diff --git a/.gitignore b/.gitignore
index 1a61eb8..bbfdb74 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 /openssl-*-hobbled.tar.xz
 /edk2-*.tar.xz
 /qemu-ovmf-secureboot-*.tar.gz
-/edk2-edk2-stable201903.tar.gz
+/edk2-*.tar.gz
+/softfloat-20180726-gitb64af41.tar.xz
diff --git a/0001-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch b/0001-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
index f9b0326..50e08da 100644
--- a/0001-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
+++ b/0001-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
@@ -1,4 +1,4 @@
-From 69da45eedaef8b6a02a0c77933330bcb0ec137e8 Mon Sep 17 00:00:00 2001
+From c9b16fbf5a762cd95bdd8b40c72b3e471c5cf84b Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
 Date: Wed, 27 Jan 2016 03:05:18 +0100
 Subject: [PATCH] OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in NvmExpressDxe
@@ -16,10 +16,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  3 files changed, 12 insertions(+), 3 deletions(-)
 
 diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
-index 5b885590b2..3f77f78a68 100644
+index e74a9d5a51..ef8bd35153 100644
 --- a/OvmfPkg/OvmfPkgIa32.dsc
 +++ b/OvmfPkg/OvmfPkgIa32.dsc
-@@ -739,7 +739,10 @@
+@@ -735,7 +735,10 @@
    OvmfPkg/SataControllerDxe/SataControllerDxe.inf
    MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
    MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
@@ -32,10 +32,10 @@ index 5b885590b2..3f77f78a68 100644
    MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
    MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
 diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
-index bbf0853ee6..3fb003e670 100644
+index 67ac015991..dfd47378e7 100644
 --- a/OvmfPkg/OvmfPkgIa32X64.dsc
 +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
-@@ -748,7 +748,10 @@
+@@ -744,7 +744,10 @@
    OvmfPkg/SataControllerDxe/SataControllerDxe.inf
    MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
    MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
@@ -48,10 +48,10 @@ index bbf0853ee6..3fb003e670 100644
    MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
    MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
-index d81460f520..26bbfecddf 100644
+index 68073ef55b..fdccae3976 100644
 --- a/OvmfPkg/OvmfPkgX64.dsc
 +++ b/OvmfPkg/OvmfPkgX64.dsc
-@@ -746,7 +746,10 @@
+@@ -742,7 +742,10 @@
    OvmfPkg/SataControllerDxe/SataControllerDxe.inf
    MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
    MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
diff --git a/0002-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-the-DXE-.patch b/0002-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-the-DXE-.patch
index 6401920..9c67f7a 100644
--- a/0002-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-the-DXE-.patch
+++ b/0002-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-the-DXE-.patch
@@ -1,4 +1,4 @@
-From 98991ce22e7347461a3f5a912a1f885776ace4cf Mon Sep 17 00:00:00 2001
+From 4a3f9b9691c88b316f45a163470c255a393d2dc9 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
 Date: Wed, 27 Jan 2016 03:05:18 +0100
 Subject: [PATCH] OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in the DXE core
@@ -17,10 +17,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  3 files changed, 6 insertions(+)
 
 diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
-index 3f77f78a68..89d380b72a 100644
+index ef8bd35153..5cd51062a7 100644
 --- a/OvmfPkg/OvmfPkgIa32.dsc
 +++ b/OvmfPkg/OvmfPkgIa32.dsc
-@@ -645,6 +645,8 @@
+@@ -641,6 +641,8 @@
      <LibraryClasses>
        NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf
        DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf
@@ -30,10 +30,10 @@ index 3f77f78a68..89d380b72a 100644
  
    MdeModulePkg/Universal/ReportStatusCodeRouter/RuntimeDxe/ReportStatusCodeRouterRuntimeDxe.inf
 diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
-index 3fb003e670..e87d840a0c 100644
+index dfd47378e7..05fe5661dc 100644
 --- a/OvmfPkg/OvmfPkgIa32X64.dsc
 +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
-@@ -654,6 +654,8 @@
+@@ -650,6 +650,8 @@
      <LibraryClasses>
        NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf
        DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf
@@ -43,10 +43,10 @@ index 3fb003e670..e87d840a0c 100644
  
    MdeModulePkg/Universal/ReportStatusCodeRouter/RuntimeDxe/ReportStatusCodeRouterRuntimeDxe.inf
 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
-index 26bbfecddf..d6df5771e6 100644
+index fdccae3976..4f3566cd14 100644
 --- a/OvmfPkg/OvmfPkgX64.dsc
 +++ b/OvmfPkg/OvmfPkgX64.dsc
-@@ -652,6 +652,8 @@
+@@ -648,6 +648,8 @@
      <LibraryClasses>
        NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf
        DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf
diff --git a/0003-OvmfPkg-enable-DEBUG_VERBOSE.patch b/0003-OvmfPkg-enable-DEBUG_VERBOSE.patch
index be68aa0..bd6656c 100644
--- a/0003-OvmfPkg-enable-DEBUG_VERBOSE.patch
+++ b/0003-OvmfPkg-enable-DEBUG_VERBOSE.patch
@@ -1,4 +1,4 @@
-From ec976161fc60922a53106f2aa3d17a2b5f7f577c Mon Sep 17 00:00:00 2001
+From e69ceee47877b92dca587592b477dee7aba8e4cd Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
 Date: Sun, 8 Jul 2012 14:26:07 +0200
 Subject: [PATCH] OvmfPkg: enable DEBUG_VERBOSE
@@ -14,10 +14,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  3 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
-index 89d380b72a..453b3563ab 100644
+index 5cd51062a7..6b1bf39246 100644
 --- a/OvmfPkg/OvmfPkgIa32.dsc
 +++ b/OvmfPkg/OvmfPkgIa32.dsc
-@@ -484,7 +484,7 @@
+@@ -479,7 +479,7 @@
    # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
    #                             // significantly impact boot performance
    # DEBUG_ERROR     0x80000000  // Error
@@ -27,10 +27,10 @@ index 89d380b72a..453b3563ab 100644
  !ifdef $(SOURCE_DEBUG_ENABLE)
    gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
 diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
-index e87d840a0c..41ff89c3db 100644
+index 05fe5661dc..a1c083ec7b 100644
 --- a/OvmfPkg/OvmfPkgIa32X64.dsc
 +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
-@@ -489,7 +489,7 @@
+@@ -484,7 +484,7 @@
    # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
    #                             // significantly impact boot performance
    # DEBUG_ERROR     0x80000000  // Error
@@ -40,10 +40,10 @@ index e87d840a0c..41ff89c3db 100644
  !ifdef $(SOURCE_DEBUG_ENABLE)
    gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
-index d6df5771e6..c12a90a83c 100644
+index 4f3566cd14..7ee9d2b359 100644
 --- a/OvmfPkg/OvmfPkgX64.dsc
 +++ b/OvmfPkg/OvmfPkgX64.dsc
-@@ -489,7 +489,7 @@
+@@ -484,7 +484,7 @@
    # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
    #                             // significantly impact boot performance
    # DEBUG_ERROR     0x80000000  // Error
diff --git a/0004-OvmfPkg-increase-max-debug-message-length-to-512.patch b/0004-OvmfPkg-increase-max-debug-message-length-to-512.patch
index a1ddd5b..79b227f 100644
--- a/0004-OvmfPkg-increase-max-debug-message-length-to-512.patch
+++ b/0004-OvmfPkg-increase-max-debug-message-length-to-512.patch
@@ -1,4 +1,4 @@
-From 4baed0985163d9b34a55e97905da77660f6dc118 Mon Sep 17 00:00:00 2001
+From 4f43c23c001910836cbf76644daad38ec7ceb240 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
 Date: Thu, 20 Feb 2014 22:54:45 +0100
 Subject: [PATCH] OvmfPkg: increase max debug message length to 512
@@ -16,15 +16,15 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
-index 36cde54976..c0c4eaee0f 100644
+index 3dfa3126c3..9451c50c70 100644
 --- a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
 +++ b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
-@@ -27,7 +27,7 @@
+@@ -21,7 +21,7 @@
  //
  // Define the maximum debug and assert message length that this library supports
  //
 -#define MAX_DEBUG_MESSAGE_LENGTH  0x100
 +#define MAX_DEBUG_MESSAGE_LENGTH  0x200
  
- /**
-   Prints a debug message to the debug output device if the specified error level is enabled.
+ //
+ // VA_LIST can not initialize to NULL for all compiler, so we use this to
diff --git a/0005-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch b/0005-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
index d4bafdc..4e8aef5 100644
--- a/0005-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
+++ b/0005-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
@@ -1,4 +1,4 @@
-From 2f0378ed75fd17e9ddd4e15b475197f6c6147b6c Mon Sep 17 00:00:00 2001
+From 07b59d495afdcf98ffbc6dc2dbaa0978690bf3c0 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
 Date: Wed, 11 Jun 2014 23:33:33 +0200
 Subject: [PATCH] advertise OpenSSL on TianoCore splash screen / boot logo
@@ -113,10 +113,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  create mode 100644 MdeModulePkg/Logo/LogoOpenSSLDxe.uni
 
 diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
-index a77d71bcea..319254f0db 100644
+index cf28478977..bd64ea610d 100644
 --- a/ArmVirtPkg/ArmVirtQemu.dsc
 +++ b/ArmVirtPkg/ArmVirtQemu.dsc
-@@ -347,7 +347,11 @@
+@@ -360,7 +360,11 @@
    MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
    MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
    MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
@@ -129,10 +129,10 @@ index a77d71bcea..319254f0db 100644
      <LibraryClasses>
        NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
 diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
-index 098d40b61b..514759a637 100644
+index 31f615a9d0..764954c84a 100644
 --- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
 +++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
-@@ -203,7 +203,11 @@ READ_LOCK_STATUS   = TRUE
+@@ -176,7 +176,11 @@ READ_LOCK_STATUS   = TRUE
    #
    # TianoCore logo (splash screen)
    #
@@ -145,10 +145,10 @@ index 098d40b61b..514759a637 100644
    #
    # Ramdisk support
 diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
-index 1e5388ae70..daa8ee7009 100644
+index 596e59739c..eea9ccaebb 100644
 --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
 +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
-@@ -331,7 +331,11 @@
+@@ -344,7 +344,11 @@
    MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
    MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
    MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
@@ -3026,10 +3026,10 @@ index 0000000000..7227ac3910
 +#string STR_MODULE_DESCRIPTION          #language en-US "This module provides the logo bitmap picture (with OpenSSL advertisment) shown on setup screen, through EDKII Platform Logo protocol."
 +
 diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
-index 453b3563ab..5dd44bceb7 100644
+index 6b1bf39246..5ef48d2410 100644
 --- a/OvmfPkg/OvmfPkgIa32.dsc
 +++ b/OvmfPkg/OvmfPkgIa32.dsc
-@@ -695,7 +695,11 @@
+@@ -691,7 +691,11 @@
        NULL|IntelFrameworkModulePkg/Library/LegacyBootManagerLib/LegacyBootManagerLib.inf
  !endif
    }
@@ -3042,10 +3042,10 @@ index 453b3563ab..5dd44bceb7 100644
      <LibraryClasses>
        NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
 diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
-index 4999403ad7..77d0d3f131 100644
+index e428334702..87e008e6fe 100644
 --- a/OvmfPkg/OvmfPkgIa32.fdf
 +++ b/OvmfPkg/OvmfPkgIa32.fdf
-@@ -293,7 +293,11 @@ INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
+@@ -292,7 +292,11 @@ INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
  !endif
  INF  ShellPkg/Application/Shell/Shell.inf
  
@@ -3058,10 +3058,10 @@ index 4999403ad7..77d0d3f131 100644
  #
  # Network modules
 diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
-index 41ff89c3db..9a14a26845 100644
+index a1c083ec7b..b55a88d1c4 100644
 --- a/OvmfPkg/OvmfPkgIa32X64.dsc
 +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
-@@ -704,7 +704,11 @@
+@@ -700,7 +700,11 @@
        NULL|IntelFrameworkModulePkg/Library/LegacyBootManagerLib/LegacyBootManagerLib.inf
  !endif
    }
@@ -3074,10 +3074,10 @@ index 41ff89c3db..9a14a26845 100644
      <LibraryClasses>
        NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
 diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
-index d0cc107928..da68440ddb 100644
+index 6ddffe7547..7dd8940c5f 100644
 --- a/OvmfPkg/OvmfPkgIa32X64.fdf
 +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
-@@ -294,7 +294,11 @@ INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
+@@ -293,7 +293,11 @@ INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
  !endif
  INF  ShellPkg/Application/Shell/Shell.inf
  
