Initial port of contents

.github/dependabot.yml

@@ -0,0 +1,24 @@
+## @file
+# Dependabot configuration file to enable GitHub services for managing and updating
+# dependencies.
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+##
+version: 2
+updates:
+  - package-ecosystem: "pip" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "01:00"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "01:00"

.github/workflows/prepare-binaries.yml

@@ -0,0 +1,68 @@
+# This workflow call is responsible for building the secure boot binaries and
+# uploading them as a build artifact. This is for PR Checks.
+#
+# If the workflow call is triggered by a release, (i.e. a tag push), then it
+# will additionally archive them (zip, tar.gz) and upload the archives to the
+# release as an asset.
+#
+# NOTE: The GITHUB_TOKEN is used by the action-gh-release@v1 action to upload
+#       the archives to the release, and thus must have Read and Write
+#       permissions.
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+name: Prepare Secure Boot Binaries
+on:
+  push:
+    branches: [ "main" ]
+  pull_request_target:
+    branches: [ "main" ]
+  release:
+    types: [published]
+
+jobs:
+  build:
+    name: Build
+
+    permissions:
+        actions: write
+        contents: write
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout Self
+      uses: actions/checkout@v3
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: 3.11
+        cache: 'pip'
+
+    - name: Install Pip Dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -r requirements.txt
+
+    - name: Run Ruff Checks
+      run: ruff check scripts --format=github
+
+    - name: Build Intel / ARM Binaries
+      run: python scripts/secure_boot_default_keys.py --keystore keystore/keystore.toml -o Artifacts
+
+    - name: Upload Binaries as Artifact
+      uses: actions/upload-artifact@v3
+      with:
+        name: Binaries
+        path: Artifacts/
+
+    - name: Prepare Release Artifacts
+      run: python scripts/prepare.py Artifacts --output ReleaseArtifacts --version ${{ github.event.release.tag_name }}
+      if: startsWith(github.ref, 'refs/tags/')
+
+    - name: Upload Release Artifacts
+      uses: softprops/action-gh-release@v1
+      if: startsWith(github.ref, 'refs/tags/')
+      with:
+        files: ReleaseArtifacts/*

.gitignore

@@ -1,3 +1,6 @@
-Artifacts/*
+**/*.zip
+**/*.tar.gz
+**/*.bin
+**/README.md
 Pipfile
 .ruff_cache/*

Readme.md

@@ -1,3 +1,110 @@
 # Secure Boot Objects
 
-This repository is used to hold the secure boot objects recommended by Microsoft such as the KEK, DB, and DBX.
+This repository is used to hold the secure boot objects recommended by
+Microsoft to use as the default KEK, DB, and DBX variables. This repository
+utilizes a script (`scripts/secure_boot_default_keys.py`) to generate the
+binary blobs based off of the `keystore.toml` configuration file.
+
+On a release github release, the script is run and the generated binaries are
+bundled, zipped, and attached to the release so that they can be consumed by
+platforms.
+
+## Transparency
+
+By Keeping the contents of the KeK, Db, and Dbx in a human readable form in
+this repository, it enables developers to easily review the contents and make
+changes as needed. This also enables an easy way for the KeK, Db, and (mainly)
+the Dbx to be updated transparently and then consumed by any platform!
+
+## Platform Consumption
+
+The secure boot binary objects are formatted to the expected EDKII data
+structures to enable simple integration into any platform. Please refer to
+[SecureBootKeyStoreLibOem](https://github.com/microsoft/mu_oem_sample/tree/release/202302/OemPkg/Library/SecureBootKeyStoreLibOem)
+to see one example on how to easily integrate these binaries into your
+platform. The EDKII build system even supports easily appending to the default
+values suggested by Microsoft!
+
+This is just one suggested way of consuming the binary objects. There are of
+course plenty of others, such as storing them as a Freeform Ffs file in an
+FV.
+
+## secure_boot_default_keys.py
+
+This script ingests a configuration file and generates binary blobs for each
+table specified in the configuration file.
+
+``` cmd
+usage: secure_boot_default_keys.py [-h] --keystore KEYSTORE [-o OUTPUT]
+
+Build the default keys for secure boot.
+
+options:
+  -h, --help            show this help message and exit
+  --keystore KEYSTORE   A json file containing the keys mapped to certificates and
+                        hashes.
+  -o OUTPUT, --output OUTPUT
+                        The output directory for the default keys.
+```
+
+## Configuration File
+
+A configuration file must be provided to the script to generate the binary
+information. The script generates a binary blob for each table entry in the
+toml file (a table is each `[]` in the toml file) and for each supported
+architecture (Currently Intel, ARM). We also generate a readme for each
+architecture to provide information about the files inside each binary blob
+
+That is to say, if you define a toml file similar to this:
+
+```toml
+[MyCustomKek]
+
+[MyCustomDb]
+
+[MyCustomDbx]
+```
+
+Binary blobs will be created with the following folder structure:
+
+``` cmd
+Artifacts
+├── Aarch64
+│   ├── MyCustomKek.bin
+│   ├── MyCustomDb.bin
+│   ├── MyCustomDbx.bin
+│   └── README.md
+├── Arm
+│   ├── MyCustomKek.bin
+│   ├── MyCustomDb.bin
+│   ├── MyCustomDbx.bin
+│   └── README.md
+├── Ia32
+│   ├── MyCustomKek.bin
+│   ├── MyCustomDb.bin
+│   ├── MyCustomDbx.bin
+│   └── README.md
+└── X64
+    ├── MyCustomKek.bin
+    ├── MyCustomDb.bin
+    ├── MyCustomDbx.bin
+    └── README.md
+```
+
+For each table in the toml file, the script supports the following entries:
+
+1. `help (Optional<str>)`: A short blob of information to be added to the
+   readme for that table entry.
+2. `arch (Optional<str>)`: The architecture (Intel, ARM) the blob should be
+   generated for. Defaults to all.
+3. `file (list<File>)`: A list of files to include in the binary blob (.crt,
+   .csv). This has additional config described below
+4. `signature_owner (Optional<str>)`: The GUID of the signature owner.
+
+For each file in the toml file, the script supports the following entries:
+
+1. `path (str)`: The local path to the file to include in the binary
+2. `url (Optional<str>)`: The url to where the file was downloaded from.
+   Included in the readme if provided
+3. `sha1 (Optional<str>)`: The sha1 hash of the file. Included in the readme
+   if provided.

