d, 0x2a, 0x78, 0x19, 0x7b, 0x38, 0xee, 0x9c, 0x82,
++ 0x8f, 0x1b, 0xe2, 0x3c, 0x3d, 0x32, 0x0a, 0x5e, 0xbf, 0x58, 0x06, 0xe7,
++ 0x6f, 0xf8, 0x8d, 0x18, 0xa8, 0x1b, 0x84, 0xf5, 0x9b, 0xca, 0xad, 0x8b,
++ 0x08, 0x44, 0x0e, 0x26, 0x8d, 0x2c, 0xd8, 0x5f, 0x6e, 0x23, 0x25, 0x07,
++ 0xfa, 0x5b, 0x4c, 0x26, 0x2e, 0x76, 0x31, 0x43, 0x2e, 0x6e, 0xe8, 0xc8,
++ 0x31, 0xc1, 0x4a, 0xd2, 0xf2, 0x02, 0xb7, 0xa6, 0xf1, 0x75, 0xe4, 0x96,
++ 0xed, 0x06, 0xe2, 0xca, 0x95, 0x78, 0x44, 0xa8, 0x33, 0x76, 0xd4, 0x2b,
++ 0x4d, 0xd7, 0xbc, 0xdc, 0x87, 0x3b, 0xab, 0x4d, 0x29, 0xad, 0x96, 0x89,
++ 0xb7, 0xd5, 0xc2, 0x8f, 0xab, 0x46, 0xc3, 0x5d, 0xb3, 0xfd, 0xed, 0xa5,
++ 0x9e, 0xf5, 0x76, 0xb7, 0x2b, 0x85, 0xff, 0x98, 0xa1, 0x9f, 0x6b, 0x1c,
++ 0x9b, 0x3e, 0xf7, 0xee, 0x0e, 0x17, 0xa3, 0xfd, 0x36, 0x2f, 0xe1, 0xcd,
++ 0x28, 0x98, 0x1c, 0x40, 0x99, 0x26, 0xca, 0x03, 0x8d, 0xa6, 0x35, 0xea,
++ 0xd2, 0x0a, 0xa7, 0x8b, 0x16, 0xae, 0x21, 0x01, 0x00, 0x1e, 0x27, 0x0f,
++ 0xb7, 0x0e, 0xb2, 0x42, 0x31, 0x56, 0x2e, 0xe6, 0xf8, 0x8e, 0xea, 0x0c,
++ 0x34, 0xf0, 0x4e, 0xdf, 0x70, 0x30, 0x69, 0x04, 0xd1, 0xcf, 0xd3, 0x9c,
++ 0x64, 0x46, 0x6f, 0xcc, 0x21, 0xcd, 0xcb, 0xef, 0x05, 0x32, 0xbb, 0x08,
++ 0xa6, 0xd8, 0x9f, 0x45, 0x38, 0x5d, 0x4e, 0xd2, 0x9c, 0x92, 0x89, 0xe9,
++ 0x73, 0xe4, 0x7a, 0x08, 0x35, 0x1e, 0x4f, 0xa6, 0xc2, 0xba, 0x6b, 0x3e,
++ 0xb7, 0x1f, 0x54, 0x34, 0x49, 0xfa, 0xb4, 0x7a, 0xcb, 0xda, 0xa0, 0x1f,
++ 0x59, 0x81, 0x2b, 0x2a, 0xf6, 0x88, 0x26, 0xb0, 0xfa, 0x6c, 0xf2, 0xeb,
++ 0xc1, 0xd8, 0xae, 0x41, 0xe1, 0x6f, 0xfc, 0xbf, 0x13, 0xe8, 0x6e, 0x14,
++ 0xe7, 0xe7, 0xc7, 0x03, 0x8b, 0x40, 0x99, 0x10, 0x38, 0x06, 0x6d, 0x70,
++ 0xbd, 0x01, 0xc8, 0xde, 0x8d, 0x56, 0x1d, 0x38, 0x0f, 0x4f, 0x23, 0xa8,
++ 0x25, 0x40, 0xde, 0xbb, 0x28, 0x2d, 0x43, 0xaf, 0xa4, 0xbc, 0x20, 0x83,
++ 0xb5, 0x06, 0xf9, 0x05, 0x21, 0x9f, 0x3b, 0xb9, 0x79, 0x0d, 0x70, 0x6b,
++ 0x53, 0xc0, 0x75, 0xc2, 0x1b, 0x10, 0x13, 0xb3, 0xe4, 0x6f, 0x09, 0xa8,
++ 0xcf, 0xd1, 0xb7, 0x0e, 0x71, 0x5c, 0xb7, 0xc9, 0x8f, 0xe5, 0x1c, 0xf0,
++ 0x13, 0x55, 0xd9, 0x93, 0xb9, 0xae, 0x5d, 0x3f, 0xca, 0x0b, 0xb0, 0x59,
++ 0x6a, 0x45, 0x4a, 0xc3, 0xe1, 0xe3, 0x27, 0x78, 0x0d, 0x16, 0x81, 0xfc,
++ 0x58, 0x2d, 0xb1, 0x41, 0xba, 0x18, 0x0d, 0xcf, 0xf0, 0xef, 0xab, 0x08,
++ 0x1e, 0x4f, 0xf8, 0xfc, 0xc6, 0xfd, 0x4b, 0xdd, 0x1d, 0xef, 0x30, 0x25,
++ 0x50, 0x39, 0xa3, 0xdf, 0xfe, 0x3f, 0xb9, 0xfa, 0xeb, 0x96, 0x97, 0xd0,
++ 0xcd, 0xf9, 0x04, 0x26, 0xfb, 0x0d, 0x48, 0x19, 0x08, 0xd8, 0xe1, 0x93,
++ 0xc1, 0x50, 0xc7, 0x6e, 0x6d, 0xd8, 0xd0, 0x6b, 0x8e, 0x95, 0x72, 0x64,
++ 0x50, 0xc9, 0xed, 0x55, 0x89, 0x6e, 0xc1, 0x4b, 0xa2, 0x06, 0xd4, 0x32,
++ 0xb5, 0xa9, 0x6d, 0x65, 0x01, 0x7a, 0xf1, 0x52, 0x57, 0x18, 0x05, 0x30,
++ 0x5c, 0xb8, 0x28, 0x66, 0x11, 0xb7, 0x7a, 0xf0, 0x71, 0x4e, 0x86, 0x61,
++ 0x60, 0x7a, 0x6d, 0x56, 0xc7, 0x5b, 0x09, 0x3e, 0xa2, 0xef, 0xd4, 0x0e,
++ 0x9e, 0x92, 0xd3, 0x1f, 0x99, 0xf6, 0x9d, 0xb1, 0x1d, 0x78, 0x78, 0x6b,
++ 0xff, 0xe8, 0x2a, 0x04, 0xaf, 0x78, 0x67, 0x3e, 0xf0, 0x2a, 0x0b, 0xa7,
++ 0xe0, 0x5d, 0x01, 0xe9, 0x87, 0x99, 0x35, 0x30, 0x90, 0xed, 0xd7, 0x45,
++ 0x6b, 0x9c, 0xcc, 0xe6, 0xa2, 0xe4, 0xe6, 0x17, 0xa7, 0xdd
++};
++
++CONST UINTN mSizeOfMicrosoftKek2023 = sizeof mMicrosoftKek2023;
++
+ //
+ // First DB entry: "Microsoft Windows Production PCA 2011"
+ // SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
+@@ -395,6 +525,395 @@ CONST UINT8 mMicrosoftUefiCa[] = {
+
+ CONST UINTN mSizeOfMicrosoftUefiCa = sizeof mMicrosoftUefiCa;
+
++//
++// Third DB entry: "Microsoft UEFI CA 2023"
++//
++CONST UINT8 mMicrosoftUefiCa2023[] = {
++ 0x30, 0x82, 0x05, 0xa4, 0x30, 0x82, 0x03, 0x8c, 0xa0, 0x03, 0x02, 0x01,
++ 0x02, 0x02, 0x13, 0x33, 0x00, 0x00, 0x00, 0x16, 0x36, 0xbf, 0x36, 0x89,
++ 0x9f, 0x15, 0x75, 0xcc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x30, 0x0d,
++ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++ 0x00, 0x30, 0x5a, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
++ 0x13, 0x02, 0x55, 0x53, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04,
++ 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++ 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
++ 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d,
