[pve-devel] [PATCH-SERIES RESEND edk2-firmware 0/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys

[pve-devel] [PATCH-SERIES RESEND edk2-firmware 0/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys

[Fiona Ebner]

Re-sent with --transfer-encoding=base64. Also available at my staff
repo now: staff/f.ebner/pve-edk2-firmware, branch fix-6985

This fixes the issue with the Microsoft UEFI CA 2011 expiring in June
2026 for new EFI disks. What still needs to be done is giving users a
way for (or automatically) enrolling the new keys to existing EFI
disks. I will look at that part of the issue in the coming days.

To update an existing EFI disk, it should be enough to do something
like:
virt-fw-vars --inplace vm-103-disk-0.raw --distro-keys ms-uefi

AFAICS, virt-fw-vars can only deal with raw images, so we can use FUSE
exports of differently formatted EFI disks which requires [0].

[0]: https://lore.proxmox.com/pve-devel/20251020141335.124077-1-f.ebner@proxmox.com/


pve-edk2-firmware:

Fiona Ebner (6):
  update edk2 to edk2-stable202505 tag and refresh patches
  d/patches: pick up CVE fix from Debian tag debian/2025.05-1
  d/rules: pick up some improvements from Debian
  Use virt-firmware to enroll default keys.
  Initialize the Secure Boot dbx in *.ms.fd with the latest revocations
  partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys

 debian/DBXUpdate-2025-02-24.arm64.bin         | Bin 0 -> 4613 bytes
 debian/DBXUpdate-2025-10-16.amd64.bin         | Bin 0 -> 24053 bytes
 debian/control                                |   1 +
 debian/edk2-vars-generator.py                 | 140 ----
 ...nrollDefaultKeys-with-Microsoft-2023.patch | 613 ++++++++++++++++++
 ...tLib-Fix-split-lock-violation-from-M.patch |  10 +-
 ...CpuDxeSmm-Safe-handling-of-IDT-regis.patch |  45 ++
 debian/patches/series                         |   2 +
 debian/rules                                  |  99 +--
 debian/source/include-binaries                |   2 +
 edk2                                          |   2 +-
 11 files changed, 721 insertions(+), 193 deletions(-)
 create mode 100644 debian/DBXUpdate-2025-02-24.arm64.bin
 create mode 100644 debian/DBXUpdate-2025-10-16.amd64.bin
 delete mode 100755 debian/edk2-vars-generator.py
 create mode 100644 debian/patches/OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch
 create mode 100644 debian/patches/UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch


Summary over all repositories:
  11 files changed, 721 insertions(+), 193 deletions(-)

-- 
Generated by git-murpp 0.5.0
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH edk2-firmware 1/6] update edk2 to edk2-stable202505 tag and refresh patches

[Fiona Ebner]

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 ...Pkg-MpInitLib-Fix-split-lock-violation-from-M.patch | 10 ++++++----
 edk2                                                   |  2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/debian/patches/UefiCpuPkg-MpInitLib-Fix-split-lock-violation-from-M.patch b/debian/patches/UefiCpuPkg-MpInitLib-Fix-split-lock-violation-from-M.patch
index e68278add2..dc086324b4 100644
--- a/debian/patches/UefiCpuPkg-MpInitLib-Fix-split-lock-violation-from-M.patch
+++ b/debian/patches/UefiCpuPkg-MpInitLib-Fix-split-lock-violation-from-M.patch
@@ -34,6 +34,8 @@ Signed-off-by: Aaron Young <aaron.young@oracle.com>
 (cherry picked from commit b0bc23d1f246dac977b639470a51bcef1bcd6e1d)
 Signed-off-by: Friedrich Weber <f.weber@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+[FE: rebase for edk2-stable202505]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
  UefiCpuPkg/Library/MpInitLib/MpEqu.inc | 15 ++++++++++++---
  UefiCpuPkg/Library/MpInitLib/MpLib.c   | 15 ++++++++++-----
@@ -41,7 +43,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  3 files changed, 29 insertions(+), 10 deletions(-)
 
 diff --git a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
-index 317e627b58..ded603f8f8 100644
+index d8ba9ea124..7e4afbcaa5 100644
 --- a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
 +++ b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
 @@ -74,18 +74,18 @@ struc MP_CPU_EXCHANGE_INFO
@@ -65,8 +67,8 @@ index 317e627b58..ded603f8f8 100644
    .CpuMpData:                    CTYPE_UINTN 1
    .InitializeFloatingPointUnits: CTYPE_UINTN 1
    .ModeTransitionMemory:         CTYPE_UINT32 1
-@@ -99,5 +99,14 @@ struc MP_CPU_EXCHANGE_INFO
-   .ExtTopoAvail:                 CTYPE_BOOLEAN 1
+@@ -100,5 +100,14 @@ struc MP_CPU_EXCHANGE_INFO
+   .SevSnpKnownInitApicId:        CTYPE_BOOLEAN 1
  endstruc
  
 -MP_CPU_EXCHANGE_INFO_OFFSET equ (Flat32Start - RendezvousFunnelProcStart)
@@ -130,7 +132,7 @@ index fdcc21d794..ffaff1855f 100644
      // The AP reset stack is only used by SEV-ES guests. Do not allocate it
      // if SEV-ES is not enabled. An SEV-SNP guest is also considered
 diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpInitLib/MpLib.h
-index 145538b6ee..fc08ae2ce6 100644
+index a63bb81bef..b30dcb3828 100644
 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h
 +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h
 @@ -213,18 +213,23 @@ typedef struct {
diff --git a/edk2 b/edk2
index fbe0805b20..6951dfe7d5 160000
--- a/edk2
+++ b/edk2
@@ -1 +1 @@
-Subproject commit fbe0805b2091393406952e84724188f8c1941837
+Subproject commit 6951dfe7d59d144a3a980bd7eda699db2d8554ac
-- 
2.47.3

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH edk2-firmware 2/6] d/patches: pick up CVE fix from Debian tag debian/2025.05-1

[Fiona Ebner]

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 ...CpuDxeSmm-Safe-handling-of-IDT-regis.patch | 45 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 debian/patches/UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch

diff --git a/debian/patches/UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch b/debian/patches/UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
new file mode 100644
index 0000000000..2c4378c873
--- /dev/null
+++ b/debian/patches/UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: John Mathews <john.mathews@intel.com>
+Date: Fri, 30 May 2025 11:06:49 -0700
+Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Safe handling of IDT register on
+ SMM entry
+
+Mitigates CVE-2025-3770
+
+Do not assume that IDT.limit is loaded with a zero value upon SMM entry.
+Delay enabling Machine Check Exceptions in SMM until after the SMM IDT
+has been reloaded.
+
+Signed-off-by: John Mathews <john.mathews@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/d2d8d38ee08c5e602fb092f940dfecc1f5a4eb38
+Last-Updated: 2025-08-18
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110533
+
+diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+index 644366ba19..6e1cd45c04 100644
+--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
++++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+@@ -113,7 +113,7 @@ ProtFlatMode:
+     mov eax, strict dword 0               ; source operand will be patched
+ ASM_PFX(gPatchSmiCr3):
+     mov     cr3, rax
+-    mov     eax, 0x668                   ; as cr4.PGE is not set here, refresh cr3
++    mov     eax, 0x628                   ; as cr4.PGE is not set here, refresh cr3
+ 
+     mov     cl, strict byte 0            ; source operand will be patched
+ ASM_PFX(gPatch5LevelPagingNeeded):
+@@ -204,6 +204,10 @@ SmiHandlerIdtrAbsAddr:
+     mov     ax, [rbx + DSC_SS]
+     mov     ss, eax
+ 
++    mov     rax, cr4                    ; enable MCE
++    bts     rax, 6
++    mov     cr4, rax
++
+     mov     rbx, [rsp + 0x8]             ; rbx <- CpuIndex
+ 
+ ; enable CET if supported
+-- 
+2.47.2
+
diff --git a/debian/patches/series b/debian/patches/series
index f9e35827ae..e74582c057 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ Revert-ArmVirtPkg-make-EFI_LOADER_DATA-non-executabl.patch
 ArmVirtPkg-disable-the-EFI_MEMORY_ATTRIBUTE-protocol.patch
 Revert-UefiCpuPkg-Produce-EFI-memory-attributes-prot.patch
 UefiCpuPkg-MpInitLib-Fix-split-lock-violation-from-M.patch
+UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
-- 
2.47.3

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH edk2-firmware 3/6] d/rules: pick up some improvements from Debian

[Fiona Ebner]

Debian commits:
bb42fb89cb debian/rules: Remove unused variable
16bb13da3d debian/rules: Define *_BUILD_ROOT variables
341ac9dcda debian/rules: Delete the correct ovmf build tree between builds

Also define OVMF_CVM_BUILD_ROOT for the downstream CVM variant.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 debian/rules | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/debian/rules b/debian/rules
index 494f162e30..c640833092 100755
--- a/debian/rules
+++ b/debian/rules
@@ -66,8 +66,8 @@ debian/setup-build-stamp:
 	touch $@
 
 OVMF_INSTALL_DIR = debian/ovmf-install
-OVMF_BUILD_DIR = Build/OvmfX64/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
-OVMF3264_BUILD_DIR = Build/Ovmf3264/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
+OVMF3264_BUILD_ROOT = Build/Ovmf3264
+OVMF3264_BUILD_DIR = $(OVMF3264_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
 OVMF_ENROLL = $(OVMF3264_BUILD_DIR)/X64/EnrollDefaultKeys.efi
 OVMF_SHELL =  $(OVMF3264_BUILD_DIR)/X64/Shell.efi
 OVMF_BINARIES = $(OVMF_ENROLL) $(OVMF_SHELL)
@@ -75,19 +75,23 @@ OVMF_IMAGES := $(addprefix $(OVMF_INSTALL_DIR)/,OVMF_CODE_4M.fd OVMF_CODE_4M.sec
 OVMF_PREENROLLED_VARS := $(addprefix $(OVMF_INSTALL_DIR)/,OVMF_VARS_4M.ms.fd OVMF_VARS_4M.snakeoil.fd)
 
 OVMF32_INSTALL_DIR = debian/ovmf32-install
-OVMF32_BUILD_DIR = Build/OvmfIa32/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
+OVMF32_BUILD_ROOT = Build/OvmfIa32
+OVMF32_BUILD_DIR = $(OVMF32_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
 OVMF32_SHELL = $(OVMF32_BUILD_DIR)/IA32/Shell.efi
 OVMF32_BINARIES = $(OVMF32_SHELL)
 OVMF32_IMAGES  := $(addprefix $(OVMF32_INSTALL_DIR)/,OVMF32_CODE_4M.secboot.fd OVMF32_VARS_4M.fd)
 
 OVMF_CVM_INSTALL_DIR = debian/ovmf-cvm-install
-OVMF_CVM_BUILD_DIR = Build/OvmfX64/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
+OVMF_CVM_BUILD_ROOT = Build/OvmfX64
+OVMF_CVM_BUILD_DIR = $(OVMF_CVM_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
 OVMF_CVM_SHELL = $(OVMF_CVM_BUILD_DIR)/X64/Shell.efi
 OVMF_CVM_BINARIES = $(OVMF_CVM_SHELL)
 OVMF_CVM_IMAGES  := $(addprefix $(OVMF_CVM_INSTALL_DIR)/,OVMF_CVM_CODE_4M.fd OVMF_CVM_VARS_4M.fd)
 
-QEMU_EFI_BUILD_DIR = Build/ArmVirtQemu-$(EDK2_HOST_ARCH)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
-AAVMF_BUILD_DIR = Build/ArmVirtQemu-AARCH64/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
+QEMU_EFI_BUILD_ROOT = Build/ArmVirtQemu-$(EDK2_HOST_ARCH)
+QEMU_EFI_BUILD_DIR = $(QEMU_EFI_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
+AAVMF_BUILD_ROOT = Build/ArmVirtQemu-AARCH64
+AAVMF_BUILD_DIR = $(AAVMF_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
 AAVMF_ENROLL    = $(AAVMF_BUILD_DIR)/AARCH64/EnrollDefaultKeys.efi
 AAVMF_SHELL     = $(AAVMF_BUILD_DIR)/AARCH64/Shell.efi
 AAVMF_BINARIES  = $(AAVMF_ENROLL) $(AAVMF_SHELL)
@@ -96,7 +100,8 @@ AAVMF_VARS      = $(AAVMF_BUILD_DIR)/FV/AAVMF_VARS.fd
 AAVMF_IMAGES    = $(AAVMF_CODE) $(AAVMF_VARS)
 AAVMF_PREENROLLED_VARS = $(addprefix $(AAVMF_BUILD_DIR)/FV/,AAVMF_VARS.ms.fd AAVMF_VARS.snakeoil.fd)
 
-RISCV64_BUILD_DIR = Build/RiscVVirtQemu/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
+RISCV64_BUILD_ROOT = Build/RiscVVirtQemu
+RISCV64_BUILD_DIR = $(RISCV64_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
 RISCV64_IMAGES    = $(addprefix $(RISCV64_BUILD_DIR)/FV/,RISCV_VIRT_CODE.fd RISCV_VIRT_VARS.fd)
 
 build-ovmf32: $(OVMF32_BINARIES) $(OVMF32_IMAGES)
@@ -134,7 +139,7 @@ build-ovmf: $(OVMF_BINARIES) $(OVMF_IMAGES) $(OVMF_PREENROLLED_VARS)
 $(OVMF_BINARIES) $(OVMF_IMAGES): debian/setup-build-stamp
 	rm -rf $(OVMF_INSTALL_DIR)
 	mkdir $(OVMF_INSTALL_DIR)
-	rm -rf Build/OvmfX64
+	rm -rf $(OVMF3264_BUILD_ROOT)
 	set -e; . ./edksetup.sh; \
 		build -a IA32 -a X64 \
 			-t $(EDK2_TOOLCHAIN) \
@@ -144,7 +149,7 @@ $(OVMF_BINARIES) $(OVMF_IMAGES): debian/setup-build-stamp
 		$(OVMF_INSTALL_DIR)/OVMF_CODE_4M.fd
 	cp $(OVMF3264_BUILD_DIR)/FV/OVMF_VARS.fd \
 		$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd
-	rm -rf Build/OvmfX64
+	rm -rf $(OVMF3264_BUILD_ROOT)
 	set -e; . ./edksetup.sh; \
 		build -a IA32 -a X64 \
 			-t $(EDK2_TOOLCHAIN) \
-- 
2.47.3

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH edk2-firmware 4/6] Use virt-firmware to enroll default keys.

[Fiona Ebner]

Follow Debian commit 6b7533cc86 ("Use virt-firmware to enroll default
keys.").

Path to the AAVMF variables image is different than in Debian's
upstream.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 debian/control                |   1 +
 debian/edk2-vars-generator.py | 140 ----------------------------------
 debian/rules                  |  59 +++++---------
 3 files changed, 22 insertions(+), 178 deletions(-)
 delete mode 100755 debian/edk2-vars-generator.py

diff --git a/debian/control b/debian/control
index 632cea53bd..5624a3b5a1 100644
--- a/debian/control
+++ b/debian/control
@@ -16,6 +16,7 @@ Build-Depends: bc,
                pve-qemu-kvm | qemu-system-x86 (>= 1:2.12+dfsg),
                python3,
                python3-pexpect,
+               python3-virt-firmware,
                qemu-utils,
                uuid-dev,
                xorriso,
diff --git a/debian/edk2-vars-generator.py b/debian/edk2-vars-generator.py
deleted file mode 100755
index 351e556211..0000000000
--- a/debian/edk2-vars-generator.py
+++ /dev/null
@@ -1,140 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright 2021 Canonical Ltd.
-# Authors:
-# - dann frazier <dann.frazier@canonical.com>
-#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 3, as published
-# by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY,
-# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-import argparse
-import os.path
-import pexpect
-import shutil
-import sys
-from UEFI.Filesystems import FatFsImage, EfiBootableIsoImage
-from UEFI.Qemu import QemuEfiMachine, QemuEfiVariant, QemuEfiFlashSize
-from UEFI import Qemu
-
-if __name__ == '__main__':
-    parser = argparse.ArgumentParser()
-    parser.add_argument(
-        "-f", "--flavor", help="UEFI Flavor",
-        choices=['AAVMF', 'OVMF', 'OVMF_4M'],
-        required=True,
-    )
-    parser.add_argument(
-        "-e", "--enrolldefaultkeys",
-        help='Path to "EnrollDefaultKeys" EFI binary',
-        required=True,
-    )
-    parser.add_argument(
-        "-s", "--shell",
-        help='Path to "Shell" EFI binary',
-        required=True,
-    )
-    parser.add_argument(
-        "-C", "--certificate",
-        help='base64-encoded PK/KEK1 certificate',
-        required=True,
-    )
-    parser.add_argument(
-        "-c", "--code",
-        help='UEFI code image',
-        required=True,
-    )
-    parser.add_argument(
-        "--no-default",
-        action="store_true",
-        help='Do not enroll the default keys, just the PK/KEK1 certificate',
-    )
-    parser.add_argument(
-        "-V", "--vars-template",
-        help='UEFI vars template',
-        required=True,
-    )
-    parser.add_argument(
-        "-o", "--out-file",
-        help="Output file for generated vars template",
-        required=True,
-    )
-    parser.add_argument("-d", "--debug", action="store_true",
-                        help="Emit debug messages")
-    args = parser.parse_args()
-
-    FlavorConfig = {
-        'AAVMF': {
-            'EfiArch': 'AA64',
-            'QemuCommand': Qemu.QemuCommand(
-                QemuEfiMachine.AAVMF,
-                code_path=args.code,
-                vars_template_path=args.vars_template,
-            ),
-        },
-        'OVMF': {
-            'EfiArch': 'X64',
-            'QemuCommand': Qemu.QemuCommand(
-                QemuEfiMachine.OVMF_Q35,
-                variant=QemuEfiVariant.SECBOOT,
-                flash_size=QemuEfiFlashSize.SIZE_4MB,
-                code_path=args.code,
-                vars_template_path=args.vars_template,
-            ),
-        },
-        'OVMF_4M': {
-            'EfiArch': 'X64',
-            'QemuCommand': Qemu.QemuCommand(
-                QemuEfiMachine.OVMF_Q35,
-                variant=QemuEfiVariant.SECBOOT,
-                flash_size=QemuEfiFlashSize.SIZE_4MB,
-                code_path=args.code,
-                vars_template_path=args.vars_template,
-            ),
-        },
-    }
-
-    eltorito = FatFsImage(64)
-    eltorito.makedirs(os.path.join('EFI', 'BOOT'))
-    removable_media_path = os.path.join(
-        'EFI', 'BOOT', f"BOOT{FlavorConfig[args.flavor]['EfiArch']}.EFI"
-    )
-    eltorito.insert_file(args.shell, removable_media_path)
-    eltorito.insert_file(
-        args.enrolldefaultkeys,
-        args.enrolldefaultkeys.split(os.path.sep)[-1]
-    )
-    iso = EfiBootableIsoImage(eltorito)
-
-    q = FlavorConfig[args.flavor]['QemuCommand']
-    q.add_disk(iso.path)
-    q.add_oem_string(11, args.certificate)
-
-    child = pexpect.spawn(' '.join(q.command))
-    if args.debug:
-        child.logfile = sys.stdout.buffer
-    child.expect(['Press .* or any other key to continue'], timeout=None)
-    child.sendline('\x1b')
-    child.expect(['Shell> '], timeout=None)
-    child.sendline('FS0:\r')
-    child.expect(['FS0:\\\\> '], timeout=None)
-    enrollcmd = ['EnrollDefaultKeys.efi']
-    if args.no_default:
-        enrollcmd.append("--no-default")
-    child.sendline(f'{" ".join(enrollcmd)}\r')
-    child.expect(['FS0:\\\\> '], timeout=None)
-    # Clear the BootOrder. See #1015759
-    child.sendline('setvar BootOrder =\r')
-    child.expect(['FS0:\\\\> '], timeout=None)
-    child.sendline('reset -s\r')
-    child.wait()
-    shutil.copy(q.pflash.varfile_path, args.out_file)
diff --git a/debian/rules b/debian/rules
index c640833092..316a7b7727 100755
--- a/debian/rules
+++ b/debian/rules
@@ -165,49 +165,32 @@ debian/PkKek-1-vendor.pem: debian/PkKek-1-Debian.pem
 endif
 	ln -sf `basename $<` $@
 