keystore/Db/microsoft uefi ca 2023.crt

@@ -0,0 +1 @@
+MIIFpDCCA4ygAwIBAgITMwAAABY2vzaJnxV1zAAAAAAAFjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSswKQYDVQQDEyJNaWNyb3NvZnQgUlNBIERldmljZXMgUm9vdCBDQSAyMDIxMB4XDTIzMDYxMzE5MjE0N1oXDTM4MDYxMzE5MzE0N1owTjELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEfMB0GA1UEAxMWTWljcm9zb2Z0IFVFRkkgQ0EgMjAyMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL0iKq7vGjGFE3hRp5v9/HjRY7gam2P1EgbbS0E1am+r9WoEzJfPu9QICRphOg3ms6BG/wmt3oAk3BKA8l/ZFu3iQp3NL01hAmGKHEsdGGI5hpdxrT5/XXETS+kqAMG+1bcAn15lsiwa/3Tt6oPSOYkzNXN9oKL6QORmUFiq/IfoXCCDNOyr4gvFXz7/SCsRkSbvGG5XxZ8Yc5nv4Wp0K7svf1COHdo9drYE5cwuEMeDG4Oj5KUTE3FuM3ijqDzsSCZex8ZeDYeaqsxVNIGtnZD15pZjpugHIBfIkx7SrqTcrn1Zv4heYgyuW/IpQFYdJkDehaatVtHPVUd2X5w52wMCAwEAAaOCAW0wggFpMA4GA1UdDwEB/wQEAwIBhjAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQUgaprMkTJNbzg1mKK85gnQh4ySX0wGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBSERIYGAJg/LKqzxYnzrC7J5p0JAzBlBgNVHR8EXjBcMFqgWKBWhlRodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBSU0ElMjBEZXZpY2VzJTIwUm9vdCUyMENBJTIwMjAyMS5jcmwwcgYIKwYBBQUHAQEEZjBkMGIGCCsGAQUFBzAChlZodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFJTQSUyMERldmljZXMlMjBSb290JTIwQ0ElMjAyMDIxLmNydDANBgkqhkiG9w0BAQsFAAOCAgEAB2ATKlOHEg8a81oUlRfl2NeVVJuLDt2Rpe3HXUdQk0W3lYhfFxlBY3a1grCoxZ2ZFTaJSb4Swmb7gwywgc7lpKvCoJrr9Qc8/iH4mtwZIQyeJCzRXKIWCkvr7EicsVt02wFkwuOAaqsazXcbajmat7pwRP9nlMWBBvDLgQSTJyGZvYeIFJwicQ4LL1y+uJBUfMAevCubo1YXS5fn438TNPqwNGub9rIt99h72CDTXKeVTE8q+eceaK/8bI/Ihj2fyNHvTRrI0fb9LXzj6EHB6ifB+44lhlqJphC+zuOPpXvEGqDodZD9IbDBo8UWI148zi/+jJi/CFz2ucWyPLbMyOx/0nd0y+3zlsmLjRwqiQ+jj73OKoVGmiOij0LAmdbqhR9hGb4WNbd1oJWAZQaH1As1yMSqDs6iCmNgyksrXCcEgq8+WIN6WthnPxBT9QwW9yZLioC5xR+g3tjTYUQURaf1q5qIF/23lFQCi+S3U6E+jZ5QgqgA4HiUG76zxDAfsg7b8EaQweZX/nzBcLIcS2TZEAMbNPtmz4JunkCoETfyZYshCa88k2I987yD3T9VkBXSMa8R5/jKoILhuc+zV5PHVTesf0G/H5Y88yaU+djSVSSKirZB8OAWwCOSjHEKTGoNGVX3OpySIZah1fgKjJ2/yevKiEL8S7Tv/ycwIWE=