@@ -3090,10 +3090,10 @@ index d0cc107928..da68440ddb 100644
  #
  # Network modules
 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
-index c12a90a83c..0f888b0373 100644
+index 7ee9d2b359..80ba78628e 100644
 --- a/OvmfPkg/OvmfPkgX64.dsc
 +++ b/OvmfPkg/OvmfPkgX64.dsc
-@@ -702,7 +702,11 @@
+@@ -698,7 +698,11 @@
        NULL|IntelFrameworkModulePkg/Library/LegacyBootManagerLib/LegacyBootManagerLib.inf
  !endif
    }
@@ -3106,10 +3106,10 @@ index c12a90a83c..0f888b0373 100644
      <LibraryClasses>
        NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
 diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
-index d0cc107928..da68440ddb 100644
+index 6ddffe7547..7dd8940c5f 100644
 --- a/OvmfPkg/OvmfPkgX64.fdf
 +++ b/OvmfPkg/OvmfPkgX64.fdf
-@@ -294,7 +294,11 @@ INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
+@@ -293,7 +293,11 @@ INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
  !endif
  INF  ShellPkg/Application/Shell/Shell.inf
  
diff --git a/0006-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch b/0006-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
index 91d0348..5883e3d 100644
--- a/0006-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
+++ b/0006-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
@@ -1,4 +1,4 @@
-From 17be7ae189a51fa09d2ccf9bedefb481c5ed22ea Mon Sep 17 00:00:00 2001
+From fcd392ab40bcc478d5136959781e37ed629e03ac Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
 Date: Thu, 12 Jun 2014 00:17:59 +0200
 Subject: [PATCH] OvmfPkg: QemuVideoDxe: enable debug messages in VbeShim
@@ -29,10 +29,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  2 files changed, 308 insertions(+), 175 deletions(-)
 
 diff --git a/OvmfPkg/QemuVideoDxe/VbeShim.asm b/OvmfPkg/QemuVideoDxe/VbeShim.asm
-index 18fa9209d4..f87ed5cf30 100644
+index cb2a60d827..26fe1bcc32 100644
 --- a/OvmfPkg/QemuVideoDxe/VbeShim.asm
 +++ b/OvmfPkg/QemuVideoDxe/VbeShim.asm
-@@ -18,7 +18,7 @@
+@@ -12,7 +12,7 @@
  ;------------------------------------------------------------------------------
  
  ; enable this macro for debug messages
diff --git a/0007-MdeModulePkg-TerminalDxe-add-other-text-resolutions.patch b/0007-MdeModulePkg-TerminalDxe-add-other-text-resolutions.patch
index 5a18c92..692e46b 100644
--- a/0007-MdeModulePkg-TerminalDxe-add-other-text-resolutions.patch
+++ b/0007-MdeModulePkg-TerminalDxe-add-other-text-resolutions.patch
@@ -1,4 +1,4 @@
-From 07ce34a8761d89ab3d6009576f995ff48bbd7487 Mon Sep 17 00:00:00 2001
+From 1506edb0d4cd40517e557354d517c1f762725b4b Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
 Date: Tue, 25 Feb 2014 18:40:35 +0100
 Subject: [PATCH] MdeModulePkg: TerminalDxe: add other text resolutions
@@ -76,10 +76,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  1 file changed, 38 insertions(+), 3 deletions(-)
 
 diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
-index 66dd3ad550..78a198379a 100644
+index c76b2c5100..eff9d9787f 100644
 --- a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
 +++ b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
-@@ -113,9 +113,44 @@ TERMINAL_DEV  mTerminalDevTemplate = {
+@@ -107,9 +107,44 @@ TERMINAL_DEV  mTerminalDevTemplate = {
  };
  
  TERMINAL_CONSOLE_MODE_DATA mTerminalConsoleModeData[] = {
diff --git a/0008-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch b/0008-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
index 3c6cf4b..75d9245 100644
--- a/0008-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
+++ b/0008-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
@@ -1,4 +1,4 @@
-From 84e29eaec51ad2365674fbbaa6556c456b983367 Mon Sep 17 00:00:00 2001
+From 21285bd60350b5f6e7c6a90889a59d169db5b32f Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
 Date: Tue, 25 Feb 2014 22:40:01 +0100
 Subject: [PATCH] MdeModulePkg: TerminalDxe: set xterm resolution on mode
@@ -37,10 +37,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  3 files changed, 36 insertions(+)
 
 diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
-index a2130bc439..dcd118ba62 100644
+index 6cba729982..e2d59349c9 100644
 --- a/MdeModulePkg/MdeModulePkg.dec
 +++ b/MdeModulePkg/MdeModulePkg.dec
-@@ -1968,6 +1968,10 @@
+@@ -1945,6 +1945,10 @@
    # @Prompt The address mask when memory encryption is enabled.
    gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0|UINT64|0x30001047
  
@@ -52,10 +52,10 @@ index a2130bc439..dcd118ba62 100644
    ## Specify memory size with page number for PEI code when
    #  Loading Module at Fixed Address feature is enabled.
 diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
-index 4d7218e415..295e7641a5 100644
+index 7ef655cca5..1113252df2 100644
 --- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
 +++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
-@@ -13,6 +13,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+@@ -7,6 +7,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
  
  **/
  
@@ -64,7 +64,7 @@ index 4d7218e415..295e7641a5 100644
  #include "Terminal.h"
  
  //
-@@ -86,6 +88,16 @@ CHAR16 mSetCursorPositionString[]  = { ESC, '[', '0', '0', ';', '0', '0', 'H', 0
+@@ -80,6 +82,16 @@ CHAR16 mSetCursorPositionString[]  = { ESC, '[', '0', '0', ';', '0', '0', 'H', 0
  CHAR16 mCursorForwardString[]      = { ESC, '[', '0', '0', 'C', 0 };
  CHAR16 mCursorBackwardString[]     = { ESC, '[', '0', '0', 'D', 0 };
  
@@ -81,7 +81,7 @@ index 4d7218e415..295e7641a5 100644
  //
  // Body of the ConOut functions
  //
-@@ -508,6 +520,24 @@ TerminalConOutSetMode (
+@@ -502,6 +514,24 @@ TerminalConOutSetMode (
      return EFI_DEVICE_ERROR;
    }
  
@@ -107,10 +107,10 @@ index 4d7218e415..295e7641a5 100644
  
    Status            = This->ClearScreen (This);
 diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
-index 15b4ac1c33..a704bc17e5 100644
+index 24e164ef4d..d1160ed1c7 100644
 --- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
 +++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
-@@ -60,6 +60,7 @@
+@@ -55,6 +55,7 @@
    DebugLib
    PcdLib
    BaseLib
@@ -118,7 +118,7 @@ index 15b4ac1c33..a704bc17e5 100644
  
  [Guids]
    ## SOMETIMES_PRODUCES ## Variable:L"ConInDev"
-@@ -88,6 +89,7 @@
+@@ -83,6 +84,7 @@
  [Pcd]
    gEfiMdePkgTokenSpaceGuid.PcdDefaultTerminalType           ## SOMETIMES_CONSUMES
    gEfiMdeModulePkgTokenSpaceGuid.PcdErrorCodeSetVariable    ## CONSUMES
diff --git a/0009-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch b/0009-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
index 2546753..706dfc2 100644
--- a/0009-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
+++ b/0009-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
@@ -1,4 +1,4 @@
-From 040bd938a84163ba1f196de97f9137bcc84f653d Mon Sep 17 00:00:00 2001
+From 50d915724e8283db90d402d8cd8ce10bdd93c3cb Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
 Date: Wed, 14 Oct 2015 15:59:06 +0200
 Subject: [PATCH] OvmfPkg: take PcdResizeXterm from the QEMU command line (RH
@@ -29,10 +29,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  5 files changed, 5 insertions(+)
 
 diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
-index 5dd44bceb7..702d3a86c4 100644
+index 5ef48d2410..f03cbe713f 100644
 --- a/OvmfPkg/OvmfPkgIa32.dsc
 +++ b/OvmfPkg/OvmfPkgIa32.dsc
-@@ -531,6 +531,7 @@
+@@ -527,6 +527,7 @@
    #   ($(SMM_REQUIRE) == FALSE)
    gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
  
@@ -41,10 +41,10 @@ index 5dd44bceb7..702d3a86c4 100644
    gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
    gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0
 diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
-index 9a14a26845..46bc3a0b77 100644
+index b55a88d1c4..248030402c 100644
 --- a/OvmfPkg/OvmfPkgIa32X64.dsc
 +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
-@@ -537,6 +537,7 @@
+@@ -533,6 +533,7 @@
    #   ($(SMM_REQUIRE) == FALSE)
    gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
  
@@ -53,10 +53,10 @@ index 9a14a26845..46bc3a0b77 100644
    gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
    gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0
 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
-index 0f888b0373..31c5933016 100644
+index 80ba78628e..2788e84401 100644
 --- a/OvmfPkg/OvmfPkgX64.dsc
 +++ b/OvmfPkg/OvmfPkgX64.dsc
-@@ -536,6 +536,7 @@
+@@ -532,6 +532,7 @@
    #   ($(SMM_REQUIRE) == FALSE)
    gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
  
@@ -65,10 +65,10 @@ index 0f888b0373..31c5933016 100644
    gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
    gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0
 diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c
-index 22139a64cb..64b8034117 100644
+index 3ba2459872..bbbf1ac2a8 100644
 --- a/OvmfPkg/PlatformPei/Platform.c
 +++ b/OvmfPkg/PlatformPei/Platform.c
-@@ -670,6 +670,7 @@ InitializePlatform (
+@@ -667,6 +667,7 @@ InitializePlatform (
      PeiFvInitialization ();
      MemMapInitialization ();
      NoexecDxeInitialization ();
@@ -77,10 +77,10 @@ index 22139a64cb..64b8034117 100644
  
    InstallClearCacheCallback ();
 diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
-index 5c8dd0fe6d..035ce249fe 100644
+index f660c2d9e4..3e0d7917ab 100644
 --- a/OvmfPkg/PlatformPei/PlatformPei.inf
 +++ b/OvmfPkg/PlatformPei/PlatformPei.inf
-@@ -96,6 +96,7 @@
+@@ -90,6 +90,7 @@
    gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize
    gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
    gEfiMdeModulePkgTokenSpaceGuid.PcdPciDisableBusEnumeration
diff --git a/0010-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch b/0010-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch
index 5fa8cc9..33c3d46 100644
--- a/0010-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch
+++ b/0010-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch
@@ -1,4 +1,4 @@
-From 1931e213b6185c87f95f8ce6aec005272dba2621 Mon Sep 17 00:00:00 2001
+From a5249c3f4b359fde1bd6b526239ad2805012e97d Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
 Date: Tue, 12 Apr 2016 20:50:25 +0200
 Subject: [PATCH] ArmVirtPkg: QemuFwCfgLib: allow UEFI_DRIVER client modules
@@ -22,10 +22,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf b/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
-index eff4a21650..adf1ff6c6a 100644
+index 4d27d7d30b..feceed5f93 100644
 --- a/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
 +++ b/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
-@@ -22,7 +22,7 @@
+@@ -15,7 +15,7 @@
    FILE_GUID                      = B271F41F-B841-48A9-BA8D-545B4BC2E2BF
    MODULE_TYPE                    = BASE
    VERSION_STRING                 = 1.0
diff --git a/0011-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch b/0011-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
index e25543e..1085a00 100644
--- a/0011-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
+++ b/0011-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
@@ -1,4 +1,4 @@
-From 18b097d4857f31d0117e31872d989b39c30215a6 Mon Sep 17 00:00:00 2001
+From 1bb7a4dfcc190606f30f0a4ec3575db709392e6c Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
 Date: Sun, 26 Jul 2015 08:02:50 +0000
 Subject: [PATCH] ArmVirtPkg: take PcdResizeXterm from the QEMU command line
@@ -31,10 +31,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
 
 diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
-index 319254f0db..9a2b861fae 100644
+index bd64ea610d..ccbadffd65 100644
 --- a/ArmVirtPkg/ArmVirtQemu.dsc
 +++ b/ArmVirtPkg/ArmVirtQemu.dsc
-@@ -221,6 +221,8 @@
+@@ -233,6 +233,8 @@
    gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0
    gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE
  
