From 67031da928735e1d3b6bfca8d393a07d98e478dd Mon Sep 17 00:00:00 2001 
From: Mounir IDRASSI Date: Sun, 14 Aug 2016 23:45:10 +0200 Subject: Windows: Add DCS EFI Bootloader files that are signed. Add certificates and powershell script to update Secure Boot configuration. --- src/Boot/EFI/DcsBml.efi | Bin 0 -> 8544 bytes src/Boot/EFI/DcsBoot.efi | Bin 0 -> 12640 bytes src/Boot/EFI/DcsCfg.efi | Bin 0 -> 499072 bytes src/Boot/EFI/DcsInt.efi | Bin 0 -> 469504 bytes src/Boot/EFI/DcsRe.efi | Bin 0 -> 18304 bytes src/Boot/EFI/LegacySpeaker.efi | Bin 0 -> 2784 bytes src/Boot/EFI/Readme.txt | 13 ++++++++++++ src/Boot/EFI/certs/DCS_key_exchange.crt | Bin 0 -> 1093 bytes src/Boot/EFI/certs/DCS_platform.crt | Bin 0 -> 1341 bytes src/Boot/EFI/certs/DCS_sign.crt | Bin 0 -> 826 bytes src/Boot/EFI/certs/MicCorUEFCA2011_2011-06-27.crt | Bin 0 -> 1556 bytes src/Boot/EFI/certs/MicWinProPCA2011_2011-10-19.crt | Bin 0 -> 1499 bytes src/Boot/EFI/certs/Readme.txt | 3 +++ src/Boot/EFI/sb_set_siglists.ps1 | 22 +++++++++++++++++++++ src/Boot/EFI/siglists/DCS_key_exchange_SigList.bin | Bin 0 -> 1137 bytes .../DCS_key_exchange_SigList_Serialization.bin | Bin 0 -> 1179 bytes .../DCS_key_exchange_SigList_Serialization.bin.p7 | Bin 0 -> 1996 bytes src/Boot/EFI/siglists/DCS_platform_SigList.bin | Bin 0 -> 1385 bytes .../DCS_platform_SigList_Serialization.bin | Bin 0 -> 1425 bytes .../DCS_platform_SigList_Serialization.bin.p7 | Bin 0 -> 1996 bytes src/Boot/EFI/siglists/DCS_sign_SigList.bin | Bin 0 -> 870 bytes .../siglists/DCS_sign_SigList_Serialization.bin | Bin 0 -> 910 bytes .../siglists/DCS_sign_SigList_Serialization.bin.p7 | Bin 0 -> 1492 bytes .../MicCorUEFCA2011_2011-06-27_SigList.bin | Bin 0 -> 1600 bytes ...rUEFCA2011_2011-06-27_SigList_Serialization.bin | Bin 0 -> 1640 bytes ...FCA2011_2011-06-27_SigList_Serialization.bin.p7 | Bin 0 -> 1492 bytes .../MicWinProPCA2011_2011-10-19_SigList.bin | Bin 0 -> 1543 bytes ...ProPCA2011_2011-10-19_SigList_Serialization.bin | Bin 0 -> 1583 bytes ...PCA2011_2011-10-19_SigList_Serialization.bin.p7 | Bin 0 -> 1492 bytes 29 
files changed, 38 insertions(+) create mode 100644 src/Boot/EFI/DcsBml.efi create mode 100644 src/Boot/EFI/DcsBoot.efi create mode 100644 src/Boot/EFI/DcsCfg.efi create mode 100644 src/Boot/EFI/DcsInt.efi create mode 100644 src/Boot/EFI/DcsRe.efi create mode 100644 src/Boot/EFI/LegacySpeaker.efi create mode 100644 src/Boot/EFI/Readme.txt create mode 100644 src/Boot/EFI/certs/DCS_key_exchange.crt create mode 100644 src/Boot/EFI/certs/DCS_platform.crt create mode 100644 src/Boot/EFI/certs/DCS_sign.crt create mode 100644 src/Boot/EFI/certs/MicCorUEFCA2011_2011-06-27.crt create mode 100644 src/Boot/EFI/certs/MicWinProPCA2011_2011-10-19.crt create mode 100644 src/Boot/EFI/certs/Readme.txt create mode 100644 src/Boot/EFI/sb_set_siglists.ps1 create mode 100644 src/Boot/EFI/siglists/DCS_key_exchange_SigList.bin create mode 100644 src/Boot/EFI/siglists/DCS_key_exchange_SigList_Serialization.bin create mode 100644 src/Boot/EFI/siglists/DCS_key_exchange_SigList_Serialization.bin.p7 create mode 100644 src/Boot/EFI/siglists/DCS_platform_SigList.bin create mode 100644 src/Boot/EFI/siglists/DCS_platform_SigList_Serialization.bin create mode 100644 src/Boot/EFI/siglists/DCS_platform_SigList_Serialization.bin.p7 create mode 100644 src/Boot/EFI/siglists/DCS_sign_SigList.bin create mode 100644 src/Boot/EFI/siglists/DCS_sign_SigList_Serialization.bin create mode 100644 src/Boot/EFI/siglists/DCS_sign_SigList_Serialization.bin.p7 create mode 100644 src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList.bin create mode 100644 src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin create mode 100644 src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7 create mode 100644 src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList.bin create mode 100644 src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin create mode 100644 src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7 
diff --git a/src/Boot/EFI/DcsBml.efi b/src/Boot/EFI/DcsBml.efi
new file mode 100644
index 00000000..8775ce4c
Binary files /dev/null and b/src/Boot/EFI/DcsBml.efi differ
diff --git a/src/Boot/EFI/DcsBoot.efi b/src/Boot/EFI/DcsBoot.efi
new file mode 100644
index 00000000..03f15633
Binary files /dev/null and b/src/Boot/EFI/DcsBoot.efi differ
diff --git a/src/Boot/EFI/DcsCfg.efi b/src/Boot/EFI/DcsCfg.efi
new file mode 100644
index 00000000..da5a6ee4
Binary files /dev/null and b/src/Boot/EFI/DcsCfg.efi differ
diff --git a/src/Boot/EFI/DcsInt.efi b/src/Boot/EFI/DcsInt.efi
new file mode 100644
index 00000000..666030ba
Binary files /dev/null and b/src/Boot/EFI/DcsInt.efi differ
diff --git a/src/Boot/EFI/DcsRe.efi b/src/Boot/EFI/DcsRe.efi
new file mode 100644
index 00000000..646a79e3
Binary files /dev/null and b/src/Boot/EFI/DcsRe.efi differ
diff --git a/src/Boot/EFI/LegacySpeaker.efi b/src/Boot/EFI/LegacySpeaker.efi
new file mode 100644
index 00000000..5f49a76a
Binary files /dev/null and b/src/Boot/EFI/LegacySpeaker.efi differ
diff --git a/src/Boot/EFI/Readme.txt b/src/Boot/EFI/Readme.txt
new file mode 100644
index 00000000..882c247a
--- /dev/null
+++ b/src/Boot/EFI/Readme.txt
@@ -0,0 +1,13 @@
+To update secure boot configuration
+1. Enter BIOS configuration
+2. Switch Secure boot to setup mode (or custom mode). It deletes PK (platform certificate) and allows to load DCS platform key.
+3. Boot Windows
+4. execute from admin command prompt
+ powershell -File sb_set_siglists.ps1
+It sets in PK (platform key) - DCS_platform
+It sets in KEK (key exchange key) - DCS_key_exchange
+It sets in db - DCS_sign MicWinProPCA2011_2011-10-19 MicCorUEFCA2011_2011-06-27
+
+All DCS modules are protected by DCS_sign.
+All Windows modules are protected by MicWinProPCA2011_2011-10-19
+All SHIM(linux) modules are protected by MicCorUEFCA2011_2011-06-27
\ No newline at end of file
diff --git a/src/Boot/EFI/certs/DCS_key_exchange.crt b/src/Boot/EFI/certs/DCS_key_exchange.crt
new file mode 100644
index 00000000..80bc7ca4
Binary files /dev/null and b/src/Boot/EFI/certs/DCS_key_exchange.crt differ
diff --git a/src/Boot/EFI/certs/DCS_platform.crt b/src/Boot/EFI/certs/DCS_platform.crt
new file mode 100644
index 00000000..a7cf8ce9
Binary files /dev/null and b/src/Boot/EFI/certs/DCS_platform.crt differ
diff --git a/src/Boot/EFI/certs/DCS_sign.crt b/src/Boot/EFI/certs/DCS_sign.crt
new file mode 100644
index 00000000..f0538dbb
Binary files /dev/null and b/src/Boot/EFI/certs/DCS_sign.crt differ
diff --git a/src/Boot/EFI/certs/MicCorUEFCA2011_2011-06-27.crt b/src/Boot/EFI/certs/MicCorUEFCA2011_2011-06-27.crt
new file mode 100644
index 00000000..9aa6ac6c
Binary files /dev/null and b/src/Boot/EFI/certs/MicCorUEFCA2011_2011-06-27.crt differ
diff --git a/src/Boot/EFI/certs/MicWinProPCA2011_2011-10-19.crt b/src/Boot/EFI/certs/MicWinProPCA2011_2011-10-19.crt
new file mode 100644
index 00000000..a6d001c2
Binary files /dev/null and b/src/Boot/EFI/certs/MicWinProPCA2011_2011-10-19.crt differ
diff --git a/src/Boot/EFI/certs/Readme.txt b/src/Boot/EFI/certs/Readme.txt
new file mode 100644
index 00000000..6663a5d1
--- /dev/null
+++ b/src/Boot/EFI/certs/Readme.txt
@@ -0,0 +1,3 @@
+Apart from DCS certificates, there are two public DB entries - one for Windows and one for the UEFI Certificate Authority (CA).
+Windows DB: http://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
+UEFI DB: http://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
diff --git a/src/Boot/EFI/sb_set_siglists.ps1 b/src/Boot/EFI/sb_set_siglists.ps1
new file mode 100644
index 00000000..5f664f21
--- /dev/null
+++ b/src/Boot/EFI/sb_set_siglists.ps1
@@ -0,0 +1,22 @@
+Set-ExecutionPolicy Bypass -Force
+Import-Module secureboot
+
+Set-SecureBootUEFI -Name PK -Time 2015-09-11 -Content $null
+Set-SecureBootUEFI -Name KEK -Time 2015-09-11 -Content $null
+Set-SecureBootUEFI -Name db -Time 2015-09-11 -Content $null
+Set-SecureBootUEFI -Name dbx -Time 2015-09-11 -Content $null
+
+Write-Host "Setting self-signed PK..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\DCS_platform_SigList.bin -SignedFilePath siglists\DCS_platform_SigList_Serialization.bin.p7 -Name PK
+
+Write-Host "Setting PK-signed KEK..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\DCS_key_exchange_SigList.bin -SignedFilePath siglists\DCS_key_exchange_SigList_Serialization.bin.p7 -Name KEK
+
+Write-Host "Setting KEK-signed DCS cert in db..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\DCS_sign_SigList.bin -SignedFilePath siglists\DCS_sign_SigList_Serialization.bin.p7 -Name db
+
+Write-Host "Setting KEK-signed MS cert in db..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\MicWinProPCA2011_2011-10-19_SigList.bin -SignedFilePath siglists\MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
+
+Write-Host "Setting KEK-signed MS UEFI cert in db..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\MicCorUEFCA2011_2011-06-27_SigList.bin -SignedFilePath siglists\MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
diff --git a/src/Boot/EFI/siglists/DCS_key_exchange_SigList.bin b/src/Boot/EFI/siglists/DCS_key_exchange_SigList.bin
new file mode 100644
index 00000000..62f5cc6f
Binary files /dev/null and b/src/Boot/EFI/siglists/DCS_key_exchange_SigList.bin differ
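Review bot: `Set-SecureBootUEFI -Name dbx -Time 2015-09-11 -Content $null` empties the forbidden-signature database and nothing later in the script writes dbx again, so whatever revocations the firmware held before the script ran are gone, while the two Microsoft CAs are re-added to db by the last two Set-SecureBootUEFI calls; unless the DCS profile genuinely requires an empty dbx, drop that line or follow it with a signed `-ContentFilePath`/`-SignedFilePath` write of a current dbx list, and state the dbx outcome in Readme.txt next to the PK/KEK/db summary either way. `Set-ExecutionPolicy Bypass -Force` on the first line persists at its default LocalMachine scope after the script exits, and it does nothing for this script's own launch because the policy is evaluated before line 1 runs, which is also why the `powershell -File sb_set_siglists.ps1` invocation in Readme.txt may be refused on a default machine; prefer `Set-ExecutionPolicy Bypass -Scope Process -Force`, or document invoking with `powershell -ExecutionPolicy Bypass -File sb_set_siglists.ps1` and remove the line. The Set-SecureBootUEFI calls also keep going after a failure since cmdlet errors are non-terminating by default, so a rejected PK write (firmware not in setup mode, for instance) still lets the KEK and db writes run against the old PK; adding `$ErrorActionPreference = 'Stop'` near the top makes a half-applied configuration fail at the first step instead. The relative `siglists\...` paths are resolved against the caller's working directory rather than the script's location, so running from any other directory fails; `Join-Path $PSScriptRoot 'siglists\...'` would pin them to the script.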
diff --git a/src/Boot/EFI/siglists/DCS_key_exchange_SigList_Serialization.bin b/src/Boot/EFI/siglists/DCS_key_exchange_SigList_Serialization.bin
new file mode 100644
index 00000000..1cffcf0c
Binary files /dev/null and b/src/Boot/EFI/siglists/DCS_key_exchange_SigList_Serialization.bin differ
diff --git a/src/Boot/EFI/siglists/DCS_key_exchange_SigList_Serialization.bin.p7 b/src/Boot/EFI/siglists/DCS_key_exchange_SigList_Serialization.bin.p7
new file mode 100644
index 00000000..1e9d29ae
Binary files /dev/null and b/src/Boot/EFI/siglists/DCS_key_exchange_SigList_Serialization.bin.p7 differ
diff --git a/src/Boot/EFI/siglists/DCS_platform_SigList.bin b/src/Boot/EFI/siglists/DCS_platform_SigList.bin
new file mode 100644
index 00000000..0b6d7e12
Binary files /dev/null and b/src/Boot/EFI/siglists/DCS_platform_SigList.bin differ
diff --git a/src/Boot/EFI/siglists/DCS_platform_SigList_Serialization.bin b/src/Boot/EFI/siglists/DCS_platform_SigList_Serialization.bin
new file mode 100644
index 00000000..e8fbf79a
Binary files /dev/null and b/src/Boot/EFI/siglists/DCS_platform_SigList_Serialization.bin differ
diff --git a/src/Boot/EFI/siglists/DCS_platform_SigList_Serialization.bin.p7 b/src/Boot/EFI/siglists/DCS_platform_SigList_Serialization.bin.p7
new file mode 100644
index 00000000..19cb86db
Binary files /dev/null and b/src/Boot/EFI/siglists/DCS_platform_SigList_Serialization.bin.p7 differ
diff --git a/src/Boot/EFI/siglists/DCS_sign_SigList.bin b/src/Boot/EFI/siglists/DCS_sign_SigList.bin
new file mode 100644
index 00000000..9a3f568b
Binary files /dev/null and b/src/Boot/EFI/siglists/DCS_sign_SigList.bin differ
diff --git a/src/Boot/EFI/siglists/DCS_sign_SigList_Serialization.bin b/src/Boot/EFI/siglists/DCS_sign_SigList_Serialization.bin
new file mode 100644
index 00000000..de58d77d
Binary files /dev/null and b/src/Boot/EFI/siglists/DCS_sign_SigList_Serialization.bin differ
diff --git a/src/Boot/EFI/siglists/DCS_sign_SigList_Serialization.bin.p7 b/src/Boot/EFI/siglists/DCS_sign_SigList_Serialization.bin.p7
new file mode 100644
index 00000000..01753a8b
Binary files /dev/null and b/src/Boot/EFI/siglists/DCS_sign_SigList_Serialization.bin.p7 differ
diff --git a/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList.bin b/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList.bin
new file mode 100644
index 00000000..413ccab9
Binary files /dev/null and b/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList.bin differ
diff --git a/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin b/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin
new file mode 100644
index 00000000..735d9626
Binary files /dev/null and b/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin differ
diff --git a/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7 b/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7
new file mode 100644
index 00000000..ed8cefda
Binary files /dev/null and b/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7 differ
diff --git a/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList.bin b/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList.bin
new file mode 100644
index 00000000..ac542ca0
Binary files /dev/null and b/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList.bin differ
diff --git a/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin b/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin
new file mode 100644
index 00000000..9138dae9
Binary files /dev/null and b/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin differ
diff --git a/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7 b/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7
new file mode 100644
index 00000000..b08c60a3
Binary files /dev/null and b/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7 differ
-- 
cgit v1.2.3