-debian/oem-string-%: debian/PkKek-1-%.pem
-	tr -d '\n' < $< | \
-		sed -e 's/.*-----BEGIN CERTIFICATE-----/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' -e 's/-----END CERTIFICATE-----//' > $@
+# Usage: $(call enroll_vendor,<var-template>,<output-file>,<uefi-arch>)
+enroll_vendor   = virt-fw-vars --input $(1) --output $(2) \
+                    --enroll-cert debian/PkKek-1-vendor.pem
+# Usage: $(call enroll_snakeoil,<var-template>,<output-file>)
+enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) \
+                    --set-pk OvmfEnrollDefaultKeys \
+                             debian/PkKek-1-snakeoil.pem \
+                    --add-kek OvmfEnrollDefaultKeys \
+                             debian/PkKek-1-snakeoil.pem \
+                    --add-db OvmfEnrollDefaultKeys \
+                             debian/PkKek-1-snakeoil.pem
 
-%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-vendor $(AAVMF_ENROLL) $(AAVMF_SHELL)
-	PYTHONPATH=$(CURDIR)/debian/python \
-	python3 ./debian/edk2-vars-generator.py \
-		-f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \
-		-c $(AAVMF_CODE) -V $(AAVMF_VARS) \
-		-C `< debian/oem-string-vendor` -o $@
+%/AAVMF_VARS.ms.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-vendor.pem $(AAVMF_ENROLL) $(AAVMF_SHELL)
+	$(call enroll_vendor,$(AAVMF_VARS),$@,arm64)
 
-%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/oem-string-snakeoil $(AAVMF_ENROLL) $(AAVMF_SHELL)
-	PYTHONPATH=$(CURDIR)/debian/python \
-	python3 ./debian/edk2-vars-generator.py \
-		-f AAVMF -e $(AAVMF_ENROLL) -s $(AAVMF_SHELL) \
-		-c $(AAVMF_CODE) -V $(AAVMF_VARS) \
-		--no-default \
-		-C `< debian/oem-string-snakeoil` -o $@
+%/AAVMF_VARS.snakeoil.fd: %/AAVMF_CODE.fd %/AAVMF_VARS.fd debian/PkKek-1-snakeoil.pem $(AAVMF_ENROLL) $(AAVMF_SHELL)
+	$(call enroll_snakeoil,$(AAVMF_VARS),$@)
 
-%/OVMF_VARS.ms.fd: %/OVMF_CODE.fd %/OVMF_VARS.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL)
-	PYTHONPATH=$(CURDIR)/debian/python \
-	python3 ./debian/edk2-vars-generator.py \
-		-f OVMF -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
-		-c $(OVMF_INSTALL_DIR)/OVMF_CODE.fd \
-		-V $(OVMF_INSTALL_DIR)/OVMF_VARS.fd \
-		-C `< debian/oem-string-vendor` -o $@
+%/OVMF_VARS.ms.fd: %/OVMF_CODE.secboot.fd %/OVMF_VARS.fd debian/PkKek-1-vendor.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+	$(call enroll_vendor,$(OVMF_INSTALL_DIR)/OVMF_VARS.fd,$@,amd64)
 
-%/OVMF_VARS_4M.ms.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-vendor $(OVMF_ENROLL) $(OVMF_SHELL)
-	PYTHONPATH=$(CURDIR)/debian/python \
-	python3 ./debian/edk2-vars-generator.py \
-		-f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
-		-c $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.fd \
-		-V $(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd \
-		-C `< debian/oem-string-vendor` -o $@
+%/OVMF_VARS_4M.ms.fd: %/OVMF_CODE_4M.secboot.fd %/OVMF_VARS_4M.fd debian/PkKek-1-vendor.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+	$(call enroll_vendor,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@,amd64)
 
-%/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/oem-string-snakeoil $(OVMF_ENROLL) $(OVMF_SHELL)
-	PYTHONPATH=$(CURDIR)/debian/python \
-	python3 ./debian/edk2-vars-generator.py \
-		-f OVMF_4M -e $(OVMF_ENROLL) -s $(OVMF_SHELL) \
-		-c $(OVMF_INSTALL_DIR)/OVMF_CODE_4M.fd \
-		-V $(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd \
-		--no-default \
-		-C `< debian/oem-string-snakeoil` -o $@
+%/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/PkKek-1-snakeoil.pem $(OVMF_ENROLL) $(OVMF_SHELL)
+	$(call enroll_snakeoil,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@)
 
 BaseTools/Bin/GccLto/liblto-aarch64.a:	BaseTools/Bin/GccLto/liblto-aarch64.s
 	$($(EDK2_TOOLCHAIN)_AARCH64_PREFIX)gcc -c -fpic $< -o $@
-- 
2.47.3

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH edk2-firmware 5/6] Initialize the Secure Boot dbx in *.ms.fd with the latest revocations

[Fiona Ebner]

Follow Debian commit 45c101a4b5 ("Initialize the Secure Boot dbx in
*.ms.fd with the latest revocations") and pick up the latest
revocation DBX files from Debian's debian/2025.05-1 tag.

Adapt how entries in debian/source/include-binaries are handled,
because it already contains different entries in Proxmox VE's
downstream.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 debian/DBXUpdate-2025-02-24.arm64.bin | Bin 0 -> 4613 bytes
 debian/DBXUpdate-2025-10-16.amd64.bin | Bin 0 -> 24053 bytes
 debian/rules                          |  19 +++++++++++++++++--
 debian/source/include-binaries        |   2 ++
 4 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 debian/DBXUpdate-2025-02-24.arm64.bin
 create mode 100644 debian/DBXUpdate-2025-10-16.amd64.bin

diff --git a/debian/DBXUpdate-2025-02-24.arm64.bin b/debian/DBXUpdate-2025-02-24.arm64.bin
new file mode 100644
index 0000000000000000000000000000000000000000..33520068f2602fbd2c739b7f71e8946f5ba6ccd4
GIT binary patch
literal 4613
zcmd6p2{hDeAIE328|x5lhN4pV&y1Z!6N!+0DZ9ZKjK<grV~wjsH%rolEM;qv<;q@H
zM3F3&glt)&NcQ(X-P^srbKm>E=e*~<=e%?NXJ&rS^L>8L^Z)(7&*%TVVuP~^@(V$}
ze^$7`f3O9fYu#mfL+*1Y5{l%*lq?7Z0F8SP28CjH0VFGjL#!^807t-}ED(T;l|wpK
zH+C5bWrNabobvz;Y^1>_>2Men1{1`A=`h4*?xex6tS8?l!7wuXJ_O1IiX$U1TmT0v
z+#JCw2s1au2m<_!fL)N&($UwQ=<P-&dt>+j9!4XZAe#xn#f$9ig4qr1WVCP!3K<Zc
zDP&)=D;13=Q+&u2M=B8<Ar0(j^uq<k|7AZ~Ut1rI*Fs|f3<lV}4T+Tpl(ATh3J$<3
z+kl}07y`eCKxFLyWQhPE``Z%t{kcR-qPGh<z!z<<t#bmcPY6P52Rgeudb<%A0YHOF
z{8&El0l;ZcUa;U$P8baeh14HB`pBApL&RxhmZy!7oN1nzYBZ0u?=Y<UkUufOm%yQ#
z?G%iU*F?NYLqlwzT~IXmdTzl@`(u5P(Xn?=UxdmVhXtJX2HGg%?aTXIgYOrqu-(?D
z#V<!!P8K-ZR!FZ6Tdkpsa<{xJTPqL`R3&AHM%g7WI~D{R@-%tE^CGG2Yp-{)Bkg{s
z^fv{b3ds<4`of81#hJ~i&)rWNFnF8T70vhL)-TVe2{WCPHKmG`<i{aj6ONObcitTo
z2>7Ix9mOR_E!1^e($i73989U0%#l97e8VCfm~xx~b`fDzvD^Xguw(X)mD`gm)R#}N
z<Khqn<yN9mDw+M!h9=W6I1~cSr9p{cMF;>2tnMyJ1d?IWgRD>ll%`|^1$Hr7c@V+~
zl-%~lss%5b;+x~L)35zHr?yAo`2lT4H$OrHP|s5Zl)u}I>+ftP{B0Hliy#t<RZ&sI
z98>_XN-7vYjFDy!LIe<wKsl}BJLnpD?QR0yrw7c7L!LfJum>y{0x^UUU;yaTPtcFY
zYP(aZKB{tZ0RaKBUf(S(>rD2N^C1z*KE86!6i+$OD4@wf@8Y!>&b4QJ$pDHnSb15n
zTM`QZ4y^3py|S>dL7@mUzyvt;JqBR0$Nu9K1Payn-%mmXxEU)KghICvFaYwS9l_lU
z+7SwoARoHv7oU;k4I`)(%sWgpTm=r~1Y28gcYIjrZY7s{Ou8gxOvq=?PyR^F3){@t
z()iK+-o3TDGxuSmOXH%7o%nVfT`O6AK%20QR$TvjT7;@!9IWQvX3`Ut?J*P+J*hQ)
z$QgY_P23S0b0Nf_hjf*&pJ-+6@#{cEOqDLBARW<HHP(Hh^)yMmT4^$JN@0E0GC?5Z
z4tK4^kjx2}&(qf$K6ut7Mm*BUXs1qY!J{=YUuQbiumbm-Mf_hzeMYL+S4l@M@7+ZU
zeNc8Ww8-jUMgNz)AV=*PQeB<T?j2=-@x_Frz8g(3rLKDU_R^{}d%xQe#3&n*r-&!#
z1CW7}AOoNO#z0O-&aU`x=z}vA3y8e*KjDfRpaMQ35PjG`x$*-V(Pr*MiVOObBZV4-
zHgKen2vi?WM`r@sgiNL~SO^kP5i5@c<S|$k1`8E`3l$jQ{{yc769ro)D-!BUETzh&
znm<geSq2}2*|H&D>5WmP$IE$VyryTut4D2|v7!9ijCe-53Y3LXFFam)7kwx5>Y<6H
z%1gZ*!y^rd!eU_OknU&JQ<*LW#^J3oMi<esottvQ*SBa5vr`?Ni>4k<s$BT$5y_2B
zmX)3s)NTHeJ?E2rD)V+3%#@C0tqM2wHMaLmw#bcT%<WBt&m?_H{LrkohUXXHI#+Q#
z#q-TL;{5ay4l&IKl|DPR5+$g<CCMS@?ys{|V^sI1<gB#Stu>zRpu_L464ag^kiNc7
zvCf$;P5JmmK``PmZ05cF(`)`6ADvSg%YrncgW|$RO$sNkg|HDX3Vo-b5lBIOfbS3Z
z2|*FyTN&~L0skeLME@9of+4tfb3#lZeh?=J9-;+;6x{l}2u7M%fcFm$umErn2mi!8
zZC4Zg@Hs2~`d-8AJ?89csuCWBz!}B}F@!l_3K-Lk=mxR+zXJ(m*I$|U4R}5jvWuVd
zA5a3V3;Gr`E$CGS`~Vs70u&hV`|rso=llcq{(c53)Aohaz+(19$1kBSi@@5X)z_p`
zc5?U8yA~!*Tnp!ND*S?zA-81m{B1r2RaPr`7>Dq=d>MB61aqrfF5D6Lu%<KK%7wev
zvQ;$Ko~8Ho<LAUqU43ljv~4%A)UZ@l6Udf(aP#VGd5h>7T3e}>q)!%UYBQO)?~2&i
z#AUI&(%eb<Tl)|2g)H}l-t6+PW@!zY<xNh>YT6tkpY!Am>1os+lsCSj!aHVX(J#Vs
zWsxoa=skMC2D|8|vldUU$L`6CYtP@XI@d#V6S{OR@>96r7&0+IJuZ5BwDTc;tVAX{
z^@7Jio6uvcCbuG6Wp@7Z&SVI}|26Y)qeJ;Ht|B+Siy+FmeWExtuaOpKsC-8b`3Mz9
z-bj+IRe3Nm-u&);$G+%~mydotkeIBar53rvt$zh?O=w5fZa`9u7X8!;iuSIb($Wli
zCu79vvCrSzWcCU%q>Ohtj^(*_Q;8`mQfv)C+)`3>e5FU+A>Z#l+Y5W<d71mgGf#=2
zk~{OY@Eje7q87F$aoWPhr^z6!Lw$eoO$n5KTVucebl4F~g}dWMe)r2A;1Z^#mx6Zn
zUeyv4iZ%1O`xdFd8(J<;sY!ECn-7}Kxx3RgN4P5P(bSGF6={-W<?ExDRuh8Kn~6M?
zxjWG;X<yq=rI5as&kZO(KaxCsM@5Fi=QHJxEDaUAvC;L}7#g$%+-40hC=`fH|39GP
z-=4XDJhlID1P9NM2pSZE;vcIEj;dvy%CGj(BjCb313n_#4E1~jv0W=KpmrpT@51`t
z$Ko9<@};+BSiPjmhaJvrduEI$&p}Ww5R0hYKGqXM%i*714%fHgNQk$i9wLo+lKd&c
zK9&MGsh=PZ+_Gx#4xg32)@0nB-4|)$vOn^%Y}RJHluaa|c1cH@?aUcZkvnq1!BWV#
z?35x-JaCw_zMbPOg>#%$rC057!ZnSmJ5M>^s4osGs71B@sw`B!D*ManLj1h#jdI%~
zk7AUX%~4!%rFWz#Lqx&6bworVhrX>K%X_=qn@U>}<7~Z-l7}lY-(!D06nUA{P!$ms
zZtD7hI%3;(I56BRtw2h+rSasc6wTrytrf*o{Qh;sw^ud<0Dm54t_E1cu?7zv_AgFc
z4Af_{`@qU_-Yk*saCdW-@0B|G*UhWjI$)&Bllf6q{3goGdX6D`Lt_E<nZRl<f#;Eu
z8xP>INu$@vl$1ad>#Kw;DP}zqS=UBBFheKfwue#P$LkAlgx}LmSCvN5`;Hj#p?LqI
zfAV=P<BGU$b6b=m)-Oq;XFZ7v!d876Gj4KGy5saZvt9%ze_)HnY4&;=T!UZt&D@ww
zo$LuOGro#vy{#_YU4O~1$Ua-MRKly3hq@6ETrXE<=LVN|vun<<BP!6cxo>qd=l6^^
zJD&8?dL-4jN~*!Ls{Z4_%OwiR3UQRK)UUE#ZT!so#6|i0*^sBpLa>~UWOhP3bVltk
zU0tE>l>Jc1OXnqVW_^BzkeH(Ri<~m#@qN}or1yDf9<!ed`iXugb#-H?>;=sFvJp7v
zTG*jif-9>yRoJMJn{n9;e>valj$>j&CpBUBnDtfjfdf%FdM!9{=hS!wR7dI|T$#wk
zpilfsn!@5fOGRdVZCt+lq^PTIRt5W9gmF}3wnxX_XWN3Z=uX|E(XV*^vYvKQOrqus
zdb+=rP(@0kvEB&>qq1Ih(O2<(1>R|ao6F4kJJnX}tb0Qzi<36=gqK@1R+{!2AE_l+
zTlOie9$3=sWYz}^it^?n<G1Y8pxZgecRO(eatm^q+O@}x&&MZlk>r^5t?GAFBuX-t
z9H=^egGx^?zbUa1YtKI}Hz&`3c0gq^npy8udHp_J(`5aAdQrGUu7&^6p4#JGO<S3)
zn4Ld4>Q1pS>v35JpCPns3gm5I9b+uRl<t#HI&(5prss~RK#51XTbcEFiFTOdVL7_)
zoaYs~#>Rp1jS-1}6=&Om-sP2B+eY=6^%}GbOOp|sPWKKgR$i1)Sja^QDQ6T%==_{^
zASClzw+yrX4({#ITwnjC0hCJFVaFFV=mI>T*{gV<$&uIOmVn+RX8qzD8_n*b*RSsK
z)x3Me{?4>C-P0gX#@(M&*t~bGw85BJf8%CWQ{YjZ5~A9!1!HZUqgcc9t?3pX*2(Ud
z79-BjOfl;lOu0&0p1Zzmsj4=IX=Ja4SL4pLpA$%*Xum<}cSpo9>w5^jYVha<4`IIY
zLQh-YdmcES^!;xyj(F8Pe&f9g31imZ#_aYzEAak>UcH%>Vy&C7lB-6l?@u3dsVw3r
JC!a`L{R6gwL0kX;