@@ -43,7 +43,7 @@ index 319254f0db..9a2b861fae 100644
  [PcdsDynamicHii]
    gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS
  
-@@ -297,7 +299,10 @@
+@@ -310,7 +312,10 @@
    MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
    MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf
    MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
diff --git a/0012-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch b/0012-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch
index a5c6f80..b86c613 100644
--- a/0012-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch
+++ b/0012-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch
@@ -1,4 +1,4 @@
-From 026848dd55609cd184cd8fef3b312236e0ee3024 Mon Sep 17 00:00:00 2001
+From 7e6180b3e73d7fb2a18f3c15ccba632d8c933f95 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
 Date: Tue, 4 Nov 2014 23:02:53 +0100
 Subject: [PATCH] OvmfPkg: allow exclusion of the shell from the firmware image
@@ -55,10 +55,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  3 files changed, 8 insertions(+)
 
 diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
-index 77d0d3f131..aa07387d19 100644
+index 87e008e6fe..21872aeecb 100644
 --- a/OvmfPkg/OvmfPkgIa32.fdf
 +++ b/OvmfPkg/OvmfPkgIa32.fdf
-@@ -288,10 +288,12 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
+@@ -287,10 +287,12 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
  INF  FatPkg/EnhancedFatDxe/Fat.inf
  INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
  
@@ -72,10 +72,10 @@ index 77d0d3f131..aa07387d19 100644
  !if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(NETWORK_IP6_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
  INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
 diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
-index da68440ddb..585d97685a 100644
+index 7dd8940c5f..95c04fd8f4 100644
 --- a/OvmfPkg/OvmfPkgIa32X64.fdf
 +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
-@@ -289,10 +289,13 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
+@@ -288,10 +288,13 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
  INF  FatPkg/EnhancedFatDxe/Fat.inf
  INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
  
@@ -90,10 +90,10 @@ index da68440ddb..585d97685a 100644
  !if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(NETWORK_IP6_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
  INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
 diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
-index da68440ddb..585d97685a 100644
+index 7dd8940c5f..95c04fd8f4 100644
 --- a/OvmfPkg/OvmfPkgX64.fdf
 +++ b/OvmfPkg/OvmfPkgX64.fdf
-@@ -289,10 +289,13 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
+@@ -288,10 +288,13 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
  INF  FatPkg/EnhancedFatDxe/Fat.inf
  INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
  
diff --git a/0014-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch b/0013-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
similarity index 93%
rename from 0014-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
rename to 0013-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
index 1e66bb3..e9049e5 100644
--- a/0014-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
+++ b/0013-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
@@ -1,4 +1,4 @@
-From ddb3084986db65a9006d28d5e9b6f0f7969cf2c0 Mon Sep 17 00:00:00 2001
+From 01046984f4e68e7f0ef8649c0bf30803f4059b66 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
 Date: Wed, 14 Oct 2015 13:49:43 +0200
 Subject: [PATCH] ArmPlatformPkg: introduce fixed PCD for early hello message
@@ -36,10 +36,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  1 file changed, 7 insertions(+)
 
 diff --git a/ArmPlatformPkg/ArmPlatformPkg.dec b/ArmPlatformPkg/ArmPlatformPkg.dec
-index 44c00bd0c1..40c8ec3251 100644
+index c8ea183313..bab4804a17 100644
 --- a/ArmPlatformPkg/ArmPlatformPkg.dec
 +++ b/ArmPlatformPkg/ArmPlatformPkg.dec
-@@ -114,6 +114,13 @@
+@@ -108,6 +108,13 @@
    ## If set, this will swap settings for HDLCD RED_SELECT and BLUE_SELECT registers
    gArmPlatformTokenSpaceGuid.PcdArmHdLcdSwapBlueRedSelect|FALSE|BOOLEAN|0x00000045
  
