Keep LegacyFirmwareDefaults.toml around for legacy firmware builds

Flickdm · Flickdm · commit 127ef5fcbf8a · 2025-06-10T18:40:36.000-07:00
Until downstream manufacturing processes are updated, keeping a
legacy configuration file around for firmware builds. Will update notes
indicating that this file is deprecated and will be removed in the future
with instructions for how to update the build process.
diff --git a/.github/workflows/prepare-binaries.yml b/.github/workflows/prepare-binaries.yml
@@ -61,6 +61,9 @@ jobs:
     - name: Build Compatible Defaults Template (2023 MSFT + 2023 3P + 2023 OROM)
       run: python scripts/secure_boot_default_keys.py --keystore Templates/MicrosoftAndThirdParty.toml -o FirmwareArtifacts
 
+    - name: Build X86 / X64 / ARM Binaries
+      run: python scripts/secure_boot_default_keys.py --keystore Templates/LegacyFirmwareDefaults.toml -o FirmwareArtifacts
+
     - name: Upload Firmware Binaries as Artifacts
       uses: actions/upload-artifact@v4
       with:
diff --git a/Templates/LegacyFirmwareDefaults.toml b/Templates/LegacyFirmwareDefaults.toml
@@ -0,0 +1,167 @@
+# @file
+##
+#
+# [IMPORTANT!] This file will be deprecated in the future. This provides a legacy
+# configuration for existing downstream firmware that still needs to support Default*
+# and a DefaultDbx with a list of revoked certificates. Before Moving to the new
+# configurations ensure that your manufacturing process is prepared for the contents
+# you move to.
+#
+# Configuration for building EFI Signature Lists for UEFI Secure Boot
+#
+# This file will generate the EFI Signature Lists for the UEFI Secure Boot
+# following https://uefi.org/specs/UEFI/2.9_A/32_Secure_Boot_and_Driver_Signing.html#signature-database
+#
+# The Signature Lists are used to store the signature database in the UEFI Secure Boot Database
+# Each entry must have a "SignatureOwner" GUID. While the GUID is not required to be unique,
+# the Microsoft HLK test will fail if the GUID overlaps with the Microsoft GUID.
+# It is recommended to use your own GUID for the SignatureOwner.
+#
+# #pragma pack(1)
+# typedef struct _EFI_SIGNATURE_DATA {
+#   EFI_GUID                 SignatureOwner;
+#   UINT8                    SignatureData [_];
+# }   EFI_SIGNATURE_DATA;
+#
+# typedef struct _EFI_SIGNATURE_LIST {
+#   EFI_GUID                 SignatureType;
+#   UINT32                   SignatureListSize;
+#   UINT32                   SignatureHeaderSize;
+#   UINT32                   SignatureSize;
+# //   UINT8                 SignatureHeader [SignatureHeaderSize];
+# //   EFI_SIGNATURE_DATA    Signatures [__][SignatureSize];
+# }   EFI_SIGNATURE_LIST;
+# #pragma pack()
+#
+# Each Variable may contain multiple EFI_SIGNATURE_LISTs, each with a different SignatureType.
+# Following is the structure of a EFI Signature List:
+#
+#                             ---┌─────────────────────────┐
+#                            /   │  SIGNATURE LIST HEADER  │
+#                           /    │                         │
+# ┌───────────────┐        /     │                         │
+# │   SIGNATURE   │       /      ├─────────────────────────┤
+# │     LIST #0   │      /       │    SIGNATURE HEADER     │
+# │               │     /        │                         │
+# │               │    /         ├─────────────────────────┤
+# ├───────────────┤   /          │     SIGNATURE #0        │
+# │   SIGNATURE   │  /           │                         │
+# │     LIST #1   │ /            ├─────────────────────────┤
+# ├───────────────┤/             │     SIGNATURE #1        │
+# │   SIGNATURE   │              │                         │
+# │     LIST #2   │              ├─────────────────────────┤
+# │               │              │                         │
+# │               │              │                         │
+# │               │              │                         │
+# │               │              │                         │
+# │               │              │                         │
+# │               │              ├─────────────────────────┤
+# │               │              │     SIGNATURE #N        │
+# └───────────────┘\             │                         │
+#                   \____________└─────────────────────────┘
+#
+# Note:
+#   Powershell:
+#       Use the following command to compute the SHA1 hash of a file:
+#        > Get-FileHash -Algorithm SHA1 <file>
+#
+#   Bash:
+#       Use the following command to compute the SHA1 hash of a file:
+#        > sha1sum <file>
+#
+# Copyright (C) Microsoft Corporation
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+############################
+# Default PK File Entry    #
+############################
+[DefaultPk]
+help = "Contains the Microsoft PK to enable signature database updates and binary execution."