++ 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x53, 0x41,
++ 0x20, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x20, 0x52, 0x6f, 0x6f,
++ 0x74, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x32, 0x31, 0x30, 0x1e, 0x17,
++ 0x0d, 0x32, 0x33, 0x30, 0x36, 0x31, 0x33, 0x31, 0x39, 0x32, 0x31, 0x34,
++ 0x37, 0x5a, 0x17, 0x0d, 0x33, 0x38, 0x30, 0x36, 0x31, 0x33, 0x31, 0x39,
++ 0x33, 0x31, 0x34, 0x37, 0x5a, 0x30, 0x4e, 0x31, 0x0b, 0x30, 0x09, 0x06,
++ 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1e, 0x30, 0x1c,
++ 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++ 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61,
++ 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04,
++ 0x03, 0x13, 0x16, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++ 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x32,
++ 0x33, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
++ 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
++ 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbd, 0x22,
++ 0x2a, 0xae, 0xef, 0x1a, 0x31, 0x85, 0x13, 0x78, 0x51, 0xa7, 0x9b, 0xfd,
++ 0xfc, 0x78, 0xd1, 0x63, 0xb8, 0x1a, 0x9b, 0x63, 0xf5, 0x12, 0x06, 0xdb,
++ 0x4b, 0x41, 0x35, 0x6a, 0x6f, 0xab, 0xf5, 0x6a, 0x04, 0xcc, 0x97, 0xcf,
++ 0xbb, 0xd4, 0x08, 0x09, 0x1a, 0x61, 0x3a, 0x0d, 0xe6, 0xb3, 0xa0, 0x46,
++ 0xff, 0x09, 0xad, 0xde, 0x80, 0x24, 0xdc, 0x12, 0x80, 0xf2, 0x5f, 0xd9,
++ 0x16, 0xed, 0xe2, 0x42, 0x9d, 0xcd, 0x2f, 0x4d, 0x61, 0x02, 0x61, 0x8a,
++ 0x1c, 0x4b, 0x1d, 0x18, 0x62, 0x39, 0x86, 0x97, 0x71, 0xad, 0x3e, 0x7f,
++ 0x5d, 0x71, 0x13, 0x4b, 0xe9, 0x2a, 0x00, 0xc1, 0xbe, 0xd5, 0xb7, 0x00,
++ 0x9f, 0x5e, 0x65, 0xb2, 0x2c, 0x1a, 0xff, 0x74, 0xed, 0xea, 0x83, 0xd2,
++ 0x39, 0x89, 0x33, 0x35, 0x73, 0x7d, 0xa0, 0xa2, 0xfa, 0x40, 0xe4, 0x66,
++ 0x50, 0x58, 0xaa, 0xfc, 0x87, 0xe8, 0x5c, 0x20, 0x83, 0x34, 0xec, 0xab,
++ 0xe2, 0x0b, 0xc5, 0x5f, 0x3e, 0xff, 0x48, 0x2b, 0x11, 0x91, 0x26, 0xef,
++ 0x18, 0x6e, 0x57, 0xc5, 0x9f, 0x18, 0x73, 0x99, 0xef, 0xe1, 0x6a, 0x74,
++ 0x2b, 0xbb, 0x2f, 0x7f, 0x50, 0x8e, 0x1d, 0xda, 0x3d, 0x76, 0xb6, 0x04,
++ 0xe5, 0xcc, 0x2e, 0x10, 0xc7, 0x83, 0x1b, 0x83, 0xa3, 0xe4, 0xa5, 0x13,
++ 0x13, 0x71, 0x6e, 0x33, 0x78, 0xa3, 0xa8, 0x3c, 0xec, 0x48, 0x26, 0x5e,
++ 0xc7, 0xc6, 0x5e, 0x0d, 0x87, 0x9a, 0xaa, 0xcc, 0x55, 0x34, 0x81, 0xad,
++ 0x9d, 0x90, 0xf5, 0xe6, 0x96, 0x63, 0xa6, 0xe8, 0x07, 0x20, 0x17, 0xc8,
++ 0x93, 0x1e, 0xd2, 0xae, 0xa4, 0xdc, 0xae, 0x7d, 0x59, 0xbf, 0x88, 0x5e,
++ 0x62, 0x0c, 0xae, 0x5b, 0xf2, 0x29, 0x40, 0x56, 0x1d, 0x26, 0x40, 0xde,
++ 0x85, 0xa6, 0xad, 0x56, 0xd1, 0xcf, 0x55, 0x47, 0x76, 0x5f, 0x9c, 0x39,
++ 0xdb, 0x03, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x6d, 0x30,
++ 0x82, 0x01, 0x69, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01,
++ 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x10, 0x06, 0x09, 0x2b,
++ 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01,
++ 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14,
++ 0x81, 0xaa, 0x6b, 0x32, 0x44, 0xc9, 0x35, 0xbc, 0xe0, 0xd6, 0x62, 0x8a,
++ 0xf3, 0x98, 0x27, 0x42, 0x1e, 0x32, 0x49, 0x7d, 0x30, 0x19, 0x06, 0x09,
++ 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e,
++ 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30,
++ 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30,
++ 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
++ 0x18, 0x30, 0x16, 0x80, 0x14, 0x84, 0x44, 0x86, 0x06, 0x00, 0x98, 0x3f,
++ 0x2c, 0xaa, 0xb3, 0xc5, 0x89, 0xf3, 0xac, 0x2e, 0xc9, 0xe6, 0x9d, 0x09,
++ 0x03, 0x30, 0x65, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x5e, 0x30, 0x5c,
++ 0x30, 0x5a, 0xa0, 0x58, 0xa0, 0x56, 0x86, 0x54, 0x68, 0x74, 0x74, 0x70,
++ 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f,
++ 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69,
++ 0x6f, 0x70, 0x73, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x4d, 0x69, 0x63, 0x72,
++ 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x25, 0x32, 0x30, 0x52, 0x53, 0x41, 0x25,
++ 0x32, 0x30, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x25, 0x32, 0x30,
++ 0x52, 0x6f, 0x6f, 0x74, 0x25, 0x32, 0x30, 0x43, 0x41, 0x25, 0x32, 0x30,
++ 0x32, 0x30, 0x32, 0x31, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x72, 0x06, 0x08,
