File ovmf-Revert-OvmfPkg-RiscVVirt-Add-SecureBootDefaultKeysIn.patch of Package ovmf
From 96eb23c5556ed28d2242669bed9eb818285251b6 Mon Sep 17 00:00:00 2001
From: Richard Lyu <richard.lyu@suse.com>
Date: Wed, 17 Dec 2025 11:35:31 +0800
Subject: [PATCH] Revert "OvmfPkg/RiscVVirt: Add SecureBootDefaultKeysInit
module."
This reverts commit 35a3ceb882b57da0964c8b4a038e8808b3dc2b13.
---
.../SecureBootDefaultKeysInit.c | 643 ------------------
.../SecureBootDefaultKeysInit.inf | 49 --
OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc | 2 +-
OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf | 18 -
4 files changed, 1 insertion(+), 711 deletions(-)
delete mode 100644 OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.c
delete mode 100644 OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf
diff --git a/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.c b/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.c
deleted file mode 100644
index 037174dc6a..0000000000
--- a/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.c
+++ /dev/null
@@ -1,643 +0,0 @@
-/** @file
- This driver init default Secure Boot variables
-
- Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
- (C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
- Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
- Copyright (c) 2021, Semihalf All rights reserved.<BR>
- Copyright (c) 2021, Ampere Computing LLC. All rights reserved.<BR>
- Copyright (C) 2023-2025 Advanced Micro Devices, Inc. All rights reserved.
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include <Uefi.h>
-#include <UefiSecureBoot.h>
-#include <Library/BaseLib.h>
-#include <Library/BaseMemoryLib.h>
-#include <Library/DebugLib.h>
-#include <Library/DxeServicesLib.h>
-#include <Library/MemoryAllocationLib.h>
-#include <Library/UefiBootServicesTableLib.h>
-#include <Library/UefiRuntimeServicesTableLib.h>
-#include <Library/UefiLib.h>
-#include <Guid/AuthenticatedVariableFormat.h>
-#include <Guid/ImageAuthentication.h>
-#include <Library/SecureBootVariableLib.h>
-#include <Library/SecureBootVariableProvisionLib.h>
-
-/**
- Set PKDefault Variable.
-
- @param[in] X509Data X509 Certificate data.
- @param[in] X509DataSize X509 Certificate data size.
-
- @retval EFI_SUCCESS PKDefault is set successfully.
-
-**/
-EFI_STATUS
-SetPkDefault (
- IN UINT8 *X509Data,
- IN UINTN X509DataSize
- )
-{
- EFI_STATUS Status;
- UINT32 Attr;
- UINTN DataSize;
- EFI_SIGNATURE_LIST *PkCert;
- EFI_SIGNATURE_DATA *PkCertData;
-
- PkCert = NULL;
-
- //
- // Allocate space for PK certificate list and initialize it.
- // Create PK database entry with SignatureHeaderSize equals 0.
- //
- PkCert = (EFI_SIGNATURE_LIST *)AllocateZeroPool (
- sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1
- + X509DataSize
- );
- if (PkCert == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __func__, Status));
- goto ON_EXIT;
- }
-
- PkCert->SignatureListSize = (UINT32)(sizeof (EFI_SIGNATURE_LIST)
- + sizeof (EFI_SIGNATURE_DATA) - 1
- + X509DataSize);
- PkCert->SignatureSize = (UINT32)(sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- PkCert->SignatureHeaderSize = 0;
- CopyGuid (&PkCert->SignatureType, &gEfiCertX509Guid);
- PkCertData = (EFI_SIGNATURE_DATA *)((UINTN)PkCert
- + sizeof (EFI_SIGNATURE_LIST)
- + PkCert->SignatureHeaderSize);
- CopyGuid (&PkCertData->SignatureOwner, &gEfiGlobalVariableGuid);
- //
- // Fill the PK database with PKpub data from X509 certificate file.
- //
- CopyMem (&(PkCertData->SignatureData[0]), X509Data, X509DataSize);
-
- Attr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS;
- DataSize = PkCert->SignatureListSize;
-
- Status = gRT->SetVariable (
- EFI_PK_DEFAULT_VARIABLE_NAME,
- &gEfiGlobalVariableGuid,
- Attr,
- DataSize,
- PkCert
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __func__, Status));
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- if (PkCert != NULL) {
- FreePool (PkCert);
- }
-
- return Status;
-}
-
-/**
- Set KDKDefault Variable.
-
- @param[in] X509Data X509 Certificate data.
- @param[in] X509DataSize X509 Certificate data size.
-
- @retval EFI_SUCCESS KEKDefault is set successfully.
-
-**/
-EFI_STATUS
-SetKekDefault (
- IN UINT8 *X509Data,
- IN UINTN X509DataSize
- )
-{
- EFI_STATUS Status;
- EFI_SIGNATURE_DATA *KEKSigData;
- EFI_SIGNATURE_LIST *KekSigList;
- UINTN DataSize;
- UINTN KekSigListSize;
- UINT32 Attr;
-
- KekSigList = NULL;
- KekSigListSize = 0;
- DataSize = 0;
- KEKSigData = NULL;
-
- KekSigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize;
- KekSigList = (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSize);
- if (KekSigList == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __func__, Status));
- goto ON_EXIT;
- }
-
- //
- // Fill Certificate Database parameters.
- //
- KekSigList->SignatureListSize = (UINT32)KekSigListSize;
- KekSigList->SignatureHeaderSize = 0;
- KekSigList->SignatureSize = (UINT32)(sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid);
-
- KEKSigData = (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&KEKSigData->SignatureOwner, &gEfiGlobalVariableGuid);
- CopyMem (KEKSigData->SignatureData, X509Data, X509DataSize);
-
- //
- // Check if KEK been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new kek to original variable
- //
- Attr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS;
-
- Status = gRT->GetVariable (
- EFI_KEK_DEFAULT_VARIABLE_NAME,
- &gEfiGlobalVariableGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot get the value of KEK: %r\n", __func__, Status));
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable (
- EFI_KEK_DEFAULT_VARIABLE_NAME,
- &gEfiGlobalVariableGuid,
- Attr,
- KekSigListSize,
- KekSigList
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __func__, Status));
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- if (KekSigList != NULL) {
- FreePool (KekSigList);
- }
-
- return Status;
-}
-
-/**
- Checks if the file content complies with EFI_VARIABLE_AUTHENTICATION_2 format
-
- @param[in] Data Data.
- @param[in] DataSize Data size.
-
- @retval TRUE The content is EFI_VARIABLE_AUTHENTICATION_2 format.
- @retval FALSE The content is NOT a EFI_VARIABLE_AUTHENTICATION_2 format.
-
-**/
-BOOLEAN
-IsAuthentication2Format (
- IN UINT8 *Data,
- IN UINTN DataSize
- )
-{
- EFI_VARIABLE_AUTHENTICATION_2 *Auth2;
- BOOLEAN IsAuth2Format;
-
- IsAuth2Format = FALSE;
-
- Auth2 = (EFI_VARIABLE_AUTHENTICATION_2 *)Data;
- if (Auth2->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) {
- goto ON_EXIT;
- }
-
- if (CompareGuid (&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType)) {
- IsAuth2Format = TRUE;
- }
-
-ON_EXIT:
-
- return IsAuth2Format;
-}
-
-/**
- Set signature database with the data of EFI_VARIABLE_AUTHENTICATION_2 format.
-
- @param[in] AuthData AUTHENTICATION_2 data.
- @param[in] AuthDataSize AUTHENTICATION_2 data size.
- @param[in] VariableName Variable name of signature database, must be
- EFI_DB_DEFAULT_VARIABLE_NAME or EFI_DBX_DEFAULT_VARIABLE_NAME or EFI_DBT_DEFAULT_VARIABLE_NAME.
-
- @retval EFI_SUCCESS New signature is set successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported command.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-SetAuthentication2ToSigDb (
- IN UINT8 *AuthData,
- IN UINTN AuthDataSize,
- IN CHAR16 *VariableName
- )
-{
- EFI_STATUS Status;
- UINTN DataSize;
- UINT32 Attr;
- UINT8 *Data;
-
- Attr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS;
-
- //
- // Check if SigDB variable has been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new signature data to original variable
- //
- DataSize = 0;
- Status = gRT->GetVariable (
- VariableName,
- &gEfiGlobalVariableGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot get the value of signature database: %r\n", __func__, Status));
- return Status;
- }
-
- //
- // Ignore AUTHENTICATION_2 region. Only the actual certificate is needed.
- //
- DataSize = AuthDataSize - ((EFI_VARIABLE_AUTHENTICATION_2 *)AuthData)->AuthInfo.Hdr.dwLength - sizeof (EFI_TIME);
- Data = AuthData + (AuthDataSize - DataSize);
-
- Status = gRT->SetVariable (
- VariableName,
- &gEfiGlobalVariableGuid,
- Attr,
- DataSize,
- Data
- );
-
- return Status;
-}
-
-/**
-
- Set signature database with the data of X509 format.
-
- @param[in] X509Data X509 Certificate data.
- @param[in] X509DataSize X509 Certificate data size.
- @param[in] VariableName Variable name of signature database, must be
- EFI_DB_DEFAULT_VARIABLE_NAME or EFI_DBX_DEFAULT_VARIABLE_NAME or EFI_DBT_DEFAULT_VARIABLE_NAME.
- @param[in] SignatureOwnerGuid Guid of the signature owner.
-
- @retval EFI_SUCCESS New X509 is enrolled successfully.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-SetX509ToSigDb (
- IN UINT8 *X509Data,
- IN UINTN X509DataSize,
- IN CHAR16 *VariableName,
- IN EFI_GUID *SignatureOwnerGuid
- )
-{
- EFI_STATUS Status;
- EFI_SIGNATURE_LIST *SigDBCert;
- EFI_SIGNATURE_DATA *SigDBCertData;
- VOID *Data;
- UINTN DataSize;
- UINTN SigDBSize;
- UINT32 Attr;
-
- SigDBSize = 0;
- DataSize = 0;
- SigDBCert = NULL;
- SigDBCertData = NULL;
- Data = NULL;
-
- SigDBSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize;
- Data = AllocateZeroPool (SigDBSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- DEBUG ((DEBUG_ERROR, "%a: Cannot allocate memory: %r\n", __func__, Status));
- goto ON_EXIT;
- }
-
- //
- // Fill Certificate Database parameters.
- //
- SigDBCert = (EFI_SIGNATURE_LIST *)Data;
- SigDBCert->SignatureListSize = (UINT32)SigDBSize;
- SigDBCert->SignatureHeaderSize = 0;
- SigDBCert->SignatureSize = (UINT32)(sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- CopyGuid (&SigDBCert->SignatureType, &gEfiCertX509Guid);
-
- SigDBCertData = (EFI_SIGNATURE_DATA *)((UINT8 *)SigDBCert + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&SigDBCertData->SignatureOwner, SignatureOwnerGuid);
- CopyMem ((UINT8 *)(SigDBCertData->SignatureData), X509Data, X509DataSize);
-
- //
- // Check if signature database entry has been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new signature data to original variable
- //
- Attr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS;
-
- Status = gRT->GetVariable (
- VariableName,
- &gEfiGlobalVariableGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable (
- VariableName,
- &gEfiGlobalVariableGuid,
- Attr,
- SigDBSize,
- Data
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot set signature database: %r\n", __func__, Status));
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- if (Data != NULL) {
- FreePool (Data);
- }
-
- return Status;
-}
-
-/**
-
- Set signature database.
-
- @param[in] Data Data.
- @param[in] DataSize Data size.
- @param[in] VariableName Variable name of signature database, must be
- EFI_DB_DEFAULT_VARIABLE_NAME or EFI_DBX_DEFAULT_VARIABLE_NAME or EFI_DBT_DEFAULT_VARIABLE_NAME.
- @param[in] SignatureOwnerGuid Guid of the signature owner.
-
- @retval EFI_SUCCESS Signature is set successfully.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-SetSignatureDatabase (
- IN UINT8 *Data,
- IN UINTN DataSize,
- IN CHAR16 *VariableName,
- IN EFI_GUID *SignatureOwnerGuid
- )
-{
- if (IsAuthentication2Format (Data, DataSize)) {
- return SetAuthentication2ToSigDb (Data, DataSize, VariableName);
- } else {
- return SetX509ToSigDb (Data, DataSize, VariableName, SignatureOwnerGuid);
- }
-}
-
-/** Initializes PKDefault variable with data from FFS section.
-
- @retval EFI_SUCCESS Variable was initialized successfully.
- @retval EFI_UNSUPPORTED Variable already exists.
-**/
-EFI_STATUS
-InitPkDefault (
- IN VOID
- )
-{
- EFI_STATUS Status;
- UINT8 *Data;
- UINTN DataSize;
-
- //
- // Check if variable exists, if so do not change it
- //
- Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
- if (Status == EFI_SUCCESS) {
- DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));
- FreePool (Data);
- return EFI_UNSUPPORTED;
- }
-
- //
- // Variable does not exist, can be initialized
- //
- DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));
-
- //
- // Enroll default PK.
- //
- Status = GetSectionFromFv (
- &gDefaultPKFileGuid,
- EFI_SECTION_RAW,
- 0,
- (VOID **)&Data,
- &DataSize
- );
- if (!EFI_ERROR (Status)) {
- SetPkDefault (Data, DataSize);
- }
-
- return EFI_SUCCESS;
-}
-
-/** Initializes KEKDefault variable with data from FFS section.
-
- @retval EFI_SUCCESS Variable was initialized successfully.
- @retval EFI_UNSUPPORTED Variable already exists.
-**/
-EFI_STATUS
-InitKekDefault (
- IN VOID
- )
-{
- EFI_STATUS Status;
- UINTN Index;
- UINT8 *Data;
- UINTN DataSize;
-
- //
- // Check if variable exists, if so do not change it
- //
- Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
- if (Status == EFI_SUCCESS) {
- DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
- FreePool (Data);
- return EFI_UNSUPPORTED;
- }
-
- Index = 0;
- do {
- Status = GetSectionFromFv (
- &gDefaultKEKFileGuid,
- EFI_SECTION_RAW,
- Index,
- (VOID **)&Data,
- &DataSize
- );
- if (!EFI_ERROR (Status)) {
- SetKekDefault (Data, DataSize);
- Index++;
- }
- } while (Status == EFI_SUCCESS);
-
- return EFI_SUCCESS;
-}
-
-/** Initializes dbDefault variable with data from FFS section.
-
- @retval EFI_SUCCESS Variable was initialized successfully.
- @retval EFI_UNSUPPORTED Variable already exists.
-**/
-EFI_STATUS
-InitDbDefault (
- IN VOID
- )
-{
- EFI_STATUS Status;
- UINTN Index;
- UINT8 *Data;
- UINTN DataSize;
-
- Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
- if (Status == EFI_SUCCESS) {
- DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));
- FreePool (Data);
- return EFI_UNSUPPORTED;
- }
-
- DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));
-
- Index = 0;
- do {
- Status = GetSectionFromFv (
- &gDefaultdbFileGuid,
- EFI_SECTION_RAW,
- Index,
- (VOID **)&Data,
- &DataSize
- );
- if (!EFI_ERROR (Status)) {
- SetSignatureDatabase (Data, DataSize, EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid);
- Index++;
- }
- } while (Status == EFI_SUCCESS);
-
- return EFI_SUCCESS;
-}
-
-/** Initializes dbxDefault variable with data from FFS section.
-
- @retval EFI_SUCCESS Variable was initialized successfully.
- @retval EFI_UNSUPPORTED Variable already exists.
-**/
-EFI_STATUS
-InitDbxDefault (
- IN VOID
- )
-{
- EFI_STATUS Status;
- UINTN Index;
- UINT8 *Data;
- UINTN DataSize;
-
- //
- // Check if variable exists, if so do not change it
- //
- Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
- if (Status == EFI_SUCCESS) {
- DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
- FreePool (Data);
- return EFI_UNSUPPORTED;
- }
-
- //
- // Variable does not exist, can be initialized
- //
- DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
-
- Index = 0;
- do {
- Status = GetSectionFromFv (
- &gDefaultdbxFileGuid,
- EFI_SECTION_RAW,
- Index,
- (VOID **)&Data,
- &DataSize
- );
- if (!EFI_ERROR (Status)) {
- SetSignatureDatabase (Data, DataSize, EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid);
- Index++;
- }
- } while (Status == EFI_SUCCESS);
-
- return EFI_SUCCESS;
-}
-
-/**
- Initializes default SecureBoot certificates with data from FFS section.
-
- @param[in] ImageHandle The firmware allocated handle for the EFI image.
- @param[in] SystemTable A pointer to the EFI System Table.
-
- @retval EFI_SUCCESS Variable was initialized successfully.
-**/
-EFI_STATUS
-EFIAPI
-SecureBootDefaultKeysInitEntry (
- IN EFI_HANDLE ImageHandle,
- IN EFI_SYSTEM_TABLE *SystemTable
- )
-{
- EFI_STATUS Status;
-
- Status = InitPkDefault ();
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __func__, Status));
- return Status;
- }
-
- Status = InitKekDefault ();
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __func__, Status));
- return Status;
- }
-
- Status = InitDbDefault ();
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n", __func__, Status));
- return Status;
- }
-
- Status = InitDbxDefault ();
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbxDefault: %r\n", __func__, Status));
- return Status;
- }
-
- return EFI_SUCCESS;
-}
diff --git a/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf b/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf
deleted file mode 100644
index 0127841733..0000000000
--- a/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf
+++ /dev/null
@@ -1,49 +0,0 @@
-## @file
-# Initializes Secure Boot default keys
-#
-# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
-# Copyright (c) 2021, Semihalf All rights reserved.<BR>
-# Copyright (C) 2023-2025 Advanced Micro Devices, Inc. All rights reserved.
-#
-# SPDX-License-Identifier: BSD-2-Clause-Patent
-#
-##
-
-[Defines]
- INF_VERSION = 1.29
- BASE_NAME = SecureBootDefaultKeysInit
- FILE_GUID = 384D1860-7306-11F0-B8B4-F53A5CB787AC
- MODULE_TYPE = DXE_DRIVER
- VERSION_STRING = 1.0
- ENTRY_POINT = SecureBootDefaultKeysInitEntry
-
-[Sources]
- SecureBootDefaultKeysInit.c
-
-[Packages]
- MdeModulePkg/MdeModulePkg.dec
- MdePkg/MdePkg.dec
- SecurityPkg/SecurityPkg.dec
-
-[LibraryClasses]
- DebugLib
- DxeServicesLib
- SecureBootVariableLib
- SecureBootVariableProvisionLib
- UefiBootServicesTableLib
- UefiDriverEntryPoint
-
-[Guids]
- gDefaultdbFileGuid
- gDefaultdbxFileGuid
- gDefaultKEKFileGuid
- gDefaultPKFileGuid
- gEfiCertPkcs7Guid
- gEfiCertX509Guid
- gEfiCustomModeEnableGuid
- gEfiImageSecurityDatabaseGuid
- gEfiSecureBootEnableDisableGuid
-
-[Depex]
- gEfiVariableArchProtocolGuid AND
- gEfiVariableWriteArchProtocolGuid
diff --git a/OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc b/OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc
index a7c4f842bb..0c1162b845 100644
--- a/OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc
+++ b/OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc
@@ -392,7 +392,7 @@
!endif
}
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
- OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf
+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
!else
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
!endif
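Review bot: The added component line `OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf` is built but, going by the RiscVVirtQemu.fdf hunk of this same patch, never placed in the firmware image. That hunk removes the SecureBootDefaultKeysInit INF and the four FREEFORM PK/KEK/db/dbx files and adds no replacement. From the visible lines, a `SECURE_BOOT_ENABLE` build no longer provisions PKDefault, KEKDefault, dbDefault or dbxDefault at boot, so the image presumably carries no default keys until a separate step enrolls them; confirm this against how the package provisions its variable store. I would document that next to the new line, for example `# Built only, not included in the FD: default Secure Boot keys are not embedded and must be enrolled separately`. The enclosing `!if` block starts outside the hunk.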
diff --git a/OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf b/OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf
index 1f37eb6894..a71ce1ae0b 100644
--- a/OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf
+++ b/OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf
@@ -89,24 +89,6 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
!endif
!if $(SECURE_BOOT_ENABLE) == TRUE
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
- INF OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf
-
- FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 {
- SECTION RAW = OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootKeys/PK/PK.cer
- }
-
- FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 {
- SECTION RAW = OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootKeys/KEK/MicCorKEKCA2011_2011-06-24.crt
- }
-
- FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 {
- SECTION RAW = OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootKeys/db/MicWinProPCA2011_2011-10-19.crt
- SECTION RAW = OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootKeys/db/MicCorUEFCA2011_2011-06-27.crt
- }
-
- FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f {
- SECTION RAW = OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootKeys/dbx/dbxupdate_x64.bin
- }
!endif
INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
INF MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf
--
2.51.0