+
+[[DefaultPk.files]]
+path = "PreSignedObjects/PK/Certificate/WindowsOEMDevicesPK.der"
+sha1 = 0x3D8660C0CB2D57B189C3D7995572A552F75E48B5
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+
+############################
+# Default Kek File Entries #
+############################
+[DefaultKek]
+help = "Contains the Microsoft KEKs to enable signature database updates and binary execution."
+
+[[DefaultKek.files]]
+path = "PreSignedObjects/KEK/Certificates/MicCorKEKCA2011_2011-06-24.der"
+url = "https://go.microsoft.com/fwlink/?LinkId=321185"
+sha1 = 0x31590bfd89c9d74ed087dfac66334b3931254b30
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+
+[[DefaultKek.files]]
+path = "PreSignedObjects/KEK/Certificates/microsoft corporation kek 2k ca 2023.der"
+url = "https://go.microsoft.com/fwlink/?linkid=2239775"
+sha1 = 0x459ab6fb5e284d272d5e3e6abc8ed663829d632b
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+
+###########################
+# Default Db File Entries #
+###########################
+[DefaultDb]
+help = "Contains only Microsoft certificates to verify binaries before execution. More secure than Default3PDb."
+
+[[DefaultDb.files]]
+path = "PreSignedObjects/DB/Certificates/MicWinProPCA2011_2011-10-19.der"
+url = "https://go.microsoft.com/fwlink/p/?linkid=321192"
+sha1 = 0x580a6f4cc4e4b669b9ebdc1b2b3e087b80d0678d
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+
+[[DefaultDb.files]]
+path = "PreSignedObjects/DB/Certificates/windows uefi ca 2023.der"
+url = "https://go.microsoft.com/fwlink/?linkid=2239776"
+sha1 = 0x45a0fa32604773c82433c3b7d59e7466b3ac0c67
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+
+#####################################
+# Default 3rd Party Db File Entries #
+#####################################
+[Default3PDb]
+help = "Contains Microsoft and UEFI third party certificates to verify binaries before execution. More compatible than DefaultDb."
+
+[[Default3PDb.files]]
+path = "PreSignedObjects/DB/Certificates/MicWinProPCA2011_2011-10-19.der"
+url = "https://go.microsoft.com/fwlink/p/?linkid=321192"
+sha1 = 0x580a6f4cc4e4b669b9ebdc1b2b3e087b80d0678d
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+
+[[Default3PDb.files]]
+path = "PreSignedObjects/DB/Certificates/windows uefi ca 2023.der"
+url = "https://go.microsoft.com/fwlink/?linkid=2239776"
+sha1 = 0x45a0fa32604773c82433c3b7d59e7466b3ac0c67
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+
+[[Default3PDb.files]]
+path = "PreSignedObjects/DB/Certificates/MicCorUEFCA2011_2011-06-27.der"
+url = "https://go.microsoft.com/fwlink/p/?linkid=321194"
+sha1 = 0x46def63b5ce61cf8ba0de2e6639c1019d0ed14f3
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+
+[[Default3PDb.files]]
+path = "PreSignedObjects/DB/Certificates/microsoft uefi ca 2023.der"
+url = "https://go.microsoft.com/fwlink/?linkid=2239872"
+sha1 = 0xb5eeb4a6706048073f0ed296e7f580a790b59eaa
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+
+[[Default3PDb.files]]
+path = "PreSignedObjects/DB/Certificates/microsoft option rom uefi ca 2023.der"
+url = "http://www.microsoft.com/pkiops/certs/microsoft%20option%20rom%20uefi%20ca%202023.crt"
+sha1 = 0x3FB39E2B8BD183BF9E4594E72183CA60AFCD4277
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+
+############################
+# Default Dbx File Entries #
+############################
+[DefaultDbx]
+help = "Contains a list of revoked certificates that will not execute on this system. Filtered per Architecture (ARM, Intel)."
+
+[[DefaultDbx.files]]
+path = "PreSignedObjects/DBX/dbx_info_msft_1_14_25.json"
+sha1 = 0xE0241D2F36A26F3668E7AEF287F726D0CE19CA80
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