++ 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x66, 0x30, 0x64,
++ 0x30, 0x62, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02,
++ 0x86, 0x56, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77,
++ 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63,
++ 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x6f, 0x70, 0x73, 0x2f, 0x63, 0x65,
++ 0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
++ 0x74, 0x25, 0x32, 0x30, 0x52, 0x53, 0x41, 0x25, 0x32, 0x30, 0x44, 0x65,
++ 0x76, 0x69, 0x63, 0x65, 0x73, 0x25, 0x32, 0x30, 0x52, 0x6f, 0x6f, 0x74,
++ 0x25, 0x32, 0x30, 0x43, 0x41, 0x25, 0x32, 0x30, 0x32, 0x30, 0x32, 0x31,
++ 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
++ 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00,
++ 0x07, 0x60, 0x13, 0x2a, 0x53, 0x87, 0x12, 0x0f, 0x1a, 0xf3, 0x5a, 0x14,
++ 0x95, 0x17, 0xe5, 0xd8, 0xd7, 0x95, 0x54, 0x9b, 0x8b, 0x0e, 0xdd, 0x91,
++ 0xa5, 0xed, 0xc7, 0x5d, 0x47, 0x50, 0x93, 0x45, 0xb7, 0x95, 0x88, 0x5f,
++ 0x17, 0x19, 0x41, 0x63, 0x76, 0xb5, 0x82, 0xb0, 0xa8, 0xc5, 0x9d, 0x99,
++ 0x15, 0x36, 0x89, 0x49, 0xbe, 0x12, 0xc2, 0x66, 0xfb, 0x83, 0x0c, 0xb0,
++ 0x81, 0xce, 0xe5, 0xa4, 0xab, 0xc2, 0xa0, 0x9a, 0xeb, 0xf5, 0x07, 0x3c,
++ 0xfe, 0x21, 0xf8, 0x9a, 0xdc, 0x19, 0x21, 0x0c, 0x9e, 0x24, 0x2c, 0xd1,
++ 0x5c, 0xa2, 0x16, 0x0a, 0x4b, 0xeb, 0xec, 0x48, 0x9c, 0xb1, 0x5b, 0x74,
++ 0xdb, 0x01, 0x64, 0xc2, 0xe3, 0x80, 0x6a, 0xab, 0x1a, 0xcd, 0x77, 0x1b,
++ 0x6a, 0x39, 0x9a, 0xb7, 0xba, 0x70, 0x44, 0xff, 0x67, 0x94, 0xc5, 0x81,
++ 0x06, 0xf0, 0xcb, 0x81, 0x04, 0x93, 0x27, 0x21, 0x99, 0xbd, 0x87, 0x88,
++ 0x14, 0x9c, 0x22, 0x71, 0x0e, 0x0b, 0x2f, 0x5c, 0xbe, 0xb8, 0x90, 0x54,
++ 0x7c, 0xc0, 0x1e, 0xbc, 0x2b, 0x9b, 0xa3, 0x56, 0x17, 0x4b, 0x97, 0xe7,
++ 0xe3, 0x7f, 0x13, 0x34, 0xfa, 0xb0, 0x34, 0x6b, 0x9b, 0xf6, 0xb2, 0x2d,
++ 0xf7, 0xd8, 0x7b, 0xd8, 0x20, 0xd3, 0x5c, 0xa7, 0x95, 0x4c, 0x4f, 0x2a,
++ 0xf9, 0xe7, 0x1e, 0x68, 0xaf, 0xfc, 0x6c, 0x8f, 0xc8, 0x86, 0x3d, 0x9f,
++ 0xc8, 0xd1, 0xef, 0x4d, 0x1a, 0xc8, 0xd1, 0xf6, 0xfd, 0x2d, 0x7c, 0xe3,
++ 0xe8, 0x41, 0xc1, 0xea, 0x27, 0xc1, 0xfb, 0x8e, 0x25, 0x86, 0x5a, 0x89,
++ 0xa6, 0x10, 0xbe, 0xce, 0xe3, 0x8f, 0xa5, 0x7b, 0xc4, 0x1a, 0xa0, 0xe8,
++ 0x75, 0x90, 0xfd, 0x21, 0xb0, 0xc1, 0xa3, 0xc5, 0x16, 0x23, 0x5e, 0x3c,
++ 0xce, 0x2f, 0xfe, 0x8c, 0x98, 0xbf, 0x08, 0x5c, 0xf6, 0xb9, 0xc5, 0xb2,
++ 0x3c, 0xb6, 0xcc, 0xc8, 0xec, 0x7f, 0xd2, 0x77, 0x74, 0xcb, 0xed, 0xf3,
++ 0x96, 0xc9, 0x8b, 0x8d, 0x1c, 0x2a, 0x89, 0x0f, 0xa3, 0x8f, 0xbd, 0xce,
++ 0x2a, 0x85, 0x46, 0x9a, 0x23, 0xa2, 0x8f, 0x42, 0xc0, 0x99, 0xd6, 0xea,
++ 0x85, 0x1f, 0x61, 0x19, 0xbe, 0x16, 0x35, 0xb7, 0x75, 0xa0, 0x95, 0x80,
++ 0x65, 0x06, 0x87, 0xd4, 0x0b, 0x35, 0xc8, 0xc4, 0xaa, 0x0e, 0xce, 0xa2,
++ 0x0a, 0x63, 0x60, 0xca, 0x4b, 0x2b, 0x5c, 0x27, 0x04, 0x82, 0xaf, 0x3e,
++ 0x58, 0x83, 0x7a, 0x5a, 0xd8, 0x67, 0x3f, 0x10, 0x53, 0xf5, 0x0c, 0x16,
++ 0xf7, 0x26, 0x4b, 0x8a, 0x80, 0xb9, 0xc5, 0x1f, 0xa0, 0xde, 0xd8, 0xd3,
++ 0x61, 0x44, 0x14, 0x45, 0xa7, 0xf5, 0xab, 0x9a, 0x88, 0x17, 0xfd, 0xb7,
++ 0x94, 0x54, 0x02, 0x8b, 0xe4, 0xb7, 0x53, 0xa1, 0x3e, 0x8d, 0x9e, 0x50,
++ 0x82, 0xa8, 0x00, 0xe0, 0x78, 0x94, 0x1b, 0xbe, 0xb3, 0xc4, 0x30, 0x1f,
++ 0xb2, 0x0e, 0xdb, 0xf0, 0x46, 0x90, 0xc1, 0xe6, 0x57, 0xfe, 0x7c, 0xc1,
++ 0x70, 0xb2, 0x1c, 0x4b, 0x64, 0xd9, 0x10, 0x03, 0x1b, 0x34, 0xfb, 0x66,
++ 0xcf, 0x82, 0x6e, 0x9e, 0x40, 0xa8, 0x11, 0x37, 0xf2, 0x65, 0x8b, 0x21,
++ 0x09, 0xaf, 0x3c, 0x93, 0x62, 0x3d, 0xf3, 0xbc, 0x83, 0xdd, 0x3f, 0x55,
++ 0x90, 0x15, 0xd2, 0x31, 0xaf, 0x11, 0xe7, 0xf8, 0xca, 0xa0, 0x82, 0xe1,
++ 0xb9, 0xcf, 0xb3, 0x57, 0x93, 0xc7, 0x55, 0x37, 0xac, 0x7f, 0x41, 0xbf,
++ 0x1f, 0x96, 0x3c, 0xf3, 0x26, 0x94, 0xf9, 0xd8, 0xd2, 0x55, 0x24, 0x8a,
++ 0x8a, 0xb6, 0x41, 0xf0, 0xe0, 0x16, 0xc0, 0x23, 0x92, 0x8c, 0x71, 0x0a,
++ 0x4c, 0x6a, 0x0d, 0x19, 0x55, 0xf7, 0x3a, 0x9c, 0x92, 0x21, 0x96, 0xa1,
++ 0xd5, 0xf8, 0x0a, 0x8c, 0x9d, 0xbf, 0xc9, 0xeb, 0xca, 0x88, 0x42, 0xfc,
++ 0x4b, 0xb4, 0xef, 0xff, 0x27, 0x30, 0x21, 0x61
++};
++
++CONST UINTN mSizeOfMicrosoftUefiCa2023 = sizeof mMicrosoftUefiCa2023;
++
++//
++// Fourth DB entry: "Microsoft Option ROM UEFI CA 2023"
++//
++CONST UINT8 mMicrosoftUefiOpRom2023[] = {