diff --git a/0013-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch b/0013-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
deleted file mode 100644
index 168326b..0000000
--- a/0013-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
+++ /dev/null
@@ -1,1328 +0,0 @@
-From deeaddfb366703c157668588947e5f1767a1193a Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek <lersek@redhat.com>
-Date: Tue, 4 Nov 2014 23:02:55 +0100
-Subject: [PATCH] OvmfPkg: EnrollDefaultKeys: application for enrolling default
- keys
-
-This application is meant to be invoked by the management layer, after
-booting the UEFI shell and getting a shell prompt on the serial console.
-The app enrolls a number of certificates (see below), and then reports
-status to the serial console as well. The expected output is "info:
-success":
-
-> Shell> EnrollDefaultKeys.efi
-> info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
-> info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
-> info: success
-> Shell>
-
-In case of success, the management layer can force off or reboot the VM
-(for example with the "reset -s" or "reset -c" UEFI shell commands,
-respectively), and start the guest installation with SecureBoot enabled.
-
-PK:
-- A unique, static, ad-hoc certificate whose private half has been
-  destroyed (more precisely, never saved) and is therefore unusable for
-  signing. (The command for creating this certificate is saved in the
-  source code.) Background:
-
-On 09/30/14 20:00, Peter Jones wrote:
-> We should generate a special key that's not in our normal signing chains
-> for PK and KEK.  The reason for this is that [in practice] PK gets
-> treated as part of DB (*).
->
-> [Shipping a key in our normal signing chains] as PK means you can run
-> grub directly, in which case it won't have access to the shim protocol.
-> When grub is run without the shim protocol registered, it assumes SB is
-> disabled and boots without verifying the kernel.  We don't want that to
-> be a thing you can do, but allowing that is the inevitable result of
-> shipping with any of our normal signing chain in PK or KEK.
->
-> (* USRT has actually agreed that since you can escalate to this behavior
-> if you have the secret half of a key in KEK or PK anyway, and many
-> vendors had already shipped it this way, that it is fine and I think
-> even *expected* at this point, even though it wasn't formally in the
-> UEFI 2.3.1 Spec that introduced Secure Boot.  I'll try and make sure the
-> language reflects that in an upcoming spec revision.)
->
-> So let me get SRT to issue a special key to use for PK and KEK.  We can
-> use it just for those operations, and make sure it's protected with the
-> same processes and controls as our other signing keys.
-
-  Until SRT generates such a key for us, this ad-hoc key should be a good
-  placeholder.
-
-KEK:
-- same ad-hoc certificate as used for the PK,
-- "Microsoft Corporation KEK CA 2011" -- the dbx data in Fedora's dbxtool
-  package is signed (indirectly, through a chain) with this; enrolling
-  such a KEK should allow guests to install those updates.
-
-DB:
-- "Microsoft Windows Production PCA 2011" -- to load Windows 8 and Windows
-  Server 2012 R2,
-- "Microsoft Corporation UEFI CA 2011" -- to load Linux and signed PCI
-  oproms.
-
-*UPDATE*
-
-OvmfPkg: EnrollDefaultKeys: pick up official Red Hat PK/KEK (RHEL only)
-
-Replace the placeholder ExampleCert with a certificate generated and
-managed by the Red Hat Security Response Team.
-
-> Certificate:
->     Data:
->         Version: 3 (0x2)
->         Serial Number: 18371740789028339953 (0xfef588e8f396c0f1)
->     Signature Algorithm: sha256WithRSAEncryption
->         Issuer: CN=Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com
->         Validity
->             Not Before: Oct 31 11:15:37 2014 GMT
->             Not After : Oct 25 11:15:37 2037 GMT
->         Subject: CN=Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com
->         Subject Public Key Info:
->             Public Key Algorithm: rsaEncryption
->                 Public-Key: (2048 bit)
->                 Modulus:
->                     00:90:1f:84:7b:8d:bc:eb:97:26:82:6d:88:ab:8a:
->                     c9:8c:68:70:f9:df:4b:07:b2:37:83:0b:02:c8:67:
->                     68:30:9e:e3:f0:f0:99:4a:b8:59:57:c6:41:f6:38:
->                     8b:fe:66:4c:49:e9:37:37:92:2e:98:01:1e:5b:14:
->                     50:e6:a8:8d:25:0d:f5:86:e6:ab:30:cb:40:16:ea:
->                     8d:8b:16:86:70:43:37:f2:ce:c0:91:df:71:14:8e:
->                     99:0e:89:b6:4c:6d:24:1e:8c:e4:2f:4f:25:d0:ba:
->                     06:f8:c6:e8:19:18:76:73:1d:81:6d:a8:d8:05:cf:
->                     3a:c8:7b:28:c8:36:a3:16:0d:29:8c:99:9a:68:dc:
->                     ab:c0:4d:8d:bf:5a:bb:2b:a9:39:4b:04:97:1c:f9:
->                     36:bb:c5:3a:86:04:ae:af:d4:82:7b:e0:ab:de:49:
->                     05:68:fc:f6:ae:68:1a:6c:90:4d:57:19:3c:64:66:
->                     03:f6:c7:52:9b:f7:94:cf:93:6a:a1:68:c9:aa:cf:
->                     99:6b:bc:aa:5e:08:e7:39:1c:f7:f8:0f:ba:06:7e:
->                     f1:cb:e8:76:dd:fe:22:da:ad:3a:5e:5b:34:ea:b3:
->                     c9:e0:4d:04:29:7e:b8:60:b9:05:ef:b5:d9:17:58:
->                     56:16:60:b9:30:32:f0:36:4a:c3:f2:79:8d:12:40:
->                     70:f3
->                 Exponent: 65537 (0x10001)
->         X509v3 extensions:
->             X509v3 Basic Constraints:
->                 CA:FALSE
->             Netscape Comment:
->                 OpenSSL Generated Certificate
->             X509v3 Subject Key Identifier:
->                 3C:E9:60:E3:FF:19:A1:0A:7B:A3:42:F4:8D:42:2E:B4:D5:9C:72:EC
->             X509v3 Authority Key Identifier:
->                 keyid:3C:E9:60:E3:FF:19:A1:0A:7B:A3:42:F4:8D:42:2E:B4:D5:9C:72:EC
->
->     Signature Algorithm: sha256WithRSAEncryption
->          5c:4d:92:88:b4:82:5f:1d:ad:8b:11:ec:df:06:a6:7a:a5:2b:
->          9f:37:55:0c:8d:6e:05:00:ad:b7:0c:41:89:69:cf:d6:65:06:
->          9b:51:78:d2:ad:c7:bf:9c:dc:05:73:7f:e7:1e:39:13:b4:ea:
->          b6:30:7d:40:75:ab:9c:43:0b:df:b0:c2:1b:bf:30:e0:f4:fe:
->          c0:db:62:21:98:f6:c5:af:de:3b:4f:49:0a:e6:1e:f9:86:b0:
->          3f:0d:d6:d4:46:37:db:54:74:5e:ff:11:c2:60:c6:70:58:c5:
->          1c:6f:ec:b2:d8:6e:6f:c3:bc:33:87:38:a4:f3:44:64:9c:34:
->          3b:28:94:26:78:27:9f:16:17:e8:3b:69:0a:25:a9:73:36:7e:
->          9e:37:5c:ec:e8:3f:db:91:f9:12:b3:3d:ce:e7:dd:15:c3:ae:
->          8c:05:20:61:9b:95:de:9b:af:fa:b1:5c:1c:e5:97:e7:c3:34:
->          11:85:f5:8a:27:26:a4:70:36:ec:0c:f6:83:3d:90:f7:36:f3:
->          f9:f3:15:d4:90:62:be:53:b4:af:d3:49:af:ef:f4:73:e8:7b:
->          76:e4:44:2a:37:ba:81:a4:99:0c:3a:31:24:71:a0:e4:e4:b7:
->          1a:cb:47:e4:aa:22:cf:ef:75:61:80:e3:43:b7:48:57:73:11:
->          3d:78:9b:69
-> -----BEGIN CERTIFICATE-----
-> MIIDoDCCAoigAwIBAgIJAP71iOjzlsDxMA0GCSqGSIb3DQEBCwUAMFExKzApBgNV
-> BAMTIlJlZCBIYXQgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkgMSkxIjAgBgkqhkiG
-> 9w0BCQEWE3NlY2FsZXJ0QHJlZGhhdC5jb20wHhcNMTQxMDMxMTExNTM3WhcNMzcx
-> MDI1MTExNTM3WjBRMSswKQYDVQQDEyJSZWQgSGF0IFNlY3VyZSBCb290IChQSy9L
-> RUsga2V5IDEpMSIwIAYJKoZIhvcNAQkBFhNzZWNhbGVydEByZWRoYXQuY29tMIIB
-> IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkB+Ee42865cmgm2Iq4rJjGhw
-> +d9LB7I3gwsCyGdoMJ7j8PCZSrhZV8ZB9jiL/mZMSek3N5IumAEeWxRQ5qiNJQ31
-> huarMMtAFuqNixaGcEM38s7Akd9xFI6ZDom2TG0kHozkL08l0LoG+MboGRh2cx2B
-> bajYBc86yHsoyDajFg0pjJmaaNyrwE2Nv1q7K6k5SwSXHPk2u8U6hgSur9SCe+Cr
-> 3kkFaPz2rmgabJBNVxk8ZGYD9sdSm/eUz5NqoWjJqs+Za7yqXgjnORz3+A+6Bn7x
-> y+h23f4i2q06Xls06rPJ4E0EKX64YLkF77XZF1hWFmC5MDLwNkrD8nmNEkBw8wID
-> AQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy
-> YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUPOlg4/8ZoQp7o0L0jUIutNWccuww
-> HwYDVR0jBBgwFoAUPOlg4/8ZoQp7o0L0jUIutNWccuwwDQYJKoZIhvcNAQELBQAD
-> ggEBAFxNkoi0gl8drYsR7N8GpnqlK583VQyNbgUArbcMQYlpz9ZlBptReNKtx7+c
-> 3AVzf+ceORO06rYwfUB1q5xDC9+wwhu/MOD0/sDbYiGY9sWv3jtPSQrmHvmGsD8N
-> 1tRGN9tUdF7/EcJgxnBYxRxv7LLYbm/DvDOHOKTzRGScNDsolCZ4J58WF+g7aQol
-> qXM2fp43XOzoP9uR+RKzPc7n3RXDrowFIGGbld6br/qxXBzll+fDNBGF9YonJqRw
-> NuwM9oM9kPc28/nzFdSQYr5TtK/TSa/v9HPoe3bkRCo3uoGkmQw6MSRxoOTktxrL
-> R+SqIs/vdWGA40O3SFdzET14m2k=
-> -----END CERTIFICATE-----
-
-Notes about the 9ece15a -> c9e5618 rebase:
-- resolved conflicts in:
-    OvmfPkg/OvmfPkgIa32.dsc
-    OvmfPkg/OvmfPkgIa32X64.dsc
-    OvmfPkg/OvmfPkgX64.dsc
-  due to OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf having
-  disappeared in upstream (commit 57446bb9).
-
-Notes about the c9e5618 -> b9ffeab rebase:
-- Guid/VariableFormat.h now lives under MdeModulePkg.
-
-Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
-
-- This patch now squashes the following commits:
-  - 014f459c197b OvmfPkg: EnrollDefaultKeys: application for enrolling
-                 default keys (RH only)
-  - 18422a18d0e9 OvmfPkg/EnrollDefaultKeys: assign Status before reading
-                 it (RH only)
-  - ddb90568e874 OvmfPkg/EnrollDefaultKeys: silence VS2015x86 warning (RH
-                 only)
-
-Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
-
-- This patch now squashes the following commits:
-  - c0b2615a9c0b OvmfPkg: EnrollDefaultKeys: application for enrolling
-                 default keys (RH only)
-  - 22f4d33d0168 OvmfPkg/EnrollDefaultKeys: update SignatureOwner GUID for
-                 Windows HCK (RH)
-  - ff7f2c1d870d OvmfPkg/EnrollDefaultKeys: expose CertType parameter of
-                 EnrollListOfCerts (RH)
-  - aee7b5ba60b4 OvmfPkg/EnrollDefaultKeys: blacklist empty file in dbx
-                 for Windows HCK (RH)
-
-- Consequently, OvmfPkg/EnrollDefaultKeys/ is identical to the same
-  directory at the "RHEL-7.4" tag (49d06d386736).
-
-Signed-off-by: Laszlo Ersek <lersek@redhat.com>
-(cherry picked from commit c0b2615a9c0b4a4be1bffe45681a32915449279d)
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 1015 +++++++++++++++++
- .../EnrollDefaultKeys/EnrollDefaultKeys.inf   |   52 +
- OvmfPkg/OvmfPkgIa32.dsc                       |    4 +
- OvmfPkg/OvmfPkgIa32X64.dsc                    |    4 +
- OvmfPkg/OvmfPkgX64.dsc                        |    4 +
- 5 files changed, 1079 insertions(+)
- create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
- create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
-
-diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
-new file mode 100644
-index 0000000000..dd413df12d
---- /dev/null
-+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
-@@ -0,0 +1,1015 @@
-+/** @file
-+  Enroll default PK, KEK, DB.
-+
-+  Copyright (C) 2014, Red Hat, Inc.
-+
-+  This program and the accompanying materials are licensed and made available
-+  under the terms and conditions of the BSD License which accompanies this
-+  distribution. The full text of the license may be found at
-+  http://opensource.org/licenses/bsd-license.
-+
-+  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
-+  WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-+**/
-+#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
-+#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
-+#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
-+#include <Library/BaseMemoryLib.h>               // CopyGuid()
-+#include <Library/DebugLib.h>                    // ASSERT()
-+#include <Library/MemoryAllocationLib.h>         // FreePool()
-+#include <Library/ShellCEntryLib.h>              // ShellAppMain()
-+#include <Library/UefiLib.h>                     // AsciiPrint()
-+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
-+
-+//
-+// We'll use the certificate below as both Platform Key and as first Key
-+// Exchange Key.
-+//
-+// "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
-+// SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
-+//
-+STATIC CONST UINT8 RedHatPkKek1[] = {
-+  0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, 0x02,
-+  0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, 0x0d,
-+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
-+  0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22,
-+  0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
-+  0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45,
-+  0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06,
-+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73,
-+  0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61,
-+  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
-+  0x33, 0x31, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, 0x37,
-+  0x31, 0x30, 0x32, 0x35, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x30, 0x51,
-+  0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x52, 0x65,
-+  0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20,
-+  0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45, 0x4b, 0x20,
-+  0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a,
-+  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,
-+  0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, 0x2e,
-+  0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
-+  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
-+  0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x90, 0x1f, 0x84,
-+  0x7b, 0x8d, 0xbc, 0xeb, 0x97, 0x26, 0x82, 0x6d, 0x88, 0xab, 0x8a, 0xc9, 0x8c,
-+  0x68, 0x70, 0xf9, 0xdf, 0x4b, 0x07, 0xb2, 0x37, 0x83, 0x0b, 0x02, 0xc8, 0x67,
-+  0x68, 0x30, 0x9e, 0xe3, 0xf0, 0xf0, 0x99, 0x4a, 0xb8, 0x59, 0x57, 0xc6, 0x41,
-+  0xf6, 0x38, 0x8b, 0xfe, 0x66, 0x4c, 0x49, 0xe9, 0x37, 0x37, 0x92, 0x2e, 0x98,
-+  0x01, 0x1e, 0x5b, 0x14, 0x50, 0xe6, 0xa8, 0x8d, 0x25, 0x0d, 0xf5, 0x86, 0xe6,
-+  0xab, 0x30, 0xcb, 0x40, 0x16, 0xea, 0x8d, 0x8b, 0x16, 0x86, 0x70, 0x43, 0x37,
-+  0xf2, 0xce, 0xc0, 0x91, 0xdf, 0x71, 0x14, 0x8e, 0x99, 0x0e, 0x89, 0xb6, 0x4c,
-+  0x6d, 0x24, 0x1e, 0x8c, 0xe4, 0x2f, 0x4f, 0x25, 0xd0, 0xba, 0x06, 0xf8, 0xc6,
-+  0xe8, 0x19, 0x18, 0x76, 0x73, 0x1d, 0x81, 0x6d, 0xa8, 0xd8, 0x05, 0xcf, 0x3a,
-+  0xc8, 0x7b, 0x28, 0xc8, 0x36, 0xa3, 0x16, 0x0d, 0x29, 0x8c, 0x99, 0x9a, 0x68,
-+  0xdc, 0xab, 0xc0, 0x4d, 0x8d, 0xbf, 0x5a, 0xbb, 0x2b, 0xa9, 0x39, 0x4b, 0x04,
-+  0x97, 0x1c, 0xf9, 0x36, 0xbb, 0xc5, 0x3a, 0x86, 0x04, 0xae, 0xaf, 0xd4, 0x82,
-+  0x7b, 0xe0, 0xab, 0xde, 0x49, 0x05, 0x68, 0xfc, 0xf6, 0xae, 0x68, 0x1a, 0x6c,
-+  0x90, 0x4d, 0x57, 0x19, 0x3c, 0x64, 0x66, 0x03, 0xf6, 0xc7, 0x52, 0x9b, 0xf7,
-+  0x94, 0xcf, 0x93, 0x6a, 0xa1, 0x68, 0xc9, 0xaa, 0xcf, 0x99, 0x6b, 0xbc, 0xaa,
-+  0x5e, 0x08, 0xe7, 0x39, 0x1c, 0xf7, 0xf8, 0x0f, 0xba, 0x06, 0x7e, 0xf1, 0xcb,
-+  0xe8, 0x76, 0xdd, 0xfe, 0x22, 0xda, 0xad, 0x3a, 0x5e, 0x5b, 0x34, 0xea, 0xb3,
-+  0xc9, 0xe0, 0x4d, 0x04, 0x29, 0x7e, 0xb8, 0x60, 0xb9, 0x05, 0xef, 0xb5, 0xd9,
-+  0x17, 0x58, 0x56, 0x16, 0x60, 0xb9, 0x30, 0x32, 0xf0, 0x36, 0x4a, 0xc3, 0xf2,
-+  0x79, 0x8d, 0x12, 0x40, 0x70, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x7b,
-+  0x30, 0x79, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00,
-+  0x30, 0x2c, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x0d,
-+  0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, 0x47,
-+  0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72, 0x74,
-+  0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
-+  0x0e, 0x04, 0x16, 0x04, 0x14, 0x3c, 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a,
-+  0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42, 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30,
-+  0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x3c,
-+  0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a, 0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42,
-+  0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
-+  0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
-+  0x5c, 0x4d, 0x92, 0x88, 0xb4, 0x82, 0x5f, 0x1d, 0xad, 0x8b, 0x11, 0xec, 0xdf,
-+  0x06, 0xa6, 0x7a, 0xa5, 0x2b, 0x9f, 0x37, 0x55, 0x0c, 0x8d, 0x6e, 0x05, 0x00,
-+  0xad, 0xb7, 0x0c, 0x41, 0x89, 0x69, 0xcf, 0xd6, 0x65, 0x06, 0x9b, 0x51, 0x78,
-+  0xd2, 0xad, 0xc7, 0xbf, 0x9c, 0xdc, 0x05, 0x73, 0x7f, 0xe7, 0x1e, 0x39, 0x13,
-+  0xb4, 0xea, 0xb6, 0x30, 0x7d, 0x40, 0x75, 0xab, 0x9c, 0x43, 0x0b, 0xdf, 0xb0,
-+  0xc2, 0x1b, 0xbf, 0x30, 0xe0, 0xf4, 0xfe, 0xc0, 0xdb, 0x62, 0x21, 0x98, 0xf6,
-+  0xc5, 0xaf, 0xde, 0x3b, 0x4f, 0x49, 0x0a, 0xe6, 0x1e, 0xf9, 0x86, 0xb0, 0x3f,
-+  0x0d, 0xd6, 0xd4, 0x46, 0x37, 0xdb, 0x54, 0x74, 0x5e, 0xff, 0x11, 0xc2, 0x60,
-+  0xc6, 0x70, 0x58, 0xc5, 0x1c, 0x6f, 0xec, 0xb2, 0xd8, 0x6e, 0x6f, 0xc3, 0xbc,
-+  0x33, 0x87, 0x38, 0xa4, 0xf3, 0x44, 0x64, 0x9c, 0x34, 0x3b, 0x28, 0x94, 0x26,
-+  0x78, 0x27, 0x9f, 0x16, 0x17, 0xe8, 0x3b, 0x69, 0x0a, 0x25, 0xa9, 0x73, 0x36,
-+  0x7e, 0x9e, 0x37, 0x5c, 0xec, 0xe8, 0x3f, 0xdb, 0x91, 0xf9, 0x12, 0xb3, 0x3d,
-+  0xce, 0xe7, 0xdd, 0x15, 0xc3, 0xae, 0x8c, 0x05, 0x20, 0x61, 0x9b, 0x95, 0xde,
-+  0x9b, 0xaf, 0xfa, 0xb1, 0x5c, 0x1c, 0xe5, 0x97, 0xe7, 0xc3, 0x34, 0x11, 0x85,
-+  0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, 0x90,
-+  0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, 0xaf,
-+  0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, 0x37,
-+  0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, 0xb7,
-+  0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, 0x43,
-+  0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69
-+};
-+
-+//
-+// Second KEK: "Microsoft Corporation KEK CA 2011".
-+// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
-+//
-+// "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
-+//
-+STATIC CONST UINT8 MicrosoftKEK[] = {
-+  0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
-+  0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
-+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
-+  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
-+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
-+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
-+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
-+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
-+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
-+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
-+  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
-+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
-+  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
-+  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
-+  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
-+  0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32,
-+  0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, 0x30,
-+  0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-+  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
-+  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
-+  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
-+  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
-+  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
-+  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06,
-+  0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
-+  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
-+  0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31,
-+  0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
-+  0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
-+  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, 0xad,
-+  0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, 0x5d,
-+  0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, 0xeb,
-+  0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, 0xe3,
-+  0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, 0x9b,
-+  0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, 0xac,
-+  0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, 0xc8,
-+  0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, 0xc0,
-+  0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, 0xe2,
-+  0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, 0x89,
-+  0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, 0xc2,
-+  0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, 0x03,
-+  0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, 0x7e,
-+  0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, 0xeb,
-+  0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, 0x2f,
-+  0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, 0xaa,
-+  0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, 0x9f,
-+  0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, 0xc6,
-+  0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, 0xaf,
-+  0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, 0x07,
-+  0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, 0x30,
-+  0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
-+  0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,
-+  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, 0xa4,
-+  0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, 0x5f,
-+  0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02,
-+  0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
-+  0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01,
