authorJan Setje-Eilers <jan.setjeeilers@oracle.com>2023-04-28 19:54:14 -0700
committerPeter Jones <pjones@redhat.com>2023-12-05 13:20:00 -0500
commit7dfb6871b8a54710d9e9d8d56146e7c083d2e6a8 (patch)
tree529953a0f0b0031ed1ce5105f1b1279a259ef27a /include
parentb078ef274887a4cc0da64fd6668800d1e24a2871 (diff)
BS Variables for bootmgr revocations
This adds support for applying SkuSiPolicy UEFI BS variables. These variables are needed for non-dbx based Windows revocations and are described here: https://support.microsoft.com/en-us/topic/kb5027455-guidance-for-blocking-vulnerable-windows-boot-managers-522bb851-0a61-44ad-aa94-ad11119c5e91 Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
Diffstat (limited to 'include')
-rw-r--r--include/guid.h1
-rw-r--r--include/sbat.h10
-rw-r--r--include/sbat_var_defs.h1
-rw-r--r--include/ssp.h14
-rw-r--r--include/ssp_var_defs.h19
5 files changed, 40 insertions, 5 deletions
diff --git a/include/guid.h b/include/guid.h
index dad63f0f..898c4fad 100644
--- a/include/guid.h
+++ b/include/guid.h
@@ -37,5 +37,6 @@ extern EFI_GUID SECURITY2_PROTOCOL_GUID;
extern EFI_GUID EFI_MEMORY_ATTRIBUTE_PROTOCOL_GUID;
extern EFI_GUID SHIM_LOCK_GUID;
extern EFI_GUID MOK_VARIABLE_STORE;
+extern EFI_GUID SECUREBOOT_EFI_NAMESPACE_GUID;
#endif /* SHIM_GUID_H */
diff --git a/include/sbat.h b/include/sbat.h
index 84f5ef01..af4c1a8f 100644
--- a/include/sbat.h
+++ b/include/sbat.h
@@ -30,11 +30,13 @@
#define SBAT_POLICY L"SbatPolicy"
#define SBAT_POLICY8 "SbatPolicy"
+#define SSP_POLICY L"SSPPolicy"
+#define SSP_POLICY8 "SSPPolicy"
-#define SBAT_POLICY_LATEST 1
-#define SBAT_POLICY_PREVIOUS 2
-#define SBAT_POLICY_RESET 3
-#define SBAT_POLICY_NOTREAD 255
+#define POLICY_LATEST 1
+#define POLICY_PREVIOUS 2
+#define POLICY_RESET 3
+#define POLICY_NOTREAD 255
extern UINTN _sbat, _esbat;
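Review bot: The rename of `SBAT_POLICY_LATEST`/`SBAT_POLICY_PREVIOUS`/`SBAT_POLICY_RESET`/`SBAT_POLICY_NOTREAD` to unprefixed `POLICY_*` removes the old names with no compatibility aliases, so any out-of-tree caller or downstream patch still using `SBAT_POLICY_LATEST` stops compiling, and `POLICY_LATEST` is a very generic identifier to claim from a global header. If the intent is that the four values are now shared by the SbatPolicy and the new SSPPolicy variable, say so where they are defined: `/* Values shared by the SbatPolicy and SSPPolicy variables. */`. Keeping `#define SBAT_POLICY_LATEST POLICY_LATEST` (and the same for the other three) would let old users keep building while the new names are adopted.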
diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
index 2ea98e4e..772df972 100644
--- a/include/sbat_var_defs.h
+++ b/include/sbat_var_defs.h
@@ -42,5 +42,4 @@
SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
SBAT_VAR_LATEST_REVOCATIONS
#endif /* ENABLE_SHIM_DEVEL */
-
#endif /* !SBAT_VAR_DEFS_H_ */
diff --git a/include/ssp.h b/include/ssp.h
new file mode 100644
index 00000000..f25590c6
--- /dev/null
+++ b/include/ssp.h
@@ -0,0 +1,14 @@
+#ifndef SSP_H_
+#define SSP_H_
+
+#define SSPVER_VAR_NAME L"SkuSiPolicyVersion"
+#define SSPSIG_VAR_NAME L"SkuSiPolicyUpdateSigners"
+#define SSP_VAR_ATTRS UEFI_VAR_NV_BS
+
+#define SSPVER_SIZE 8
+#define SSPSIG_SIZE 131
+
+EFI_STATUS set_ssp_uefi_variable_internal(void);
+EFI_STATUS set_ssp_uefi_variable(uint8_t*, uint8_t*, uint8_t*, uint8_t*);
+
+#endif /* !SSP_H_ */
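Review bot: The prototype `EFI_STATUS set_ssp_uefi_variable(uint8_t*, uint8_t*, uint8_t*, uint8_t*);` gives four unnamed `uint8_t*` parameters, so a caller cannot tell from the header which argument is the version blob, which is the signers blob, or what the remaining two carry, and none is `const` even though the data presumably comes from fixed tables. Name the parameters in the declaration and put a one-line comment above each function stating which variables it writes (the `SSPVER_VAR_NAME` and `SSPSIG_VAR_NAME` names with `SSP_VAR_ATTRS`); I cannot recover the parameter roles from the headers alone, so the names have to come from the definition. `SSPVER_SIZE 8` and `SSPSIG_SIZE 131` are also free-standing numbers that must be kept in sync with the array initializers in ssp_var_defs.h by hand; wherever both are visible, `_Static_assert(sizeof(SkuSiPolicyUpdateSigners) == SSPSIG_SIZE, "SSPSIG_SIZE mismatch");` (and the same for the version array) would catch any drift at compile time.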
diff --git a/include/ssp_var_defs.h b/include/ssp_var_defs.h
new file mode 100644
index 00000000..4bfad878
--- /dev/null
+++ b/include/ssp_var_defs.h
@@ -0,0 +1,19 @@
+/*
+ * variable definitions to enable bootmgr self revocation
+ */
+#ifndef SSP_VAR_DEFS_H_
+#define SSP_VAR_DEFS_H_
+
+uint8_t SkuSiPolicyVersion[] = { 0x2,0x0,0x0,0x0,0x0,0x0,0x2,0x0 };
+uint8_t SkuSiPolicyUpdateSigners[] = {
+0x01,0x00,0x00,0x00,0x06,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
+0x0b,0x00,0x00,0x00,0xd0,0x91,0x73,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,
+0x00,0x00,0x00,0x00,0x54,0xa6,0x78,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,
+0x00,0x00,0x00,0x00,0x5c,0xa6,0x78,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,
+0x00,0x00,0x00,0x00,0x64,0xa6,0x78,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+0x00,0x00,0x00,0x00,0x0a,0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x0a,0x03,0x06,0x00,
+0x00,0x00,0x00 };
+
+#endif /* !SSP_VAR_DEFS_H_ */
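Review bot: `uint8_t SkuSiPolicyVersion[]` and `uint8_t SkuSiPolicyUpdateSigners[]` are defined, not declared, in a header, with external linkage and no `const`, so every translation unit that includes ssp_var_defs.h emits its own definition and a second include anywhere in the tree produces duplicate-symbol link errors; the policy bytes also sit in writable memory inside a boot loader. Declare them `static const uint8_t SkuSiPolicyVersion[] = { ... };` and `static const uint8_t SkuSiPolicyUpdateSigners[] = { ... };`, adjusting the setter's `uint8_t *` parameters to `const uint8_t *` if the arrays are passed straight through. The 131-byte blob carries no explanation of its layout; a comment describing the fields would help whoever has to update it when a new revocation is published, for instance that the trailing `0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x0a,0x03,0x06` appears to be the DER encoding of OID 1.3.6.1.4.1.311.10.3.6, with the overall structure to be confirmed against the KB5027455 article the commit message links. The header also relies on `uint8_t` already being in scope without including anything itself, which is worth stating in the file comment.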