++ 0x30, 0x82, 0x05, 0xaf, 0x30, 0x82, 0x03, 0x97, 0xa0, 0x03, 0x02, 0x01,
++ 0x02, 0x02, 0x13, 0x33, 0x00, 0x00, 0x00, 0x17, 0xb3, 0xec, 0x4d, 0x8f,
++ 0x01, 0xe2, 0x70, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x30, 0x0d,
++ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++ 0x00, 0x30, 0x5a, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
++ 0x13, 0x02, 0x55, 0x53, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04,
++ 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++ 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
++ 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d,
++ 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x53, 0x41,
++ 0x20, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x20, 0x52, 0x6f, 0x6f,
++ 0x74, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x32, 0x31, 0x30, 0x1e, 0x17,
++ 0x0d, 0x32, 0x33, 0x31, 0x30, 0x32, 0x36, 0x31, 0x39, 0x30, 0x32, 0x32,
++ 0x30, 0x5a, 0x17, 0x0d, 0x33, 0x38, 0x31, 0x30, 0x32, 0x36, 0x31, 0x39,
++ 0x31, 0x32, 0x32, 0x30, 0x5a, 0x30, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06,
++ 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1e, 0x30, 0x1c,
++ 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++ 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61,
++ 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06, 0x03, 0x55, 0x04,
++ 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++ 0x20, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x52, 0x4f, 0x4d, 0x20,
++ 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x32, 0x33,
++ 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
++ 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00,
++ 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd3, 0x0b, 0xfe,
++ 0x89, 0xcd, 0xcd, 0xb6, 0xee, 0xdc, 0xe5, 0x1a, 0x8d, 0xdc, 0xca, 0x21,
++ 0x1a, 0x0f, 0x22, 0x2f, 0x0b, 0xb5, 0x32, 0x84, 0x35, 0xc0, 0xbe, 0x6f,
++ 0x70, 0x93, 0x55, 0xb4, 0x47, 0xcc, 0x49, 0x03, 0xc2, 0xfe, 0xcf, 0xba,
++ 0x32, 0x65, 0x64, 0xb7, 0x35, 0xbd, 0x04, 0x3b, 0x44, 0x64, 0x2f, 0xa0,
++ 0xf2, 0xdd, 0xe1, 0x5d, 0xba, 0xe7, 0xbd, 0x39, 0x9a, 0xbd, 0xcb, 0x4b,
++ 0xe1, 0x83, 0xaa, 0x1b, 0xe8, 0x6f, 0x4e, 0x4c, 0x91, 0x52, 0x43, 0xa5,
++ 0xc4, 0x50, 0x55, 0x68, 0xf5, 0xda, 0xac, 0x48, 0xa2, 0x9c, 0xec, 0x35,
++ 0xa7, 0x04, 0x56, 0x68, 0x19, 0xe2, 0xb1, 0x62, 0xd4, 0x92, 0xf4, 0x85,
++ 0x3f, 0x34, 0xa1, 0x15, 0x67, 0x87, 0x21, 0x6e, 0x1f, 0xc9, 0xd8, 0x35,
++ 0x32, 0xb8, 0x3d, 0xcb, 0x58, 0xca, 0x29, 0x43, 0x54, 0x4a, 0x7e, 0x8b,
++ 0x55, 0x7b, 0x23, 0x7a, 0x3a, 0xb6, 0x9d, 0x43, 0x07, 0x04, 0x6b, 0x9a,
++ 0x6b, 0xf4, 0xf0, 0x20, 0xff, 0xfa, 0xa6, 0xdf, 0xa2, 0x9e, 0x49, 0xe8,
++ 0x55, 0xc5, 0x75, 0x88, 0x44, 0xac, 0xa4, 0x41, 0x3a, 0x03, 0x7c, 0xbb,
++ 0xe9, 0x93, 0xe4, 0x6c, 0xf1, 0xed, 0x79, 0x26, 0xc7, 0x8b, 0x32, 0xf7,
++ 0x59, 0x49, 0x25, 0x31, 0x00, 0x67, 0x18, 0x0c, 0x67, 0xfb, 0x40, 0xc5,
++ 0x5d, 0x76, 0x3d, 0x09, 0x87, 0xc2, 0x2d, 0x8c, 0x5f, 0x2b, 0x5a, 0x1e,
++ 0x01, 0x0f, 0x33, 0xaf, 0x65, 0x08, 0x90, 0x4f, 0xfc, 0x64, 0x5b, 0x9c,
++ 0xa3, 0x5c, 0xd6, 0x53, 0x1b, 0x51, 0x01, 0x9f, 0x98, 0xcf, 0xc4, 0x53,
++ 0xc5, 0xb1, 0xdf, 0xb3, 0x68, 0x6f, 0x45, 0x4b, 0xc8, 0x45, 0x85, 0xc8,
++ 0x1d, 0xb8, 0x9e, 0xd1, 0x77, 0x71, 0xa0, 0xd5, 0xa2, 0x77, 0x87, 0xec,
++ 0x67, 0x2e, 0xb9, 0x87, 0x06, 0x46, 0xdd, 0x41, 0x43, 0x40, 0x6a, 0x5f,
++ 0x2f, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x6d, 0x30, 0x82,
++ 0x01, 0x69, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff,
++ 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06,
++ 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00,
++ 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x51,
++ 0x4f, 0xbf, 0x93, 0x7f, 0xa4, 0x6f, 0xb5, 0x7b, 0xf0, 0x7a, 0xf8, 0xbe,
++ 0xd8, 0x4b, 0x3b, 0x86, 0x4b, 0x17, 0x11, 0x30, 0x19, 0x06, 0x09, 0x2b,
++ 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a,
++ 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0f,
++ 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03,
++ 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18,
++ 0x30, 0x16, 0x80, 0x14, 0x84, 0x44, 0x86, 0x06, 0x00, 0x98, 0x3f, 0x2c,
++ 0xaa, 0xb3, 0xc5, 0x89, 0xf3, 0xac, 0x2e, 0xc9, 0xe6, 0x9d, 0x09, 0x03,
