From: Michael Brown Date: Wed, 12 Nov 2025 12:01:37 +0000 (+0000) Subject: [efi] Add Microsoft vendor GUID definition X-Git-Tag: rolling/bin~94 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5c135240bc2cc0e4d885f65f9a20cfa76bd8916a;p=thirdparty%2Fipxe.git [efi] Add Microsoft vendor GUID definition Signed-off-by: Michael Brown
---
diff --git a/src/include/ipxe/efi/Guid/MicrosoftVendor.h b/src/include/ipxe/efi/Guid/MicrosoftVendor.h
new file mode 100644
index 000000000..063c89213
--- /dev/null
+++ b/src/include/ipxe/efi/Guid/MicrosoftVendor.h
@@ -0,0 +1,57 @@
+/** @file
+ Declare the GUID that is expected:
+
+ - as EFI_SIGNATURE_DATA.SignatureOwner GUID in association with X509 and
+ RSA2048 Secure Boot certificates issued by/for Microsoft,
+
+ - as UEFI variable vendor GUID in association with (unspecified)
+ Microsoft-owned variables.
+
+ Copyright (C) 2014-2019, Red Hat, Inc.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Specification Reference:
+ - MSDN: System.Fundamentals.Firmware at
+ .
+**/
+
+#ifndef MICROSOFT_VENDOR_H_
+#define MICROSOFT_VENDOR_H_
+
+FILE_LICENCE ( BSD2_PATENT );
+
+#include
+
+//
+// The following test cases of the Secure Boot Logo Test in the Microsoft
+// Hardware Certification Kit:
+//
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
+//
+// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
+// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
+// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
+// certificates:
+//
+// - "Microsoft Corporation KEK CA 2011" (in KEK)
+// - "Microsoft Windows Production PCA 2011" (in db)
+// - "Microsoft Corporation UEFI CA 2011" (in db)
+//
+// This is despite the fact that the UEFI specification requires
+// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
+// application or driver) that enrolled and therefore owns
+// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
+// EFI_SIGNATURE_DATA.SignatureData.
+//
+#define MICROSOFT_VENDOR_GUID \
+ { 0x77fa9abd, \
+ 0x0359, \
+ 0x4d32, \
+ { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, \
+ }
+
+extern EFI_GUID gMicrosoftVendorGuid;
+
+#endif /* MICROSOFT_VENDOR_H_ */
diff --git a/src/include/ipxe/efi/efi.h b/src/include/ipxe/efi/efi.h
index 30b10f507..bfef573ed 100644
--- a/src/include/ipxe/efi/efi.h
+++ b/src/include/ipxe/efi/efi.h
@@ -264,6 +264,7 @@ extern EFI_GUID efi_cert_x509_guid;
 extern EFI_GUID efi_file_info_id;
 extern EFI_GUID efi_file_system_info_id;
 extern EFI_GUID efi_global_variable;
+extern EFI_GUID efi_microsoft_vendor_guid;
 extern EFI_GUID efi_tls_ca_certificate_guid;
 
 extern EFI_HANDLE efi_image_handle;
diff --git a/src/include/ipxe/efi/import.pl b/src/include/ipxe/efi/import.pl
index 75c200de0..cdd58e86d 100755
--- a/src/include/ipxe/efi/import.pl
+++ b/src/include/ipxe/efi/import.pl
@@ -119,7 +119,8 @@ my $edktop = shift;
 
 # Identify edk import directories
 my $edkdirs = [ "MdePkg/Include", "MdeModulePkg/Include",
- "NetworkPkg/Include", "EmbeddedPkg/Include" ];
+ "NetworkPkg/Include", "EmbeddedPkg/Include",
+ "OvmfPkg/Include" ];
 foreach my $edkdir ( @$edkdirs ) {
 die "Directory \"$edktop\" does not appear to contain the EFI EDK2 "
 ."(missing \"$edkdir\")\n" unless -d catdir ( $edktop, $edkdir );
diff --git a/src/interface/efi/efi_guid.c b/src/interface/efi/efi_guid.c
index 8c8c06d7c..967f1f1f5 100644
--- a/src/interface/efi/efi_guid.c
+++ b/src/interface/efi/efi_guid.c
@@ -95,6 +95,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include
 #include
 #include
+#include
 #include
 #include
 
@@ -466,6 +467,9 @@ EFI_GUID efi_file_system_info_id = EFI_FILE_SYSTEM_INFO_ID;
 /** Global variable GUID */
 EFI_GUID efi_global_variable = EFI_GLOBAL_VARIABLE;
 
+/** Microsoft vendor GUID */
+EFI_GUID efi_microsoft_vendor_guid = MICROSOFT_VENDOR_GUID;
+
 /** TLS CA certificate variable GUID */
 EFI_GUID efi_tls_ca_certificate_guid = EFI_TLS_CA_CERTIFICATE_GUID;
 
@@ -615,6 +619,8 @@ static struct efi_well_known_guid efi_well_known_guids[] = {
 "ManagedNetwork" },
 { &efi_managed_network_service_binding_protocol_guid,
 "ManagedNetworkSb" },
+ { &efi_microsoft_vendor_guid,
+ "Microsoft" },
 { &efi_mtftp4_protocol_guid,
 "Mtftp4" },
 { &efi_mtftp4_service_binding_protocol_guid,
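Review bot: The new `"OvmfPkg/Include"` entry in `$edkdirs` in the import.pl hunk gives no hint of why a platform package is now on the import path alongside the core MdePkg/MdeModulePkg/NetworkPkg/EmbeddedPkg entries; presumably it is there for the Guid/MicrosoftVendor.h header added by this commit, which carries a Red Hat copyright rather than an EDK2 core one. A one-line comment above the list would save the next reader a search, e.g. `# OvmfPkg/Include is needed for Guid/MicrosoftVendor.h`. Note also that the unchanged `die ... unless -d catdir ( $edktop, $edkdir )` loop on the following lines now turns an EDK2 checkout without OvmfPkg into a hard import failure, which looks intended but is worth saying where the directory is listed.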
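Review bot: The doc comment `/** Microsoft vendor GUID */` on the new definition in the second efi_guid.c hunk does not say what the value identifies, whereas the imported MicrosoftVendor.h header in this commit spells it out: it is the EFI_SIGNATURE_DATA.SignatureOwner GUID used for the Microsoft-issued KEK/db certificates and the vendor GUID of Microsoft-owned variables. Since efi_guid.c is where the iPXE side names its GUIDs, suggest `/** Microsoft vendor GUID (SignatureOwner of Microsoft-issued KEK/db certificates) */` so a reader does not have to open the vendored header to learn why a vendor GUID is being tracked. The `"Microsoft"` entry added to efi_well_known_guids in the third hunk sits correctly between "ManagedNetworkSb" and "Mtftp4", so that hunk needs nothing.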