literal 0
HcmV?d00001

diff --git a/debian/DBXUpdate-2025-10-16.amd64.bin b/debian/DBXUpdate-2025-10-16.amd64.bin
new file mode 100644
index 0000000000000000000000000000000000000000..07a95e2b09cc8c0e3ec40e035ca4c3cc30fadfc4
GIT binary patch
literal 24053
zcmd731yCJ*x8{qxdvFQCVM8FeLvRQd+}+*X-Q5Wm+=9EihaiFA?hZl1&HK$cXTIBe
z&Yh}THC2<MlJwrc{p{7<tDpZ`tDB$j&~Vt8xDfyO=QqmV|3O`%<;>McubZDqMV7Jq
zaDF!V3JOH|1qBJoiVi}BL(~tIgfxMMfr5mE03pL6(uYch-lIaoL*@q}U4R1rz8DC7
zkPi(72?d4y{;wQ6T-$2!+^aeNzrKY1ABF$;2qf}fIKZD38H5N2tqKE&4W+8giVed2
zX9EEnNzK5?+``t(+0K>~1BCX^i}2X+N+!lOcDBZ>q#)vdUO~dfm9sE%v~#jEbtV_J
zbF{Z}G;p@~`w4mw?LY5BV^jPu-zS$5mmwDwCT9b&vVutQQQ0^^9IPCyT<lyRZq2`&
zAO39<6cGA<Bt#I1`G15+^FKpWv#>R`b8{kB75^wjE@R?BF79q*ZeVL>^3Mh+5R&rW
z58vMt038U4{`Y`GB0&X0LPGpvXAFr@@7kMibtn1Eov|WLaZy<8w3>BO!eVhu+g?ZW
zVEJxfPGzHe<DO8WC^lZGwX<ryWyl>3ZSQ=){z5>wX(3aZ8uSE{PBD06{+U-Kgzxdw
z&^odfUqonw()QA%{n2*cZMK~mh7^5MyGU+s4VMZGGOduL+rxP<dh@jzD>{v9t%8d8
za>M{mtG4!3Qjy4e%DZ|(l($&kP*JQ5u2bXCuIzKIW1$|Wjdn{eHK|{CU6|<7XmmTY
zQb~8vhjaJ_<BLzM5zmd+hR0RZ_k<KK*Ys$=ucq#mwyFGtik!K6>tWq!&>@alLv`T(
zH>V=-;N{<)*Z7Y%y(OoCf`){EEDVIS_<KZ5KsbMoE(tXZ>OV=!00#*J8OW&s2_pID
zRWukp7#tbsfQYd^Mk5tclf1WE(r!6x`zRpsf8NG~5diTO@qoDgGtH3yyEMc5*SEmH
zVxzLLadUrQW#9m@bAMn5k^Lh>1w#PB^T#oK7M;u&C>l4zn$ucVt@N5`iqr#r{s$m~
zQ2@z-Wb&o*B|^o`ot^D@SXkWL+?Z|tGo_i0>}*)<tt{;9omh+<ty%si%HJgao4caI
z|75P-KYuZSJ}|MdGyi>?nhgZfheP<guduN2kdQDcASKYJ|J(*ag^K-ezrw`P+3ElL
zOPoO{|3r=r3Hb^G1%mkZbo_fY|4m0o2vIxHFH3SBL^(J)q7Of#aw8G*39-?Q-Ys6C
zT4Us|ni0gvhTpKVUGP7Am_5F;D146{kUmS~fcvt^vlc9Uy)t23sj7{c+PO`Uz#lsx
ziS;OSS9s*cm6X<!4(WlNE}F<fcrrK|4|-?k7QhLgFngHSu{?8At{LrAFt~8Y%O}i5
zbLK?_%52zy{PIHoGya=yIkWkEr=KCId4LkWjycpp@SV0!@(^;TPgtOp4g>A9<XN07
zHNmy|zNy4!YeM4Yj%|V@zjF5M9)j5MKFo6Rt;z|ytA^W`$G}I<x)hteR(QqIc&tBe
zc8i@N69+s=m&abN{EF_a14sJ{E2e)v@Zhfp&ioG#L^42{4gZ(*K?4pJC?Mhgh_CR1
zxc{D_zt+e0KYiujtdU&B+``eA{F8yBvj@4Hfuog)v%R%}kqNnyot^VPUijA$Kd`a0
zf!JBu{=*CZwaM|%=Kl?L{l9a;frG}#?kcr+weR|m_Mg-|#h`THQGZJBI@9mfqMz6t
zpZK+IYZ|e6W8y2IZ6kl>!cB@Dy4?t_%gkcjzim!fK-}Ewfhny75wA;L!+pv${;KFV
z5~2`C9y;}hWi#(Ju;=t}a_UCe(vSyPv~`R6<qz!d`2m~?%q^;j82jcT61kJ=-Rwua
zzQx}0`GWzL-HfxhQP3wbS5Zg((odq8SjfJO5{cHUdoU5lx9?$&F(Bz3c7F$9^Sx3d
zvY5Mmd~H+cTCH-RS1*4;oAcn`$ui-cprg-wcGM_1u1-9^<G}VGf;!pJo5*pUJU2@0
zt?>{F_6YOaRw_Nn@q)LA!~IVeRQT(HG9ZlqGCy2Mn7^ws#J@S<|I(S>{MQF?pkPo)
zksy>ITp$b~L?ML#8tLClA06f&nNSe=fB66`2>P!b{J%U;+*C<)(^nm{dqF;zN)>^Z
zhtjeXr2Wq)$Y4}K${@vjg?zbCng1}PzupDzdH*szdq+EC7o-0&rN62BH*fzY?cZGe
z$NWG{e}6z6|CrzZf9GQ{`ZwGA@4vwraQQ+9{ymuU!Qr<!$plbi^n6eBiNq+2`LmY?
zN~Wb}1&uDA@et)qMXs7h9?h+smWo~&#&?^>S5RhM_oYPcoo!R$>c%JwY9nt7^<WoP
zhGs0LBxTr|k9Foiw>`HlZSL@e41cm#*gprK1dde;Q`=`-9sY?&UrZ(2-A^W~r$>pA
zd8MVp@Va00E}nI5g&pxYMUPL+?)$TD=WC7bHQy`#i(N658+}*z^AZ7U>J5B}$hUmA
z7lb!g4xcCTLaB<v#!Ft*edjIAa1(q3uKcifQKKUH!h(;tr#eM<tC)h5Vl5doy~Q4t
z$^%B2h}$=m)*&z-GWmP;Yd7CF7KYE7yg?$|uk<eJ4Gfd#s$)SN#0j%|iDB;GZrb1L
z-`JU?2|iC2Ij4(?|0v8GKxDS`TU5hj9JS*GB2nSSh4*XO+viWhLLM7T3P_eTuC_|2
zsTN)}==Wi;Gva+!$~XaJPav3b&JPAZr7eiqm&{KWpr);pQNB-GQ+ia@U35SfeAF)+
zfbXLSynMMj@L<#LUaBmn#E}{6U6MKW5me)--&1gDsMUw2RIX0&AX&%~Cc_O?v9Di4
z<v{nYWp`{#)91bLI4-Cs)+xYi2^%~lx@%0Mw&Tj%PI!#;Nbk2mYc3=vhfRAJ!>NW?
z9Jubm!Emu+&nIfk(7)EM9aNM5Fvk|$oy!^sIq>%~>-k$8g96h3FL1~Iw&wo#s{P+e
z@V_-AOduqL_#~I}1XFv)44WC;=E@K$jwJb>|Mz!^w=!anFnql^zgAA$%V#RlQLWnV
zDDEZHu2(r%RPbbt_`c~D`U?qt<l06Dk=m8_t7RV6MIL<2AK`gu;3%1pcYJ5NY*E$q
z5Y|ocXAd!_FX(_LZM1Uc1d6bH^C)?}mGbipjXb{+3oB>arqt38=NvnxRC$`~U$5Wg
zW?jgwQZrx6tnUmBCOXg7$?Ic&^-2;J{iMVnY|svZ;BFEdTz;(L9Zn>s_+l(^vW5=d
zRgu#(%X7QSthN$fjL?P5`-|=?`DX_{_drS3T_L^a!>Pjy!^W46RQdF;)7Vj+Xs?<b
zkh5)`vDokM26|;bB??uR3IG0(Buabo>0e7W1nBQSotckr8qjQVo%*yl`*H3v{te3(
ztlg+kF9{{2Z)O!pij?+j>V=|9_2q=g5>4`ufcz~>P~l_t(?TM;BkkLj9cXd(Ijs=*
zw^qC<K9#maQ=UM6aCzxV=++1mVof={ogcGP7^;BrJ)=CrxtWJ$FgkiCkS9C|ZjrGz
zDaIl%>v9N4RRU3<8ZLb2lg!ArqSItRf&=pXWtksQi;VNt`qgcMrfzSl5t=c$Jx(Lo
zoS808l~GKAy!ulz;dx4dhUm8^J!*{nb-^83^-*1<7ML(P7xRiV2OzJU&|mO`NdZ+-
zPP$56?Y5bxV~042cvk-@gR*;4Bk>5xFTBI`C9!mf>U~=gQ{dfh0?(Mw<7Gwd(>dO$
zf2Vsr3*={vPH69Z+mtVjnYw*m-wzei{|e31$Nq!I%*b{*zH0;I>4uJ#8u)m=L@_R%
z+Lr2jpYuI#w*A30anZio!wHra1M=}t`)C#m?}cIn@KMa!R_f;vH)yD7)|>dH=29F>
zZe)QxhF#^+^vR1nh}ZeXKi@xnYsQ};$u4%-d5Yp1FVs96$m7fNAZv*ZmB6=u7gB&_
zC*_~!HZ+?`erQBvrYifHhyvspGN#{&Fem=`pw}(ak4l4Jox3UHY4<Aj#9|c>X_3JV
z<eBXg%tA}<ofOHw5|CA(lh`+^4Y4toQPr1zZ)H%d@d5IJQ(1ZI0v9<dO0~arcLMsF
zFKnE7oID&<W9_jmrv#jUyu<{80nHX%X6Ocw)j8ul#>1edjn&Er3iEy<#%+4dbs+C>
z6>m33DdnqD_|dT9ZQAn)2DuyhEw=gL_Hy_5i;)YE4_x7$YPdrXoytk;pADPL(h#2H
zKfpj!w`2JEnNv;A49G_=NNQZBG~UM4lqVxw8kkisc!t}?eM~aOccd895N`$YF|h>^
z)B8xo@D)xb<Fsdrr{DRmKG__EKUFQDb^A*a1NrLXYF0%WET_|ya%MA3?o-yX5Hk?Z
zd&=|&PQ<bwnqPqY0AgpQgiF=ZN@6)>V>7{1bn=&vjAVyJc&$2-@5B3^f&37DZ)x2b
zeE>0SV=0kr(Bf#6777h5i2)S+@m^wIsvnRaMSpLK-?INZC`|=>H0=`E>G+-B(ifE0
z?auBYvx=1{AaAUuwT$JS$&6F=`Hr1TsmAI7<+m7wyN1i*g*=n-qBxKjA0DZ8L7Hxt
zeCAa0F~<63ELXjhz&9EBc2q9J!fZVj$OkMv$>uV922z_?$pktzj~CSnTpb>hZ{*YA
zy*>HT77FBB>95jP5n!_1hn*7_REZo=7U`=B7rk~rBJQxcpWDg-`OTc_pdMyBT5R?C
z<5?0ns)pMmG!75=A7cC`gTMJmbAUYeN*`_Pjf`H(d&XwBZA|C`p_LMUBk5AO+tE4*
zI07gj&vu)PQjoKRRnRNG_Z(qtO8YwD?I|+0i}l_ohHd~E%x^K~^~MWRtFLhd4(?8>
z)oTtUENPL*-#t6rQTR+twXp#8M_~2&6!N*;Y(=h&hF}_UQiGu>HxrpY!<E&xH+KKA
z1M*Ard%x~>n4C+BKO7mpVBzo3A>(N0YJW&6BoaAqye$IqS8g>5S*r<=2YH3sz2D^7
z(`8|*(@fYH`D&%q<UV`?^B?oGk8HzT#HJ$x5x<g-&ajekGrPqb`i7Z&hNUtK@<oCA
zIB}bC4w`w>n?+(%=&ybup}7r|?@@bXSY^@abZoxn0{JT5-H09u`Ls2y`tJA2Qj*P9
zEzqv(tLk-s7R?&JXo2PbhGKL0N!w{L=;JV&<sEEX3MC_qfm+KzZ)@N5klx2#p#FeT
zMX<ipy5<!1M2Vc0C*m?3D3Z|RSV?Gm;CQTT0?a>o5-xu4()tx-$oeE9GZN}<${uWv
zfTVX)ss^J6#QDH@qWA>d(s`#{Y}!(Hs!l`VJ=OJUl}Cn0$Cn<uP|SrEU_8;#Qi}*`
zguCSwz1T*QRBZ5UX-no;@#+aCbmxQQ=k`GUY;oiK>QptC-s9{8S%zT^FKI>s>o#)p
z3%rV5HIgHkzqPI3?p*x&ifK<=`b4=iz(ui5N`Z3AM55sQ>(k{7cLz{^DHC(nS~6z-
zsY8WC2LAEE4Am4dSu$={hOGO_US1>|$X|W2;b>H`5Dxo_Dl}$Jr*U(w&A4&Y@?v~n
zN#A<gCk^Da-o_^IJB0A_7gzs^$&?xNOmKLo#)bc+H_jAVa5(~Yz57=Bm*I}c&exn6
zMZhe}*O`~9dMFnC;I4H5(W)|7MFaKs&B<_CDUL|Z?qxb^CkJ<->=}uo2lbkC?3td*
zBpYvlyuUn$tdV&;O&NN1tW=~LECU@o0d*#1wt{j2grkZSI*@M_gv-!~iz0tSt?Xrd
zekP+f_Ykyo%Z2gKwehA@Mh9Duj$Wff`ViXWw5<F;-Yy{EODuY{{d6<mlbVru%_1`e
z%b(E`4j8yATh+|h258i+<24lySXqv;bbYP3X_z#o7*$|A?5Kqd>hFnT89o!$fKbZT
z7g~wuXwWvc3Z>NRhNyExfV?*M#qP%bBk#ti_yAt)S%b<NNhyUj!}kqJ19)@Uzq)|@
zFO8bd2x4&C(MC@jA?Tp|Ni4UI^c0C2=(SpX8hcn^>pOa3LFSAiXz`EM&76jb(c~#f
zm{4l@1ObLc5<Rn&VkS_3r6w2FhF^=TDMT40-4Pz>+X3-_(mK4EHrb(0Imv1b<WV*#
zAnv?<AN1r;Kg2<G+b41%@llN>y!gElMNO_nc?0AbDASJ$ta1j5R3i_Wy=r$Jw6A3z
zBwy}6^z@Q-4Wy?5c}|l>iyp1tQ6gR(nDM+6oCif&b|E=Pml~&*q3)I?>_FbV;dHEG
zWEoL_d<);7vAW?Rm#UCkR(irV?BH5Cg%vD+GE}~l<)|LiMN|-t3Ckqh<>S90vlc3~
zvJ<#A{}l?s3e>-BxKrdsRgpH2!LI5{I4>Q{6G16ntrtMngnRTwMc@bHLj^{fZv>O8
zaGsE(q%EX8qfJga=v6n`MbO+BqE{1uygR-z21R&jL!Hxn>Fr7K60NbrXGFgY4o`Jb
zLm5sNL?FKxVu$VLk-;>oP;kSRcEUEd{MF8D&j4rWi@-DQ<n0KM4=Al4bs;<^tN6OI
zrh8~X(sOi1&)Oe_lTeCd_PL}P%-`~gen1J%3yi&rK(zVBh$>U(F!<^^HX_=-`qM1f
zV1TVJ-yM5qZeB)jnRCggo<E;C3QOZ(f0~&p>9gc0>8J3-2F8Q<JF*Nt<V`fH(?ix*
z->?%q4QnavPfu}CZT=-J?FlkK9>)#Tz=HWlO7IY>iJCNRlEIGsyX9>X=#m7gh$R^n
z9>~*86sgD;f);QShJ!7%ak8yoASf%nv?9hAX(472guwb2rs>$20DG$0gH3Tle)EMB
z&~n$ZY)6aVn_s;Xka(4ZKz$ws=dPM+hNPgXK-{_aCDZ({e&2?-un*F@&P7xo&%o*#
z;gCQwn+mN`b}#n=2E9xq7yB{oq_1)kkska(Z3F4BKz;ErE4d|uc`cq~e|TpoPn`x$
z$@;H!!iWe>!Yq+thdMxBJ^qo>fnwMu{xsKU#Fxk9{aOCq#g_s>vH@}Itf3CDdR~V#
zbG%*J2TI0VX&p+#ersyM?vC;dGJEFKZ%KHf3aq}eIhtitTkoG3D*9%R*OuU-cersv
zCj1GM%&gfVap4WN9(CQD^6nnVbuXFQzO^TXwv&Z^@|!d(88kgjo<bZD1IxE*>;lo=
zNoKz2V_$m==&-5rryyAB_TMwjC>~YU2g0<#{auGDZwLx2+ngU#qD9DVs@O~&x%rkl
zywl#FvW9Kpb_d2MRECr(OrksmsCIgHJyznh44yfq{b3x@2o}#}{vr?Lw{4ysawu^6
zwlj~ygL7%cE7<Jp{PyM1l(T$QmdHMU`NNhBtEMWRgCu`cywf+PO(MC?W9AA9!WX7&
z*1TI?gc+dzw_P}P^lmG)(6skS@Of{WtcpzFw{;UpYCq7^PafJ!0eP>{aTTK}bV#yB
z1l^W4x7o_MpaDT?HGRHb>?_9OK@T9GkVcG?)*Y)g6wF;Y5My-Q@>ucWDmQ+>!dvDx
zHZpAq<U3q`W4yAVYd2=(nzqkFD@gBh7O||KbKnsxOKzKP;Q@J*>z;g~V5skgt&Ys;
z_qw_nq}BwsNeW&J%vO7ABM>J*{+)*j`nK@ZG-+wjM`VuA<uz_!QLSPIf=59lM9$Xt
zjX-|C51FSS;3QlX@}!uKGhj(Zldw-A{GFAO{r*WqIW-rMmv|*IsuOB@hB@`X#%A49
z{Hevvf{(6KeS^#2_cX{>2jnB<+_^u*v87KWXdXB-UxOA4OfzmYB%-ev8La9<Ai?G*
zWO(q=QxG|K%qzJL_IuXld-fgsL~)7V1N{dr3mu_Jfcl(8{+x0(hEP);D6EkTE#;hP
ztXKwkNU<Q*D4!$u;SwM(6cxpPTTv^jL@32U4aMqGfn`v)Mgb>hbtN%{L!k`T|EeHB
z{$khZ?H9OV{ib!(vlsRKO`}_D#b(*`<#>OdN*qu>;(GROC#0W!5;g}hWqb0a2iBo3
zI9(;!Q*2dLa%=So$mbClovPvYCpR!(BALS1iIr%5A!}00`7IM$e=#tr-wWj1NoH-7
zArOr0sHmX7mfG>Zrsf5Q<Myb@VD&AA{TUSm@=$vemSg9}kV0g|swZ8`LUqMgpEFMr
zQw%t()g_rPn}NLTpFhZ2kP=Z|$+8&VODhW|ipaymw_x)k;l|b9F1FPIdDK2xmt(^7
z&#jj{t!w&QCtn5>A=tO#+rL@gA*p0h$pZNx^?<8lH70wF#u1}W1gf-&hvJ5In0ljQ
z@Rj$S2Wnvbn!psz__q@=u8Cc$R+@ney;W@u9!}GhbXi?dPr<t{RzQ6e#l?8Lfh0^R
zSDn((KoKj(Ke?7gSB}a@4G@?(Y};Rfyb&3KS_6Uj2gdlJbYvNffhO85{;s!8ht^n;
z+pD!dDuH~mz58!(gVfY$p2O@+9d%RR&~V1Pk<lL!W<{y(o;Q3zzU=Myv4x)^&D>e3
z`6>B!1b1~6#Vt;?Kd$r7D4ZIi!0Npem^?IL&f)mlIai02T{|a#A1t2Lhr9i5Cb<j}
zkX{5(AMRMIYR*=n+T?c;mHOJbH^DArk6ydqu$k*#4pBNi4v<Hry%37Jr`{tmTXNtk
zJ?l_PWule1wB-oH<HbW0ZmI(EBvI<UFD*Z#-cOv7>ZS4AvoE7v<8KS<)T!|?<cF7{
z0C^ge;QE}<OCzjW%krJ$mi31<9|Y7ut#IyFd{Y|vR|z1`N=QGb^{FQd^lc)kHTlaM
zT!FJnmGcOe0g3j`R189}c@bL`TWVm|fX#HJ?yvEjZbs5mZOjK=N{s1jTm9kmd9d^Q
z!IO12D4ey55&ok@xTW>_75-jbTLSWH$f{>pb(U^AFdm+LYw<DrLjn|BjdU^*L#8>!
zjxSGpt&oGvy?9Qw9AL+j_hA2+J%*z<G49Q<MX*_T2A=Tj-87=2>=!7DBn2l8puPb2
zyNi}Dnm@h>o3$Hz2J`WYQf%vVh^-!sa0>e|(SluHLP$e48qKxIW!uP*C7qBwuOuKf
z^q_qW77>yzy_+^L|M_UvO^veHn{O5DJcK=2w{9Hir|x9etu~`$=b}?#2G$R%?IrL$
zPAE}!x=z-xKAeU}s2Ec#JD($Z1}@%aeosjS#&1%;KS8hz-Osv?skH7ihC0eNmxrI>
z9584H3akIc3U+?ogMx~N-?xX&bt{_j4+|u&<5u`6t~z|Csdh8BiJ=1P$Ni)xz9F*l
z5_{GWCylDM42xY9G;6bxN$C>A>)U^VpaI4cSlK4|gUWjP-X!xGM?>x`o?!uj`LYlR
zIqOp>?KC^s{>CINpjf=oFu`%%UHvGtNgwj4<ll7rcK%EM^XQD^G+6$p1vQ?DB_19m
z45?n;_;aM>REhJU8S-5G@w)0Mb`RMG#*<b$*oL`4cHXXI3HwtXw@rd+U}#dx@tF`>
zXPbhZWe3P-(30<+L<|3{mRYKhybUxz6fLp;u3fy<IVs>Ro1E_m<g=;s#z7={!`!|<
zTr!L{&aFP|kgL5o!Pr{OMB(JQ5Ci#~xz%PCU1vO+tHTYRx)A6>A-=mZm?Dp&71(88
z%1>oLzH<ii-QkiN#`ixiHN?I4^mG>i4R<eh1@+k4P-$gTgFwDZROfz@ww&HOrr|lj
zNkYqQx8geS-pbqcQP3i~nGmf1?f;~8eS%R;Qn`aaY!x+&$enL8doAzMQV6HJO+1tZ
zmT%+i5STT`sLlh$;oofAiiA_~5Dw-Z{Z~tSxg1A6d4T!<MC^%eD+ObBgs0||Z)DfW
zCVU>D%{h{LO2Rm<#N|aWF#ew$`Y$MKjj}=WSFfS*&~pe$7L`{csR$1>Uq!7RKZ4C4
zw$l@CqB;hXT24c!0;f#vdU3S!#$OoV+h$6$Zic(Nf%<1b#imjQh+h>fhjuX5A=>E*
z;y0jh@v3<vsc2(;nZeHQHQBtu;9&}ekl?5{Nx@Rt_?Eqf4_n)M+=7*xlwM3SQ2!>@
zX2~Hog;&2ofw8LuDTQLK+H8edM9YU~icisJ8Ek!*2{kXCH|hBG_jY^C^Q#Dq!uU+}
z6x*{sW~o4e{y`pC|C<9*Ej#ZiJRGztc`ef8+ShBxj(sz?{%JN~jJL5W1g!r;ayddK
zu|F#Me(n6$rcq(ILBLPLlH)yMYrmDkvWufGF#gn?PsyLY`~U1We2t}3jlhZ|Bi>aH
znL~}}^C~EtK?IAZXxY7ap!16g#}9;uRt@I9;;JXCBd;nPOOBI9P_i)#P@l`jLVKM_
z+;xL!Y~pq&*ZrqrO@?Yu%cCnCCohCY@;4xF|3w_>s)}3Hq6+Cx-EuEAoBSct33s1*
zI3)Xg1e0O~kk?j+ePbDN$QdDSk3awW*qpZ2TX;OH<ohbw1g4&nCs_WNmSg9i_Pybf
z%NEh$rrA4{)_Ef|xIZaZ8Gh>q34L`5)L)(8+w4KxsjY(v`|g<kC~@0or&g%Z<wfI9
ziX&gyHUQ)gAh>n9&|uU84j>fW8`^FQ)Glms6DUf&HS{dEsNr6KJaNP7*wqNu^w)-@
zSZs$s45<m|JMa{C%PO>HOxC_mVEqV`+N%RPJ>E{lH|L}tSD3GpWd?Lhr7z}lO*KZ`
zFsxwxvXnA}2by)(l_F|Ian83NzBvpbi;KoE>?ba5g(1YwVDsu&<?~hC2c@aql0!Py
z4v{@PzVGOFQWIYf9F_WuG*Xd)@n<k`WPUBakC-!WmBnn8)U+br6E&<oZ4e`#An@ik
z_5$+IchYppk>OphE6}>gh+jETrcsustfpg)Q7GV9<0`^{JnWJ$t^>P@ft?oGVsK_-
zuLFIH0u+0)`w2bQZ~Gn`uzC!koigI^kVuaFRS?%u(X!SzEsN3me5=BKXubDMUQ97i
zpA0`C^n6|SY7H__ybY~7fIT!6vJI8vl|S92SK0eC3CMq7{!T((w*j3<i^W=IhlDh}
z24xVTyq7Y1&RpBp@A3)A3(ua_x%IHg<Nq>IyAIxETSK`egv=DPf;|7G*g>7+2ILK<
z1`6G}HK2O_RBzj}cc=a6u!Y0j;vrsd+uOc<;seVcbEmmGV!BSHLzS~v4Y%?jGtrE+
z07Ao83dZDs_d_vY^G2KYqd9@-P?U!TKj)|CVsg3dt*CHp>~<2;iB$=SB(V8_W1n51
z_i<u+T6!wcP_=Um4k_&S<LM@yc;R}}QSz=pVEpk$w@-t+o=t1k$>BKq<eQFlu0JZ&
z=120-_0jPEFl_<(1QW}mb17b~xB1QQ*d%wh7SxJIBxAx+nzSID5ZRuTfqYsqA)=U=