++ 0x30, 0x65, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x5e, 0x30, 0x5c, 0x30,
++ 0x5a, 0xa0, 0x58, 0xa0, 0x56, 0x86, 0x54, 0x68, 0x74, 0x74, 0x70, 0x3a,
++ 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73,
++ 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x6f,
++ 0x70, 0x73, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++ 0x73, 0x6f, 0x66, 0x74, 0x25, 0x32, 0x30, 0x52, 0x53, 0x41, 0x25, 0x32,
++ 0x30, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x25, 0x32, 0x30, 0x52,
++ 0x6f, 0x6f, 0x74, 0x25, 0x32, 0x30, 0x43, 0x41, 0x25, 0x32, 0x30, 0x32,
++ 0x30, 0x32, 0x31, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x72, 0x06, 0x08, 0x2b,
++ 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x66, 0x30, 0x64, 0x30,
++ 0x62, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86,
++ 0x56, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e,
++ 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f,
++ 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x6f, 0x70, 0x73, 0x2f, 0x63, 0x65, 0x72,
++ 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++ 0x25, 0x32, 0x30, 0x52, 0x53, 0x41, 0x25, 0x32, 0x30, 0x44, 0x65, 0x76,
++ 0x69, 0x63, 0x65, 0x73, 0x25, 0x32, 0x30, 0x52, 0x6f, 0x6f, 0x74, 0x25,
++ 0x32, 0x30, 0x43, 0x41, 0x25, 0x32, 0x30, 0x32, 0x30, 0x32, 0x31, 0x2e,
++ 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
++ 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x4a,
++ 0x4b, 0x80, 0xfc, 0x71, 0xb1, 0x87, 0xdd, 0x06, 0x8b, 0x24, 0x10, 0xd1,
++ 0x76, 0xf8, 0x10, 0xe4, 0x65, 0x34, 0xa1, 0xbb, 0x81, 0x08, 0x7d, 0x70,
++ 0xd4, 0x15, 0x24, 0xf9, 0x90, 0x3b, 0x48, 0x6f, 0x6e, 0x4e, 0x23, 0xfe,
++ 0x85, 0x53, 0xec, 0xa2, 0x99, 0x1f, 0x89, 0xe4, 0x34, 0xbe, 0xd0, 0x98,
++ 0xaf, 0xf1, 0xf8, 0x2d, 0xf3, 0x47, 0xd1, 0xb5, 0x32, 0x64, 0x9e, 0xde,
++ 0x72, 0xc0, 0x17, 0x7e, 0x81, 0x20, 0x7a, 0xc1, 0x5f, 0x91, 0xf5, 0x4e,
++ 0x3a, 0xa6, 0x7b, 0x69, 0xd9, 0xd0, 0xd6, 0xf0, 0xfa, 0x80, 0x63, 0xc5,
++ 0xc0, 0x44, 0x67, 0xd3, 0x8b, 0x27, 0x61, 0xc1, 0xe5, 0xdc, 0x51, 0x99,
++ 0x6e, 0x23, 0xc9, 0x29, 0x18, 0xfe, 0x35, 0xbd, 0x45, 0x21, 0xac, 0x0f,
++ 0xf9, 0x60, 0xe2, 0x0f, 0xd1, 0x5f, 0x70, 0x0f, 0x92, 0x2b, 0x58, 0x4e,
++ 0xcf, 0xac, 0x64, 0x2f, 0x09, 0x73, 0xed, 0x50, 0x08, 0xc8, 0xe1, 0x85,
++ 0x73, 0x40, 0x2c, 0x31, 0xa9, 0xb4, 0xb6, 0x23, 0x4b, 0xc0, 0x19, 0x3b,
++ 0xfd, 0x15, 0xf8, 0xd3, 0xcb, 0x74, 0x54, 0xcd, 0xda, 0xbb, 0x7d, 0x04,
++ 0x85, 0x9f, 0x70, 0x15, 0x75, 0xf9, 0xb7, 0xf4, 0x61, 0x4b, 0xfe, 0xe4,
++ 0x9f, 0x45, 0x0e, 0xf5, 0x82, 0xe9, 0xc5, 0xf3, 0x78, 0xbb, 0xaa, 0x6a,
++ 0xe1, 0xf7, 0xbb, 0x85, 0x92, 0x2b, 0xaf, 0x4b, 0xb5, 0x27, 0x4e, 0x9a,
++ 0xc9, 0x29, 0x6f, 0x0e, 0xc8, 0xd2, 0x64, 0x63, 0x9b, 0x5d, 0x14, 0x06,
++ 0xcc, 0x78, 0x7f, 0xe4, 0x12, 0xdd, 0x96, 0xe3, 0x9c, 0x04, 0x42, 0xec,
++ 0x17, 0xfa, 0x92, 0x21, 0xa7, 0xde, 0xf5, 0x69, 0x8f, 0x20, 0xb2, 0x64,
++ 0xf3, 0x3f, 0x15, 0xa3, 0x51, 0xaf, 0x27, 0x6f, 0xb7, 0x62, 0x57, 0xaf,
++ 0x74, 0x17, 0xec, 0xab, 0xb1, 0xee, 0xa8, 0x50, 0xef, 0xaf, 0x83, 0x82,
++ 0xab, 0x61, 0x04, 0x79, 0x3f, 0x49, 0x8c, 0x40, 0x56, 0xc0, 0x3c, 0xaf,
++ 0xfb, 0x2a, 0x5a, 0x19, 0x1e, 0xaa, 0xe6, 0x2e, 0x67, 0x24, 0x21, 0xac,
++ 0x33, 0xf0, 0xd7, 0x4a, 0x8b, 0x0a, 0x24, 0x30, 0x10, 0xa6, 0x52, 0x3e,
++ 0x1d, 0xc8, 0xfc, 0x91, 0x9c, 0x87, 0x1b, 0xfa, 0x86, 0xe1, 0x9e, 0x6b,
++ 0xe5, 0x09, 0x61, 0x75, 0xa8, 0xa3, 0x39, 0x5f, 0xe2, 0x9f, 0x6c, 0x0e,
++ 0x85, 0x21, 0xe6, 0xbd, 0x76, 0xa5, 0xea, 0x45, 0x83, 0x68, 0x1e, 0x2f,
++ 0x36, 0xbf, 0xe0, 0x68, 0x8a, 0x42, 0xce, 0x1f, 0xb8, 0x8d, 0xe1, 0x60,
++ 0xe6, 0x93, 0x8a, 0xee, 0xba, 0x4a, 0xad, 0xb3, 0x49, 0x4c, 0xee, 0xa3,
++ 0x03, 0xc9, 0xa7, 0xa2, 0x86, 0x71, 0x9c, 0x81, 0x01, 0x67, 0x69, 0x0f,
++ 0xde, 0x80, 0x55, 0xd6, 0xc0, 0xde, 0x72, 0x85, 0xc0, 0x46, 0x60, 0xf0,
++ 0xce, 0x60, 0x2a, 0x88, 0x08, 0x8d, 0x9c, 0x30, 0xeb, 0xa9, 0x8b, 0x40,
++ 0xf3, 0x61, 0x25, 0x09, 0xe1, 0xe1, 0x82, 0x32, 0x04, 0xa5, 0x29, 0xf8,
++ 0x59, 0xec, 0x26, 0xb6, 0xc8, 0xd7, 0x23, 0xf0, 0x0b, 0xd3, 0x6c, 0x63,
++ 0x6a, 0xda, 0x2f, 0xd2, 0xd3, 0xa5, 0x25, 0x9a, 0x9a, 0x5e, 0xa5, 0xfd,
++ 0x02, 0xa5, 0xec, 0xa2, 0x90, 0x81, 0x68, 0x3e, 0x3d, 0x45, 0x8e, 0x7c,
++ 0x05, 0xb2, 0x2e, 0xea, 0x99, 0x01, 0x45, 0xfd, 0x09, 0x30, 0x94, 0x26,
