From ac6f817327fedc8d164aeba9f038d9943e100a79 Mon Sep 17 00:00:00 2001 From: Doug Flick Date: Tue, 6 Feb 2024 15:57:06 -0800 Subject: [PATCH] Updating from code review --- .../SecureBootRecovery/SecureBootRecovery.c | 247 ++++++++---------- .../SecureBootRecovery/TargetCertificate.h | 144 ++++++++++ 2 files changed, 251 insertions(+), 140 deletions(-) create mode 100644 MsApplicationPkg/SecureBootRecovery/TargetCertificate.h diff --git a/MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.c b/MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.c index 2be5f8df0b..6d389dc98b 100644 --- a/MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.c +++ b/MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.c @@ -14,6 +14,7 @@ #include #include "RecoveryPayload.h" +#include "TargetCertificate.h" // // 10 seconds in microseconds 
@@ -26,56 +27,13 @@ #define STATUS_SIZE (sizeof(EFI_STATUS) * 2) #define STATUS_STRING_SIZE (STATUS_SIZE + sizeof(L"\0")) -// -// The certificate we are looking for -// -#define CERT_ORGANIZATION "Microsoft Corporation" -#define CERT_ORGANIZATION_OFFSET 0xF6 -#define CERT_COMMON_NAME "Windows UEFI CA 2023" -#define CERT_COMMON_NAME_OFFSET 0x116 -#define CERT_SIGNATURE { 0x9f, 0xc9, 0xb6, 0xff, 0x6e, 0xe1, 0x9c, 0x3b, 0x55, 0xf6, 0xfe, 0x8b, 0x39, 0xdd, 0x61, 0x04 } -#define CERT_SIGNATURE_OFFSET 0x3AE - -// -// The system table pointers -// -EFI_SYSTEM_TABLE *mST = NULL; -EFI_RUNTIME_SERVICES *mRT = NULL; -EFI_BOOT_SERVICES *mBS = NULL; - -typedef struct { - UINT8 *Organization; // The organization name in the certificate - UINTN OrganizationLength; // The length of the organization name in the certificate - UINTN OrganizationOffset; // The offset of the organization name in the certificate - UINT8 *CommonName; // The common name in the certificate - UINTN CommonNameLength; // The length of the common name in the certificate - UINTN CommonNameOffset; // The offset of the common name in the certificate - UINT8 Signature[16]; // The signature of the certificate - UINTN SignatureOffset; // The offset of the signature in the certificate -} CERTIFICATE_ENTRY; - -// -// This is Certificate entry for the Windows UEFI CA 2023 certificate -// This will be used to check if the certificate is already in the DB -// -CERTIFICATE_ENTRY mWindows2023ProductionCA = { - .Organization = CERT_ORGANIZATION, - .OrganizationLength = sizeof (CERT_ORGANIZATION) - 1, - .OrganizationOffset = CERT_ORGANIZATION_OFFSET, - .CommonName = CERT_COMMON_NAME, - .CommonNameLength = sizeof (CERT_COMMON_NAME) - 1, - .CommonNameOffset = CERT_COMMON_NAME_OFFSET, - .Signature = CERT_SIGNATURE, - .SignatureOffset = CERT_SIGNATURE_OFFSET -}; - /** - * Converts an EFI_STATUS to a hex string - * @param[in] Status The EFI_STATUS to convert - * - * @return A pointer to a static buffer containing the hex string - 
* @note The caller must not free the returned pointer - * @note The returned pointer is only valid until the next call to this function + Converts an EFI_STATUS to a hex string + @param[in] Status The EFI_STATUS to convert + + @return A pointer to a static buffer containing the hex string + @note The caller must not free the returned pointer + @note The returned pointer is only valid until the next call to this function */ CHAR16 * StatusToHexString ( 
@@ -98,37 +56,47 @@ StatusToHexString ( } /** - * Prints an error message to the console - * @param[in] Message The message to print - * @param[in] Status The EFI_STATUS to print + Prints an error message to the console + + @param[in] SystemTable A pointer to the EFI System Table + @param[in] Message The message to print + @param[in] Status The EFI_STATUS to print */ VOID PrintError ( - CHAR16 *Message, - EFI_STATUS Status + IN EFI_SYSTEM_TABLE *SystemTable, + IN CHAR16 *Message, + IN EFI_STATUS Status ) { - mST->ConOut->OutputString (mST->ConOut, Message); - mST->ConOut->OutputString (mST->ConOut, L"Error: 0x"); - mST->ConOut->OutputString (mST->ConOut, StatusToHexString (Status)); - mST->ConOut->OutputString (mST->ConOut, L"\r\n"); + if (Message == NULL) { + return; + } + + SystemTable->ConOut->OutputString (SystemTable->ConOut, Message); + SystemTable->ConOut->OutputString (SystemTable->ConOut, L"Error: 0x"); + SystemTable->ConOut->OutputString (SystemTable->ConOut, StatusToHexString (Status)); + SystemTable->ConOut->OutputString (SystemTable->ConOut, L"\r\n"); } /** This function checks if a specified certificate is present in the EFI image security database (db). - @param Certificate A pointer to the CERTIFICATE_ENTRY structure that contains the certificate to search for. - @param OptionalStatus If not NULL, a pointer to a variable that receives the status of the operation. + @param[in] SystemTable A pointer to the EFI System Table. + @param[in] Certificate A pointer to the CERTIFICATE_ENTRY structure that contains the certificate to search for. + @param[out] IsFound A pointer to a BOOLEAN that will be set to TRUE if the certificate is found in the DB, FALSE otherwise. - @retval TRUE The certificate was found in the database. - @retval FALSE The certificate was not found in the database. - If OptionalStatus is not NULL, it contains an error code indicating the reason for the failure. + @retval EFI_SUCCESS The certificate was found in the DB. 
+ @retval EFI_UNSUPPORTED The DB does not have the expected attributes. + @retval EFI_INVALID_PARAMETER The input parameters are invalid. + @retval others An error occurred while attempting to read the DB. See GetVariable or AllocatePool for more details. **/ -BOOLEAN +EFI_STATUS IsCertificateInDB ( + IN EFI_SYSTEM_TABLE *SystemTable, IN CERTIFICATE_ENTRY *Certificate, - OUT EFI_STATUS *OptionalStatus + OUT BOOLEAN *IsFound ) { EFI_STATUS Status; @@ -139,40 +107,49 @@ IsCertificateInDB ( UINT8 *Cert; UINTN CertCount; UINT8 *Db; - BOOLEAN Found; EFI_SIGNATURE_LIST *CertList; EFI_SIGNATURE_DATA *CertData; - Found = FALSE; Db = NULL; DbSize = 0; Attributes = VARIABLE_ATTRIBUTE_NV_BS_RT_AT | EFI_VARIABLE_APPEND_WRITE; - if ((mST == NULL) || (Certificate == NULL)) { + if ((Certificate == NULL) || (IsFound == NULL)) { Status = EFI_INVALID_PARAMETER; goto Exit; } + *IsFound = FALSE; + // // Read the size and attributes of the DB // - Status = mRT->GetVariable ( - L"db", - &gEfiImageSecurityDatabaseGuid, - &Attributes, - &DbSize, - NULL - ); + Status = SystemTable->RuntimeServices->GetVariable ( + L"db", + &gEfiImageSecurityDatabaseGuid, + &Attributes, + &DbSize, + NULL + ); // // Confirm we got the expected error that the buffer was too small + // We need to know the size of the DB to allocate a buffer to read it // if (Status != EFI_BUFFER_TOO_SMALL) { // // Likely this will continue to fail on reboot // - return FALSE; + if (Status == EFI_SUCCESS) { + // + // While unlikely, it is possible that the DB is empty + // In that case, we should fail out gracefully because there is nothing we can do + // + Status = EFI_UNSUPPORTED; + } + + goto Exit; } // 
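Review bot: The new `@retval EFI_SUCCESS The certificate was found in the DB.` line is narrower than what the function does: the second GetVariable leaves Status at EFI_SUCCESS, the match path sets it to EFI_SUCCESS again, and when no entry matches the function falls through to Exit with that status and `*IsFound` still FALSE (assuming the loop tail outside this hunk does not reassign Status), which is exactly the case UefiMain relies on to proceed with the update. Suggest `@retval EFI_SUCCESS The DB was read and parsed; *IsFound reports whether the certificate is present.` so callers do not treat EFI_SUCCESS as "found". In the same hunk PrintError now guards `Message == NULL` but dereferences `SystemTable->ConOut` unguarded, so the new check protects against the less likely of the two bad arguments.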
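Review bot: The parameter guard at the top of IsCertificateInDB drops the old `mST == NULL` test without adding one for the new SystemTable parameter, yet `SystemTable->RuntimeServices->GetVariable` is dereferenced a few lines below and the updated doc claims EFI_INVALID_PARAMETER covers invalid inputs. Extend the guard to `if ((SystemTable == NULL) || (Certificate == NULL) || (IsFound == NULL)) {` so the documented contract holds for any caller, not only UefiMain (which appears to validate SystemTable before calling). The function body continues past the end of this hunk.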
@@ -183,15 +160,14 @@ IsCertificateInDB ( // // Likely this will continue to fail on reboot // - return FALSE; + goto Exit; } - Status = mBS->AllocatePool ( - EfiBootServicesData, - DbSize, - &Db - ); - + Status = SystemTable->BootServices->AllocatePool ( + EfiBootServicesData, + DbSize, + &Db + ); if ((Db == NULL) || EFI_ERROR (Status)) { // // Likely this will continue to fail on reboot @@ -202,23 +178,24 @@ IsCertificateInDB ( // // Grab the DB // - Status = mRT->GetVariable ( - L"db", - &gEfiImageSecurityDatabaseGuid, - &Attributes, - &DbSize, - Db - ); + Status = SystemTable->RuntimeServices->GetVariable ( + L"db", + &gEfiImageSecurityDatabaseGuid, + &Attributes, + &DbSize, + Db + ); if (EFI_ERROR (Status)) { // // Likely this will continue to fail on reboot - // GetVariable could return NOT_FOUND if the DB variable does not exist // In that case, we should fail out gracefully because there is nothing we can do // goto Exit; } + // // Confirm the DB is at least as large as the EFI_SIGNATURE_LIST header + // if (DbSize < sizeof (EFI_SIGNATURE_LIST)) { Status = EFI_BUFFER_TOO_SMALL; goto Exit; @@ -226,7 +203,7 @@ IsCertificateInDB ( // // The DB is a list of EFI_SIGNATURE_LISTs but we only care about certificates - // they are not garunteed to be in any particular order + // they are not gauranteed to be in any particular order // CertList = (EFI_SIGNATURE_LIST *)Db; 
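Review bot: The comment fix in the `@@ -226,7 +203,7 @@` hunk swaps one misspelling for another: `gauranteed` is still wrong. The line should read `// they are not guaranteed to be in any particular order`. Since the whole hunk exists only to correct this word, it is worth getting right before merge.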
@@ -259,8 +236,8 @@ IsCertificateInDB ( // First lets ensure that the size of the certificate is at least as large as the certificate we are looking for // Each offset in the certficate entry plus the size of the string must be less than the size of the certificate // - if (((Certificate->OrganizationOffset + sizeof (Certificate->Organization)) <= CertSize) && - ((Certificate->CommonNameOffset + sizeof (Certificate->CommonName)) <= CertSize) && + if (((Certificate->OrganizationOffset + Certificate->OrganizationLength) <= CertSize) && + ((Certificate->CommonNameOffset + Certificate->CommonNameLength) <= CertSize) && ((Certificate->SignatureOffset + sizeof (Certificate->Signature)) <= CertSize)) { // @@ -270,8 +247,8 @@ IsCertificateInDB ( (CompareMem (Cert + Certificate->CommonNameOffset, Certificate->CommonName, Certificate->CommonNameLength) == 0) && (CompareMem (Cert + Certificate->SignatureOffset, Certificate->Signature, sizeof (Certificate->Signature)) == 0)) { - Status = EFI_SUCCESS; - Found = TRUE; + Status = EFI_SUCCESS; + *IsFound = TRUE; goto Exit; } } @@ -294,11 +271,15 @@ IsCertificateInDB ( Exit: - if (OptionalStatus != NULL) { - *OptionalStatus = Status; + // + // Regardless of the outcome, free the DB buffer + // We only needed it to check if the certificate was in the DB + // + if (Db != NULL) { + SystemTable->BootServices->FreePool (Db); } - return Found; + return Status; } /** @@ -311,7 +292,6 @@ IsCertificateInDB ( @retval EFI_SUCCESS The entry point is executed successfully. @retval EFI_INVALID_PARAMETER SystemTable provided was not valid. @retval other Some error occurs when executing this entry point. - **/ EFI_STATUS EFIAPI 
@@ -352,48 +332,35 @@ UefiMain ( goto Exit; } - // Save off the system table pointers - mST = SystemTable; - mBS = SystemTable->BootServices; - mRT = SystemTable->RuntimeServices; - // // Start informing the user of what is happening // - mST->ConOut->ClearScreen (mST->ConOut); - mST->ConOut->OutputString (mST->ConOut, L"\r\nAttempting to update the system's secureboot certificates!\r\n"); - mST->ConOut->OutputString (mST->ConOut, L"Learn more about this tool at https://aka.ms/securebootrecovery\r\n"); + SystemTable->ConOut->ClearScreen (SystemTable->ConOut); + SystemTable->ConOut->OutputString (SystemTable->ConOut, L"\r\nAttempting to update the system's secureboot certificates!\r\n"); + SystemTable->ConOut->OutputString (SystemTable->ConOut, L"Learn more about this tool at https://aka.ms/securebootrecovery\r\n"); // // Determine if the system is in a state we can safely use or if the system is already up to date // - IsFound = IsCertificateInDB (&mWindows2023ProductionCA, &Status); - if (IsFound && (Status == EFI_SUCCESS)) { + Status = IsCertificateInDB (SystemTable, &mTargetCertificate, &IsFound); + if ((Status == EFI_SUCCESS) && IsFound) { // // If the 2023 certificate is already in the DB, inform the user and reboot // This is likely someone running this tool multiple times so let's do nothing // - mST->ConOut->OutputString (mST->ConOut, L"\r\nThe system's secureboot keys are already up to date!\r\n"); + SystemTable->ConOut->OutputString (SystemTable->ConOut, L"\r\nThe system's secureboot keys are already up to date!\r\n"); goto Reboot; - } else if (IsFound && (EFI_ERROR (Status))) { + } else if (EFI_ERROR (Status) && IsFound) { // // Should be impossible to get here, but just in case, let's inform the user and reboot // - PrintError (L"\r\nFailed to read the system's secure boot keys and something went wrong!\r\n", Status); + PrintError (SystemTable, L"\r\nFailed to read the system's secure boot keys and something went wrong!\r\n", Status); goto Reboot; - } 
else if (!IsFound) { - if (EFI_ERROR (Status)) { - // - // Likely this will continue to fail on reboot, the user will hopefully go to https://aka.ms/securebootrecovery to learn more - // - PrintError (L"\r\nFailed to read the system's secureboot keys!\r\n", Status); - } else { - // - // The DB is empty, so let's assume the system has secureboot disabled, inform the user and reboot - // - PrintError (L"\r\nFailed to read the system's secureboot keys! Is Secureboot enabled?\r\n", Status); - } - + } else if (EFI_ERROR (Status) && !IsFound) { + // + // Likely this will continue to fail on reboot, the user will hopefully go to https://aka.ms/securebootrecovery to learn more + // + PrintError (SystemTable, L"\r\nFailed to read the system's secureboot keys!\r\n", Status); goto Reboot; } 
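Review bot: Both `else if (EFI_ERROR (Status) && IsFound)` and `else if (EFI_ERROR (Status) && !IsFound)` read IsFound after a call that returns EFI_INVALID_PARAMETER before it ever assigns `*IsFound`; unless IsFound is initialized at its declaration (above this hunk), that is a read of an indeterminate value. Either initialize with `IsFound = FALSE;` before the call, or collapse the two error branches into a single `else if (EFI_ERROR (Status))`, since both only print and jump to Reboot and the "should be impossible" case needs no separate branch once IsFound is reliable. The removed branch also told the user that a missing or empty DB probably means Secure Boot is disabled; IsCertificateInDB now surfaces that as EFI_NOT_FOUND (variable absent) or EFI_UNSUPPORTED (empty), so the hint can be kept with `if ((Status == EFI_NOT_FOUND) || (Status == EFI_UNSUPPORTED)) { PrintError (SystemTable, L"\r\nFailed to read the system's secureboot keys! Is Secureboot enabled?\r\n", Status); }` inside the error branch. UefiMain begins and ends outside this hunk.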
@@ -405,38 +372,38 @@ UefiMain ( // // Perform the append operation // - Status = mRT->SetVariable ( - L"db", - &gEfiImageSecurityDatabaseGuid, - Attributes, - sizeof (mDbUpdate), - mDbUpdate - ); + Status = SystemTable->RuntimeServices->SetVariable ( + L"db", + &gEfiImageSecurityDatabaseGuid, + Attributes, + sizeof (mDbUpdate), + mDbUpdate + ); if (EFI_ERROR (Status)) { // // On failure, inform the user and reboot + // This means that the payload being applied is not signed by a key in the KEK // Likely this will continue to fail on reboot, the user will hopefully go to https://aka.ms/securebootrecovery to learn more // - PrintError (L"\r\nFailed to update the system to the 2023 Secure Boot Certificate!\r\n", Status); + PrintError (SystemTable, L"\r\nFailed to update the system to the 2023 Secure Boot Certificate!\r\n", Status); goto Reboot; } // // Otherwise the system took the update, so let's inform the user // - mST->ConOut->OutputString (mST->ConOut, L"\r\nSuccessfully updated the system's secureboot keys!\r\n"); + SystemTable->ConOut->OutputString (SystemTable->ConOut, L"\r\nSuccessfully updated the system's secureboot keys!\r\n"); Reboot: - // // Stall for 10 seconds to give the user a chance to read the message // - mBS->Stall (STALL_10_SECONDS); + SystemTable->BootServices->Stall (STALL_10_SECONDS); // // Reset the system // - mRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL); + SystemTable->RuntimeServices->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL); Exit: // @@ -446,12 +413,12 @@ UefiMain ( // // let's atleast try to print an error to the console // - PrintError (L"Exiting unexpectedly!\r\n", Status); + PrintError (SystemTable, L"Exiting unexpectedly!\r\n", Status); // // Stall for 10 seconds to give the user a chance to read the error message // - mBS->Stall (STALL_10_SECONDS); + SystemTable->BootServices->Stall (STALL_10_SECONDS); return Status; } 
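Review bot: The new comment `// This means that the payload being applied is not signed by a key in the KEK` presents one cause as the only one, but SetVariable on a time-based authenticated variable reports a rejected signature as EFI_SECURITY_VIOLATION, while EFI_WRITE_PROTECTED, EFI_OUT_OF_RESOURCES or EFI_DEVICE_ERROR point at the variable store rather than at trust, and the printed status is the only clue the user gets. Suggest `// EFI_SECURITY_VIOLATION means the payload's signature was not accepted against the KEK; other codes indicate a variable-store problem rather than a trust failure` so the status printed by PrintError is interpreted correctly.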
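Review bot: On the Exit path in the `@@ -446,12 +413,12 @@` hunk, `PrintError (SystemTable, L"Exiting unexpectedly!\r\n", Status);` and `SystemTable->BootServices->Stall (STALL_10_SECONDS);` both dereference SystemTable, yet Exit is documented (in the `@@ -311,7 +292,6 @@` context) as the outcome of "SystemTable provided was not valid"; if the validity check at the top of UefiMain, which is outside this hunk, jumps here with a NULL SystemTable, the "at least try to print" fallback itself faults. Wrapping the two calls in `if ((SystemTable != NULL) && (SystemTable->ConOut != NULL) && (SystemTable->BootServices != NULL)) {` keeps the best-effort message without the crash. The old mST-based code had the same gap, but the commit rewrites these lines and is the natural place to close it.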
diff --git a/MsApplicationPkg/SecureBootRecovery/TargetCertificate.h b/MsApplicationPkg/SecureBootRecovery/TargetCertificate.h
new file mode 100644
index 0000000000..d02b46699d
--- /dev/null
+++ b/MsApplicationPkg/SecureBootRecovery/TargetCertificate.h
@@ -0,0 +1,144 @@
+/** @file
+ This file contains the information about the certificate that we will search for in the DB
+ If the certificate is found in the DB, the system will be considered up to date and
+ no recovery attempt will be performed.
+
+ Copyright (C) Microsoft Corporation
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef TARGET_CERTIFICATE_H_
+#define TARGET_CERTIFICATE_H_
+
+#include
+
+//
+// Version: 3 (0x02)
+// Serial number: 1137338005262830966003041513284644495440216090 (0x330000001a888b9800562284c100000000001a)
+// Algorithm ID: SHA256withRSA
+// Validity
+// Not Before: 13/06/2023 18:58:29 (dd-mm-yyyy hh:mm:ss) (230613185829Z)
+// Not After: 13/06/2035 19:08:29 (dd-mm-yyyy hh:mm:ss) (350613190829Z)
+// Issuer
+// C = US
+// ST = Washington
+// L = Redmond
+// O = Microsoft Corporation
+// CN = Microsoft Root Certificate Authority 2010
+// Subject
+// C = US
+// O = Microsoft Corporation
+// CN = Windows UEFI CA 2023
+// Public Key
+// Algorithm: RSA
+// Length: 2048 bits
+// Modulus: bc:b2:35:d1:54:79:b4:8f:cc:81:2a:6e:b3:12:d6:93:
+// 97:30:7c:38:5c:bf:79:92:19:0a:0f:2d:0a:fe:bf:e0:
+// a8:d8:32:3f:d2:ab:6f:6f:81:c1:4d:17:69:45:cf:85:
+// 80:27:a3:7c:b3:31:cc:a5:a7:4d:f9:43:d0:5a:2f:d7:
+// 18:1b:d2:58:96:05:39:a3:95:b7:bc:dd:79:c1:a0:cf:
+// 8f:e2:53:1e:2b:26:62:a8:1c:ae:36:1e:4f:a1:df:b9:
+// 13:ba:0c:25:bb:24:65:67:01:aa:1d:41:10:b7:36:c1:
+// 6b:2e:b5:6c:10:d3:4e:96:d0:9f:2a:a1:f1:ed:a1:15:
+// 0b:82:95:c5:ff:63:8a:13:b5:92:34:1e:31:5e:61:11:
+// ae:5d:cc:f1:10:e6:4c:79:c9:72:b2:34:8a:82:56:2d:
+// ab:0f:7c:c0:4f:93:8e:59:75:41:86:ac:09:10:09:f2:
+// 51:65:50:b5:f5:21:b3:26:39:8d:aa:c4:91:b3:dc:ac:
+// 64:23:06:cd:35:5f:0d:42:49:9c:4f:0d:ce:80:83:82:
+// 59:fe:df:4b:44:e1:40:c8:3d:63:b6:cf:b4:42:0d:39:
+// 5c:d2:42:10:0c:08:c2:74:eb:1c:dc:6e:bc:0a:ac:98:
+// bb:cc:fa:1e:3c:a7:83:16:c5:db:02:da:d9:96:df:6b
+// Exponent: 65537 (0x10001)
+// Certificate Signature
+// Algorithm: SHA256withRSA
+// Signature: 9f:c9:b6:ff:6e:e1:9c:3b:55:f6:fe:8b:39:dd:61:04:
+// 6f:d0:ad:63:cd:17:76:4a:a8:43:89:8d:f8:c6:f2:8c:
+// 5e:90:e1:e4:68:a5:15:ec:b8:d3:60:0c:40:57:1f:fb:
+// 5e:35:72:61:de:97:31:6c:79:a0:f5:16:ae:4b:1c:ed:
+// 01:0c:ef:f7:57:0f:42:30:18:69:f8:a1:a3:2e:97:92:
+// b8:be:1b:fe:2b:86:5e:42:42:11:8f:8e:70:4d:90:a7:
+// fd:01:63:f2:64:bf:9b:e2:7b:08:81:cf:49:f2:37:17:
+// df:f1:f9:72:d3:c3:1d:c3:90:45:4d:e6:80:06:bd:fd:
+// e5:6a:69:ce:b3:7e:4e:31:5b:84:73:a8:e8:72:3f:27:
+// 35:c9:7c:20:ce:00:9b:4f:e0:4c:b4:36:69:cb:f7:34:
+// 11:11:74:12:7a:a8:8c:2e:81:6c:a6:50:ad:19:fa:a8:
+// 46:45:6f:b1:67:73:c3:6b:e3:40:e8:2a:69:8f:24:10:
+// e1:29:6e:8d:16:88:ee:8e:7f:66:93:02:6f:5b:9e:04:
+// 8c:cc:81:1c:ad:97:54:f1:18:2e:7e:52:90:bc:51:de:
+// 2a:0e:ae:66:ea:bc:64:6e:a0:91:64:e4:2f:12:a8:bc:
+// e7:6b:ba:c7:1b:9b:79:1a:64:66:f1:43:b4:d1:c3:46:
+// 21:38:81:79:4c:fa:f0:31:0d:d3:79:ff:7a:12:a5:1d:
+// d9:dd:ac:a2:0f:71:82:f7:93:ff:5c:a1:61:ae:65:f2:
+// 14:81:ed:79:5a:9a:87:ea:60:7b:cb:b3:4f:75:34:ca:
+// ba:a1:ef:a2:f6:a2:80:45:a1:8b:27:81:cd:d5:77:38:
+// 3e:ca:4e:dd:28:ea:58:ba:c5:a0:29:de:86:8c:88:fc:
+// 95:27:51:dd:ab:d3:d0:5b:0d:77:c7:6c:8f:55:d7:d4:
+// a2:0e:5b:e4:34:46:14:16:1d:e3:1c:d6:6d:99:ad:4c:
+// ec:71:73:2f:ab:ce:b2:b4:29:de:55:30:53:39:3a:32:
+// 8b:f0:ea:9c:88:12:3b:05:68:19:bf:cf:87:52:10:fb:
+// d6:13:60:f3:41:64:f4:08:57:81:cb:9d:11:a5:8e:f4:
+// e5:27:f5:a3:3a:ec:e4:3d:4a:b7:ce:f9:88:0d:9f:bd:
+// ca:6d:d2:4a:bc:58:76:8e:32:04:94:6e:dd:f4:cf:6d:
+// 47:6d:c2:d7:6a:dc:87:71:ea:a4:bf:ef:67:97:9c:b8:
+// c7:80:36:2a:2a:59:c9:c0:0c:a7:44:a0:73:b5:8c:cf:
+// 38:5a:ae:f8:bb:86:95:f0:44:ad:66:7a:33:ed:71:e4:
+// 45:87:83:e5:a7:ce:a2:40:d0:72:d2:48:00:fa:f9:1a
+//
+// Extensions
+// keyUsage CRITICAL:
+// digitalSignature,keyCertSign,cRLSign
+// 1.3.6.1.4.1.311.21.1 :
+// subjectKeyIdentifier :
+// aefc5fbbbe055d8f8daa585473499417ab5a5272
+// 1.3.6.1.4.1.311.20.2 :
+// basicConstraints CRITICAL:
+// cA=true
+// authorityKeyIdentifier :
+// kid=d5f656cb8fe8a25c6268d13d94905bd7ce9a18c4
+// cRLDistributionPoints :
+// http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
+// authorityInfoAccess :
+// caissuer: http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
+//
+
+//
+// The certificate we are looking for
+//
+#define CERT_ORGANIZATION "Microsoft Corporation"
+#define CERT_ORGANIZATION_OFFSET 0xF6
+#define CERT_COMMON_NAME "Windows UEFI CA 2023"
+#define CERT_COMMON_NAME_OFFSET 0x116
+#define CERT_SIGNATURE { 0x9f, 0xc9, 0xb6, 0xff, 0x6e, 0xe1, 0x9c, 0x3b, 0x55, 0xf6, 0xfe, 0x8b, 0x39, 0xdd, 0x61, 0x04 }
+#define CERT_SIGNATURE_OFFSET 0x3AE
+
+//
+// This is the certificate entry structure
+// It is used to check if the certificate is already in the DB
+//
+typedef struct {
+ CHAR8 *Organization; // The organization name in the certificate
+ UINTN OrganizationLength; // The length of the organization name in the certificate
+ UINTN OrganizationOffset; // The offset of the organization name in the certificate
+ CHAR8 *CommonName; // The common name in the certificate
+ UINTN CommonNameLength; // The length of the common name in the certificate
+ UINTN CommonNameOffset; // The offset of the common name in the certificate
+ UINT8 Signature[16]; // The signature of the certificate
+ UINTN SignatureOffset; // The offset of the signature in the certificate
+} CERTIFICATE_ENTRY;
+
+//
+// This is Certificate entry for the Windows UEFI CA 2023 certificate
+// This will be used to check if the certificate is already in the DB
+//
+CERTIFICATE_ENTRY mTargetCertificate = {
+ .Organization = CERT_ORGANIZATION,
+ .OrganizationLength = sizeof (CERT_ORGANIZATION) - 1,
+ .OrganizationOffset = CERT_ORGANIZATION_OFFSET,
+ .CommonName = CERT_COMMON_NAME,
+ .CommonNameLength = sizeof (CERT_COMMON_NAME) - 1,
+ .CommonNameOffset = CERT_COMMON_NAME_OFFSET,
+ .Signature = CERT_SIGNATURE,
+ .SignatureOffset = CERT_SIGNATURE_OFFSET
+};
+
+#endif // TARGET_CERTIFICATE_H_
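Review bot: `CERTIFICATE_ENTRY mTargetCertificate = {` near the end of the new header defines a non-static, non-const object with external linkage, so every translation unit that includes TargetCertificate.h emits its own definition (a duplicate-symbol link error the moment a second .c includes it) and the match template lives in writable memory. Make it `STATIC CONST CERTIFICATE_ENTRY mTargetCertificate = {`, declare the string members as `CONST CHAR8 *Organization;` and `CONST CHAR8 *CommonName;` since they are initialized from string literals, and change IsCertificateInDB in SecureBootRecovery.c to take `IN CONST CERTIFICATE_ENTRY *Certificate` so the const object can be passed without a cast. The `CERT_*_OFFSET` macros would also benefit from a comment stating that they are byte offsets into the certificate blob as stored in the db entry, valid only for this exact encoding of this certificate, and that the check is an "already applied" short-circuit on three fixed-offset fields rather than a full certificate comparison or a trust decision.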