zA?kJX(vTu!WqhW~i>T-3&Kw<`zpDXN09bvJRiog#Xmz_#n%3Q^CzAC=4rU`tvi~f`
zH3=y&?v)E{KAHPn5WRx{xrgl`KD%I`f}P;BpGUkHm71ckG0d{?h!Gf1%R=LRh?jT}
z8l<<^_R{C7<FsKqv|3Y5ehD6#W5v~LAm0x86Z(C-QMNC!zfJ9DlF>+IyepP-jQFP*
z<Q<!8DX{gr?_-)qZ?Z4WO_QEu+3mNQC_7t6FY|WP1TO7v5q!%?p#A_8<}k{%ZuIq2
z!pjv&xDZ8EkabDqI%B&>N-y$l_&ksw$}ui(;oc$oVkV;Giw|o_FvUk>H)qQpPe?R8
zvrP#$-(EJ2Y@`W6FbnNvZ`|ozxqqt^z-!?|nb}JJrC5%f=oY9CgUs8{ec1H7a*4Jj
zjy<rr|4!a)_bW~tN$FP@<!{n=Kps;hf5JN+X8lf9LsC-C(zjnx9^X#8r1NYsKPeeG
zX#&X8hPz)fM`c@&-$4%Z>&d5USE64(*Y?Sa;Uq8!w36WhdFG;VOES{B@2dw)Dlc0$
zr*C-+H)HmP<}l;wH57Kuz~*~G3u7B}PVVvk)3Q97vqYLma#3w!TotKXt`qKJDr@^d
zeFZ3-=bgv!w3!j4j|)E=uq58iet3SHcs@h)XT31oGaJZj)Bj=bjPyKi7tN+7d9oBy
zfY{}zl)EGCO%rdrM2p}7@)?U&`3t^E?=fOJUF}(9@chH32Tn|+<g808O4a|g{RHwQ
z2&I0Co%hNNGX9S#N9*fE54Gcskv`nqqnE^3`@|tYzH=VI8Zu9ZD_D7Gncd}krkaUk
z+pCKKBOB4jLQQ2lu=&z>hKvwwe3Nyz>a!__>e$8n<<vW8;~8;ADuWH(%}FpnTsVtq
z4&1h`d6LTugpY>_TT4Q!m>_v$SETy%V#i6t4~*wmJ{HL|o=@GDArr=piah~mrR6nD
zzCe!^h$dbtd=RYu+@W@?sdPlwktX&me}KA3{yEhYcymY-RNpR`k6>5>_I$z~l}+y%
zyez!8Cvg_HNwPC2*lUyezPgzt;R`J`&k-1Z9@Z66gl*z;;E0p1%J_TZy7!)Fi0RR&
z^-8P5^uQRbKD<3h{AD}PxArJ4rHx3DWr*$3Bv&|Fzb(BkqlXFA$qn4!`L~$ylbRoL
zqS<9l(cWG|`L*oBDO9|7LrZ#e)qBEa2J%!m%s3(n-(KaPU1pGtLfvSB3EMuw;>6pZ
zy~SUTY|a4k366wc4NV){S^N<%2|_RmZB=T1*rqy#9r++*%DIz+t*5JzuYTn@gb;<>
z%;((^Ss;z^Z`egqfsffSNn}6bnsR{p85*bZu)C6tc@#+qMXE+eA?=j1gv&N3XsJE>
zWY3cUKwjb-A+fueu?+J8A}^C(7sVEtTd#p9BSHX+TIEIvS{{&p?BL9~PT9MC>)4=B
zjKGqIhFau*p_o2oj?)aQ1%2}o$Zz{yKcl^pclY+_7j=IQ*Cl;XEj^s#)04CildXKM
z0;^|ae{LrtDKcim(nm?R#iyobAwi}!;Xsqh8W%66k0Z7M^|c}{%inV3^AjxBL(lp(
zJQY3M!dqYdZdq7vc}Gdf0X9E`@RLo!Qp2vpLKL7d6=0&;?yb(=X<S29FGzb&^`T%1
zsK25A6Y(?Q2I_R3YmRMfu(|n{!%USr>EaplJX)ctp>-fHd8013Ie21%LcKRcWu(0c
z*%@fyHvln@i;i?grP?qC<ZC?YgpBoxdeVI)Bx*<#q$#6e7bvHGLN^!P+2j1#Hv{s6
zS~~?Lm1@#CA1^ltWh?3Cawfgvg}8DZ)Y{nwG>Bz^{Na+*_|)15_Kl)%#xjbVBl-D~
zG<1o>T#5o6sgnZl^?|(UjK2W&r{(?lz|76Y2V9AXtf##!#Q=Nrlg6Lzo)OPLo>o|S
ze?~fwz*n2Ud(-QkV--v1?3*jE6Zd5N=7e<R6Ci&&H?Hbvi&1fUl5;Sob4r`Jm{h@Q
z@n+U&#N|&fdG-$=A74E<kn!2MRH}EDOU&rHmO-<Gy11YGSz&*<UA=?~Y<@LnQdXa!
zlL@OS<ke#l@qs-PW_!hg6hHXQ(^tsyr8TgA1V4O9x`cGijyZLD6rzf_f>`Uog!9S~
z>!2@Tp=!JC5EzdoTHr^OW{CtP*yww%Lias7NiOH6l?7ka==U`B&y~hNp0s*_QM#jE
z>7(eTqo8Hg1nXDnn>kt?UhHs`0a?m5uz3Q-l~2UgzR#KW{Cis-p0&SsX{z(;&$r-{
z6N(A0e~_I5^{J6I+CounK1PToEP#GQ5$7Y^rHnFeAxP7ygx-^-YXN!gyquD0&9I<U
z&PF}McE+JH!QvXf{VLan8uV}Equ})$FQ|X7jB31j+N6;iN)M}U1Y=Rm|4O@iJk#sN
zNDvMz9>K$hS<=<QXMzk2nBX<pzM*#&-=dt-HN}X$c~H5>RDkh_C#wy_5{aY6QHI1l
zakGrMx7*2;a)#1IRCq+Kc3yzZ_cRIQo#E8B2o^Z-0z)tEksHmJ<yYJtTs{rMh4!%>
zf$gs@Lvu$I-bU-MR~LO#^SvC`8mu?H4*uszT3K9z5UnY|c>I3-fg6w;05KJdyK(Rl
zymVnU5P#c)lke@tJHuev@CWh<!bgPiR+l%6jI>{7X5W_4{`mUc3g_9^SNU9wO8*ti
z|C4U11TyTuu8_)R7OcI6F*2jwAF_tNYTuV3s7Fd_1DpR;lZ-`Hc+32v7%YENNOham
zN$^Qb$JIi+J^^K-@zSUT7*F?D5svs3vPyNyrx|{4?q=^LdQY4{xk1h1uz{X?kwPHf
zPv^_gUv@swqiAng;Wn4~ZjULGYmM6G_1G={Y{V4o{@sX6b!1GV7@?YjV`!%Q&^}4!
zeyPh1JxhC0BMTjS#u`w6g;d)>sUSw6sjlXzO3L}#M0)6{%QYtqsonW>kF6D~|6OT#
zJ0AI6cQ524;ydvH^BjGeGQZR7!J1%(6vs;%3$T7_lW66sQsP5Gw3J)=!YO2&Qrf$c
zx(JyKlNh3uH_B0zz<BmJA*kO`67@4nIIGsNges8NdyAQ6GP~~%+I)GPiV_C$H%mtg
z{nXH~T(fBH+!yDoEUKKzz0$hkzg4y0YfvwL2lBT>JuT0hZTm#7<2-A$%~+;6@=0;u
zz4O!^rFbT&A2)&gi+DoS+-|L@sF5RzgA`rhk9w*v!X<A5KTc8w-1#P219@!Y=2q$Y
zG69ddwBx%eB+z|^uLj)?!Z|9hj>?d{S3Ho%#Ym6gpV%b7dY4*u;03k+xbVUEraJ0H
zWwMdBcpw%mKe_aqhhObvCe=-Xd6`4&Pl{g^Y8^82DCp*gU3mTN*n#>I_r=$NSfOP@
zZg<vy=!1WZC6C+n9v^I`+a{d;i0*n1<dq7?<XWkEj3aww4y-qrIxKn0M_8#$>)^<B
zPHY(qmVvyQ1xsHGs(&W$4q}6t%db;M>S4QIdKbC!i{C-TVei4_3GN?0YOO!+o1a&&
zwv{%zd(|k`d(cCn`ELssKD>Pm1Y3VSp_1F+3#zw`BcD-gm|v7EwOrYAN8ujc^zioK
zQ@e5j;|ZZwgNQ(69c(6aTEECG#?oGdIx@M@5>n~?C;)*kxC-QBl-a(0QuA!COZQ89
z`2tgqh;C`PWk?}ne5=xgC*TiOpT{nhL%+${{~<il4ni!bdsS0<W6Bgo_4M`S6>15o
zlMbk##4-BI9<ty>o{he#V3yQccK#estOwNyr@2k@-S1-`AfNf0T6j;OvO_JnU2Mhl
zcN6?Od<FSl_n|4aqdSSSjshTG^zF~~+c|CJC+&t%(5nA0-~DL9%IKK0G8%4+v~Aug
zAYT@=FQC?Wfiqf=#7c*D;B)PlHbT-dz-OH#xJ90g47R>EkblZSwWv=v5?rii{7~O0
zHLqzIDsX8o`UTSx6U*;2P=6{~Y%}Ds96BZYij7X+UFF=D)po{>-*mA{7fBM11k6tk
z5DGa@EilhN6Vr^fjdjbHENr1SqpM)oQB+bBcJ!hE^$&-Mynhs}BNxRm7R6eBj5Tpo
zyB9Qt^x4rRICHjL1dIO#WXKVVMl#S}0_}fJv_3ybCg#+lkI1=9u`a>Von->lH!;-2
z;ip9V61?(b@`)%nn|IknB>AYIHI%l4MxcYB5y<<)P)#-OxTI2)Fgj*cjFA0(Kq}?l
zSdCJ80aAs*>)kw%ho-&%h1IBZ{<Ul)$O-y=i=Lo-(D$UUXJrDT2FiPFu;;a)*To@d
z_(Ta3Q!jFyq})aV^AVn5?L_+#Tjw~)SUte{9XOrj)*}dRPx@cY5}O-ov2uIe_{!XF
zajmtk=qLQV2Ecd_?=4bUdt++**%OXs_)J=^JgB1e2DdAai)lDlI^TiKXOQ^F9nTdy
zyJ2(*Tn|*+BY*rtK)kb@6{F<-`ggh$9}Cn+GK7b(yyB6!Ughw_$=H-sYJy!pHV74A
zQJYuaqgm(y@^~7t+gT2_%R8=`VigY-aHI9w)D?HE6YeK__Y_3XVCM_Jud&rMX|gYc
zIO5ly@T>$LoS@!_hxYLh2WONMjC>SO|IN)XG}59F$886E<yJ_i3)dCvoLZQRjw3wj
zT3EJ)JCJ{?n-##$EWX)x^RNV(js5y~`0@%X<rsftEHZG8{-_4zS(U$S!>XxpCwzom
zcAd7Z()@&`GSgHsS^hjV+aa-`0OUV3Pd0s)RUcQ0(6V84dWfMz=;*ZIeWB(S?_}LR
z3+Mpy+!d#E91*1FsawtO+lNv}YN`ljtv;bLWzqJlb7)$E)f>{1PK9p@3)eV~*wh@>
zpW9haa8!}xp|UUjv`(5^MJEFFKZRimi)T_iw(+;$@fVkmgbEfel|_&dFfTImI5#PP
z`KQY8a$l(97m%&!so&Z6C_25^6PiTD->Hvug67ZGPgp>G-TGm3(R$^|j+6FaSJyPG
zI0zI1j%fG6wo8uU3~Okxd4fsc>Ub1L_YZP=&Fb)6N=a!q$pyDBVdU_KL&QjWW3c=&
z1C3(tEn^^xppvsRT_=Bzgey-wycPrvAJUgQyk{~8#$%^Esdd9%mnDxghUKkcrUajp
zo;Q)+?&E!p`}xfYJD5K^G(nzme*Ed+=4jKRpe5{`MxoBn6kZkLb!}d(aBuYp)OVYl
z9yL~o^M4icUSqZF<M=gORo35BT%IDf!erc>2UeeZBQCWfJ2v-CToz$(bM(y?=(x0p
z2><TDYZ%zF`f08T)b~r308KZyOcexg9bizf{H{GCp!72q@kG=y50&Dt1-t(eyr}0H
zfxTeU`tj&e60K^jAC8}<<c|76r~%F)vZGQAs2_%JiMwyw38xghOlTlU%*(fCa+ZRr
z0{#1S=zD>U=nRmLZg{B<zqv`Qv<`DHh5BG~Ss6?z6H>v%Ep=PHpM8D|<l~Eil&nO!
z2DJv)<{}n*zq?{&<>(0{Ddqlj8JJg80-Nt8d_tU^&M|M@1sSge&Nm~g&t2f;bHPps
z8Pj~HT7KpL>gQv4ewI&4&sKv`n2jveI>u7RAnaeh+eE%(BsOvCU;y%kpqD*uI8Qxf
zml0GX5WHDG<gv@fbe8;<(8U5W{~$Dwuam0J4aD4%q<PxFivf+ldo%goq|+|IY5yzh
z;62nTSiRKhf%`KLmd3Bx+%H-fo9Qk=Nzsp?Kxy8TTT5vEY8LGLwu`+)&q#Ohs_af2
zrJV=tqkm80W2cRY3cWjNxIQHVtLJ-FynjQfLBW?<$XLa42=3s#S+V4Tq9j?zc!~>6
zc83ARKXtD|QhJzBnfl!>66Z6m6uDo{5A-1rZCenHk2cK=*!<^52j-JO*7K?H+pHuM
zcik$zF>acRDL&m7L6Xc18P0B?{?80i8VBc8WK<tPR1*W&Ye#{(3!ZqzsAE2Ba)$5;
z93X#`?btgNs;e(n@v3IGh&8`1sEETFrhGnqerkWFZXOKeFUP)DLTITiY%v#m<#v%C
z?!q$sD$2OM>ir;!zZUj28OYyDNoXL2<-<Y=<UVAtqi`+#2pki3dLSo09uPhEFaxX4
zpO8DKEswN+^Ot2`83#;=-0Zhmv8@=j&=?}X@8|k!1NBi*+=KkSnjOPv1!Qb)AuX8x
zMx_0D)^fW`%^&OT_S^vE(Znbis&4*10=dmfYD6y12^+pq&+93P*0_qXVlvzC4aj4!
z6a-7Wbn!*L{j+@>ZWO(_^xJzr@zdv?Dzt<#MJh1AA}JQ+Ve}Rr1!Xunnl>8b-Qg9z
zf8q^;VmD;+tf|QK1nN^gFLZ-~r}oNzhwCbFQz0Y$+8D7{&)qRlB_S@oIRNY5-^q5U
znK(ouPt@LLqyNI@i3o&#vQr>e8i$j3x`RLi^M`lVICLYcT*(370%ZDY!l+hg&!%eI
zp{&|Z^CyJATlE9uVIaz#xDBZzR-`l`@k&;fsbeko4wI)egpLYX5jYT#1M+MZX2Y+&
zEjBIR7+~!WA|obn*{7#L$mu<9J5Imr;=Ta+_isN%pl8Ru`u1uoClXyb(p2Q;TcHsL
z*aYOoQcO4M0eN26)OAD8HBdWl=irneAI)2owD-yfs-#}f*6}k~{-Z!%1&-_%HG$5K
zMQrICSM}*rSLnLbiq1iiVnTTt>um?v{T+4l^dXd2<t*1Z{%*#^9Sl877pYA_<+&vL
zC=b3eR3@OlrbKNW3Cr>%_YlqOUbpn0WqragI+i-YPZ-x}s&n6|fV{3*_giEV*t<J|
z_;B;0<Uu4*1+^BOL0&;H=J7jpGie}ipsZbvBVq6?Ig#TTr1N+|-e__9>{mkjJLpFw
zPoEw=khdTz6qa{4qz>p%%&I{i$9sCm#M8cHlqY~TMo;%U84k!>Z(gO_p?oyw&G(_R
zK?)X&opv3{sSEl;*Kd0o7aIrmyoB}3iXrrs%J)dE$$5N!MPpA%@2^Pp*zYRy^Lf9`
zwSm<GPL@wPSGl7jA#7dQhG-9nklj@KEKKa-&1yB5zE09${gLyxY;v2CFT}H{KQdzI
zQk$wId>oG+Y~K{F;+&vWppydQ_jYnDL3P-W^k_*!!IKhOw&7IXC`goMr6M8GYjqF2
z0`h)z3{x?qUize$M~<EM%a&NBZh`GY#43IvgW6t#7hvmG0CVjl(<M)Mij-q^RX09)
zQ=D}!MT(kmGcA+`(q$u9zZ{^GUcHk(P4i+ZIlRI6j3gai?nLF?PNnpRi%Z(koF5oZ
zBuHDY%lq^1Z3;Qhl{kDO;TtG)Dg{2AT`G=LPo@uG`JYIj{Z1srne6Lj`q<Jn{18Gy
zRT5J!A3ee{^~YEH46u48@j?AApJ5L2BSEc>o5r@hTR@#Q`$&LH(J1H}`NIk#FrH+b
z+edZfv}pKet2$5OvXAIHqOW66WW|i3j%8x{H(>R1ZfBXQ^pEyje(imT`w<%jEmU`g
z%av;+OGkF+Or0P2K>aGbHByEGhg5FGx8}V5=e?n4zKZkg53gp+PB*r(`e6C?_py_?
zR|q1fbJpGVt}YUrcAxa{vZq~YLZ#wUNK>V0pnj82%MZRpz2mByDbdg5)*<%-l;XD4
z@(X8fcV(M|@X<hiz#fkfZm&U!n#YjiL!y+&<SYT#Mog^Sh@C4Z+nx;A`a9v2I@=Fd
z^}Lg7zxeZ-36Up`<#?+S*0n8!(|(gk04(382!B6MS<YrdEKyle)$%>?Y48~Y=LeeZ
z#vN)~m&;)T<C(|rfl<=-YILCrGIXEXB!4l*@d#>jimZerecR=-2ljlz)^s@Wg+q$C
zI4q2ha{$_6<`(J;I&M-;`$eFAQD_g?d}e>SvtuYq>r?}Uu9<0!A=ND_%Dj$VVr|B`
z<?<U#To*8&%d{^J`I${Z<&gugKI<bvZl!rE-~MdiRJ0=cB&unF-G6yqG>`RRh~{Gz
zYQWv6ZQnQLQ`zF33x8$2F>vQVh~oz8i=(}c(2OZ-di)r86(AHekS)Wq;!OOV_B||N
z%qfEnZ2l0t=Eg=VS0P;(tZ$v~wUz7ma*8OP_KuLn*hxw{atsNmKkb+6gNQ-(<xBtV
z`2DZS`?@&jq8Sf^dtA6bIX7IfXF#5T0xB>6y^;;dWNuhhc+&62{D`oA8luQh2Xm7(
z<z;mskNxG^>-0$lzp0sXt1!Si?nl_7T#yA$ef{a^i*+Fy7+-OwM4R}CQBR4`FslL?
zY~VE-rkxAD%fYK~<ErM95Czn~QbBP0_|mw%e6+VN9vtGraEv}pr~P5hNs&nWUJ@z{
z$Y)rSsHW&VeMk?@TBWx~vzl;yYwlpB-T9SH`**l7CD`$?QjzleouFyqCK9zCCtioQ
z<UH_D`k}G&nUf#(rso_?-v(c<*G$m+$&U1^j)PO?%T{yn7S0ag-fcPPj<N^>tlt?=
zDVp2Zpx635qcM6#)yHP0d=xD<xBX}>7HXKa9aaX6f7N?rb`^6QrefXJkR~XOqn@hS
z{{pn;#ZDStcvoluR=<VAO`~}ISoejTCBHRe$K*Z4+YEA1b?cObvZh{n7YcSiV#=g1
zg<>)|{c+iF_a0Ss5JuGW1aa7)1Z8-j00Q5&2pA7tB3!J3fgO{h^5KsFyfQz^L_xXU
z=1BD}v5eNhlPh~5zvPa8Z-iL4L$2bEFs{aPgc9qsDNN<TBf=FDNFWm04CE)snd4}b
zPh3XN%7?UbxX(%+Pu1Xz4?)`j8m^P?nZTa^@k+k<q{ms8B}(6h(8VkO0pjXmJXR*f
z%lU}fgu;O*1=OFOE4||F*cVZdwxwCSHox>juzRF5p^Zn+Pjs@i*ZmFTFTTyp4~o0{
zZ!I@F#x}{!g*VO@*p38U_au`<Ugac%{XWh?K&WZ+22RsXAkt&0oM!N&$hgisqY=sP
z>h%e1&TSMxeF{}MGTz^}Onh@`b3V6*xIHfj`Q2t*=GRL@J;tk_!PcXP>u81J!=)Wv
zha!!^?n?(3ZT1*FgFHUlYb3$A8HQP)e!JA0rR$iscwB{4K8dcNCKGsT+lG43x2Z!?
z88^5Iuz3jXFP1xDb9E0SCE<RKI~NuBPj{G@NIFbr4T?Sp?~uTbPhE%Z&F%2PU64K&
zz6rX>{zC3EM0y{+RK#!wvYSJn8!#U3{htwI=@~6!j4kgLUlP!iG)MQ`<y4kfZ6Qn`
zKNkuEd2$2>1IUNPpKIiH3TxlY3>h&W5C^82D0G6v^zn1AegSz>r{AkrtayA`8KXuF
zD4bcz<XLdBKO@9b$gp&OSx)2ud4yRW%{mVqiNYZCZ`)#=;nX-AucIAjSd=vVDsy=+
zBtSk_nFIr=Cz>`$u!^tvdy7#gHr3oE!2^FzeLW8RSgtXUcXDT@3m7<?MajoUow1@{
zSE*|{RK$ALUok+z;NDIm1oGkrrQwbOw@V%kGEg|e)T5tm6o!YK&oph>KJJP8@q-=z
z753?ZTdLI0=f{f5p1zf>ktZ0Z3_|4D=$}@<uUmbZ1nR@ZAFa%R=+wGBu=+xX-+$x_
z(Z;Bvw8U(G8Cl4Q!~yH?9#NBU9hBl}?8Mc7_I-$2qIJ&`p-@nRFJs#sB-qUZ^OG!@
z2m94p10?nx;qUJ(R;TE@bS=Eing`e-Be2tMR>0P;8<MYUtpzxH%J*FDH>(NeLvZ_~
z{we!Epm1wf`=%Yh?mtR)Jw{j9bU7!T?gVjLH4v4}n<VQSI5$6y@uA{xHI)PR*Luw5
z2u_QmwS3efW0gllWpbAQJHcY06AwP^VNZY#tUkoZPVi@vKPip6gCBpiG!x4n6126=
zn(4A4KbtcWL4g74Zy5}SV1D&=_9vs^ep4I5a3jsy0S7S~KFF~YwO^611mtJw-l}^0
z(%_U0`x!4xa+CcsL43xJp4>FSI;XV3ee?tJ)&@j#bnlkj;*hM65H*8xtU82#R8ie(
z<%Q@QI~lwV19=1_Ltoa;Q3&BGP@}%w;nBf}W@i&cW1|lBB=#u*6Ij0!X=}cuS&P1y
z7S!FUI-Q<1n-mANs<!R$1b<9ceyafq)Tb3@$)|-XOv<#+Qw&QN5)XXUCpA0DR$+8c
z6=bd^cm?uj`gR4A<~Gf$vKa&IoJ+pO4++ZW?;56W2-tr*AIlO0d2IcN3Lc-K=r@<#
zs&Q~)t7_kwvyVL%cI9%66RVi^z~(cz#lo6n7}iGRCMiF{4IUN`97Nl)otc?w-)sw$
zn5%%@A77hRTR^;^Z@~W}m%nVg!xa!vIHUmzs#Y6ZhrRtx0Cs<YG~rqBOsJhf-|hae
zknCOGLD*D61F4evnTOV{ASPQDF#cD|=}rwpsl1k8o0_neAo5<^MF-Ln@isG&1C7{l
znI#|}O}b(!_;HqRXgAJ=(f1`Kw#TC!D%riQEwk*Fzx84p$m<HX<oQVuz-=b@zRU=v
z@b$3>eqi=;5D~mbQ*Di00jr;*4?_*)?KvqT4OSFeT-gcI1KfnG4irC6t8^02dSsLU
z^_Sl|eW*mm8taBxUkd!&!VC4RYB**6_%?>W9{=q<F)xrmX^!Z1+I*DPSGdtsE7GDh
zU#hH|GO&p}yNJ=HW}LJG^3uf@d7miHp3XQ>QBNIB<S5GiKD;uJciy0pY#+6W4-Moi
zmurKddLFaGW~Iox&KzYDaU`5q5j82#bmE`{{1?F17tfx~&&gioEmY83H$IZCDu@wb
z%>6kCKW~kcgc{F$!Tg^|qc00KZ&zA@B5Jqp+KsA<u1#X%*M;BO9?Z$0m!Kgqo*f#v
zxHeC*Q4`z&-*g9$z~FqNwD}QppO=~$C;xZ9+JXFJ^C&7$OAx>E+uJ2Y8{x+c<m|5$
ze~blRtAE4#<mE~N`9WzR{cm6G^2M8*(5gFvBHW=}+XOD}_=UZ`G-_?<Cjt5KNBU44
z`FawQk~&B6w)uOIx~R2dV%O(Y+qU|g5<IZ$J;&F<xi4Ty$x3X9t*x}54e1w(+iJX9
zbgyJmINgn|E>J&<j02YOS+CZnLO0G!;v(QD?IPuhM%9*b>vm-0mvjjrzdg9C8_Y=}
z$kI{pmh{4b>;b{`_@1Z&eraz<vph<?2FRZwa${F?^2@g97Gk^LXGW<Oq;v2=*X+V-
z79AYVqV)m!hRtvo>iZBcXQD(Bn3qIXY($#r_#&DCl~()xg4h<Yeql1dp*Si2n=O%v
z<R_8nb}d;iT~Vn6&&fl-Mo}N*<!7M&i0=!mbJ}lciUoR$Z<q-T2j`J6dWVC1o!Zfa
z!VC2&KtA`)FJmPRc0yI1k{%NcanWj0Zi18VK37bCx)Sz@c{G5$(VhF-m$Gz^2;<lH
zEzZIrK4mOCvD+KMrf2=Qd-~{L^&9fQg*#V_a0PT;SatAp3^#~z{FnVe)dr=}@$=r=
z#Vt^OtGdsjRm1WlY10q6DEyF}ogv)mDm`(Sj-Em~QJyrg^JOJUdpy2lyNnrkH7~)m
zO}B_#3c_3WwEOf>lgJg+p#s$3lnq~%e4h=gYHlu7wEd87qZ(^6@EpoRs6Zkl5jF4q
F{{XMjn*RU*