keystore/Db/windows uefi ca 2023.crt

@@ -0,0 +1 @@
+MIIFqjCCA5KgAwIBAgITMwAAABqIi5gAViKEwQAAAAAAGjANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTAwHhcNMjMwNjEzMTg1ODI5WhcNMzUwNjEzMTkwODI5WjBMMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR0wGwYDVQQDExRXaW5kb3dzIFVFRkkgQ0EgMjAyMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALyyNdFUebSPzIEqbrMS1pOXMHw4XL95khkKDy0K/r/gqNgyP9Krb2+BwU0XaUXPhYAno3yzMcylp035Q9BaL9cYG9JYlgU5o5W3vN15waDPj+JTHismYqgcrjYeT6HfuRO6DCW7JGVnAaodQRC3NsFrLrVsENNOltCfKqHx7aEVC4KVxf9jihO1kjQeMV5hEa5dzPEQ5kx5yXKyNIqCVi2rD3zAT5OOWXVBhqwJEAnyUWVQtfUhsyY5jarEkbPcrGQjBs01Xw1CSZxPDc6Ag4JZ/t9LROFAyD1jts+0Qg05XNJCEAwIwnTrHNxuvAqsmLvM+h48p4MWxdsC2tmW32sCAwEAAaOCAUYwggFCMA4GA1UdDwEB/wQEAwIBhjAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQUrvxfu74FXY+NqlhUc0mUF6taUnIwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDANBgkqhkiG9w0BAQsFAAOCAgEAn8m2/27hnDtV9v6LOd1hBG/QrWPNF3ZKqEOJjfjG8oxekOHkaKUV7LjTYAxAVx/7XjVyYd6XMWx5oPUWrksc7QEM7/dXD0IwGGn4oaMul5K4vhv+K4ZeQkIRj45wTZCn/QFj8mS/m+J7CIHPSfI3F9/x+XLTwx3DkEVN5oAGvf3lamnOs35OMVuEc6jocj8nNcl8IM4Am0/gTLQ2acv3NBERdBJ6qIwugWymUK0Z+qhGRW+xZ3PDa+NA6CppjyQQ4SlujRaI7o5/ZpMCb1ueBIzMgRytl1TxGC5+UpC8Ud4qDq5m6rxkbqCRZOQvEqi852u6xxubeRpkZvFDtNHDRiE4gXlM+vAxDdN5/3oSpR3Z3ayiD3GC95P/XKFhrmXyFIHteVqah+pge8uzT3U0yrqh76L2ooBFoYsngc3Vdzg+yk7dKOpYusWgKd6GjIj8lSdR3avT0FsNd8dsj1XX1KIOW+Q0RhQWHeMc1m2ZrUzscXMvq86ytCneVTBTOToyi/DqnIgSOwVoGb/Ph1IQ+9YTYPNBZPQIV4HLnRGljvTlJ/WjOuzkPUq3zvmIDZ+9ym3SSrxYdo4yBJRu3fTPbUdtwtdq3Idx6qS/72eXnLjHgDYqKlnJwAynRKBztYzPOFqu+LuGlfBErWZ6M+1x5EWHg+WnzqJA0HLSSAD6+Ro=