++ 0xd7, 0x4a, 0x2c, 0xfe, 0x7d, 0x82, 0x44, 0x33, 0x43, 0x55, 0xcb, 0x5a,
++ 0x43, 0xd2, 0x92, 0x92, 0xfe, 0x4e, 0x47, 0xc6, 0x49, 0x3f, 0x35, 0x1b,
++ 0x21, 0x9c, 0x6a, 0xda, 0x82, 0xfc, 0x64, 0x37, 0xfb, 0x27, 0xea, 0xf4,
++ 0x30, 0xdf, 0x65, 0xec, 0xd0, 0xfc, 0x50, 0x01, 0x38, 0x6a, 0xec, 0xdc,
++ 0x51, 0xf6, 0xf5, 0xee, 0x9b, 0x26, 0xcc, 0xee, 0x6d, 0xfe, 0x2f, 0x56,
++ 0x0e, 0x3a, 0xe8, 0x38, 0x22, 0x8e, 0xaa
++};
++
++CONST UINTN mSizeOfMicrosoftUefiOpRom2023 = sizeof mMicrosoftUefiOpRom2023;
++
++//
++// Fifth DB entry: "Windows UEFI CA 2023"
++//
++CONST UINT8 mWindowsUefi2023[] = {
++ 0x30, 0x82, 0x05, 0xaa, 0x30, 0x82, 0x03, 0x92, 0xa0, 0x03, 0x02, 0x01,
++ 0x02, 0x02, 0x13, 0x33, 0x00, 0x00, 0x00, 0x1a, 0x88, 0x8b, 0x98, 0x00,
++ 0x56, 0x22, 0x84, 0xc1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x30, 0x0d,
++ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++ 0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
++ 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
++ 0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74,
++ 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13,
++ 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c,
++ 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++ 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61,
++ 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30, 0x30, 0x06, 0x03, 0x55, 0x04,
++ 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++ 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
++ 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72,
++ 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17, 0x0d,
++ 0x32, 0x33, 0x30, 0x36, 0x31, 0x33, 0x31, 0x38, 0x35, 0x38, 0x32, 0x39,
++ 0x5a, 0x17, 0x0d, 0x33, 0x35, 0x30, 0x36, 0x31, 0x33, 0x31, 0x39, 0x30,
++ 0x38, 0x32, 0x39, 0x5a, 0x30, 0x4c, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
++ 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1e, 0x30, 0x1c, 0x06,
++ 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73,
++ 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
++ 0x69, 0x6f, 0x6e, 0x31, 0x1d, 0x30, 0x1b, 0x06, 0x03, 0x55, 0x04, 0x03,
++ 0x13, 0x14, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x55, 0x45,
++ 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x32, 0x33, 0x30, 0x82,
++ 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
++ 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
++ 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbc, 0xb2, 0x35, 0xd1, 0x54,
++ 0x79, 0xb4, 0x8f, 0xcc, 0x81, 0x2a, 0x6e, 0xb3, 0x12, 0xd6, 0x93, 0x97,
++ 0x30, 0x7c, 0x38, 0x5c, 0xbf, 0x79, 0x92, 0x19, 0x0a, 0x0f, 0x2d, 0x0a,
++ 0xfe, 0xbf, 0xe0, 0xa8, 0xd8, 0x32, 0x3f, 0xd2, 0xab, 0x6f, 0x6f, 0x81,
++ 0xc1, 0x4d, 0x17, 0x69, 0x45, 0xcf, 0x85, 0x80, 0x27, 0xa3, 0x7c, 0xb3,
++ 0x31, 0xcc, 0xa5, 0xa7, 0x4d, 0xf9, 0x43, 0xd0, 0x5a, 0x2f, 0xd7, 0x18,
++ 0x1b, 0xd2, 0x58, 0x96, 0x05, 0x39, 0xa3, 0x95, 0xb7, 0xbc, 0xdd, 0x79,
++ 0xc1, 0xa0, 0xcf, 0x8f, 0xe2, 0x53, 0x1e, 0x2b, 0x26, 0x62, 0xa8, 0x1c,
++ 0xae, 0x36, 0x1e, 0x4f, 0xa1, 0xdf, 0xb9, 0x13, 0xba, 0x0c, 0x25, 0xbb,
++ 0x24, 0x65, 0x67, 0x01, 0xaa, 0x1d, 0x41, 0x10, 0xb7, 0x36, 0xc1, 0x6b,
++ 0x2e, 0xb5, 0x6c, 0x10, 0xd3, 0x4e, 0x96, 0xd0, 0x9f, 0x2a, 0xa1, 0xf1,
++ 0xed, 0xa1, 0x15, 0x0b, 0x82, 0x95, 0xc5, 0xff, 0x63, 0x8a, 0x13, 0xb5,
++ 0x92, 0x34, 0x1e, 0x31, 0x5e, 0x61, 0x11, 0xae, 0x5d, 0xcc, 0xf1, 0x10,
++ 0xe6, 0x4c, 0x79, 0xc9, 0x72, 0xb2, 0x34, 0x8a, 0x82, 0x56, 0x2d, 0xab,
++ 0x0f, 0x7c, 0xc0, 0x4f, 0x93, 0x8e, 0x59, 0x75, 0x41, 0x86, 0xac, 0x09,
++ 0x10, 0x09, 0xf2, 0x51, 0x65, 0x50, 0xb5, 0xf5, 0x21, 0xb3, 0x26, 0x39,
++ 0x8d, 0xaa, 0xc4, 0x91, 0xb3, 0xdc, 0xac, 0x64, 0x23, 0x06, 0xcd, 0x35,
++ 0x5f, 0x0d, 0x42, 0x49, 0x9c, 0x4f, 0x0d, 0xce, 0x80, 0x83, 0x82, 0x59,
++ 0xfe, 0xdf, 0x4b, 0x44, 0xe1, 0x40, 0xc8, 0x3d, 0x63, 0xb6, 0xcf, 0xb4,
++ 0x42, 0x0d, 0x39, 0x5c, 0xd2, 0x42, 0x10, 0x0c, 0x08, 0xc2, 0x74, 0xeb,
++ 0x1c, 0xdc, 0x6e, 0xbc, 0x0a, 0xac, 0x98, 0xbb, 0xcc, 0xfa, 0x1e, 0x3c,
++ 0xa7, 0x83, 0x16, 0xc5, 0xdb, 0x02, 0xda, 0xd9, 0x96, 0xdf, 0x6b, 0x02,
++ 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x46, 0x30, 0x82, 0x01, 0x42,