-+  0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
-+  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
-+  0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, 0x11,
-+  0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, 0x30,
-+  0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, 0xa0,
-+  0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
-+  0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e,
-+  0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70,
-+  0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f,
-+  0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f,
-+  0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63,
-+  0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01,
-+  0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
-+  0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
-+  0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
-+  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, 0x74,
-+  0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61,
-+  0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d,
-+  0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09,
-+  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
-+  0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, 0x2a,
-+  0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, 0x66,
-+  0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, 0x5a,
-+  0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, 0x64,
-+  0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, 0x58,
-+  0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, 0xd0,
-+  0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, 0xf5,
-+  0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, 0xec,
-+  0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, 0xd7,
-+  0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, 0x28,
-+  0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, 0x79,
-+  0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, 0x7b,
-+  0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, 0xd8,
-+  0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, 0x19,
-+  0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, 0x58,
-+  0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, 0x0d,
-+  0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, 0x2d,
-+  0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, 0xc8,
-+  0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, 0x60,
-+  0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, 0xac,
-+  0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, 0x87,
-+  0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, 0xcd,
-+  0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, 0x81,
-+  0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, 0x92,
-+  0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, 0xe0,
-+  0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, 0xaf,
-+  0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, 0xfb,
-+  0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, 0x68,
-+  0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, 0xad,
-+  0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, 0x82,
-+  0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, 0x14,
-+  0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, 0x4f,
-+  0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, 0x9b,
-+  0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, 0xb0,
-+  0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
-+  0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
-+  0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
-+  0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
-+  0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
-+  0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
-+};
-+
-+//
-+// First DB entry: "Microsoft Windows Production PCA 2011"
-+// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
-+//
-+// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
-+// rooted in this certificate.
-+//
-+STATIC CONST UINT8 MicrosoftPCA[] = {
-+  0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
-+  0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
-+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
-+  0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
-+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
-+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
-+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
-+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
-+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
-+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30,
-+  0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f,
-+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72,
-+  0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
-+  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17,
-+  0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, 0x32,
-+  0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, 0x31,
-+  0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
-+  0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
-+  0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f,
-+  0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52,
-+  0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55,
-+  0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
-+  0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31,
-+  0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, 0x63,
-+  0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77,
-+  0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20,
-+  0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30,
-+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
-+  0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
-+  0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, 0xf7,
-+  0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, 0xcb,
-+  0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, 0x8b,
-+  0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, 0xe3,
-+  0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, 0xc0,
-+  0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, 0x74,
-+  0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, 0x67,
-+  0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, 0x53,
-+  0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, 0x23,
-+  0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, 0xa3,
-+  0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, 0xff,
-+  0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, 0xe2,
-+  0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, 0x22,
-+  0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, 0xf3,
-+  0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, 0x2b,
-+  0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, 0xbc,
-+  0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, 0xd6,
-+  0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, 0xe8,
-+  0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, 0xa8,
-+  0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, 0x03,
-+  0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, 0x10,
-+  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
-+  0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
-+  0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, 0xf9,
-+  0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, 0x2b,
-+  0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00,
-+  0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03,
-+  0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03,
-+  0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
-+  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
-+  0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, 0x94,
-+  0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, 0x1d,
-+  0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, 0x45,
-+  0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69,
-+  0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
-+  0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63,
-+  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41,
-+  0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33,
-+  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
-+  0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
-+  0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, 0x3a,
-+  0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
-+  0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65,
-+  0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72,
-+  0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32,
-+  0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
-+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x14,
-+  0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, 0xbc,
-+  0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, 0xd0,
-+  0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, 0x61,
-+  0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, 0xda,
-+  0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, 0x6a,
-+  0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, 0xe2,
-+  0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, 0xea,
-+  0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, 0x30,
-+  0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, 0x86,
-+  0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, 0xc8,
-+  0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, 0xae,
-+  0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, 0xb8,
-+  0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, 0xac,
-+  0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, 0x84,
-+  0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, 0x73,
-+  0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, 0x73,
-+  0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, 0x60,
-+  0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, 0xb6,
-+  0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, 0x2a,
-+  0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, 0xba,
-+  0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, 0xce,
-+  0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, 0x0f,
-+  0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, 0x6e,
-+  0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, 0xd3,
-+  0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, 0x45,
-+  0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, 0xd0,
-+  0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, 0x24,
-+  0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, 0x2c,
-+  0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, 0xdf,
-+  0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, 0x6c,
-+  0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, 0xf2,
-+  0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, 0x5c,
-+  0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, 0x47,
-+  0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, 0x5a,
-+  0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
-+  0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
-+  0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
-+  0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
-+  0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
-+  0x62, 0x1c, 0x59, 0x7e
-+};
-+
-+//
-+// Second DB entry: "Microsoft Corporation UEFI CA 2011"
-+// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
-+//
-+// To verify the "shim" binary and PCI expansion ROMs with.
-+//
-+STATIC CONST UINT8 MicrosoftUefiCA[] = {
-+  0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
-+  0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
-+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
-+  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
-+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
-+  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
-+  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
-+  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
-+  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
-+  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
-+  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
-+  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
-+  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
-+  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
-+  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
-+  0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x32,
-+  0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30,
-+  0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-+  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
-+  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
-+  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
-+  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
-+  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
-+  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, 0x06,
-+  0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
-+  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
-+  0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31,
-+  0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
-+  0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
-+  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, 0xc7,
-+  0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, 0x43,
-+  0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, 0x73,
-+  0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, 0xd3,
-+  0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, 0x54,
-+  0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, 0x5c,
-+  0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, 0x4f,
-+  0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, 0xae,
-+  0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, 0x1d,
-+  0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, 0xfa,
-+  0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, 0xff,
-+  0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, 0x7b,
-+  0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, 0xe6,
-+  0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, 0x62,
-+  0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, 0x08,
-+  0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, 0xe7,
-+  0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, 0xb2,
-+  0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, 0x7f,
-+  0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, 0x8b,
-+  0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, 0x6a,
-+  0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x76,
-+  0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01,
-+  0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x23,
-+  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, 0x16,
-+  0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, 0x37,
-+  0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, 0x03,
-+  0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, 0xbd,
-+  0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, 0x1b,
-+  0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14,
-+  0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43,
-+  0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
-+  0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
-+  0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
-+  0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58,
-+  0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8,
-+  0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51,
-+  0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
-+  0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
-+  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f,
-+  0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43,
-+  0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f,
-+  0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e,
-+  0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
-+  0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01,
-+  0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
-+  0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
-+  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72,
-+  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50,
-+  0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30,
-+  0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06,
-+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
-+  0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, 0x76,
-+  0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, 0xef,
-+  0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, 0x13,
-+  0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, 0x82,
-+  0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, 0x1a,
-+  0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, 0x20,
-+  0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, 0x90,
-+  0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, 0x52,
-+  0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, 0x6d,
-+  0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, 0xaf,
-+  0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, 0x49,
-+  0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, 0x34,
-+  0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, 0x75,
-+  0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, 0xb9,
-+  0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, 0x8f,
-+  0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, 0x8c,
-+  0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, 0x56,
-+  0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, 0xae,
-+  0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, 0x4a,
-+  0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, 0x3c,
-+  0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, 0x59,
-+  0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, 0x3d,
-+  0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, 0x53,
-+  0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, 0x1b,
-+  0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, 0x98,
-+  0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, 0x85,
-+  0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, 0xd2,
-+  0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, 0xe2,
-+  0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, 0x6c,
-+  0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, 0x3b,
-+  0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, 0x27,
-+  0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, 0xa6,
-+  0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, 0x3f,
-+  0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, 0x55,
-+  0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
-+  0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
-+  0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
-+  0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
-+  0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
-+  0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
-+};
-+
-+//
-+// The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test case
-+// of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit
-+// expects that the "dbx" variable exist.
-+//
-+// The article at <https://technet.microsoft.com/en-us/library/dn747883.aspx>
-+// writes (excerpt):
-+//
-+//    Windows 8.1 Secure Boot Key Creation and Management Guidance
-+//    1. Secure Boot, Windows 8.1 and Key Management
-+//    1.4 Signature Databases (Db and Dbx)
-+//    1.4.3 Forbidden Signature Database (dbx)
-+//
-+//    The contents of EFI_IMAGE_SIGNATURE_DATABASE1 dbx must be checked when
-+//    verifying images before checking db and any matches must prevent the
-+//    image from executing. The database may contain multiple certificates,
-+//    keys, and hashes in order to identify forbidden images. The Windows
-+//    Hardware Certification Requirements state that a dbx must be present, so
-+//    any dummy value, such as the SHA-256 hash of 0, may be used as a safe
-+//    placeholder until such time as Microsoft begins delivering dbx updates.
-+//
-+// The byte array below captures the SHA256 checksum of the empty file,
-+// blacklisting it for loading & execution. This qualifies as a dummy, since
-+// the empty file is not a valid UEFI binary anyway.
-+//
-+// Technically speaking, we could also capture an official (although soon to be
-+// obsolete) dbx update from <http://www.uefi.org/revocationlistfile>. However,
-+// the terms and conditions on distributing that binary aren't exactly light
-+// reading, so let's best steer clear of it, and follow the "dummy entry"
-+// practice recommended -- in natural English langauge -- in the
-+// above-referenced TechNet article.
-+//
-+STATIC CONST UINT8 mSha256OfDevNull[] = {
-+  0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99,
-+  0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95,