literal 0
HcmV?d00001

diff --git a/debian/rules b/debian/rules
index 316a7b7727..0f217730ea 100755
--- a/debian/rules
+++ b/debian/rules
@@ -167,7 +167,8 @@ endif
 
 # Usage: $(call enroll_vendor,<var-template>,<output-file>,<uefi-arch>)
 enroll_vendor   = virt-fw-vars --input $(1) --output $(2) \
-                    --enroll-cert debian/PkKek-1-vendor.pem
+                    --enroll-cert debian/PkKek-1-vendor.pem \
+                    --set-dbx ./debian/DBXUpdate-*.$(3).bin
 # Usage: $(call enroll_snakeoil,<var-template>,<output-file>)
 enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) \
                     --set-pk OvmfEnrollDefaultKeys \
@@ -262,4 +263,18 @@ get-orig-source:
 		edk2-$(DEB_VERSION_UPSTREAM)
 	rm -rf edk2.tmp edk2-$(DEB_VERSION_UPSTREAM)
 
-.PHONY: build-ovmf build-ovmf32 build-ovmf-cvm build-qemu-efi build-qemu-efi-aarch64 build-qemu-efi-riscv64
+update-dbx:
+	rm -rf debian/DBXUpdate-*.bin
+	set -ex; \
+	tmpdir="$$(mktemp -d)"; \
+	git clone https://github.com/microsoft/secureboot_objects $$tmpdir; \
+	for arch in amd64 arm64; do \
+	  bin=PostSignedObjects/DBX/$$arch/DBXUpdate.bin; \
+	  date=$$(cd $$tmpdir && git log -1 --pretty=format:"%cs" $$bin); \
+	  cp $$tmpdir/$$bin debian/DBXUpdate-$${date}.$${arch}.bin; \
+	done; \
+	rm -rf "$$tmpdir"
+	sed -i -e '/DBXUpdate-/d' debian/source/include-binaries
+	ls debian/DBXUpdate-*.bin >> debian/source/include-binaries
+
+.PHONY: build-ovmf build-ovmf32 build-ovmf-cvm build-qemu-efi build-qemu-efi-aarch64 build-qemu-efi-riscv64 update-dbx
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
index 2d863865bd..862b8adda0 100644
--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -3,3 +3,5 @@ debian/legacy-2M-builds/OVMF_VARS.ms.fd
 debian/legacy-2M-builds/OVMF_VARS.fd
 debian/legacy-2M-builds/OVMF_CODE.secboot.fd
 debian/legacy-2M-builds/OVMF_CODE.fd
+debian/DBXUpdate-2025-02-24.arm64.bin
+debian/DBXUpdate-2025-10-16.amd64.bin
-- 
2.47.3

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH edk2-firmware 6/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys

[Fiona Ebner]

This fixes the issue with the Microsoft UEFI CA 2011 expiring in June
2026 for new EFI disks. What still needs to be done is giving users a
way for (or automatically) enrolling the new keys to existing EFI
disks.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 ...nrollDefaultKeys-with-Microsoft-2023.patch | 613 ++++++++++++++++++
 debian/patches/series                         |   1 +
 2 files changed, 614 insertions(+)
 create mode 100644 debian/patches/OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch

diff --git a/debian/patches/OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch b/debian/patches/OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch
new file mode 100644
index 0000000000..2d0fcd2bcc
--- /dev/null
+++ b/debian/patches/OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch
@@ -0,0 +1,613 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alex Haydock <alex@alexhaydock.co.uk>
+Date: Thu, 30 Oct 2025 14:25:57 +0000
+Subject: [PATCH] OvmfPkg: Expand EnrollDefaultKeys with Microsoft 2023 keys
+
+Expand EnrollDefaultKeys by adding the 2023 Microsoft Secure Boot
+keys to the existing keys already being enrolled.
+
+Signed-off-by: Alex Haydock <alex@alexhaydock.co.uk>
+(cherry picked from commit 05429cbe91118e9123d9556652635d47ebec7d08)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ OvmfPkg/EnrollDefaultKeys/AuthData.c          | 519 ++++++++++++++++++
+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c |  12 +
+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h |  12 +
+ 3 files changed, 543 insertions(+)
+
+diff --git a/OvmfPkg/EnrollDefaultKeys/AuthData.c b/OvmfPkg/EnrollDefaultKeys/AuthData.c
+index 53ee7f7003..8a215bc29c 100644
+--- a/OvmfPkg/EnrollDefaultKeys/AuthData.c
++++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c
+@@ -136,6 +136,136 @@ CONST UINT8  mMicrosoftKek[] = {
+ 
+ CONST UINTN  mSizeOfMicrosoftKek = sizeof mMicrosoftKek;
+ 
++//
++// Third KEK: "Microsoft Corporation KEK 2K CA 2023".
++//
++CONST UINT8  mMicrosoftKek2023[] = {
++  0x30, 0x82, 0x05, 0xb2, 0x30, 0x82, 0x03, 0x9a, 0xa0, 0x03, 0x02, 0x01,
++  0x02, 0x02, 0x13, 0x33, 0x00, 0x00, 0x00, 0x13, 0x14, 0x16, 0xb8, 0x61,
++  0x6d, 0x82, 0x82, 0x4b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x30, 0x0d,
++  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++  0x00, 0x30, 0x5a, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
++  0x13, 0x02, 0x55, 0x53, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04,
++  0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
++  0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d,
++  0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x53, 0x41,
++  0x20, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x20, 0x52, 0x6f, 0x6f,
++  0x74, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x32, 0x31, 0x30, 0x1e, 0x17,
++  0x0d, 0x32, 0x33, 0x30, 0x33, 0x30, 0x32, 0x32, 0x30, 0x32, 0x31, 0x33,
++  0x35, 0x5a, 0x17, 0x0d, 0x33, 0x38, 0x30, 0x33, 0x30, 0x32, 0x32, 0x30,
++  0x33, 0x31, 0x33, 0x35, 0x5a, 0x30, 0x5c, 0x31, 0x0b, 0x30, 0x09, 0x06,
++  0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1e, 0x30, 0x1c,
++  0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61,
++  0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2d, 0x30, 0x2b, 0x06, 0x03, 0x55, 0x04,
++  0x03, 0x13, 0x24, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
++  0x20, 0x4b, 0x45, 0x4b, 0x20, 0x32, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32,
++  0x30, 0x32, 0x33, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
++  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82,
++  0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
++  0xe3, 0x5e, 0x88, 0x8b, 0x73, 0x2c, 0xc3, 0x0a, 0xc4, 0xe9, 0xf5, 0xce,
++  0x81, 0x2d, 0xf1, 0x0f, 0xf1, 0x26, 0x35, 0x37, 0xd1, 0x49, 0x53, 0x71,
++  0xb1, 0x5b, 0x93, 0x52, 0xaf, 0xe1, 0x15, 0xdf, 0xde, 0x8b, 0x39, 0xbd,
++  0xaf, 0x4c, 0x65, 0x75, 0x53, 0xe5, 0xda, 0x0a, 0x32, 0x98, 0x2f, 0x33,
++  0x26, 0xb6, 0x2b, 0xbe, 0x94, 0x99, 0x9f, 0xec, 0xda, 0xc2, 0x8e, 0x05,
++  0x34, 0x92, 0x13, 0x0f, 0x63, 0xbf, 0x74, 0xa2, 0x72, 0xa8, 0x29, 0x7e,
++  0x9f, 0x32, 0x21, 0x29, 0x08, 0x59, 0xc4, 0x77, 0xc4, 0x2a, 0x92, 0x4c,
++  0x87, 0xb6, 0x03, 0x37, 0xeb, 0x9a, 0xe2, 0xc3, 0xc9, 0xb4, 0x48, 0x21,
++  0xc3, 0x61, 0x94, 0xea, 0x17, 0x51, 0xb1, 0xe7, 0x14, 0xe2, 0x24, 0x63,
++  0x2e, 0xd5, 0xf2, 0xc6, 0xa5, 0xf2, 0xa2, 0x5e, 0x1f, 0x69, 0xc6, 0x51,
++  0x0d, 0xa7, 0x29, 0xfb, 0x52, 0x0a, 0x9b, 0xe3, 0x88, 0xe8, 0x68, 0xff,
++  0xbb, 0xfa, 0x92, 0x69, 0xaf, 0xc4, 0x16, 0xff, 0x5d, 0xe5, 0x5f, 0xe0,
++  0xdf, 0xec, 0x66, 0x55, 0x0b, 0x61, 0xc2, 0xac, 0x3b, 0x20, 0x6e, 0xdf,
++  0xb4, 0x0d, 0xeb, 0x2b, 0xc8, 0xd0, 0xc2, 0x34, 0x4e, 0x82, 0x96, 0x39,
++  0xee, 0xf1, 0x31, 0x85, 0x04, 0x3d, 0xef, 0xd6, 0x76, 0xfb, 0xc3, 0xca,
++  0xc1, 0xd5, 0x8c, 0x2f, 0x0b, 0x10, 0x28, 0x9b, 0x48, 0x9a, 0xb0, 0x10,
++  0x14, 0xa4, 0xd9, 0x94, 0xe5, 0x68, 0x5b, 0xcd, 0x6e, 0xe7, 0x7a, 0xec,
++  0xbc, 0xa0, 0x49, 0xb8, 0xa9, 0x53, 0xd8, 0x4d, 0x2f, 0xb2, 0x7b, 0xc8,
++  0xda, 0xbc, 0xb2, 0xe7, 0xfc, 0xab, 0x70, 0x10, 0x77, 0x95, 0x45, 0x49,
++  0xfd, 0xad, 0xd2, 0x3f, 0x17, 0xcb, 0x66, 0x9a, 0xf2, 0x7d, 0x36, 0xdd,
++  0x0a, 0x2c, 0xe2, 0xc0, 0x87, 0x21, 0x2d, 0x93, 0xdb, 0x08, 0x96, 0xd2,
++  0xe8, 0x5c, 0x54, 0xe1, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
++  0x6d, 0x30, 0x82, 0x01, 0x69, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f,
++  0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x10, 0x06,
++  0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
++  0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16,
++  0x04, 0x14, 0xe0, 0xab, 0x72, 0xbc, 0x96, 0x3e, 0xff, 0xb8, 0x66, 0x9b,
++  0x7d, 0x10, 0x5a, 0x43, 0x3e, 0x5c, 0x42, 0x54, 0x87, 0x5f, 0x30, 0x19,
++  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04,
++  0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
++  0x41, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
++  0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d,
++  0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x84, 0x44, 0x86, 0x06, 0x00,
++  0x98, 0x3f, 0x2c, 0xaa, 0xb3, 0xc5, 0x89, 0xf3, 0xac, 0x2e, 0xc9, 0xe6,
++  0x9d, 0x09, 0x03, 0x30, 0x65, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x5e,
++  0x30, 0x5c, 0x30, 0x5a, 0xa0, 0x58, 0xa0, 0x56, 0x86, 0x54, 0x68, 0x74,
++  0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63,
++  0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
++  0x6b, 0x69, 0x6f, 0x70, 0x73, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x4d, 0x69,
++  0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x25, 0x32, 0x30, 0x52, 0x53,
++  0x41, 0x25, 0x32, 0x30, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x25,
++  0x32, 0x30, 0x52, 0x6f, 0x6f, 0x74, 0x25, 0x32, 0x30, 0x43, 0x41, 0x25,
++  0x32, 0x30, 0x32, 0x30, 0x32, 0x31, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x72,
++  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x66,
++  0x30, 0x64, 0x30, 0x62, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
++  0x30, 0x02, 0x86, 0x56, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77,
++  0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x6f, 0x70, 0x73, 0x2f,
++  0x63, 0x65, 0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73,
++  0x6f, 0x66, 0x74, 0x25, 0x32, 0x30, 0x52, 0x53, 0x41, 0x25, 0x32, 0x30,
++  0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x25, 0x32, 0x30, 0x52, 0x6f,
++  0x6f, 0x74, 0x25, 0x32, 0x30, 0x43, 0x41, 0x25, 0x32, 0x30, 0x32, 0x30,
++  0x32, 0x31, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
++  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02,
++  0x01, 0x00, 0x85, 0x02, 0x06, 0x12, 0xfa, 0x67, 0xae, 0x4f, 0x39, 0xa9,
++  0xb8, 0x34, 0xdc, 0x5d, 0x2a, 0x78, 0x19, 0x7b, 0x38, 0xee, 0x9c, 0x82,
++  0x8f, 0x1b, 0xe2, 0x3c, 0x3d, 0x32, 0x0a, 0x5e, 0xbf, 0x58, 0x06, 0xe7,
++  0x6f, 0xf8, 0x8d, 0x18, 0xa8, 0x1b, 0x84, 0xf5, 0x9b, 0xca, 0xad, 0x8b,
++  0x08, 0x44, 0x0e, 0x26, 0x8d, 0x2c, 0xd8, 0x5f, 0x6e, 0x23, 0x25, 0x07,
++  0xfa, 0x5b, 0x4c, 0x26, 0x2e, 0x76, 0x31, 0x43, 0x2e, 0x6e, 0xe8, 0xc8,
++  0x31, 0xc1, 0x4a, 0xd2, 0xf2, 0x02, 0xb7, 0xa6, 0xf1, 0x75, 0xe4, 0x96,
++  0xed, 0x06, 0xe2, 0xca, 0x95, 0x78, 0x44, 0xa8, 0x33, 0x76, 0xd4, 0x2b,
++  0x4d, 0xd7, 0xbc, 0xdc, 0x87, 0x3b, 0xab, 0x4d, 0x29, 0xad, 0x96, 0x89,
++  0xb7, 0xd5, 0xc2, 0x8f, 0xab, 0x46, 0xc3, 0x5d, 0xb3, 0xfd, 0xed, 0xa5,
++  0x9e, 0xf5, 0x76, 0xb7, 0x2b, 0x85, 0xff, 0x98, 0xa1, 0x9f, 0x6b, 0x1c,
++  0x9b, 0x3e, 0xf7, 0xee, 0x0e, 0x17, 0xa3, 0xfd, 0x36, 0x2f, 0xe1, 0xcd,
++  0x28, 0x98, 0x1c, 0x40, 0x99, 0x26, 0xca, 0x03, 0x8d, 0xa6, 0x35, 0xea,
++  0xd2, 0x0a, 0xa7, 0x8b, 0x16, 0xae, 0x21, 0x01, 0x00, 0x1e, 0x27, 0x0f,
++  0xb7, 0x0e, 0xb2, 0x42, 0x31, 0x56, 0x2e, 0xe6, 0xf8, 0x8e, 0xea, 0x0c,
++  0x34, 0xf0, 0x4e, 0xdf, 0x70, 0x30, 0x69, 0x04, 0xd1, 0xcf, 0xd3, 0x9c,
++  0x64, 0x46, 0x6f, 0xcc, 0x21, 0xcd, 0xcb, 0xef, 0x05, 0x32, 0xbb, 0x08,
++  0xa6, 0xd8, 0x9f, 0x45, 0x38, 0x5d, 0x4e, 0xd2, 0x9c, 0x92, 0x89, 0xe9,
++  0x73, 0xe4, 0x7a, 0x08, 0x35, 0x1e, 0x4f, 0xa6, 0xc2, 0xba, 0x6b, 0x3e,
++  0xb7, 0x1f, 0x54, 0x34, 0x49, 0xfa, 0xb4, 0x7a, 0xcb, 0xda, 0xa0, 0x1f,
++  0x59, 0x81, 0x2b, 0x2a, 0xf6, 0x88, 0x26, 0xb0, 0xfa, 0x6c, 0xf2, 0xeb,
++  0xc1, 0xd8, 0xae, 0x41, 0xe1, 0x6f, 0xfc, 0xbf, 0x13, 0xe8, 0x6e, 0x14,
++  0xe7, 0xe7, 0xc7, 0x03, 0x8b, 0x40, 0x99, 0x10, 0x38, 0x06, 0x6d, 0x70,
++  0xbd, 0x01, 0xc8, 0xde, 0x8d, 0x56, 0x1d, 0x38, 0x0f, 0x4f, 0x23, 0xa8,
++  0x25, 0x40, 0xde, 0xbb, 0x28, 0x2d, 0x43, 0xaf, 0xa4, 0xbc, 0x20, 0x83,
++  0xb5, 0x06, 0xf9, 0x05, 0x21, 0x9f, 0x3b, 0xb9, 0x79, 0x0d, 0x70, 0x6b,
++  0x53, 0xc0, 0x75, 0xc2, 0x1b, 0x10, 0x13, 0xb3, 0xe4, 0x6f, 0x09, 0xa8,
++  0xcf, 0xd1, 0xb7, 0x0e, 0x71, 0x5c, 0xb7, 0xc9, 0x8f, 0xe5, 0x1c, 0xf0,
++  0x13, 0x55, 0xd9, 0x93, 0xb9, 0xae, 0x5d, 0x3f, 0xca, 0x0b, 0xb0, 0x59,
++  0x6a, 0x45, 0x4a, 0xc3, 0xe1, 0xe3, 0x27, 0x78, 0x0d, 0x16, 0x81, 0xfc,
++  0x58, 0x2d, 0xb1, 0x41, 0xba, 0x18, 0x0d, 0xcf, 0xf0, 0xef, 0xab, 0x08,
++  0x1e, 0x4f, 0xf8, 0xfc, 0xc6, 0xfd, 0x4b, 0xdd, 0x1d, 0xef, 0x30, 0x25,
++  0x50, 0x39, 0xa3, 0xdf, 0xfe, 0x3f, 0xb9, 0xfa, 0xeb, 0x96, 0x97, 0xd0,
++  0xcd, 0xf9, 0x04, 0x26, 0xfb, 0x0d, 0x48, 0x19, 0x08, 0xd8, 0xe1, 0x93,
++  0xc1, 0x50, 0xc7, 0x6e, 0x6d, 0xd8, 0xd0, 0x6b, 0x8e, 0x95, 0x72, 0x64,
++  0x50, 0xc9, 0xed, 0x55, 0x89, 0x6e, 0xc1, 0x4b, 0xa2, 0x06, 0xd4, 0x32,
++  0xb5, 0xa9, 0x6d, 0x65, 0x01, 0x7a, 0xf1, 0x52, 0x57, 0x18, 0x05, 0x30,
++  0x5c, 0xb8, 0x28, 0x66, 0x11, 0xb7, 0x7a, 0xf0, 0x71, 0x4e, 0x86, 0x61,
++  0x60, 0x7a, 0x6d, 0x56, 0xc7, 0x5b, 0x09, 0x3e, 0xa2, 0xef, 0xd4, 0x0e,
++  0x9e, 0x92, 0xd3, 0x1f, 0x99, 0xf6, 0x9d, 0xb1, 0x1d, 0x78, 0x78, 0x6b,
++  0xff, 0xe8, 0x2a, 0x04, 0xaf, 0x78, 0x67, 0x3e, 0xf0, 0x2a, 0x0b, 0xa7,
++  0xe0, 0x5d, 0x01, 0xe9, 0x87, 0x99, 0x35, 0x30, 0x90, 0xed, 0xd7, 0x45,
++  0x6b, 0x9c, 0xcc, 0xe6, 0xa2, 0xe4, 0xe6, 0x17, 0xa7, 0xdd
++};
++
++CONST UINTN  mSizeOfMicrosoftKek2023 = sizeof mMicrosoftKek2023;
++
+ //
+ // First DB entry: "Microsoft Windows Production PCA 2011"
+ // SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
+@@ -395,6 +525,395 @@ CONST UINT8  mMicrosoftUefiCa[] = {
+ 
+ CONST UINTN  mSizeOfMicrosoftUefiCa = sizeof mMicrosoftUefiCa;
+ 
++//
++// Third DB entry: "Microsoft UEFI CA 2023"
++//
++CONST UINT8  mMicrosoftUefiCa2023[] = {
++  0x30, 0x82, 0x05, 0xa4, 0x30, 0x82, 0x03, 0x8c, 0xa0, 0x03, 0x02, 0x01,
++  0x02, 0x02, 0x13, 0x33, 0x00, 0x00, 0x00, 0x16, 0x36, 0xbf, 0x36, 0x89,
++  0x9f, 0x15, 0x75, 0xcc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x30, 0x0d,
++  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++  0x00, 0x30, 0x5a, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
++  0x13, 0x02, 0x55, 0x53, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04,
++  0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
++  0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d,
++  0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x53, 0x41,
++  0x20, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x20, 0x52, 0x6f, 0x6f,
++  0x74, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x32, 0x31, 0x30, 0x1e, 0x17,
++  0x0d, 0x32, 0x33, 0x30, 0x36, 0x31, 0x33, 0x31, 0x39, 0x32, 0x31, 0x34,
++  0x37, 0x5a, 0x17, 0x0d, 0x33, 0x38, 0x30, 0x36, 0x31, 0x33, 0x31, 0x39,
++  0x33, 0x31, 0x34, 0x37, 0x5a, 0x30, 0x4e, 0x31, 0x0b, 0x30, 0x09, 0x06,
++  0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1e, 0x30, 0x1c,
++  0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61,
++  0x74, 0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04,
++  0x03, 0x13, 0x16, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x32,
++  0x33, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
++  0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
++  0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbd, 0x22,
++  0x2a, 0xae, 0xef, 0x1a, 0x31, 0x85, 0x13, 0x78, 0x51, 0xa7, 0x9b, 0xfd,
++  0xfc, 0x78, 0xd1, 0x63, 0xb8, 0x1a, 0x9b, 0x63, 0xf5, 0x12, 0x06, 0xdb,
++  0x4b, 0x41, 0x35, 0x6a, 0x6f, 0xab, 0xf5, 0x6a, 0x04, 0xcc, 0x97, 0xcf,
++  0xbb, 0xd4, 0x08, 0x09, 0x1a, 0x61, 0x3a, 0x0d, 0xe6, 0xb3, 0xa0, 0x46,
++  0xff, 0x09, 0xad, 0xde, 0x80, 0x24, 0xdc, 0x12, 0x80, 0xf2, 0x5f, 0xd9,
++  0x16, 0xed, 0xe2, 0x42, 0x9d, 0xcd, 0x2f, 0x4d, 0x61, 0x02, 0x61, 0x8a,
++  0x1c, 0x4b, 0x1d, 0x18, 0x62, 0x39, 0x86, 0x97, 0x71, 0xad, 0x3e, 0x7f,
++  0x5d, 0x71, 0x13, 0x4b, 0xe9, 0x2a, 0x00, 0xc1, 0xbe, 0xd5, 0xb7, 0x00,
++  0x9f, 0x5e, 0x65, 0xb2, 0x2c, 0x1a, 0xff, 0x74, 0xed, 0xea, 0x83, 0xd2,
++  0x39, 0x89, 0x33, 0x35, 0x73, 0x7d, 0xa0, 0xa2, 0xfa, 0x40, 0xe4, 0x66,
++  0x50, 0x58, 0xaa, 0xfc, 0x87, 0xe8, 0x5c, 0x20, 0x83, 0x34, 0xec, 0xab,
++  0xe2, 0x0b, 0xc5, 0x5f, 0x3e, 0xff, 0x48, 0x2b, 0x11, 0x91, 0x26, 0xef,
++  0x18, 0x6e, 0x57, 0xc5, 0x9f, 0x18, 0x73, 0x99, 0xef, 0xe1, 0x6a, 0x74,
++  0x2b, 0xbb, 0x2f, 0x7f, 0x50, 0x8e, 0x1d, 0xda, 0x3d, 0x76, 0xb6, 0x04,
++  0xe5, 0xcc, 0x2e, 0x10, 0xc7, 0x83, 0x1b, 0x83, 0xa3, 0xe4, 0xa5, 0x13,
++  0x13, 0x71, 0x6e, 0x33, 0x78, 0xa3, 0xa8, 0x3c, 0xec, 0x48, 0x26, 0x5e,
++  0xc7, 0xc6, 0x5e, 0x0d, 0x87, 0x9a, 0xaa, 0xcc, 0x55, 0x34, 0x81, 0xad,
++  0x9d, 0x90, 0xf5, 0xe6, 0x96, 0x63, 0xa6, 0xe8, 0x07, 0x20, 0x17, 0xc8,
++  0x93, 0x1e, 0xd2, 0xae, 0xa4, 0xdc, 0xae, 0x7d, 0x59, 0xbf, 0x88, 0x5e,
++  0x62, 0x0c, 0xae, 0x5b, 0xf2, 0x29, 0x40, 0x56, 0x1d, 0x26, 0x40, 0xde,
++  0x85, 0xa6, 0xad, 0x56, 0xd1, 0xcf, 0x55, 0x47, 0x76, 0x5f, 0x9c, 0x39,
++  0xdb, 0x03, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x6d, 0x30,
++  0x82, 0x01, 0x69, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01,
++  0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x10, 0x06, 0x09, 0x2b,
++  0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01,
++  0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14,
++  0x81, 0xaa, 0x6b, 0x32, 0x44, 0xc9, 0x35, 0xbc, 0xe0, 0xd6, 0x62, 0x8a,
++  0xf3, 0x98, 0x27, 0x42, 0x1e, 0x32, 0x49, 0x7d, 0x30, 0x19, 0x06, 0x09,
++  0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e,
++  0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30,
++  0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30,
++  0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
++  0x18, 0x30, 0x16, 0x80, 0x14, 0x84, 0x44, 0x86, 0x06, 0x00, 0x98, 0x3f,
++  0x2c, 0xaa, 0xb3, 0xc5, 0x89, 0xf3, 0xac, 0x2e, 0xc9, 0xe6, 0x9d, 0x09,
++  0x03, 0x30, 0x65, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x5e, 0x30, 0x5c,
++  0x30, 0x5a, 0xa0, 0x58, 0xa0, 0x56, 0x86, 0x54, 0x68, 0x74, 0x74, 0x70,
++  0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f,
++  0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69,
++  0x6f, 0x70, 0x73, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x4d, 0x69, 0x63, 0x72,
++  0x6f, 0x73, 0x6f, 0x66, 0x74, 0x25, 0x32, 0x30, 0x52, 0x53, 0x41, 0x25,
++  0x32, 0x30, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x25, 0x32, 0x30,
++  0x52, 0x6f, 0x6f, 0x74, 0x25, 0x32, 0x30, 0x43, 0x41, 0x25, 0x32, 0x30,
++  0x32, 0x30, 0x32, 0x31, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x72, 0x06, 0x08,
++  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x66, 0x30, 0x64,
++  0x30, 0x62, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02,
++  0x86, 0x56, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77,
++  0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63,
++  0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x6f, 0x70, 0x73, 0x2f, 0x63, 0x65,
++  0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
++  0x74, 0x25, 0x32, 0x30, 0x52, 0x53, 0x41, 0x25, 0x32, 0x30, 0x44, 0x65,
++  0x76, 0x69, 0x63, 0x65, 0x73, 0x25, 0x32, 0x30, 0x52, 0x6f, 0x6f, 0x74,
++  0x25, 0x32, 0x30, 0x43, 0x41, 0x25, 0x32, 0x30, 0x32, 0x30, 0x32, 0x31,
++  0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
++  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00,
++  0x07, 0x60, 0x13, 0x2a, 0x53, 0x87, 0x12, 0x0f, 0x1a, 0xf3, 0x5a, 0x14,
++  0x95, 0x17, 0xe5, 0xd8, 0xd7, 0x95, 0x54, 0x9b, 0x8b, 0x0e, 0xdd, 0x91,
++  0xa5, 0xed, 0xc7, 0x5d, 0x47, 0x50, 0x93, 0x45, 0xb7, 0x95, 0x88, 0x5f,
++  0x17, 0x19, 0x41, 0x63, 0x76, 0xb5, 0x82, 0xb0, 0xa8, 0xc5, 0x9d, 0x99,
++  0x15, 0x36, 0x89, 0x49, 0xbe, 0x12, 0xc2, 0x66, 0xfb, 0x83, 0x0c, 0xb0,
++  0x81, 0xce, 0xe5, 0xa4, 0xab, 0xc2, 0xa0, 0x9a, 0xeb, 0xf5, 0x07, 0x3c,
++  0xfe, 0x21, 0xf8, 0x9a, 0xdc, 0x19, 0x21, 0x0c, 0x9e, 0x24, 0x2c, 0xd1,
++  0x5c, 0xa2, 0x16, 0x0a, 0x4b, 0xeb, 0xec, 0x48, 0x9c, 0xb1, 0x5b, 0x74,
++  0xdb, 0x01, 0x64, 0xc2, 0xe3, 0x80, 0x6a, 0xab, 0x1a, 0xcd, 0x77, 0x1b,
++  0x6a, 0x39, 0x9a, 0xb7, 0xba, 0x70, 0x44, 0xff, 0x67, 0x94, 0xc5, 0x81,
++  0x06, 0xf0, 0xcb, 0x81, 0x04, 0x93, 0x27, 0x21, 0x99, 0xbd, 0x87, 0x88,
++  0x14, 0x9c, 0x22, 0x71, 0x0e, 0x0b, 0x2f, 0x5c, 0xbe, 0xb8, 0x90, 0x54,
++  0x7c, 0xc0, 0x1e, 0xbc, 0x2b, 0x9b, 0xa3, 0x56, 0x17, 0x4b, 0x97, 0xe7,
++  0xe3, 0x7f, 0x13, 0x34, 0xfa, 0xb0, 0x34, 0x6b, 0x9b, 0xf6, 0xb2, 0x2d,
++  0xf7, 0xd8, 0x7b, 0xd8, 0x20, 0xd3, 0x5c, 0xa7, 0x95, 0x4c, 0x4f, 0x2a,
++  0xf9, 0xe7, 0x1e, 0x68, 0xaf, 0xfc, 0x6c, 0x8f, 0xc8, 0x86, 0x3d, 0x9f,
++  0xc8, 0xd1, 0xef, 0x4d, 0x1a, 0xc8, 0xd1, 0xf6, 0xfd, 0x2d, 0x7c, 0xe3,
++  0xe8, 0x41, 0xc1, 0xea, 0x27, 0xc1, 0xfb, 0x8e, 0x25, 0x86, 0x5a, 0x89,
++  0xa6, 0x10, 0xbe, 0xce, 0xe3, 0x8f, 0xa5, 0x7b, 0xc4, 0x1a, 0xa0, 0xe8,
++  0x75, 0x90, 0xfd, 0x21, 0xb0, 0xc1, 0xa3, 0xc5, 0x16, 0x23, 0x5e, 0x3c,
++  0xce, 0x2f, 0xfe, 0x8c, 0x98, 0xbf, 0x08, 0x5c, 0xf6, 0xb9, 0xc5, 0xb2,
++  0x3c, 0xb6, 0xcc, 0xc8, 0xec, 0x7f, 0xd2, 0x77, 0x74, 0xcb, 0xed, 0xf3,
++  0x96, 0xc9, 0x8b, 0x8d, 0x1c, 0x2a, 0x89, 0x0f, 0xa3, 0x8f, 0xbd, 0xce,
++  0x2a, 0x85, 0x46, 0x9a, 0x23, 0xa2, 0x8f, 0x42, 0xc0, 0x99, 0xd6, 0xea,
++  0x85, 0x1f, 0x61, 0x19, 0xbe, 0x16, 0x35, 0xb7, 0x75, 0xa0, 0x95, 0x80,
++  0x65, 0x06, 0x87, 0xd4, 0x0b, 0x35, 0xc8, 0xc4, 0xaa, 0x0e, 0xce, 0xa2,
++  0x0a, 0x63, 0x60, 0xca, 0x4b, 0x2b, 0x5c, 0x27, 0x04, 0x82, 0xaf, 0x3e,
++  0x58, 0x83, 0x7a, 0x5a, 0xd8, 0x67, 0x3f, 0x10, 0x53, 0xf5, 0x0c, 0x16,
++  0xf7, 0x26, 0x4b, 0x8a, 0x80, 0xb9, 0xc5, 0x1f, 0xa0, 0xde, 0xd8, 0xd3,
++  0x61, 0x44, 0x14, 0x45, 0xa7, 0xf5, 0xab, 0x9a, 0x88, 0x17, 0xfd, 0xb7,
++  0x94, 0x54, 0x02, 0x8b, 0xe4, 0xb7, 0x53, 0xa1, 0x3e, 0x8d, 0x9e, 0x50,
++  0x82, 0xa8, 0x00, 0xe0, 0x78, 0x94, 0x1b, 0xbe, 0xb3, 0xc4, 0x30, 0x1f,
++  0xb2, 0x0e, 0xdb, 0xf0, 0x46, 0x90, 0xc1, 0xe6, 0x57, 0xfe, 0x7c, 0xc1,
++  0x70, 0xb2, 0x1c, 0x4b, 0x64, 0xd9, 0x10, 0x03, 0x1b, 0x34, 0xfb, 0x66,
++  0xcf, 0x82, 0x6e, 0x9e, 0x40, 0xa8, 0x11, 0x37, 0xf2, 0x65, 0x8b, 0x21,
++  0x09, 0xaf, 0x3c, 0x93, 0x62, 0x3d, 0xf3, 0xbc, 0x83, 0xdd, 0x3f, 0x55,
++  0x90, 0x15, 0xd2, 0x31, 0xaf, 0x11, 0xe7, 0xf8, 0xca, 0xa0, 0x82, 0xe1,
++  0xb9, 0xcf, 0xb3, 0x57, 0x93, 0xc7, 0x55, 0x37, 0xac, 0x7f, 0x41, 0xbf,
++  0x1f, 0x96, 0x3c, 0xf3, 0x26, 0x94, 0xf9, 0xd8, 0xd2, 0x55, 0x24, 0x8a,
++  0x8a, 0xb6, 0x41, 0xf0, 0xe0, 0x16, 0xc0, 0x23, 0x92, 0x8c, 0x71, 0x0a,
++  0x4c, 0x6a, 0x0d, 0x19, 0x55, 0xf7, 0x3a, 0x9c, 0x92, 0x21, 0x96, 0xa1,
++  0xd5, 0xf8, 0x0a, 0x8c, 0x9d, 0xbf, 0xc9, 0xeb, 0xca, 0x88, 0x42, 0xfc,
++  0x4b, 0xb4, 0xef, 0xff, 0x27, 0x30, 0x21, 0x61
++};
++
++CONST UINTN  mSizeOfMicrosoftUefiCa2023 = sizeof mMicrosoftUefiCa2023;
++
++//
++// Fourth DB entry: "Microsoft Option ROM UEFI CA 2023"
++//
++CONST UINT8  mMicrosoftUefiOpRom2023[] = {
++  0x30, 0x82, 0x05, 0xaf, 0x30, 0x82, 0x03, 0x97, 0xa0, 0x03, 0x02, 0x01,
++  0x02, 0x02, 0x13, 0x33, 0x00, 0x00, 0x00, 0x17, 0xb3, 0xec, 0x4d, 0x8f,
++  0x01, 0xe2, 0x70, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x30, 0x0d,
++  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++  0x00, 0x30, 0x5a, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