++ 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04,
++ 0x03, 0x02, 0x01, 0x86, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04,
++ 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d,
++ 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xae, 0xfc, 0x5f,
++ 0xbb, 0xbe, 0x05, 0x5d, 0x8f, 0x8d, 0xaa, 0x58, 0x54, 0x73, 0x49, 0x94,
++ 0x17, 0xab, 0x5a, 0x52, 0x72, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01,
++ 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53,
++ 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0f, 0x06, 0x03,
++ 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01,
++ 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16,
++ 0x80, 0x14, 0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68,
++ 0xd1, 0x3d, 0x94, 0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56,
++ 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0,
++ 0x49, 0xa0, 0x47, 0x86, 0x45, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
++ 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
++ 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72,
++ 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d,
++ 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41, 0x75, 0x74, 0x5f,
++ 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33, 0x2e, 0x63,
++ 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
++ 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
++ 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70,
++ 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f,
++ 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69,
++ 0x2f, 0x63, 0x65, 0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f,
++ 0x6f, 0x43, 0x65, 0x72, 0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30,
++ 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d,
++ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++ 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x9f, 0xc9, 0xb6, 0xff, 0x6e, 0xe1,
++ 0x9c, 0x3b, 0x55, 0xf6, 0xfe, 0x8b, 0x39, 0xdd, 0x61, 0x04, 0x6f, 0xd0,
++ 0xad, 0x63, 0xcd, 0x17, 0x76, 0x4a, 0xa8, 0x43, 0x89, 0x8d, 0xf8, 0xc6,
++ 0xf2, 0x8c, 0x5e, 0x90, 0xe1, 0xe4, 0x68, 0xa5, 0x15, 0xec, 0xb8, 0xd3,
++ 0x60, 0x0c, 0x40, 0x57, 0x1f, 0xfb, 0x5e, 0x35, 0x72, 0x61, 0xde, 0x97,
++ 0x31, 0x6c, 0x79, 0xa0, 0xf5, 0x16, 0xae, 0x4b, 0x1c, 0xed, 0x01, 0x0c,
++ 0xef, 0xf7, 0x57, 0x0f, 0x42, 0x30, 0x18, 0x69, 0xf8, 0xa1, 0xa3, 0x2e,
++ 0x97, 0x92, 0xb8, 0xbe, 0x1b, 0xfe, 0x2b, 0x86, 0x5e, 0x42, 0x42, 0x11,
++ 0x8f, 0x8e, 0x70, 0x4d, 0x90, 0xa7, 0xfd, 0x01, 0x63, 0xf2, 0x64, 0xbf,
++ 0x9b, 0xe2, 0x7b, 0x08, 0x81, 0xcf, 0x49, 0xf2, 0x37, 0x17, 0xdf, 0xf1,
++ 0xf9, 0x72, 0xd3, 0xc3, 0x1d, 0xc3, 0x90, 0x45, 0x4d, 0xe6, 0x80, 0x06,
++ 0xbd, 0xfd, 0xe5, 0x6a, 0x69, 0xce, 0xb3, 0x7e, 0x4e, 0x31, 0x5b, 0x84,
++ 0x73, 0xa8, 0xe8, 0x72, 0x3f, 0x27, 0x35, 0xc9, 0x7c, 0x20, 0xce, 0x00,
++ 0x9b, 0x4f, 0xe0, 0x4c, 0xb4, 0x36, 0x69, 0xcb, 0xf7, 0x34, 0x11, 0x11,
++ 0x74, 0x12, 0x7a, 0xa8, 0x8c, 0x2e, 0x81, 0x6c, 0xa6, 0x50, 0xad, 0x19,
++ 0xfa, 0xa8, 0x46, 0x45, 0x6f, 0xb1, 0x67, 0x73, 0xc3, 0x6b, 0xe3, 0x40,
++ 0xe8, 0x2a, 0x69, 0x8f, 0x24, 0x10, 0xe1, 0x29, 0x6e, 0x8d, 0x16, 0x88,
++ 0xee, 0x8e, 0x7f, 0x66, 0x93, 0x02, 0x6f, 0x5b, 0x9e, 0x04, 0x8c, 0xcc,
++ 0x81, 0x1c, 0xad, 0x97, 0x54, 0xf1, 0x18, 0x2e, 0x7e, 0x52, 0x90, 0xbc,
++ 0x51, 0xde, 0x2a, 0x0e, 0xae, 0x66, 0xea, 0xbc, 0x64, 0x6e, 0xa0, 0x91,
++ 0x64, 0xe4, 0x2f, 0x12, 0xa8, 0xbc, 0xe7, 0x6b, 0xba, 0xc7, 0x1b, 0x9b,
++ 0x79, 0x1a, 0x64, 0x66, 0xf1, 0x43, 0xb4, 0xd1, 0xc3, 0x46, 0x21, 0x38,
++ 0x81, 0x79, 0x4c, 0xfa, 0xf0, 0x31, 0x0d, 0xd3, 0x79, 0xff, 0x7a, 0x12,
++ 0xa5, 0x1d, 0xd9, 0xdd, 0xac, 0xa2, 0x0f, 0x71, 0x82, 0xf7, 0x93, 0xff,
++ 0x5c, 0xa1, 0x61, 0xae, 0x65, 0xf2, 0x14, 0x81, 0xed, 0x79, 0x5a, 0x9a,
++ 0x87, 0xea, 0x60, 0x7b, 0xcb, 0xb3, 0x4f, 0x75, 0x34, 0xca, 0xba, 0xa1,
++ 0xef, 0xa2, 0xf6, 0xa2, 0x80, 0x45, 0xa1, 0x8b, 0x27, 0x81, 0xcd, 0xd5,
++ 0x77, 0x38, 0x3e, 0xca, 0x4e, 0xdd, 0x28, 0xea, 0x58, 0xba, 0xc5, 0xa0,
++ 0x29, 0xde, 0x86, 0x8c, 0x88, 0xfc, 0x95, 0x27, 0x51, 0xdd, 0xab, 0xd3,
++ 0xd0, 0x5b, 0x0d, 0x77, 0xc7, 0x6c, 0x8f, 0x55, 0xd7, 0xd4, 0xa2, 0x0e,
++ 0x5b, 0xe4, 0x34, 0x46, 0x14, 0x16, 0x1d, 0xe3, 0x1c, 0xd6, 0x6d, 0x99,