-+  0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
-+};
-+
-+//
-+// The following test cases of the Secure Boot Logo Test in the Microsoft
-+// Hardware Certification Kit:
-+//
-+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
-+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
-+//
-+// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
-+// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
-+// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
-+// certificates:
-+//
-+// - "Microsoft Corporation KEK CA 2011" (in KEK)
-+// - "Microsoft Windows Production PCA 2011" (in db)
-+// - "Microsoft Corporation UEFI CA 2011" (in db)
-+//
-+// This is despite the fact that the UEFI specification requires
-+// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
-+// application or driver) that enrolled and therefore owns
-+// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
-+// EFI_SIGNATURE_DATA.SignatureData.
-+//
-+STATIC CONST EFI_GUID mMicrosoftOwnerGuid = {
-+  0x77fa9abd, 0x0359, 0x4d32,
-+  { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
-+};
-+
-+//
-+// The most important thing about the variable payload is that it is a list of
-+// lists, where the element size of any given *inner* list is constant.
-+//
-+// Since X509 certificates vary in size, each of our *inner* lists will contain
-+// one element only (one X.509 certificate). This is explicitly mentioned in
-+// the UEFI specification, in "28.4.1 Signature Database", in a Note.
-+//
-+// The list structure looks as follows:
-+//
-+// struct EFI_VARIABLE_AUTHENTICATION_2 {                           |
-+//   struct EFI_TIME {                                              |
-+//     UINT16 Year;                                                 |
-+//     UINT8  Month;                                                |
-+//     UINT8  Day;                                                  |
-+//     UINT8  Hour;                                                 |
-+//     UINT8  Minute;                                               |
-+//     UINT8  Second;                                               |
-+//     UINT8  Pad1;                                                 |
-+//     UINT32 Nanosecond;                                           |
-+//     INT16  TimeZone;                                             |
-+//     UINT8  Daylight;                                             |
-+//     UINT8  Pad2;                                                 |
-+//   } TimeStamp;                                                   |
-+//                                                                  |
-+//   struct WIN_CERTIFICATE_UEFI_GUID {                           | |
-+//     struct WIN_CERTIFICATE {                                   | |
-+//       UINT32 dwLength; ----------------------------------------+ |
-+//       UINT16 wRevision;                                        | |
-+//       UINT16 wCertificateType;                                 | |
-+//     } Hdr;                                                     | +- DataSize
-+//                                                                | |
-+//     EFI_GUID CertType;                                         | |
-+//     UINT8    CertData[1] = { <--- "struct hack"                | |
-+//       struct EFI_SIGNATURE_LIST {                            | | |
-+//         EFI_GUID SignatureType;                              | | |
-+//         UINT32   SignatureListSize; -------------------------+ | |
-+//         UINT32   SignatureHeaderSize;                        | | |
-+//         UINT32   SignatureSize; ---------------------------+ | | |
-+//         UINT8    SignatureHeader[SignatureHeaderSize];     | | | |
-+//                                                            v | | |
-+//         struct EFI_SIGNATURE_DATA {                        | | | |
-+//           EFI_GUID SignatureOwner;                         | | | |
-+//           UINT8    SignatureData[1] = { <--- "struct hack" | | | |
-+//             X.509 payload                                  | | | |
-+//           }                                                | | | |
-+//         } Signatures[];                                      | | |
-+//       } SigLists[];                                            | |
-+//     };                                                         | |
-+//   } AuthInfo;                                                  | |
-+// };                                                               |
-+//
-+// Given that the "struct hack" invokes undefined behavior (which is why C99
-+// introduced the flexible array member), and because subtracting those pesky
-+// sizes of 1 is annoying, and because the format is fully specified in the
-+// UEFI specification, we'll introduce two matching convenience structures that
-+// are customized for our X.509 purposes.
-+//
-+#pragma pack(1)
-+typedef struct {
-+  EFI_TIME TimeStamp;
-+
-+  //
-+  // dwLength covers data below
-+  //
-+  UINT32   dwLength;
-+  UINT16   wRevision;
-+  UINT16   wCertificateType;
-+  EFI_GUID CertType;
-+} SINGLE_HEADER;
-+
-+typedef struct {
-+  //
-+  // SignatureListSize covers data below
-+  //
-+  EFI_GUID SignatureType;
-+  UINT32   SignatureListSize;
-+  UINT32   SignatureHeaderSize; // constant 0
-+  UINT32   SignatureSize;
-+
-+  //
-+  // SignatureSize covers data below
-+  //
-+  EFI_GUID SignatureOwner;
-+
-+  //
-+  // X.509 certificate follows
-+  //
-+} REPEATING_HEADER;
-+#pragma pack()
-+
-+/**
-+  Enroll a set of certificates in a global variable, overwriting it.
-+
-+  The variable will be rewritten with NV+BS+RT+AT attributes.
-+
-+  @param[in] VariableName  The name of the variable to overwrite.
-+
-+  @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
-+                           overwrite.
-+
-+  @param[in] CertType      The GUID determining the type of all the
-+                           certificates in the set that is passed in. For
-+                           example, gEfiCertX509Guid stands for DER-encoded
-+                           X.509 certificates, while gEfiCertSha256Guid stands
-+                           for SHA256 image hashes.
-+
-+  @param[in] ...           A list of
-+
-+                             IN CONST UINT8    *Cert,
-+                             IN UINTN          CertSize,
-+                             IN CONST EFI_GUID *OwnerGuid
-+
-+                           triplets. If the first component of a triplet is
-+                           NULL, then the other two components are not
-+                           accessed, and processing is terminated. The list of
-+                           certificates is enrolled in the variable specified,
-+                           overwriting it. The OwnerGuid component identifies
-+                           the agent installing the certificate.
-+
-+  @retval EFI_INVALID_PARAMETER  The triplet list is empty (ie. the first Cert
-+                                 value is NULL), or one of the CertSize values
-+                                 is 0, or one of the CertSize values would
-+                                 overflow the accumulated UINT32 data size.
-+
-+  @retval EFI_OUT_OF_RESOURCES   Out of memory while formatting variable
-+                                 payload.
-+
-+  @retval EFI_SUCCESS            Enrollment successful; the variable has been
-+                                 overwritten (or created).
-+
-+  @return                        Error codes from gRT->GetTime() and
-+                                 gRT->SetVariable().
-+**/
-+STATIC
-+EFI_STATUS
-+EFIAPI
-+EnrollListOfCerts (
-+  IN CHAR16   *VariableName,
-+  IN EFI_GUID *VendorGuid,
-+  IN EFI_GUID *CertType,
-+  ...
-+  )
-+{
-+  UINTN            DataSize;
-+  SINGLE_HEADER    *SingleHeader;
-+  REPEATING_HEADER *RepeatingHeader;
-+  VA_LIST          Marker;
-+  CONST UINT8      *Cert;
-+  EFI_STATUS       Status;
-+  UINT8            *Data;
-+  UINT8            *Position;
-+
-+  Status = EFI_SUCCESS;
-+
-+  //
-+  // compute total size first, for UINT32 range check, and allocation
-+  //
-+  DataSize = sizeof *SingleHeader;
-+  VA_START (Marker, CertType);
-+  for (Cert = VA_ARG (Marker, CONST UINT8 *);
-+       Cert != NULL;
-+       Cert = VA_ARG (Marker, CONST UINT8 *)) {
-+    UINTN          CertSize;
-+
-+    CertSize = VA_ARG (Marker, UINTN);
-+    (VOID)VA_ARG (Marker, CONST EFI_GUID *);
-+
-+    if (CertSize == 0 ||
-+        CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||
-+        DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {
-+      Status = EFI_INVALID_PARAMETER;
-+      break;
-+    }
-+    DataSize += sizeof *RepeatingHeader + CertSize;
-+  }
-+  VA_END (Marker);
-+
-+  if (DataSize == sizeof *SingleHeader) {
-+    Status = EFI_INVALID_PARAMETER;
-+  }
-+  if (EFI_ERROR (Status)) {
-+    goto Out;
-+  }
-+
-+  Data = AllocatePool (DataSize);
-+  if (Data == NULL) {
-+    Status = EFI_OUT_OF_RESOURCES;
-+    goto Out;
-+  }
-+
-+  Position = Data;
-+
-+  SingleHeader = (SINGLE_HEADER *)Position;
-+  Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);
-+  if (EFI_ERROR (Status)) {
-+    goto FreeData;
-+  }
-+  SingleHeader->TimeStamp.Pad1       = 0;
-+  SingleHeader->TimeStamp.Nanosecond = 0;
-+  SingleHeader->TimeStamp.TimeZone   = 0;
-+  SingleHeader->TimeStamp.Daylight   = 0;
-+  SingleHeader->TimeStamp.Pad2       = 0;
-+#if 0
-+  SingleHeader->dwLength         = DataSize - sizeof SingleHeader->TimeStamp;
-+#else
-+  //
-+  // This looks like a bug in edk2. According to the UEFI specification,
-+  // dwLength is "The length of the entire certificate, including the length of
-+  // the header, in bytes". That shouldn't stop right after CertType -- it
-+  // should include everything below it.
-+  //
-+  SingleHeader->dwLength         = sizeof *SingleHeader
-+                                     - sizeof SingleHeader->TimeStamp;
-+#endif
-+  SingleHeader->wRevision        = 0x0200;
-+  SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;
-+  CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);
-+  Position += sizeof *SingleHeader;
-+
-+  VA_START (Marker, CertType);
-+  for (Cert = VA_ARG (Marker, CONST UINT8 *);
-+       Cert != NULL;
-+       Cert = VA_ARG (Marker, CONST UINT8 *)) {
-+    UINTN            CertSize;
-+    CONST EFI_GUID   *OwnerGuid;
-+
-+    CertSize  = VA_ARG (Marker, UINTN);
-+    OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
-+
-+    RepeatingHeader = (REPEATING_HEADER *)Position;
-+    CopyGuid (&RepeatingHeader->SignatureType, CertType);
-+    RepeatingHeader->SignatureListSize   =
-+      (UINT32)(sizeof *RepeatingHeader + CertSize);
-+    RepeatingHeader->SignatureHeaderSize = 0;
-+    RepeatingHeader->SignatureSize       =
-+      (UINT32)(sizeof RepeatingHeader->SignatureOwner + CertSize);
-+    CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);
-+    Position += sizeof *RepeatingHeader;
-+
-+    CopyMem (Position, Cert, CertSize);
-+    Position += CertSize;
-+  }
-+  VA_END (Marker);
-+
-+  ASSERT (Data + DataSize == Position);
-+
-+  Status = gRT->SetVariable (VariableName, VendorGuid,
-+                  (EFI_VARIABLE_NON_VOLATILE |
-+                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
-+                   EFI_VARIABLE_RUNTIME_ACCESS |
-+                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
-+                  DataSize, Data);
-+
-+FreeData:
-+  FreePool (Data);
-+
-+Out:
-+  if (EFI_ERROR (Status)) {
-+    AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
-+      VendorGuid, Status);
-+  }
-+  return Status;
-+}
-+
-+
-+STATIC
-+EFI_STATUS
-+EFIAPI
-+GetExact (
-+  IN CHAR16   *VariableName,
-+  IN EFI_GUID *VendorGuid,
-+  OUT VOID    *Data,
-+  IN UINTN    DataSize,
-+  IN BOOLEAN  AllowMissing
-+  )
-+{
-+  UINTN      Size;
-+  EFI_STATUS Status;
-+
-+  Size = DataSize;
-+  Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);
-+  if (EFI_ERROR (Status)) {
-+    if (Status == EFI_NOT_FOUND && AllowMissing) {
-+      ZeroMem (Data, DataSize);
-+      return EFI_SUCCESS;
-+    }
-+
-+    AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,
-+      VendorGuid, Status);
-+    return Status;
-+  }
-+
-+  if (Size != DataSize) {
-+    AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
-+      "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
-+    return EFI_PROTOCOL_ERROR;
-+  }
-+
-+  return EFI_SUCCESS;
-+}
-+
-+typedef struct {
-+  UINT8 SetupMode;
-+  UINT8 SecureBoot;
-+  UINT8 SecureBootEnable;
-+  UINT8 CustomMode;
-+  UINT8 VendorKeys;
-+} SETTINGS;
-+
-+STATIC
-+EFI_STATUS
-+EFIAPI
-+GetSettings (
-+  OUT SETTINGS *Settings
-+  )
-+{
-+  EFI_STATUS Status;
-+
-+  Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
-+             &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
-+  if (EFI_ERROR (Status)) {
-+    return Status;
-+  }
-+
-+  Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,
-+             &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);
-+  if (EFI_ERROR (Status)) {
-+    return Status;
-+  }
-+
-+  Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,
-+             &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,
-+             sizeof Settings->SecureBootEnable, TRUE);
-+  if (EFI_ERROR (Status)) {
-+    return Status;
-+  }
-+
-+  Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
-+             &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);
-+  if (EFI_ERROR (Status)) {
-+    return Status;
-+  }
-+
-+  Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
-+             &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
-+  return Status;
-+}
-+
-+STATIC
-+VOID
-+EFIAPI
-+PrintSettings (
-+  IN CONST SETTINGS *Settings
-+  )
-+{
-+  AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
-+    "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
-+    Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
-+}
-+
-+
-+INTN
-+EFIAPI
-+ShellAppMain (
-+  IN UINTN  Argc,
-+  IN CHAR16 **Argv
-+  )
-+{
-+  EFI_STATUS Status;
-+  SETTINGS   Settings;
-+
-+  Status = GetSettings (&Settings);
-+  if (EFI_ERROR (Status)) {
-+    return 1;
-+  }
-+  PrintSettings (&Settings);
-+
-+  if (Settings.SetupMode != 1) {
-+    AsciiPrint ("error: already in User Mode\n");
-+    return 1;
-+  }
-+
-+  if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
-+    Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
-+    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
-+                    (EFI_VARIABLE_NON_VOLATILE |
-+                     EFI_VARIABLE_BOOTSERVICE_ACCESS),
-+                    sizeof Settings.CustomMode, &Settings.CustomMode);
-+    if (EFI_ERROR (Status)) {
-+      AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
-+        &gEfiCustomModeEnableGuid, Status);
-+      return 1;
-+    }
-+  }
-+
-+  Status = EnrollListOfCerts (
-+             EFI_IMAGE_SECURITY_DATABASE,
-+             &gEfiImageSecurityDatabaseGuid,
-+             &gEfiCertX509Guid,
-+             MicrosoftPCA,    sizeof MicrosoftPCA,    &mMicrosoftOwnerGuid,
-+             MicrosoftUefiCA, sizeof MicrosoftUefiCA, &mMicrosoftOwnerGuid,
-+             NULL);
-+  if (EFI_ERROR (Status)) {
-+    return 1;
-+  }
-+
-+  Status = EnrollListOfCerts (
-+             EFI_IMAGE_SECURITY_DATABASE1,
-+             &gEfiImageSecurityDatabaseGuid,
-+             &gEfiCertSha256Guid,
-+             mSha256OfDevNull, sizeof mSha256OfDevNull, &gEfiCallerIdGuid,
-+             NULL);
-+  if (EFI_ERROR (Status)) {
-+    return 1;
-+  }
-+
-+  Status = EnrollListOfCerts (
-+             EFI_KEY_EXCHANGE_KEY_NAME,
-+             &gEfiGlobalVariableGuid,
-+             &gEfiCertX509Guid,
-+             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiCallerIdGuid,
-+             MicrosoftKEK, sizeof MicrosoftKEK, &mMicrosoftOwnerGuid,
-+             NULL);
-+  if (EFI_ERROR (Status)) {
-+    return 1;
-+  }
-+
-+  Status = EnrollListOfCerts (
-+             EFI_PLATFORM_KEY_NAME,
-+             &gEfiGlobalVariableGuid,
-+             &gEfiCertX509Guid,
-+             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiGlobalVariableGuid,
-+             NULL);
-+  if (EFI_ERROR (Status)) {
-+    return 1;
-+  }
-+
-+  Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
-+  Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
-+                  EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
-+                  sizeof Settings.CustomMode, &Settings.CustomMode);
-+  if (EFI_ERROR (Status)) {
-+    AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
-+      &gEfiCustomModeEnableGuid, Status);
-+    return 1;
-+  }
-+
-+  Status = GetSettings (&Settings);
-+  if (EFI_ERROR (Status)) {
-+    return 1;
-+  }
-+  PrintSettings (&Settings);
-+
-+  if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
-+      Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
-+      Settings.VendorKeys != 0) {
-+    AsciiPrint ("error: unexpected\n");
-+    return 1;
-+  }
-+
-+  AsciiPrint ("info: success\n");
-+  return 0;
-+}
-diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
-new file mode 100644
-index 0000000000..0ad86a2843
---- /dev/null
-+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
-@@ -0,0 +1,52 @@
-+## @file
-+#  Enroll default PK, KEK, DB.
-+#
-+#  Copyright (C) 2014, Red Hat, Inc.
-+#
-+#  This program and the accompanying materials are licensed and made available
-+#  under the terms and conditions of the BSD License which accompanies this
-+#  distribution. The full text of the license may be found at
-+#  http://opensource.org/licenses/bsd-license.
-+#
-+#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-+#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
-+#  IMPLIED.
-+##
-+
-+[Defines]
-+  INF_VERSION                    = 0x00010006
-+  BASE_NAME                      = EnrollDefaultKeys
-+  FILE_GUID                      = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
-+  MODULE_TYPE                    = UEFI_APPLICATION
-+  VERSION_STRING                 = 0.1
-+  ENTRY_POINT                    = ShellCEntryLib
-+
-+#
-+#  VALID_ARCHITECTURES           = IA32 X64
-+#
-+
-+[Sources]
-+  EnrollDefaultKeys.c
-+
-+[Packages]
-+  MdePkg/MdePkg.dec
-+  MdeModulePkg/MdeModulePkg.dec
-+  SecurityPkg/SecurityPkg.dec
-+  ShellPkg/ShellPkg.dec
-+
-+[Guids]
-+  gEfiCertPkcs7Guid
-+  gEfiCertSha256Guid
-+  gEfiCertX509Guid
-+  gEfiCustomModeEnableGuid
-+  gEfiGlobalVariableGuid
-+  gEfiImageSecurityDatabaseGuid
-+  gEfiSecureBootEnableDisableGuid
-+
-+[LibraryClasses]
-+  BaseMemoryLib
-+  DebugLib
-+  MemoryAllocationLib
-+  ShellCEntryLib
-+  UefiLib
-+  UefiRuntimeServicesTableLib
-diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
-index 702d3a86c4..877f0fc83c 100644
---- a/OvmfPkg/OvmfPkgIa32.dsc
-+++ b/OvmfPkg/OvmfPkgIa32.dsc
-@@ -873,6 +873,10 @@
- 
- !if $(SECURE_BOOT_ENABLE) == TRUE
-   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
-+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
-+    <LibraryClasses>
-+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
-+  }
- !endif
- 
-   OvmfPkg/PlatformDxe/Platform.inf
-diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
-index 46bc3a0b77..6ff2121122 100644
---- a/OvmfPkg/OvmfPkgIa32X64.dsc
-+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
-@@ -882,6 +882,10 @@
- 
- !if $(SECURE_BOOT_ENABLE) == TRUE
-   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
-+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
-+    <LibraryClasses>
-+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
-+  }
- !endif
- 
-   OvmfPkg/PlatformDxe/Platform.inf
-diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
-index 31c5933016..12676f5ba6 100644
---- a/OvmfPkg/OvmfPkgX64.dsc
-+++ b/OvmfPkg/OvmfPkgX64.dsc
-@@ -880,6 +880,10 @@
- 
- !if $(SECURE_BOOT_ENABLE) == TRUE
-   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
-+  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
-+    <LibraryClasses>
-+      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
-+  }
- !endif
- 
-   OvmfPkg/PlatformDxe/Platform.inf
diff --git a/0015-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch b/0014-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
similarity index 90%
rename from 0015-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
rename to 0014-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
index 23a2de2..134e8b2 100644
--- a/0015-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
+++ b/0014-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
@@ -1,4 +1,4 @@
-From b317a290531118f54808ebe015ee1957262fdced Mon Sep 17 00:00:00 2001
+From d0d66aef08ebf250a33f2ef431dc86e5ba4390cd Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
 Date: Wed, 14 Oct 2015 13:59:20 +0200
 Subject: [PATCH] ArmPlatformPkg: PrePeiCore: write early hello message to the
@@ -35,10 +35,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  5 files changed, 15 insertions(+)
 
