[efi] Add Microsoft vendor GUID definition
authorMichael Brown <mcb30@ipxe.org>
Wed, 12 Nov 2025 12:01:37 +0000 (12:01 +0000)
committerMichael Brown <mcb30@ipxe.org>
Wed, 12 Nov 2025 12:01:37 +0000 (12:01 +0000)
Signed-off-by: Michael Brown <mcb30@ipxe.org>
src/include/ipxe/efi/Guid/MicrosoftVendor.h [new file with mode: 0644]
src/include/ipxe/efi/efi.h
src/include/ipxe/efi/import.pl
src/interface/efi/efi_guid.c

diff --git a/src/include/ipxe/efi/Guid/MicrosoftVendor.h b/src/include/ipxe/efi/Guid/MicrosoftVendor.h
new file mode 100644 (file)
index 0000000..063c892
--- /dev/null
@@ -0,0 +1,57 @@
+/** @file
+  Declare the GUID that is expected:
+
+  - as EFI_SIGNATURE_DATA.SignatureOwner GUID in association with X509 and
+    RSA2048 Secure Boot certificates issued by/for Microsoft,
+
+  - as UEFI variable vendor GUID in association with (unspecified)
+    Microsoft-owned variables.
+
+  Copyright (C) 2014-2019, Red Hat, Inc.
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+  @par Specification Reference:
+  - MSDN: System.Fundamentals.Firmware at
+    <https://msdn.microsoft.com/en-us/ie/dn932805(v=vs.94)>.
+**/
+
+#ifndef MICROSOFT_VENDOR_H_
+#define MICROSOFT_VENDOR_H_
+
+FILE_LICENCE ( BSD2_PATENT );
+
+#include <ipxe/efi/Uefi/UefiBaseType.h>
+
+//
+// The following test cases of the Secure Boot Logo Test in the Microsoft
+// Hardware Certification Kit:
+//
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
+//
+// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
+// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
+// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
+// certificates:
+//
+// - "Microsoft Corporation KEK CA 2011" (in KEK)
+// - "Microsoft Windows Production PCA 2011" (in db)
+// - "Microsoft Corporation UEFI CA 2011" (in db)
+//
+// This is despite the fact that the UEFI specification requires
+// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
+// application or driver) that enrolled and therefore owns
+// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
+// EFI_SIGNATURE_DATA.SignatureData.
+//
+#define MICROSOFT_VENDOR_GUID                           \
+  { 0x77fa9abd,                                         \
+    0x0359,                                             \
+    0x4d32,                                             \
+    { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, \
+  }
+
+extern EFI_GUID  gMicrosoftVendorGuid;
+
+#endif /* MICROSOFT_VENDOR_H_ */
index 30b10f5078b805e52508501601539617a5069c61..bfef573edb67c26e5acff790f490675fc058a41d 100644 (file)
@@ -264,6 +264,7 @@ extern EFI_GUID efi_cert_x509_guid;
 extern EFI_GUID efi_file_info_id;
 extern EFI_GUID efi_file_system_info_id;
 extern EFI_GUID efi_global_variable;
+extern EFI_GUID efi_microsoft_vendor_guid;
 extern EFI_GUID efi_tls_ca_certificate_guid;
 
 extern EFI_HANDLE efi_image_handle;
index 75c200de00c496b1686f0a9089f7c6752728d46c..cdd58e86d257f34e97bf34b403cd12c3e8f0d783 100755 (executable)
@@ -119,7 +119,8 @@ my $edktop = shift;
 
 # Identify edk import directories
 my $edkdirs = [ "MdePkg/Include", "MdeModulePkg/Include",
-               "NetworkPkg/Include", "EmbeddedPkg/Include" ];
+               "NetworkPkg/Include", "EmbeddedPkg/Include",
+               "OvmfPkg/Include" ];
 foreach my $edkdir ( @$edkdirs ) {
   die "Directory \"$edktop\" does not appear to contain the EFI EDK2 "
       ."(missing \"$edkdir\")\n" unless -d catdir ( $edktop, $edkdir );
index 8c8c06d7c04f7764219697b755dfd234484c799c..967f1f1f591274c57993e723a2b82c1f58be1aeb 100644 (file)
@@ -95,6 +95,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include <ipxe/efi/Guid/FileSystemInfo.h>
 #include <ipxe/efi/Guid/GlobalVariable.h>
 #include <ipxe/efi/Guid/ImageAuthentication.h>
+#include <ipxe/efi/Guid/MicrosoftVendor.h>
 #include <ipxe/efi/Guid/SmBios.h>
 #include <ipxe/efi/Guid/TlsAuthentication.h>
 
@@ -466,6 +467,9 @@ EFI_GUID efi_file_system_info_id = EFI_FILE_SYSTEM_INFO_ID;
 /** Global variable GUID */
 EFI_GUID efi_global_variable = EFI_GLOBAL_VARIABLE;
 
+/** Microsoft vendor GUID */
+EFI_GUID efi_microsoft_vendor_guid = MICROSOFT_VENDOR_GUID;
+
 /** TLS CA certificate variable GUID */
 EFI_GUID efi_tls_ca_certificate_guid = EFI_TLS_CA_CERTIFICATE_GUID;
 
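Review bot: The comment `/** Microsoft vendor GUID */` on the new efi_microsoft_vendor_guid definition only repeats its name, whereas the header added in the same commit spells out what the value actually identifies: the EFI_SIGNATURE_DATA.SignatureOwner expected for the Microsoft KEK CA / Production PCA / UEFI CA certificates in KEK and db, and the vendor GUID for Microsoft-owned UEFI variables. Because this is an authority/vendor identifier rather than a protocol GUID like its neighbours, a reader of efi_guid.c benefits from that context at the definition; suggest `/** Microsoft vendor GUID (SignatureOwner of Microsoft-issued Secure Boot certificates in db/KEK; vendor GUID of Microsoft-owned variables) */`. The commit introduces no consumer of the symbol, so any later use for variable lookups or signature-database checks should say at the call site which of those two roles it relies on.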
@@ -615,6 +619,8 @@ static struct efi_well_known_guid efi_well_known_guids[] = {
          "ManagedNetwork" },
        { &efi_managed_network_service_binding_protocol_guid,
          "ManagedNetworkSb" },
+       { &efi_microsoft_vendor_guid,
+         "Microsoft" },
        { &efi_mtftp4_protocol_guid,
          "Mtftp4" },
        { &efi_mtftp4_service_binding_protocol_guid,