++  0x13, 0x02, 0x55, 0x53, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04,
++  0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
++  0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d,
++  0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x53, 0x41,
++  0x20, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x20, 0x52, 0x6f, 0x6f,
++  0x74, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x32, 0x31, 0x30, 0x1e, 0x17,
++  0x0d, 0x32, 0x33, 0x31, 0x30, 0x32, 0x36, 0x31, 0x39, 0x30, 0x32, 0x32,
++  0x30, 0x5a, 0x17, 0x0d, 0x33, 0x38, 0x31, 0x30, 0x32, 0x36, 0x31, 0x39,
++  0x31, 0x32, 0x32, 0x30, 0x5a, 0x30, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06,
++  0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1e, 0x30, 0x1c,
++  0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61,
++  0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06, 0x03, 0x55, 0x04,
++  0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x20, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x52, 0x4f, 0x4d, 0x20,
++  0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x32, 0x33,
++  0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
++  0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00,
++  0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd3, 0x0b, 0xfe,
++  0x89, 0xcd, 0xcd, 0xb6, 0xee, 0xdc, 0xe5, 0x1a, 0x8d, 0xdc, 0xca, 0x21,
++  0x1a, 0x0f, 0x22, 0x2f, 0x0b, 0xb5, 0x32, 0x84, 0x35, 0xc0, 0xbe, 0x6f,
++  0x70, 0x93, 0x55, 0xb4, 0x47, 0xcc, 0x49, 0x03, 0xc2, 0xfe, 0xcf, 0xba,
++  0x32, 0x65, 0x64, 0xb7, 0x35, 0xbd, 0x04, 0x3b, 0x44, 0x64, 0x2f, 0xa0,
++  0xf2, 0xdd, 0xe1, 0x5d, 0xba, 0xe7, 0xbd, 0x39, 0x9a, 0xbd, 0xcb, 0x4b,
++  0xe1, 0x83, 0xaa, 0x1b, 0xe8, 0x6f, 0x4e, 0x4c, 0x91, 0x52, 0x43, 0xa5,
++  0xc4, 0x50, 0x55, 0x68, 0xf5, 0xda, 0xac, 0x48, 0xa2, 0x9c, 0xec, 0x35,
++  0xa7, 0x04, 0x56, 0x68, 0x19, 0xe2, 0xb1, 0x62, 0xd4, 0x92, 0xf4, 0x85,
++  0x3f, 0x34, 0xa1, 0x15, 0x67, 0x87, 0x21, 0x6e, 0x1f, 0xc9, 0xd8, 0x35,
++  0x32, 0xb8, 0x3d, 0xcb, 0x58, 0xca, 0x29, 0x43, 0x54, 0x4a, 0x7e, 0x8b,
++  0x55, 0x7b, 0x23, 0x7a, 0x3a, 0xb6, 0x9d, 0x43, 0x07, 0x04, 0x6b, 0x9a,
++  0x6b, 0xf4, 0xf0, 0x20, 0xff, 0xfa, 0xa6, 0xdf, 0xa2, 0x9e, 0x49, 0xe8,
++  0x55, 0xc5, 0x75, 0x88, 0x44, 0xac, 0xa4, 0x41, 0x3a, 0x03, 0x7c, 0xbb,
++  0xe9, 0x93, 0xe4, 0x6c, 0xf1, 0xed, 0x79, 0x26, 0xc7, 0x8b, 0x32, 0xf7,
++  0x59, 0x49, 0x25, 0x31, 0x00, 0x67, 0x18, 0x0c, 0x67, 0xfb, 0x40, 0xc5,
++  0x5d, 0x76, 0x3d, 0x09, 0x87, 0xc2, 0x2d, 0x8c, 0x5f, 0x2b, 0x5a, 0x1e,
++  0x01, 0x0f, 0x33, 0xaf, 0x65, 0x08, 0x90, 0x4f, 0xfc, 0x64, 0x5b, 0x9c,
++  0xa3, 0x5c, 0xd6, 0x53, 0x1b, 0x51, 0x01, 0x9f, 0x98, 0xcf, 0xc4, 0x53,
++  0xc5, 0xb1, 0xdf, 0xb3, 0x68, 0x6f, 0x45, 0x4b, 0xc8, 0x45, 0x85, 0xc8,
++  0x1d, 0xb8, 0x9e, 0xd1, 0x77, 0x71, 0xa0, 0xd5, 0xa2, 0x77, 0x87, 0xec,
++  0x67, 0x2e, 0xb9, 0x87, 0x06, 0x46, 0xdd, 0x41, 0x43, 0x40, 0x6a, 0x5f,
++  0x2f, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x6d, 0x30, 0x82,
++  0x01, 0x69, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff,
++  0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06,
++  0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00,
++  0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x51,
++  0x4f, 0xbf, 0x93, 0x7f, 0xa4, 0x6f, 0xb5, 0x7b, 0xf0, 0x7a, 0xf8, 0xbe,
++  0xd8, 0x4b, 0x3b, 0x86, 0x4b, 0x17, 0x11, 0x30, 0x19, 0x06, 0x09, 0x2b,
++  0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a,
++  0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0f,
++  0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03,
++  0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18,
++  0x30, 0x16, 0x80, 0x14, 0x84, 0x44, 0x86, 0x06, 0x00, 0x98, 0x3f, 0x2c,
++  0xaa, 0xb3, 0xc5, 0x89, 0xf3, 0xac, 0x2e, 0xc9, 0xe6, 0x9d, 0x09, 0x03,
++  0x30, 0x65, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x5e, 0x30, 0x5c, 0x30,
++  0x5a, 0xa0, 0x58, 0xa0, 0x56, 0x86, 0x54, 0x68, 0x74, 0x74, 0x70, 0x3a,
++  0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73,
++  0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x6f,
++  0x70, 0x73, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++  0x73, 0x6f, 0x66, 0x74, 0x25, 0x32, 0x30, 0x52, 0x53, 0x41, 0x25, 0x32,
++  0x30, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x25, 0x32, 0x30, 0x52,
++  0x6f, 0x6f, 0x74, 0x25, 0x32, 0x30, 0x43, 0x41, 0x25, 0x32, 0x30, 0x32,
++  0x30, 0x32, 0x31, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x72, 0x06, 0x08, 0x2b,
++  0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x66, 0x30, 0x64, 0x30,
++  0x62, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86,
++  0x56, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e,
++  0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f,
++  0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x6f, 0x70, 0x73, 0x2f, 0x63, 0x65, 0x72,
++  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x25, 0x32, 0x30, 0x52, 0x53, 0x41, 0x25, 0x32, 0x30, 0x44, 0x65, 0x76,
++  0x69, 0x63, 0x65, 0x73, 0x25, 0x32, 0x30, 0x52, 0x6f, 0x6f, 0x74, 0x25,
++  0x32, 0x30, 0x43, 0x41, 0x25, 0x32, 0x30, 0x32, 0x30, 0x32, 0x31, 0x2e,
++  0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
++  0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x4a,
++  0x4b, 0x80, 0xfc, 0x71, 0xb1, 0x87, 0xdd, 0x06, 0x8b, 0x24, 0x10, 0xd1,
++  0x76, 0xf8, 0x10, 0xe4, 0x65, 0x34, 0xa1, 0xbb, 0x81, 0x08, 0x7d, 0x70,
++  0xd4, 0x15, 0x24, 0xf9, 0x90, 0x3b, 0x48, 0x6f, 0x6e, 0x4e, 0x23, 0xfe,
++  0x85, 0x53, 0xec, 0xa2, 0x99, 0x1f, 0x89, 0xe4, 0x34, 0xbe, 0xd0, 0x98,
++  0xaf, 0xf1, 0xf8, 0x2d, 0xf3, 0x47, 0xd1, 0xb5, 0x32, 0x64, 0x9e, 0xde,
++  0x72, 0xc0, 0x17, 0x7e, 0x81, 0x20, 0x7a, 0xc1, 0x5f, 0x91, 0xf5, 0x4e,
++  0x3a, 0xa6, 0x7b, 0x69, 0xd9, 0xd0, 0xd6, 0xf0, 0xfa, 0x80, 0x63, 0xc5,
++  0xc0, 0x44, 0x67, 0xd3, 0x8b, 0x27, 0x61, 0xc1, 0xe5, 0xdc, 0x51, 0x99,
++  0x6e, 0x23, 0xc9, 0x29, 0x18, 0xfe, 0x35, 0xbd, 0x45, 0x21, 0xac, 0x0f,
++  0xf9, 0x60, 0xe2, 0x0f, 0xd1, 0x5f, 0x70, 0x0f, 0x92, 0x2b, 0x58, 0x4e,
++  0xcf, 0xac, 0x64, 0x2f, 0x09, 0x73, 0xed, 0x50, 0x08, 0xc8, 0xe1, 0x85,
++  0x73, 0x40, 0x2c, 0x31, 0xa9, 0xb4, 0xb6, 0x23, 0x4b, 0xc0, 0x19, 0x3b,
++  0xfd, 0x15, 0xf8, 0xd3, 0xcb, 0x74, 0x54, 0xcd, 0xda, 0xbb, 0x7d, 0x04,
++  0x85, 0x9f, 0x70, 0x15, 0x75, 0xf9, 0xb7, 0xf4, 0x61, 0x4b, 0xfe, 0xe4,
++  0x9f, 0x45, 0x0e, 0xf5, 0x82, 0xe9, 0xc5, 0xf3, 0x78, 0xbb, 0xaa, 0x6a,
++  0xe1, 0xf7, 0xbb, 0x85, 0x92, 0x2b, 0xaf, 0x4b, 0xb5, 0x27, 0x4e, 0x9a,
++  0xc9, 0x29, 0x6f, 0x0e, 0xc8, 0xd2, 0x64, 0x63, 0x9b, 0x5d, 0x14, 0x06,
++  0xcc, 0x78, 0x7f, 0xe4, 0x12, 0xdd, 0x96, 0xe3, 0x9c, 0x04, 0x42, 0xec,
++  0x17, 0xfa, 0x92, 0x21, 0xa7, 0xde, 0xf5, 0x69, 0x8f, 0x20, 0xb2, 0x64,
++  0xf3, 0x3f, 0x15, 0xa3, 0x51, 0xaf, 0x27, 0x6f, 0xb7, 0x62, 0x57, 0xaf,
++  0x74, 0x17, 0xec, 0xab, 0xb1, 0xee, 0xa8, 0x50, 0xef, 0xaf, 0x83, 0x82,
++  0xab, 0x61, 0x04, 0x79, 0x3f, 0x49, 0x8c, 0x40, 0x56, 0xc0, 0x3c, 0xaf,
++  0xfb, 0x2a, 0x5a, 0x19, 0x1e, 0xaa, 0xe6, 0x2e, 0x67, 0x24, 0x21, 0xac,
++  0x33, 0xf0, 0xd7, 0x4a, 0x8b, 0x0a, 0x24, 0x30, 0x10, 0xa6, 0x52, 0x3e,
++  0x1d, 0xc8, 0xfc, 0x91, 0x9c, 0x87, 0x1b, 0xfa, 0x86, 0xe1, 0x9e, 0x6b,
++  0xe5, 0x09, 0x61, 0x75, 0xa8, 0xa3, 0x39, 0x5f, 0xe2, 0x9f, 0x6c, 0x0e,
++  0x85, 0x21, 0xe6, 0xbd, 0x76, 0xa5, 0xea, 0x45, 0x83, 0x68, 0x1e, 0x2f,
++  0x36, 0xbf, 0xe0, 0x68, 0x8a, 0x42, 0xce, 0x1f, 0xb8, 0x8d, 0xe1, 0x60,
++  0xe6, 0x93, 0x8a, 0xee, 0xba, 0x4a, 0xad, 0xb3, 0x49, 0x4c, 0xee, 0xa3,
++  0x03, 0xc9, 0xa7, 0xa2, 0x86, 0x71, 0x9c, 0x81, 0x01, 0x67, 0x69, 0x0f,
++  0xde, 0x80, 0x55, 0xd6, 0xc0, 0xde, 0x72, 0x85, 0xc0, 0x46, 0x60, 0xf0,
++  0xce, 0x60, 0x2a, 0x88, 0x08, 0x8d, 0x9c, 0x30, 0xeb, 0xa9, 0x8b, 0x40,
++  0xf3, 0x61, 0x25, 0x09, 0xe1, 0xe1, 0x82, 0x32, 0x04, 0xa5, 0x29, 0xf8,
++  0x59, 0xec, 0x26, 0xb6, 0xc8, 0xd7, 0x23, 0xf0, 0x0b, 0xd3, 0x6c, 0x63,
++  0x6a, 0xda, 0x2f, 0xd2, 0xd3, 0xa5, 0x25, 0x9a, 0x9a, 0x5e, 0xa5, 0xfd,
++  0x02, 0xa5, 0xec, 0xa2, 0x90, 0x81, 0x68, 0x3e, 0x3d, 0x45, 0x8e, 0x7c,
++  0x05, 0xb2, 0x2e, 0xea, 0x99, 0x01, 0x45, 0xfd, 0x09, 0x30, 0x94, 0x26,
++  0xd7, 0x4a, 0x2c, 0xfe, 0x7d, 0x82, 0x44, 0x33, 0x43, 0x55, 0xcb, 0x5a,
++  0x43, 0xd2, 0x92, 0x92, 0xfe, 0x4e, 0x47, 0xc6, 0x49, 0x3f, 0x35, 0x1b,
++  0x21, 0x9c, 0x6a, 0xda, 0x82, 0xfc, 0x64, 0x37, 0xfb, 0x27, 0xea, 0xf4,
++  0x30, 0xdf, 0x65, 0xec, 0xd0, 0xfc, 0x50, 0x01, 0x38, 0x6a, 0xec, 0xdc,
++  0x51, 0xf6, 0xf5, 0xee, 0x9b, 0x26, 0xcc, 0xee, 0x6d, 0xfe, 0x2f, 0x56,
++  0x0e, 0x3a, 0xe8, 0x38, 0x22, 0x8e, 0xaa
++};
++
++CONST UINTN  mSizeOfMicrosoftUefiOpRom2023 = sizeof mMicrosoftUefiOpRom2023;
++
++//
++// Fifth DB entry: "Windows UEFI CA 2023"
++//
++CONST UINT8  mWindowsUefi2023[] = {
++  0x30, 0x82, 0x05, 0xaa, 0x30, 0x82, 0x03, 0x92, 0xa0, 0x03, 0x02, 0x01,
++  0x02, 0x02, 0x13, 0x33, 0x00, 0x00, 0x00, 0x1a, 0x88, 0x8b, 0x98, 0x00,
++  0x56, 0x22, 0x84, 0xc1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x30, 0x0d,
++  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++  0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
++  0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
++  0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74,
++  0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13,
++  0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c,
++  0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61,
++  0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30, 0x30, 0x06, 0x03, 0x55, 0x04,
++  0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
++  0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72,
++  0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17, 0x0d,
++  0x32, 0x33, 0x30, 0x36, 0x31, 0x33, 0x31, 0x38, 0x35, 0x38, 0x32, 0x39,
++  0x5a, 0x17, 0x0d, 0x33, 0x35, 0x30, 0x36, 0x31, 0x33, 0x31, 0x39, 0x30,
++  0x38, 0x32, 0x39, 0x5a, 0x30, 0x4c, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
++  0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1e, 0x30, 0x1c, 0x06,
++  0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73,
++  0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
++  0x69, 0x6f, 0x6e, 0x31, 0x1d, 0x30, 0x1b, 0x06, 0x03, 0x55, 0x04, 0x03,
++  0x13, 0x14, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x55, 0x45,
++  0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x32, 0x33, 0x30, 0x82,
++  0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
++  0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
++  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbc, 0xb2, 0x35, 0xd1, 0x54,
++  0x79, 0xb4, 0x8f, 0xcc, 0x81, 0x2a, 0x6e, 0xb3, 0x12, 0xd6, 0x93, 0x97,
++  0x30, 0x7c, 0x38, 0x5c, 0xbf, 0x79, 0x92, 0x19, 0x0a, 0x0f, 0x2d, 0x0a,
++  0xfe, 0xbf, 0xe0, 0xa8, 0xd8, 0x32, 0x3f, 0xd2, 0xab, 0x6f, 0x6f, 0x81,
++  0xc1, 0x4d, 0x17, 0x69, 0x45, 0xcf, 0x85, 0x80, 0x27, 0xa3, 0x7c, 0xb3,
++  0x31, 0xcc, 0xa5, 0xa7, 0x4d, 0xf9, 0x43, 0xd0, 0x5a, 0x2f, 0xd7, 0x18,
++  0x1b, 0xd2, 0x58, 0x96, 0x05, 0x39, 0xa3, 0x95, 0xb7, 0xbc, 0xdd, 0x79,
++  0xc1, 0xa0, 0xcf, 0x8f, 0xe2, 0x53, 0x1e, 0x2b, 0x26, 0x62, 0xa8, 0x1c,
++  0xae, 0x36, 0x1e, 0x4f, 0xa1, 0xdf, 0xb9, 0x13, 0xba, 0x0c, 0x25, 0xbb,
++  0x24, 0x65, 0x67, 0x01, 0xaa, 0x1d, 0x41, 0x10, 0xb7, 0x36, 0xc1, 0x6b,
++  0x2e, 0xb5, 0x6c, 0x10, 0xd3, 0x4e, 0x96, 0xd0, 0x9f, 0x2a, 0xa1, 0xf1,
++  0xed, 0xa1, 0x15, 0x0b, 0x82, 0x95, 0xc5, 0xff, 0x63, 0x8a, 0x13, 0xb5,
++  0x92, 0x34, 0x1e, 0x31, 0x5e, 0x61, 0x11, 0xae, 0x5d, 0xcc, 0xf1, 0x10,
++  0xe6, 0x4c, 0x79, 0xc9, 0x72, 0xb2, 0x34, 0x8a, 0x82, 0x56, 0x2d, 0xab,
++  0x0f, 0x7c, 0xc0, 0x4f, 0x93, 0x8e, 0x59, 0x75, 0x41, 0x86, 0xac, 0x09,
++  0x10, 0x09, 0xf2, 0x51, 0x65, 0x50, 0xb5, 0xf5, 0x21, 0xb3, 0x26, 0x39,
++  0x8d, 0xaa, 0xc4, 0x91, 0xb3, 0xdc, 0xac, 0x64, 0x23, 0x06, 0xcd, 0x35,
++  0x5f, 0x0d, 0x42, 0x49, 0x9c, 0x4f, 0x0d, 0xce, 0x80, 0x83, 0x82, 0x59,
++  0xfe, 0xdf, 0x4b, 0x44, 0xe1, 0x40, 0xc8, 0x3d, 0x63, 0xb6, 0xcf, 0xb4,
++  0x42, 0x0d, 0x39, 0x5c, 0xd2, 0x42, 0x10, 0x0c, 0x08, 0xc2, 0x74, 0xeb,
++  0x1c, 0xdc, 0x6e, 0xbc, 0x0a, 0xac, 0x98, 0xbb, 0xcc, 0xfa, 0x1e, 0x3c,
++  0xa7, 0x83, 0x16, 0xc5, 0xdb, 0x02, 0xda, 0xd9, 0x96, 0xdf, 0x6b, 0x02,
++  0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x46, 0x30, 0x82, 0x01, 0x42,
++  0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04,
++  0x03, 0x02, 0x01, 0x86, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04,
++  0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d,
++  0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xae, 0xfc, 0x5f,
++  0xbb, 0xbe, 0x05, 0x5d, 0x8f, 0x8d, 0xaa, 0x58, 0x54, 0x73, 0x49, 0x94,
++  0x17, 0xab, 0x5a, 0x52, 0x72, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01,
++  0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53,
++  0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0f, 0x06, 0x03,
++  0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01,
++  0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16,
++  0x80, 0x14, 0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68,
++  0xd1, 0x3d, 0x94, 0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56,
++  0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0,
++  0x49, 0xa0, 0x47, 0x86, 0x45, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
++  0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
++  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72,
++  0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d,
++  0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41, 0x75, 0x74, 0x5f,
++  0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33, 0x2e, 0x63,
++  0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
++  0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
++  0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70,
++  0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f,
++  0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69,
++  0x2f, 0x63, 0x65, 0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f,
++  0x6f, 0x43, 0x65, 0x72, 0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30,
++  0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d,
++  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++  0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x9f, 0xc9, 0xb6, 0xff, 0x6e, 0xe1,
++  0x9c, 0x3b, 0x55, 0xf6, 0xfe, 0x8b, 0x39, 0xdd, 0x61, 0x04, 0x6f, 0xd0,
++  0xad, 0x63, 0xcd, 0x17, 0x76, 0x4a, 0xa8, 0x43, 0x89, 0x8d, 0xf8, 0xc6,
++  0xf2, 0x8c, 0x5e, 0x90, 0xe1, 0xe4, 0x68, 0xa5, 0x15, 0xec, 0xb8, 0xd3,
++  0x60, 0x0c, 0x40, 0x57, 0x1f, 0xfb, 0x5e, 0x35, 0x72, 0x61, 0xde, 0x97,
++  0x31, 0x6c, 0x79, 0xa0, 0xf5, 0x16, 0xae, 0x4b, 0x1c, 0xed, 0x01, 0x0c,
++  0xef, 0xf7, 0x57, 0x0f, 0x42, 0x30, 0x18, 0x69, 0xf8, 0xa1, 0xa3, 0x2e,
++  0x97, 0x92, 0xb8, 0xbe, 0x1b, 0xfe, 0x2b, 0x86, 0x5e, 0x42, 0x42, 0x11,
++  0x8f, 0x8e, 0x70, 0x4d, 0x90, 0xa7, 0xfd, 0x01, 0x63, 0xf2, 0x64, 0xbf,
++  0x9b, 0xe2, 0x7b, 0x08, 0x81, 0xcf, 0x49, 0xf2, 0x37, 0x17, 0xdf, 0xf1,
++  0xf9, 0x72, 0xd3, 0xc3, 0x1d, 0xc3, 0x90, 0x45, 0x4d, 0xe6, 0x80, 0x06,
++  0xbd, 0xfd, 0xe5, 0x6a, 0x69, 0xce, 0xb3, 0x7e, 0x4e, 0x31, 0x5b, 0x84,
++  0x73, 0xa8, 0xe8, 0x72, 0x3f, 0x27, 0x35, 0xc9, 0x7c, 0x20, 0xce, 0x00,
++  0x9b, 0x4f, 0xe0, 0x4c, 0xb4, 0x36, 0x69, 0xcb, 0xf7, 0x34, 0x11, 0x11,
++  0x74, 0x12, 0x7a, 0xa8, 0x8c, 0x2e, 0x81, 0x6c, 0xa6, 0x50, 0xad, 0x19,
++  0xfa, 0xa8, 0x46, 0x45, 0x6f, 0xb1, 0x67, 0x73, 0xc3, 0x6b, 0xe3, 0x40,
++  0xe8, 0x2a, 0x69, 0x8f, 0x24, 0x10, 0xe1, 0x29, 0x6e, 0x8d, 0x16, 0x88,
++  0xee, 0x8e, 0x7f, 0x66, 0x93, 0x02, 0x6f, 0x5b, 0x9e, 0x04, 0x8c, 0xcc,
++  0x81, 0x1c, 0xad, 0x97, 0x54, 0xf1, 0x18, 0x2e, 0x7e, 0x52, 0x90, 0xbc,
++  0x51, 0xde, 0x2a, 0x0e, 0xae, 0x66, 0xea, 0xbc, 0x64, 0x6e, 0xa0, 0x91,
++  0x64, 0xe4, 0x2f, 0x12, 0xa8, 0xbc, 0xe7, 0x6b, 0xba, 0xc7, 0x1b, 0x9b,
++  0x79, 0x1a, 0x64, 0x66, 0xf1, 0x43, 0xb4, 0xd1, 0xc3, 0x46, 0x21, 0x38,
++  0x81, 0x79, 0x4c, 0xfa, 0xf0, 0x31, 0x0d, 0xd3, 0x79, 0xff, 0x7a, 0x12,
++  0xa5, 0x1d, 0xd9, 0xdd, 0xac, 0xa2, 0x0f, 0x71, 0x82, 0xf7, 0x93, 0xff,
++  0x5c, 0xa1, 0x61, 0xae, 0x65, 0xf2, 0x14, 0x81, 0xed, 0x79, 0x5a, 0x9a,
++  0x87, 0xea, 0x60, 0x7b, 0xcb, 0xb3, 0x4f, 0x75, 0x34, 0xca, 0xba, 0xa1,
++  0xef, 0xa2, 0xf6, 0xa2, 0x80, 0x45, 0xa1, 0x8b, 0x27, 0x81, 0xcd, 0xd5,
++  0x77, 0x38, 0x3e, 0xca, 0x4e, 0xdd, 0x28, 0xea, 0x58, 0xba, 0xc5, 0xa0,
++  0x29, 0xde, 0x86, 0x8c, 0x88, 0xfc, 0x95, 0x27, 0x51, 0xdd, 0xab, 0xd3,
++  0xd0, 0x5b, 0x0d, 0x77, 0xc7, 0x6c, 0x8f, 0x55, 0xd7, 0xd4, 0xa2, 0x0e,
++  0x5b, 0xe4, 0x34, 0x46, 0x14, 0x16, 0x1d, 0xe3, 0x1c, 0xd6, 0x6d, 0x99,
++  0xad, 0x4c, 0xec, 0x71, 0x73, 0x2f, 0xab, 0xce, 0xb2, 0xb4, 0x29, 0xde,
++  0x55, 0x30, 0x53, 0x39, 0x3a, 0x32, 0x8b, 0xf0, 0xea, 0x9c, 0x88, 0x12,
++  0x3b, 0x05, 0x68, 0x19, 0xbf, 0xcf, 0x87, 0x52, 0x10, 0xfb, 0xd6, 0x13,
++  0x60, 0xf3, 0x41, 0x64, 0xf4, 0x08, 0x57, 0x81, 0xcb, 0x9d, 0x11, 0xa5,
++  0x8e, 0xf4, 0xe5, 0x27, 0xf5, 0xa3, 0x3a, 0xec, 0xe4, 0x3d, 0x4a, 0xb7,
++  0xce, 0xf9, 0x88, 0x0d, 0x9f, 0xbd, 0xca, 0x6d, 0xd2, 0x4a, 0xbc, 0x58,
++  0x76, 0x8e, 0x32, 0x04, 0x94, 0x6e, 0xdd, 0xf4, 0xcf, 0x6d, 0x47, 0x6d,
++  0xc2, 0xd7, 0x6a, 0xdc, 0x87, 0x71, 0xea, 0xa4, 0xbf, 0xef, 0x67, 0x97,
++  0x9c, 0xb8, 0xc7, 0x80, 0x36, 0x2a, 0x2a, 0x59, 0xc9, 0xc0, 0x0c, 0xa7,
++  0x44, 0xa0, 0x73, 0xb5, 0x8c, 0xcf, 0x38, 0x5a, 0xae, 0xf8, 0xbb, 0x86,
++  0x95, 0xf0, 0x44, 0xad, 0x66, 0x7a, 0x33, 0xed, 0x71, 0xe4, 0x45, 0x87,
++  0x83, 0xe5, 0xa7, 0xce, 0xa2, 0x40, 0xd0, 0x72, 0xd2, 0x48, 0x00, 0xfa,
++  0xf9, 0x1a
++};
++
++CONST UINTN  mSizeOfWindowsUefi2023 = sizeof mWindowsUefi2023;
++
+ //
+ // The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test case
+ // of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit
+diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+index 88b6bafee8..c19764256f 100644
+--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
++++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+@@ -702,6 +702,15 @@ ShellAppMain (
+                mMicrosoftUefiCa,
+                mSizeOfMicrosoftUefiCa,
+                &gMicrosoftVendorGuid,
++               mMicrosoftUefiCa2023,
++               mSizeOfMicrosoftUefiCa2023,
++               &gMicrosoftVendorGuid,
++               mMicrosoftUefiOpRom2023,
++               mSizeOfMicrosoftUefiOpRom2023,
++               &gMicrosoftVendorGuid,
++               mWindowsUefi2023,
++               mSizeOfWindowsUefi2023,
++               &gMicrosoftVendorGuid,
+                NULL
+                );
+   }
+@@ -750,6 +759,9 @@ ShellAppMain (
+                mMicrosoftKek,
+                mSizeOfMicrosoftKek,
+                &gMicrosoftVendorGuid,
++               mMicrosoftKek2023,
++               mSizeOfMicrosoftKek2023,
++               &gMicrosoftVendorGuid,
+                NULL
+                );
+   }
+diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
+index 56da9c71d6..07800ce571 100644
+--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
++++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
+@@ -124,12 +124,24 @@ typedef struct {
+ extern CONST UINT8  mMicrosoftKek[];
+ extern CONST UINTN  mSizeOfMicrosoftKek;
+ 
++extern CONST UINT8  mMicrosoftKek2023[];
++extern CONST UINTN  mSizeOfMicrosoftKek2023;
++
+ extern CONST UINT8  mMicrosoftPca[];
+ extern CONST UINTN  mSizeOfMicrosoftPca;
+ 
+ extern CONST UINT8  mMicrosoftUefiCa[];
+ extern CONST UINTN  mSizeOfMicrosoftUefiCa;
+ 
++extern CONST UINT8  mMicrosoftUefiCa2023[];
++extern CONST UINTN  mSizeOfMicrosoftUefiCa2023;
++
++extern CONST UINT8  mMicrosoftUefiOpRom2023[];
++extern CONST UINTN  mSizeOfMicrosoftUefiOpRom2023;
++
++extern CONST UINT8  mWindowsUefi2023[];
++extern CONST UINTN  mSizeOfWindowsUefi2023;
++
+ extern CONST UINT8  mSha256OfDevNull[];
+ extern CONST UINTN  mSizeOfSha256OfDevNull;
+ 
diff --git a/debian/patches/series b/debian/patches/series
index e74582c057..9f3c8910bf 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,4 @@ ArmVirtPkg-disable-the-EFI_MEMORY_ATTRIBUTE-protocol.patch
 Revert-UefiCpuPkg-Produce-EFI-memory-attributes-prot.patch
 UefiCpuPkg-MpInitLib-Fix-split-lock-violation-from-M.patch
 UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
+OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch
-- 
2.47.3