++ 0xad, 0x4c, 0xec, 0x71, 0x73, 0x2f, 0xab, 0xce, 0xb2, 0xb4, 0x29, 0xde,
++ 0x55, 0x30, 0x53, 0x39, 0x3a, 0x32, 0x8b, 0xf0, 0xea, 0x9c, 0x88, 0x12,
++ 0x3b, 0x05, 0x68, 0x19, 0xbf, 0xcf, 0x87, 0x52, 0x10, 0xfb, 0xd6, 0x13,
++ 0x60, 0xf3, 0x41, 0x64, 0xf4, 0x08, 0x57, 0x81, 0xcb, 0x9d, 0x11, 0xa5,
++ 0x8e, 0xf4, 0xe5, 0x27, 0xf5, 0xa3, 0x3a, 0xec, 0xe4, 0x3d, 0x4a, 0xb7,
++ 0xce, 0xf9, 0x88, 0x0d, 0x9f, 0xbd, 0xca, 0x6d, 0xd2, 0x4a, 0xbc, 0x58,
++ 0x76, 0x8e, 0x32, 0x04, 0x94, 0x6e, 0xdd, 0xf4, 0xcf, 0x6d, 0x47, 0x6d,
++ 0xc2, 0xd7, 0x6a, 0xdc, 0x87, 0x71, 0xea, 0xa4, 0xbf, 0xef, 0x67, 0x97,
++ 0x9c, 0xb8, 0xc7, 0x80, 0x36, 0x2a, 0x2a, 0x59, 0xc9, 0xc0, 0x0c, 0xa7,
++ 0x44, 0xa0, 0x73, 0xb5, 0x8c, 0xcf, 0x38, 0x5a, 0xae, 0xf8, 0xbb, 0x86,
++ 0x95, 0xf0, 0x44, 0xad, 0x66, 0x7a, 0x33, 0xed, 0x71, 0xe4, 0x45, 0x87,
++ 0x83, 0xe5, 0xa7, 0xce, 0xa2, 0x40, 0xd0, 0x72, 0xd2, 0x48, 0x00, 0xfa,
++ 0xf9, 0x1a
++};
++
++CONST UINTN mSizeOfWindowsUefi2023 = sizeof mWindowsUefi2023;
++
+ //
+ // The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test case
+ // of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit
+diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+index 88b6bafee8..c19764256f 100644
+--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
++++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+@@ -702,6 +702,15 @@ ShellAppMain (
+ mMicrosoftUefiCa,
+ mSizeOfMicrosoftUefiCa,
+ &gMicrosoftVendorGuid,
++ mMicrosoftUefiCa2023,
++ mSizeOfMicrosoftUefiCa2023,
++ &gMicrosoftVendorGuid,
++ mMicrosoftUefiOpRom2023,
++ mSizeOfMicrosoftUefiOpRom2023,
++ &gMicrosoftVendorGuid,
++ mWindowsUefi2023,
++ mSizeOfWindowsUefi2023,
++ &gMicrosoftVendorGuid,
+ NULL
+ );
+ }
+@@ -750,6 +759,9 @@ ShellAppMain (
+ mMicrosoftKek,
+ mSizeOfMicrosoftKek,
+ &gMicrosoftVendorGuid,
++ mMicrosoftKek2023,
++ mSizeOfMicrosoftKek2023,
++ &gMicrosoftVendorGuid,
+ NULL
+ );
+ }
+diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
+index 56da9c71d6..07800ce571 100644
+--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
++++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
+@@ -124,12 +124,24 @@ typedef struct {
+ extern CONST UINT8 mMicrosoftKek[];
+ extern CONST UINTN mSizeOfMicrosoftKek;
+
++extern CONST UINT8 mMicrosoftKek2023[];
++extern CONST UINTN mSizeOfMicrosoftKek2023;
++
+ extern CONST UINT8 mMicrosoftPca[];
+ extern CONST UINTN mSizeOfMicrosoftPca;
+
+ extern CONST UINT8 mMicrosoftUefiCa[];
+ extern CONST UINTN mSizeOfMicrosoftUefiCa;
+
++extern CONST UINT8 mMicrosoftUefiCa2023[];
++extern CONST UINTN mSizeOfMicrosoftUefiCa2023;
++
++extern CONST UINT8 mMicrosoftUefiOpRom2023[];
++extern CONST UINTN mSizeOfMicrosoftUefiOpRom2023;
++
++extern CONST UINT8 mWindowsUefi2023[];
++extern CONST UINTN mSizeOfWindowsUefi2023;
++
+ extern CONST UINT8 mSha256OfDevNull[];
+ extern CONST UINTN mSizeOfSha256OfDevNull;
+
diff --git a/debian/patches/series b/debian/patches/series
index e74582c057..9f3c8910bf 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,4 @@ ArmVirtPkg-disable-the-EFI_MEMORY_ATTRIBUTE-protocol.patch
Revert-UefiCpuPkg-Produce-EFI-memory-attributes-prot.patch
UefiCpuPkg-MpInitLib-Fix-split-lock-violation-from-M.patch
UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
+OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2025-11-06 15:43 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-11-06 15:42 [pve-devel] [PATCH-SERIES edk2-firmware 0/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 1/6] update edk2 to edk2-stable202505 tag and refresh patches Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 2/6] d/patches: pick up CVE fix from Debian tag debian/2025.05-1 Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 3/6] d/rules: pick up some improvements from Debian Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 4/6] Use virt-firmware to enroll default keys Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 5/6] Initialize the Secure Boot dbx in *.ms.fd with the latest revocations Fiona Ebner
2025-11-06 15:42 ` [pve-devel] [PATCH edk2-firmware 6/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys Fiona Ebner
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.