 diff --git a/ArmPlatformPkg/PrePeiCore/MainMPCore.c b/ArmPlatformPkg/PrePeiCore/MainMPCore.c
-index dc47adbaff..cbd72232c7 100644
+index d379ad8b7a..ff1672f94d 100644
 --- a/ArmPlatformPkg/PrePeiCore/MainMPCore.c
 +++ b/ArmPlatformPkg/PrePeiCore/MainMPCore.c
-@@ -117,6 +117,11 @@ PrimaryMain (
+@@ -111,6 +111,11 @@ PrimaryMain (
    UINTN                       TemporaryRamBase;
    UINTN                       TemporaryRamSize;
  
@@ -51,10 +51,10 @@ index dc47adbaff..cbd72232c7 100644
  
    // Enable the GIC Distributor
 diff --git a/ArmPlatformPkg/PrePeiCore/MainUniCore.c b/ArmPlatformPkg/PrePeiCore/MainUniCore.c
-index 134a469427..af39fc017c 100644
+index 1500d2bd51..5b0790beac 100644
 --- a/ArmPlatformPkg/PrePeiCore/MainUniCore.c
 +++ b/ArmPlatformPkg/PrePeiCore/MainUniCore.c
-@@ -35,6 +35,11 @@ PrimaryMain (
+@@ -29,6 +29,11 @@ PrimaryMain (
    UINTN                       TemporaryRamBase;
    UINTN                       TemporaryRamSize;
  
@@ -67,10 +67,10 @@ index 134a469427..af39fc017c 100644
  
    // Adjust the Temporary Ram as the new Ppi List (Common + Platform Ppi Lists) is created at
 diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCore.h b/ArmPlatformPkg/PrePeiCore/PrePeiCore.h
-index 160894620c..bf843d7768 100644
+index 7140c7f5b5..1d69a2b468 100644
 --- a/ArmPlatformPkg/PrePeiCore/PrePeiCore.h
 +++ b/ArmPlatformPkg/PrePeiCore/PrePeiCore.h
-@@ -21,6 +21,7 @@
+@@ -15,6 +15,7 @@
  #include <Library/DebugLib.h>
  #include <Library/IoLib.h>
  #include <Library/PcdLib.h>
@@ -79,10 +79,10 @@ index 160894620c..bf843d7768 100644
  #include <PiPei.h>
  #include <Ppi/TemporaryRamSupport.h>
 diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf b/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
-index e3a31fa7c6..1bc0c45420 100644
+index 0e112710dc..9a5ba1adcb 100644
 --- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
 +++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
-@@ -72,6 +72,8 @@
+@@ -66,6 +66,8 @@
    gArmPlatformTokenSpaceGuid.PcdCPUCorePrimaryStackSize
    gArmPlatformTokenSpaceGuid.PcdCPUCoreSecondaryStackSize
  
@@ -92,10 +92,10 @@ index e3a31fa7c6..1bc0c45420 100644
    gArmTokenSpaceGuid.PcdGicInterruptInterfaceBase
    gArmTokenSpaceGuid.PcdGicSgiIntId
 diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf b/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
-index ec83cec2d8..20698fcfac 100644
+index c163a818c4..652260e6ab 100644
 --- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
 +++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
-@@ -71,3 +71,5 @@
+@@ -65,3 +65,5 @@
    gArmPlatformTokenSpaceGuid.PcdCPUCoreSecondaryStackSize
  
    gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack
diff --git a/0016-ArmVirtPkg-set-early-hello-message-RH-only.patch b/0015-ArmVirtPkg-set-early-hello-message-RH-only.patch
similarity index 90%
rename from 0016-ArmVirtPkg-set-early-hello-message-RH-only.patch
rename to 0015-ArmVirtPkg-set-early-hello-message-RH-only.patch
index d667a2f..2945d9c 100644
--- a/0016-ArmVirtPkg-set-early-hello-message-RH-only.patch
+++ b/0015-ArmVirtPkg-set-early-hello-message-RH-only.patch
@@ -1,4 +1,4 @@
-From 48efc8ca8b083936939d679e8b489dea97bcf695 Mon Sep 17 00:00:00 2001
+From 127d7ebe3107a6d0846c19f9c4587098ef96864d Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
 Date: Wed, 14 Oct 2015 14:07:17 +0200
 Subject: [PATCH] ArmVirtPkg: set early hello message (RH only)
@@ -27,10 +27,10 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
-index 9a2b861fae..dd644b181e 100644
+index ccbadffd65..6254900644 100644
 --- a/ArmVirtPkg/ArmVirtQemu.dsc
 +++ b/ArmVirtPkg/ArmVirtQemu.dsc
-@@ -94,6 +94,7 @@
+@@ -105,6 +105,7 @@
    gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
  
  [PcdsFixedAtBuild.common]
diff --git a/0099-Tweak-the-tools_def-to-support-cross-compiling.patch b/0016-Tweak-the-tools_def-to-support-cross-compiling.patch
similarity index 93%
rename from 0099-Tweak-the-tools_def-to-support-cross-compiling.patch
rename to 0016-Tweak-the-tools_def-to-support-cross-compiling.patch
index ef2f30a..4068498 100644
--- a/0099-Tweak-the-tools_def-to-support-cross-compiling.patch
+++ b/0016-Tweak-the-tools_def-to-support-cross-compiling.patch
@@ -1,4 +1,4 @@
-From 70e4530eefdb2cecc37fff91235e716ed76f2da2 Mon Sep 17 00:00:00 2001
+From 32c885fe4a0c410d17968565cf759798f9f0067b Mon Sep 17 00:00:00 2001
 From: Paolo Bonzini <pbonzini@redhat.com>
 Date: Thu, 16 Aug 2018 15:45:47 -0400
 Subject: [PATCH] Tweak the tools_def to support cross-compiling.
@@ -12,10 +12,10 @@ Signed-off-by: Cole Robinson <crobinso@redhat.com>
  1 file changed, 22 insertions(+), 22 deletions(-)
 
 diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template
-index 7bf682ffa9..ad1bbcbdc6 100755
+index 26a2cf604f..ab4aced67c 100755
 --- a/BaseTools/Conf/tools_def.template
 +++ b/BaseTools/Conf/tools_def.template
-@@ -3517,17 +3517,17 @@ RELEASE_GCC49_AARCH64_DLINK_XIPFLAGS = -z common-page-size=0x20
+@@ -2114,17 +2114,17 @@ RELEASE_GCC49_AARCH64_DLINK_XIPFLAGS = -z common-page-size=0x20
  ##################
  # GCC5 IA32 definitions
  ##################
@@ -44,7 +44,7 @@ index 7bf682ffa9..ad1bbcbdc6 100755
  
  *_GCC5_IA32_ASLCC_FLAGS          = DEF(GCC5_ASLCC_FLAGS) -m32
  *_GCC5_IA32_ASLDLINK_FLAGS       = DEF(GCC5_IA32_X64_ASLDLINK_FLAGS) -Wl,-m,elf_i386 -no-pie
-@@ -3549,17 +3549,17 @@ RELEASE_GCC5_IA32_DLINK_FLAGS    = DEF(GCC5_IA32_X64_DLINK_FLAGS) -flto -Os -Wl,
+@@ -2146,17 +2146,17 @@ RELEASE_GCC5_IA32_DLINK_FLAGS    = DEF(GCC5_IA32_X64_DLINK_FLAGS) -flto -Os -Wl,
  ##################
  # GCC5 X64 definitions
  ##################
diff --git a/edk2.spec b/edk2.spec
index d5df715..86df7fe 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -6,17 +6,18 @@
 # https://fedoraproject.org/wiki/Changes/Avoid_usr_bin_python_in_RPM_Build#Python_bytecompilation
 %global __python %{__python3}
 
-%global edk2_date        20180815
-%global edk2_githash     cb5f4f45ce
-%global openssl_version  1.1.0j
+
+# global edk2_date        20180815
+# global edk2_githash     cb5f4f45ce
+
+%global edk2_stable_date 201905
+%global edk2_stable_str  edk2-stable%{edk2_stable_date}
+%global openssl_version  1.1.1b
 %global qosb_version     1.1.3
+%global softfloat_version 20180726-gitb64af41
 
-# Even though edk2 stable releases are YYYYMM, we need
-# to use YYYMMDD to avoid needing to bump package epoch
-# due to previous 'git' Version:
-%global edk2_stable_date 20190308
-%global edk2_stable_str  edk2-stable201903
 
+%global skip_enroll 1
 %define qosb_testing 0
 
 %ifarch x86_64
@@ -49,7 +50,10 @@
 
 Name:           edk2
 #Version:       {edk2_date}git{edk2_githash}
-Version:        %{edk2_stable_date}stable
+# Even though edk2 stable releases are YYYYMM, we need
+# to use YYYMMDD to avoid needing to bump package epoch
+# due to previous 'git' Version:
+Version:        %{edk2_stable_date}01stable
 Release:        1%{dist}
 Summary:        EFI Development Kit II
 
@@ -62,6 +66,7 @@ Source0:        https://github.com/tianocore/edk2/archive/%{edk2_stable_str}.tar
 Source1:        openssl-%{openssl_version}-hobbled.tar.xz
 Source2:        ovmf-whitepaper-c770f8c.txt
 Source3:        https://github.com/puiterwijk/qemu-ovmf-secureboot/archive/v%{qosb_version}/qemu-ovmf-secureboot-%{qosb_version}.tar.gz
+Source4:        softfloat-%{softfloat_version}.tar.xz
 Source10:       hobble-openssl
 Source11:       build-iso.sh
 Source12:       update-tarball.sh
@@ -80,15 +85,13 @@ Patch0009: 0009-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
 Patch0010: 0010-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch
 Patch0011: 0011-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
 Patch0012: 0012-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch
-Patch0013: 0013-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
-Patch0014: 0014-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
-Patch0015: 0015-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
-Patch0016: 0016-ArmVirtPkg-set-early-hello-message-RH-only.patch
+Patch0013: 0013-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
+Patch0014: 0014-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
+Patch0015: 0015-ArmVirtPkg-set-early-hello-message-RH-only.patch
+Patch0016: 0016-Tweak-the-tools_def-to-support-cross-compiling.patch
+
 
 %if 0%{?cross:1}
-# Tweak the tools_def to support cross-compiling.
-# These files are meant for customization, so this is not upstream too.
-Patch0099: 0099-Tweak-the-tools_def-to-support-cross-compiling.patch
 %endif
 
 %if 0%{?fedora:1}
@@ -222,7 +225,6 @@ armv7 UEFI Firmware
 %prep
 %setup -q -n edk2-%{edk2_stable_str}
 
-
 # Ensure old shell and binary packages are not used
 rm -rf EdkShellBinPkg
 rm -rf EdkShellPkg
@@ -233,6 +235,8 @@ rm -rf ShellBinPkg
 cp -a -- %{SOURCE2} .
 # extract openssl into place
 tar -xvf %{SOURCE1} --strip-components=1 --directory CryptoPkg/Library/OpensslLib/openssl
+# extract softfloat into place
+tar -xvf %{SOURCE4} --strip-components=1 --directory ArmPkg/Library/ArmSoftFloatLib/berkeley-softfloat-3/
 
 # Extract QOSB
 tar -xvf %{SOURCE3}
@@ -242,6 +246,8 @@ mv qemu-ovmf-secureboot-%{qosb_version}/LICENSE LICENSE.qosb
 %autopatch -p1
 base64 --decode < MdeModulePkg/Logo/Logo-OpenSSL.bmp.b64 > MdeModulePkg/Logo/Logo-OpenSSL.bmp
 
+
+
 %build
 source ./edksetup.sh
 
@@ -256,7 +262,7 @@ if test "$JOBS" != ""; then
 fi
 
 # common features
-CC_FLAGS="$CC_FLAGS --cmd-len=65536 -t %{TOOLCHAIN} -b DEBUG --hash"
+CC_FLAGS="$CC_FLAGS --cmd-len=65536 -b DEBUG --hash"
 CC_FLAGS="$CC_FLAGS -D NETWORK_IP6_ENABLE"
 CC_FLAGS="$CC_FLAGS -D TPM2_ENABLE"
 
@@ -307,14 +313,15 @@ cp Build/Ovmf3264/*/X64/Shell.efi ovmf/
 cp Build/Ovmf3264/*/X64/EnrollDefaultKeys.efi ovmf
 sh %{_sourcedir}/build-iso.sh ovmf/
 
-# Build enrolled VARS file
+%if !%{skip_enroll}
 python3 qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator \
-	--qemu-binary /usr/bin/qemu-system-x86_64 \
-	--skip-testing \
-	--ovmf-binary ovmf/OVMF_CODE.secboot.fd \
-	--ovmf-template-vars ovmf/OVMF_VARS.fd \
-	--uefi-shell-iso ovmf/UefiShell.iso \
-	ovmf/OVMF_VARS.secboot.fd
+    --qemu-binary /usr/bin/qemu-system-x86_64 \
+    --ovmf-binary ovmf/OVMF_CODE.secboot.fd \
+    --ovmf-template-vars ovmf/OVMF_VARS.fd \
+    --uefi-shell-iso ovmf/UefiShell.iso \
+    --skip-testing \
+    ovmf/OVMF_VARS.secboot.fd
+%endif
 %endif
 
 
@@ -357,22 +364,27 @@ dd of="arm/QEMU_EFI-pflash.raw" if="arm/QEMU_EFI.fd" conv=notrunc
 dd of="arm/vars-template-pflash.raw" if="/dev/zero" bs=1M count=64
 %endif
 
+
+
 %check
 %if 0%{?build_ovmf_x64:1}
 %if 0%{?qosb_testing}
-# Verify enrolled VARS file
+%if !%{skip_enroll}
 python3 qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator \
-	--qemu-binary /usr/bin/qemu-system-x86_64 \
-	--skip-enrollment \
-	--print-output \
-	--ovmf-binary ovmf/OVMF_CODE.secboot.fd \
-	--ovmf-template-vars ovmf/OVMF_VARS.fd \
-	--uefi-shell-iso ovmf/UefiShell.iso \
-	--no-download \
-	--kernel-path `rpm -ql kernel-core | grep "\/vmlinuz$" -m 1` \
-	ovmf/OVMF_VARS.secboot.fd
+    --qemu-binary /usr/bin/qemu-system-x86_64 \
+    --ovmf-binary ovmf/OVMF_CODE.secboot.fd \
+    --ovmf-template-vars ovmf/OVMF_VARS.fd \
+    --uefi-shell-iso ovmf/UefiShell.iso \
+    --skip-enrollment \
+    --print-output \
+    --no-download \
+    --kernel-path `rpm -ql kernel-core | grep "\/vmlinuz$" -m 1` \
+    ovmf/OVMF_VARS.secboot.fd
 %endif
 %endif
+%endif
+
+
 
 %install
 cp CryptoPkg/Library/OpensslLib/openssl/LICENSE LICENSE.openssl
@@ -522,6 +534,10 @@ install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_
 
 
 %changelog
+* Thu Jul 11 2019 Cole Robinson <crobinso@redhat.com> - 20190501stable-1
+- Update to stable-201905
+- Update to openssl-1.1.1b
+
 * Mon Mar 18 2019 Cole Robinson <aintdiscole@gmail.com> - 20190308stable-1
 - Use YYYYMMDD versioning to fix upgrade path
 
diff --git a/sources b/sources
index 660fae5..47de423 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,4 @@
 SHA512 (qemu-ovmf-secureboot-1.1.3.tar.gz) = f830a525f66379e8e3c61d006fab49547e6709f7aa0f95e70f23c7d26407cc804a0ced9dcfd26af63391d603e9cb5a0714c222c7cdca8599e41852e22e13be80
-SHA512 (edk2-edk2-stable201903.tar.gz) = 44021473e137b0b7863608192badbee154aa2fe49f71b476597d83fa4046ae0f6b174acc27c4b7b185925ea9627b357bb444d98fc027031064645da91c54e0df
-SHA512 (openssl-1.1.0j-hobbled.tar.xz) = 9d2c24a634d4669742f2ac78196def4b9f35dd9977aca375c1edbc0b20cbeb62c651cbcd106e6d485a1d83d2c35f60cc0acf24b158ed685cc1780ed4415ceecf
+SHA512 (edk2-edk2-stable201905.tar.gz) = 91188923f7d1ab83c0d6abf7ec6d59f357d0341a617ad6a3ae05f3d0e041dff43f62b014b0c5fc5d15e16d8f1c279c581a5cd64b31e3d52b340d7ef90adb50f1
+SHA512 (openssl-1.1.1b-hobbled.tar.xz) = 8055b19bfeec41fe0607c04d468d2f16a1e5fe02642c8deb67b00878be7e28ab266d13da41b9576800cba0b9448253f26f72ab8889d666f5d23103648f80bea1
+SHA512 (softfloat-20180726-gitb64af41.tar.xz) = f079debd1bfcc0fe64329a8947b0689ef49246793edcdd28a2879f6550c652b0cf0f53ac4f6f5ab61ac4f7933972e0019d0ab63eb9931b6884c2909f3a5ead30