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH-SERIES edk2-firmware 0/6] partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys

[Fiona Ebner]

This fixes the issue with the Microsoft UEFI CA 2011 expiring in June
2026 for new EFI disks. What still needs to be done is giving users a
way for (or automatically) enrolling the new keys to existing EFI
disks. I will look at that part of the issue in the coming days.

To update an existing EFI disk, it should be enough to do something
like:
virt-fw-vars --inplace vm-103-disk-0.raw --distro-keys ms-uefi

AFAICS, virt-fw-vars can only deal with raw images, so we can use FUSE
exports of differently formatted EFI disks which requires [0].

[0]: https://lore.proxmox.com/pve-devel/20251020141335.124077-1-f.ebner@proxmox.com/


pve-edk2-firmware:

Fiona Ebner (6):
  update edk2 to edk2-stable202505 tag and refresh patches
  d/patches: pick up CVE fix from Debian tag debian/2025.05-1
  d/rules: pick up some improvements from Debian
  Use virt-firmware to enroll default keys.
  Initialize the Secure Boot dbx in *.ms.fd with the latest revocations
  partially fix #6985: pre-enroll Microsoft UEFI CA 2023 keys

 debian/DBXUpdate-2025-02-24.arm64.bin         | Bin 0 -> 4613 bytes
 debian/DBXUpdate-2025-10-16.amd64.bin         | Bin 0 -> 24053 bytes
 debian/control                                |   1 +
 debian/edk2-vars-generator.py                 | 140 ----
 ...nrollDefaultKeys-with-Microsoft-2023.patch | 613 ++++++++++++++++++
 ...tLib-Fix-split-lock-violation-from-M.patch |  10 +-
 ...CpuDxeSmm-Safe-handling-of-IDT-regis.patch |  45 ++
 debian/patches/series                         |   2 +
 debian/rules                                  |  99 +--
 debian/source/include-binaries                |   2 +
 edk2                                          |   2 +-
 11 files changed, 721 insertions(+), 193 deletions(-)
 create mode 100644 debian/DBXUpdate-2025-02-24.arm64.bin
 create mode 100644 debian/DBXUpdate-2025-10-16.amd64.bin
 delete mode 100755 debian/edk2-vars-generator.py
 create mode 100644 debian/patches/OvmfPkg-Expand-EnrollDefaultKeys-with-Microsoft-2023.patch
 create mode 100644 debian/patches/UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch


Summary over all repositories:
  11 files changed, 721 insertions(+), 193 deletions(-)

-- 
Generated by git-murpp 0.5.0


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH edk2-firmware 1/6] update edk2 to edk2-stable202505 tag and refresh patches

[Fiona Ebner]

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 ...Pkg-MpInitLib-Fix-split-lock-violation-from-M.patch | 10 ++++++----
 edk2                                                   |  2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/debian/patches/UefiCpuPkg-MpInitLib-Fix-split-lock-violation-from-M.patch b/debian/patches/UefiCpuPkg-MpInitLib-Fix-split-lock-violation-from-M.patch
index e68278add2..dc086324b4 100644
--- a/debian/patches/UefiCpuPkg-MpInitLib-Fix-split-lock-violation-from-M.patch
+++ b/debian/patches/UefiCpuPkg-MpInitLib-Fix-split-lock-violation-from-M.patch
@@ -34,6 +34,8 @@ Signed-off-by: Aaron Young <aaron.young@oracle.com>
 (cherry picked from commit b0bc23d1f246dac977b639470a51bcef1bcd6e1d)
 Signed-off-by: Friedrich Weber <f.weber@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+[FE: rebase for edk2-stable202505]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
  UefiCpuPkg/Library/MpInitLib/MpEqu.inc | 15 ++++++++++++---
  UefiCpuPkg/Library/MpInitLib/MpLib.c   | 15 ++++++++++-----
@@ -41,7 +43,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  3 files changed, 29 insertions(+), 10 deletions(-)
 
 diff --git a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
-index 317e627b58..ded603f8f8 100644
+index d8ba9ea124..7e4afbcaa5 100644
 --- a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
 +++ b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
 @@ -74,18 +74,18 @@ struc MP_CPU_EXCHANGE_INFO
@@ -65,8 +67,8 @@ index 317e627b58..ded603f8f8 100644
    .CpuMpData:                    CTYPE_UINTN 1
    .InitializeFloatingPointUnits: CTYPE_UINTN 1
    .ModeTransitionMemory:         CTYPE_UINT32 1
-@@ -99,5 +99,14 @@ struc MP_CPU_EXCHANGE_INFO
-   .ExtTopoAvail:                 CTYPE_BOOLEAN 1
+@@ -100,5 +100,14 @@ struc MP_CPU_EXCHANGE_INFO
+   .SevSnpKnownInitApicId:        CTYPE_BOOLEAN 1
  endstruc
  
 -MP_CPU_EXCHANGE_INFO_OFFSET equ (Flat32Start - RendezvousFunnelProcStart)
@@ -130,7 +132,7 @@ index fdcc21d794..ffaff1855f 100644
      // The AP reset stack is only used by SEV-ES guests. Do not allocate it
      // if SEV-ES is not enabled. An SEV-SNP guest is also considered
 diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpInitLib/MpLib.h
-index 145538b6ee..fc08ae2ce6 100644
+index a63bb81bef..b30dcb3828 100644
 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h
 +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h
 @@ -213,18 +213,23 @@ typedef struct {
diff --git a/edk2 b/edk2
index fbe0805b20..6951dfe7d5 160000
--- a/edk2
+++ b/edk2
@@ -1 +1 @@
-Subproject commit fbe0805b2091393406952e84724188f8c1941837
+Subproject commit 6951dfe7d59d144a3a980bd7eda699db2d8554ac
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel